_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,3,3,1,952,A warning was administered to a registered salesperson of an estate agency for failing to (i) obtain clear and unambiguous consent; or (ii) check the Do Not Call Register before sending specified messages to individuals registered on the Do Not Call Register.,"[""Do Not Call Provision(s)"", ""Warning"", ""Real Estate""]",2023-08-16,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_Leon-Wee_11072023-(004).pdf,Do Not Call Provision(s),Breach of Duty to Check the Do Not Call Register by a Registered Salesperson,https://www.pdpc.gov.sg/all-commissions-decisions/2023/08/breach-of-duty-to-check-the-do-not-call-register-by-a-registered-salesperson,2023-08-16,"PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 8 Case No. ENF-DNC-221129-0007 & Others In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Wee Jing Kai Leon … Person DECISION Wee Jing Kai Leon Wong Huiwen Denise, Deputy Commissioner — Case No. ENF-DNC-221129-0007 & Others 11 July 2023 Introduction 1 The Do Not Call Registry (“DNC Registry”) is a national database kept and maintained by the Personal Data Protection Commission (the “Commission”) pursuant to section 39 of the Personal Data Protection Act 2012 (“PDPA”). Persons may register their Singapore telephone numbers with the DNC Registry so as to not receive unsolicited telemarketing calls and messages. The DNC Registry comprises of 3 separate registers (i) the No Text Message Register, (ii) the No Voice Call Register, and (iii) the No Fax Message Register. 
2 Between November 2022 and March 2023, the Commission received ten (10) complaints that one Wee Jing Kai Leon (“Individual”) had sent unsolicited telemarketing messages to telephone numbers registered on the No Text Message Register of the DNC Registry (the “Complaints”). 3 The Commission commenced investigations to determine whether there had been any breaches of the “Do Not Call” provisions in Part 9 and 9A of the PDPA (“DNC Provisions”). Facts of the Case 4 The Individual is a real estate salesperson registered with Propnex Realty Pte Ltd since 2006. Over the years, the Individual collated a list of 2,918 Singapore telephone numbers (the “Marketing List”). 5 Of the 2,918 telephone numbers in the Marketing List, 1,224 were registered with the No Text Message Register of the DNC Registry on or around 31 March 2023. 6 The Individual did not send any marketing messages to the telephone numbers on his Marketing List before November 2022 and only admitted to sending a short messaging service message each month from November 2022 to March 2023 (the “SMS Messages”) to the telephone numbers on the Marketing List to offer, advertise and/or promote his services as a real estate salesperson. According to the Individual, by November 2022, the challenging business environment had made it more difficult for him to get leads. He therefore opted to rely on the numbers in the Marketing List to prospect for leads. 7 Given that the Marketing List included 1,224 telephone numbers registered on the DNC Registry, the Individual had sent approximately 6,120 SMS Messages to telephone numbers registered on the DNC Registry from November 2022 to March 2023. 8 The SMS Messages bore the sender ID “Propnex LW”, which is registered under the SMS Sender ID Regime (“SSIR”)1 by DGK Global Pte Ltd (“DGK Global”), a company owned by the Individual. 
During investigations, the Individual clarified that DGK Global was not involved in his real estate business, and that he used DGK Global to register the sender ID under SSIR because he needed a UEN number to do so. Findings and Basis for Determination The Duty to check DNC Registry under section 43(1) of the PDPA 9 The Commission’s investigation focused on whether the Individual had intentionally or negligently breached section 43(1) of the PDPA by: (a) sending “specified messages” addressed to Singapore telephone numbers, (b) without having valid confirmation that the Singapore telephone numbers were not listed in the DNC Registry at the time the specified messages were sent.
1 The SSIR was set up in March 2022 to enable organisations to protect their customers from receiving fraudulent SMS messages that spoofed the organisations’ SMS Sender IDs. Organisations intending to send SMS messages to Singapore mobile numbers can register any alphanumeric Sender IDs under the SSIR. The Full SSIR Regime came into effect from 31 January 2023, upon which all non-registered Sender IDs will be marked as “LikelySCAM” for a transition period of 6 months. Thereafter, messages with non-registered Sender IDs will be blocked and not delivered to end-users.
“Specified message” 10 A message is a “specified message” if one of its purposes is for:2 (a) Advertising, promoting, or offering to supply or provide: (i) goods or services; (ii) land or an interest in land; (iii) business opportunity or an investment opportunity; (b) Advertising or promoting a supplier or provider (or a prospective supplier or provider) of the items listed in sub-paragraphs (i) to (iii) above. 
