Ch. 31 Technology, Media, and Telecom
SECTION 1 INTRODUCTION
31.1.1 The infocommunications and telecommunications (ICT) sector is a key sector for Singapore. Increasingly, it is recognized as one that reaches across all industries that Singapore wishes to nurture. As such, various government programmes such as the SG Digital – Digitalising Singapore, Industry 4.0 and Smart Nation Initiatives are all based on developing ICT capabilities across the entire economy.
31.1.2 In order to remain on the forefront technologies and to address the ensuing issues arising from the use by such technologies, the regulatory agency, the Info-Communications Media Development Authority (IMDA) is charged with regulating and promoting the ICT and ecommerce sectors. In addition, this agency, which was formed with the merger of the ICT and media regulators, represents the confluence of information technology and media.
31.1.3 However, it is not just the merger of telecommunications and media that has revolutionized Singapore. Technology has also permeated every industry and has brought about or threatened ‘disruption’ to sectors such as finance, education, healthcare, law, retail, food & beverage and transportation, not by itself but in tandem with industry. These developments demand that laws evolve to assist the evolution of technology and its impact on areas such as data protection, cybersecurity and digital inclusion.
31.1.4 It is fitting that the full breadth of technology, media and telecommunications (TMT) demands a broad examination of the principles and laws in these areas. Therefore, the areas of TMT Law stretches into various areas from ecommerce to data protection to media regulations. It is a fast moving area, where times regulation has to be introduced to address new challenges at one in which an appearance in international practice in often greatly desired.
SECTION 2 TECHNOLOGY LAW
31.2.1 In Singapore, the Electronic Transactions Act (Cap. 88, 2011 Rev Ed) ("ETA") provides a framework for the regulation of nearly all digital and e-commerce services, including electronic contracts, records and signatures. The ETA reflects Singapore's implementation of the United Nations Convention on the Use of Electronic Communications in International Contracts which follows from the 1998 UNCITRAL Model Law on Electronic Commerce, and the UNCITRAL Model Law on Electronic Transferable Records.
(1) Application of the ETA
31.2.2 Generally, apart from the matters expressly listed in the First Schedule to the ETA, all other matters are likely to be capable of being dealt with by electronic means. At the time of writing, excluded matters under the First Schedule to the ETA include:
- Creation or execution of a will;
- Negotiable instruments, documents of title, bills of exchange, promissory notes, consignment notes, bills of lading, warehouse receipts or any transferable document or instrument that entitles the bearer or beneficiary to claim the delivery of goods or the payment of a sum of money;
- The creation, performance or enforcement of an indenture, declaration of trust or power of attorney, with the exception of implied, constructive and resulting trusts;
- Any contract for the sale or other disposition of immovable property, or any interest in such property; and
- The conveyance of immovable property or the transfer of any interest in immovable property.
31.2.3 Note that under the recently-passed Electronic Transactions (Amendment) Bill (Bill No. 1/2021), item 2 of the First Schedule to the ETA will be deleted. Accordingly, once the amendments come into force, the ETA provisions relating to the legal enforceability of electronic records and signatures will henceforth also apply to negotiable instruments, documents of title, bills of exchange, promissory notes, consignment notes, bills of lading, warehouse receipts or any transferable document or instrument that entitles the bearer or beneficiary to claim the delivery of goods or the payment of a sum of money.
(2) Electronic contracting
31.2.4 In Singapore, the validity of electronic or online contracts is recognised under section 11(2) of the ETA. Section 11(2) of the ETA expressly recognises that a contract shall not be denied validity or enforceability solely on the ground that an electronic communication was used in the formation of the contracts.
31.2.5 The usual requirements for contract formation (offer, acceptance, intent to create legal relations and consideration) will apply in determining whether a contract has been validly formed electronically. Section 11(1) of the ETA specifically recognises that "in the context of the formation of contracts, an offer and the acceptance of an offer may be expressed by means of electronic communications". Therefore, unless parties are otherwise prevented from doing so, contracts can typically be concluded and executed by electronic means.
(3) Electronic records
31.2.6 Section 6 of the ETA expressly recognises that information will not be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record. This applies even to information that is required by law to be reduced to writing, except for items in the First Schedule of the ETA.
31.2.7 To the extent that any electronic record has been properly verified by specified security procedures or commercially reasonable security procedures, such records may also be treated as a "secure electronic record" pursuant to section 17 of the ETA. Under the Second Schedule to the ETA, specified security procedures include any digital signature which falls within the definition of the Third Schedule to the ETA. Alternatively, section 17(2) sets out the criteria to determine whether a security procedure is commercially reasonable, including:
- the nature of the transaction;
- the sophistication of the parties;
- the volume of similar transactions engaged in by either or all parties;
- the availability of alternatives offered to but rejected by any party;
- the cost of alternative procedures; and
- the procedures in general use for similar types of transactions.
31.2.8 Section 19(1) of the ETA further creates a legal presumption that unless there is evidence adduced to the contrary, the court will presume that a secure electronic record has not been altered since the specific point in time to which the secure status relates.
(4) Electronic signatures and digital signatures
(i) Electronic signatures
31.2.9 Under section 8 of the ETA, a legal requirement for a signature is satisfied in an electronic record if a method is used to identify the signatory to indicate the person's intent in respect of the information in the electronic record, and such method is appropriately reliable in the circumstances. Accordingly, when assessing whether a proposed method of obtaining electronic-based signatures is appropriate, the critical factor to consider is whether the individual's identity and intent may be reliably ascertained in the circumstances. Some practical means of obtaining electronic-based signatures may include scanned copies of a handwritten signature capable of identifying the individual, drawing of a signature, clicking an acceptance button, and entering account passwords.
31.2.10 Given the proliferation of major cross-border transactions today, parties may also opt to use secure electronic signatures to verify their identity. The primary benefit of using a secured electronic signature is that parties may rely on the legal presumption in section 19 of the ETA under which a court will presume that the secure electronic signature is the signature of the person to whom it relates, and that such signature was affixed by that person with the intent of signing and approving the electronic record.
