I OVERVIEW

The government continues to recognise and places much emphasis on the importance of TMT in society. For the fiscal year ending March 2019, the government is projected to launch tenders in the information and communications sectors worth approximately S$2.6 billion, a slight increase from the S$2.4 billion set aside in FY2017.2 Of the S$2.6 billion earmarked for the 2018 fiscal year, more than S$1 billion has been allocated to supporting Singapore's digital transformation efforts. One major digital transformation project is the National Digital Identity (NDI) system, which is one of Singapore's five strategic projects to drive the pervasive adoption of technology in society and the economy through back-end whole-of-nation enabling systems. Citizens and businesses will be issued digital credentials to transact with the government more seamlessly and securely without the need for physical tokens or SMS passwords.3 Another project is Singapore Tourism Board's Singapore Visitor Centre system, which aims to help officers make more tailored recommendations to tourists. The government also plans to issue bulk tenders for companies to provide software tools and consultancy services in the area of robotic process automation to support the growth of current government services, and for Agile project development and management methodology and ICT technical specialist services to support the co-sourcing of projects in the emerging tech areas of application development, data science, ICT infrastructure, geospatial technology, cybersecurity, sensors and the IoT.4

This sustained ICT expenditure will be used to speed up Singapore's digital transformation and continue its push to become a smart nation under the Smart Nation initiative that was introduced by Prime Minister Lee Hsien Loong in November 2014. The initiative aims to transform the daily life of Singaporeans by more fully integrating life with technology and making technology more accessible to the masses. The government has indicated that it will adopt a whole-of-government, whole-of-nation approach to this, and has set up a dedicated Smart Nation Programme Office under the Prime Minister's Office to promote the greater integration of technology. The futuristic vision of the initiative is seen in the intention to develop, inter alia, technologies such as driverless cars, integrated 3D mapping and data analytics.

Smart Nation infrastructure, such as the Smart Nation Platform (SNP), which aims to facilitate the sharing of resources and data among government agencies to contribute to more efficient urban and operational planning as well as improve the running of city services, is already being developed.5

The Smart Nation initiative is the newest iteration of the government's plans to develop ICT usage and integration in Singapore, following the successful conclusion of the 10-year An Intelligent Nation 2015, A Global City, Powered by Infocomm plan (IN2015 Masterplan), which was introduced in 2005. On 11 August 2015, the Infocomm Media Masterplan Steering Committee released the Infocomm Media 2025 report (Infocomm Media 2025), which maps out a holistic plan for developing Singapore's infocomm media sector over the next 10 years. Infocomm Media 2025 enables and complements the Singapore Smart Nation vision and provides broad directions under three strategic thrusts to further strengthen the infocomm media landscape of Singapore. More recently on 5 June 2018, the government also released its Digital Government Blueprint for building a digital government that 'uses data, connectivity and computing decisively to re-engineer business processes, re-architect technology infrastructure and transform services for citizens, businesses and public officers'. The Digital Government Blueprint sets the 2023 goal of getting all Singapore citizens and businesses to cross the digital divide and be able to access all government services at any time, anywhere on an internet enabled device.6 This follows the Digital Readiness Blueprint released on 2 June 2018, which sets out the government's strategy for equipping Singapore citizens for digital access, literacy and participation, so that every citizen, young or old, will be able to be a part of the Singapore Smart Nation vision. Some recommendations in the Digital Readiness Blueprint include making access to basic digital enablers (i.e., a network-connected mobile device, internet access, a bank account with card facilities and a national digital identity) as widespread as possible, building up a basic digital skills curriculum for Singapore's youth, further enhancing the public–private sector collaboration for increased digital participation and inclusion in the community, and promoting digital inclusion by design in Singapore's digital ecosystem so that the impediments preventing people from using digital products and services are overcome.7

Singapore's success in developing its ICT industry is apparent. As of 2016, total ICT industry revenue reached S$175.8 billion.8 The number of ICT professionals has also increased year on year, with over 42,000 new ICT professionals projected to be required by the sector from 2018 to 2020, bringing the total number of ICT professionals expected to be employed by 2019 up to 273,800.9 The ICT sector is believed to contribute to approximately 8 per cent of Singapore's gross domestic product.10 Singapore was placed first in the World Economic Forum's Global Information Technology Report 2016, which ranks countries in terms of their ability to leverage ICT as an enabler of sustainable, long-term economic growth.

As of March 2018, the number of fixed-line subscribers remained steady at approximately 1,991,700, representing a 35.5 per cent penetration.11 Further, as of May 2018, the amount of mobile subscribers was approximately 8.34 million (down from 8.46 million the previous year), the slight dip potentially reflecting the cessation of 2G network mobile subscriptions in 2017. Notwithstanding the slight dip, mobile population penetration as of May 2018 sits at 148.6 per cent, and there remain 5,700 dial-up internet subscribers (0.1 per cent penetration) in Singapore. Broadband internet subscriber figures decreased slightly, with approximately 12.3 million subscribers (94.7 per cent penetration by household for wired broadband and 193.5 per cent penetration for wireless broadband). By comparison, the figures on 1 April 2000 (at the start of liberalisation) were 1.876 million fixed-line subscribers, 1.63 million mobile subscribers and 1.711 million dial-up internet subscribers (no broadband services were available at that time).

