Singapore – PDPC Issues Advisory Guidelines For The Telecommunication And Real Estate Agency Sectors.

23 May, 2014

 

 

Background

 

On 16 May 2014, the Personal Data Protection Commission (“PDPC”) issued the finalised Advisory Guidelines for the Telecommunication Sector (“Telecoms Guidelines”) and the Advisory Guidelines for the Real Estate Agency Sector (“Real Estate Agency Guidelines”). This comes after public feedback on both sets of guidelines, which were developed in consultation with the Info-Communications Development Authority of Singapore (“IDA”) and the Council for Estate Agencies (“CEA”) respectively.

 

The guidelines offer illustrations of how both the Data Protection Provisions (“DP Provisions”) and the Do-Not-Call Provisions (“DNC Provisions”) under the Personal Data Protection Act (“PDPA”) apply to scenarios faced in each sector, with the aim of addressing the unique circumstances faced by both sectors in complying with the PDPA.

 

With respect to the telecoms sector, IDA also introduced corresponding amendments to the Telecoms Competition Code (“TCC”). The amendments to the TCC, which similarly underwent public consultation, seek to streamline the framework governing the use of End User Service Information (“EUSI”) in the telecommunication sector, in view of the primary framework for personal data protection under the PDPA.
These developments are timely in view of the coming into effect of the DP Provisions on 2 July 2014, following the operation of the DNC Provisions as from 2 January 2014.

 

In relation to the application of the DNC Provisions, both documents provide sector-specific guidance as to:

 

(a) whether messages are specified messages;

 

(b) whether there is an ongoing relationship for the purposes of the Personal Data Protection (Exemption from Section 43) Order (S 817/2013) (“Exemption Order”);

 

(c) whether a message is related to the subject of an ongoing relationship, for the purposes of the Exemption Order; and

 

(d) obtaining clear and unambiguous consent in evidential form.

 

The application of the DP Provisions to each sector is discussed in greater detail below.

 

Part I: Telecoms Guidelines

 

Telephone Numbers And IMEI Numbers

 

The PDPC has clarified that an individual’s mobile telephone number is likely to be personal data (see End Note 1), as it may be uniquely associated with an individual. A telephone number shared by more than one individual (eg a landline shared by several residents in a dwelling) may also be considered personal data if its combination with other information that the organisation has or is likely to have access to allows an individual to be identified.

 

The PDPC also makes clear that International Mobile Station Equipment Identity (“IMEI”) numbers, on their own, would generally not constitute personal data, as they merely identify a network device and not an individual. Nonetheless, IMEI numbers remain capable of identifying an individual, and thus of constituting personal data, when combined with other information.

 

Inbound And Outbound Roaming

 

In the case of inbound roaming, the PDPC recognises that a Singapore telecommunication operator may collect personal data (eg telephone number, device identifier, service usage patterns) of a foreign mobile user (ie the inbound roamer) in the provision of its roaming service to him.

 

Where such personal data collected is transferred to the respective home operators (eg for billing purposes), the Singapore operator could potentially be a data intermediary, to the extent that it is “processing” the personal data on behalf of and for the purposes of each home operator pursuant to a contract evidenced or made in writing with that home operator. “Processing” is defined as “the carrying out of any operation or set of operations in relation to the personal data”, and includes the recording, holding, organisation, adaptation or alteration, retrieval, combination, transmission, and erasure or destruction of such data.

 

If the Singapore operator is acting as such a data intermediary, it would be required to comply only with the Protection Obligation and Retention Limitation Obligation of the PDPA, and only in relation to the personal data which it processes as a data intermediary of the home operator. Where the Singapore operator is not acting as such a data intermediary, such as when it is collecting, using, disclosing or otherwise processing the personal data of inbound roamers for purposes beyond what has been contractually agreed with the foreign operator, the DP Provisions would apply to such activities, unless an exception under the PDPA applies.

