A patchwork of legislation is available to tackle issues relating to data protection, the prevention of online harm, and digital assets in the metaverse.
Data Protection and Privacy
The Personal Data Protection Act 2012 (PDPA) is the primary legislation in Singapore that governs the protection of personal data by organisations. An “organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not they are:
The PDPA does not generally apply to:
Therefore, in the virtual world, organisations have to comply with the obligations set out in the PDPA. Notable obligations include the consent obligation where, subject to exceptions, an organisation must obtain an individual’s consent before collecting, using or disclosing their personal data for a purpose, and the protection obligation, which requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements.
Section 48J of the PDPA provides that the Personal Data Protection Commission (PDPC) is empowered to impose the following financial penalties if an organisation fails to comply with its obligations under the PDPA:
Online Harm
The Protection from Online Falsehoods and Manipulation Act 2019 (POFMA) aims to:
Furthermore, the Foreign Interference (Countermeasures) Act 2021 (FICA) empowers the Minister for Home Affairs to issue directions to various entities, such as internet access service providers, to help the authorities investigate and counter hostile communications activity that is of foreign origin.
With respect to the online safety of users, the Protection from Harassment Act 2004 (POHA) covers offences relating to the publication of personal information in order to harass, threaten or facilitate violence against a person.
The Online Safety (Miscellaneous Amendments) Act 2022 (the “Online Safety Act”) came into operation on 1 February 2023, and the Broadcasting Act 1994 (BA) was amended to contain measures that allow the government to:
The Online Safety Act introduced new provisions to the BA to regulate Online Communication Services (OCS) accessible by Singapore end-users. Currently, social media services are the only regulated OCS. OCS are an electronic services (or parts of an electronic service) that have the characteristics of a social media service, which may be provided in or from Singapore, or from outside Singapore. OCS enable end-users to access or communicate content on the internet, or to deliver content to end-users. Under the amended BA, OCS with significant reach and impact in Singapore may be designated as Regulated Online Communication Services. The providers of such Regulated Online Communication Services have the duty to take all reasonably practicable steps to comply with the applicable Codes of Practice, to implement measures to mitigate the risks of danger to Singapore users from exposure to harmful content and to provide accountability to their users on such measures.
Under the new Part 10A of the BA, the Infocomm Media Development Authority (IMDA) is empowered to issue directions to deal with egregious content that can be accessed by Singapore users on OCS. For instance, the IMDA may issue directions to an OCS provider to disable access by Singapore users to the egregious content on the service or to ensure that a specified account cannot continue to communicate to Singapore users. Moreover, the amended BA empowers the IMDA to issue directions to internet access service providers to block access by Singapore users to the non-compliant OCS if an OCS provider fails to comply with the IMDA’s direction.
On 18 July 2023, the Code of Practice for Online Safety (Online Safety Code) took effect. It seeks to minimise Singapore users’ exposure to harmful content, with additional protection for children, by requiring designated social media services to put systems and processes in place to curb the spread of harmful content on their services, among other measures. The categories of harmful content covered by the Online Safety Code are:
In light of the proliferation of scams and malicious cyber-activities, the Singapore government introduced the Online Criminal Harms Bill, which targets online content that is criminal in nature or that is used to facilitate or abet crimes. Once enacted, the Online Criminal Harms Act will allow the Singapore government to issue directions to any online service provider through which criminal activities could be conducted to remove or block access to content that is suspected of being used to commit crimes such as scams.
Digital Assets
Two types of digital assets are likely to play prominent roles in the metaverse: cryptocurrencies and non-fungible tokens (NFTs). Cryptocurrencies or NFTs may be regulated by the Monetary Authority of Singapore (MAS) under the Payment Services Act 2019 (PSA) or the Securities and Futures Act 2001 (SFA).
Under the SFA, the offer or issue of digital assets such as cryptocurrencies or NFTs may be regulated if they constitute capital market products under Section 2(1). Capital markets products include any securities, derivatives contracts and contracts or arrangements for purposes of leveraged foreign exchange trading.
Digital assets that fall within the scope of digital payment tokens (DPTs) are subject to the regulatory regime under the PSA, which defines a DPT as any digital representation of value that:
Subject to applicable exemptions provided for therein, the PSA requires a person who carries on a business of providing a DPT service as defined under Part 3 of the First Schedule to the PSA (ie, dealing in DPTs or facilitating the exchange of DPTs) to apply for either a standard payment institution (SPI) licence or a major payment institution (MPI) licence.
On top of compliance with the PSA, licence holders must also take note of and comply with the MAS’s guidelines and notices, such as the Guidelines on Provision of Digital Payment Token Services to the Public. The MAS also intends to tighten the rules on cryptocurrency, and on 23 November 2023 announced the finalised measures relating to business conduct, consumer access and managing technology and cyber-risks for DPT service providers. MAS’ regulatory measures on DPT services will be implemented through regulations and guidelines, which will take effect in phases from mid-2024.
In the metaverse, NFT trading is likely to become more commonplace and a part of transacting in the virtual space. While there is no legislation that specifically targets NFTs, issues such as ownership continue to be governed by the principles of intellectual property and contract law. A contract for the purchase of NFTs usually contains three distinct subject matters that are capable of ownership by different people. The first is the code on the blockchain, which may identify and authenticate the asset. The second is the asset itself. The third is the intellectual property rights in respect of the asset.
The relevant intellectual property right is usually copyright, as most NFTs constitute a form of artistic expression that is afforded protection under the Copyright Act 2021 (CA). Therefore, contracts may include the assignment of copyright or a licence. Assignments of copyright must comply with the formalities stipulated in the CA and must be in writing and signed by or on behalf of the assignor. However, this requirement can easily be met even in the virtual space through the application of the Electronic Transactions Act 2010 (ETA). See 9.1 Trust Services and Electronic Signatures/Digital Identity Schemes for more details on the ETA.
