TMT 2021

Last Updated February 19, 2021

Singapore

Law and Practice

Drew & Napier has a highly regarded TMT Practice Group, consistently ranked as the leading IT, telecommunications, broadcasting and multimedia legal practice in Singapore. The firm possesses unparalleled transactional, licensing and regulatory experience in the areas of telecommunications, technology, media, data protection and cybersecurity. Its Data Protection, Privacy and Cybersecurity Practice Group has been at the forefront of data protection law in Singapore since 2013, and has worked on significant data protection enforcement cases and appeals, including cases that involve cybersecurity elements. The firm established the Drew Data Protection & Cybersecurity Academy in 2020 to offer additional services related to data protection and cybersecurity compliance, including training, data protection consulting and external Data Protection Officer (DPO) services. Drew & Napier is the preferred counsel of many regional companies, multinationals, associations, government bodies and industry regulators, and regularly assists them on a wide range of matters in Singapore and ASEAN member countries.

There are limitations placed on organisations that seek to entrust certain processes or data to the cloud, although most of these limitations are in the context of personal data protection.

Applicable Laws and Guidelines

The main legislation governing the processing of personal data is the Personal Data Protection Act 2012 (PDPA). "Personal data" is defined under the PDPA as data, whether true or not, about an individual who can be identified (i) from that data; or (ii) from that data and other information to which the organisation has or is likely to have access. The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC). (See 6 Key Data Protection Principles for more details on the PDPA.)

There are cross-border data transfer restrictions in the PDPA. Under Section 26 of the PDPA, an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with prescribed requirements to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA (the transfer limitation obligation).

The prescribed requirements, as set out in the Personal Data Protection Regulations 2021 (PDPR), require the transferring organisation to ensure that the recipient of the personal data is bound by legally enforceable obligations. These "legally enforceable obligations" include any laws in the jurisdiction to which the personal data is transferred, contracts, as well as binding corporate rules (BCRs).

BCRs may be used for recipients that are "related" to the transferring organisation (eg, a parent company or subsidiary), whilst contracts may be used for data transfers to any party. In either case, the BCRs or contract must specify the countries and territories to which the personal data will be transferred under them.

In addition, under the PDPR, an overseas recipient of personal data will also be considered to be legally bound to provide comparable protection for the transferred personal data if it holds an Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System or Privacy Recognition for Processors (PRP) System certification that is granted or recognised under the laws of the country or territory to which the personal data is transferred. That said, transferring organisations that are seeking to rely on this transfer mechanism should ensure that they carry out the necessary due diligence to determine that the overseas recipient is indeed CBPR or PRP-certified under the laws of the country or territory in question.

Furthermore, the PDPC has published a chapter on cloud services in its non-legally binding Advisory Guidelines on the PDPA for Selected Topics (cloud guidelines), which clarifies the application of the PDPA to cloud services. Specifically, an organisation should ensure that the cloud service providers (CSPs) it engages only transfer data to locations with comparable data protection regimes, or are otherwise bound by legally enforceable obligations to provide a comparable standard of protection for the transferred personal data.

Sector-Specific Regulation

Apart from the PDPA and the cloud guidelines, the use of CSPs in the financial sector is subject to additional regulation by the sectoral regulator, the Monetary Authority of Singapore (MAS). The MAS and the Association of Banks in Singapore (ABS) have published the following guidance for financial institutions (FIs) on cloud computing and cloud outsourcing arrangements:

  • the MAS Technology Risk Management Guidelines;
  • the ABS Cloud Computing Implementation Guide 2.0; and
  • the MAS Guidelines on Outsourcing.

In general, these guidelines provide guidance to FIs on maintaining data, infrastructure and network security; sound practices on risk management of outsourcing arrangements; and the use of cloud computing platforms. FIs are encouraged to conduct appropriate due diligence on the CSP and evaluate the risks before entering into a cloud outsourcing arrangement. The risk assessment should also be performed periodically on existing outsourcing arrangements, as part of the approval, strategic planning, risk management or internal control reviews of the outsourcing arrangements of the FI.

Specific Issues Regarding Personal Data Protection

The transfer limitation obligation under the PDPA requires the contract or BCRs to expressly state the locations to which the personal data may be transferred. However, in a cloud outsourcing arrangement with a CSP, an organisation may have to agree to the CSP’s standard contractual terms, which may include a term conferring discretion on the CSP as to the exact jurisdictions to which personal data may be transferred.

According to the PDPC’s cloud guidelines, in such a situation, the organisation may be considered to have taken appropriate steps to comply with the transfer limitation obligation if:

  • the Singapore-based CSP is certified or accredited as meeting relevant industry standards (such as ISO 27001); and
  • the CSP provides assurances that all the data centres or sub-processors in the overseas locations to which the personal data is transferred comply with these standards.

In practice, the organisation should also check that the scope statement of the CSP’s certification actually covers the services and data centre locations it will use, since an ISO 27001 certificate is issued for a defined scope and not for the CSP as a whole.

Blockchain as a technology is not specifically regulated under a single piece of legislation in Singapore. However, various pieces of legislation and regulations may apply, depending on the particular use-case of the blockchain technology in question.

