A spamming we will go, a spamming we will go...but at what cost?

30 Jul, 2020

On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation of the Personal Data Protection (Amendment) Bill 2020.

Perhaps counterintuitively, one of the things that the amendment bill does is to amend the Spam Control Act. So, let’s see what that is all about.

But first, for a sneak preview – this paper is about:

  • what is being taken out of the Spam Control Act and 
  • what is being put into the Personal Data Protection Act, the PDPA

The headlines are that:

  • messages sent via an instant messaging service will be within the scope of the Do Not Call provisions in the PDPA
  • dictionary attacks and address-harvesting software used to gather telephone numbers will be prohibited by the PDPA and 
  • the Commission will be able to enforce compliance with the Do Not Call provisions and compliance with the prohibition on dictionary attacks and address-harvesting software by issuing directions, including directions requiring payment of a monetary penalty

Overview of the Spam Control Act and of the Do Not Call regime in the PDPA

Background

At present, it is true to say that the Spam Control Act is mostly disregarded. The Do Not Call provisions in the PDPA are seen to have duplicated it. This is partly, but not entirely, true in practice - even if it is not technically true.

The Spam Control Act defines 'commercial electronic message' in very similar, if not the same, terms as a 'specified message' under the PDPA - the difference is that:

  1. the Spam Control Act is about sending unsolicited commercial electronic messages in bulk to email addresses and to mobile telephone numbers (that is, for example, SMS messages)
  2. the Do Not Call provisions are about sending specified messages to Singapore telephone numbers without checking the Do Not Call register or getting clear and unambiguous consent

The Spam Control Act is about sending unsolicited commercial electronic messages so the definition of an 'electronic message' is central to it.  

An 'electronic message' is 'a message sent to an electronic address' and 'electronic address' means 'an electronic mail address or a mobile telephone number to which an electronic message can be sent.' 

Therefore, commercial electronic messages are emails and SMS messages. (Voice calls are excluded explicitly.)

The Spam Control Act also prohibits the use of dictionary attacks and of address-harvesting software to send commercial electronic messages. The PDPA does not currently prevent the use of dictionary attacks and address-harvesting software.

The problem with the Spam Control Act

The Spam Control Act is mostly disregarded because enforcement is, to say the least, cumbersome. It can only be enforced by a person who suffers loss or damage as a result of a contravention of the Spam Control Act. They can go to Court to get various remedies, including statutory damages of $25 per message (up to a total of $1 million) if certain matters are proven.  

It is seldom the case that taking Court action would be worthwhile. Indeed, a search of Singapore's legal records yields only one hit on 'Spam Control Act'...and it's an enforcement action by the Personal Data Protection Commission.

What is changing in the Spam Control Act?

Instant messaging services

The first change to the Spam Control Act relates to instant messaging services. Examples of instant messaging services include WeChat, WhatsApp, Facebook Messenger, Line, Viber, SnapChat and Skype.  

After the changes to the Spam Control Act take effect, a message sent via an instant messaging service to an instant messaging account is not an 'electronic message' if the name used to identify, or which is associated with, that instant messaging account is:

  • an email address or 
  • a mobile telephone number

The effect of this change is that instant messaging service messages will not be 'commercial electronic messages' within the scope of the Spam Control Act.

Dictionary attacks and address-harvesting software

The second change to the Spam Control Act relates to dictionary attacks and address-harvesting software. The rules in the Spam Control Act about such practices will:

  • no longer apply to any electronic message sent to a mobile telephone number and
  • continue to apply to any electronic messages sent to an email address

Why are these changes being made?

The rules in the Spam Control Act about instant messaging services, where a message is sent to a mobile telephone number, are:

  • being taken out of the Spam Control Act and 
  • being put into the PDPA

From a practical and operational perspective, the thing to note is that the unwieldy enforcement provisions under the Spam Control Act will no longer be relevant to them.  

Instead, the enforcement provisions under the PDPA will apply to instant messaging services that use mobile telephone numbers. The Commission will be able to enforce them by issuing directions, including a direction to pay a financial penalty, as set out at the end of this paper.

Changes in the Do Not Call provisions in the PDPA

Definition of 'specified message'

At present a 'specified message' - that is, a marketing message - relates to the marketing of goods, services, land, an interest in land, a business opportunity or an investment opportunity.