Furthermore, the law in relation to NFTs is evolving rapidly. Most notably, in 2022 the Singapore High Court held that the NFTs being considered in that case satisfied the legal criteria to be considered as property and could be subject to proprietary injunctions. With the growing prominence of NFTs, courts and legislation can be expected to explore and address complex and novel legal issues raised by NFTs in the upcoming years.
A patchwork of legislation is currently available, including in relation to consumer protection, the sale of goods and services, payment services and personal data protection.
Digital Payment Solutions
Under the PSA, providers of digital payment solutions (such as e-wallet services) may need to apply for either an SPI licence or an MPI licence – see 1.1 Laws and Regulations (Digital Assets) – if they offer the following services:
The PSA also imposes a stock and flow cap on personal payment accounts issued by MPI licensees to protect customers by limiting a customer’s potential loss from the customer’s account. Personal payment accounts issued by an MPI are subject to a load capacity of SGD20,000 and an annual transaction flow cap of SGD100,000.
E-Commerce
E-marketplaces and e-retailers should ensure that they conform with the Consumer Protection (Fair Trading) Act 2003 (CPFTA), which applies where the consumer or supplier is resident in Singapore or where the offer or acceptance relating to the consumer transaction is made in or sent from Singapore. Therefore, in the digital economy where cross-border transactions are the norm, the CPFTA will apply where this nexus to Singapore is established.
The CPFTA accords customers rights and prohibits sellers from engaging in unfair practices or selling defective goods. If a supplier engages in unfair practices such as making false representations, deceiving consumers or taking advantage of consumers in certain circumstances, the consumer may take legal action against them under the CPFTA. In addition, where a good does not conform to the agreement between the parties, the consumer has a right against the supplier to demand repair or replacement of the good at the supplier’s expense or, alternatively, a price reduction or refund.
Moreover, in June 2020 the first national standard for e-commerce transactions, Technical Reference 76 (TR 76), was issued by Enterprise Singapore and the Singapore Standards Council. TR 76 serves as a practical reference for e-retailers and online intermediaries to build trust and transparency in online transactions. The TR 76 was recently revised to include additional anti-scam guidelines for e-retailers and e-commerce marketplaces, in order to offer better protection for consumers transacting online.
The Competition and Consumer Commission of Singapore (CCCS) has also updated its guidelines in relation to digital markets. For instance, the CCCS Guidelines on Market Definition have clarified issues related to market definition, which are particularly relevant in digital markets that feature multi-sided platforms. Notably, the CCCS has defined a “multi-sided platform” as an undertaking acting as a platform that facilitates interactions between two or more groups of users and creates value for sellers or buyers on one side of the platform by matching or connecting them with buyers or sellers on the other side of the platform.
The PDPA strikes a balance between safeguarding consumers' personal data and commercial needs. Notably, while organisations are required to obtain the consent of individuals to collect, use or disclose personal data, the PDPA provides for exemptions to the consent obligation, which may be useful to e-commerce providers. For example, the business improvement exception under the PDPA allows organisations to use personal data, without consent, for the purposes of:
Limitations are placed on organisations that seek to entrust certain processes or data to the cloud, although most of these limitations are in the context of personal data protection.
Applicable Laws and Guidelines
The main legislation governing the protection of personal data is the PDPA, which defines “personal data” as data, whether true or not, about an individual who can be identified (i) from that data, or (ii) from that data and other information to which the organisation has or is likely to have access. The PDPA is administered and enforced by the PDPC.
There are cross-border data transfer restrictions in the PDPA. Under Section 26 of the PDPA, an organisation must not transfer any personal data to a country or territory outside Singapore, except in accordance with prescribed requirements to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that given under the PDPA (the transfer limitation obligation).
The prescribed requirements, as set out in the Personal Data Protection Regulations 2021 (PDPR), require the transferring organisation to ensure that the recipient of the personal data is bound by legally enforceable obligations. These “legally enforceable obligations” include:
BCRs may be used for recipients that are “related” to the transferring organisation (eg, a parent company or subsidiary), whilst contracts may be used for data transfers to any party. In particular, BCRs and contracts must specify the countries and territories to which the personal data will be transferred under said BCRs or contract.
In addition, under the PDPR, an overseas recipient of personal data is taken to be bound by legally enforceable obligations to provide comparable protection for the transferred personal data if it holds an Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System or Privacy Recognition for Processors (PRP) System certification (which is granted or recognised under the laws of the country or territory to which the personal data is transferred). That said, transferring organisations that are seeking to rely on this transfer mechanism should ensure that they carry out the necessary due diligence to determine that the overseas recipient is indeed CBPR or PRP-certified under the laws of the country or territory in question.
Furthermore, the PDPC has published a chapter on cloud services in its non-legally binding Advisory Guidelines on the PDPA for Selected Topics, which clarify the application of the PDPA in respect of cloud services (the “Cloud Services Guidelines”). Specifically, an organisation should ensure that the cloud service providers (CSPs) that it engages only transfer personal data in accordance with the PDPA – namely, to locations with comparable data protection regimes – or otherwise has legally enforceable obligations to ensure a comparable standard of protection for the transferred personal data.
Industry Standards and Codes of Conduct
The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS584) is the primary local industry standard for determining the level of cloud security provided by CSPs. The MTCS has three levels of security, with Level 1 being the base standard and Level 3 being the most stringent standard. The adoption of the MTCS is voluntary for CSPs, unless they are participating in bulk tenders for government procurement of public cloud services.
Under the PDPC’s Cloud Services Guidelines, MTCS Level 3 certification could give organisations assurance of the CSP’s ability to comply with the protection obligation under the PDPA.