31.2.11 Under section 18 of the ETA, an electronic signature will be treated as a secure electronic signature, if, through the application of a specified security procedure or an agreed commercially reasonable security procedure, it can be verified that the electronic signature (at the time it was made) was unique to the person using it, capable of identifying the person, created in a manner or using a means under the sole control of the person using it and linked to the electronic record to which it relates, such that if the electronic record was changed, the electronic signature would be correspondingly invalidated.
31.2.12 Section 19(2) of the ETA further creates a legal presumption that unless there is evidence adduced to the contrary, the court will presume that a secure electronic signature is the signature of the person to whom it relates, and it was affixed by that person with the intention of signing and approving the electronic record.
(ii) Digital signatures
31.2.13 Digital signatures are defined in Paragraph 1 of the Third Schedule to the ETA as a type of electronic signature which consists of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can accurately determine whether the transformation was created using the private key that corresponds to the signer’s public key can accurately determine whether the transformation was created using the private key that corresponds to the signer’s public key, and whether the initial electronic record has been altered since the transformation was made.
31.2.14 Electronic records which are signed with a digital signature will be treated as a secure electronic record under section 17(1) of the ETA.
(5) Electronic transferable instruments
31.2.15 The Electronic Transactions (Amendment) Bill (Bill No. 1/2021) also includes a new Part IIA, which relates to electronic transferable instruments. When the new section 16H comes into force, an electronic record will be treated as satisfying any rule of law for transferable instruments if such record contains the information that would be required to be contained in a transferable instrument, and a "reliable method" is used to identify the authoritativeness of the electronic record, render that electronic record capable of control from the time of creation to the time it ceases to have any effect, and retains the integrity of that electronic record. In assessing the integrity of the record, the primary criterion is whether information contained in the electronic record has remained complete and unaltered apart from any change that arises in the normal course of communication, storage or display.
31.2.16 The new sections 16M and 16N will also provide for legal recognition for a change in medium from a transferable document or instrument to an electronic transferable record and vice versa, if a "reliable method" is used. A change of medium will only be effective if (i) all the information from the original medium is accurately reproduced in the new medium, and (ii) the new medium contains a statement indicating a change in medium.
31.2.17 In assessing whether a method is reliable for the purposes of the provisions in Part IIA, the new section 16O requires that the method must either have been proven in fact to have fulfilled the function, or must be as reliable as appropriate for the fulfilment of its function, in the light of all relevant circumstances, which may include but is not limited to:
- any operational rules that are relevant to the assessment of reliability;
- the assurance of data integrity;
- the ability to prevent unauthorised access to and use of the system;
- the security of hardware and software;
- the regularity and extent of audit by an independent body;
- the existence of declaration by a supervisory body, an accreditation body or a voluntary scheme, regarding the reliability of the method; or
- any applicable industry standard
B. Electronic evidence
31.2.18 Generally, the rules pertaining to relevance and admissibility of evidence apply to the admissibility of electronic evidence in the same way as documentary or physical evidence.
31.2.19 There is no prescribed list of what constitutes electronic evidence. Instead, the provisions in the Evidence Act (Cap. 97, 1997 Rev Ed) (the "EA") which pertain to electronic evidence instead refer to evidence which takes the form of electronic records. Under section 2(1) of the EA, an "electronic record is defined as:
"a record generated, communicated, received or stored by electronic, magnetic, optical or other means in an information system or transmitted from one information system to another".
31.2.20 Additionally, section 116A of the EA creates 4 legal presumptions with respect to electronic records, such that unless there is evidence adduced to the contrary, the court will presume that:
- the electronic record in question was produced or accurately communicated by a electronic device or process, if the device or process is of a kind that, when properly used, ordinarily produces or accurately communicates an electronic record (see section 116A(1) of the EA);
- the electronic record in question is authentic if it is established that the electronic record was generated, recorded or stored in the usual and ordinary course of business by a person who was not a party to the proceedings on the occasion in question and who did not generate, record or store it under the control of the party seeking to introduce the electronic record as evidence in the proceedings (see section 116A(2) of the EA);
- the electronic record in question is authentic if it was generated, recorded or stored by a party who is adverse in interest to the party seeking to adduce the evidence (see section 116A(3) of the EA); and
- the electronic record in question accurately reproduces a document if that record was recorded or stored from a document pursuant to an "approved process" in accordance with the Evidence (Computer Output) Regulations (1997 Rev Ed).
C. Digital tax
31.2.21 The Inland Revenue Authority of Singapore ("IRAS") is the main governing authority in Singapore responsible for the tax regime in Singapore. Taxation for digital goods and services, including e-commerce, is mainly provided for under the Goods and Services Tax Act (the "GST Act"), which provides for the imposition and collection of goods and service tax and for matters connected therewith.
31.2.22 Goods and services tax ("GST") is a general consumption tax imposed on all goods and services consumed in Singapore. As a starting point, the medium through which such goods and services are provided does not alter the taxability of the transaction, and therefore, GST may applied regardless of whether such goods and services are supplied physically or digitally (for example, via the internet, or an electronic network or marketplace). The current rate of GST is 7%.
31.2.23 Generally, businesses must register and charge GST if the taxable turnover of such business exceed $1,000,000.
31.2.24 Whether GST applies to goods sold and delivered over the internet depends on the destination of delivery of the goods. In short, if goods sold via the internet are intended to be delivered locally in Singapore, GST may be chargeable. If however, the physical deliver of goods is not from a place in Singapore, and to another place outside of Singapore, then GST does not apply and does not need to be charged. A similar regime applies to the sale of digitised goods, such as e-books, music, or software.
31.2.25 Currently, goods imported via land or sea, as well as goods above $400 imported by air or post are subject to GST. Low value goods (goods worth less than $400) imported via air or post are currently not subject to GST to facilitate clearance at the border, although GST will start to apply on such goods from 1 January 2021 onwards.