II REGULATION

i The regulators

In the late 1980s, the government announced plans to privatise the telecommunication and postal services then being provided by the Telecommunication Authority of Singapore. Singapore Telecommunications Pte Ltd and Singapore Post Pte Ltd were subsequently incorporated in Singapore on 28 March 1992, and acquired all the necessary properties, assets and liabilities held by the Telecommunication Authority of Singapore in connection with the provision of such services.

The Singapore Broadcasting Authority was set up as a statutory board under the former Ministry of Information and the Arts – currently Ministry of Communications and Information (MCI)12 – in 1994. Formed in response to the privatisation of Singapore's broadcasting industry, the Singapore Broadcasting Authority played a central role in the regulation and promotion of the broadcasting industry in Singapore. The Singapore Broadcasting Authority worked closely with the Economic Development Board, the National Computer Board and the Telecommunication Authority of Singapore to develop Singapore as a regional broadcasting hub. To provide a single agency for integrated planning, policy formulation, regulation and industry development of the IT and telecommunications sectors, a new Info-communications Development Authority of Singapore (IDA) was formed as a result of the merger between the Telecommunication Authority of Singapore and the National Computer Board in 1999. The Media Development Authority (MDA) was formed on 1 January 2003 by the merger of the Singapore Broadcasting Authority, the Films and Publications Department and the Singapore Film Commission to champion the development of a vibrant media sector in Singapore. The MDA regulates content delivery across various platforms, including television, radio, videos, internet and publications.

As part of the Infocomm Media 2025 plan, the government announced on 18 January 2016 that the IDA, MDA and Personal Data Protection Commission (PDPC) would be restructured by the end of 2016 into two new statutory boards, the Infocomm Media Development Authority of Singapore (IMDA) and GovTech. In anticipation of the formal establishment of the two new agencies, the IDA and MDA were administratively reorganised from 1 April 2016.

On 16 August 2016, the Parliament passed the Government Technology Agency Bill (GovTech Bill) and Info-communications Media Development Authority Bill (IMDA Bill). The GovTech Bill legislates the creation of GovTech, while the IMDA Bill establishes the IMDA and officially merges certain functions of the IDA with the MDA.

The new IMDA develops and regulates the converging infocomm and media sectors in a holistic way, and implements the Infocomm Media 2025 plan for Singapore. The new IMDA also deepens regulatory capabilities for a converged infocomm media sector, safeguarding the interests of consumers and fostering pro-enterprise regulations. The IMDA takes over the regulatory framework previously overseen by the IDA and MDA, such as the Telecommunications Act (Telecoms Act), the Postal Service Act, the Broadcasting Act and the Films Act. The PDPC will form part of the IMDA, and will continue to oversee personal data protection regulation in Singapore.

GovTech was established at the end of 2016 to lead digital technological transformation in the public sector. From 1 May 2017, GovTech has reported to the new Smart Nation and Digital Government Group under the auspices of the Prime Minister's Office.13 GovTech has been tasked with building a more intuitive and anticipatory government through digital service delivery with technologies and ensure that people are always at the heart of digital service transformation for the public sector. As the nexus of technology and engineering capability within the government, GovTech is well-placed to help government agencies capitalise on the speed of innovation and new technology trends such as robotics, artificial intelligence, IoT and big data. The new organisation plays a vital role in supporting Singapore's Smart Nation vision, especially in delivering the SNP and Smart Nation applications. GovTech also focuses on developing new technology capabilities as well as attracting and nurturing ICT engineering talent that will provide a strong foundation for Singapore's Smart Nation ambitions.

ii Regulated activities

The Telecoms Act gives the IMDA monopoly powers to operate and provide telecommunications systems and services. The IMDA's key functions include:

  1. exercising licensing and regulatory functions in respect of telecommunication systems and services in Singapore;
  2. the allocation and use of satellite orbits and RF spectrum;
  3. exercising regulatory functions in respect of determinations;
  4. approval of prices, tariffs and charges; and
  5. the provision of telecommunication and other related services.

The IMDA is empowered to grant, modify or suspend the licences of telecommunication operators, and to sanction offences under the Telecoms Act. There is a general prohibition on the running of telecommunication services in Singapore unless they have been licensed by the IMDA under Section 5 of the Telecoms Act.

The IMDA uses a two-tiered framework for the licensing of telecommunication operators. An operator who intends to deploy or operate any form of telecommunication network, systems or facilities for the purpose of providing telecommunication or broadcasting services outside its own property boundaries to third parties (who may include other licensed telecommunication operators, business consumers or the general public) is required to possess an FBO licence. On the other hand, an operator who intends to lease telecommunication network elements (such as transmission capacity and switching services) from any FBO licensee so as to provide its own telecommunication services, or to resell or promote the telecommunication services of FBO licensees to third parties, is required to apply for a SBO licence. An SBO licence is also required to deploy telecommunication networks, systems and facilities within the operator's own property boundaries in order to offer telecommunications services to third parties resident within their property boundaries.