The PDPC has also published the 2018 Guidelines for Cloud Outage Incident Response (COIR) (TR 62:2018). Under the voluntary COIR framework, cloud service customers (CSCs) can choose appropriate outage protection measures that would complement their business continuity/discovery recovery capabilities through a set of guidelines that assist CSCs in identifying, evaluating and negotiating protection needs with CSPs to incorporate into their service-level agreements, and the sharing of COIR practices by CSPs through the same set of common parameters.
While the adoption of the COIR guidelines is voluntary, CSPs are encouraged to self-disclose their service support capabilities with respect to service outages.
Sector-Specific Regulation
Apart from the PDPA and the Cloud Services Guidelines, the use of CSPs in the financial sector is subject to additional regulation by the sectoral regulator (the MAS). In this respect, the MAS has published guidelines for financial institutions (FIs), setting out its position on cloud computing and cloud outsourcing arrangements:
In general, these guidelines provide guidance to FIs on:
FIs are encouraged to conduct appropriate due diligence on CSPs and evaluate the risks before entering into a cloud outsourcing arrangement. The risk assessment should also be performed periodically on existing outsourcing arrangements, as part of the approval, strategic planning, risk management or internal control reviews of the outsourcing arrangements of the FI.
Specific Issues Regarding Personal Data Protection
The transfer limitation obligation under the PDPA requires the contract or BCRs to expressly state the locations to which the personal data may be transferred. However, in the context of a CSP cloud outsourcing arrangement, an organisation may have to agree to a CSP’s standard contractual terms, which may include a term that confers discretion onto the CSP as to the exact jurisdictions to which personal data may be transferred.
According to the PDPC’s Cloud Services Guidelines, in such a situation, the organisation may be considered to have taken appropriate steps to comply with the transfer limitation obligation if:
There is currently no specific legislation regulating the use of big data, machine learning and artificial intelligence (AI) technologies in Singapore. However, various government and regulatory agencies have developed non-legally binding frameworks to provide industry guidance on these subjects.
Applicable Frameworks
Examples of these frameworks include:
Notably, the PDPC’s Model AI Governance Framework represents the efforts of Singapore’s policymakers and regulators to articulate a common approach, and a set of consistent definitions and principles in the governance of AI. Broadly, it sets out principles in four key areas:
In 25 May 2022, the IMDA and PDPC launched AI Verify, which is the world’s first AI governance testing framework and toolkit for companies that wish to demonstrate responsible AI in an objective and verifiable manner. Developers and owners can verify the claimed performance of their AI systems against a set of principles through standardised tests. AI Verify packages together a set of open-source testing solutions, including a set of process checks, into a toolkit for convenient self-assessment. The toolkit will generate reports for developers, management and business partners, covering major areas affecting AI performance.
On 7 June 2023, IMDA set up the AI Verify Foundation (the Foundation) to harness the collective power and contributions of the global open source community to develop AI Verify. The Foundation seeks to boost AI testing capabilities and assurance to meet the needs of companies and regulators globally. It has more than 60 general members, with seven premier members – Aicadium, Google, IBM, IMDA, Microsoft, Red Hat and Salesforce – that will set strategic directions and a development roadmap for AI Verify.
Singapore’s second National AI Strategy (NAIS 2.0) was officially launched on 4 December 2023 and outlines Singapore’s vision to be a place where AI serves as a force for good, where AI is harnessed to uplift Singapore’s collective economic and social potential over the next three to five years.
Autonomous Vehicles
The Road Traffic (Autonomous Motor Vehicles) Rules 2017 provide that the trial or use of an autonomous motor vehicle on any road is prohibited, unless specific authorisation is obtained. Parties wishing to use such vehicles must submit an application to the Land Transport Authority (LTA), stating matters such as the trial’s objectives, the type of autonomous vehicle to be used and its intended purposes. The LTA has the discretion to accept or reject the application and/or impose conditions.
Fake News
POFMA was enacted to prevent the electronic communication in Singapore of false statements of fact, amongst other things. Notably, Section 8 of POFMA prohibits the making or alteration of an automated computer program (ie, an AI “bot”) with the intention of using it to communicate or enabling any other person to communicate a false statement of fact in Singapore.
Data Protection
The collection and use of large datasets for big data analytics, machine learning and AI may trigger data protection concerns, especially where such data sets involve personal data (see 3.1 Highly Regulated Industries and Data Protection for the definition of personal data). Moreover, it is not uncommon for AI systems to utilise data mining solutions to obtain data from third-party sources, in some cases without having obtained consent from the individual affected.
Another significant data protection challenge is the increasing ease with which researchers can re-identify individuals from previously pseudonymised or anonymised datasets by matching them against publicly available information or other datasets.
Intellectual Property
It remains unclear whether and how existing intellectual property frameworks may be applied in protecting AI-generated works. Under Singapore copyright law, the creative elements of a work must be attributable to a natural person in order for copyright protection to vest.
However, AI-related inventions may be patentable. In April 2019, the Intellectual Property Office of Singapore (IPOS) launched an Accelerated Initiative for Artificial Intelligence (AI2) scheme, under which AI-related patent applications may be granted on an accelerated basis if various conditions are satisfied – most notably, the application must be an AI invention. In addition, under the Patents Act 1994, in order for an invention to be patentable, it must be new, involve an inventive step, and be capable of industrial application.
Furthermore, the new CA, which came into force on 21 November 2021, includes a new exception to copyright infringement for the purpose of computational data analysis (regardless of whether commercial or non-commercial). This exception allows inventors to use lawfully accessed data in their AI machines for computational data analysis, under certain conditions, without the fear of being liable for copyright infringement.
Singapore has not enacted any laws that specifically govern the internet of things (IoT), but certain existing laws and regulations may apply to various aspects of IoT projects or applications. In addition, the IMDA and the IT Standards Committee’s IoT Technical Committee have developed and published Technical References in this area (eg, TR 47:2016, TR 50:2016 and TR 64:2018).
