This country-specific Q&A provides an overview to technology laws and regulations relevant in Singapore.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Communications networks and services are regulated in Singapore. A person providing communications networks should obtain a facilities-based operator ("FBO") licence. An FBO licensee would be allowed to deploy and/or operate any form of telecommunication infrastructure for the purpose of providing telecom services to end users or to other telecom licensees.
A person providing communications services should obtain a service-based operator ("SBO") licence. An SBO licensee may lease telecommunication infrastructure from FBO licensees to provide telecommunication services to end users or to resell telecommunication services of other telecoms licensees.
Both licences are issued by the Info-communications Media Development Authority ("IMDA") of Singapore.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The IMDA is the authority that regulates the provisions of communications-related services in Singapore.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
In order to apply for an FBO or SBO licence, the applicant must be a company incorporated in Singapore.
A Singapore incorporated company may be wholly owned by a foreign entity. There is no restriction on foreign ownership for telecom licensees.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
The Code of Practice for the Provision of Telecommunication Services ("Telecom Competition Code") mandates interconnection between operators.
Where a licensee is considered to be a "dominant licensee" it is subject to further requirements regarding interconnection. The IMDA requires dominant licensees maintain and to provide interconnection services in accordance with, a reference interconnection offer ("RIO"). The RIO sets out prices, terms and conditions that have been pre-approved by the IMDA.
A licensee will be considered to be a "dominant licensee" if:
(a) it is licensed to operate facilities that are sufficiently costly or difficult to replicate such that requiring new entrants to do so would create a significant barrier to rapid and successful entry into the telecommunication market in Singapore by an efficient competitor; or
(b) it has the ability to exercise significant market power in any market in Singapore in which it provides telecommunication services.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The principal consumer protection regulations specific to telecom services are set out in the Telecom Competition Code. Some examples are set out below:
(a) licensee must disclose to end users the price, terms and conditions of the service (including a free-trial service);
(b) licensee must provide procedures to contest charges in a service agreement;
(c) licensee must not charge for disproportionate early termination fees;
(d) where the licensee seeks to terminate the service agreement due a breach by an end user, the licensee must provide the end user with advance notice and reasonable opportunity to remedy the breach; and
(e) at the end of a free trial service the licensee must not charge for such services unless the licensee has notified the end user the date on which the free trial ends and the end user has agreed to continue the services.
What legal protections are offered in relation to the creators of computer software?
The computer software may be protected in the following ways:
The computer code, which is considered to be "literary works" under the Copyright Act, may be protected by copyright. The computer code must meet copyright requirements such as originality. The duration of copyright protection for computer code is 70 years after the creator's death.
The computer software may be protected as a trade secret. A trade secret is confidential information that is private to only individuals who possess such confidential information. Generally, once a trade secret is in the public domain, it loses protection under trade secret laws. A computer software creator may commercialise his software and yet keeps his underlying software architecture, algorithm and code as a trade secret. However, trade secret protection does not protect against independent creation or reverse engineering. A trade secret does not require any application and has no limitation on its duration.
Do you recognise specific intellectual property rights in respect of data/databases?
Data or database alone is not copyrightable. However, copyright may subsist in the compilation of the data. In the recent Court of Appeal decision of the Global Yellow Pages Ltd v Promedia Directories Pte Ltd and another matter  SGCA 28, the court ruled that for a compilation of data to be afforded with copyright protection such compilation must contain some element of creativity and have been created by an identifiable human author.
The data may be protected as a trade secret provided it remains as confidential information.
What key protections exist for personal data?
The Personal Data Protection Act (Act 26 of 2012) ("PDPA") provides the overarching legislative framework which governs the protection of personal data in Singapore. The PDPA sets out minimum standards and obligations for organisations to comply with when handling personal data. The following are the key principles of the PDPA relating to the collection, use and disclosure of personal data: (i) consent; (ii) notification of purpose; (iii) access and correction; (iv) retention; (v) protection; (vi) accuracy; and (vii) transfer out of Singapore.
Additionally, there are also sector-specific legislative and regulatory frameworks which operate in tandem with the PDPA. Examples of such sector-specific considerations include additional legislation and/or regulations governing the handling of personal data by financial institutions or certain organisations in the life sciences or healthcare industry. Such other legislations would prevail over the PDPA to the extent of any inconsistencies.
