Firms bypassing data protection rules?

Ever since the Personal Data Protection (PDP) Act came into effect in 2012, there have been reports of some less established companies violating these protocols and being fined by the authorities.

Most Singaporeans like me have a goodwill assumption that larger, well-established local and multinational corporations have in place capable and expert inhouse counsels and processes that keep them compliant with handling consumer data.

However, a recent episode has eroded this presumption. Are organisations circumventing the PDP policies that are in place by exploiting "exemptions" in order to promote and market their products via text messages?

I was a customer of ANZ Bank which was acquired by DBS earlier this year. In my standing instructions with ANZ Bank, I had opted to receive all marketing information only via conventional mail or e-mails. I had also signed up with the Personal Data Protection Commission or PDPC - Do Not Call Registry to ensure my privacy was respected.

After the acquisition of ANZ Bank, my account was transferred and handled by DBS Treasures and suddenly, I started receiving text messages with marketing information. I lodged a complaint with PDPC and soon, I received an official letter from DBS explaining that these text messages were service-oriented in nature and not deemed as marketing messages. The letter also mentioned that the bank's systems would be updated with my preferred mode of communications and at my request, I would be transferred from being a DBS Treasures consumer to a normal banking consumer.

In less than a week, I again started receiving marketing text messages from DBS "designed exclusively for Treasures clients".

Once again, I approached the PDPC and they assured me that I would be permanently removed from the mailing list.

However, barely a week later, I received another text message (this time promoting the DBS Remittance services). I asked PDPC why I continued to get marketing messages via text despite the various interventions of myself and the PDPC. I was told that this was possible as there might be an exemption order in place since I still have a banking relationship with DBS. What is the purpose of the policy when clear instructions can be bypassed?

Mohan Varadarajalu

A version of this article appeared in the print edition of The Straits Times on November 18, 2017, with the headline 'Firms bypassing data protection rules?'. Print Edition | Subscribe