11 Whether a “specified message” has one of the above purposes is determined with regard to the following:3 (a) the content of the message; (b) the presentational aspects of the message; (c) the content that can be obtained using the numbers, URLs or contact information (if any) mentioned in the message; and (d) if the telephone number from which the message is made is disclosed to the recipient (whether by calling line identity or otherwise), the content (if any) that can be obtained by calling that number. 12 The SMS Messages were “specified messages” within the meaning of the DNC Provisions, as they were sent for the purpose of advertising and/or promoting the Individual’s real estate services. The SMS Messages contained statements such as, “Engage Professional & Committed Agent to Sell/Rent your Home.”, and “Whatsapp Leon Wee directly at https://chatwith.io/s/enquire to rent/sell your property”. They also included links to the Individual’s website and social media profiles.
2 Tenth Schedule to the PDPA. 3 Section 37(1) of the PDPA.
13 The Individual admitted that the SMS Messages were addressed to Singapore telephone numbers, as also evidenced by the complaints received by the Commission. Valid confirmation 14 A person can obtain valid confirmation that a Singapore telephone number is not listed in the DNC Registry by doing the following:4 (a) Within 21 days before sending the specified message,5 the person can apply for and receive confirmation from the Commission that the Singapore telephone number is not listed in the relevant register of the DNC Registry;6 or (b) The person can obtain confirmation that the Singapore telephone number is not listed in the relevant register of the DNC Registry from a “checker”,7 but must not have reason to believe that, or be reckless as to whether the checker’s information was obtained more than 21 days ago, or is false or inaccurate.
4 Section 43(2) of the PDPA. 
5 Section 15 of the Personal Data Protection (Do Not Call Registry) Regulations 2013 (the “DNC Regulations”). 6 Under section 40(2) of the PDPA 7 A “checker” refers to a person that, for a reward, provides to another person (P) information on whether a Singapore telephone number is listed in the relevant register for the purpose of P’s compliance with Section 43(1) of the PDPA. A “checker” is a person other than the Commission, an employee of P, and an employee or agent of a checker.
15 Investigations revealed that the Individual did not obtain valid confirmation that the telephone numbers on his Marketing List were not listed in the DNC Registry. Whether the Individual received clear and unambiguous consent 16 Even if a specified message is sent to a Singapore telephone number without valid confirmation that the number is not listed in the DNC Registry, a person does not contravene section 43(1) of the PDPA if: (a) the subscriber or user of the Singapore telephone number gave clear and unambiguous consent to the sending of the specified message; and (b) the consent is evidenced in writing or other form so as to be accessible for subsequent reference8. This means that the consent must be captured in a manner or form which can be retrieved and reproduced at a later time in order to confirm that such consent was obtained. Possible forms include an audio or video recording of the consent given9. 17 In the course of investigations, the Individual represented to the Commission that he was under the impression that since he had obtained the telephone numbers prior to the enactment of the PDPA, he could use them for marketing purposes.
8 Section 43(4) of the PDPA. 9 [8.3] of the Advisory Guidelines on the DNC Provisions (revised 1 February 2021)
18 The Commission recognises that a subscriber of a Singapore telephone number is deemed to have given his consent to a person to send a specified message to that Singapore telephone number if the subscriber consents to the sending of the specified message before 2 January 2014 (i.e. before the DNC Provisions came into effect), and that consent has not been withdrawn.10 Even if the subscriber subsequently adds his telephone number to the DNC Registry, this would not amount to withdrawal of consent.11 19 However, this does not relieve the Individual of his obligations under section 43(4) to obtain the consent of the subscribers or users of the Singapore telephone number to which a specified message is sent to him. In other words, if the Individual intended to rely on section 43(4) of the PDPA, he should have obtained clear and unambiguous consent to the sending of the SMS Messages to the telephone numbers in his Marketing List from the subscribers of the Singapore telephone numbers contained therein evidenced in written or other forms. The Commission sets out, at [8.5] of the Advisory Guidelines on the DNC Provisions (revised 1 February 2021), various methods through which such consent can be obtained from the subscribers or users: “For example, persons may seek to obtain consent by asking individuals to: a) respond to a pop-up on a webpage; b) respond to pop-ups or other form of notifications within mobile applications; c) fill out and submit a web form; d) fill out and submit a physical form; e) indicate their choice by signing or ticking against a check box printed on a letter or service agreement; or f) call or send an SMS to the person.”