Sector-Specific Regulation – SFA

In the financial investments and capital markets sector, the MAS has clarified that pursuant to the Securities and Futures Act (Chapter 289) (SFA), offers or issuances of blockchain-based digital tokens will be regulated if such digital tokens are capital markets products as defined under the SFA. Digital token exchanges which operate a market or facility for the exchange of digital tokens which are capital markets products will generally have to obtain MAS approval as an approved exchange or MAS recognition as a recognised market operator.

In this regard, the MAS has published a Guide to Digital Token Offerings aimed at providing guidance on the application of the SFA and other laws administered by the MAS pertaining to offers or issuances of digital tokens in Singapore.

Sector-Specific Regulation – PSA

Additionally, under the Payment Services Act (No 2 of 2019) (PSA), any entity providing account issuance, domestic money transfers, cross-border money transfers, merchant acquisition, e-money issuance, digital payment tokens, or money-changing services in Singapore will need a payment services licence unless exempted.

As such, operators of blockchain-based systems which provide e-money issuance services, digital payment token services (eg, digital token exchanges), and/or cross-border money transfer (ie, remittance) services may have to be licensed, comply with various anti-money laundering/countering the financing of terrorism requirements, and establish cybersecurity procedures to reduce cyber-risks.

Singapore’s Parliament has recently passed amendments to the PSA. Under these amendments, entities facilitating the transmission, exchange or storage of digital payment tokens will have to be licensed, and will be subject to expanded rules and regulations set by the MAS aimed at reducing money laundering/terrorism-financing risks, ensuring better consumer protection, maintaining financial stability and safeguarding the efficacy of monetary policy.

In particular, the definition of cross-border money transfer (ie, remittance) services will be broadened to include the facilitation of money transfers between persons in different jurisdictions, even where the money is not accepted or received by the service provider in Singapore. The MAS will also be empowered to impose user protection measures on service providers (eg, requiring the segregation of customer assets) where necessary.

Risk and Liability

Pre-existing legal frameworks (eg, contractual, tortious, equitable and property law principles) are likely to apply to risk and liability issues concerning blockchain-based systems.

For example, in the landmark case of Quoine Pte Ltd v B2C2 Ltd [2020] SGCA (I) 02, which involved smart contracts and the autonomous algorithmic trading of digital tokens, the Singapore courts recognised the existence of a contractual relationship between buyers and sellers when executing a trade on the digital token exchange and accordingly applied traditional contractual principles of unilateral mistake and breach of contract.

Data Protection

Insofar as the use of blockchain technologies involves the collection, use and disclosure of personal data, the PDPA may be applicable. Moreover, the computational difficulty or technical infeasibility of altering or deleting confirmed entries on blockchain records may present compliance challenges for certain data protection obligations to which an organisation is subject.

For example, the right of an individual to request that an organisation correct an error or omission in their personal data is incompatible with the blockchain’s distinguishing feature of immutability: a correction can only be appended as a new entry, and the erroneous entry remains on the ledger. Similarly, the obligation on an organisation to cease to retain personal data, or to anonymise it, as soon as it is reasonable to assume that the purpose for collection is no longer being served and retention is no longer necessary for legal or business purposes is also incompatible with immutability. (See 6 Key Data Protection Principles for more information on the data protection obligations.)

As a final point, for blockchain network servers and nodes that are situated across multiple jurisdictions, additional issues relating to cross-border data transfers should also be considered. (See 1 Cloud Computing for more information on the transfer limitation obligation.)

At present, there is no specific legislation regulating the use of big data, machine learning and artificial intelligence (AI) technologies in Singapore. However, various government and regulatory agencies have developed non-legally binding frameworks to provide industry guidance on these subjects.

Applicable Frameworks

Examples of these frameworks include:

  • the PDPC’s Model AI Governance Framework and Implementation and Self-Assessment Guide for Organisations, which provide organisations with practical recommendations in implementing ethical principles and adopting responsible AI governance;
  • the MAS’s Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of AI and Data Analytics in Singapore’s Financial Sector; and
  • the MAS’s Veritas Framework, which assists FIs in evaluating their AI and data analytics solutions against the MAS’s FEAT principles.

Notably, the PDPC’s Model AI Framework represents the efforts of Singapore’s policymakers and regulators to articulate a common approach and a consistent set of definitions and principles for the governance of AI. Broadly, it sets out principles in four key areas:

  • Internal governance – organisations should ensure that there are clear roles and responsibilities as well as risk management and internal controls in place for the ethical deployment of AI.
  • AI decision-making models – organisations should consider the risks of different AI models and determine the appropriate degree of human oversight based on the expected probability and severity of harm.
  • Operations management – organisations should understand the lineage, provenance and quality of data used, as well as the transparency of algorithms chosen.
  • Customer relations – organisations should seek to build trust and maintain open relationships with individuals regarding the use of AI through general disclosure, transparency and policy explanations, and careful design of human-AI interfaces.