Telecommunications
Firstly, the IMDA, as established under the Info-communications Media Development Authority Act 2016 (IMDA Act), is responsible for regulating the telecommunications sector in Singapore, amongst others, pursuant to its exclusive privilege under the Telecommunications Act 1999 (TA).
Under the TA, “telecommunications” is defined very broadly as any transmission, emission or reception of signs, signals, writing, images, sounds or intelligence of any nature by wire, radio, optical or other electromagnetic systems, whether or not such signs, signals, writing, images, sounds or intelligence have been subjected to rearrangement, computation or other processes by any means in the course of their transmission, emission or reception.
As the primary legislation governing the telecommunications industry in Singapore, the TA sets out the broad licensing and regulatory framework for the telecommunications sector. Unless an exemption applies, the IMDA’s jurisdiction may potentially extend to the licensing of IoT projects or applications if such projects or applications may be regarded as involving the operation or provision of telecommunications systems or services under the TA. Where applicable, such persons would therefore need to comply with the general obligations and any specific conditions of approval under their respective licences that have been granted by the IMDA (see 7.1 Scope of Regulation and Pre-marketing Requirements for more details on the licensing of telecommunication systems and services).
Data Protection
The applicability of the PDPA may be triggered insofar as the IoT device in question can be used to collect personal data in Singapore and transfer it wirelessly through the network. In such a case, the organisation that collects or transfers the personal data (which may be an IoT service provider) will need to comply with the data protection obligations in respect of such data, unless an exception applies.
Cybersecurity
The primary cybersecurity legislation is the Cybersecurity Act 2018, which sets out a framework for the designation and monitoring of critical information infrastructure (CII) in essential sectors such as energy, info-communications, media, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, and services relating to the functioning of the government.
Under the Cybersecurity Act, a computer or computer system may be designated by the Commissioner of Cybersecurity as CII if:
Owners of CII are subject to various obligations under the Cybersecurity Act, including reporting cybersecurity incidents, conducting regular cybersecurity audits and risk assessments, and furnishing relevant information.
On 11 April 2022, the licensing framework for cybersecurity service providers came into effect, along with the Cybersecurity (Cybersecurity Service Providers) Regulations 2022. The licensing framework covers cybersecurity service providers providing penetration testing services and managed security operations centre monitoring services, and aims to improve the standard of cybersecurity service providers and address the information asymmetry between consumers and service providers.
On 15 December 2023, the Cyber Security Agency of Singapore (CSA) launched a public consultation to seek feedback on the Cybersecurity (Amendment) Bill. In light of the adoption of new technological tools and business models, such as cloud computing, the CSA is proposing amendments to the Cybersecurity Act to ensure that Singapore’s cybersecurity laws remain fit-for-purpose to address the emerging challenges in cyberspace. Among other matters, the proposed amendments seek to widen the oversight of the Commissioner of Cybersecurity beyond CII owners to also include major foundational digital infrastructure service providers, entities of special cybersecurity interest and owners of systems of temporary cybersecurity concern.
With the increasing adoption of IoT solutions amongst various stakeholder groups – including consumers, enterprises and governments – organisations that deploy IoT projects or solutions in the essential sectors discussed above may wish to pay particular attention to the possibility of their systems being designated as CII and subjected to the obligations under the Cybersecurity Act.
The IMDA has also published an IoT Cyber Security Guide, which provides baseline recommendations, foundational concepts and checklists relating to the security aspects of IoT systems.
Regulation of the Media Sector
Similar to telecommunications, the IMDA is also responsible for the regulation of the media sector (including broadcasting and film). “Media” is defined in the IMDA Act as:
Generally, the provision of audio-visual services in or from Singapore (eg, TV or radio) would be regulated under the BA, and the IMDA may grant a broadcasting licence for the provision of:
In addition, the BA provides for a class licensing regime, under the Broadcasting (Class Licence) Notification and Broadcasting (Class Licence – Broadcasting to Digital Display Panels) Notification 2020, for:
In particular, it should be noted that “internet content providers” is broadly defined under the Broadcasting (Class Licence) Notification to include any individual in Singapore who provides any programme, for business, political or religious purposes, on the World Wide Web through the internet, as well as any corporation or group of individuals (whether registrable or incorporated under Singapore law or not) that provides any programme on the World Wide Web through the internet.
In such cases, it is possible that companies operating video-sharing platform services on YouTube, for example, may be automatically deemed to be class-licensed, and must comply with the conditions of the class licence and the Internet Code of Practice. Amongst other requirements, broadcasting class licensees may be asked by the IMDA to remove or prohibit the broadcast of certain programmes the IMDA has deemed to be against the public interest, public order or national harmony or to offend against good taste or decency.
Furthermore, as of 1 February 2023, the amended BA contains measures to regulate providers of OCS. The IMDA will also be empowered to issue directions to deal with egregious content that can be accessed by Singapore users on an OCS (see 1.1 Laws and Regulations for more details on the Online Safety Act).
Eligibility, Fees and Charges
In general, broadcasting companies are required to be Singapore-incorporated companies or the registered local branches of a foreign company in order to hold a “relevant licence” (unless exempted by the Minister for Communications and Information). A “relevant licence” (which excludes class licences) refers to any free-to-air licence or any broadcasting licence under which a subscription broadcasting service may be provided, and which permits broadcasts that are capable of being received in 50,000 dwelling houses or more.
Different types of broadcasting licences may come with different licence fees, as follows:
For completeness, yearly fees are payable for certain types of services under the Broadcasting (Class Licence) Notification, as follows:
As noted in the definition of “telecommunications” (see 5.1 Machine-to Machine Communications, Communications Secrecy and Data Protection), the licensing and regulatory framework for telecommunication systems and services under the TA is sufficiently broad to cover almost every technological application, even if there are no specific references to individual applications such as RFID tags, Voice over Internet Protocol (VoIP) or instant messaging. That said, service-specific issues may be covered in various regulations, codes of practice, standards of performance, directions, advisory guidelines and licences issued by the IMDA pursuant to its powers under the TA.
