Singapore seeks to introduce new data portability obligation
Jun04

Key Takeaways

Singapore’s Personal Data Protection Commission (PDPC) released a public consultation on 22 May 2019 relating to data portability and data innovation under the Personal Data Protection Act (PDPA).

The proposed data portability obligation would impose a mandatory obligation on organisations to provide an individual’s data at their request to another organisation in a commonly used machine-readable format.

The proposed data innovation clarifications would exempt organisations from: (a) notifying individuals of and seeking their consent to use personal data for “business innovation purposes”; and (b) complying with the access, correction and proposed data portability obligations in respect of “derived personal data”.

The PDPC is now seeking feedback on these proposals. The deadline to submit feedback is 3 July 2019.

The proposed changes at a glance

Proposed Data Portability Obligation

Who does the obligation apply to? All organisations to which the PDPA applies, except for data intermediaries.

What is the scope of the obligation? Upon request from an individual, an organisation must provide the individual’s data in its possession or under its control to another organisation that has a presence in Singapore in a commonly used machine-readable format. This is subject to compliance with a prescribed process for dealing with such requests that includes verification of the request and allowing the individual to verify the data before it is ported. Please see the graphic below for more details.

What data is subject to the obligation? Any data in electronic form: (i) provided by the individual to the organisation; and (ii) generated by the individual’s activities in using the organisation’s product or service. This is not limited to personal data and may include non-personal data, such as business contact information. However, personal data collected lawfully without consent (e.g. where authorised under the PDPA or other law) is not included.

Are there any exceptions to the obligation? These would be the same as the exceptions to the existing Access Obligation, save for the exceptions where fulfilling the request would: (i) reveal personal data about another individual; (ii) reveal the identity of the individual who has provided the personal data and that individual does not consent to the disclosure of his/her identity. The data portability obligations must still be fulfilled in those situations.

What are the penalties for non-compliance? The PDPC has the power to review refusals to port data, failure to port data within a reasonable time, and the fees imposed for porting data. Breaches of the proposed data portability obligation would be subject to the same penalty framework as the rest of the PDPA.

Fig. 1 Handling Data Portability Requests: Key Obligations

Proposed Data Innovation Provisions

PDPC is proposing clear...

Update on proposed amendments to Singapore’s PDPA
Nov08

Singapore’s Personal Data Protection Commission (PDPC) has today issued a response to the feedback received on its earlier public consultation on a new direct marketing act, a new enhanced practical guidance framework (EPG Framework) and a review of the exceptions to the consent obligation. A copy of the PDPC’s response can be found here.

The PDPC’s response refines and clarifies some of its earlier proposals, taking into account the public feedback that was received. Outlined below are some of the key developments.

The PDPC will clarify that the new direct marketing act: (A) will not apply to in-app notifications; (B) will also apply to unsolicited marketing and commercial messages sent via text but that include images, videos and audio files; and (C) will also apply to messages sent by senders who users have “followed” on a social media platform but from whom users may not wish to receive commercial text messages.

The PDPC will institute a phased approach to the shortening of the mandated period for effecting a user’s withdrawal of consent for direct marketing calls. Such withdrawal period for phone calls under the Do-Not-Call provisions will be shortened from 30 days to 21 days initially, before being shortened to 10 business days in order to align with the withdrawal period for unsolicited marketing messages.

The PDPC has confirmed that: (A) determinations under the EPG Framework will be available for proposed business activities which have sufficiently detailed plans; and (B) professional advisors will be allowed to seek determinations on behalf of organisations, and industry bodies will be allowed to seek determinations on behalf of their members.

The PDPC will now impose a fixed validity period for all EPG Framework determinations, which will be decided on a case-by-case basis.

What’s next?

It is expected that the new Direct Marketing Act and EPG Framework provisions will now be drafted, although the timeframe within which these will be open to public consultation and tabled in Parliament is unknown. The PDPC’s response also suggests that further refinements to the exceptions to the Consent Obligation can be...

New direct marketing act and other proposed amendments to the PDPA
May30

Key takeaways

Singapore’s Personal Data Protection Commission (PDPC) is proposing a new act on direct marketing that will combine the provisions in the Spam Control Act with the Do-Not-Call provisions in the Personal Data Protection Act (PDPA). The new act will also include some changes to streamline the regulations for all unsolicited commercial messages.

A new Enhanced Practical Guidance framework has been proposed that will allow the PDPC to provide “determinations” with regulatory certainty on whether specific business activities are PDPA-compliant.

A review of the existing exceptions to the consent obligation set out in the Second to Fourth Schedules to the PDPA will be undertaken, with a view to updating them for continuing commercial relevance.

The deadline to submit comments on these proposals is 5pm on 7 June 2018.

What you need to know about this Public Consultation

On 27 April 2018, the PDPC released a Public Consultation Paper with a number of proposed changes to the PDPA. This Public Consultation follows in the wake of two recent public consultations conducted last year which dealt with proposed guidelines on the use of NRIC numbers, enhancements of the way in which data is collected, used and disclosed, and on the introduction of a data breach notification regime. We discuss some of the key proposals of this Public Consultation below.

