New direct marketing act and other proposed amendments to the PDPA
May 30

Key takeaways

Singapore’s Personal Data Protection Commission (PDPC) is proposing a new act on direct marketing that will combine the provisions in the Spam Control Act with the Do-Not-Call provisions in the Personal Data Protection Act (PDPA). The new act will also include some changes to streamline the regulations for all unsolicited commercial messages.

A new Enhanced Practical Guidance framework has been proposed that will allow the PDPC to provide “determinations” with regulatory certainty on whether specific business activities are PDPA-compliant.

A review of the existing exceptions to the consent obligation set out in the Second to Fourth Schedules to the PDPA will be undertaken, with a view to updating them for continuing commercial relevance.

The deadline to submit comments on these proposals is 5pm on 7 June 2018.

What you need to know about this Public Consultation

On 27 April 2018, the PDPC released a Public Consultation Paper with a number of proposed changes to the PDPA. This Public Consultation follows in the wake of two recent public consultations conducted last year which dealt with proposed guidelines on the use of NRIC numbers, enhancements of the way in which data is collected, used and disclosed, and on the introduction of a data breach notification regime. We discuss some of the key proposals of this Public Consultation below.

1. New act to merge direct marketing regulations

Unsolicited commercial messages are currently regulated under two Acts – the PDPA and the Spam Control Act (SCA). Presently, the SCA applies to electronic messages (i.e. email and text messages) sent in bulk, while the Do-Not-Call (DNC) provisions of the PDPA apply to marketing messages sent to a Singapore telephone number. The PDPC proposes to merge the SCA and the DNC provisions of the PDPA into a new act that will govern all unsolicited commercial messages, mirroring the approach taken in other jurisdictions such as Hong Kong and the United Kingdom.

The new act will also introduce some additional changes, including extending the DNC provisions to all unsolicited marketing text messages sent to Singapore numbers (not just those sent in bulk) and extending the SCA provisions to unsolicited messages sent through instant messaging platforms (e.g. WhatsApp and LINE). Amendments are also proposed to align the time period afforded to organisations to effect a withdrawal of consent or unsubscribe request from an individual. These changes are intended to reduce ambiguity for organisations in complying with different requirements when sending marketing messages.

2. New Enhanced practical guidance framework

The PDPC proposes to introduce a new Enhanced Practical Guidance Framework to supplement the existing general advisory guidelines and guides it publishes. The proposed Framework...

The week in Connected Asia
Dec 11

Here is a quick round-up of stories from a busy week in Connected Asia.

1. China has the highest number of fast-growing tech companies.

With 128 companies ranked in Deloitte’s Technology Fast 500 Asia-Pacific, China has emerged as the country with the highest number of fast-growing tech companies. China Communications Media Group, which is one of the largest mobile software platforms in China, was the fastest growing of them all. It has grown revenues by a staggering 266 times over the last three years. Taiwan, Australia and India were the other “stand-out” performers, although the tech sector across the region appears to be in fairly good health, despite the slowdown in China and sluggish economic growth in other parts of the world.

2. Amazon is said to be testing a cash-on-delivery business model in India.

The Amazon drones made the headlines but the reported move by Amazon to test a “cash-on-delivery” model is one to watch in the e-commerce space in Asia. Consumers in India, particularly in more rural areas, are notoriously reluctant to make up-front payments via e-commerce platforms and this is a major challenge. Cash-on-delivery is far from a perfect solution though, for logistical, financial and legal reasons. First, it raises logistical issues (not least in collecting cash and dealing with rejected goods) that will need to be addressed by Amazon’s local delivery partner, India Post. Second, cash-on-delivery locks up working capital and exposes merchants to the obvious risk of “time-wasting” purchases that are ultimately rejected (although that risk does still exist to some extent with “cooling-off” periods in an up-front payment model). The shortcomings of the cash-on-delivery model are acknowledged but the hope is that it will build trust in e-commerce and that eventually consumers will move towards up-front payments. The fact that ever-innovative Amazon seems to be looking at the model suggests that it could be a long time before up-front replaces on-delivery in India.

3. Singapore’s “Do Not Call” register opens for business.

The Asian data shake-up continues apace. On Sunday, Singapore’s new data regulator, the Personal Data Protection Commission, announced the opening of the “Do Not Call” registry. The “Do Not Call” rules under Singapore’s Personal Data Protection Act, which come into effect in January 2014, require businesses to verify with the registry that numbers are not listed there before engaging in direct marketing activities (voice calls, text or fax messages). Around 67,000 unique telephone numbers had been listed on the registry within 24 hours. From January, “Do Not Call” will be a new compliance burden for organisations to address. The remaining rules of Singapore’s Personal Data Protection Act (which impose obligations when it comes to the collection and...

What is “The Law of the App” and how do you comply with it?
Nov 23

Gaming operators have for years now been grappling with the full spectrum of legal requirements that apply to their online operations. Reputable online operators have, therefore, already developed a great degree of familiarity with issues like data protection, consumer law, advertising law and of course gambling regulation and the way in which these impact their online operations. However, with more and more operators now launching mobile gaming products (whether native device apps, web-based apps or mobile websites) and with a host of recent developments in this space, from new app store rules through to regulatory investigations, gaming lawyers are increasingly being asked an important question: what specific legal issues apply to mobile gaming products that might not necessarily apply to existing website-based offerings? In other words, is there such a thing as “The Law of the App” and, if so, what steps must operators take to comply with it?

