Towards the end of last year The Straits Times reported that 90 per cent of mobile apps in Singapore (including those from banks, telcos, real estate agents and financial advisers) do not adequately comply with data protection laws in Singapore. The concern continues this year in another article in The Straits Times. This topic is important. In today’s online world, it is worrying to hear about such a high level of non-compliance. In this post we look at the issues of non-compliance and provide our top tips to help app-makers in 2016.
Why are apps still not in compliance?
There are two key areas where apps are not in compliance:
- Lack of transparency: Apps are not providing app users with clear information about what data is collected and are not obtaining informed consent from app users.
- Data maximisation: Apps are collecting more data than they really need. It doesn’t take much of a leap to understand that if apps collect more data than they need, then there is more risk of apps misusing the data that they don’t need. Why else would you collect it?
The level of non-compliance quoted is surprising. Apps are ubiquitous: all of us use apps and we all put our data onto apps on a daily basis. It is even more surprising because the data protection laws in Singapore have been on the books since 2012 and have been in force since mid-2014. In addition, the regulator (the PDPC) has published plenty of helpful guidance here.
So what if apps are non-compliant?
The PDPC has the ability to impose fines for non-compliance (and in extreme cases there can be imprisonment).
As yet the PDPC has not fined a non-compliant app. However, the PDPC has actively fined and investigated others for non-compliance, e.g. Xiaomi, Tuition Agency, M1. It can only take a few complaints to grab a regulator’s attention.
The unavoidable truth is that regulators will only become more interested in the online world, an important part of everyone’s daily lives. There are regulatory changes in Singapore which show an increasing focus on technology: see our post on the newly created IMDA in Singapore.
But it’s not just about the legal risk. Our firms’ position has always been that the data protection laws in Singapore represent good business and common sense. It is not hard to comply with the laws’ requirements and organisations that do so are more likely to win the trust of their customers.
Our top tips for app-makers
There is no good excuse for non-compliance. In fact, compliance is not difficult. So, to get 2016 off on the right path, app-makers must (as a minimum) follow our top tips:
- Allow users to exercise their rights over their data (e.g. to amend their data) through simple online access tools;
- If you are using data for direct marketing purposes, you must get upfront, standalone consent and you must always provide an unsubscribe feature; and
- Set up robust security features to prevent data breaches.
For further information about “the law of the app”, please see my colleague Matt Pollins’s article on the topic here.
With thanks to Matthew Hunter.