31.2.26 In relation to services supplied on the internet by foreign companies, Singapore introduced the Overseas Vendor Registration ("OVR") regime on 1 January 2020. The OVR regime applies to foreign companies supplying digital services to customers in Singapore (ie. B2C businesses), where such company's:
- annual global turnover exceeds S$1,000,000; and
- sale of digital services to consumers in Singapore exceeds S$100,000.
31.2.27 Foreign B2C businesses which meet the criteria above are required to register for GST and charge GST on the sale of its services.
31.2.28 A similar regime may apply to electronic marketplace operators if they are to be regarded as the supplier of such digital services. This depends on whether such marketplace operator's election of whether they are to be treated as a business-to-consumer ("B2C") business, or a business-to-business ("B2B") business. As clarified by IRAS:
- B2C election for supplies of digital services: An electronic marketplace operator (whether local or overseas) may elect to charge and account GST on all B2C supplies of digital services made by local suppliers through its marketplace, in addition to those made by overseas suppliers.
- B2B election for supplies of digital services: A local electronic marketplace operator may elect to charge and account GST on B2B supplies of digital services made by overseas suppliers through the marketplace, in addition to the B2C supplies of digital services made by the overseas suppliers. This would also cover B2B supplies# of digital services made by local suppliers if the local marketplace operator has made the B2C election in (1) as well.
31.2.29 Digital services are services which are supplied over the internet or an electronic network and the nature of which renders their supply essentially automated with minimal or no human intervention and impossible without the use of information technology. This includes:
- Downloadable digital content (e.g. downloading of mobile applications, e-books and movies);
- Subscription-based media (e.g. news, magazines, streaming of TV shows and music, and online gaming);
- Software programs (e.g. downloading of software, drivers, website filters and firewalls);
- Electronic data management (e.g. website hosting 5 , online data warehousing, file-sharing and cloud storage services); and
- Support services, performed via electronic means, to arrange or facilitate a transaction, which may not be digital in nature (e.g. commission, listing fees and service charges by electronic marketplaces).
31.2.30 A business may also qualify for a range of exceptions under the GST regime, the most common being the qualification for zero-rating under section 21(3) of the GST Act.
D. Data protection
31.2.31 The Personal Data Protection Act 2012 (No. 26 of 2012) ("PDPA") governs the collection, use, disclosure and care of personal data in Singapore. However, under section 4(1) of the PDPA, the obligations pertaining to treatment of personal data do not apply to:
- individuals acting in a personal or domestic capacity;
- employees acting in the course of his employment with an organisation;
- government agencies or tribunals appointed under any written law; or
- any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.
(1) Meaning of 'personal data'
31.2.32 Under section 2(1) of the PDPA, "personal data" is defined as any data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
31.2.33 Section 4(4)-(5) of the PDPA excludes the following categories of personal data from the scope of the PDPA:
- personal data about an individual that is contained in a record that has been in existence for at least 100 years;
- personal data about a deceased individual who has been dead for more than 10 years; and
- business contact information, including an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes.
(2) Personal data protection obligations
31.2.34 The PDPA imposes 10 obligations relating to the processing and treatment of personal data under Parts IV to VIA.
- Consent obligation
31.2.35 Under section 13 of the PDPA, organisations must obtain an individual's consent before collecting, using or disclosing their personal data for any purpose. Section 14(1) further specifies that an individual will only be taken to have provided valid consent if they are notified of the purposes for which their personal data will be collected, used or disclosed, and the individual has provided their consent for those purposes. In certain situations (as outlined in section 15 of the PDPA), individuals may be deemed to have provided consent.
31.2.36 The First Schedule and Second Schedule to the PDPA further sets out a limited number of exceptions to the consent obligation.
- Purpose limitation obligation
31.2.37 Under section 18 of the PDPA, organisations ma y only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances, and for which the individual has been notified.
- Notification obligation
31.2.38 Under section 20 of the PDPA, organisations must notify the individual of the purpose(s) for which it intends to collect, use or disclose their personal data on or before such collection, use or disclosure. Any personal data that is collected, use or disclosed by the organisation may only be done so for such purposes.
- Access and correction obligation
31.2.39 Under sections 21 and 22 of the PDPA, organisations must, on request and as soon as reasonably possible, permit an individual to access and/or correct any personal data of that individual which is in the organisation's possession or control. Additionally, organisations must also provide the individual with information about the ways in which their personal data may have been used or disclosed by the organisation during the past year.
31.2.40 This obligation is subject to certain exclusions set out in the Fifth and Sixth Schedules to the PDPA.
- Accuracy obligation
31.2.41 Under section 23 of the PDPA, organisations must make a reasonable effort to ensure that any personal data collected by them or on their behalf is accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates, or if the personal data is likely to be disclosed to another organisation.
- Protection obligation
31.2.42 Under section 24 of the PDPA, organisations must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks, and the loss of any storage medium or device on which the personal data is stored.
- Retention limitation obligation
31.2.43 Under section 25 of the PDPA, organisations must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which the personal data was collected and is no longer necessary for legal or business purposes.
- Transfer limitation obligation
31.2.44 Under section 26 of the PDPA, organisations must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA.
- Data breach notification obligation
31.2.45 Under section 26C of the PDPA, organisations must conduct an assessment of whether a data breach affecting personal data in their possession or control is a "notifiable data breach" within the meaning of section 26B of the PDPA. Per section 26B, a data breach is a "notifiable data breach" if the data breach either (i) results in, or is likely to result in, significant harm to an affected individual, as, or (ii) is, or is likely to be, of a significant scale, each as described under the Personal Data Protection (Notification of Data Breaches) Regulations 2021.
31.2.46 In the event that a data breach is notifiable under section 26B, section 26D of the PDPA requires organisations to notify the Personal Data Protection Commission ("PDPC") of such breach as soon as practicable, but in any case no later than 3 calendar days. Where the notifiable data breach is one that is, or is likely to be, of a significant scale, the organisation must also inform each affected individual in any manner that is reasonable in the circumstances,
- Accountability obligation
31.2.47 Under sections 11 and 12 of the PDPA, organisations are required to appoint a data protection officer who is responsible for ensuring the organisation's compliance with the PDPA. The data protection officer is also responsible for developing and implementing policies and practices that are necessary for the organisation to satisfy their PDPA obligations.
