Singapore’s Personal Data Protection Commission (PDPC) is vowing to better protect consumers from spam and telemarketing messages, through stricter regulations and guidance requirements.
The PDPC is seeking public feedback in two areas relating to the proposal: A merger of the Do Not Call Provisions of the Personal Data Protection Act (PDPA) and Spam Control Act; and better Enhanced Practical Guidance for organisations who must comply with the PDPA.
Do Not Call (DNC) Provisions and Spam Control Act (SCA)
The merger of Do Not Call (DNC) Provisions of the Personal Data Protection Act (PDPA) and Spam Control Act will fall under a new Act that governs unsolicited commercial messages, includinging marketing messages and those relating to deception or dishonest gains.
The United Kingdom and Hong Kong have already taken similar approaches to crack down on unsolicited messages.
According to the PDPC, “The proposed changes will provide greater protection to individuals from unsolicited commercial messages and reduce ambiguity for organisations in complying with differing requirements when sending commercial messages.”
The PDPC will look at the following:
- Providing a shorter withdrawal of consent period for consumers: Individuals can expect their withdrawal of consent under the DNC Provisions to take effect within 10 business days, instead of the current 30 calendar days. This is in line with the withdrawal period provided under the SCA. Streamlining the withdrawal period will also minimise potential confusion for organisations complying with both DNC and Spam Control Provisions as well as enable consumers to stop receiving unsolicited marketing messages more quickly.
- Regulating unsolicited commercial messages sent in bulk via Instant Messaging (IM) platforms: The Spam Control Provisions will be extended to cover messages sent in bulk via IM identifiers (e.g. account or login ID created by the user) under the new Act. Individuals will be able to better manage such messages sent using their IM identifiers with spam control requirements, for example, organisations sending unsolicited commercial messages via IM platforms will have to ensure that they have a fully functioning ‘unsubscribe’ facility. The proposed approach is aligned with approaches adopted by other jurisdictions, where text messages sent using IM identifiers are addressed under their spam legislation.
- Prohibiting the use of dictionary attacks and address harvesting software: The use of random number generators or address harvesting software to generate telephone numbers, IM identifiers or email addresses for sending commercial messages (including robocalls) will be prohibited under the new Act. This will help ensure Singapore does not become a haven for spammers using such technologies to send unsolicited commercial messages to a large number of recipients.
- Additionally, the PDPC is proposing for infringements of the DNC Provisions under the new Act to be enforced under an administrative regime similar to the PDPA. This will allow for prompt action to be taken in cases investigated by the PDPC which will be empowered to issue directions, including financial penalties, for infringements of the DNC Provisions under the New Act.
- The proposals also seek comments on changes that affect organisations. With more organisations relying on third-party DNC checkers, new legal obligations are proposed to ensure that they accurately communicate the results of their DNC Registry checks and prohibit their resale. Additionally, the PDPC seeks comments on whether the DNC Provisions should be extended to cover business-to-business (B2B) telemarketing messages.
Enhance Practical Guidance (EPG):
- The PDPC currently provides Practical Guidance to organisations seeking clarity on the application of the PDPA.
- Recognising the immense opportunities for innovations around the use of data in the Digital Economy, the PDPC is proposing to introduce an Enhanced Practical Guidance (EPG) Framework under the PDPA that will allow the PDPC to provide guidance as to whether a proposed use of personal data complies with the PDPA.
- The EPG would provide regulatory certainty to organisations. Overseas jurisdictions have provided for similar frameworks, where the data protection authority is able to issue guidance to organisations that are legally binding.
Public consultation opened on April 27, 2018 and will close on 7 June 2018.