The IMDA may also formulate and develop infocomm-related policies, as well as standards, codes of practices and advisory guidelines – all of which it can enforce – pertaining to issues such as licensing, interconnection, resource, assignment of spectrum rights and competition management. Mergers and acquisitions of telecommunication licensees are regulated under the Code of Practice for Competition in the Provision of Telecommunication Services 2012 (Telecoms Competition Code), which is enforced by the IMDA. Under this Code, all licensees are also required to interconnect with each other, whether directly or indirectly, to ensure seamless any-to-any communications throughout Singapore. The IMDA may grant exemptions from specific provisions of the Code where good cause is shown. Recently, the Telecoms Competition Code has also been amended for the purposes of alignment with the Singapore Personal Data Protection Act 2012 (PDPA), the key data protection provisions of which came into effect on 2 July 2014.

The IMDA is also empowered to grant licences in respect of broadcasting services and broadcasting apparatuses. No person is allowed to provide any of the licensable broadcasting services set out in the Second Schedule of the Broadcasting Act without a valid broadcasting licence issued by the IMDA. These services include free-to-air television or radio services (localised, nationwide or international), subscription television or radio services (localised, nationwide or international), special-interest television or radio services, audiotext, videotext or teletext services, VOD services, broadcast data services and online computer services. Some of the licensable broadcasting services (including audiotext, videotext and teletext services, broadcast data services and online computer services) are class-licensed by the IMDA under the Broadcasting (Class Licence) Notification (Notification).

The Code of Practice for Market Conduct in the Provision of Mass Media Services (MMCC) was issued by the then MDA in 2003 to promote fair market conduct and effective competition in the broadcasting and print sectors. The MMCC was significantly revised in 2010 to, inter alia, impose obligations around the cross-carriage of exclusive content in the pay-TV market, and further revisions were made to enhance consumer protection in the pay-TV sector in early 2016.

Unfair methods of competition and anticompetitive practices are expressly dealt with in the MMCC. These regulations also ensure that media players do not unfairly leverage their own or their affiliates' significant market power in a media or non-media market.

Mergers of any dominant media player with another media player (whether dominant or not) would require the IMDA's approval for consolidation. As such, this will assist in addressing potential anticompetitive issues arising from convergence and merging of portfolios of various players in the market.

In the event a particular media resource is declared to be an essential resource by the IMDA (i.e., the resource must be used by another media licensee, but such resource cannot be created within the foreseeable future or cannot be obtained from a third party at a cost to allow it to compete efficiently), access to such essential resource must be provided on reasonable and non-discriminatory prices, terms and conditions.

iii Ownership and market access restrictions

Full market competition in the telecommunications sector was introduced in April 2000. Direct and indirect foreign equity limits for all public telecommunications services licences were removed, and licensees were free to decide on the types of networks, systems, facilities and preferred technology platform to offer their services. The limits on the number or type of licences were also removed, except when there are physical or resource constraints.

In general, there are no foreign ownership restrictions on FBO or SBO licensees. However, an FBO licensee will be required to be a company incorporated under the Singapore Companies Act. An SBO (individual) licensee may be a company incorporated or a foreign company registered under the Companies Act, while an SBO (class) licensee may (in addition) be a limited liability partnership or limited partnership.

The Broadcasting Act regulates the ownership of broadcasting companies in Singapore. A broadcasting company is a company (or a holding company) incorporated or registered under the Companies Act that holds a free-to-air licence; any broadcasting licence under which a subscription broadcasting service may be provided (in each case where such licence permits broadcast that is capable of being received in 50,000 dwelling houses or more, but does not include a class licence); or any other broadcasting licence as the Minister of Communications and Information may from time to time specify in the public interest, or in the interest of public security or order or national defence.

There are also controls on the shareholding and voting power of broadcasting companies. For example, substantial shareholdings (i.e., an aggregate of more than 5 per cent of the nominal amount of all voting shares) in a broadcasting company and other forms of controlling shareholdings are subject to the Minister's approval. Broadcasting companies in Singapore must also ensure that at least half of their directors are citizens of Singapore, unless the IMDA approves otherwise. The IMDA also has the right to approve the chief executive officer of a broadcasting company, as well as its directors and chair.

Further, there are media cross-ownership restrictions that provide that no regulated person shall be merged or consolidated with, or taken over by, any other regulated person, or any other person (not being a regulated person) carrying on business in any media industry, without the prior written approval of the IMDA.

iv Transfers of control and assignments

Generally, licences cannot be transferred from a licensee to a third party. For telecommunication licensees, the IMDA's approval is required for any consolidation involving an FBO or SBO licensee that the IMDA has declared to be a designated telecommunication licensee pursuant to Section 32A(2) of the Telecoms Act that would result in an entity holding an ownership interest in the licensee of 12 per cent or more. For acquisitions of between 5 and 12 per cent, the IMDA is required to be notified, unless such acquisitions occur by virtue of certain prescribed transactions set out in the Telecommunications (Prescribed Transactions) Order 2012.

