16 November, 2018
Businesses in Singapore that come under fire for the innovative way they use personal data will generally be immune from enforcement action in the city state if its data protection authority has previously endorsed the activities, the authority has said.
The announcement by the Personal Data Protection Commission (PDPC) (19-page / 557KB PDF) concerns how a new framework of 'enhanced practical guidance' (EPG) it is setting up will work in practice.
Under that framework, businesses in Singapore will be able to apply to the PDPC for a "determination" that confirms "whether a particular business activity complies with the data protection provisions under the PDPA".
The PDPA is the Personal Data Protection Act in Singapore.
In a response it has published to feedback it obtained on a consultation on the EPG proposals earlier this year, the PDPC clarified when businesses benefiting from an EPG determination will be immune from subsequent findings of non-compliance.
"PDPC intends to retain its proposal that it will not find the organisation in breach of the PDPA in relation to the subject matter for which it has issued a determination confirming that the matter is in compliance with the PDPA," the watchdog said. "This is save for certain prescribed circumstances, in particular, where there have been changes made to an aspect of the PDPA that is relevant to the determination, or the information provided by the organisation with which the PDPC’s determination was made was false, misleading or no longer accurate – which would render the determination invalid."
"In relation to queries on what PDPC considers to be 'no longer accurate', PDPC intends to assess the material inaccuracy of the information provided by the organisation that would have affected the EPG issued," it said.
"Organisations may seek supplemental EPG if there are any material changes (e.g., changes to business situations, products or services) to the proposal in its original application. In addition, PDPC intends to impose a validity period for all determinations. The validity period will be decided on a case-by-case basis."
"PDPC also intends to retain its proposal not to initiate investigations in the event it finds any non-compliance with the PDPA based on the information submitted by the organisation during the EPG determination process, regardless of whether the non-compliance is related to the scope of the EPG. Where there is an ongoing investigation into the organisation, EPG applications made to PDPC on the same subject matter will not be accepted," it said.
In its response paper, the PDPC confirmed that strict criteria will apply to its EPG to limit the type of queries companies can raise. Queries must be "complex or novel" and concern proposed business activities that are "more than just exploratory". The queries will have to contain "sufficiently detailed plans" if they are to be considered by the watchdog, it said.
While businesses will be able to seek the PDPC's guidance through their legal advisers, they will not be able to pose queries that amount to a request for legal advice. The PDPC explained that questions about "IT security arrangements" required to comply with the PDPA are an example of a request which would fall into the 'legal advice' category under the EPG framework.
A spokesperson for the PDPC told Out-Law.com that its review of the PDPA is still ongoing and that the enhanced practical guidance framework will be implemented when the proposed amendments to the Act come into effect.
"This new feature offers greater certainty for organisations needing it and who are willing to take the extra effort to obtain the guidance," said Bryan Tan of Pinsent Masons MPillay.
In its earlier consultation paper, the PDPC outlined plans to bring together and streamline existing 'do not call' (DNC) rules contained in the PDPA, and the country's Spam Control Act (SCA), which applies to emails that are sent in bulk. The DNC rules require businesses to check a DNC register (DNCR) of Singapore telephone numbers before sending marketing communications to ensure they do not send messages to consumers that have opted out of receiving them.
One of the main changes would see the law updated to reflect the fact that marketing communications are often addressed to 'instant messaging' (IM) identifiers. Messages sent in this way are currently outside the scope of regulation.
In its response paper, the PDPC confirmed its intention to go ahead with the DNC and SCA reforms and clarified that the proposed new restrictions on unsolicited marketing will apply to "images, videos and audio files that contain commercial messages" as well as to text messages, but that "in-app notifications" would be outside the scope of the new rules.
The PDPC also said it would follow through with plans to make businesses that check the DNCR on behalf of businesses engaging in marketing communications responsible for sharing "accurate information" with the senders from their DNCR screening exercises. The third parties could be held liable for failing to meet the accuracy obligation, although the senders will also face obligations to carry out and evidence due diligence on those providers.
The watchdog said that the introduction of those safeguards means that it will not "prohibit the resale of results of telephone numbers checked against the DNCR".
This article was published in Out-Law.
For further information please contact:
Bryan Tan, Partner, Pinsent Masons MPillay
bryan.tan@pinsentmasons.com