For instance, issues pertaining to the licensing and use of the radio frequency (RF) spectrum and the operation of radio stations and networks are regulated under the Telecommunications (Radio-communication) Regulations, while the Telecommunications (Dealers) Regulations set out the framework in relation to the manufacturing, importation and sale (amongst other things) of telecommunication equipment.
The IMDA was formally established on 1 October 2016 as a converged regulator for both the info-communications and media sectors but, in general, the telecommunications and media sectors continue to be governed by separate regulatory frameworks. For instance, the TA does not currently apply to the licensing of broadcasting services or any broadcasting apparatus, which instead falls under the BA. On 2 May 2022, the Code of Practice for Competition in the Provision of Telecommunication and Media Services 2022 (Telecom and Media Competition Code) came into operation. The Telecom and Media Competition Code was issued by the IMDA to promote the efficiency and competitiveness of the media and telecommunications industry.
Licensing for the Operation and Provision of Telecommunication Systems and Services
Generally, licences for the operation and provision of telecommunication systems and services in Singapore would fall into either of two categories: facilities-based operations (FBOs) or services-based operations (SBOs). Where RF spectrum is required for the provision of wireless services, additional licensing is required under the Telecommunications (Radio-communication) Regulations.
Taking the provision of VoIP services as an example, it is noted in the IMDA’s Guidelines on Licensing and Regulatory Framework for IP Telephony Services in Singapore that applicants need to first obtain either an FBO or SBO licence from the IMDA in order to provide IP telephony services. IP telephony services are defined as any VoIP services offered using an E.164 telephone number allocated to customers in Singapore, which allow customers to make and receive voice, data and/or video calls using the same IP telephone number from any domestic or overseas location where broadband internet access is available.
An FBO licence is required if applicants intend to deploy and/or operate any form of telecommunication networks, systems and/or facilities for the purpose of providing telecommunication (eg, IP telephony services) and/or broadcasting services outside of their own property boundaries to third parties (which may include other licensed telecommunication operators, business customers or the general public).
In contrast, only an SBO licence is required if applicants intend to lease telecommunication network elements from any FBO licensee to provide telecommunication services (eg, IP telephony services), or to resell the telecommunication services of such FBO licensees to third parties.
While there are two licensing schemes under the SBO framework (ie, class-licensing and individual licensing), operators that lease international transmission capacity for the provision of their services are usually required to obtain an SBO (Individual) Licence. The SBO (Class) Licence is a licensing scheme where the terms and conditions are gazetted in the Telecommunications (Class Licences) Regulations. Anyone who provides the services within the scope of the SBO (Class) Licence will be deemed to have read and agreed to the terms and conditions of the class licence.
The IMDA’s licensing framework is formulated on a hierarchical basis, with FBO licences placed on a higher level than SBO licences. This means that FBO licensees are able to offer telecommunication services that would ordinarily require an SBO licence without having to obtain a separate SBO licence, but not vice versa. If an SBO licensee subsequently wishes to undertake FBO-related activities (such as deploying or operating any telecommunication network, systems or facilities), it will need to apply for a new FBO licence to replace its existing SBO licence.
Eligibility, Fees and Charges
In terms of eligibility, the IMDA’s current practice is to issue FBO licences only to Singapore-incorporated companies, although such companies can be wholly owned by a foreign entity. In the case of SBO (Individual) licences, local registered branches of foreign companies are eligible to apply, while SBO (Class) licences may also be held by limited liability partnerships or limited partnerships. Further details regarding the application process for an FBO or SBO licence and the information required can be found in the respective application guidelines issued by the IMDA on its website.
In terms of applicable fees and charges, FBO licensees are subject to a minimum annual recurrent licence fee of SGD80,000 or SGD200,000 (depending on whether the licensee is an FBO or a designated public telecommunication licensee), with further fees chargeable as a percentage of their incremental annual gross turnover (AGTO) exceeding SGD50 million as follows:
SBO (Individual) licensees are subject to a minimum annual recurrent licence fee of SGD4,000, with further fees chargeable as a percentage of their incremental AGTO exceeding SGD50 million as follows:
At the time of writing, there are no annual recurrent licence fees for SBO (Class) licensees. Depending on the type of services provided, SBO (Class) licensees may need to make a one-time payment of SGD200 upon registration with the IMDA.
Data Security
One challenge that some organisations may face when entering into IT service agreements relates to obligations surrounding data security, particularly where personal data is involved. It is common for organisations seeking to engage third-party IT service providers to enter into a written data processing agreement that sets out each party’s roles and responsibilities in relation to the personal data in question, as well as the specific security measures that would be put in place.
In addition, the PDPC requires organisations to design and organise their security arrangements to fit the nature of the personal data held by the organisation and the possible harm that might result from a security breach, and to identify reliable and well-trained personnel responsible for ensuring information security.
In cases where the contract for IT services is with an FI, for instance, the organisation should be aware that FIs in Singapore are also subject to the regulations and guidelines promulgated by the MAS. These regulations and guidelines include but are not limited to the MAS’s Guidelines on Outsourcing, Notice on Technology Risk Management, Notice on Cyber Hygiene, and Technology Risk Management Guidelines, which, amongst other things, may require FIs to exercise strong oversight of arrangements with third-party service providers to ensure system resilience and maintain data confidentiality and integrity. As a result, organisations entering into IT service agreements with FIs may need to include applicable provisions in relation to the conduct of security audits and reporting with regard to breaches or cyber-attacks.
Data Localisation
In Singapore, there are no express laws in relation to data localisation or data residency. The PDPC has notably taken a stance against data localisation and emphasised the importance of the free flow of data through coherent and efficient cross-border data transfer mechanisms.
