Case Details
- Citation: [2023] SGPDPC 2
- Court: Personal Data Protection Commission
- Date: 2023-02-14
- Judges: Lee Ti-Ting, Assistant Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Tai Shin Fatt
- Legal Areas: Do Not Call Registry – Dictionary attack and address-harvesting software
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2023] SGPDPC 2
- Judgment Length: 10 pages, 1,884 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Tai Shin Fatt, an insurance director, had breached the prohibition on sending unsolicited commercial messages generated through the use of "dictionary attacks" or "address-harvesting software" under Section 48B of the Personal Data Protection Act (PDPA). Fatt had engaged third-party vendors to facilitate automated marketing calls, and directed his staff to generate a large number of telephone numbers by combining common prefixes with randomly generated digits. The PDPC determined that this method of number generation constituted a "dictionary attack" under the PDPA, and that Fatt was liable for authorizing the sending of the resulting unsolicited messages. While Fatt cooperated with the investigation and took remedial action, the PDPC issued him a warning for the breach.
What Were the Facts of This Case?
Tai Shin Fatt is an insurance director at a large insurance company, managing a team of 25 agents. In an effort to conduct marketing calls more efficiently, Fatt engaged the services of two third-party vendors: a "Call Automation Vendor" that provided software to facilitate automated calls, and a "Checker" that supplied telephone numbers and software to screen them against the Do Not Call Registry (DNCR).
Fatt instructed his staff to generate a list of telephone numbers to be used for the automated marketing calls. His staff did so by using commonly seen telephone number prefixes for the first four digits, and then randomly generating the last four digits. This process resulted in the creation of 18,809 unique telephone numbers, which were then uploaded into the Call Automation Vendor's software.
Between June 25 and 28, 2021, a total of 22,268 automated marketing calls were made using this system, including 433 calls to the Singapore Civil Defence Force (SCDF) emergency line. The SCDF reported the influx of calls to the Singapore Police Force, which in turn notified the PDPC. The PDPC then commenced an investigation into whether Fatt had breached the PDPA.
What Were the Key Legal Issues?
The key legal issue in this case was whether Fatt had contravened Section 48B of the PDPA, which prohibits the sending of "applicable messages" to telephone numbers generated or obtained through the use of "dictionary attacks" or "address-harvesting software".
Specifically, the PDPC had to determine whether:
- Fatt had sent, caused to be sent, or authorized the sending of the automated marketing calls;
- The calls constituted "messages" as defined in the PDPA;
- The calls had a "Singapore link" as required by the legislation; and
- The telephone numbers used were generated through a "dictionary attack" as defined in the PDPA.
How Did the Court Analyse the Issues?
The PDPC carefully examined the facts of the case and applied the relevant provisions of the PDPA to determine whether Fatt's actions amounted to a breach of the Section 48B prohibition.
First, the PDPC found that Fatt had directly authorized and caused the making of the automated marketing calls, as he had instructed his staff to generate the telephone numbers and had initiated the calls through the Call Automation Vendor's software.
Second, the PDPC determined that the automated calls constituted "messages" as defined in the PDPA, as they were in the form of sound communications.
Third, the PDPC found that the calls had a "Singapore link" as they originated in Singapore, were made by a Singapore-formed company, and were likely to have been accessed by devices located in Singapore.
Finally, the PDPC concluded that the method used by Fatt's staff to generate the telephone numbers - combining common prefixes with randomly generated digits - amounted to a "dictionary attack" as defined in the PDPA. This was because the process involved the automated generation of numerous permutations of telephone numbers.
Having established that all the elements of a Section 48B breach were present, the PDPC determined that Fatt had contravened the prohibition on sending unsolicited commercial messages generated through dictionary attacks or address-harvesting software.
What Was the Outcome?
Based on its findings, the PDPC issued a warning to Tai Shin Fatt in respect of his breach of the Section 48B prohibition. The PDPC recognized that Fatt had cooperated with the investigation, had not previously contravened the PDPA, had made efforts to comply with the DNCR requirements, and had voluntarily taken action to cease the automated calls upon discovering the calls to the SCDF emergency line.
While the PDPC acknowledged the seriousness of Fatt's actions, particularly the calls made to the SCDF emergency line, it determined that a warning was the appropriate outcome in this case, given the mitigating factors. No other directions were issued, as the PDPC was satisfied that Fatt had already taken the necessary remedial steps.
Why Does This Case Matter?
This case is significant for several reasons:
First, it provides important guidance on the scope and application of the Section 48B prohibition on the use of "dictionary attacks" and "address-harvesting software" to generate telephone numbers for unsolicited commercial messages. The PDPC's analysis of the statutory definitions and the specific facts of the case helps to clarify the boundaries of this relatively new provision in the PDPA.
Second, the case highlights the PDPC's willingness to take enforcement action against individuals who authorize or cause the sending of unsolicited commercial messages, even if they do not directly carry out the technical aspects of the messaging. The PDPC's finding that Fatt was liable for his role in directing and initiating the automated calls sends a clear message that businesses and their leaders cannot simply outsource their compliance obligations.
Finally, the case underscores the importance of maintaining the integrity and accessibility of emergency services like the SCDF hotline. While the PDPC acknowledged that the calls to the SCDF were not directly relevant to the Section 48B breach, the fact that such calls were made as a result of Fatt's actions was viewed as a significant aggravating factor.
Overall, this decision reinforces the PDPC's commitment to protecting consumers from the nuisance and potential harm caused by indiscriminate, automated marketing practices, and serves as a cautionary tale for businesses and individuals seeking to leverage technology for direct marketing purposes.
This article analyses [2023] SGPDPC 2 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.