- Data portability obligation
31.2.48 The recently-passed Personal Data Protection (Amendment) Bill (Bill No. 37/2020) also creates a new Part VIB, which governs the data portability obligation. When this Part comes into force, the new section 26F will require certain prescribed porting organisations to transmit applicable data in its possession or control to another organisation that is incorporated or has a place of business in Singapore upon receiving a data porting request from the individual, as long as (i) the data porting request satisfies the prescribed requirements, and (ii) the porting organisation has an ongoing relationship with the individual at the time it receives the data porting request.
31.2.49 The new section 26G further specifies that the purpose of the data portability obligation is to provide individuals with greater autonomy and control over their personal data, and facilitate the innovative and more extensive use of specified categories of personal data that is in the possession or control of organisations in order to support the development, enhancement and refinement of products and services provided by other organisations located or operating in Singapore or elsewhere.
(3) Do Not Call Registry
31.2.50 Part IX of the PDPA sets out the provisions relating to the establishment and operations of the Do Not Call Registry ("DNC Registry"). These provisions apply to marketing messages (including voice calls, text or fax messages) which are sent for the applicable purposes which are outlined in the Tenth Schedule to the PDPA, and include messages involving:
- any offer to supply, advertise or promote goods or services;
- advertising or promoting suppliers or prospective suppliers of goods or services; or
- supplying, advertising or promoting land, interests in land or business/investment opportunities.
31.2.51 Under section 43 of the PDPA, organisations which may be involved in sending such marketing messages must ensure that the messages are not sent to Singapore telephone numbers that are registered with the DNC Registry.
31.2.52 In Singapore matters pertaining to cybersecurity are regulated under the Cybersecurity Act 2018 (No. 9 of 2018) ("CA"). Section 2 of the CA defines 'cybersecurity' as the state in which a computer or computer system is protected from unauthorised access or attack and, because of that state:
- the computer or system continued to be available and operational;
- the integrity of the computer or system is maintained; or
- the integrity and confidentiality of information stored in, processed by or transmitted through the computer or system is maintained.
(1) Application to critical information infrastructures (CIIs)
31.2.53 The regulatory obligations set out under the CA apply to systems which have been designated as 'critical information infrastructures' ("CII") under section 7(1) of the CA. A computer or computer system may be designated as a CII if they are located wholly or partly in Singapore, and are necessary for the continuous delivery of an essential service (as set out in the First Schedule to the CA), such that its loss or will have a debilitating effect on the availability of the essential service in Singapore.
31.2.54 The owner of a computer or computer system which has been designated as a CII will be expressly notified by the Cybersecurity Agency of Singapore ("CSA") of such designation. CII owners have various obligations under Part 3 of the CA.
- Notification of change in ownership
31.2.55 Under section 13 of the CA, CII owners must notify the CSA of any change in the beneficial or legal ownership (or share thereof) of a CII, no later than 7 days after the date of that change in ownership.
- Reporting cybersecurity incidents
31.2.56 Under section 14 of the CA (read with Regulation 5 of the Cybersecurity (Critical Information Infrastructure) Regulations 2018), CII owners must notify the CSA within certain prescribed time limits after it becomes aware of cybersecurity incidents affecting the CII or its computer systems which involve the following:
- any unauthorised hacking to gain unauthorised access to or control of the CII;
- any installation or execution of unauthorised software, or computer code, of a malicious nature;
- any man‑in‑the‑middle attack, session hijack or other unauthorised interception of communication by means of a computer or computer system; or
- any denial of service attack or other unauthorised act or acts carried out through a computer or computer system that adversely affects its availability or operability.
31.2.57 To the extent that any cybersecurity incident involves the unauthorised access or disclosure of personal data, the relevant provisions under the PDPA may also apply.
- Conducting cybersecurity audits and risk assessment
31.2.58 Under section 15 of the CA, CII owners must conduct cybersecurity audits at least once every 2 years, and cybersecurity risk assessments at least once a year. Copies of the reports from such audit or assessment must be provided to the CSA no later than 30 days after completion.
(2) Application to cybersecurity service providers
31.2.59 At the time of writing, Part 5 of the CA (which governs cybersecurity service providers) has not yet come into force. However, when this Part does come into effect, then under section 24 of the CA, any cybersecurity service provider must obtain and maintain a licence before offering such services in Singapore. Currently, the Second Schedule to the CA identifies penetration testing services and managed security operations centre monitoring services as licensable cybersecurity services.
31.2.60 Per section 2(1), this licensing obligation broadly applies to any person or entity that wishes to provide any service for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to another person. Licensed cybersecurity service providers must satisfy "fit and proper person" criteria, and must retain records of each occasion on which they are engaged to provide their cybersecurity service.
(3) Powers of the CSA
31.2.61 Part VI of the CA grants broad powers to the CSA to investigate and prevent cybersecurity incidents relating to any entity (whether designated as a CII or not), for the purpose of assessing the impact or potential impact of the cybersecurity threat or incident, preventing any or further harm arising from the cybersecurity incident, or preventing a further cybersecurity incident from arising from that cybersecurity threat or incident.
31.2.62 Section 2(1) of the CA further defines a cybersecurity threat or incident as any activity carried out without lawful activity on or through a computer or computer system that imminently or actually jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system.
F. Sector specific regulations
(1) Financial sector
31.2.63 The Monetary Authority of Singapore has also published Guidelines on Technology Risk Management ("MAS TRM Guidelines"), which provides general guidance to financial institutions to establish a sound and robust technology risk governance and oversight framework commensurate with the level of risk and complexity of the financial services offered by the institution.
31.2.64 Under the MAS TRM Guidelines, financial institutions are required to establish a technology risk management framework with clear governance structures and processes. For instance, organisations which provide online financial services are required to put in place security and control measures to ensure the security of their data and online services, including implementing processes to authenticate the customer's identity, encrypt data, and block suspicious or fraudulent online transactions.