Where the IT service agreement involves a cross-border transfer of personal data (eg, storage of data in the cloud or in a data centre located outside of Singapore, or if the solution involves cloud computing), the organisation should also consider compliance with cross-border data transfer requirements under the PDPA and PDPR; see 3.1 Highly Regulated Industries and Data Protection (Specific Issues Regarding Personal Data Protection) for more details on the transfer limitation obligation and specific issues for CSPs.
Digital Identity
Launched in 2003, SingPass is a secure personal authentication system that allows users to access various government services online. Under the National Digital Identity initiative, SingPass, MyInfo (a service that automatically fills out selected personal details for online forms) and MyInfo Business (a service that enables a business to manage the use of its corporate and applicant’s personal data for simpler online transactions) were brought together to provide greater transactional security and ease of use. All SingPass users are automatically provided with a MyInfo profile, which allows users to provide personal data once to digital services and then consent to have their personal data retrieved from government sources to pre-fill forms for digital transactions.
As SingPass and MyInfo are managed by the Government Technology Agency (“GovTech”), the data protection provisions in the PDPA do not apply to them and other public agencies. Instead, data management by public agencies is governed by the Public Sector (Governance) Act 2018 and guided by the Government Instruction Manual on Infocomm Technology & Smart Systems Management (previously known as IM8).
However, private organisations utilising SingPass and MyInfo to facilitate their transactions are subject to the obligations under the PDPA. As personal data on these platforms is often sensitive data, organisations should take the sensitivity of the personal data into account and implement robust policies and procedures to ensure appropriate levels of protection and security. For instance, when collecting national identification numbers, organisations should comply with the Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers issued by the PDPC.
Electronic Signatures
The ETA makes a distinction between electronic signatures, secure electronic signatures and digital signatures.
An electronic signature could conceivably take various forms, such as a scanned physical signature or typing one’s name where a signature is required.
According to Section 18 of the ETA, an electronic signature will be recognised as a “secure electronic signature” if, through the application of a specified security procedure or a commercially reasonable security procedure agreed to by the parties, it can be verified that, at the time the signature was made, it was:
The key difference between a secure electronic signature and an electronic signature is that the former raises the following statutory presumptions pursuant to Section 19 of the ETA:
Furthermore, the ETA defines a digital signature as an electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can accurately determine:
A digital signature can be treated as a secure electronic signature if it was created during the operational period of a valid certificate and is verified by reference to the public key listed in such certificate. The certificate must also meet the prescribed requirements under the ETA and be considered trustworthy.
On 5 November 2020, GovTech launched the “Sign with SingPass” service. This was rolled out through GovTech’s subsidiary, Assurity Trusted Solutions, which is an accredited Certification Authority under the ETA. The “Sign with SingPass” service allows SingPass users to electronically sign certain documents with some government agencies and private sector businesses. Signatures made using the “Sign with SingPass” service can be regarded as secure electronic signatures under the ETA.
However, the use of electronic or digital signatures in the following matters warrants further consideration:
On 2 August 2023, the Oaths, Declarations and Notarisations (Remote Methods) Bill and the Constitution of the Republic of Singapore (Amendment No 2) Bill were passed in Parliament. The Bills seek to introduce the option of making statutory declarations, oaths and affirmations and to notarise documents through remote means, in line with the government’s ongoing efforts to facilitate electronic transactions, so as to implement greater convenience and efficiency for individuals and businesses in Singapore.
10 Collyer Quay
10th Floor
Ocean Financial Centre
Singapore
049315
+65 6531 4110
+65 6535 4864
chongkin.lim@drewnapier.com www.drewnapier.comIntroduction
A key feature in the field of Technology, Media and Telecommunications (TMT) is its propensity for change and 2023 has demonstrated that such change can strike fast and furious. Whether it be due to advancements in technology or shifting trends, those in the field have found themselves having to adapt to a rapidly changing landscape.
At a national level, governments are seeking to keep pace with technological developments and manage their impact on business and society. In the Singapore context, much of this effort has been directed at formulating law and policy to facilitate controlled development and innovation, while also addressing the associated risks of new technology. The past year has thus seen a flurry of legal developments in the TMT sphere, with more initiatives set to come.
This article looks back at some of the key legal and regulatory developments in the area of TMT that have shaped 2023. In particular, it recounts the following developments:
The authors also look forward to the changes and developments that may be expected to take root in the year ahead, taking a cue from the dominant legal trends and impending legislative implementations. Specifically, the article considers the following plans in the area of AI.
Looking Back at 2023
AI
Sparked by the advent of ChatGPT in late 2022, interest in the development and adoption of AI technologies and solutions ‒ particularly in generative AI ‒ has truly been set ablaze. Acknowledging the importance of responsible development and deployment of AI, Singapore can be seen to have put in the yeoman’s work to create an infrastructure that facilitates AI research and development, while also establishing a regulatory framework to handle novel risks and ensure security and standards.
What follows is a summary of some of Singapore’s notable initiatives in the area of AI in 2023.
AI Verify Foundation
On 7 June 2023, the Infocomm Media Development Authority of Singapore (IMDA) announced the launch of the AI Verify Foundation, which aims to harness the collective contributions of the global open-source community to develop the AI Verify testing tool for the responsible use of AI. The AI Verify Foundation’s goals are as follows:
By way of background, AI Verify was developed by IMDA as a software toolkit that helps organisations validate the performance of their AI systems based on three principles: fairness, explainability, and robustness. It also allows users to record process checks and generate test reports for transparency and accountability.
Generative AI Evaluation Sandbox
On 31 October 2023, IMDA and the AI Verify Foundation announced the first of its kind Generative AI Evaluation Sandbox (“the Sandbox”). The Sandbox will bring together key global players to build capabilities in the testing and evaluation of generative AI and is part of larger efforts to have a common standard approach to assess generative AI.
