On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation on the Personal Data Protection (Amendment) Bill 2020.
Perhaps counterintuitively, one of the things that the amendment bill does is to amend the Spam Control Act. So, let’s see what that is all about.
But first, for a sneak preview – this paper is about:
The headlines are that:
At present, it is true to say that the Spam Control Act is mostly disregarded. The Do Not Call provisions in the PDPA are seen to have duplicated it. This is partly, but not entirely, true in practice - even if it is not technically true.
The Spam Control Act defines 'commercial electronic message' in very similar, if not the same, terms as a 'specified message' under the PDPA - the difference is that:
The Spam Control Act is about sending unsolicited commercial electronic messages so the definition of an 'electronic message' is central to it.
An 'electronic message' is 'a message sent to an electronic address' and 'electronic address' means 'an electronic mail address or a mobile telephone number to which an electronic message can be sent.'
Therefore, commercial electronic messages are emails and SMS messages. (Voice calls are excluded explicitly.)
The Spam Control Act also prohibits the use of dictionary attacks and of address-harvesting software to send commercial electronic messages. The PDPA does not currently prevent the use of dictionary attacks and address-harvesting software.
The problem with the Spam Control Act
The Spam Control Act is mostly disregarded because enforcement is, to say the least, cumbersome. It can only be enforced by a person who suffers loss or damage as a result of a contravention of the Spam Control Act. They can go to Court to get various remedies, including statutory damages of $25 per message (up to a total of $1 million) if certain matters are proven.
It is seldom the case that taking Court action would be worthwhile. Indeed, a search of Singapore's legal records yields only one hit on 'Spam Control Act'...and it's an enforcement action by the Personal Data Protection Commission.
Instant messaging services
The first change to the Spam Control Act relates to instant messaging services. Examples of instant messaging services include WeChat, WhatsApp, Facebook Messenger, Line, Viber, SnapChat and Skype.
After the changes to the Spam Control Act take effect, a message sent via an instant messaging service to an instant messaging account is not an 'electronic message' if the name used to identify, or which is associated with, that instant messaging account is:
The effect of this change is that instant messaging service messages will not be 'commercial electronic messages' within the scope of the Spam Control Act.
Dictionary attacks and address-harvesting software
The second change to the Spam Control Act relates to dictionary attacks and address-harvesting software. The rules in the Spam Control Act about such practices will:
The rules in the Spam Control Act about instant messaging services when a message is sent to a mobile telephone number are:
From a practical and operational perspective, the thing to note is that the unwieldy enforcement provisions under the Spam Control Act will no longer be relevant to them.
Instead, the enforcement provisions under the PDPA will apply to instant messaging services that use mobile telephone numbers. The Commission will be able to enforce them by issuing directions, including a direction to pay a financial penalty, as set out at the end of this paper.
Definition of 'specified message'
At present a 'specified message' - that is, a marketing message - relates to the marketing of goods, services, land, an interest in land, a business opportunity or an investment opportunity.
This will continue, but in addition a specified message may relate to a 'specified purpose'. This is a purpose specified by the Commission (with the approval of the Minister) at any time.
In other words, the Commission will have the power to add an additional purpose or additional purposes to what may fall within the Do Not Call rules.
Dictionary attacks and Address-harvesting software - overview
The Do Not Call provisions are in Part IX of the PDPA. The amendment bill will add a new Part IXA to the PDPA. It will deal with dictionary attacks and address-harvesting software.
As mentioned above, use of these technologies is prohibited by the Spam Control Act, and that prohibition applies at present to all electronic messages (as defined in the Spam Control Act). After amendment of the Spam Control Act, electronic messages will not include messages sent using instant messaging services.
A 'dictionary attack' is the method by which the telephone number of a recipient is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations.
'Address-harvesting software' is software that is specifically designed or marketed for use for searching the internet for telephone numbers and collecting, compiling, capturing or otherwise harvesting those telephone numbers.
In other words, both dictionary attacks and address-harvesting software are ways of coming up with telephone numbers. In context, this is done with the intention of sending marketing messages - specified messages - to the users or subscribers of such telephone numbers.
When the rules about dictionary attacks and address-harvesting software will apply
The rules in the new Part IXA of the PDPA about dictionary attacks and address-harvesting software will apply whenever there is a 'Singapore link'. A message sent to a telephone number has a Singapore link if:
Prohibition on using dictionary attacks and address-harvesting software
A person will be prohibited from sending any message to a telephone number generated or obtained through the use of a dictionary attack or address-harvesting software.
(This does not apply to employees sending any such message in the course of their employment and on instructions given by their employer. However, if the employee is an 'officer' this defence may not be available to them.)
Consequences of failing to comply with Do Not Call provisions
Currently, it is an offence for:
Upon any contravention, the person is guilty of an offence and can be liable upon conviction for that offence to a fine not exceeding $10,000 (per offence). (Here 'person' includes a natural person/individual and a body corporate or other legal person.)
The draft amendment bill removes these offences from the PDPA.
At present, the Commission has the power to give directions whenever it finds that there has been a failure to comply with the data protection provisions in the PDPA - that is, Parts III to VI of the PDPA.
The amending bill gives the Commission the additional power to give directions whenever it finds that there has been a failure to comply with:
This includes the power to give a direction to pay a financial penalty. At present, any financial penalty may not exceed S$1 million. The amending bill changes this limit so that the financial penalty may not exceed the greater of S$1 million and 10 percent of the person’s annual turnover in Singapore.
Oh, and one final reminder: even though the prohibition on dictionary attacks and address-harvesting software applies only where they will be used to gather telephone numbers, organisations do need to ensure that they have consent to collect, use or disclose both telephone numbers and email addresses for marketing purposes.
'Clear and unambiguous consent' is a 'get out of jail free' card when an organisation does not check the relevant Do Not Call register before sending a marketing message.
But consent is required in accordance with the trinity of data protection obligations - the Notification Obligation, the Purpose Limitation Obligation and the Consent Obligation - in all cases.
Written by Lyn Boxall, Director, Lyn Boxall LLC
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.