Safeguarding User Privacy and Data against Illegal Tracking by Tech Companies
Ministry of Home Affairs
Summary
This question concerns measures to safeguard user privacy against illegal location tracking by tech companies, raised by MP Mr Shawn Huang Wei Zhong. Minister Josephine Teo explained that location data is protected under the Personal Data Protection Act (PDPA) and requires consent or anonymisation for legitimate use. She noted that the PDPC issues guidelines recommending that organisations collect approximate locations and offer specific authorisation options for data access. Companies that track users illegally through deceptive practices or lack of consent are in breach of the PDPA and face enforcement. Ultimately, the Minister emphasised that consumers serve as the first line of defence and must exercise caution regarding app permissions and downloads.
Transcript
47 Mr Shawn Huang Wei Zhong asked the Minister for Communications and Information with rising concerns of tech companies illegally tracking location data for search and advertisement purposes, what are the measures in place to safeguard the privacy and data of users in Singapore.
Mrs Josephine Teo: Location data can form part of the personal data that organisations collect, if such location data can be used by companies to identify individuals. Location data may be used legitimately, including for search and advertisement purposes, such as when it is anonymised before use, or the organisation has obtained consent. Illegal tracking occurs when organisations fail to obtain consent when required, or obtain consent through misleading or deceptive practices. In such cases, organisations, including tech companies, may be in breach of the Personal Data Protection Act (PDPA).
When organisations collect location data as part of their customers’ personal data, they are required under PDPA to manage the data responsibly and securely protect them. PDPC has outlined specific security measures on location data in the Guide to Data Protection Practices for ICT Systems, which organisations are expected to adhere to. For instance, the Guide suggests that organisations could collect approximate location data of users, rather than their exact location. It also suggests that apps provide users with the option to authorise the collection of their location data only when required, rather than on a continuous basis. PDPC has previously taken companies to task for failure to protect location data.
While PDPA designs safeguards to protect consumers’ personal data, consumers are, ultimately, the first line of defence to protect their own location data. Location data can be collected by any mobile app developer that has been granted permission to read the GPS sensor on a consumer’s mobile phone. Thus, consumers should exercise caution with regard to the types of apps they download and the app permissions they consent to.