The Sandbox offers a common language for the evaluation of generative AI through the Evaluation Catalogue, which details common baseline methods and recommendations for Large Language Models (LLMs). It will create a body of knowledge covering how generative AI products should be tested to help build evaluation capabilities and will go towards developing new benchmarks and tests for evaluating model performance in specific areas that are important for use cases and for countries such as Singapore that have cultural and language specificities.
Veritas Toolkit version 2.0
On 26 June 2023, the Monetary Authority of Singapore (MAS) announced the release of the Veritas Toolkit version 2.0, an open-source toolkit to enable the responsible use of AI in the financial industry. It seeks to help financial institutions (FIs) carry out the assessment methodologies for the Fairness, Ethics, Accountability and Transparency (FEAT) principles.
The Veritas Toolkit version 2.0 builds on the earlier Veritas Toolkit version 1.0, which had been released in February 2022 and focused on the assessment methodology for Fairness. The Veritas Toolkit version 2.0 features an improved Fairness assessment methodology and new assessment methodologies for Ethics, Accountability and Transparency. The Veritas Toolkit is the first responsible AI toolkit developed specifically for the financial industry.
Singapore‒US AI framework mapping
To facilitate the cross-border deployment of AI, Singapore and the USA have taken an important step towards technical standards equivalency. The inaugural US‒Singapore Dialogue on Critical and Emerging Technologies was launched on 12 October 2023 and aims to upgrade the bilateral partnership between the countries, including information sharing and consultation on AI standards and collaboration on responsible AI research and development.
Notably, a mapping exercise was completed between the US National Institute of Standards and Technology’s AI Risk Management Framework and Singapore IMDA’s AI Verify. By harmonising AI technical standards, the aligned approach provides businesses with greater certainty in meeting the requirements in both jurisdictions, which leads to lower compliance costs for AI deployment and innovation.
Intangible assets disclosure framework
With increased digitalisation and innovation, value creation in the global economy has shifted drastically towards intangible assets. In response, Singapore has taken the initiative to develop and launch an intangibles-specific disclosure framework. On 4 September 2023, the Accounting and Corporate Regulatory Authority and the Intellectual Property Office of Singapore jointly launched the Intangibles Disclosure Framework (“the Framework”), which aims to help enterprises commercialise their intangibles.
The Framework enables enterprises to disclose and communicate the value of intangibles such as brand value, patents, registered designs, human capital or internally generated intangibles by outlining the key principles that an enterprise should follow when disclosing their intangibles in a report. It details the four pillars for disclosure (strategy, identification, measurement and management), along with the requirements of each pillar, and provides guidance on how enterprises can disclose their intangibles.
In addition, the Framework also enables enterprises to better manage and generate value from their intangibles, attract investments or collaborations. It also aids enterprises in accessing financing.
First scheme of arrangement between crypto company and users
Section 210 of the Companies Act 1967 provides a tool for companies seeking to restructure their debts in Singapore by way of a scheme of arrangement. Although the scheme of arrangement is now a fairly common restructuring tool, the case of Defi Payments Pte Ltd (HC/OA 378/2023) is the first of its kind between a cryptocurrency company and its users.
The applicant company provided online services relating to cryptocurrencies, including lending, staking and trading. It had approximately 150,000 account holders and managed cryptocurrency assets valued in the region of USD300 million. However, the company encountered financial and liquidity pressures.
The company obtained leave of the Singapore court to convene a meeting of creditors for the purposes of presenting a scheme of arrangement for voting by its creditors. The vote for the scheme received strong creditor approval, far exceeding the statutory threshold. Following the vote, the court granted sanction to the scheme, which has since taken effect.
The scheme of arrangement had unique features, including dual recovery tracks for creditors to select, a choice of cryptocurrency to receive distributions in, nomination of a creditor onto the company’s board, and the opportunity to bid for an early exit via a Reverse Dutch Auction mechanism. The case demonstrates the flexibility and adaptability of the scheme of arrangement as a tool for restructuring, especially for unconventional industries such as the crypto space.
Restructuring of cryptocurrency business
In Re Babel Holding Ltd and other matters (2023) SGHC 98, the Singapore High Court had to apply Singapore’s restructuring and insolvency framework in the context of a cryptocurrency-related business. The applicants were a group of cryptocurrency companies seeking to extend a moratoria under Section 64 of the Insolvency, Restructuring and Dissolution Act 2018 to facilitate the formulation of a restructuring plan and to seal certain documents relating to the group’s creditors.
The court allowed the extension of the moratoria, finding that the applicants had met the applicable statutory and common law requirements. The court also allowed the sealing of the documents, highlighting the need to safeguard the commercially sensitive information at this point in the restructuring process.
The decision demonstrates the application of Singapore’s restructuring and insolvency framework to foreign companies and the court’s approach to the grant of moratoria and sealing orders in the circumstances of cryptocurrency and other digital businesses.
Court affirms enforceable property rights of crypto-assets
In ByBit Fintech Ltd v Ho Kai Xin and others (2023) SGHC 199, the Singapore High Court sought to determine whether crypto-assets are property capable of being held on trust and, if so, what type of property they are.
The crypto-assets in this case were United States Dollar Tether (USDT). The court granted a declaration of a constructive trust over the USDT, holding that the USDT was property capable of being held on trust. In considering the type of property represented by the USDT, the court held that it was a chose in action recognisable by common law as being enforceable in court.
The court’s decision is significant because earlier cases on crypto-assets had not determined whether such assets are things in action or a novel type of intangible property. The decision also provides insight on the remedies available to claimants seeking the return or repayment of crypto-assets. Here, the court granted orders for the return of the traceable sums and tracing orders over the sums which had been converted.
First live Electronic Transferable Record cross-border trade
IMDA announced that it had successfully executed a fully paperless, live cross-border trade from Singapore to Thailand during the first quarter of 2023. This shipment was conducted using an Electronic Transferable Record via Singapore’s TradeTrust framework, thereby allowing end users to digitally endorse, exchange and verify documents and effect title transfer.