Autonomous Vehicles

In the context of autonomous vehicles (ie, self-driving cars), the Road Traffic (Autonomous Motor Vehicles) Rules 2017 provide that the trial or use of an autonomous motor vehicle on any road is prohibited unless specific authorisation is obtained. Parties wishing to do so must submit an application to the Land Transport Authority (LTA) stating matters such as the trial’s objectives, the type of autonomous vehicle to be used and its intended purposes. The LTA has the discretion to accept or reject the application and/or impose conditions.

Fake News

In the context of fake news and misinformation, the Protection from Online Falsehoods and Manipulation Act 2019 (No 18 of 2019) (POFMA) was enacted to, amongst other things, prevent the electronic communication in Singapore of false statements of fact. Notably, the POFMA prohibits the making or alteration of an automated computer program (a "bot", which need not involve AI) with the intention of using it to communicate a false statement of fact in Singapore.

Data Protection

The collection and use of large datasets for big data analytics, machine learning and AI may trigger data protection concerns, especially where such datasets involve personal data. (See 1 Cloud Computing (Applicable Laws and Guidelines) for the definition of personal data.) Moreover, it is not uncommon for AI systems to utilise data mining solutions to obtain data from third-party sources, in some cases without having obtained consent from the individual.

Another significant data protection challenge is the increasing ease with which researchers can re-identify individuals from previously pseudonymised or anonymised datasets by matching against publicly available information or other datasets.

Intellectual Property

At present, it remains unclear whether and how existing IP frameworks may be applied in protecting AI-generated works. Under Singapore copyright law, the creative elements of a work must be attributable to a natural person in order for copyright protection to vest.

AI-related inventions may, however, be patentable. The Intellectual Property Office of Singapore (IPOS) has recently launched an Accelerated Initiative for Artificial Intelligence (AI2) scheme under which AI-related patent applications may be granted on an accelerated basis if various conditions are satisfied – most notably, the claimed invention must be an AI invention. Additionally, under the Patents Act (Chapter 221), in order for an invention to be patentable, it must be new, involve an inventive step, and be capable of industrial application.

While Singapore has not enacted any laws which specifically govern the internet of things (IoT), there are existing laws and regulations which may apply to various aspects of such IoT projects or applications.

Telecommunications

Firstly, the Infocomm Media Development Authority (IMDA), as established under the Info-communications Media Development Authority Act 2016 (No 22 of 2016) (IMDA Act), is responsible for regulating, amongst others, the telecommunications sector in Singapore pursuant to its exclusive privilege under the Telecommunications Act (Chapter 323) (TA).

Under the TA, “telecommunications” is defined very broadly as any transmission, emission or reception of signs, signals, writing, images, sounds or intelligence of any nature by wire, radio, optical or other electro-magnetic systems whether or not such signs, signals, writing, images, sounds or intelligence have been subjected to a rearrangement, computation or other processes by any means in the course of their transmission, emission or reception.

As the primary legislation governing the telecommunications industry in Singapore, the TA sets out the broad licensing and regulatory framework for the telecommunications sector. Unless an exemption applies, IMDA’s jurisdiction may potentially extend to the licensing of IoT projects or applications if such projects or applications may be regarded as involving the operation or provision of telecommunications systems or services under the TA. Where applicable, such persons would therefore need to comply with the general obligations and any specific conditions of approval under their respective licences which have been granted by IMDA. (See 8 Scope of Telecommunications Regime for more details on the licensing of telecommunication systems and services.)

Data Protection

The applicability of the PDPA may be triggered insofar as the IoT device in question can be used to collect personal data in Singapore and transmit it over a network (wireless or otherwise). In such a case, the organisation that collects or transfers the personal data (which may be an IoT service provider) will need to comply with the data protection obligations in respect of such data, unless an exception applies. (See 6 Key Data Protection Principles for more details.)

Cybersecurity

The primary cybersecurity legislation is the Cybersecurity Act 2018 (No 9 of 2018) (Cybersecurity Act), which sets out a framework for the designation and monitoring of critical information infrastructure (CII) in essential sectors such as energy, info-communications, media, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, and services relating to the functioning of the government.

Under the Cybersecurity Act, a computer or computer system may be designated by the Commissioner of Cybersecurity as CII if:

  • it is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
  • it is located wholly or partly in Singapore.

Owners of CII are subject to various obligations under the Cybersecurity Act, including reporting cybersecurity incidents, conducting regular cybersecurity audits and risk assessments, furnishing relevant information, complying with codes of practice and directions issued by the Commissioner, and participating in cybersecurity exercises.

With the increasing adoption of IoT solutions among various stakeholder groups – including consumers, enterprises and governments – organisations which deploy IoT projects or solutions in the essential sectors stated above may wish to pay particular attention to the possibility of their systems being designated as CII and subjected to the obligations under the Cybersecurity Act.

Data Security

One challenge that some organisations may face when entering into IT service agreements relates to obligations surrounding data security, particularly where personal data is involved. It is common for organisations seeking to engage third-party IT service providers to enter into a written data processing agreement which sets out each party’s roles and responsibilities in relation to the personal data in question, as well as the specific security measures that would be put in place.

In addition, the PDPC encourages organisations to design and organise their security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach; and identify reliable and well-trained personnel responsible for ensuring information security.