 

In this regard, taking into account the IDA’s amendments to the EUSI framework under the TCC (discussed in greater detail under Part II below), Singapore operators would, from 2 July 2014, be exempted from the Consent Obligation (pursuant to the exception where the collection, use or disclosure without the consent of the individual is required or authorised under a written law) in respect of the collection, use or disclosure of EUSI which is reasonably necessary for the provision of mobile roaming-related information to in-bound roamers in Singapore.

 

With respect to outbound roaming, the PDPC has noted that Singapore operators typically have contractual agreements in place with foreign operators to provide mobile services to outbound roamers. In this regard, the PDPC highlights that Singapore operators are required to comply with the Consent, Notification and Transfer Limitation Obligations, to the extent that personal data is disclosed to the foreign operators.

 

Importantly, we note that the authorisation under the TCC in respect of the collection, use or disclosure of EUSI for providing roaming-related information does not extend to outbound roaming. Singapore operators would therefore have to obtain consent from subscribers of their mobile or roaming services to disclose their EUSI to foreign operators. 

 

Provision Of Subscriber Identity For Calls Or Text Messages 


The PDPC considers that a subscriber who opts to have an “unblocked” or a “listed” telephone number would, given established practice, be aware that the telephone number would be collected, used or disclosed for the purpose of identifying him to other parties. As such, where his personal data (ie the number) is provided to a recipient as part of his initiating a call / sending a message, he may be deemed to have consented to the collection, use or disclosure of his telephone number for such a purpose, since he would have provided the data voluntarily, and it would be reasonable for him to do so. 


Conversely, where a subscriber opts or subsequently applies for a “blocked” or an “unlisted” number, he would be considered as not having consented or having withdrawn his consent for the collection, use or disclosure of his telephone number for the purpose of identifying himself to recipients of his calls / messages.


The PDPC notes further that, where a subscriber is deemed to have given consent for the disclosure of his telephone number by one telecommunication operator to another, for the purpose of identifying himself to the recipient of his call/message, consent for the collection, use or disclosure of the telephone number by that other operator may be deemed for the same purpose. 


Displaying Personal Data In Itemised Bills

 

The PDPC considers that the display of call data in itemised bills for telecommunication services may reflect personal data of both the subscriber and that of other individuals. However, the PDPC notes further that the consent obtained by the subscriber to make a call / send a message to an individual or vice versa would extend to the display of such call data in the subscriber’s itemised bill, such that there would not be a need for further consent. 


Pre-Paid Mobile Services 


The sale of pre-paid cards may involve the collection of various types of personal data from the individual by the telecommunication operator (or the reseller of the pre-paid card). In addition, such personal data would typically be used by the telecommunication operator for a number of purposes, such as

 

(a) providing telecommunication services to the individual;
(b) complying with requirements under written law;
(c) sending messages to the Singapore telephone number tied to the pre-paid card; and
(d) analysing usage profiles of the pre-paid subscriber base to plan new pre-paid products and services.

 

Where an individual voluntarily provides his personal data to a reseller for the above purposes, he may be deemed to have consented to the disclosure of his personal data by the reseller to the telecommunication operator for these purposes. 


Moreover, the PDPC notes that a reseller may, depending on the arrangements with the respective telecommunication operators, be considered to be a data intermediary acting pursuant to a contract made or evidenced in writing, such that it would only be subject to the Protection and Retention Limitation Obligations. 


In this regard, telecommunication operators should assess how best they can ensure compliance with the DP Provisions, or if there are applicable exceptions (eg where such collection, use or disclosure of personal data is required under written law). 


For example, a telecommunication operator may consider briefly stating the purposes for which it will collect, use and disclose a subscriber’s personal data on the pre-paid card itself, or in the service activation message, and referring the subscriber to its website for its data protection policy or a more detailed statement of the purposes. Alternatively, it may require its resellers to provide subscribers with a separate notice stating these purposes.