A consolidation application needs to be filed either separately or jointly by both parties, together with a competitive impact and public interest statement. The short-form consolidation application procedure, with an abbreviated statement, may be used if the consolidation is a horizontal consolidation that will not result in the post-consolidation entity having more than a 15 per cent share in the telecommunication market in Singapore; or if the consolidation is a non-horizontal consolidation in which none of the applicants has more than a 25 per cent share of any telecommunications market, whether in Singapore or elsewhere, in which it participates.

The IMDA will not approve a consolidation application where it determines that the consolidation is likely to substantially lessen competition in any telecommunications market in Singapore or harm the public interest. The IMDA may approve the consolidation application with or without conditions.

The IMDA will ordinarily complete its consolidation review within 30 days of the start of the consolidation review period. In any case in which the IMDA determines that a consolidation application raises novel or complex issues, it may extend the review period by up to 90 days, to a maximum of 120 days. Where appropriate, the IMDA will provide the public with an opportunity to comment on a request or a consolidation application.

For media licensees, the IMDA's prior written approval is required for any consolidation between regulated entities, including broadcasting licensees.

For the purposes of the MMCC, a consolidation means a merger, acquisition, takeover or other similar transaction that results in two entities that were previously independent economic entities becoming – as a practical matter – a single economic entity, including by way of an asset purchase or the setting up of a new joint-venture vehicle into which significant assets of the entities will be transferred. Part 8 of the MMCC requires all regulated persons seeking to enter into a consolidation with another regulated person or any other person (not being a regulated person) that provides mass media services or ancillary media services to submit a consolidation application within 30 days of the day on which they entered into a consolidation agreement.

Both entities must jointly submit a consolidation application with a statement that provides a clear, accurate and comprehensive description of the proposed consolidation, a good-faith assessment of the likely impact of the proposed consolidation on competition in any mass media services market and a discussion of why approval of the proposed consolidation would serve the public interest.

As the IMDA may make statements available to the public, applicants should put proprietary or commercially sensitive information in a separate appendix and request its confidential treatment. The consolidation agreement (and any public statement regarding the proposed consolidation) must include language expressly stating that the consolidation will not be consummated unless and until such time as the IMDA grants written approval. The IMDA will ordinarily complete its review of the consolidation application within 30 days of the start of the consolidation review period (i.e., when the applicants submit a consolidation application that contains all materials required pursuant to Part 8 of the MMCC), but this can be extended up to a maximum of 120 days where novel or complex issues are raised, and 180 days in extraordinary cases.

There is a short-form application procedure for cases in which a proposed consolidation is unlikely to raise significant competitive issues. The IMDA will generally grant approval for any application that is eligible for this procedure without significant review based on the applicant's abbreviated description, competitive impact and public interest statement. The two cases when this procedure can be used are when the proposed consolidation is unlikely to result in the post-consolidation entity having a market share of 40 per cent or more of any media market in Singapore; or a market share of between 20 and 40 per cent of any media market in Singapore, and the post-consolidation combined market share of the largest three regulated persons or ancillary media service providers, or a combination thereof, is 70 per cent or more of any media market in Singapore.

The IMDA can impose structural and behavioural conditions as part of its approval.

III TELECOMMUNICATIONS AND INTERNET ACCESS

i Internet and internet protocol regulation

The IMDA regulates the carriage of internet and IP-based services and the content delivered on these various platforms. For example, if one were to deploy a telecommunication network or system to provide internet or IP-based services, one would have to apply to the IMDA for an FBO licence. For provision of internet or IP-based services over leased telecommunication network elements, an SBO licence will be required.

Provision of IP telephony services in particular requires an SBO (individual) licence. Licensees must likewise adhere to the National Numbering Plan provided by the IMDA, which sets out rules and guidelines for the use and assignment of numbers to telephone services delivered over the PSTN radio network (collectively, the paging network, cellular mobile network and trunked radio network) and the internet or other IP-based network. In general, numbers beginning with '3' are reserved for use in the IP telephony service, while numbers beginning with '6' are reserved for use in PSTN and IP telephony services.

ii Universal service

Since 2000, the government has rolled out the Singapore ONE project to provide nationwide broadband access over ADSL and cable to households in Singapore. With full market liberalisation over recent years, the broadband household penetration rate has risen steadily from 7 per cent in December 2000 to a residential wired broadband household penetration rate of 94.7 per cent (residential wired broadband penetration rate only) in May 2018.14

In the area of wireless broadband access, the government appointed three operators to launch a nationwide wireless broadband programme called Wireless@SG in December 2006. This service aims to extend free wireless broadband access to the public in high human- traffic areas, and is available at about 7,500 hotspots around the island. Access speeds were doubled to 1Mb/s from 512kb/s from 1 September 2009 to allow users to enjoy better access to media-rich and interactive websites and bandwidth-intensive services. The most recent phase of this free Wi-Fi service (from 1 April 2013 to 31 March 2019) is offered by the three mobile operators, Y5Zone Singapore Pte Ltd and MyRepublic.15 Interoperable SIM-based authentication for automatic log-in to the network has been implemented from 1 April 2014 to supplement the web-based and seamless secure access login methods. On 29 April 2017, it was announced that Wireless@SG would allow automatic login to non-SIM devices, which will eliminate the need to log in using usernames and passwords.16 Further, having identified Wireless@SG as a key enabler of Singapore's Smart Nation initiative, the government has announced that the IMDA is on track to double its network of hotspots to 20,000 by 2018, reaching more locations such as public hospitals, hawker centres and government service centres.17 This is an increase from the 10,000 hotspots running at 5Mbps in 2017.