In cases where the contract for IT services is with an FI, for instance, the organisation should be aware that FIs in Singapore are also subject to the regulations and guidelines promulgated by the MAS. These include, but are not limited to, the MAS’s Notice on Technology Risk Management, Notice on Cyber Hygiene and Technology Risk Management Guidelines, which, among other things, may require FIs to exercise strong oversight of arrangements with third-party service providers to ensure system resilience and maintain data confidentiality and integrity. As a result, organisations entering into IT service agreements with FIs may need to include provisions on the conduct of security audits and on reporting of breaches or cyber-attacks.

Data Localisation

In Singapore, there are no express laws in relation to data localisation or data residency. The Singapore government has notably taken a stance against data localisation and emphasised the importance of the free flow of data through coherent and efficient cross-border data transfer mechanisms.

Where the IT service agreement involves a cross-border transfer of personal data (eg, storage of data in the cloud or in a data centre located outside of Singapore, or the solution involves cloud computing), the organisation should also consider compliance with cross-border data transfer requirements under the PDPA and PDPR. (See 1 Cloud Computing (Specific Issues Regarding Personal Data Protection) for more details on the transfer limitation obligation and specific issues for CSPs.)

The PDPA is the primary legislation in Singapore that governs the processing of personal data by organisations, in a manner that balances the needs of organisations against the privacy of individuals. Processing of personal data is broadly defined to include data activities such as (but not limited to) the collection, use, disclosure, storage and deletion of personal data.

The PDPA

In the PDPA, an “individual” refers to a natural person, whether living or deceased, while an “organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not they (i) are formed or recognised under the law of Singapore, or (ii) are resident, or have an office or a place of business, in Singapore. Notwithstanding this, the data protection provisions of the PDPA (as elaborated below) will not apply to individuals acting in a personal or domestic capacity (Section 4(1)(a) of the PDPA).

Data Protection Provisions

Parts III to VI of the PDPA set out provisions relating to the protection of personal data (data protection provisions). The data protection provisions include the following obligations (data protection obligations), which organisations are required to comply with in relation to their data processing activities.

  • Consent obligation – an organisation must obtain an individual’s consent before collecting, using or disclosing their personal data for a purpose (Sections 13–17, PDPA).
  • Purpose limitation obligation – an organisation may only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances (Section 18, PDPA).
  • Notification obligation – an organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose their personal data on or before such collection, use or disclosure, and may only collect, use and disclose personal data for such purposes (Section 20, PDPA).
  • Access and correction obligation – an organisation must, upon request, allow an individual to access and/or correct their personal data in its possession or under its control; in addition, the organisation is obliged to provide the individual with information about the ways in which the personal data may have been used or disclosed during the past year (Sections 21 and 22, PDPA).
  • Accuracy obligation – an organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation (Section 23, PDPA).
  • Protection obligation – an organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent:
    1. its unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and
    2. the loss of any storage medium or device on which that personal data is stored (Section 24, PDPA).
  • Retention limitation obligation – an organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected and is no longer necessary for legal or business purposes (Section 25, PDPA).
  • Transfer limitation obligation – an organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that assured under the PDPA (Section 26, PDPA).
  • Accountability obligation – an organisation must appoint a person to be responsible for ensuring that it complies with the PDPA, typically referred to as a data protection officer (DPO), and develop and implement policies and practices that are necessary to meet its obligations under the PDPA, including a process to receive complaints; in addition, the organisation is required to communicate to its staff information about such policies and practices and make information available upon request to individuals about such policies and practices (Sections 11 and 12, PDPA).

Amendments to the PDPA

The Personal Data Protection (Amendment) Act 2020, which was passed in Parliament on 2 November 2020, introduced the mandatory data breach notification obligation, which came into effect on 1 February 2021.

Under this new data protection obligation, an organisation must conduct an assessment of a data breach, in a reasonable and expeditious manner, to determine if the data breach is a “notifiable data breach”. The organisation also has a duty to notify the PDPC of such a data breach (Part VIA, PDPA).

A data breach is classified as a "notifiable data breach" if the data breach:

  • results in, or is likely to result in, significant harm to the individual; or
  • is, or is likely to be, of a significant scale (under the Personal Data Protection (Notification of Data Breaches) Regulations 2021, a breach affecting 500 or more individuals is of significant scale).

The PDPC must be notified within three calendar days after the organisation assesses the breach to be notifiable. An organisation is also required to inform affected individuals of a notifiable data breach, unless pre-existing technological measures (eg, encryption of the affected data) were in place, or action is taken in accordance with prescribed requirements, such that it is unlikely the notifiable data breach will result in significant harm to the affected individuals (Part VIA, PDPA).

Additionally, the exceptions to the consent obligation have also been expanded to include several new ones, including, but not limited to, the legitimate interests exception.

Under the legitimate interests exception, consent from the individual will not be required if the collection, use or disclosure of the personal data is in the legitimate interests of the organisation or another person, and the legitimate interests of the organisation or other person outweigh any adverse effects to the individual.