Are there restrictions on the transfer of personal data overseas?
Yes. If any personal data collected will be transferred out of Singapore, the transferring organisation has to ensure that the recipient organisation overseas provides a standard of protection to the personal data transferred that is comparable to that under the PDPA. This may be achieved by either:
(a) entering into a legally binding agreement with the recipient;
(b) ensuring that the recipient is under binding corporate rules that prescribe a similar level of protection; or
(c) verifying that the applicable law, in the jurisdiction that the personal data will be transferred to, provides a level of protection that is comparable to the PDPA.
The Personal Data Protection Commission ("PDPC"), the statutory body responsible for the administration and enforcement of the PDPA, recommends that when entering into a legally binding agreement with the recipient, the transferring organisation should, as a minimum, ensure certain key PDPA principles are protected.
In addition, the organisation is required to seek the individual's consent to the transfer of the individual's personal data overseas and, prior to seeking that consent, the organisation is required to provide the individual with a reasonable summary in writing of the extent to which the personal data transferred to those countries will be protected to a standard comparable to the protection under the PDPA.
What is the maximum fine that can be applied for breach of data protection laws?
The PDPC may impose financial penalties of up to S$1 million on an organisation that is in breach of the PDPA provisions.
Are there any restrictions applicable to cloud-based services?
Although there is presently no legislation specifically regulating cloud-based services in Singapore, cloud-based services may be subject to other general legislation depending on the scope and nature of the service. Examples of such applicable legislation are:
(a) The PDPA will apply to the handling and storage of personal data using cloud-based services. An organisation intending to adopt cloud-based services and transfer its customer data to a cloud server located outside Singapore should comply with the transfer obligations under the PDPA as discussed above. The Guide to Securing Personal Data in Electronic Medium issued by the PDPC also sets out certain recommendations for an organisation to adopt when engaging cloud-based services to manage personal data.
(b) Cloud-based services offered to consumers in Singapore will also be subject to consumer protection laws such as the Consumer Protection (Fair Trading) Act (Chapter 52A) and the Unfair Contract Terms Act (Chapter 396).
(c) For regulated financial institutions in Singapore, the Guidelines on Outsourcing Risk Management issued by the Monetary Authority of Singapore (“MAS”) sets out certain controls and measures for a financial institution to take note of when engaging in cloud-based outsourcing arrangements.
Are there specific requirements for the validity of an electronic signature?
Yes. Electronic signatures have to fulfil the requirements under Section 8 of the Electronic Transactions Act (Chapter 88) in order for it to be valid. Essentially, there must be a method used to identify the person and indicate his intention in respect of the information contained in the electronic record. Furthermore, the method used must either be as reliable as appropriate for the purposes for which the electronic record was generated or communicated; or proven in fact, by itself or together with further evidence, to have fulfilled the above functions of identification and indication of intention.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
If the outsourcing of IT services involves a transfer of business to the outsourcing supplier, there will be an automatic transfer of employees falling under the ambit of the Employment Act (Chapter 91) ("EA") to the outsourcing supplier. Under the EA, all employees who are:
(a) Workmen (generally people doing manual labour); or
(b) employed in a managerial or executive position and earning a basic salary not exceeding S$4,500 a month
will be covered by such an automatic transfer.
The transfer of employees (not falling within the above categories), assets or third party contracts would have to be contractually agreed upon with the outsourcing supplier.
In March 2018, the Singapore Government announced several amendments to be made to the EA. One such amendment is the removal of the salary cap for managerial and executive employees under (b) above, which will result in all managerial and executive employees being covered by the automatic transfer provision under the EA. Further details of the amendments are likely to be made public later this year and these amendments are expected to be effected by 1 April 2019.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
If the A.I. software is sold to a consumer and subsequently malfunctions, the issue of liability may be governed by consumer protection laws such as the Sale of Goods Act (Chapter 393) and the Unfair Contract Terms Act (Chapter 396). The Sale of Goods Act imposes several implied terms which cannot be excluded by contract when dealing with consumers. These include implied conditions or warranties regarding title and lack of encumbrances, correspondence with description, satisfactory quality and fitness for purpose. Therefore, the A.I. software provider will be liable for any malfunction that results in a breach of these mandatory implied terms.
Otherwise, the issue of liability will generally depend on the contractual agreement between the A.I. software provider and the software user.
