Singapore’s economic development boom and the increasing penetration of mobile and internet services in the region have increased the need for cyber law reform in the area. Singapore has led the charge on a number of fronts, including privacy law, cloud computing law, and electronic transactions. With these changes in place, it’s important that new e-commerce businesses in Singapore, and those that have customers in Singapore, are aware of the laws they must comply with.
What is the law?
In Singapore, the primary governing act is called the Personal Data Protection Act 2012 (PDPA). The PDPA provides for the rights of consumers to have their personal data protected, as well as the rights of companies such as your e-commerce business to collect that data for legitimate and reasonable purposes.
The purpose of the PDPA is to regulate the flow of personal data and to address the concerns of individuals about how their data is used. In this way, the PDPA hopes to strengthen Singapore’s role as a trusted, competitive hub in which businesses can be based.
The PDPA is built on three main concepts:
- Purpose; and
This means that your e-commerce business should only collect, use, or disclose personal data with your customers’ consent, and make sure that you only use that data in an appropriate way (considering the circumstances). You must inform your customers of the purposes for which you will use their data.
The “reasonableness” concept means that you can only use your customers’ data for uses that are considered appropriate or reasonable in the circumstances.
For example, for your e-commerce business, it would be reasonable to collect customer data so that you can target new markets, send out special deals, or order more of a popular product. Here’s an example from Adafruit asking me for my credit card and shipping details so that I can buy a Raspberry Pi:
Given that I am trying to purchase an item from their e-commerce store, it is completely reasonable that they need to collect this information.
On the other hand, it wouldn’t be reasonable to collect customer data through a store to sell to a recruitment company so that they can find more potential employees to market to their clients.
If they are international, you should make sure that you comply not only with the PDPA, but also with the privacy laws of other major jurisdictions, such as the US, Canada, the UK, and the EU. Luckily, the PDPA was heavily influenced by the law in the EU (the EU Data Protection Directive), so many of the principles are the same.
The main principles that are enshrined by privacy laws around the world are:
- Give notice that you are collecting the data;
- Obtain consent from your customers and users;
- Collect the data for a reasonable and legitimate purpose;
- Keep the data safe and secure;
- Tell the user when you will disclose the data (if ever);
- Be accountable to your users and customers; and
- Provide access to the data and allow changes to be made.
Singapore law includes the “reasonableness” principle, which isn’t normally covered in UK, EU, or US law.
- What data you will collect;
- How you will protect and store data;
- What you will do with the data;
- In what circumstances you will release the data;
- How your users can see what data you hold on them, and change or update it;
- Dispute resolution;
- Effective date; and
- Changes to the policy and where notices should be sent.
You should also carefully think through what things you will use the data for, and decide whether those uses are reasonable given the circumstances in which you collect the data, and your relationship with your customers.
Here’s an example of a clickwrap “I Agree” tickbox from HostGator:
One of the problems with approaching this question in Singapore is that there is no current Singapore case law on this point.
However, general contract law in Singapore is largely based on the contract law in England. This means that the basic elements of contract formation are generally what is required both online and offline to form any contract. These elements are:
- Certain and clear terms;
- Consideration (something in exchange for a promise, e.g. “I will sell you my goods if you promise to follow these rules of using my website”); and
- Intention to create legal relations (in a commercial setting, this is usually presumed).
This means that, like in the UK and the US, it is likely that clickwrap-style agreements will be held to be enforceable in Singapore, even though there is no current case law on this matter.