 

Inclusion Of Advertisements With Bills 


In relation to the inclusion of advertisements by telecommunication operators with bills, the PDPC considers that this would amount to the use of personal data for advertising purposes. This is regardless of whether the advertisements are addressed to the individual.
As such, a telecommunication operator would be required to obtain consent in respect of such use of its subscribers’ personal data. Moreover, the operator would be required to allow and facilitate withdrawals of consent in respect of such purposes.


Rights And Obligations, Etc Under Other Laws

 

Liability Of Network Service Providers

 

Pursuant to Section 67 of the PDPA (which amends Section 26 of the Electronic Transactions Act (Cap. 88)), Network Service Providers (“NSPs”) would be able to collect, use and disclose personal data without consent, where it is in respect of third-party material in the form of electronic records to which they merely provide access, such as in the case of the temporary and automatic caching of data in relation to certain websites by an Internet Service Provider.

 

End User Service Information

 

Telecommunication operators would be allowed to collect, use or disclose EUSI (some of which qualifies as personal data) without consent, in the specific circumstances set out within the regulatory framework governing such collection, use and disclosure. In this regard, please refer to our discussion on the amendments to the TCC in Part II below.

 

Part II: Changes To The Telecoms Competition Code

 

The amendments to the TCC relate to the framework governing the use of EUSI in the telecommunication sector under Section 3 of the TCC (Duty of Licensees To Their End Users), specifically, to: 


(a) sub-section 3.2.6.2; and
(b) sub-section 3.3.7.

 

EUSI is defined as “consist[ing] of all information that a Licensee obtains as a result of an End User’s use of a Service provided by the Licensee”, and includes (without limitation) information regarding the services used by the end user, his usage patterns, telephone number and network configuration, location information and billing name, address and credit history. As such, EUSI could potentially constitute personal data for the purposes of the PDPA, to the extent that it is capable of identifying an individual (either by itself or when combined with other information). 


The current sub-section 3.2.6.2 provides that telecommunication licensees (“licensees”) may not use EUSI without the end user’s consent for any purpose other than those stated in the sub-section itself. In the context of the PDPA, licensees would therefore not be required to obtain consent from end users for the use or disclosure of any EUSI constituting personal data in respect of the listed purposes, pursuant to the “other written law” exception. 


In turn, sub-section 3.3.7 provides that all End User Service Agreements (“EUSAs”) must state:

 

(a) that the licensee will use the EUSI only for the purposes under sub-section 3.2.6.2 unless the end user has provided consent; and

 

(b) the additional purposes which the licensee may use EUSI for, and the means by which the end user can grant consent or withdraw consent for such purposes.

 

Broadly, the amendments introduce a distinction between the authorisation framework for Residential EUSI and that for Business EUSI. The underlying rationale for this is that Residential EUSI would generally qualify as personal data, given that it would be possible to identify an individual from such information and other information in the licensee’s possession; whereas not all Business EUSI may be classified as personal data, in view of the exclusion of business contact information (“BCI”) from the application of the DP Provisions. 


As an illustration, IDA has clarified that all end users of mobile plans subscribed by companies for their employees will generally be considered business end users, while end users of mobile plans with corporate discounts (which employees can subscribe to at their own discretion) will be considered residential end users. 


A summary of the revised EUSI framework is set out below. 


Authorisation Framework For Residential EUSI 


Authorisation For Collection And Use Of Residential EUSI For “Planning” Purposes 


Under the amended sub-section 3.2.6.2, licensees are authorised to collect and use Residential EUSI for “planning” purposes. However, the purposes of “provisioning and billing” for telecommunication services will no longer be authorised, as IDA has considered that consent in respect of these purposes may reasonably be obtained at the point where end users contract for the services (eg by including these purposes within the EUSAs).