10 Section 47(4) of the PDPA. 11 Section 47(5) of the PDPA.
20 The Commission found no evidence of the Individual obtaining such clear and unambiguous consent from any of the subscribers of the Singapore telephone numbers on the Marketing List, in written or other forms before or after 2 January 2014. 
21 Accordingly, the Individual failed to obtain valid confirmation that the telephone numbers in the Marketing List are not listed in the DNC Registry before sending the SMS Messages, and has negligently contravened section 43(1) of the PDPA. Whether the Individual is an employee acting in the course of employment 22 For completeness, the Commission assessed whether the defence under section 48 of the PDPA was available to the Individual, and concluded that it was not. Section 48(2) provides that section 43(1) does not apply to an employee who sends a specified message to a Singapore telephone number if he can prove that he did so in good faith in the course of his employment or in accordance with instructions given to him by or on behalf of his employer in the course of his employment. The Commission considered the following: (a) In accordance with industry practices, real estate salespersons such as the Individual are not in an “employer-employee relationship” with their agencies. (b) The Individual confirmed that he is not an employee of Propnex Realty Pte Ltd (“Propnex”) despite being registered with them. He does not receive salary from Propnex, nor does Propnex provide the Individual with medical benefits, CPF contributions, or annual leave benefits. The Individual is self-employed and does not report to Propnex on the conduct of his business. (c) The contents of the SMS Messages related to the services of the Individual specifically, and not Propnex. 
The Deputy Commissioner’s Decision 23 In determining whether any financial penalties or directions should be imposed on the Individual, the Commission took the following into consideration: (a) The Individual was cooperative with the Commission’s investigations; (b) The Individual had otherwise made efforts to ensure his compliance with other DNC Provisions, in particular the requirement under section 44 of the PDPA to include clear and accurate information identifying the sender of the SMS Messages and how he can be readily contacted. He had also provided recipients the option to unsubscribe from the SMS Messages, and would remove a recipient’s telephone number from the Marketing List if so requested; and (c) The Individual’s efforts to register the sender ID “Propnex LW” showed a willingness to comply with regulatory regimes, in particular the SSIR. 24 Having considered all the factors listed above, the Individual is hereby administered a warning in respect of his breach of section 43(1) of the PDPA. No other directions are necessary in view of the Individual’s voluntary cessation of sending specified messages to numbers on the Marketing List. 25 The Commission observes that this case occurred alongside media reports of an increase in property scams. The Commission has also investigated complaints involving property agents who had concealed their identities while sending marketing messages in contravention of the DNC Provisions. For the avoidance of doubt, while there was no evidence that the Individual was involved in any scams or had attempted to conceal his identity in his marketing messages, the Commission will continue to monitor this trend involving property agents and calibrate its decisions in future cases accordingly to ensure compliance with the DNC Provisions of the PDPA. 
WONG HUIWEN DENISE DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Warning,f18593fdbb15638a11bc2083adacad1a58daf1b2,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,10,10,1,952,"A warning was issued to an individual for using dictionary attack methods to generate telephone numbers which were then used for telemarketing purposes, thereby breaching section 48B of the PDPA.","[""Do Not Call Provision(s)"", ""Warning"", ""Others"", ""Telemarketing""]",2023-04-17,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/GD_TaiShinFatt_140223.pdf,Do Not Call Provision(s),Breach of Section 48B of the PDPA (Prohibition on Use of Dictionary Attacks) by an individual,https://www.pdpc.gov.sg/all-commissions-decisions/2023/04/breach-of-section-48b-of-the-pdpa-prohibition-on-use-of-dictionary-attacks-by-an-individual,2023-04-17,"PERSONAL DATA PROTECTION COMMISSION [2023] SGPDPC 2 Case No. ENF-DNC-210826-0015 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Tai Shin Fatt … Individual DECISION Tai Shin Fatt Lee Ti-Ting, Assistant Commissioner - Case No. ENF-DNC-210826-0015 14 February 2023 Introduction 1 On 2 July 2021, the Personal Data Protection Commission (“the Commission”) was notified by the Singapore Police Force that the Singapore Civil Defence Force (“SCDF”) had received an influx of marketing calls between 25 and 28 June 2021 from telephone numbers registered to one LongSheng Consultancy Pte Ltd (“LongSheng”) on behalf of one Tai Shin Fatt (the “Individual”). The Commission commenced investigations to determine whether the circumstances relating to the calls disclosed any breaches of the Personal Data Protection Act 2012 (“PDPA”). 
