The Personal Data Protection Commission (PDPC) is reviewing the Personal Data Protection Act (PDPA) to ensure that the law stays relevant with technological developments and changes in business practices so as to better protect consumers from telemarketing and spam messages. This will be done via a public consultation held from 27 April to 7 June 2018 in two key areas.
The first area is the merger of the Do Not Call Provisions of the PDPA and the Spam Control act under a single act governing unsolicited commercial messages. Secondly, the PDPC seeks to provide greater clarity and certainty for organisations in complying with the PDPA while supporting innovation through the introduction of Enhanced Practical Guidance under the PDPA.
The government is also following approaches in Hong Kong and United Kingdom, proposing to merge the Do Not Call (DNC) and Spam Control Act (SCA) under a new act governing unsolicited commercial messages. The proposed changes will provide greater protection to individuals from unsolicited commercial messages and reduce ambiguity for organisations in complying with differing requirements when sending commercial messages.
Requirements that the PDPC is proposing to streamline include:
-Providing a shorter withdrawal of consent period for consumers.
Individuals can expect their withdrawal of consent under the DNC Provisions to take effect within 10 business days, instead of the current 30 calendar days. This is in line with the withdrawal period provided under the SCA. Streamlining the withdrawal period will also minimise potential confusion for organisations complying with both DNC and Spam Control Provisions as well as enable consumers to stop receiving unsolicited marketing messages more quickly.
- Regulating unsolicited commercial messages sent in bulk via Instant Messaging (IM) platforms.
The Spam Control Provisions will be extended to cover messages sent in bulk via IM identifiers (e.g. account or login ID created by the user) under the new act. Individuals will be able to better manage such messages sent using their IM identifiers with spam control requirements, for example, organisations sending unsolicited commercial messages via IM platforms will have to ensure that they have a fully functioning ‘unsubscribe’ facility. The proposed approach is aligned with approaches adopted by other jurisdictions, where text messages sent using IM identifiers are addressed under their spam legislation3.
- Prohibiting the use of dictionary attacks and address harvesting software.
The use of random number generators or address harvesting software to generate telephone numbers, IM identifiers or email addresses for sending commercial messages (including robocalls) will be prohibited under the new act. This will help ensure Singapore does not become a haven for spammers using such technologies to send unsolicited commercial messages to a large number of recipients.
Additionally, the PDPC is proposing for infringements of the DNC Provisions under the new act to be enforced under an administrative regime similar to the PDPA. This will allow for prompt action to be taken in cases investigated by the PDPC which will be empowered to issue directions, including financial penalties, for infringements of the DNC Provisions under the new act.
According to the release, with more organisations relying on third-party DNC checkers, new legal obligations are proposed to ensure that they accurately communicate the results of their DNC Registry checks and prohibit their resale. Additionally, the PDPC is also seeking comments on whether the DNC Provisions should be extended to cover business-to-business (B2B) telemarketing messages.