In addition, the purpose of “planning” has been scoped to encompass only “planning requirements in relation to network operations or network maintenance for any Service provided by the Licensee”. In this regard, IDA has clarified that the tightened scope does not prohibit licensees from collecting and using Residential EUSI for network planning purposes to facilitate their provision of services to end users, and in fact covers activities to maintain network performance and network enhancements, such as the collection and use of network usage information to plan or manage network capacities. 


Conversely, IDA’s intent is to ensure that Residential EUSI is not used for planning activities which are commercial in nature, such as business, product or marketing planning. To conduct such activities, licensees would therefore have to obtain consent from end users. 


Authorisation For Collection, Use And Disclosure Of Residential EUSI For Interconnection And Inter-Operability Purposes

 

IDA has decided to authorise the collection, use and disclosure of Residential EUSI without consent for the purposes of interconnection and inter-operability, in view of the impracticality of seeking end users’ consent for such technical matters which are inherent aspects of telecommunication service provisioning.

 

Authorisation For Collection, Use And Disclosure Of Residential EUSI For Providing Roaming-Related Information To Inbound Roamers


Recognising the impracticality for licensees to obtain inbound roamers’ express consent for the provision of roaming-related information (see End Note 2) prior to their arrival in Singapore or before they roam onto a licensee’s network, IDA has decided to authorise this purpose to enable inbound roamers to be informed of the available roaming services.


However, it is important to note that this authorisation does not extend to the collection, use and disclosure of EUSI for the provision of outbound roaming services and related information. In this regard, licensees would have to obtain end users’ consent for the collection, use and disclosure of their EUSI for such purposes when they sign up for their mobile or roaming services. 


Removal Of Specific Purposes For Which Use Of Residential EUSI Without Consent Is Currently Allowed

 

IDA has removed the authorisations to use Residential EUSI without consent, in respect of the following purposes: 


(a) providing assistance to law enforcement, judicial or other government agencies;
(b) managing bad debt and preventing fraud related to the provision of telecommunication services; and
(c) complying with any regulatory requirements imposed by IDA, 


as these purposes may generally be covered by similar exceptions to the Consent Obligation under the PDPA framework. In any case, IDA considers that licensees may reasonably obtain consent in respect of the collection, use or disclosure of personal data for these purposes when an individual contracts for a telecommunication service. 


IDA has proposed to remove sub-section 3.2.6.2(b) of the TCC which prohibits disclosure of EUSI to third parties without consent, given that there are similar safeguards under the PDPA framework. 


Apart from the above, the TCC makes clear that the collection, use or disclosure of Residential EUSI for all other purposes and areas shall be governed in accordance with the PDPA framework.

 

Authorisation Framework For Business EUSI

 

IDA has largely retained the existing EUSI framework in respect of the governance of Business EUSI, as it considers that Business EUSI would generally not be considered personal data and therefore would not be governed under the PDPA.

 

As such, the only changes to the Business EUSI framework have been made to correspond with the amendments in the Residential EUSI framework, namely:

 

(a) authorising the collection and use of Business EUSI without consent for the scoped “planning” purposes, but excluding the purposes of “provisioning and billing”; and
(b) authorising the collection, use and disclosure of Business EUSI without consent, for the provision of roaming-related information to inbound roamers. 


Framework Governing EUSA

 

To reflect the aforementioned changes to the EUSI framework, IDA has retained the current EUSA framework in respect of Business EUSI, but removed the reference to Residential EUSI, which it considers to be covered by similar obligations for the notification and withdrawal of consent under the PDPA framework. 


Prospective Application Of TCC Amendments 


Finally, it is important to note that the amendments to the TCC apply on a prospective basis. In this regard, licensees may continue to use the EUSI for purposes as stated within existing agreements or contracts signed by end users. However, new agreements and contracts would have to take into account the TCC amendments and the PDPA obligations with effect from 2 July 2014. 


In addition, further consent from these end users would have to be sought if licensees wish to use EUSI for purposes beyond what has been stated in existing agreements or contracts.

