China's Xiaomi is the first company investigated for allegedly violating the data collection rules set forth by Singapore's Personal Data Protection Act 2012 (PDPA). Promulgated in 2012, the PDPA requires all organizations in Singapore to comply with provisions relating to the collection, use, disclosure and security of personal data. The first provision prohibits organizations from conducting telemarketing activities (including via text messages) with individuals who register with the Do Not Call Registry. The second provision, implemented on July 2, 2014, sets out a number of key obligations for data collection, which include: i) providing notice to the individual before attempting to collect personal data, ii) disclosing the purpose of the collection, and iii) receiving consent. In addition, organizations are required to appoint at least one data protection officer, whose role is to ensure PDPA compliance and whose duty is to respond to requests to correct any error or omission in the personal data. In August, a smartphone user filed a complaint under the PDPA alleging that personal data from his Xiaomi device, specifically his address book, was transmitted automatically to an external server in China and used for marketing purposes without his consent. Since January 2, 2014, several companies have been fined under the Do Not Call rules, but Xiaomi could be the first company penalized for violating the data collection provision of the PDPA, and if found guilty, it may face a financial penalty of up to US$800,000.
TIP: Companies that conduct business in Singapore should evaluate their data collection procedures and policies for compliance and appoint a data protection officer. Further, companies should understand that the rules in the PDPA apply to all personal data collected in Singapore, even if the data is transmitted and stored in the cloud or in another country.