Data privacy watchdog proposes tougher regulations against unsolicited commercial messages

SINGAPORE – In a bid to better protect consumers from unsolicited telemarketing and spam messages, the Republic’s data privacy watchdog is proposing new regulations that would ban the use of “harvesting” software used to compile large recipient lists, while requiring companies to act more quickly to stop sending unsolicited marketing messages.

The proposed changes, which follow similar approaches in places like Hong Kong and United Kingdom, are also aimed at reducing the ambiguity for companies when sending commercial messages, the Personal Data Protection Commission (PDPC) said on Friday (April 27).

The proposals are up for public consultation until June 7, and revisions to the Personal Data Protection Act (PDPA) are expected to be tabled in Parliament by next year.

One of the Commission’s main proposal is to merge the Do Not Call Provisions of the PDPA and the Spam Control Act under a single Act governing unsolicited commercial messages.

As part of requirements under the new Act, the “withdrawal of consent” period under the Do Not Call Provisions will be reduced from the current 30 calendar days to 10 business days.

This means companies must act faster to stop sending the related marketing messages once consumers have formally withdrawn their consent for the firms to send them the promotional material.

This change will ensure consistency with provisions under the Spam Control Act, which also has a “withdrawal of consent” period of 10 business days, and “minimise potential confusion” for organisations complying with both provisions, said the commission.

The proposed changes will also beef up efforts to clamp down on spammers who use software to generate large email contact lists.

Such lists can be generated by using harvesting software, which are specifically designed to trawl the Internet for email addresses, or via “dictionary attacks”, where possible email addresses are generated via the combinations of different names, letters and numbers.

“This will help ensure Singapore does not become a haven for spammers using such technologies to send unsolicited commercial messages to a large number of recipients,” said the PDPC.

Meanwhile, companies which send unsolicited messages via instant messaging platforms must ensure they have a functioning “unsubscribe” option.

Under the new Act, the PDPC is also proposing that a new administrative regime be given the authority to deal with infringements under the Do Not Call Provisions. Currently, it is up to the courts to enforce any penalties if there is a breach.

“This will allow for prompt action to be taken in cases investigated by the PDPC, which will be empowered to issue directions, including financial penalties,” the commission said.