This will continue, but in addition a specified message may relate to a 'specified purpose'. This is a purpose specified by the Commission (with the approval of the Minister) at any time.  

In other words, the Commission will have the power to add an additional purpose or additional purposes to what may fall within the Do Not Call rules.

Dictionary attacks and Address-harvesting software - overview 

The Do Not Call provisions are in Part IX of the PDPA. The amendment bill will add a new Part IXA to the PDPA. It will deal with dictionary attacks and address-harvesting software.  

As mentioned above, use of these technologies is prohibited by the Spam Control Act, and that prohibition applies at present to all electronic messages (as defined in the Spam Control Act). After amendment of the Spam Control Act, electronic messages will not include messages sent using instant messaging services.

A 'dictionary attack' is the method by which the telephone number of a recipient is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations.

'Address-harvesting software' is software that is specifically designed or marketed for use in searching the internet for telephone numbers and collecting, compiling, capturing or otherwise harvesting those telephone numbers.

In other words, both dictionary attacks and address-harvesting software are ways of coming up with telephone numbers. In context, this is done with the intention of sending marketing messages - specified messages - to the users or subscribers of such telephone numbers. 

When the rules about dictionary attacks and address-harvesting software will apply

The rules in the new Part IXA of the PDPA about dictionary attacks and address-harvesting software will apply whenever there is a 'Singapore link'. A message sent to a telephone number has a Singapore link if:

  1. the message originates in Singapore or
  2. the sender of the message is (if the sender is an individual) physically present in Singapore when the message is sent or (if the sender is not an individual) is formed or recognised under the law of Singapore or has an office or a place of business in Singapore or
  3. the telephone, mobile telephone or device that is used to access the message is located in Singapore or
  4. the recipient is (if the recipient is an individual) physically present in Singapore when the message is accessed or (if the recipient is not an individual) carries on business or activities in Singapore when the message is accessed or
  5. if the message cannot be delivered because the telephone number has ceased to exist (assuming that it had previously existed), it is reasonably likely that the message would have been accessed using a telephone, mobile telephone or device located in Singapore

Prohibition on using dictionary attacks and address-harvesting software

A person will be prohibited from sending any message to a telephone number generated or obtained through the use of a dictionary attack or address-harvesting software.

(This does not apply to employees sending any such message in the course of their employment and on instructions given by their employer. However, if the employee is an 'officer' this defence may not be available to them.)

Consequences of failing to comply with Do Not Call provisions

Currently, it is an offence for:

  1. a person to send a specified message without first checking the Do Not Call register (unless the person has clear and unambiguous consent to send it)
  2. a person to fail to provide certain information (such as information identifying themselves) when they send a specified message
  3. a person to withhold their calling line identity when sending a specified message

Upon any contravention, the person is guilty of an offence and can be liable upon conviction for that offence to a fine not exceeding $10,000 (per offence). (Here 'person' includes a natural person/individual and a body corporate or other legal person.)

The draft amendment bill removes these offences from the PDPA.

Enforcement of the Do Not Call provisions and of the dictionary attack and address-harvesting software provisions

At present, the Commission has the power to give directions whenever it finds that there has been a failure to comply with the data protection provisions in the PDPA - that is, Parts III to VI of the PDPA.

The amending bill gives the Commission the additional power to give directions whenever it finds that there has been a failure to comply with:

  1. Part IX of the PDPA - that is, the Do Not Call provisions or
  2. Part IXA of the PDPA - that is, the prohibition on using dictionary attacks and address-harvesting software

This includes the power to give a direction to pay a financial penalty. At present, any financial penalty may not exceed S$1 million. The amending bill changes this limit so that the financial penalty may not exceed the greater of S$1 million and 10 percent of the person’s annual turnover in Singapore.

Oh, and one final reminder: even though the prohibition on dictionary attacks and address-harvesting software applies only where they will be used to gather telephone numbers, organisations do need to ensure that they have consent to collect, use or disclose both telephone numbers and email addresses for marketing purposes.  

'Clear and unambiguous consent' is a 'get out of jail free' card when an organisation does not check the relevant Do Not Call register before sending a marketing message.  

But consent is required in accordance with the trinity of data protection obligations - the Notification Obligation, the Purpose Limitation Obligation and the Consent Obligation - in all cases.


Written by Lyn Boxall, Director, Lyn Boxall LLC

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
