Update on proposed amendments to Singapore’s PDPA
Nov 08

Singapore’s Personal Data Protection Commission (PDPC) has today issued a response to the feedback received on its earlier public consultation on a new direct marketing act, a new enhanced practical guidance framework (EPG Framework) and a review of the exceptions to the consent obligation. A copy of the PDPC’s response can be found here. The PDPC’s response refines and clarifies some of its earlier proposals, taking into account the public feedback that was received. Outlined below are some of the key developments.

The PDPC will clarify that the new direct marketing act: (A) will not apply to in-app notifications; (B) will also apply to unsolicited marketing and commercial messages sent via text but that include images, videos and audio files; and (C) will also apply to messages sent by senders whom users have “followed” on a social media platform but from whom users may not wish to receive commercial text messages.

The PDPC will institute a phased approach to the shortening of the mandated period for effecting a user’s withdrawal of consent for direct marketing calls. Such withdrawal period for phone calls under the Do-Not-Call provisions will be shortened from 30 days to 21 days initially, before being shortened to 10 business days in order to align with the withdrawal period for unsolicited marketing messages.

The PDPC has confirmed that: (A) determinations under the EPG Framework will be available for proposed business activities which have sufficiently detailed plans; and (B) professional advisors will be allowed to seek determinations on behalf of organisations, and industry bodies will be allowed to seek determinations on behalf of their members.

The PDPC will now impose a fixed validity period for all EPG Framework determinations, which will be decided on a case-by-case basis.

What’s next?

It is expected that the new Direct Marketing Act and EPG Framework provisions will now be drafted, although the timeframe within which these will be open to public consultation and tabled in Parliament is unknown. The PDPC’s response also suggests that further refinements to the exceptions to the Consent Obligation can be...

New direct marketing act and other proposed amendments to the PDPA
May 30

Key takeaways

Singapore’s Personal Data Protection Commission (PDPC) is proposing a new act on direct marketing that will combine the provisions in the Spam Control Act with the Do-Not-Call provisions in the Personal Data Protection Act (PDPA). The new act will also include some changes to streamline the regulations for all unsolicited commercial messages.

A new Enhanced Practical Guidance framework has been proposed that will allow the PDPC to provide “determinations” with regulatory certainty on whether specific business activities are PDPA-compliant.

A review of the existing exceptions to the consent obligation set out in the Second to Fourth Schedules to the PDPA will be undertaken, with a view to updating them for continuing commercial relevance.

The deadline to submit comments on these proposals is 5pm on 7 June 2018.

What you need to know about this Public Consultation

On 27 April 2018, the PDPC released a Public Consultation Paper with a number of proposed changes to the PDPA. This Public Consultation follows in the wake of two recent public consultations conducted last year which dealt with proposed guidelines on the use of NRIC numbers, enhancements of the way in which data is collected, used and disclosed, and on the introduction of a data breach notification regime. We discuss some of the key proposals of this Public Consultation below.

1. New act to merge direct marketing regulations

Unsolicited commercial messages are currently regulated under two Acts – the PDPA and the Spam Control Act (SCA). Presently, the SCA applies to electronic messages (i.e. email and text messages) sent in bulk, while the Do-Not-Call (DNC) provisions of the PDPA apply to marketing messages sent to a Singapore telephone number. The PDPC proposes to merge the SCA and the DNC provisions of the PDPA into a new act that will govern all unsolicited commercial messages, mirroring the approach taken in other jurisdictions such as Hong Kong and the United Kingdom.

The new act will also introduce some additional changes, including the extension of the DNC provisions to all unsolicited marketing text messages sent to Singapore numbers (not just those sent in bulk) and the extension of the SCA provisions to unsolicited messages sent through instant messaging platforms (e.g. WhatsApp and LINE). Amendments are also proposed to align the time period afforded to organisations to effect a withdrawal of consent or unsubscribe request from an individual. These changes are intended to reduce ambiguity for organisations in complying with different requirements when sending marketing messages.

2. New Enhanced practical guidance framework

The PDPC proposes to introduce a new Enhanced Practical Guidance Framework to supplement the existing general advisory guidelines and guides it publishes. The proposed Framework...

Economic ambitions drive Asian data shake-up
Aug 24

Data protection has been something of a focus for Asian law-makers recently. Until the last couple of years, there were very few laws or regulations in the region which addressed the issue specifically. This is not to say that there were no laws to protect privacy but, rather, that they tended to come from a number of older statutes or case law, and were in many cases no longer appropriate for countries competing on a global scale in the face of technological advances.

That is changing. Driven by economic and commercial ambitions (and not just by protection of consumers), legislators across the region have recognised the need to bring their data protection regimes more in line with international standards. The ASEAN region in particular has become the most active in the world for new data legislation. As a result, organisations based in Asia or that have online platforms targeted at or hosted in Asia are having to wrestle with the new rules.

So what does this all mean for businesses? We look here at the three most recent new laws in the region, in the Philippines, Malaysia and Singapore, and the practical steps that businesses will need to take to comply.

Some context: economic ambitions as a driver for data policy in Asia

Having in place a consolidated data protection law has some clear advantages. There is the obvious benefit to consumers, who will now be subject to a privacy framework that is more in line with that enjoyed by citizens elsewhere, such as in Europe. However, economic ambitions are the key driver. In order to compete on an international scale, countries in the region need to be able to demonstrate that they are “safe” places to do business and that the requirements they impose on organisations are in line with international standards. In order to get themselves on any “white-list” of adequate jurisdictions for data processing, governments have recognised the need to have legislation in place.

At a business-to-business level, businesses wanting to source suppliers (e.g. customer call centre providers) or to locate operations in the region (e.g. data centres) need to know that data will be held and processed securely, to the standards that their customers (and their own regulators) expect. The Business Processing Association of the Philippines believes that the legislation will raise the country’s profile as a destination for IT outsourcing projects that involve the handling of sensitive personal data, describing the legislation as “an important step to increasing confidence among foreign investors”. In Singapore, the government’s ambition was to “strengthen and entrench Singapore’s position as a trusted hub for business”.

The Philippines: “keystone legislation”...
