By Chei-Liang Sin, Luke Grubb & Sally Murphy

The Personal Data Protection Commission (the Commission) was established in January 2013 to implement and enforce The Personal Data Protection Act 2012 (PDPA). The PDPA fully came into force on 2 July 2014. So far, the Commission has mainly used its investigation and enforcement powers to take action against organisations not adhering to the Do Not Call provisions of the PDPA. However, the Commission is also in the process of investigating a complaint that Xiaomi, a major smartphone maker and Chinese company, breached its obligations in Singapore’s first data breach under the PDPA.

What is the PDPA?

The PDPA aims to implement measures which provide transparency for individuals about how their personal data is used by organisations. It also introduces potential fines for breaches of up to S$1 million per breach. Any organisation that breaches the Do Not Call provisions in the PDPA will be liable to a fine of up to S$10,000 for each offence.

At a high level, the PDPA sets out a number of key obligations which organisations must comply with including:

  • Notification: Must notify individuals prior to collection of the purposes for which the organisation intends to collect, use or disclose the individual’s personal data
  • Purpose: May only collect, use or disclose personal data about an individual for purposes which are reasonable in the circumstances, or those about which the individual has been notified
  • Consent: May only collect, use or disclose an individual’s personal data if the organisation has obtained consent from that individual (subject to certain exclusions)
  • Accuracy, Protection and Retention: Must take care of personal data, ensuring that it is:
    • Accurate and complete (if it is likely to be (i) used to make a decision or (ii) disclosed to another organisation)
    • Kept secure
    • Only retained while there is a valid purpose or business or legal reason for doing so
  • Data Protection Officer: Must designate at least one person to be responsible for ensuring that the organisation complies with the PDPA. A data protection officer might, for example, be responsible for implementing and developing the organisation’s personal data protection policies.

Do Not Call Registries

The PDPA also established Do Not Call registers (the “Registers”) and associated provisions to control the sending of marketing messages to Singapore telephone numbers — which have been in force since January 2014. Organisations which send marketing messages to Singapore telephone numbers must first check whether the number is on the Registers, unless the organisation has obtained clear and unambiguous consent to send such messages to the Singapore number. f a marketing message is sent to a Singapore number which is on the Registers and the organisation does not have consent, the organisation will be in breach of the Do Not Call provisions. The Do Not Call provisions also prescribe that the content of the message must identify the sender and provide the sender’s contact details.

Organisations may register for access to the lists here.  Numbers may be submitted for review using an interactive form or in bulk.  There are three registries—one each for voice, text (SMS) and fax calls, but results to queries are based on all three lists, so one must check a discrete list for the type of marketing call being placed (if an organisation places more than one type of calls).  There is a per number charge for access to the registries with volume discounts.

What happens if my organisation breaches the PDPA?

The PDPA provides the Commission with a variety of tools it can use to enforce and investigate breaches of the PDPA including:

  • Entering premises to gain access to information, documents and equipment relevant to an investigation
  • Requiring a breaching organisation to comply with any or all of the following directions:
    • Stop collecting, using or disclosing personal data in contravention of the PDPA
    • Destroy personal data collected in contravention of the PDPA
    • Comply with any direction of the Commission under section 28(2) of the PDPA
    • Pay a financial penalty of such amount, not exceeding S$1 million, as the Commission thinks fit

How strictly is the Commission enforcing the PDPA?

Since the full implementation of the PDPA, all of the penalties the Commission has issued have been handed out to organisations or individuals in breach of the Do Not Call provisions. In August 2014, the Commission found that a tuition agency was sending unwanted marketing SMS messages to individuals registered on the Registers. The tuition agency and its director were fined S$39,000 each. In October 2014, a property agent was fined S$27,000 for breaching the Do Not Call provisions.

Media outlets reported in August 2014 that the Commission was in the process of investigating the alleged breach by smartphone maker, Xiaomi, of the PDPA. According to the reports, the allegation against Xiaomi is that on start-up, the phone automatically sent certain personal data, including information from the user’s phone book to an external server without obtaining the users consent. The Commission has not yet reported the outcome of the investigation.

The PDPA has only very recently been implemented and the Commission is still in its infancy. Because of this, a decision from the Commission on the Xiaomi investigation is eagerly anticipated; the conduct of the investigation and its outcome will be instructive in understanding the teeth behind Singapore’s new data privacy regime. The penalties handed out by the Commission so far indicate that it is taking breaches of the PDPA’s Do Not Call provisions seriously. Entities marketing within Singapore should familiarise themselves with those provisions to avoid falling foul of them.