A spamming we will go, a spamming we will go...but at what cost?
2020-07-30
On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation of the Personal Data Protection (Amendment) Bill 2020.
Perhaps counterintuitively, one of the things that the amendment bill does is to amend the Spam Control Act. So, let’s see what that is all about.
But first, for a sneak preview – this paper is about:
- what is being taken out of the Spam Control Act and
- what is being put into the Personal Data Protection Act, the PDPA
The headlines are that:
- messages sent via an instant messaging service will be within the scope of the Do Not Call provisions in the PDPA
- that dictionary attacks and address-harvesting software used to gather telephone numbers will be prohibited by the PDPA and
- the Commission will be able to enforce compliance with the Do Not Call provisions and compliance with the prohibition on dictionary attacks and address-harvesting software by issuing directions, including directions requiring payment of a monetary penalty
Overview of the Spam Control Act and of the Do Not Call regime in the PDPA
Background
At present, it is true to say that the Spam Control Act is mostly disregarded. The Do Not Call provisions in the PDPA are seen to have duplicated it. This is partly, but not entirely, true in practice - even it is not technically true.
The Spam Control Act defines 'commercial electronic message' in very similar, if not the same, terms as a 'specified message' under the PDPA - the difference is that:
- the Spam Control Act is about sending unsolicited commercial electronic messages in bulk to email addresses and to mobile telephone numbers (that is, for example, SMS messages)
- the Do Not Call provisions are about sending specified messages to Singapore telephone numbers without checking the Do Not Call register or getting clear and unambiguous consent
The Spam Control Act is about sending unsolicited commercial electronic messages so the definition of an 'electronic message' is central to it.
An 'electronic message' is 'a message sent to an electronic address' and 'electronic address' means 'an electronic mail address or a mobile telephone number to which an electronic message can be sent.'
Therefore, commercial electronic messages are emails and SMS messages. (Voice calls are excluded explicitly.)
The Spam Control Act also prohibits the use of dictionary attacks and of address-harvesting software to send commercial electronic messages. The PDPA does not currently prevent the use of dictionary attacks and address-harvesting software.
The problem with the Spam Control Act
The Spam Control Act is mostly disregarded because enforcement is, to say the least, cumbersome. It can only be enforced by a person who suffers loss or damage as a result of a contravention of the Spam Control Act. They can go to Court to get various remedies, including statutory damages of $25 per message (up to a total of $1 million) if certain matters are proven.
It is seldom the case that taking Court action would be worthwhile. Indeed, a search of Singapore's legal records yields only one hit on
Already a member?
Unlock these benefits
Get access to news, enforcement cases, events, and actionable tips and guides
Get regular email updates and offers
Job opportunities, mentorship and career guidance
Exclusive access to Data Protection community - ask questions, network and share knowledge with peers and experts via WhatsApp and Linkedin
DPEX Network is a Community Initiative of Straits Interactive.
Copyright © Straits Interactive Pte Ltd. All Rights Reserved.
All intellectual property rights to logos and brands featured on this website remain the property of their respective owners.