1. New act to merge direct marketing regulations

Unsolicited commercial messages are currently regulated under two Acts – the PDPA and the Spam Control Act (SCA). Presently, the SCA applies to electronic messages (i.e. email and text messages) sent in bulk, while the Do-Not-Call (DNC) provisions of the PDPA apply to marketing messages sent to a Singapore telephone number. The PDPC proposes to merge the SCA and the DNC provisions of the PDPA into a new act that will govern all unsolicited commercial messages, mirroring the approach taken in other jurisdictions such as Hong Kong and the United Kingdom.

The new act will also introduce some additional changes, including the extension of the DNC provisions to all unsolicited marketing text messages sent to Singapore numbers (not just those sent in bulk) and the extension of the SCA provisions to unsolicited messages sent through instant messaging platforms (e.g. WhatsApp and LINE). Amendments are also proposed to align the time period afforded to organisations to effect a withdrawal of consent or unsubscribe request from an individual. These changes are intended to reduce ambiguity for organisations in complying with different requirements when sending marketing messages.

2. New Enhanced practical guidance framework

The PDPC proposes to introduce a new Enhanced Practical Guidance Framework to supplement the existing general advisory guidelines and guides it publishes. The proposed Framework...

The week in Connected Asia
Dec11

Here is a quick round-up of stories from a busy week in Connected Asia.

1. China has the highest number of fast-growing tech companies.

With 128 companies ranked in Deloitte’s Technology Fast 500 Asia-Pacific, China has emerged as the country with the highest number of fast-growing tech companies. China Communications Media Group, which is one of the largest mobile software platforms in China, was the fastest growing of them all. It has grown revenues by a staggering 266 times over the last three years. Taiwan, Australia and India were the other “stand-out” performers, although the tech sector across the region appears to be in fairly good health, despite the slowdown in China and sluggish economic growth in other parts of the world.

2. Amazon is said to be testing a cash-on-delivery business model in India.

The Amazon drones made the headlines but the reported move by Amazon to test a “cash-on-delivery” model is one to watch in the e-commerce space in Asia. Consumers in India, particularly in more rural areas, are notoriously reluctant to make up-front payments via e-commerce platforms and this is a major challenge. Cash-on-delivery is far from a perfect solution though, for logistical, financial and legal reasons. First, it raises logistical issues (not least in collecting cash and dealing with rejected goods) that will need to be addressed by Amazon’s local delivery partner, India Post. Second, cash-on-delivery locks up working capital and exposes merchants to the obvious risk of “time-wasting” purchases that are ultimately rejected (although that risk does still exist to some extent with “cooling-off” periods in an up-front payment model). The shortcomings of the cash-on-delivery model are acknowledged but the hope is that it will build trust in e-commerce and that eventually consumers will move towards up-front payments. The fact that ever-innovative Amazon seems to be looking at the model suggests that it could be a long time before up-front replaces on-delivery in India.

3. Singapore’s “Do Not Call” register opens for business.

The Asian data shake-up continues apace. On Sunday, Singapore’s new data regulator, the Personal Data Protection Commission, announced the opening of the “Do Not Call” registry. The “Do Not Call” rules under Singapore’s Personal Data Protection Act, which come into effect in January 2014, require businesses to verify with the registry that numbers are not listed there before engaging in direct marketing activities (voice calls, text or fax messages). Around 67,000 unique telephone numbers had been listed on the registry within 24 hours. From January, “Do Not Call” will be a new compliance burden for organisations to address. The remaining rules of Singapore’s Personal Data Protection Act (which impose obligations when it comes to the collection and...

What is “The Law of the App” and how do you comply with it?
Nov23

Gaming operators have for years now been grappling with the full spectrum of legal requirements that apply to their online operations. Reputable online operators have, therefore, already developed a great degree of familiarity with issues like data protection, consumer law, advertising law and of course gambling regulation and the way in which these impact their online operations.

However, with more and more operators now launching mobile gaming products (whether native device apps, web-based apps or mobile websites) and with a host of recent developments in this space, from new app store rules through to regulatory investigations, gaming lawyers are increasingly being asked an important question: what specific legal issues apply to mobile gaming products that might not necessarily apply to existing website-based offerings? In other words, is there such a thing as “The Law of the App” and, if so, what steps must operators take to comply with it?

Understanding “The Law of the Platform”

Such is the dominance of a limited number of mobile app platforms like Apple’s iOS and Google’s Android that their rules have become essential reading for any organisation with a mobile strategy. Effectively enacted via contract law through platform terms and conditions, “The Law of the Platform” can nonetheless have an even greater impact on operators’ products than the overriding legal framework of statute, case law and regulation. Changes to the Apple or Android terms can happen very quickly (and without the political, consultation or legislative processes preceding new laws or regulations). At their most extreme, they can create entirely new opportunities for operators or they can close off valuable revenue streams entirely.

In practice, the key terms that organisations need to focus on are the developer or SDK terms (the terms that must be accepted in order to build an app for the platform in question), approval policies for the app (relevant to Apple’s iOS and others, less so to Android) and the app store terms governing how the app is marketed and sold and how in-app purchases work. These terms are generally available via the platform developer websites, although in some cases the applicable terms can be harder to obtain (for example, a developer account and login may be required for certain Apple terms), in which case lawyers may need to work with developers to get hold of them.

Apple iOS and Android are currently the two dominant platforms and both have recently updated their platform rules specifically in relation to gaming apps. In August 2013, Apple updated its App Store Guidelines. The rules require that apps offering real-money gaming must have the necessary licences and permissions in the locations in which...