The government has also invested about S$1 billion to fund the deployment of the Next Gen National Broadband Network (NBN), a nationwide FTTH network. The Next Gen NBN is designed to be an open access network, and comprises three key industry layers. The network company (NetCo) designs, builds and operates the passive infrastructure layer, while the operating company (OpCo) designs, builds and operates the active network components to provide wholesale bandwidth connectivity to retail service providers. The NetCo must be structurally separated from the other industry layers, while operational separation is imposed on the OpCo.

It is envisioned that the Next Gen NBN will provide nationwide ultra-high-speed broadband access of 1Gb/s and beyond to all physical addresses, including homes, schools, government buildings, businesses and hospitals. The deployment of the Next Gen NBN commenced in 2009, and commercial services on the new fibre-optic network have been launched by all major telecommunication service providers. With the levelling of the playing field, a number of smaller ISPs, including MyRepublic, ViewQwest, OSINet and LGA Telecom, has joined the three existing operators in offering new high-speed packages to commercial and residential broadband subscribers. The coverage of the Next Gen NBN has reached over 95 per cent, with more than 560,000 subscribers signed up to services from approximately 15 retail service providers.

iii Restrictions on the provision of service

Dominant licensees are subject to tariff-filing requirements in respect of certain services, such as standardised services designed for residential customers, standardised services designed for business customers, services designed for specific customers, promotional services, and certain resale and wholesale services. The IMDA will determine whether a proposed tariff is just and reasonable. Non-dominant licensees are not subject to the tariff-filing requirements. Dominant licensees are also required to provide services on non-discriminatory terms.

There is a duty imposed on FBO and SBO licensees that use switching or routing equipment to provide services to the public to interconnect with other licensees. There is also a duty on public telecommunication licensees to provide a basic telephone service to any person in Singapore who requests the provision of such service. Otherwise, licensees have the latitude to choose the customers and the content they carry. There are no specific network neutrality obligations currently imposed on licensees, albeit ISPs must meet the minimum broadband quality-of-service standards to ensure a reasonable broadband internet experience for end users. ISPs are allowed to implement reasonable network management practices and offer niche or differentiated internet service offerings provided that they satisfy the IMDA's requirements on information transparency and fair competition, and do not amount to blocking of legitimate internet content.

Network operators must take reasonable measures to prevent the unauthorised use of end user service information (EUSI). Network operators may intercept messages for the purpose of providing assistance to law enforcement, judicial or other government agencies.

iv Security

Regulatory and legislative policies governing the internet and IP sector as well as national security issues have evolved in tandem to adapt to the changes on each side.

Unauthorised access to, or modification of, computer material would constitute offences under the Computer Misuse and Cybersecurity Act (CMCA). Unauthorised use or interception of computer services would also constitute offences, and enhanced punishment is provided for offences involving protected computers (e.g., computers used in connection with national security or defence, law enforcement, public key infrastructure, and essential emergency and public safety services). The CMCA was amended in January 2013 and further amended in April 2017 to provide the government with greater powers to implement countermeasures against cyberattacks on critical infrastructure. In particular, where the relevant minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services, defence or foreign relations of Singapore, that minister may authorise or direct any person or organisation to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service, or any class of computers or computer services. The definition of essential services was also widened to include services relating to land transport infrastructure, aviation, shipping and health services. The amended CMCA now criminalises the dealing in personal data obtained via a cybercrime without a legitimate purpose (e.g., journalistic reporting) as well as dealing in hacking tools with the intention of committing or facilitating the commission of a computer offence.

Apart from the offences provided for under the CMCA, the government has launched the National Cyber Security Masterplan 2018 (NCSM2018) to enhance Singapore's resilience against cyberthreats. The NCSM2018 aims to reinforce Singapore's cybersecurity by intensifying efforts in the government and critical infocomm infrastructure as well as the wider infocomm ecosystem, which includes businesses and individuals. Complementary to the NCSM2018 is the National Trust Framework, which was conceptualised as part of the iN2015 Masterplan to provide a national framework that provides greater assurance and trust. One of the key initiatives is establishing a national authentication framework, which will enhance the security of online transactions through the deployment of a nationwide-strong authentication platform.

