Data privacy watchdog proposes new law to merge rules on spam, unsolicited calls

Data privacy watchdog proposes new law to merge rules on spam, unsolicited calls

A proposal to merge the rules governing telemarketing and spam messages into a new law was announced on Friday (Apr 27) by the Personal Data Protection Commission (PDPC), which said this is aimed at ​​​​​​​better protecting people from unsolicited commercial messages.

SINGAPORE: A proposal to merge the rules governing telemarketing and spam messages into a new law was announced on Friday (Apr 27) by the Personal Data Protection Commission (PDPC), which said this is aimed at better protecting people from unsolicited commercial messages.

For instance, consumers will be able to block unwanted marketing messages received via instant messaging apps under the proposed law.

The data privacy watchdog also wants to streamline processes. Consumers can expect a shorter withdrawal of consent period under the Do Not Call provisions (DNC), from the current 30 calendar days to 10 business days, if the proposals are approved. 

In a press release, PDPC said the proposal is part of the second round of public consultation on the Personal Data Protection Act (PDPA), to ensure that the law stays relevant with technological developments and changes in business practices.

Its first round of public consultation focused on a proposal for organisations to report certain data breaches to customers. The majority of the 68 responses received were “supportive” of the mandatory breach notification regime, PDPC said in February.

This time round, the Commission is looking to merge the Do Not Call provisions within the PDPA with the Spam Control Act.

The latter applies to electronic messages such as email and text messages when sent in bulk, and it was a “light touch” legislation enacted in 2007, according to the public consultation paper released on Friday. It is intended to fill the gap in tackling the less serious forms of spamming activities that were not within the reach of other laws such as the then-Computer Misuse Act.  

“While the PDPA and the Spam Control Act were enacted as separate legislation with different enforcement regimes, both aim to address consumer annoyance and provide consumers greater control over the number of unsolicited marketing messages received,” the privacy watchdog wrote in the consultation paper.

In combining both, the new legislation will govern all unsolicited commercial messages, and follows similar approaches in other places such as Hong Kong and the United Kingdom, it added.

These are some of the proposals laid out by PDPC:

  • Providing a shorter withdrawal of consent period for consumers
    Individuals can expect their withdrawal of consent under the DNC provisions to take effect within 10 business days, instead of the current 30 calendar days. This is in line with that stipulated under the Spam Control Act.
  • Regulating unsolicited commercial messages sent in bulk via instant messaging (IM) tools
    The rules under spam control will be extended to include messages sent in bulk via IM identifiers, such as account or log-in ID create by the user, under the new proposed legislation. Today, commercial messages sent this way are not covered under DNC or SCA provisions so consumers may continue to receive marketing text messages, PDPC said.

    With this, organisations that send unsolicited commercial messages using IM, for example, will have to make sure they have a “unsubscribe” function, the paper proposed.

    However, it acknowledged there are “practical difficulties” of implementing a national register for IM identifiers. These include the difficulty of verifying if an IM identifier is held by someone in Singapore and to track whether it is still in use or has been terminated, and the costs involved if companies have to check multiple registers and for all IM identifiers.

    “For these reasons, the intention is to treat IM identifiers similarly to email addresses under the Spam Control Provisions under the new Act, which would be maintained as unsubscribe lists by organisations that intend to send unsolicited commercial text messages via IM identifiers in bulk,” it said.
  • Prohibiting the use of dictionary attacks and address harvesting software
    Also being mooted under the new law is the prohibition of the use of random number generators or address harvesting software to generate telephone numbers, IM identifiers or email addresses for sending commercial messages.

    A dictionary attack refers to the method by which the electronic address of a recipient is obtained using an automated means that generates possible electronic addresses by combining names, letters, numbers, punctuation marks or symbols into numerous permutations, the consultation paper said.

In addition to these measures, the PDPC suggests that infringements of the Do Not Call provisions under the new law be enforced under an administrative regime similar to PDPA.

Currently, certain breaches such as the duty to check the DNC registry, provision of contact information and not to conceal the calling line identity are enforced as criminal offences.

Placing these breaches under an administrative regime will allow the watchdog to “better allocate resources for faster resolution of cases investigated”, as well as issue directions, including financial penalties, for these infringements, PDPC said.

The closing date for comments on the public consultation paper is Jun 7, the agency said.

Source: CNA/kk

Bookmark