Case Details
- Citation: [2023] SGPDPCS 6
- Court: Personal Data Protection Commission
- Date: 2024-02-22
- Judges: N/A
- Plaintiff/Applicant: N/A
- Defendant/Respondent: Lin DaoWen Kenny
- Legal Areas: Data Protection – Do Not Call Registry
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2023] SGPDPCS 6
- Judgment Length: 5 pages, 850 words
Summary
This case involves an investigation by the Personal Data Protection Commission (the "Commission") into the actions of Lin DaoWen Kenny (the "Individual"), a financial advisor, for breaching the "Do Not Call" provisions of the Personal Data Protection Act 2012 ("PDPA"). The Commission received 12 complaints about unsolicited telemarketing calls made by the Individual to telephone numbers registered on the No Voice Call Register of the Do Not Call ("DNC") Registry.
The investigation found that the Individual had generated a list of 1,000 telephone numbers using an Excel spreadsheet formula, 384 of which were registered on the DNC Registry. The Individual then engaged a telemarketer to make marketing calls to the numbers on the list without first checking the DNC Registry, in contravention of section 43(1) of the PDPA. The Individual also generated the telephone numbers through an automated "dictionary attack" method, which is prohibited under section 48B(1) of the PDPA.
While the Individual claimed the breaches were inadvertent, the Commission issued a warning to the Individual for the contraventions of sections 43(1) and 48B(1) of the PDPA, considering the Individual's previous compliance record and prompt remedial actions.
What Were the Facts of This Case?
The key facts of this case are as follows:
The DNC Registry is a national database maintained by the Commission under the PDPA, which allows individuals to register their Singapore telephone numbers to opt out of receiving unsolicited telemarketing calls and messages. The DNC Registry comprises three separate registers: the No Text Message Register, the No Voice Call Register, and the No Fax Message Register.
From January 2023 to July 2023, the Commission received 12 complaints about unsolicited telemarketing calls made by the Individual to telephone numbers registered on the No Voice Call Register of the DNC Registry. The Commission commenced an investigation to determine if there had been any breaches of the DNC provisions in Parts 9 and 9A of the PDPA.
The Individual is a financial advisor who, in order to generate leads, used an Excel spreadsheet formula ("randbetween") to generate a list of 1,000 telephone numbers (the "Phone List") with the intention of finding Singapore telephone numbers to market his financial advisory services. Of the 1,000 numbers generated, 384 corresponded to Singapore telephone numbers that were registered with the No Voice Call Register of the DNC Registry.
The Individual engaged a telemarketer to make marketing calls to the numbers on the Phone List, but admitted that he failed to check if the telephone numbers were registered with the DNC Registry before providing the list to the telemarketer. The Individual was also unable to provide any evidence that he had obtained clear and unambiguous consent from the subscribers of the 384 DNC-registered numbers before making the marketing calls.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the Individual had contravened section 43(1) of the PDPA by failing to check the DNC Registry before sending specified messages to the telephone numbers on the Phone List.
2. Whether the Individual had contravened section 48B(1) of the PDPA by generating the 384 Singapore telephone numbers through an automated "dictionary attack" method and engaging a telemarketer to make marketing calls to those numbers.
How Did the Court Analyse the Issues?
In analyzing the issues, the Commission made the following key findings:
1. Contravention of section 43(1) of the PDPA:
The Commission found that the Individual had failed to check the DNC Registry before providing the Phone List to the telemarketer, in contravention of section 43(1) of the PDPA. This section requires a person to have valid confirmation that a Singapore telephone number is not listed in the relevant DNC register before sending a specified message to that number.
2. Contravention of section 48B(1) of the PDPA:
The Commission also found that the Individual had contravened section 48B(1) of the PDPA by generating the 384 Singapore telephone numbers through an automated "dictionary attack" method using an Excel spreadsheet formula, and then engaging a telemarketer to make marketing calls to those numbers. Section 48B(1) prohibits the use of such automated means to generate telephone numbers for the purpose of sending applicable messages.
In considering the appropriate enforcement action, the Commission took into account the Individual's previous compliance record, the fact that he had immediately ceased the telemarketing calls and taken remedial action, and his claim that the breaches were inadvertent. Based on these factors, the Commission issued a warning to the Individual for the contraventions of sections 43(1) and 48B(1) of the PDPA.
What Was the Outcome?
The outcome of this case was that the Commission issued a warning to the Individual for contravening sections 43(1) and 48B(1) of the PDPA.
Specifically, the Commission found that the Individual had failed to check the DNC Registry before providing the Phone List to the telemarketer, in contravention of section 43(1) of the PDPA. The Commission also found that the Individual had generated the 384 Singapore telephone numbers through an automated "dictionary attack" method, in contravention of section 48B(1) of the PDPA.
While the Commission considered the breaches to be serious, it took into account the Individual's previous compliance record, the fact that he had immediately ceased the telemarketing calls and taken remedial action, and his claim that the breaches were inadvertent. As a result, the Commission issued a warning to the Individual rather than imposing a financial penalty or other enforcement action.
Why Does This Case Matter?
This case is significant for several reasons:
1. It highlights the importance of complying with the DNC provisions in the PDPA. The DNC Registry is a key mechanism for individuals to opt out of receiving unsolicited telemarketing calls and messages, and organizations must strictly adhere to the requirements to check the registry before sending specified messages.
2. The case illustrates how the use of automated tools and "dictionary attack" methods to generate telephone numbers for marketing purposes can lead to breaches of the PDPA. Organizations must be cautious about employing such techniques and ensure they are in compliance with the relevant provisions.
3. The case demonstrates the Commission's approach to enforcement, where it considers the totality of the circumstances, including the individual's compliance history and remedial actions, in determining the appropriate enforcement response. This suggests that organizations that proactively address breaches and demonstrate a commitment to compliance may be treated more leniently by the Commission.
Overall, this case provides valuable guidance for organizations and individuals on the DNC requirements under the PDPA and the potential consequences of non-compliance, as well as insights into the Commission's enforcement approach.
This article analyses [2023] SGPDPCS 6 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.