Before relying on this new legitimate interests exception, and before collecting, using or disclosing the personal data, the organisation must conduct an assessment to:

  • identify any adverse effect that the proposed collection, use or disclosure of personal data about an individual is likely to have on that individual; and
  • identify and implement reasonable measures to eliminate the adverse effect, reduce the likelihood that the adverse effect will occur, or mitigate the adverse effect.

The organisation must also provide the individual with reasonable access to information about the organisation’s collection, use or disclosure of personal data (as the case may be) in reliance on this exception.

Although most of the changes under the Personal Data Protection (Amendment) Act 2020 have come into force as of 1 February 2021, there are a few provisions which have yet to take effect. One example is the data portability obligation, which states that an organisation must transmit applicable data to a receiving organisation upon receiving an individual’s data porting request, in accordance with the prescribed requirements, unless an exception applies (Part VIB, PDPA).

Data Intermediaries

"Data intermediaries" are defined in the PDPA as organisations that process personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing. Data intermediaries are only subject to the protection obligation and the retention limitation obligation under the PDPA in respect of the personal data they process (Section 4(2), PDPA), together with a duty, introduced by the 2020 amendments, to notify the organisation on whose behalf they process the data of any data breach without undue delay (Part VIA, PDPA). The rest of the data protection obligations remain with the primary organisation which has possession or control of the personal data.

Exclusion for Public Agencies

Notably, public agencies are expressly excluded from the application of the data protection provisions in the PDPA. As such, only private sector organisations are subject to the PDPA, whereas data management in the public sector is governed by the Public Sector (Governance) Act 2018 and the Government Instruction Manual on IT Management.

Enforcement

The PDPA is administered and enforced by Singapore’s data protection authority, the PDPC. In the case of a breach of the data protection provisions, the PDPC is empowered to issue such remedial directions as it thinks fit, including a direction to require the organisation to pay a financial penalty of up to SGD1 million. However, the current quantum of financial penalties is set to be revised when the amendments to the PDPA take effect. Under the amended PDPA, the PDPC will be able to impose financial penalties of (i) up to a maximum of 10% of an organisation’s annual turnover in Singapore, or (ii) up to SGD1 million, whichever is higher (Section 48J, PDPA). The amendments concerning the increased quantum of financial penalties have yet to take effect at the time of writing.

At present, there are no specific restrictions under Singapore law that govern the monitoring of employees and the use of company computer resources by employees. In practice, these restrictions are typically set out in the employment agreement and company-specific employee handbooks and codes of conduct.

Generally, employers may monitor the activities of their employees (including usage of company computer resources) as long as their surveillance efforts are in compliance with the data protection provisions of the PDPA.

Under the PDPA, employers may collect, use and disclose the personal data of their employees for the purpose of managing or terminating an employment relationship (eg, payroll administration), as long as the employee is notified of such purposes.

Under Section 20(4) of the PDPA, in respect of the personal data of an individual that is an employee of an organisation, that organisation – on or before collecting, using or disclosing such personal data for the purpose of managing or terminating an employment relationship between the organisation and that individual – must inform the individual (i) of such purposes, and (ii) on request by that individual, provide that individual with the contact information of the organisation's DPO.

In addition, the PDPC has published a chapter in its Advisory Guidelines on PDPA for Selected Topics on data protection issues in the employment context (employment guidelines). The PDPC has clarified in its employment guidelines that the phrase “managing or terminating an employment relationship” can include, amongst other things, monitoring how an organisation's employees use company computer network resources.

For purposes that are not related to, or where the personal data being collected is not relevant to, the management or termination of an employment relationship, employers will still need to obtain consent from their employees before collecting, using or disclosing their personal data.

Specifically, employers would need to obtain consent when processing employee personal data for business or client purposes not related to managing or terminating an employment relationship.

The employment guidelines suggest that the use of data loss prevention tools, web traffic monitoring tools, and the monitoring of private email use may be permitted under the PDPA, insofar as such tools and monitoring are necessary for the purpose of managing or terminating an employment relationship. However, in compliance with the requirement to notify, the organisation is still required to inform its employees of such purposes for the collection, use or disclosure of their personal data.

Regulation of the Telecommunications Sector

As noted in the definition of “telecommunications” (see 4 Legal Considerations for Internet of Things Projects), the licensing and regulatory framework for telecommunication systems and services under the TA is sufficiently broad to cover almost every technological application, even if there are no specific references to individual applications such as RFID tags, Voice over Internet Protocol (VoIP) or instant messaging. That said, service-specific issues may be covered in various regulations, codes of practice, standards of performance, directions, advisory guidelines and licences issued by IMDA pursuant to its powers under the TA.

For instance, issues pertaining to the licensing and use of radio frequency (RF) spectrum and the operation of radio stations and networks are regulated under the Telecommunications (Radio-communications) Regulations, while the Telecommunications (Dealers) Regulations set out the framework in relation to the manufacturing, importation and sale (among other things) of telecommunication equipment.

It should also be noted that although IMDA was formally established on 1 October 2016 as a converged regulator for both the info-communications and media sectors, the telecommunication and media sectors continue to be governed by separate regulatory frameworks. For instance, the TA does not presently apply to the licensing of broadcasting services or any broadcasting apparatus, which fall under the Broadcasting Act (Chapter 28) (BA) instead.