The trade involved shipping liquid chemicals from Singapore to Thailand, using Bunkerchain as the digital platform provider. The electronic bill of lading was issued, surrendered and verified using different systems, and supported solely by statutory law without any contract law or rulebook.
IMDA has stated that this is the world’s first Electronic Transferable Record cross-border trade. With countries increasingly looking to digitalisation of trade to utilise the advantages in efficiency, security and cost savings, Singapore has taken a position as a regional leader in trade digitalisation. Singapore is expected to continue to develop its capabilities in the use of Electronic Transferable Records to facilitate cross-border trade.
Looking Ahead to 2024
Generative AI has drawn intense focus as one of the most significant developments in the TMT industry. However, it is not without its own challenges. Although generative AI brings significant transformative potential, over and above the opportunities presented by traditional AI, it has also enhanced the inherent risks of AI and raised new threats. To address this, Singapore has launched a number of key initiatives that are under development or consultation and are expected to see further progress in the coming year.
Model AI Governance Framework for Generative AI
On 16 January 2024, the AI Verify Foundation and IMDA announced the Draft Model AI Governance Framework for Generative AI (the “Draft Framework”). This expands on the existing model governance framework that covers traditional AI and was last updated in 2020.
The Draft Framework establishes a systematic and balanced approach to address generative AI concerns while continuing to facilitate innovation. It provides a summary of the principles and recommendations for each of nine identified dimensions, which offer practical guidance for model developers and policymakers. The nine dimensions are as follows:
The Draft Framework is open for public consultation until 15 March 2024 and welcomes views from the international community. This will support the finalisation of the Model AI Governance Framework in mid-2024.
National AI Strategy 2.0
Governments across the world have been racing to fully explore and adopt AI solutions, with efforts being driven towards issues such as responsible development, regulatory frameworks, and the building of infrastructure. In this regard, Singapore has been at the forefront of the AI movement, issuing its first National AI Strategy in 2019, which outlined plans to deepen the use of AI to transform the economy.
Singapore has now launched its National AI Strategy 2.0 (the “NAIS 2.0”) on 4 December 2023. The NAIS 2.0 introduces key shifts to propel Singapore as a leader in the field of AI and sets out 15 actions that Singapore will undertake across the identified systems and enablers to support Singapore’s AI ambitions duringr the next three to five years. This includes:
Development of South-East Asia’s first LLM ecosystem
On 4 December 2023, IMDA announced that it would be partnering with AI Singapore and the Agency for Science, Technology and Research to launch the National Multimodal Large Language Model Programme (NMLP). The NMLP seeks to be South-East Asia’s first LLM ecosystem.
This new SGD70 million initiative will develop Singapore’s research and engineering capabilities in multimodal LLMs and support the NAIS 2.0. In particular, the NMLP aims to:
IMDA has highlighted the importance of developing sovereign capabilities in LLMs. The NMLP thus hinges on the development of multimodal and localised LLMs for Singapore and the region to understand context and values related to the diverse cultures and languages of South-East Asia ‒ for example, managing context-switching between languages in multilingual Singapore.
Generative AI risk framework for financial sector
Generative AI has proven to be both transformative and disruptive to the financial sector. Even though it helps FIs with efficiency and personalised customer experiences, it also introduces unique risks that go beyond those of traditional AI and potentially extend beyond the scope of the current FEAT principles.
To address this, MAS, financial industry participants and technology partners have collaborated on Project MindForge to develop a risk framework for the responsible use of generative AI for the financial sector. On 15 November 2023, MAS announced that Phase One of the project had successfully concluded with the development of a comprehensive generative AI risk framework and a platform-agnostic generative AI reference architecture. The full White Paper detailing the generative AI risk framework is expected to be shared in 2024.
The White Paper will cover, among other things:
The next phase of the project will involve developing strong industry use cases that can benefit from generative and other AI technologies, such as anti-money laundering, sustainability and cybersecurity. The project will also expand its scope to include FIs from the insurance and asset management industries and refine the generative AI risk framework for the entire financial industry.
Data protection in use of AI systems
We may also expect to see the release of Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (“the Guidelines”). The Personal Data Protection Commission (PDPC) held a public consultation seeking views on the Guidelines from 18 July 2023 to 31 August 2023.
Some of the key issues in the use of AI systems that embed machine learning models relate to the use of personal data in the training of such AI systems, including how it interacts with an organisation’s data protection obligations under the Personal Data Protection Act 2012 (PDPA) and how to avoid the breach of such obligations. The Guidelines thus seek to clarify how the PDPA applies to the collection and use of personal data by organisations to develop and deploy AI systems, as well as to provide baseline guidance and best practices for organisations on how to be transparent about whether and how their AI systems use personal data to make recommendations, predictions or decisions.
The Guidelines are organised according to the stages of AI system implementation, as follows.
Updating the cybersecurity legislation
On the cybersecurity front, Singapore’s legislative framework is expected to undergo certain amendments in order to keep up to date with emerging cyberthreats. The Cybersecurity Agency of Singapore (CSA) has introduced the draft Cybersecurity (Amendment) Bill (the “Draft Bill”), holding a public consultation seeking views on the Draft Bill from 15 December 2023 to 15 January 2024.
The Cybersecurity Act governs the oversight and maintenance of national cybersecurity in Singapore. The Draft Bill seeks to update the Cybersecurity Act to ensure that Singapore’s cybersecurity laws remain fit-for-purpose, including the following:
Specifically, the Draft Bill recognises the importance of entities in charge of key digital infrastructure other than CIIs, such as cloud service providers and data centre operators. The amendments seek to safeguard these entities by increasing oversight over their cybersecurity and requiring compliance with minimum standards.
9 Straits View
#06-07
Marina One West Tower
Singapore 018937
+65 6535 3600
info@rajahtannasia.com sg.rajahtannasia.com