31.2.65 Directors and senior management bear primary responsibility for ensuring the organisation's compliance with the MAS TRM Guidelines. They also responsible for implementing the organisation's technology risk management strategy to identify, analyse and address the threats and vulnerabilities that may arise in the organisation's course of business.
(2) Telecommunications sector
31.2.66 The Infocomm Media Development Authority ("IMDA") has formulated Codes of Practice to enhance the cybersecurity preparedness for designated telecommunications licensees, including major internet service providers operating in Singapore. IMDA has also published various IT standards and guidelines applicable cloud computing and services, Internet of Things, and data services.
G. Domain names
(1) Registration of domain names
31.2.67 Domain names are unique aliases corresponding to specific IP addresses on the Internet, and are used to access websites. Each domain name is associated with a top level domain. Generally, there are two categories of top level domains:
- Generic top level domains (gTLDs): This category includes general top level domains such as .com, .net, .edu, and .org, as well as specific top level domains such as .futbol, .pizza, .aero, and .biz (among others). The rules and policies for registration of domain names within gTLDs are largely coordinated by the Internet Corporation for Assigned Names and Numbers ("ICANN"), or by the community that has sponsored that gTLD.
- Country-code top level domains (ccTLDs): This category is reserved for use by countries, and are based on the respective two-letter country codes (e.g. .sg for Singapore, .jp for Japan). ccTLDs are managed locally, and the rules and policies for registering domain names within each ccTLD are set by the relevant authority in each jurisdiction. In Singapore, the .sg ccTLD is administered by the Singapore Network Information Centre ("SGNIC").
31.2.68 Users may register domain names through a variety of commercial registrars, on a first-come-first-served basis. The registration of a domain name gives the registrant the right to use the domain name; no other legal, beneficial or proprietary right is created in association with that domain name. Domain names are typically registered for one or two-year terms, and must be renewed prior to their expiry date.
(2) Domain name disputes
31.2.69 Although domain names are usually treated a form of intellectual property asset, they differ from traditional intellectual property rights in that the registrant's right to use a domain name is based on contractual rights created between ICANN, the registrar and the registrant, rather than a statutory right. The registrant is thus responsible for ensuring that the prospective registration would not infringe the rights of any third party, including any other intellectual property rights such as trademarks or copyright.
31.2.70 Nonetheless, domain name disputes may arise from cybersquatting and typosquatting activities:
- Cybersquatting occurs when individuals rely on the first-come-first-served nature of domain name registration to register names of trademarks, brands, or famous people with which they have no connection. The domain names may then be put up for auction or sale at high prices, or used to redirect traffic to other websites.
- Typosquatting is a form of cybersquatting which targets users who incorrectly type a website address into their Internet browser. Typosquatters deliberately register domain names using misspelt names of well-known brands and businesses (e.g. 'amazonn.com' instead of 'amazon.com') and create fake websites that are similar to the look and feel of the actual website. The fake website is then used to trick users into revealing their personal data or financial information.
(3) Dispute resolution processes
- Disputes involving gTLD domain names
31.2.71 The Uniform Domain Name Dispute Resolution Policy ("UDRP") was adopted by ICANN and took effect on 1 December 1999. The UDRP governs all ICANN-accredited gTLD registrars and the domain names they register.
31.2.72 Trademark holders which consider a domain name registration to be an infringement of their trademark may initiate a proceeding under the UDRP as a complainant with any dispute resolution service provider (e.g. WIPO Arbitration and Mediation Center, HKIAC). The fees for the proceeding will be borne solely by the complainant. The complaint must set out details of the domain name registration and the grounds for the complaint, including details of the following:
- the manner in which the domain name(s) is/are identical or confusingly similar to a trademark in which the complainant has rights; and
- why registrant should be considered as having no rights or legitimate interests in respect of the domain name(s) that is/are the subject of the complaint; and
- why the domain name(s) should be considered as having been registered and being used in bad faith.
31.2.73 UDRP disputes are heard by a panel of one or three independent members appointed by the dispute resolution service provider that is selected to administer the dispute. Panellists are typically selected from a list of domain name panellists assembled by the dispute resolution service provider, and are appointed based on their reputation and experience with trademark law and technology law.
31.2.74 A number of ccTLDs have adopted the UDRP. Where a ccTLD has adopted the UDRP, those domain names may be consolidated with gTLD and other ccTLD domain names against a single registrant in a single UDRP complaint.
- Disputes involving non-UDRP ccTLD domain names
31.2.75 In Singapore, the .sg ccTLD has not adopted the UDRP. Instead, SGNIC has adopted the Singapore Domain Name Dispute Resolution Policy Service ("SDRP") to resolve domain name disputes involving the .sg ccTLD.
31.2.76 The SDRP is largely based on the framework established under the UDRP. The primary difference is that parties may elect to resolve the dispute by mediation, which will be facilitated by the administrative panel. If either party does not agree to mediation, or if the parties are unable to resolve the dispute through mediation, then an administrative panel will be appointed to decide the dispute, similar to the UDRP process.
- Available remedies
31.2.77 In the event that the complaint is successful, the administrative panel may order that the domain name be transferred to the complainant, or be cancelled. Registrars are required to implement the decision within a specified period after receiving notification of the decision from the dispute resolution service provider. Administrative panels cannot award money judgments or lawyers' costs.
31.2.78 For .sg ccTLDs administered by SGNIC in Singapore, decisions of the administrative panel will be implemented by SGNIC
H. Technology export controls
31.2.79 Export control in Singapore is primarily governed by the Strategic Goods (Control) Act (Chapter 300 of Singapore) ("SGCA"). In general, the SGCA controls the transfer and brokering of strategic goods, strategic goods technology, goods and technology capable of being used to develop, produce, operate, stockpile or acquire weapons capable of causing mass destruction, and missiles capable of delivering such weapons; and for purposes connected therewith.
31.2.80 Subsidiary legislation of the SGCA includes the:
- Strategic Goods (Control) Regulations, which sets out procedural guidelines to support the implementation of the SGCA;
- Strategic Goods (Control) Order, which sets out a list of strategic goods and strategic goods technology; and
- Strategic Goods (Control) (Brokering) Order, which sets out a list of categories of goods and technology which require a brokering registration.