A National Cyberthreat Monitoring Centre has also been established to provide the government with the capability for early detection of potentially devastating cyberattacks and the ability to respond to cybersecurity incidents in real time. Further, a major initiative launched in April 2015 was the new Cyber Security Agency (Agency), Singapore's apex cybersecurity watchdog created to develop national cybersecurity strategy and policy, and to coordinate cyber-related operations between the multiple government agencies and departments. The need for the Agency has only grown as the number of cybersecurity incidents in Singapore continue to increase, with notable cyberattacks such as the hacking of the Prime Minister's Office website in 2013, and the illegal accessing of over 1,000 SingPass accounts, which store crucial citizen information and provide access to important government websites, in 2014, breaches of the IT systems of the National University of Singapore, Nanyang Technological University and Singapore Armed Forces over separate incidents in 2017, and, most recently, the theft of the personal data of 1.5 million patients of SingHealth (Singapore's largest group of healthcare institutions), including that of the Prime Minister, on July 2018. Concurrently with the aim of increasing the strength of Singapore's cybersecurity, the Economic Development Board and the Defence Science and Technology Agency have also stepped up efforts to recruit talent for the cybersecurity industry, with the latter conducting outreach to young Singaporeans through its Cyber Defenders Discovery Camp. The Agency carried out its first cybersecurity tabletop exercise for the banking and finance sectors, test-driving responses to hypothetical cyber incidents, in May 2015.

The Singapore Common Criteria Evaluation and Certification Scheme (SCCS), which was established in May 2005 as part of the iN2015 Masterplan, also aims to enhance cybersecurity. The SCCS allows infocomm companies to evaluate and certify their security products against the common criteria (CC) standard (ISO/IEC 15408) in Singapore. The framework of the CC is based on the Common Criteria Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security, a set of publicly available standards that define the criteria for evaluating IT security properties.

Material that has a subversive tendency or compromises national interests, public order or security may be prohibited under the Internal Security Act. This includes material that:

  1. contains any incitement to violence;
  2. counsels disobedience regarding the law or any lawful order;
  3. is calculated or likely to lead to a breach of the peace, or to promote feelings of hostility between different races or classes of the population; or
  4. is prejudicial to the national interest, public order or security of Singapore.

The transmission of false threats of terrorist acts (e.g., bomb hoaxes) is also penalised under Regulation 8(1) of the United Nations (Anti-Terrorism Measures) Regulations, read with Section 5(1) of the United Nations Act. In some cases, such offences are prosecuted under Section 45 of the Telecoms Act, which contains a general prohibition against the transmission of a false or fabricated message through the telecommunications system.

The Sedition Act has also been used against persons who post racist or other incendiary remarks on the internet. The Sedition Act makes it an offence for a person to:

  1. commit or attempt to commit any act that has or that would have a seditious tendency;
  2. utter any seditious words;
  3. print, publish, sell, offer for sale, distribute or reproduce any seditious publications; or
  4. import any seditious publications.

Material that may potentially fall foul of the Sedition Act includes material that excites disaffection against the government or the administration of justice in Singapore, or excites hatred or contempt against it, and material that promotes feelings of ill will and hostility between different races or classes of the population of Singapore.

Under the Internet Code of Practice (Internet Code), prohibited material is not allowed to be provided on the internet by any licensee under a class licence. The term prohibited material includes material that is objectionable on public interest, public morality, public order, public security and national harmony grounds. Similarly, the various television content codes provide that content provided on television should not undermine public security interests or public confidence in the law and its enforcement in Singapore.

The IMDA has worked with three ISPs in Singapore to provide family access networks (FANs) or filtering services that parents can subscribe to for their children. FANs assist parents who may be unfamiliar with standalone filtering software by filtering out pornographic and other undesirable sites. Parents can contact their respective ISPs to subscribe to the filtering services or can otherwise opt to purchase other internet-filtering software from the market.

The IMDA has also mandated that ISPs in Singapore are required to promote the use of internet filters, including filters for mobile devices, at the point of sale and upon renewal of the subscription agreement. It is hoped that this move will raise the awareness of parents and encourage the use of such filters to protect the young from inappropriate content. The first internet filtering service for mobile devices such as smartphones and tablets has been introduced by one of the major telecommunications service providers in Singapore.

v Data protection and privacy

On 15 October 2012, the Parliament passed the PDPA, which establishes a baseline data protection framework that applies to all organisations in the private sector. Inter alia, it establishes notification and consent requirements for the use, collection and disclosure of personal data, establishes restrictions on the transfer of personal data abroad and places protection obligations on the private sector. The PDPA also establishes a do-not-call registry, which aims to provide individuals with a simple and efficient way to opt out of receiving unsolicited marketing messages.

On 2 July 2014, the Personal Data Protection Regulations (PDPR) came into force. The PDPR expand on, inter alia, the PDPA's Access and Correction Obligation and Transfer Obligation. In particular, the PDPR require organisations to respond to each access request as accurately and completely as necessary, and as reasonably possible, within 30 days of such request being made. However, if an organisation is unable to comply with this requirement, it must (within the 30-day period) inform the applicant in writing of the date by which it will respond to the request.

Further, the PDPR require an organisation transferring personal data outside Singapore to take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data in that country or territory outside Singapore is bound by legally enforceable obligations to provide for the transferred personal data a standard of protection that is at least comparable with the protection under the PDPA.

