A new era starts today with the full implementation of Singapore's Personal Data Protection Act, but consumers have only a foggy idea of what it entails for them.
They put the blame on the "confusing" privacy mailers, e-mail and Web notices put out by many companies over the past few weeks in their effort to comply with the new Act.
But the Personal Data Protection Commission pointed out last night that from today, the new law requires fresh consent to be obtained "if customers' personal data is used or disclosed for new purposes".
The legislation seeks to provide safeguards against the wrongful collection, use and disclosure of personal data for marketing. It requires organisations to inform individuals of the purpose for collecting, using and disclosing personal data.
They must also get a consumer's explicit consent before they can call or text him or her to market their products or services, or to disclose personal information to a third party.
Failure to do so could mean a breach of the Act and a fine of up to $1 million.
In the past few weeks, some service providers have sent notices to customers, asking them to approve the use of their personal data for marketing or billing.
But most companies merely state that their customers are bound by new policies that allow their data to be used for all kinds of purposes, including third parties.
They, however, add that customers may withdraw their consent.
The different ways of communication have confused many people.
Marketing manager Aaron Koh is unsure of his rights. "I thought companies have to ask for my permission to use my information for marketing?" said the 38-year-old, who had received notices from telcos and banks stating their new policies.
For engineer Ngiam Shih Tung, 47, the main worry is that companies may slip in new uses for consumers' personal data in their blanket privacy statements to consumers, as there is no way of telling what one had previously consented to.
Mr Rajesh Sreenivasan, partner and head of the technology law practice at law firm Rajah & Tann, acknowledged the confusion but said both methods could be legal.
It depends on the existing agreements between service providers and their customers, including consent given previously to contact them for marketing unless withdrawn, he added.
"The key challenges are to be ready when customers ask how the data is being used, and to be ready to allow customers to withdraw their consent for any purpose, including marketing," said Mr Sreenivasan.
Customers have these rights. They also have the right to ask for access to and correct their personal data. Organisations must respond to such requests within 30 days.
Lawyer Gilbert Leong, a partner at Rodyk & Davidson, said consumers need to be educated a bit more.
A case in point: Some bank account holders were reportedly concerned that they could be "kicked out" of their own bank unless they consent to giving the bank access to their personal information.
Their concerns stem from privacy notices put out by banks, stating that a withdrawal of consent to access personal data may be considered a termination of a contractual relationship.
"If you tell the bank not to use your personal information at all, then how is the bank going to provide you service?" said Mr Leong. At the very least, banks must have access to a customer's name, identity card number, phone number and address information to verify them.
The Personal Data Protection Commission said in a statement last night that the law does not prohibit organisations from sending notices to customers stating how personal data would be used "in accordance with existing contractual agreements". This is to give them the flexibility on how they may inform customers. But from today, "fresh consent will be needed if customers' personal data is used or disclosed for new purposes", it said.