 

Part III: Real Estate Agency Guidelines

 

The PDPC has included new examples following the public consultation of the Real Estate Agency Guidelines to further clarify the operation of the DP Provisions in the following scenarios.

 

Marketing Of Potential En-Bloc Sales 


Where an estate agent compiles a list containing the personal details of individual owners to market a potential en-bloc sale (eg to mail letters or make follow-up calls), this would constitute the collection and use of personal data, for which consent has to be obtained, unless exceptions apply.


Disclosure Of Client’s Personal Data In A Co-Broking Situation 


Where an estate agent intends to disclose his client’s personal data to another estate agent for the purposes of entering into a co-broking arrangement, he would be required to obtain prior consent from his client. 


Whether A Salesperson Is A Data Intermediary Processing Personal Data On Behalf Of And For Purposes Of An Estate Agent Pursuant To A Contract Evidenced Or Made In Writing 


The PDPC notes that a salesperson may either be regarded as an employee of the estate agent, or an associate under a contract for service, depending on the terms and conditions agreed upon between the parties (eg in an associate agreement). Where the salesperson is an employee, the estate agent would have to ensure that he abides by its policies and procedures for PDPA compliance. 


Where a salesperson is not an employee of the estate agent, he may not fall within the exclusion from the DP Provisions for employees acting in the course of their employment. As such, he would be required to comply with the DP Provisions as a separate “organisation” from the estate agent which he represents. 


Depending on the specific facts of the case, however, he may also be regarded as a data intermediary of the estate agent. In that case, he would be required to comply only with the Protection and Retention Obligations under the PDPA, and only in respect of the personal data he processes. The estate agent would still be required to comply with all the DP obligations.


For example, where a salesperson is required, pursuant to an associate agreement, to deliver completed estate agency agreements (which would include the client’s personal data) to the estate agent, he would be considered to be a data intermediary processing personal data on behalf of and for the purposes of the estate agent. 


Conversely, if the salesperson uses his clients’ personal data for purposes beyond what was contractually agreed with the estate agent, or for his own use, he would not be considered to be a data intermediary for the purposes of the PDPA.

 

Concluding Remarks

 

With the 2 July 2014 deadline for compliance drawing close, organisations in the telecommunication and real estate agency sectors should assess the adequacy of their compliance programmes against the newly issued guidelines. 


Ultimately, it is important to note that the new personal data protection regime operates only as a baseline law and builds upon existing sector-specific legal and/or regulatory frameworks. As such, organisations would be required to comply with their obligations under the PDPA, as well as any applicable sector-specific framework. 


Finally, we would highlight that both the Telecoms and Real Estate Agency Guidelines should be read in conjunction with the other Advisory Guidelines issued by the PDPC from time to time, including the Advisory Guidelines on Key Concepts in the PDPA (which explain in greater detail the obligations that organisations have to comply with under the PDPA), the Advisory Guidelines on the Do Not Call Provisions and the Advisory Guidelines on Selected Topics.

 

End Notes:

 

1. “Personal data” is defined as “data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access”.

 

2. “Roaming-related information” includes: (a) roaming partners in the foreign jurisdiction; (b) charges for voice, messaging and data services to the in-bound roamer’s home country, in Singapore and to any other country; and (c) the alternative roaming options available to the subscriber such as alternative call-back options or roaming rate-capped bundles.

 

References:

 

1. Advisory Guidelines for the Telecommunication Sector

 

2. Advisory Guidelines for the Real Estate Agency Sector

 

3. Explanatory Memorandum on IDA’s Decision on Review of End User Service Information Provisions in the Code of Practice for Competition in the Provision of Telecommunication Services 2012

 

4. Personal Data Protection Act

 

Drew & Napier

 

For further information, please contact:

 

Lim Chong Kin, Director, Drew & Napier 
chongkin.lim@drewnapier.com

 

Charmian Aw, Director, Drew & Napier 
charmian.aw@drewnapier.com