31.2.81 Under the SGCA, "technology" is defined as information (including information comprised in such documents as specifications, blueprints, plans, manuals, models, diagrams, formulae, tables and designs) that is necessary for the development, production or use of any goods, and includes software. The SGCA applies to "strategic goods technology", which is defined as any technology which may be prescribed as such. A list of such technology is further set out in detail under the Strategic Goods (Control) Order.
31.2.82 There are also various regulations pertaining to the intangible transfer of technology. This generally refers to the transfer of technology through means such as electronic mail, phone, internet transfer or fax. It also includes the act of making technology available on a computer or server in Singapore in a way that allows an individual in a foreign location to access such technology. Generally, a permit will be required for any intangible transfer of strategic goods software or technology.
31.2.83 The Singapore Customs is the governing agency which administers the SGCA in Singapore. It has broad powers and functions in this regard, including (but not limited) to the:
- Processing of strategic goods permit applications
- Registering and auditing of arms brokers
- Conducting industry outreach and public awareness programmes
- Enforcing the SGCA and its regulations
- Serving as the focal point for local and international enquiries
SECTION 3 MEDIA LAW
A. Scope of regulation – Newspapers, Films, TV, radio, Internet Code
31.3.1 The Infocomm Media Development Authority ("IMDA"), which is established under the IMDA Act (No. 22 of 2016) (the "IMDA Act"), is the governing authority in Singapore responsible for the development of the information, communications and media industry in Singapore. A broad spectrum of media falls under the jurisdiction of the IMDA; under the IMDA Act, "Media" is defined to include films, newspapers, broadcasting services, publications, and other medium of communication of information, entertainment or other matter to the public as may be gazetted.
31.3.2 Specific regulations in relation to each type of media, as well as their specific definitions, are further set out in their respective governing statutes. This includes, inter alia, the Broadcasting Act (Cap.28), the Films Act (Cap.107), the Newspaper and Printing Presses Act (Cap.206), the Undesirable Publications Act (Cap.338) and the Spam Control Act (Cap.311A). Pursuant to such legislation, companies which provide such relevant services will be required to obtain a licence from the IMDA in order to operate.
31.3.3 Under the IMDA Act and its related statutes, the IMDA also has the power to issue codes of practice, standards of performance and advisory guidelines. Different codes may apply depending on the type of service being provided. For example, all Internet Service Providers and Internet Content Providers licensed under the Broadcasting (Class Licence) Notification (N1) pursuant to the Broadcasting Act are bound to comply with the Internet Code of Practice, which, inter alia, obliges licensees to use "best efforts to ensure that prohibited material is not broadcast via the Internet to users in Singapore". Licensees who are licensed to provide nationwide television services are required to comply with the Code of Practice for Television Broadcast Standards.
B. Broadcasting Act
31.3.4 The Broadcasting Act (Cap 28) is an Act to regulate dealing in, the operation of and ownership of broadcasting services and broadcasting apparatus (and for matters connected therewith). The IMDA is charged by the Act to regulate three general broadcasting areas – television, radio and others. Under the Broadcasting Act, "broadcasting service" is defined broadly to mean:
a service whereby signs or signals transmitted, whether or not encrypted, comprise —
(a) any programme capable of being received, or received and displayed, as visual images, whether moving or still;
(b) any sound programme for reception; or
(c) any programme, being a combination of both visual image (whether moving or still) and sound for reception or reception and display,
by persons having equipment appropriate for receiving, or receiving and displaying, as the case may be, that service, irrespective of the means of delivery of that service
31.3.5 There are two types of licences which the IMDA may grant under the Broadcasting Act – broadcasting licences and broadcasting apparatus licences.
31.3.6 The broadcasting apparatus licence pertains generally to dealing with broadcasting apparatus, and no person is permitted to partake in the following activities without the requisite broadcasting apparatus licence:
- installing any broadcasting apparatus in any place, or on board any ship, aircraft or vehicle registered in Singapore;
- importing, offering for sale, selling or having in his possession with a view to sale, any broadcasting apparatus; or
- operating or having on any premises in Singapore owned or occupied by him broadcasting apparatus on or by which broadcasting services are received.
31.3.7 Notwithstanding, the IMDA has the powers to exempt any person or broadcasting apparatus or class of broadcasting apparatus from the above requirements.
31.3.8 The broadcasting licence issued by the IMDA pertains generally to the provision of broadcasting services, and a person must obtain valid licensing in order to provide any of the licensable broadcasting services, as set out in the Second Schedule to the Broadcasting Act. This includes a range of television services, radio services, audiotext services, videotext services, teletext services, video-on-demand services, broadcast data services and computer on-line services. The IMDA is also empowered to issue class licensing, and certain of these licensable broadcasting services fall under the Broadcasting (Class Licence) Notification (Notification).
31.3.9 Licensees must also comply with certain conditions as set out generally in the Broadcasting Act, such as complying with the relevant codes of practice issued by the IMDA and certain public service broadcasting obligations. One should note that Internet Content Providers, including those offering political and religious content, are automatically class licensed under the Broadcasting (Class Licence) Notification of the Broadcasting Act. Providers of political and religious content over the Internet must register with the IMDA within 14 days of commencing their services, or as otherwise notified by IMDA.
31.3.10 The Broadcasting Act also puts in place certain controls and restrictions for the shareholdings of broadcasting companies. For example, (1) at least half of its board of directors must be citizens of Singapore; and (2) the approval of the Minister is required for shareholders who hold an aggregate of more than 5 per cent of the total votes attached to all voting shares in a broadcasting company.
31.3.11 Advertisements in Singapore must comply with the Consumer Protection (Fair Trading) Act (Cap 52A) ("CPFTA"), which generally prohibits "unfair practice" in relation to consumer transactions. Under the CPFTA, "unfair practice" includes acts where a supplier:
- does or says anything, or omits to do or say anything, where a consumer might reasonably be deceived or misled;
- makes a false claim; or
- takes any action as prohibited under the Second Schedule to the CPFTA, which covers general acts of misrepresentation.
