Story image

Singapore's PDPC vows to crack down on telemarketing and spam

01 May 2018

Singapore’s Personal Data Protection Commission (PDPC) is vowing to better protect consumers from spam and telemarketing messages, through stricter regulations and guidance requirements.

The PDPC is seeking public feedback in two areas relating to the proposal: A merger of the Do Not Call Provisions of the Personal Data Protection Act (PDPA) and Spam Control Act; and better Enhanced Practical Guidance for organisations who must comply with the PDPA.

Do Not Call (DNC) Provisions and Spam Control Act (SCA)

The merger of Do Not Call (DNC) Provisions of the Personal Data Protection Act (PDPA) and Spam Control Act will fall under a new Act that governs unsolicited commercial messages, includinging marketing messages and those relating to deception or dishonest gains.

The United Kingdom and Hong Kong have already taken similar approaches to crack down on unsolicited messages.

According to the PDPC, “The proposed changes will provide greater protection to individuals from unsolicited commercial messages and reduce ambiguity for organisations in complying with differing requirements when sending commercial messages.”

The PDPC will look at the following:

  • Providing a shorter withdrawal of consent period for consumers: Individuals can expect their withdrawal of consent under the DNC Provisions to take effect within 10 business days, instead of the current 30 calendar days. This is in line with the withdrawal period provided under the SCA. Streamlining the withdrawal period will also minimise potential confusion for organisations complying with both DNC and Spam Control Provisions as well as enable consumers to stop receiving unsolicited marketing messages more quickly.
  • Regulating unsolicited commercial messages sent in bulk via Instant Messaging (IM) platforms: The Spam Control Provisions will be extended to cover messages sent in bulk via IM identifiers (e.g. account or login ID created by the user) under the new Act. Individuals will be able to better manage such messages sent using their IM identifiers with spam control requirements, for example, organisations sending unsolicited commercial messages via IM platforms will have to ensure that they have a fully functioning ‘unsubscribe’ facility. The proposed approach is aligned with approaches adopted by other jurisdictions, where text messages sent using IM identifiers are addressed under their spam legislation.
  • Prohibiting the use of dictionary attacks and address harvesting software: The use of random number generators or address harvesting software to generate telephone numbers, IM identifiers or email addresses for sending commercial messages (including robocalls) will be prohibited under the new Act. This will help ensure Singapore does not become a haven for spammers using such technologies to send unsolicited commercial messages to a large number of recipients.
  • Additionally, the PDPC is proposing for infringements of the DNC Provisions under the new Act to be enforced under an administrative regime similar to the PDPA. This will allow for prompt action to be taken in cases investigated by the PDPC which will be empowered to issue directions, including financial penalties, for infringements of the DNC Provisions under the New Act.
  • The proposals also seek comments on changes that affect organisations. With more organisations relying on third-party DNC checkers, new legal obligations are proposed to ensure that they accurately communicate the results of their DNC Registry checks and prohibit their resale. Additionally, the PDPC seeks comments on whether the DNC Provisions should be extended to cover business-to-business (B2B) telemarketing messages.

Enhance Practical Guidance (EPG):

  • The PDPC currently provides Practical Guidance to organisations seeking clarity on the application of the PDPA.
  • Recognising the immense opportunities for innovations around the use of data in the Digital Economy, the PDPC is proposing to introduce an Enhanced Practical Guidance (EPG) Framework under the PDPA that will allow the PDPC to provide guidance as to whether a proposed use of personal data complies with the PDPA.
  • The EPG would provide regulatory certainty to organisations. Overseas jurisdictions have provided for similar frameworks, where the data protection authority is able to issue guidance to organisations that are legally binding.

Public consultation opened on April 27, 2018 and will close on 7 June 2018.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.