Singapore – Public Consultations On Personal Data Protection In The Telecommunication Industry.

6 February, 2014

 

 

Introduction

 

The Personal Data Protection Act (‘PDPA’) was introduced in 2012 as baseline legislation to govern the collection, use and disclosure of personal data in Singapore. Among other things, the Consent Obligation in the PDPA requires organisations to obtain an individual’s consent for the collection, use or disclosure of personal data for reasonable purposes.

 

In light of the personal data provisions of the PDPA, the Info-Communications Development Authority of Singapore (‘IDA’) is proposing several amendments to the Code of Practice for Competition in the Provision of Telecommunication Services (the ‘Code’) governing the use of End User Service Information (‘EUSI’) in the telecommunication sector. On 23 January 2014, the IDA issued a public consultation to seek public feedback on these proposed amendments to the Code. The IDA’s public consultation will close on 28 February 2014.

 

On the same day, the Personal Data Protection Commission (‘PDPC’) – the agency which administers and enforces the PDPA – issued a public consultation on its proposed advisory guidelines on the application of the PDPA to scenarios faced in the telecommunication sector (the ‘Proposed Guidelines’) to address sector-specific compliance issues. PDPC’s public consultation will close on 13 February 2014.

 

Telecommunication licensees are required to comply with both the Code and the PDPA.

The key proposals by the PDPC and the IDA are summarised below.

 

Proposed Guidelines And Code Amendments

 

Scope Of Personal Data

 

‘Personal data’ is defined under the PDPA as data about an individual that allows him/her to be identified from: (i) that data; or (ii) that data or any other information to which the organisation has or is likely to have access.

 

The Proposed Guidelines clarify that an individual’s mobile telephone number is likely to be personal data, as it may uniquely identify that individual. Where a telephone number is shared by more than one individual, it may also be considered personal data if, in combination with other information, it results in the identification of an individual. On the other hand, numbers that are used in connection with the operation of a telecommunication network to identify particular equipment connected to the network, such as IMEI numbers or an Internet Protocol (‘IP’) address, would not, on their own, be considered personal data. However, when used in combination with other data, they have the potential to form part of data that relates to an identifiable individual and so be considered personal data.

 

EUSI is defined in the Code as all the information obtained by a telecommunications licensee as a result of an end user’s use of a telecommunication service provided by the licensee. This includes information such as the end user’s name, address and telephone number, as well as information generated from the use of the telecommunication services, such as location information, call patterns and billing history. According to the public consultation to the Code, the EUSI of residential subscribers under the Code is likely to fall within the definition of personal data in the PDPA.

 

Removal Of Overlap Between PDPA And The Code’s EUSI Provisions

 

The PDPA requires organisations to obtain an individual’s consent for the collection, use or disclosure of personal data, except: (i) where the collection, use or disclosure without consent is authorised or required under any other written law; or (ii) under specifically prescribed circumstances in the Second to Fourth Schedules of the PDPA, e.g. where the personal data is publicly available, or where the personal data is used by the organisation to recover a debt owed to it.

 

The Code adopts a similar framework requiring consent for use of EUSI. The relevant section in the Code is Section 3.2.6.2, which provides that licensees may not use EUSI without the end user’s consent for any purpose other than the specific purposes stated in the section itself.

 

In view of the overlap, the IDA has proposed that personal data within the scope of EUSI, i.e. the EUSI of residential subscribers, should be governed by the PDPA and removed from the Code. This is to ensure consistent treatment of personal data in the telecommunication sector vis-à-vis other sectors, and to minimise overlap and uncertainty in terms of compliance requirements for telecommunication licensees.

 

The IDA therefore proposes to remove from Section 3.2.6.2(a) of the Code the following specific purposes which currently allow a telecommunication licensee to use EUSI without the end user’s consent as these are already covered under the PDPA:

 

(a) Managing bad debt and preventing fraud related to the provision of services;

(b) Providing assistance to law enforcement, judicial or other government agencies; and

(c) Complying with any regulatory requirements imposed by the IDA authorising the use of EUSI.

 

The IDA also proposes to remove Section 3.2.6.2(b) of the Code which stipulates that licensees are required to seek end users’ consent before disclosing their EUSI to any third party (including its Affiliates) for the purposes of developing and marketing any goods or services, as such safeguards are provided under the PDPA.

 

In addition, as these are already provided under the PDPA, the IDA proposes to remove the reference to the EUSI of residential subscribers in Section 3.3.7 of the Code which currently requires licensees to state in the End User Service Agreements (the ‘EUSA’) that the licensee will use the EUSI only for the purposes specified in Section 3.2.6.2 unless the end user has provided consent. In addition, the EUSA must contain any additional purposes which the licensee may use EUSI for, and the means by which the end user can grant consent or withdraw consent for such purposes.

 

Use Of EUSI For ‘Planning’ Purposes

 

Section 3.2.6.2(a)(i) of the Code currently allows licensees to use the EUSI of the end user, without his/her consent, for the purpose of planning, provisioning and billing for any service provided by the licensee.

 

The IDA is proposing to make two amendments to this sub-section. Firstly, the IDA proposes to remove the references to ‘provisioning’ and ‘billing’ of services. This is because consent for such purposes can be obtained or deemed when the end user signs up to the telecommunication service, if the telecommunication licensee requires this as a condition for providing the telecommunication service. Hence, there is no need for these to be expressly authorised under the Code.