Licensing for the Operation and Provision of Telecommunication Systems and Services

Generally, licences for the operation and provision of telecommunication systems and services in Singapore would fall into either of two categories, namely, facilities-based operations (FBOs) or services-based operations (SBOs).

Taking the provision of VoIP services as an example, it is noted in IMDA’s Guidelines on Licensing and Regulatory Framework for IP Telephony Services in Singapore that applicants need to first obtain either an FBO or SBO licence from IMDA in order to provide IP telephony services. IP telephony services are defined as any VoIP services offered using an E.164 telephone number allocated to customers in Singapore, which allow customers to make and receive voice, data and/or video calls using the same IP telephone number from any domestic or overseas location where broadband internet access is available.

An FBO licence is required if applicants intend to deploy and/or operate any form of telecommunication network, systems and/or facilities for the purpose of providing telecommunication (eg, IP telephony services) and/or broadcasting services outside of their own property boundaries to third parties (which may include other licensed telecommunication operators, business customers or the general public).

In contrast, only an SBO licence is required if applicants intend to lease telecommunication network elements from any FBO licensee to provide telecommunication services (eg, IP telephony services), or to resell the telecommunication services of such FBO licensees to third parties.

While there are two licensing schemes under the SBO framework (ie, class-licensing and individual licensing), operators that lease international transmission capacity for the provision of their services are usually required to obtain an SBO (Individual) licence. The SBO (Class) Licence is a licensing scheme where the terms and conditions are gazetted in the Telecommunications (Class Licences) Regulations. Anyone who provides the services within the scope of the SBO (Class) licence will be deemed to have read and agreed to the terms and conditions of the class licence.

IMDA’s licensing framework is formulated on a hierarchical basis, with FBO licences placed on a higher level than SBO licences. This means that FBO licensees are able to offer telecommunication services that would ordinarily require an SBO licence without having to obtain a separate SBO licence, but not vice versa. If an SBO licensee subsequently wishes to undertake FBO-related activities such as deploying or operating any telecommunication network, systems or facilities, it will need to apply for a new FBO licence to replace its existing SBO licence.

Eligibility, Fees and Charges

In terms of eligibility, IMDA’s current practice is to issue FBO licences only to Singapore-incorporated companies, although such companies can be wholly owned by a foreign entity. In the case of SBO (Individual) licences, local registered branches of foreign companies are eligible to apply, while SBO (Class) licences may also be held by limited liability partnerships or limited partnerships. Further details regarding the application process for an FBO or SBO licence, and the information required, can be found in the respective application guidelines issued by IMDA on their website.

In terms of applicable fees and charges, FBO licensees are subject to a minimum annual recurrent fee of SGD80,000 or SGD200,000 (depending on whether the licensee is an FBO or a designated public telecommunication licensee), with further fees chargeable as a percentage of their incremental annual gross turnover (AGTO) exceeding SGD50 million as follows:

  • 0.8% of the incremental AGTO between SGD50 million and SGD100 million, and
  • 1% of the incremental AGTO above SGD100 million.

SBO (Individual) licensees are subject to a minimum annual recurrent licence fee of SGD4,000, with further fees chargeable as a percentage of their incremental AGTO exceeding SGD50 million as follows:

  • 0.5% of the incremental AGTO between SGD50 million and SGD100 million, and
  • 0.8% of the incremental AGTO above SGD100 million.

As of the time of writing, there are no annual recurrent licence fees for SBO (Class) licensees. Depending on the type of services provided, SBO (Class) licensees may need to make a one-time payment of SGD200 upon registration with IMDA.

Regulation of the Media Sector

Similar to telecommunications, IMDA is also responsible for the regulation of the media (including broadcasting and film) sector. With regard to the media sector, “media” is defined in the IMDA Act as:

  • a film (as defined in the Films Act (Chapter 107));
  • a newspaper (as defined in the Newspaper and Printing Presses Act (Chapter 206));
  • a broadcasting service (as defined in the BA);
  • a publication (as defined in the Undesirable Publications Act (Chapter 338)); or
  • such other medium of communication of information, entertainment or other matter to the public (or a section of the public) as the Minister may specify by order in the Gazette.

Generally, the provision of audio-visual services in or from Singapore (eg, TV or radio) would be regulated under the BA and IMDA may grant a broadcasting licence for the provision of:

  • free-to-air nationwide, localised and international television services;
  • subscription nationwide, localised and international television services;
  • special interest television services;
  • free-to-air nationwide, localised and international radio services;
  • subscription nationwide, localised and international radio services;
  • special interest radio services;
  • audio-text, video-text and teletext services;
  • video-on-demand services;
  • broadcast data services; and
  • computer online services.

In addition, the BA provides for a class-licensing regime, under the Broadcasting (Class Licence) Notification and Broadcasting (Class Licence – Broadcasting to Digital Display Panels) Notification 2020, for:

  • audio-text, video-text and teletext services;
  • broadcast data services;
  • virtual area network computer online services;
  • computer online services that are provided by internet content providers and internet service providers; and
  • distribution network digital display panels services.