Facts of the Case 2 The Individual is an insurance director with a large and well-known insurance company managing a team of 25 insurance agents. In an effort to conduct marketing calls more efficiently, the Individual sought to engage the services of 2 companies hereinafter referred to as the “Call Automation Vendor” and the “Checker”. 3 The Call Automation Vendor provides software to facilitate the making of automated calls using customised scripts. The Checker’s service comprises the provision of telephone numbers (from which automated calls could be made), and the provision of software to check whether the telephone numbers of intended recipients were registered with the Do Not Call Registry (“DNCR”). The systems / software of the Call Automation Vendor and the Checker were intended to work in tandem as follows: (a) the telephone numbers of intended recipients would be uploaded onto the Call Automation Vendor’s software; (b) the Checker’s software would check the DNCR for such telephone numbers; and (c) the Call Automation Vendor’s software would then avoid making any calls to the telephone numbers which appeared in the DNCR. 4 As the Call Automation Vendor and the Checker do not contract directly with individuals, the Individual caused LongSheng to enter into contracts with the Call Automation Vendor and the Checker on 17 March 2021 and 20 May 2021 respectively, to provide the services outlined at paragraph 3 above. The Individual used LongSheng as a corporate vehicle by which to procure the services of the Call Automation Vendor and the Checker. 5 Following the engagement of the Call Automation Vendor and the Checker, and pursuant to instructions from the Individual, the Call Automation Vendor provided 10 channels in its software, while the Checker subscribed for 10 telephone numbers in the name of LongSheng from which to make the automated marketing calls. 
6 The Individual wished to test the systems provided by the Call Automation Vendor and the Checker, for which recipient telephone numbers were required. One of the Individual’s staff suggested to generate recipient telephone numbers by: (a) using commonly seen telephone numbers for the first 4 digits of each telephone number; and (b) randomly generating the last 4 digits of the telephone number by automated means. 7 The Individual authorised this method of generating the telephone numbers, and his staff proceeded to use Microsoft Excel to do so. 8 The Individual’s staff generated a total of 18,809 telephone numbers (“Subject Numbers”), which included 400 telephone numbers beginning with the digits “995”. “995” is the SCDF emergency line. 9 The Subject Numbers were contained in 3 lists, which were uploaded onto the Call Automation Vendor’s software by a member of the Individual’s staff. The Individual then clicked “send/call” in the Call Automation Vendor’s software to commence the automated marketing calls. 10 Between 25 and 28 June 2021, a total of 22,268 automated marketing calls were made (the “Subject Calls”), of which 433 were to the SCDF emergency line (the “Incident”). Such calls were not blocked as the SCDF emergency line was not registered in the DNCR. 11 On 28 June 2021, while reviewing the call recordings, the Individual discovered the calls made to the SCDF emergency line and immediately instructed his staff to stop using the Call Automation Vendor’s software. He also contacted the Call Automation Vendor to stop making further automated marketing calls; and deleted the lists containing the Subject Numbers. 
Findings and Basis for Determination The prohibition under Section 48B of the PDPA 12 Based on the circumstances of the Incident as set out above, the Commission’s investigation focused on whether the Individual had breached section 48B(1) of the PDPA by sending, causing to be sent, or authorising the sending of “applicable messages” - namely, (i) messages with a Singapore link to (ii) telephone numbers generated by a dictionary attack or address harvesting software (""Section 48B Prohibition""). 13 The Section 48B Prohibition and other provisions of the PDPA setting out relevant definitions are reproduced below:
PDPA provision: Term and definition
s48B(1): (…) a person must not send, cause to be sent or authorise the sending of an applicable message.
s48A(1): “applicable message” means a message with a Singapore link that is sent to any applicable telephone number;
s36(1): “message” means any message, whether in sound, text, visual or other form;
s48A(2): (2) In this Part, an applicable message has a Singapore link in any of the following circumstances: (a) the message originates in Singapore; (b) the sender of the message — (i) where the sender is an individual — is physically present in Singapore when the message is sent; or (ii) in any other case — (A) is formed or recognised under the law of Singapore; or (B) has an office or a place of business in Singapore; (c) the telephone, mobile telephone or other device that is used to access the message is located in Singapore; (d) the recipient of the message — (i) where the recipient is an individual — is physically present in Singapore when the message is accessed; or (ii) in any other case — carries on business or activities in Singapore when the message is accessed; (e) if the message cannot be delivered because the telephone number to which the message is sent has ceased to exist (assuming that the telephone number existed), it is reasonably likely that the message would have been accessed using a telephone, mobile 
telephone or other device located in Singapore.