 

Secondly, the IDA has proposed to clarify and limit the scope of “planning requirements” to network operations and maintenance. The IDA has highlighted that business development ‘planning’, such as market research and product development, would not fall within the IDA’s proposed scope. Furthermore, licensees will not be permitted to disclose the EUSI of residential subscribers to third parties for network planning purposes, if the licensees do not have the subscriber’s consent.

 

Specific Amendments For EUSI Of Business Subscribers

 

The above proposed amendments relate only to EUSI of residential subscribers as these would be covered by the PDPA within the scope of ‘personal data’. The EUSI of business subscribers does not fall within the scope of ‘personal data’ under the PDPA. To ensure that their information continues to be protected, the IDA generally proposes to retain the current framework in the Code for business subscribers. This means that licensees will be prohibited from using EUSI of business subscribers without the end user’s consent, unless for the purposes specified in the Code.

 

However, the IDA is proposing to adjust the EUSI provisions in relation to business subscribers to ensure consistency between the use of EUSI of both business subscribers and residential subscribers. Firstly, the IDA is proposing to remove the specified purpose on ‘managing bad debt and preventing fraud related to the provision of telecommunication services’ from the current framework in the Code. This is because telecommunication licensees generally do not need to use or disclose EUSI of business subscribers for debt recovery or fraud management. Secondly, the IDA proposes to clarify the scope of the specified purpose in Section 3.2.6.2(a)(i) in the same way as was noted above. Specifically, the IDA proposes to remove the ‘provisioning’ and ‘billing’ purposes, and to scope the ‘planning’ purpose to cover network operations and maintenance only.

 

Collection And Use Of Personal Data For Mobile Roaming

 

Where ‘in-bound roaming’ is concerned, a Singapore telecommunication operator collects some personal data of a foreign mobile operator (the inbound roamer) using its network, in order for the foreign telecommunication operator (the home operator) to provide a roaming service to the inbound roamer.

 

The Proposed Guidelines state that to the extent that the Singapore telecommunication operator is processing the information of inbound roamers on behalf and for the purposes of their respective home operators, such local telecommunication operators could be data intermediaries of the home operators. As a data intermediary, the Singapore telecommunication operator would then be subject to fewer obligations under the PDPA – it would not have to obtain the consent of the inbound roamers to use their personal data.

 

However, where the Singapore telecommunication operator is collecting, using, disclosing or otherwise processing the personal data of inbound roamers for other purposes beyond what was set out in the contract with the home operator, e.g. to market the local operators’ own pre-paid card options, they would not be considered a data intermediary of the home operator, and the data protection provisions of the PDPA would apply to such activities, unless exceptions apply.

 

One of these exceptions would be where the collection, use or disclosure without the consent of the individual is required or authorised under a written law. In this regard, the IDA has, as part of its Code amendments, proposed introducing a new provision in the Code authorising local mobile licensees to collect, use and disclose (to other telecommunication licensees) the personal data of in-bound roamers to send roaming-related information and charges, without the consent of the in-bound roamers. The IDA views that this will benefit in-bound roamers by raising their awareness of the suite of roaming services available and improving transparency on roaming charges.

 

Application Of The PDPA Data Protection Provisions To The Telecommunication Sector

 

The Proposed Guidelines address how the PDPA provisions might apply to other scenarios in the telecommunication sector.

 

For example, the PDPC clarified that a subscriber who opts to have an ‘unblocked’ or ‘listed’ telephone number would typically be aware that his/her telephone number would be collected, used or disclosed for the purpose of identifying that subscriber to other parties, and deemed to provide consent for this. Conversely, a subscriber who has opted for a ‘blocked’ or ‘unlisted’ number at the outset would not be considered to have consented to the collection, use or disclosure of his/her number for that purpose.

 

The PDPC also clarified that it would generally consider that a message sent to a Singapore telephone number solely to provide account information / product information relating to the ongoing use of the service / product by the individual would not constitute the sending of a specified message, so the Do Not Call Provisions would not apply. However, where there is information contained in the message that is not part of the product or service the individual has subscribed to, and is an offer to supply, promote or advertise another product or service, such messages will likely be considered specified messages, unless they are related to the subject of an ongoing relationship with the subscriber or user of the Singapore telephone number. One-off interactions or transactions in themselves would be insufficient to constitute an ongoing relationship between the individual and the telecommunication operator.

 

Concluding Words

 

The purpose of the IDA’s proposed amendments to the Code and the PDPC’s Proposed Guidelines is to bring greater clarity to issues regarding the use of personal data within the telecommunication sector. Specifically, the IDA’s amendments aim to minimise any areas of overlap and remove any inconsistency between the Code and the PDPA. This might be the approach taken by other sectoral regulators who have their own personal data protection provisions in their respective codes and regulations. In addition, in recognition of the unique scenarios faced by firms operating in the telecommunication sector, the PDPC’s Proposed Guidelines provide further guidance on the manner in which the PDPC will interpret the application of the PDPA for the telecommunication sector, to address any sector-specific scenarios and uncertainties for firms operating in their sector.

 

Rajah & Tann

 

For further information, please contact:

 

Rajesh Sreenivasan, Partner, Rajah & Tann

rajesh@rajahtann.com

 

Steve Tan, Partner, Rajah & Tann 

steve.tan@rajahtann.com

 

Kala Anandarajah, Partner, Rajah & Tann

kala.anandarajah@rajahtann.com

 

Tanya Tang, Rajah & Tann

tanya.tang@rajahtann.com

 