In particular, it should be noted that “internet content providers” is broadly defined under the Broadcasting (Class Licence) Notification to include any individual in Singapore who provides any programme, for business, political or religious purposes, on the World Wide Web through the internet, as well as any corporation or group of individuals (whether registrable or incorporated under Singapore law or not) who provides any programme on the World Wide Web through the internet.

In such cases, it is possible that companies operating online video channels on YouTube, for example, may be automatically deemed to be class-licensed and must comply with the conditions of the class licence and the Internet Code of Practice. Amongst other requirements, broadcasting class licensees may be asked by IMDA to remove or prohibit the broadcast of certain programmes which IMDA has deemed to be against the public interest, public order or national harmony or to offend against good taste or decency.

Eligibility, Fees and Charges

In general, broadcasting companies are required to be Singapore-incorporated companies or the registered local branches of a foreign company in order to hold a “relevant licence” (unless exempted by the Minister for Communications and Information).

A “relevant licence” (which excludes class licences) refers to any free-to-air licence or any broadcasting licence under which a subscription broadcasting service may be provided, and which permits broadcast which is capable of being received in 50,000 dwelling-houses or more.

Different types of broadcasting licences may come with different licence fees, for instance:

  • for free-to-air nationwide television and radio service licences, licensees must pay 2.5% of their total revenue or SGD250,000 per annum, whichever is higher, and provide a performance bond of SGD200,000;
  • for subscription international television services licences (for satellite television service broadcasters), licensees must pay SGD5,000 per annum and provide a performance bond of SGD50,000 if they are not based or registered in Singapore;
  • for nationwide subscription television licences, licensees must pay 2.5% of their total revenue or SGD50,000 per annum, whichever is higher, and provide a performance bond of SGD200,000; and
  • for niche television service licences (which apply to providers of television services targeting niche market segments and over-the-top television services delivered through the internet), no licence fee is required.

For completeness, yearly fees are payable for certain types of services under the Broadcasting (Class Licence) Notification as follows.

  • Teletext services – SGD2,000.
  • Computer online services by internet access service providers – SGD1,000.
  • Computer online services by non-localised internet service resellers – SGD100 (if less than 500 user accounts) or SGD1,000 (for 500 accounts or more).
  • Computer online services by a localised internet service reseller – SGD100 for each premise at which the computer online services are provided.

While Singapore has not enacted any laws which specifically govern encryption standards and technology, there are existing laws and regulations which may apply to various aspects of encryption.

PDPA

Organisations that process personal data are subject to the data protection provisions in the PDPA, and need to comply with, amongst others, the protection obligation (see 6 Key Data Protection Principles for more details). As part of complying with the protection obligation, organisations need to put in place reasonable security arrangements to protect the personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

While the PDPA does not provide much elaboration on what constitutes “reasonable security arrangements”, the PDPC, in its Advisory Guidelines on Key Concepts in the PDPA, has stated that these security arrangements may be in the form of administrative measures, physical measures, technical measures or a combination of these. In particular, the PDPC has recognised that the encryption of personal data to prevent unauthorised access is an example of a technical security measure that an organisation may use to protect personal data.

Additionally, the PDP (Amendment) Act 2020 introduces a number of significant changes to Singapore’s data protection regime, one of which is a requirement for organisations to notify affected individuals of a data breach which results, or is likely to result, in significant harm or impact to the individuals to whom the information relates. (See 6 Key Data Protection Principles on the mandatory data breach notification obligation.)

However, the notification of the affected individuals is not required where the stated exceptions apply. In particular, one exception is where the personal data that was compromised by the data breach is subject to technological protection (eg, encryption) that is of a reasonable security standard.

Cybersecurity Act 2018

The Cybersecurity Act sets out a regulatory framework governing CII which have been designated by the Commissioner of Cybersecurity (see 4 Legal Considerations for Internet of Things Projects for more details on CII). Section 11(6) of the Cybersecurity Act requires every CII owner to comply with the codes of practice and standards of performance that apply to the CII.

Pursuant to its powers under Section 11(1)(a) of the Cybersecurity Act, the Commissioner of Cybersecurity has issued the Cybersecurity Code of Practice for Critical Information Infrastructure (Cybersecurity Code for CII).

The Cybersecurity Code for CII imposes various protection requirements on CII owners. Amongst other things, CII owners are required to implement encryption for all remote network connections to that CII, and to encrypt all the CII’s sensitive information on removable storage media.

Strategic Goods Control

The use of encryption in a system or product may, depending on its nature, cause it to be considered as a regulated “strategic good” under the Strategic Goods (Control) Act (Chapter 300) (SGCA) read with the Strategic Goods (Control) Order 2020 (SGCO).

Under Section 4A of the SGCA, the Minister may prescribe any military or “dual-use” (ie, capable of being used for both a non-military purpose and a military purpose or relevant activity) goods or technology as being strategic goods or technology. The transfer and brokering of such strategic goods and technology are subject to various restrictions and permit requirements under the SGCA.