Under the Telecoms Competition Code, there is a prohibition on all FBO and SBO licensees from unauthorised use of any EUSI. EUSI consists of all information that the licensee obtains as a result of an end user's use of its telecommunication services, and includes the end user's usage patterns, services used, telephone number and network configuration, location information as well as the billing name, address and credit history. Thus, unless the end user has provided prior consent, a licensee must not use EUSI for any purpose other than that as provided for in the Telecoms Competition Code.

vi Spam control

The Spam Control Act (SCA) seeks to regulate the sending of spam (i.e., unsolicited commercial communications sent in bulk) by prescribing requirements that must be met before such communications may be sent. Such requirements include the provision of an unsubscribe facility and compliance with labelling and other requirements. The SCA applies to emails and mobile messages (i.e., text or multimedia messages sent via a mobile telephone) originating from or sent to a device located in Singapore, or where the sender or receiver of the message is an individual or entity either physically present, or carrying on business or other activities, in Singapore. Sending of spam to electronic addresses obtained by way of a dictionary attack or address-harvesting software is prohibited under the SCA.

IV SPECTRUM POLICY

i Development

The IMDA is the regulatory body responsible for the utilisation of RF spectrum. It constantly monitors trends in and developments of new wireless technology, and reviews the frequency allocations whenever there is a demand for spectrum. In the past, spectrum was administratively allocated; however, the IMDA has recognised that in a liberalised environment, administrative allocation may not be the most objective, efficient or transparent means of ensuring that spectrum is effectively used. As such, the IMDA has moved towards a market-based approach by adopting an auction process where competing services in common bands cannot effectively share the same spectrum. For example, the IMDA has adopted the auction process for allocating spectrum for 3G services, 4G and wireless broadband access.

ii Flexible spectrum use

The spectrum of RFs in the VHF and UHF bands currently allocated for use, on a primary basis, for the provision of terrestrial broadcast services in Singapore are not all in use at any given time. Within this spectrum, there are interleaved and contiguous spectrum blocks that are not used to provide broadcast services. Such unused spectrum (white spaces) are situated below 1GHz, and radio signals within such spectrum have propagation characteristics that allow the signals to travel long distances and penetrate buildings easily. As such, the IMDA has invited interested parties to conduct trials to explore the various spectrum environments and regimes that white space technology can operate in, yet at the same time ensuring continued protection of licensed services in Singapore from possible interference during the trial period. One of the key objectives of the cognitive radio venues (CRAVE) trials is to examine how best to make use of the white space spectrum for the benefit of consumers and businesses. In April 2012, several organisations (I2R, StarHub and Microsoft) confirmed that they would lead the formation of a Singapore White Spaces Pilot Group to leverage on the CRAVE trials to establish Singapore as an innovation zone for white space technology. The pilot group intends to undertake commercial pilot deployments to explore how white space technology could supplement the existing wireless infrastructures and develop innovative consumer and business applications.

On 16 June 2014, the then-IDA issued its decision on the regulatory framework for the use of TV white space (TVWS) technology in Singapore after holding a public consultation. The then-IDA decision set out, inter alia, the inclusion of 700MHz band for TVWS deployment in the future, the adoption of the geolocation database approach as the mandated method for white space devices to access TVWS spectrum space and the implementation of unique white space devices identifiers.

In mid-2014, the then-IDA concluded a public consultation that sought to canvass industry views on the allocation of long-term rights in the 3.5GHz band, and planned services and target market segments for use of these bands. However, no further information from the IMDA has been forthcoming about the results of this consultation exercise.

iii Broadband and next-generation mobile spectrum use

To address the growing need for spectrum for broadband services and next-generation mobile services, apart from the white space trials, the IMDA is also reviewing current spectrum allocations to ensure the most efficient use. For example, it has identified certain spectrums for the future expansion of 3G services. In relation to the evolution of 4G spectrum bands, the IMDA is also aware of the necessity to ensure that there is adequate lead time for existing services to migrate to alternative modes of reception where necessary. In relation to wireless broadband services, the IMDA is looking into opening more spectrum for wireless broadband services, and has identified a certain bandwidth for mobile or wireless services.

One step that the IMDA has taken to expand 3G and 4G services is the closure of the 2G mobile network in April 2017, with the spectrum previously assigned to the 2G network being reallocated to provide faster and more advanced 3G and 4G services. These 2G users have had to upgrade to the 3G or 4G networks. The IMDA stopped accepting registrations of 2G-only mobile equipment in September 2015, and consumers have been advised not to purchase such equipment.

The government indicated in July 2010 that it would go ahead with a proposed auction of a fourth lot of spectrum in the 3G band (i.e., the 1,900/2,100MHz frequency band). This fourth lot of spectrum was left unallocated during the last round of auctions in 2001, when three lots of 3G spectrum were allocated to the three mobile operators in Singapore.