s48A(1): “applicable telephone number” means a telephone number that is generated or obtained through the use of — (a) a dictionary attack; or (b) address‑harvesting software;
s48A(1): “dictionary attack” means the method by which the telephone number of a recipient is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations;
s48A(1): “address‑harvesting software” means software that is specifically designed or marketed for use for — (a) searching the Internet for telephone numbers; and (b) collecting, compiling, capturing or otherwise harvesting those telephone numbers
14 The Section 48B Prohibition was introduced as part of the 2020 amendments to the PDPA and came into effect on 1 February 2021. It was intended to supplement the existing “Do Not Call” provisions in Part 9 of the PDPA in striking the correct balance between safeguarding consumer interest and permitting legitimate business interests in direct marketing by: (a) establishing clear guardrails for sending unsolicited commercial messages;1 and (b) addressing consumer annoyance and deterring spammers who use technologies that make it easier to indiscriminately send unsolicited commercial messages (including robocalls) to a large number of recipients.2 15 The Section 48B Prohibition operates by targeting the indiscriminate manner by which recipient telephone numbers may be generated and targeted, usually by automated means. It does not serve as a blanket prohibition on the sending of unsolicited commercial messages, and leaves room for legitimate direct marketing. 
Whether the Individual had contravened the s48B Prohibition 16 For the Individual to have breached the Section 48B Prohibition, he must have: (a) sent, cause to be sent or authorized the sending of; (b) a message; (c) with a Singapore link; (d) to telephone numbers generated or obtained through use of: (i) a dictionary attack; or (ii) address harvesting software. 17 Based on the facts of the Incident as set out above, the elements for breach of the Section 48B Prohibition are made out: (a) The Individual specifically authorised and caused the making of the Subject Calls to the Subject Numbers. (b) The Subject Calls were automated calls based on a customised script provided by the Call Automation Vendor. The Subject Calls were therefore messages in sound form, and “messages” as defined by s36(1) of the PDPA. (c) The Subject Calls were made in Singapore. As such, the Subject Calls had a “Singapore link” within the meaning of s48A(2) of the PDPA. (d) The Subject Numbers were generated by using commonly seen telephone numbers for the first 4 digits, then randomising the remaining 4 digits. Strings of numbers were combined and resulted in the creation of 18,809 different permutations – i.e. unique telephone numbers – and the process was performed using automated means via Microsoft Excel. This was therefore a “dictionary attack” within the meaning of s48A(1) of the PDPA.
1 Singapore Parliamentary Debates (2 November 2020) vol 95, at page 36 (S Iswaran, Minister for Communications and Information)
2 Public Consultation Paper issued by the Ministry of Communications and Information and the Personal Data Protection Commission dated 14 May 2020, at paragraphs 53 54(b)
18 Accordingly, the Individual is determined to have contravened the Section 48B Prohibition. 
The Commission’s Decision 19 By using a “dictionary attack” to generate the Subject Numbers and then causing and/or authorising the Subject Calls to be made to the Subject Numbers, the Individual failed to stay within the “clear guardrails” of the PDPA to safeguard consumer interests. 20 To make matters worse, numerous calls were made to the SCDF emergency line. The importance of keeping the SCDF emergency line open and unobstructed for genuine emergencies cannot be over-emphasised. That said, the fact that automated marketing calls were made to the SCDF is not itself relevant to the Individual’s breach of the Section 48B Prohibition. The issue is with the method used to generate the Subject Numbers, and the Individual’s role in authorising the Subject Calls. 21 The Commission recognises that: (a) the Individual was cooperative with the Commission’s investigations; (b) the Individual has not previously contravened the PDPA; (c) the Individual had made efforts to ensure that he complied with his obligations under Part 9 of the PDPA relating to the DNCR when making the Subject Calls; and (d) the Individual voluntarily took action to cease the Subject Calls upon discovery that the SCDF had been called. 22 Having considered all the relevant factors in this case, the Commission hereby administers a warning to the Individual in respect of his breach of the Section 48B Prohibition. No other directions are necessary in view of the remedial actions already taken by the Individual. LEE TI-TING ASSISTANT COMMISSIONER FOR PERSONAL DATA PROTECTION ",Warning,065914363a4287df302d4869dbb9b671721521e1,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"
2023-12-16T14:56:23+00:00,a4f6f8e41bd30b30b47062381168e96c14e1e38d,487,10,4,959,,,,,Do Not Call Provision(s),,,,,,7e6cd8746e2888fe5a84668ee5595c134a3f53c3,"[""nature""]"