Part 2 of the Schedule to the SGCO specifies a range of “information security”-related goods or technology as being strategic goods and technology if they satisfy certain prescribed technical requirements, and do not fall within the prescribed categories of exclusions. Such goods and technology are:

  • systems, equipment and components;
  • test, inspection and “production” equipment;
  • software; and
  • other technology.

The Singapore government introduced a variety of measures and initiatives in response to the COVID-19 pandemic, most prominently, the enactment of the COVID-19 (Temporary Measures) Act 2020 (COVID-19 Act) and its various subsidiary legislation, including but not limited to the COVID-19 (Temporary Measures) (Control Order) Regulations 2020 (Control Order Regulations).

The COVID-19 Act and the Control Order Regulations are of general application across all sectors and are not specific to the TMT sector. The COVID-19 Act allows the government to make regulations for the purpose of preventing, protecting against, delaying or otherwise controlling the incidence or transmission of COVID-19 in Singapore.

The Control Order Regulations set out requirements on, amongst other things, mask wearing, size restrictions for social gatherings in the home and in public, safe distancing requirements, safe management measures for the workplace and customer operations, and work-from-home arrangements.

Specific Measures for the TMT and ICT Sector

IMDA, Singapore’s converged telecommunications and media regulator, has stated that all employers and businesses, including those in the Infocomm Technology (ICT) sector, must comply with the government’s nationwide advisories in all workplaces and workplace settings including a set of safe management guidelines (Safe Management Measures) published by the Ministry of Manpower.

IMDA has also released a joint advisory with SGTech (a trade association for the Singapore tech industry), containing a full set of safe management measures for ICT companies (IMDA Advisory). This includes requiring all employers and businesses (including those in the ICT sector) to comply with the government’s nationwide advisories on safe management measures, which importantly include:

  • implementing a system of safe management measures at workplaces;
  • reducing physical interaction and ensuring safe distancing at workplaces;
  • supporting contact tracing;
  • requiring personal protective equipment and personal hygiene;
  • ensuring the cleanliness of workplace premises; and
  • implementing health checks and protocols to manage potential cases.

The IMDA Advisory also sets out additional measures for the following workplace settings specific to the ICT sector:

  • Onsite IT services, support or manpower at customers’ premises.
  • Data centre operations.
  • ICT retail stores and e-commerce.

These additional measures include requiring (in respect of data centre operations) that employers should implement staggered work hours or scheduling of different activities to prevent mingling of different teams or companies.

Measures in Respect of Media Content Production Activities

Additionally, IMDA has issued a set of Mandatory Safety Rules for the Resumption of Content Production (MSR), which applies to content producers in the media sector. IMDA and the Singapore Film Commission have assessed that the MSR meets the necessary precautionary measures for managing COVID-19-related risks during content productions, and that all media content productions must comply with the MSR. Compliance with the MSR is mandatory for all companies carrying out media content production activities.

In general, the MSR imposes the following rules in respect of content production activities.

For companies involved in the production of programmes for broadcast and other digital media (such as TV commercials, short narratives, documentaries and feature films) that require a large crew: no more than 50 personnel on location, including no more than 20 onscreen talent/performers unmasked, at any given time. These companies are to register with IMDA, and no live singing is allowed at this production size.

For companies involved in all other productions: no more than 30 personnel on location, including no more than ten onscreen talent/performers unmasked at any given time.

For “live” singing as part of the production, all productions must adhere to no more than 30 personnel on location, including no more than five onscreen talent/performers singing unmasked at any given time, and must observe a two-metre safe distancing from the next person.

Unmasking dispensations are to be kept strictly to the fixed cast of onscreen talent/performers (not interchangeable with other non-onscreen performing roles) for the entire production.

Penalties for Non-compliance

The Control Order Regulations give legal force to the advisories on safe management measures published by the Singapore government. The penalties for non-compliance with the COVID-19 Act and the Control Order Regulations are set out in Sections 34 and 35 of the COVID-19 Act.

Under Section 34(7) of the COVID-19 Act, a person who, without reasonable excuse, contravenes a control order, commits an offence and shall be liable on conviction (i) to a fine not exceeding SGD10,000 or to imprisonment for a term not exceeding six months or to both; or (ii) in the case of a second or subsequent offence, to a fine not exceeding SGD20,000 or to imprisonment for a term not exceeding 12 months or to both.

Under Sections 35(9) to 35(11) of the COVID-19 Act, an individual, body corporate, unincorporated association or partnership commits an offence if they/it, without reasonable excuse, refuses or fails to comply with a direction of an enforcement officer given or deemed to have been given, and shall be liable on conviction (i) to a fine not exceeding SGD10,000 or to imprisonment for a term not exceeding six months or to both; or (ii) in the case of a second or subsequent offence, to a fine not exceeding SGD20,000 or to imprisonment for a term not exceeding 12 months or to both.

Additionally, for companies that do not comply with the safe management measures, the Ministry of Manpower may issue a remedial order or stop-work order.

Drew & Napier

10 Collyer Quay
10th Floor
Ocean Financial Centre
Singapore
049315

+ 65 6531 4110

+ 65 6535 4864

chongkin.lim@drewnapier.com www.drewnapier.com