On 27 April 2018, the Personal Data Protection Commission (the "PDPC") announced that it will be undertaking a review of the Personal Data Protection Act ("PDPA"). The review seeks to streamline legislation so that organisations can have a degree of clarity and certainty in the instances where the PDPA and the Spam Control Act ("SCA") may overlap.
Public consultations will take place between 27 April 2018 to 7 June 2018 as part of the process of the PDPC's review of two key areas:
(i) Consolidation of the Do Not Call Registry ("DNCR") provisions of the PDPA and the Spam Control Act into a proposed new Act (the "New Act").
(ii) Introduction of Enhanced Practical Guidance ("EPG") framework.
Interested parties may submit their views to the PDPC by email (to [email protected]) until 7 June 2018.
The Current Framework
Unsolicited commercial messages are currently regulated under the DNCR provisions of the PDPA, and the SCA. The SCA regulates electronic messages (i.e. emails and text messages) that are sent in bulk. Whereas, the DNCR provisions under the PDPA deals with specified messages sent via text message, fax message or voice call to Singapore telephone numbers, regardless of whether such messages are sent in bulk.
Breaches of the DNCR provisions are enforced as criminal offences under the PDPA, whereas the SCA is enforced as an administrative regime.
Both the DNCR provisions under the PDPA and the SCA do not regulate text messages that are sent through instant messaging ("IM"). As such, individuals who register their number on the DNCR may continue to receive marketing messages sent through IM platforms such as Facebook and Whatsapp.
Key Area #1: Key Features of the Proposed New Law
The key areas in which the New Act seeks to address include:
(i) Provide a shorter withdrawal of consent period: Under the DNCR provisions of the PDPA, organisations with an ongoing relationship with a subscriber or user of a Singapore telephone number have 30 days to stop messaging the subscriber or user with telemarketing messages, if the subscriber or user opts out of receiving such messages. The New Act will give organisations 10 business days to stop messaging the subscriber or user if they opt out from receiving such messages. Such shorter withdrawal of consent period is consistent with the provisions of the SCA.
(ii) Regulating unsolicited commercial messages sent in bulk via Instant Messaging ("IM") platforms: Commercial text messages sent through IM platforms will be caught under the New Act. Breaches of the New Act in relation to messages sent through IM platforms will therefore be subject also to enforcement under its administrative regime.
(iii) Prohibiting the use of dictionary attacks and address harvesting software: The SCA prohibits the use of random number generators or address harvesting software in relation to electronic messages, but does not extend to Singapore telephone numbers. The New Act will extend such prohibition to the DNCR provisions of the PDPA thereby prohibiting dictionary attacks and address harvesting in relation to Singapore telephone numbers as well.
(iv) New law enforced under administrative regime: The offences under the New Act will be enforced under an administrative regime. For example, the PDPC will be empowered to issue directions and financial penalties for infringements of the DNC Provisions under the New Act. A private right of action in respect of the DNC Provisions will also be provided under the New Act.
Key Area #2: Enhanced Practical Guidance
The PDPC informally provides practical guidance to organisations in relation to how the provisions of the PDPA may be applied in a specific situation. However, such practical guidance will not be a confirmation of an organisation's compliance with the PDPA.
The PDPC has therefore proposed the EPG, which is a framework in which organisations may apply to the PDPC to provide determinations on their obligations with regulatory certainty under the New Act.
The PDPC drew an analogy between the proposed function of the EPG framework, and the framework administered by the Competition and Consumer Commission of Singapore ("CCCS") in which the CCCS may issue decisions as to whether an agreement, conduct or merger infringes Singapore competition law.
As such, the EPG framework may similarly see the PDPC providing decisions on whether certain conduct may infringe the New Act regulating unsolicited messages commercial messages.
The PDPC's policy on having more regulatory certainty in the digital economy appears to be heading in a direction which is more conducive and relevant in light of technological advancements. However, organisations should still take note of the proposed changes under the new law as set out above, which may affect them in the event that the New Act is passed.
Organisations may also want to consider if it has any views on the New Act and to make submissions to the PDPC accordingly.