What key laws exist in terms of obligations as to the maintenance of cyber security?
There is currently no legislation in Singapore that sets out general obligations as to the maintenance of cybersecurity.
In relation to personal data, the PDPA imposes obligations on an organisation to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. There is no "one size fits all" approach that organisations can take to protect personal data. Ultimately, the security arrangements implemented should be reasonable and appropriate in the circumstances taking into account the type of personal data that is collected and the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data.
Financial institutions in Singapore are also subject to additional regulations imposed by the MAS in relation to the maintenance of cybersecurity measures and controls.
Additionally, the Cybersecurity Act was passed by the Singapore Parliament on 5 February 2018 and received the Singapore President's assent on 2 March 2018. The Cybersecurity Act will regulate critical information infrastructure owners by imposing cybersecurity obligations such as notification obligations, audit obligations, obligations to provide information to the Cyber Security Agency of Singapore and obligations to participate in cybersecurity exercises.
"Critical information infrastructure" is broadly defined as a computer or computer system located wholly or partly in Singapore which "is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore". Eleven critical sectors of "essential services" have been identified in the Cybersecurity Act, including energy, info-communications, healthcare and banking and finance. The Cybersecurity Act is expected to come into force soon.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Computer Misuse and Cybersecurity Act (Chapter 50A) ("CMCA") is the main legislation that criminalises hacking activities or DDOS attacks. Under the CMCA, it is an offence to access, use, intercept, modify or obstruct the use of a computer, data and computer service without proper authorisation. The CMCA also has extra-territorial effect on offences committed outside Singapore if the accused or the computer, program or data was in Singapore at the material time, or the offence creates a significant risk of serious harm in Singapore.
What technology development will create the most legal change in your jurisdiction?
The increasing adoption of cryptocurrencies and blockchain technology in Singapore will drive the need for significant legal change. Currently, there is no regulatory framework in place to govern the use of such technology or provision of related services in Singapore.
However, in 2016, the MAS has proposed, in a consultation paper, a new regulatory framework and governance model for payment solutions. A second consultation paper on a Proposed Payment Services Bill was issued in November 2017. Among other changes, the consultation papers propose to bring all payment regulations under a single framework (i.e. the proposed Payment Services Act) that will provide for the licensing, regulation and supervision of all payment services, including stored value facility holders, remittance companies and virtual currency intermediaries. Hence, it is likely that virtual currency intermediaries (such as Bitcoin exchanges) will be subject to greater regulation and scrutiny in the near future.
Separately, the MAS has issued a statement in Aug 2017 and a follow-up guidance document in Nov 2017 clarifying that an offer or issue of digital tokens may be regulated by the MAS if the digital tokens constitute capital markets products under the Securities and Futures Act (Chapter 289).
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
The Singapore Government strives to support the economic development and the promotion of commerce and Singapore's legislative framework reflects this. Singapore is widely considered to be an easy and efficient place to do business.
Do you believe your legal system specifically encourages or hinders digital services?
Singapore's legal system encourages the development and use of digital services. Several regulatory and governmental initiatives have been implemented or proposed over the past few years. On 16 November 2016, the MAS issued guidelines for a regulatory sandbox which aims to encourage and enable experimentation of solutions that utilise technology innovatively to deliver financial products or services. New legislation, such as the Cybersecurity Act as mentioned above, is also being developed with the aim of fostering a stronger and more conducive legal landscape for the development of digital services.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
There is currently no legislation in Singapore that specifically deals with artificial intelligence. As mentioned above, consumer protection laws will apply to liability issues in respect of the artificial intelligence software purchased by the consumer. However, such laws may not be sufficient to deal with more complex liability issues relating to artificial intelligence when consumer protection laws are inapplicable. Furthermore, the use of artificial intelligence is currently not regulated in Singapore. This is likely to become a greater area of concern as artificial intelligence technology becomes more sophisticated and takes an increasingly active role in our economy.
In June 2018, the IMDA announced that it will be setting up an advisory council on the ethical use of artificial intelligence and data ("Advisory Council"). The Advisory Council will assist the Singapore Government to develop ethics standards and reference governance frameworks and publish advisory guidelines, practical guidance and codes of practice for voluntary adoption by businesses. It is hoped that this initiative will help to clarify some of the legal issues relating to the use of artificial intelligence as mentioned above.