In the first part of this article series, we covered the main provisions of Singapore’s Personal Data Protection Act 2012 (PDPA), which came into full effect on July 2 and is designed to govern the collection, use and disclosure of personal data in Singapore by private organizations, including those that are not physically located in Singapore. In this, the second and final part of the series, we will discuss the enforcement of the law so far and ongoing investigations.
One provision of the PDPA created a Do Not Call Registry (DNC Registry) whereby organizations are prohibited from sending marketing messages in the form of voice calls, text or fax messages to Singapore telephone numbers registered with the DNC Registry, including mobile, fixed-line, residential and business numbers. The DNC Registry rules came into effect on January 2, five months prior to the PDPA’s rules on handling personal data, so most of the enforcement actions have taken place in this realm.
DNC Registry Enforcement
According to a May 23 press release from Singapore’s Personal Data Protection Commission (PDPC), “investigations have been made in response to 3,700 valid complaints from members of the public against 630 organizations since the DNC Registry provisions took effect.” A Singaporean tuition agency, Star Zest Home Tuition, was the first company to receive a sanction under the DNC Registry provisions for unsolicited marketing. The tuition agency and its director were each fined SG$39,000 (equivalent to USD 31,200) on August 27 for sending unsolicited marketing messages to mobile phone users despite such users having registered their telephone numbers on the DNC Registry.
In order to avoid sanctions, companies that conduct direct marketing activities should regularly check the DNC Registry and ensure that they do not market goods or services to a telephone number listed on the DNC Registry without first obtaining clear and unambiguous consent in writing or other accessible form. Organizations can rely on the results returned for up to 30 days. To date, about 4,500 organizations have registered to check Singapore telephone numbers against the DNC Registry.
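As an added illustration (not code from the article or from the PDPC), a pre-send gate that applies the points above: a registry lookup result is relied on for at most 30 days, clear written consent overrides a listing, and a missing or stale result forces a re-check before anything is sent. The ISO date strings, the per-channel result shape and the last-eight-digits number normalization are assumptions.

```python
from datetime import date, timedelta

# Added illustration (not the PDPC's tooling): a pre-send gate that applies the
# DNC Registry rules above. A registry lookup result, per number and channel,
# may be relied on for at most 30 days; clear written consent overrides a
# listing; an unknown or stale result fails closed and forces a re-check.
RESULT_VALIDITY = timedelta(days=30)
CHANNELS = ("voice", "text", "fax")   # the three message types the DNC rules cover


def _to_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string (assumed input format)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def normalize(number: str) -> str:
    """Keep only the last eight digits so '+65 9123 4567' and '91234567' match (assumption)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-8:]


class DncGate:
    def __init__(self, today):
        self.today = _to_date(today)
        # number -> (date checked, {channel: listed?}); stands in for real lookup results
        self.checks = {}
        self.written_consent = set()

    def record_check(self, number, checked_on, listed):
        """Store one registry lookup result, e.g. {'voice': True, 'text': False, 'fax': True}."""
        self.checks[normalize(number)] = (_to_date(checked_on), dict(listed))

    def record_consent(self, number):
        """Record clear, unambiguous consent obtained in writing for this number."""
        self.written_consent.add(normalize(number))

    def decide(self, number: str, channel: str) -> str:
        """Return 'send', 'suppress' or 'recheck' for one marketing message."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        key = normalize(number)
        if key in self.written_consent:
            return "send"                      # written consent overrides the registry
        entry = self.checks.get(key)
        if entry is None:
            return "recheck"                   # never looked up: query the registry first
        checked_on, listed = entry
        if self.today - checked_on > RESULT_VALIDITY:
            return "recheck"                   # older than 30 days: cannot be relied on
        # a result that is silent about this channel is treated as listed (fail closed)
        return "suppress" if listed.get(channel, True) else "send"
```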
The PDPC’s investigative powers are not limited to the DNC Registry. The Straits Times reported on August 14 that the PDPC had begun investigating a complaint from a Singaporean alleging that the Chinese electronics manufacturer Xiaomi had breached the PDPA: the complainant, a user of a Xiaomi device, claimed that he had received unsolicited telemarketing calls from abroad and that his device was “secretly” connecting to a server in China. This is believed to be the first PDPC investigation not related to the DNC Registry. The privacy authority of the Hong Kong Special Administrative Region government also announced that it has launched an investigation into Xiaomi.
These investigations follow reports by a Finnish security firm, F-Secure, and a Vietnamese security firm, Bkav, which found that the Xiaomi RedMi 1S phone would automatically send certain personal data to an external server, such as the user’s phone number, the phone numbers of the user’s contacts, and numbers taken from received SMS messages.
Hugo Barra, Vice President of International at Xiaomi, responded that these findings are due to Xiaomi’s MIUI Cloud Messaging service which allows users to exchange text messages with each other free of SMS charges by rerouting the messages through the Internet, but that information collected is not stored on Cloud Messaging servers, and message content is not kept for longer than necessary to ensure delivery to the receiver. Barra subsequently apologized to users and announced that a software update would be made available so that MIUI Cloud Messaging becomes an opt-in service and is no longer automatically activated on all Xiaomi devices.
If the allegations are found to be correct, Xiaomi may have breached the consent (section 13 of the PDPA) and notification (section 20 of the PDPA) obligations by disclosing personal data to servers without first obtaining users’ consent. In addition, the PDPC would likely investigate whether, depending on the location of the servers, there was a breach of the transfer limitation obligation (section 26 of the PDPA), i.e., whether personal data had been transferred to a country or territory outside Singapore without ensuring that a standard of protection comparable to the PDPA’s would be maintained over the transferred data.
If found guilty of breaching the PDPA, Xiaomi could be ordered to stop collecting data, destroy the data or provide access to the data, and may face a fine of up to SG$1 million (equivalent to USD 800,000). Negative publicity could also have disastrous effects for this rapidly growing company.
Recent reports of security incidents in Singapore suggest, however, that more still needs to be done. One of Singapore’s largest telecommunications companies, M1 Limited, suspended pre-orders of the iPhone 6 after a customer breached its website by mistake and reported the security loophole to M1: through it, personal information of M1 customers, including phone numbers, home addresses and identification card numbers, could be accessed. Even though M1 says that the issue has now been resolved, the PDPC is investigating the alleged security breach.
K Box Singapore
The PDPC is also investigating another security breach involving the membership database of the karaoke entertainment company K Box Singapore. A hacker group, The Knowns, had reportedly sent an email to various media outlets with a list containing personal information of more than 317,000 K Box members, including email addresses, contact numbers, birth dates, marital status and identification card numbers. If the allegations are accurate, then K Box may be in breach of section 24 of the PDPA, which provides that an “organization shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.” In addition to the negative publicity K Box is currently receiving, it may face a fine of up to SG$1 million (equivalent to USD 800,000) under the PDPA.
These cases should serve as a wake-up call to businesses collecting a growing amount of data. A recent Hitachi Data Systems survey found that CIOs are deeply concerned over compliance as it relates to the data that they collect: 74 percent of CIOs polled in the UK, EU and U.S. were concerned that their company’s data protection policies are not yet capable of handling big data. Likewise, another survey revealed that 65 percent of CIOs in Singapore perceived security as the biggest problem with cloud technology, a concern shared by 57 percent of CIOs polled in Asia-Pacific.
Regulation of the collection, storage and use of information is likely to increase in the coming years, requiring legal and regulatory monitoring beyond the security function alone and a greater focus on privacy and transparency.