The Personal Data Protection Comission (PDPC) has argued that the existing customer exemption was introduced to give consumers the choice of receiving promotional messages and also that other countries such as the UK had similar exemptions. These arguments are red herrings: Even without the exemption, individuals always had the choice of giving consent to receive promotional messages and the UK “soft opt-in” rules for existing customers require that individuals must be given a chance to opt out at the time their data was initially collected.
Had they wanted to, the PDPC could have implemented a “soft opt-in” in Singapore even without an exemption order. Considering that businesses had more than a year to prepare for the implementation of the DNC after the Act was passed, the PDPC could have encouraged businesses to make use of that window to get consent from their customers. Instead, the PDPC created a permanent exemption which inverts the basic premise of Data Protection that individuals have the right to control how their personal information is used. Instead of the default position being that businesses should not use a person’s data without permission, the default has been inverted such that the company has the right to send promotional messages until consent is withdrawn.
Granted, the fact is that most businesses did not prepare in advance and did not get express or implied consent to send marketing messages even to customers with whom they had an on-going relationship. A hard stop once DNC kicked in may have been quite disruptive to many companies. Had a public consultation been held, I could have lived with a time-limited exemption under which businesses would be given a limited time, say one year, to get consent from their existing customers to send marketing messages. This would not be unduly onerous to businesses – If they claim to have an “ongoing relationship”, they should certainly be contacting that customer at least once a year anyway. Unfortunately, there was no public consultation so now we are stuck with a permanent exemption which subverts one of the basic principles of Data Protection.