31.3.12 A consumer has the right to sue a supplier in the event of an unfair practice. The court has a wide range of powers to grant a remedy to an aggrieved consumer, which includes:
- ordering restitution of any money, property or consideration given or furnished by the consumer:
- awarding the consumer damages in the amount of any loss or damage suffered by the consumer as a result of the unfair practice;
- making an order of specific performance against the supplier;
- making an order directing the supplier to repair goods or provide parts for goods; or
- making an order varying the contract between the supplier and the consumer.
31.3.13 Apart from the CPFTA, the content of advertisements as well as the manner of advertisement may be separately regulated under the various relevant acts and legislation, for example, the Broadcasting Act (Cap.28), the Films Act (Cap.107), the Newspaper and Printing Presses Act (Cap.206), the Undesirable Publications Act (Cap.338) and the Spam Control Act (Cap.311A)). The various Codes of Practice issued under such legislation will also be relevant. For example, relevant licensed service providers offering advertisements and sponsored programmes must observe the principles and obligations under the "Television and Radio Advertising and Sponsorship Code". The advertising of certain products may also be subject to its specific industry. For example, therapeutic products (as categorised under the Health Products Act (Chapter 122D)) are subject to the Health Products (Advertisement of Therapeutic Products) Regulations 2016.
31.3.14 Common law principles also continue to be applicable, and errant advertising practices may lead to civil claims, such as those arising out of misrepresentation, passing off, and defamation.
31.3.15 In addition to the above, advertising in Singapore is also supervised by the Advertising Standards Authority of Singapore ("ASAS"). The ASAS comprises various members drawn from the organisations representing advertisers, advertising agencies and media, government agencies and other supporting organisations, and is an advisory council set up under the Consumers Association of Singapore, a non-profit and non-governmental organization committed towards the protection of consumer interests.
31.3.16 To promote "a high standard of ethics in advertising by self-regulation against the background of national law and international law and practice, including the International Code of Advertising Practice published by the International Chamber of Commerce", the ASAS has issued the Singapore Code of Advertising Practice ("SCAP"), which sets out various recommended principles and standards for advertisers to follow. For example, according to the SCAP, advertisements in Singapore:
- should not contain anything illegal;
- should be honest;
- should not mislead in any way by inaccuracy, ambiguity exaggeration, omission or otherwise; and
- should not without justifiable reason play on fear.
31.3.17 The SCAP does not have the force of law in Singapore, although it complements the regimes above in governing advertisements in Singapore.
SECTION 4 TELECOMS LAW
A. Telecommuncations Act
31.4.1 The telecoms sector is regulated by the IMDA and the primarily piece of regulation is the Telecommunications Act. Under the Telecommunications Act, telecommunication service is defined as “any service for telecommunications, including the leasing of a telecommunication cable, but excludes any broadcasting service”.
31.4.2 In turn, “telecommunications” means a transmission, emission or reception of signs, signals, writing, images, sounds or intelligence of any nature by wire, radio, optical or other electro-magnetic systems whether or not such signs, signals, writing, images, sounds or intelligence have been subjected to rearrangement, computation or other processes by any means in the course of their transmission, emission or reception".
“telecommunication system” means any system used or intended to be used for telecommunications, including (for the avoidance of doubt) any such system capable of being used for the operation of any broadcasting service;
31.4.3 The operation and provision of telecommunication systems and service in Singapore is authorized under section 3(1) of the Telecommunications Act and would be exclusively licensed and regulated by the IMDA operating under the IMDA Act. The key exception to the exclusive privilege granted by section 3 is “the running by a person solely for his own use or solely for the purposes of his business (but not for providing any telecommunication service to another person) of a telecommunication line system in which all the equipment comprised therein is situated (i) on a single set of premises in single occupation; or (ii) in a vessel, aircraft or vehicle or in 2 or more vessels, aircraft or vehicles mechanically coupled together”.
31.4.4 The Telecommunications Act sets out through its regulations, code of practice, standards, directions and advisory guidelines from time to time the applicable regulatory framework from the telecoms sector.
31.4.5 Currently, the IMDA categorizes telecoms services into 2 main categories: facilities-based operators (FBO) or services-based operators (SBO).
31.4.6 FBOs are operators intending to deploy any form of telecommunication network, systems and facilities to offer telecommunication switching and/or telecommunication services to other licensed telecommunication operators, business, and/or consumers. Facilities-based operations refer to the deployment and/or operation of any form of telecommunication network, systems and/or facilities by any person for the purpose of providing telecommunication and/or broadcasting services outside of his own property boundaries to third parties, who may include other licensed telecommunication operators, business customers or the general public. The range of telecommunication services to be provided over the FBO licensees’ facilities may include the following:
• Public Switched Telephone Services
• Public Switched Integrated Services Digital Network (ISDN) Services
• Leased Circuit Services
• Public Radiocommunication Services4
• Public Cellular Mobile Telephone Service (PCMTS)
• Public Trunked Radio Services (PTRS)
• Public Mobile Data Services (PMDS)
• Terrestrial Telecommunication Network for Broadcasting Purposes
• Satellite Uplink/Downlink for Broadcasting Purposes
31.4.7 The licence fee for FBOs will be an annual recurrent fee based on Annual Gross Turnover (AGTO) of the FBOs, subject to a minimum amount of $80,000 or $200,000, depending on whether the licensee is an FBO or Public Telecommunication Licensee respectively. After the minimum amount, the licence fee is either 0.8% or 1.0% of AGTO based on tiers. There is no initial one-time licence fee payable. The duration of the licence will also differ depending on the scope of the FBO licensee’s operations, ranging from 10 to 20 years. The exception will be for FBOs with terrestrial telecommunication network for broadcasting purposes only or satellite Uplink/Downlink for broadcasting purposes, where the licensee fee is an annual $5,000.