Understanding “The Law of the Platform”

Such is the dominance of a limited number of mobile app platforms like Apple’s iOS and Google’s Android that their rules have become essential reading for any organisation with a mobile strategy. Effectively enacted via contract law through platform terms and conditions, “The Law of the Platform” can nonetheless have an even greater impact on operators’ products than the overriding legal framework of statute, case law and regulation. Changes to the Apple or Android terms can happen very quickly (and without the political, consultation or legislative processes preceding new laws or regulations). At their most extreme, they can create entirely new opportunities for operators or they can close off valuable revenue streams entirely.

In practice, the key terms that organisations need to focus on are the developer or SDK terms (the terms that must be accepted in order to build an app for the platform in question), approval policies for the app (relevant to Apple’s iOS and others, less so to Android) and the app store terms governing how the app is marketed and sold and how in-app purchases work. These terms are generally available via the platform developer websites, although in some cases the applicable terms can be harder to obtain (for example, a developer account and login may be required for certain Apple terms), in which case lawyers may need to work with developers to get hold of them.

Apple iOS and Android are currently the two dominant platforms and both have recently updated their platform rules specifically in relation to gaming apps. In August 2013, Apple updated its App Store Guidelines. The rules require that apps offering real-money gaming must have the necessary licences and permissions in the locations in which...

Economic ambitions drive Asian data shake-up
Aug 24

Data protection has been something of a focus for Asian law-makers recently. Until the last couple of years, there were very few laws or regulations in the region which addressed the issue specifically. This is not to say that there were no laws to protect privacy but, rather, that they tended to come from a number of older statutes or case law, and were in many cases no longer appropriate for countries competing on a global scale in the face of technological advances. That is changing. Driven by economic and commercial ambitions (and not just by protection of consumers), legislators across the region have recognised the need to bring their data protection regimes more in line with international standards. The ASEAN region in particular has become the most active in the world for new data legislation. As a result, organisations based in Asia or that have online platforms targeted at or hosted in Asia are having to wrestle with the new rules.

So what does this all mean for businesses? We look here at the three most recent new laws in the region, in the Philippines, Malaysia and Singapore, and the practical steps that businesses will need to take to comply.

Some context: economic ambitions as a driver for data policy in Asia

Having in place a consolidated data protection law has some clear advantages. There is the obvious benefit to consumers, who will now be subject to a privacy framework that is more in line with that enjoyed by citizens elsewhere, such as in Europe. However, economic ambitions are the key driver. In order to compete on an international scale, countries in the region need to be able to demonstrate that they are “safe” places to do business and that the requirements they impose on organisations are in line with international standards. In order to get themselves on any “white-list” of adequate jurisdictions for data processing, governments have recognised the need to have legislation in place.

At a business-to-business level, businesses wanting to source suppliers (e.g. customer call centre providers) or to locate operations in the region (e.g. data centres) need to know that data will be held and processed securely, to the standards that their customers (and their own regulators) expect. The Business Processing Association of the Philippines believes that the legislation will raise the country’s profile as a destination for IT outsourcing projects that involve the handling of sensitive personal data, describing the legislation as “an important step to increasing confidence among foreign investors”. In Singapore, the government’s ambition was to “strengthen and entrench Singapore’s position as a trusted hub for business”.

The Philippines: “keystone legislation”...

Singapore upgrades its cyber-defences
Feb 14

A recent amendment to Singapore’s Computer Misuse Act is designed to enable a “nimble and comprehensive response” to the threat of cyber-attacks. But some argue that the new Government powers are too broad and are open to abuse. We examine the key provisions of the new law and what it might mean for organisations in Singapore and beyond.

“Sophisticated and malicious”. “A real and present danger”. “A broad spectrum of attacks and threats”. These are not sensationalist headlines but comments from the Singapore Government’s Second Reading Speech on the Computer Misuse (Amendment) Bill. The language used underlines the level of concern with which the Government views the threat of cyber-attacks. And the Singapore Government is not alone. With the recent high profile hack of the New York Times, and attacks like “Stuxnet” and “Flame” making the news and the World Economic Forum ranking cyber-attacks among the top five global risks, the issue is rapidly moving up the legislative agenda for governments around the world. As such, the new Singapore law could be a glimpse of things to come in other jurisdictions. So what are the key changes to the old legislation and what action might organisations be required to take?

New teeth

The headline provision of the new law is a broad right for the Singapore Government to compel action in the defence against cyber-attacks. Specifically, the Government can require any person or organisation to “take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”. This power to compel a person or organisation to take action is the key change that the new law brings into effect. Under the previous legislation, the Government was only entitled to authorise a person or organisation to take action. The right to authorise was of course dependent on the relevant person or organisation actually electing to take the measures in question at its discretion. In short, the new law has teeth where the old law did not. But exactly what kinds of measures might organisations be required to take?

Proactive and reactive

The legislation is drafted broadly. The Government can require the taking of “measures” and compliance with “requirements”. The only condition is that the measures are “as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services”. The scope, therefore, is both proactive (to “prevent”) and reactive (to “detect” and “counter”) and could potentially cover both offensive (whether pre-emptive or retaliatory) and defensive actions. But...