31.4.8 SBOs are operators who:
- Lease telecommunication network elements (such as transmission capacity and switching services) from any IMDA-licensed Facilities-Based Operator (FBO) to provide their own telecommunication services;
- Resell telecommunication services of FBOs to third parties; or
- Deploy telecommunication network, systems and facilities within their own property boundaries, but wish to offer telecommunication services to third parties residing within their property boundaries.
31.4.9 The Service-Based Operations (SBO) Licence allows an operator to provide services-based telecommunications services in Singapore so as to provide their own telecommunication services, or to resell the telecommunication services of FBOs, to third parties. Depending on the scope of the operation and nature of the service, a telecommunications SBO can be licensed under one of two categories:
i. SBO (Individual) Licence
31.4.10 In general, operators who lease international transmission capacity to provide their services would be licensed individually.
ii. SBO (Class) Licence
31.4.11 SBO (Class) Licensees shall not collect monetary deposits and/or use prepaid cards as a means of collecting payment from their customers. A range of telecommunication service-based operations and services fall under this category with an ensuing license structure.
SBO(Individual) Licence Licence Fees
First S$50 million in AGTO
Next S$50 – S$100 million in AGTO
0.5% AGTO annually
Above S$100 million in AGTO
0.8% AGTO annually
Live Audiotex services only
S$200 every five-yearly
SBO (Class) Licence)
$200 (one-time payment)
Call-back and call-origination services
Internet-based voice and data services
International calling card services
Store-and-forward value-added network services
Store-and-retrieve value-added network services (where leased circuits are used)
Store-and-retrieve value-added network services (where no leased circuits are used)
No fee payable
Resale of public switched telecommunication services
Public Chain Payphone Service
(2) Regulatory framework
31.4.12 All FBO and SBO licensees will be regulated in accordance with the licensing and regulatory frameworks established by IMDA, which are formulated under the provisions of the Telecommunications Act (Cap. 323). Some of the key frameworks currently in place include :
- the Code of Practice for Competition in the Provision of Telecommunication Services (“Telecom Competition Code”)
- the Code of Practice for Info-communication Facilities in Buildings (COPIF)
- the Accounting Separation Guidelines
- the National Numbering Plan
31.4.13 Other than dealing with its licensees, IMDA also has powers to deal with the unlawful operation of telecommunication systems or telecommunication services (section 33), the unlawful sale or possession of radio-communications equipment (section 34), the fraudulent use of telecommunication service with intent to avoid payment and the fraudulent retention of messages (section 46). Conviction of these offences carry fines or imprisonment or both.
B. Interface with the Broadcasting Act
31.4.14 The Broadcasting Act (Cap 28) is an Act to regulate dealing in, the operation of and ownership in broadcasting services and broadcasting apparatus and is administered by the IMDA. Broadly speaking, the IMDA is charged by the Act to regulate three broadcasting areas – television, radio and others. It has also specific remit under the Act over the regulation over Internet content.
31.4.15 Section 8 of the Broadcasting Act gives IMDA the authority to issue broadcasting licenses “in such form and for such period and may contain such terms and conditions as the (IMDA) may determine”, for a fee. Free-to-air licenses may be granted subject to conditions including those set out in Section 8(4).
31.4.16 Section 9 of the Broadcasting Act gives IMDA the authority to issue class licenses “in such form and for such period and may contain such terms and conditions as the (IMDA) may determine”. In particular, Section 9(4) provides that IMDA “may impose a condition on a class licence requiring the licensee to comply with a Code of Practice that is applicable to the licensee or designed to ensure that a breach of a condition of the class licence by the licensee does not recur”.
31.4.17 Class licences may issued by IMDA by notification to the following include:
- Internet Access Service Providers (as licensed under section 5 of the Telecommunications Act and a a subset of an Internet Service Provider)
- Internet Service Resellers (both Localised and Non-localised Internet Service Resellers)
- Internet Content Providers
- Subscription Online Newspaper Content (which is a subset of the Internet Content Providers)
31.4.18 In the context above, “Internet Content Provider” means —
(a) any individual in Singapore who provides any programme, for business, political or religious purposes, on the World Wide Web through the Internet; or
(b) any corporation or group of individuals (including any association, business, club, company, society, organisation or partnership, whether registrable or incorporated under the laws of Singapore or not) who provides any programme on the World Wide Web through the Internet,
and includes any web publisher and any web server administrator.
31.4.19 Do also note that the IMDA may also, by notification, issue a class licence to “any person who provides a computer on-line service in or from Singapore, whether for payment or free, and whether at regular intervals or otherwise —
(a) that is accessed from at least 50,000 different Internet protocol addresses in Singapore per month on average, over any period of 2 consecutive months; and
(b) that contains at least one Singapore news programme per week on average, over the same period of 2 consecutive months”.
31.4.20 The terms of the class license requires registration by Internet Content Providers and Internet Service Providers. Internet Access Service Providers must also provide content filtering services. Class licensees must also ensure its services comply with such Codes of Practice as IMDA the Authority may issue from time to time and are not used for any purpose, and does not contain any programme that is against the public interest, public order or national harmony or offends against good taste or decency. In particular, Internet Content Providers and Internet Service Providers adhere to the Internet Code of Practice which has been discussed [cross-reference].
31.4.21 Internet Content Providers and Internet Service Providers who hold class licences are required to comply with the Internet Code of Practice.
- Content Code for Over-the-Top, Video-on-Demand and Niche Services
C. Telecom Code of Competition
31.4.22 The Telecom Competition Code is a competition management framework which the licensees must comply with. Since its introduction in 2000, the Telecom Competition Code has undergone two rounds of review in 2005 and 2012. The Telecom Competition Code has obligations which are imposed on all IMDA-licensees, both FBO and SBO. These include consumer protection and competition and consolidation provisions, Certain provisions apply to FBO licensees only (such as interconnection) and within that class, certain provisions apply to Dominant FBO licensees (such as tariff regulation).
Updated as at 12 March 2021
By: Bryan Tan
Pinsent Masons MPillay LLP
Pinsent Masons MPillay LLP
Pinsent Masons MPillay LLP