Pursuant to a public consultation process leading to this decision, respondents submitted feedback indicating that they generally agreed with the allocation of the remaining spectrum. However, three out of the four respondents (namely the existing mobile operators in Singapore) objected to the market allocation (i.e., allocation by way of auction) of the spectrum lots. The mobile operators instead suggested that the then-IDA allocate the spectrum administratively to them equally as a more cost-effective approach. Nonetheless, the then-IDA took the view that the auction mechanism ensured that scarce spectrum resources would be allocated in the most efficient and transparent manner.

However, only three applications were received from the existing mobile operators during the auction process. As such, the then-IDA allocated each of the available 3G spectrum lots to the respective bidders for the reserve price of S$20 million.

Where 4G spectrum is concerned, the then-IDA issued a public consultation paper in April 2012 on the proposed framework for the reallocation of spectrum for 4G telecommunication systems and services. Following the public consultation, the then-IDA announced on 16 January 2013 that it was putting up a total of 270MHz of 4G spectrum for auction, comprising 150MHz of spectrum in the 1,800MHz band and 120MHz of spectrum in the 2.5GHz band. The three mobile operators submitted initial offers for the spectrum, but the total amount of spectrum that they bid for did not exceed the amount available in each of the spectrum bands mentioned above.

As such, on 28 June 2013, the then-IDA provisionally awarded the 4G spectrum rights to the three mobile operators. M1 obtained 80MHz of spectrum, SingTel obtained 100MHz of spectrum and StarHub obtained 90MHz of spectrum. The placement of the spectrum lots acquired by the mobile operators will be determined in the next stage of the process (the assignment stage). These spectrum rights commenced on 1 July 2015 for spectrum in the 2.5GHz band and on 1 April 2017 for spectrum in the 1,800MHz band, upon the expiration of the existing spectrum rights. The mobile operators may continue to provide mobile services (including 4G services) over their existing spectrum rights until then.

The mobile operators were required to provide nationwide 4G street level coverage by 30 June 2016, and coverage for Mass Rapid Transit underground stations and lines and road tunnels by 30 June 2018.

An additional total of 235MHz of spectrum was made available for auction for mobile services in the second half of 2016.

iv Spectrum auctions and fees

The IMDA typically uses two schemes to charge users for access to the radio spectrum: market-based charging (auctions) or cost-based charging. Auctions are used to set a market-based charge for use in frequency bands in scarce supply. In frequency bands that are congested or potentially congested, the IMDA will set fees according to the opportunity cost of the spectrum. Cost-based charges are set to recover costs incurred in administering the use of the spectrum, such as frequency coordination, radio monitoring, interference investigations and frequency database management. In any event, the IMDA has moved away from administrative allocation, where feasible, to a market-based allocation approach using auctions, especially when assigning highly contested spectrum, so as to allow market forces to set the price.

The IMDA has also decided to use a new auction format after holding a public consultation on the reallocation of 4G spectrum. In the consultation paper, the IMDA proposed the use of a clock plus auction format, which is a variant of the simultaneous multiple round action and combinatorial clock auction formats commonly used in 4G auctions in other jurisdictions. Under the clock plus auction format that the IMDA has decided to use for the main auction, bidders will specify demand for quantities of lots within specified lot categories, subject to the relevant spectrum caps. In each round, there is a single common price for all lots within a category, and this price ticks up over successive rounds until there is no longer any excess demand.

v TPG Telecom wins IMDA's spectrum auction to become Singapore's fourth mobile telecom company18

In an effort to encourage a fourth mobile telecom company to enter the Singapore market, the IMDA held a highly anticipated new entrant spectrum auction (NESA) in the fourth quarter of 2016. The NESA was first open only to interested pre-qualified parties that did not operate a nationwide mobile network in Singapore, and offered a lower starting bid price of S$35 million for the 60MHz of spectrum up for auction. A general spectrum auction for additional spectrum followed thereafter at a higher reserve price, and was open to the three incumbent mobile telecoms companies as well as any aspiring new entrants. Although previous attempts to lure a fourth mobile operator into the market have been unsuccessful, on 14 December 2016, the IMDA announced that TPG Telecom made a winning bid of S$105 million in the NESA. The spectrum rights commenced in April 2017, and TPG is required to utilise the allocated spectrum to provide nationwide street level coverage for 4G within 18 months from the start of the new spectrum rights, with road tunnels and in-building service coverage within 30 months.19 The entry of a new MNO is expected to enhance innovation and competition in the mobile market.

V MEDIA

i Restrictions on the provision of service

Broadcasters licensed by the IMDA are required to comply with various codes issued by the IMDA under the Broadcasting Act, including the Free-to-air Television Programme Code, Subscription Television Programme Code, Free-to-air Radio Programme Code (collectively, Programme Codes), Television Advertising Code, Radio Advertising Code (collectively, Advertising Codes) and Television Programme Sponsorship Code (Sponsorship Code).

The Programme Codes seek to impose guidelines that are congruent with national interests in upholding racial and religious harmony, observing societal and moral standards, and promoting positive family values. However, it is recognised in the Programme Codes that standards may vary according to the time of the telecast and the target audience (the watershed time for television is 10pm), as well as the accessibility or otherwise of the programme (e.g., premium channels for subscription television). The Programme Codes also require broadcasters to maintain high standards of language and speech in the four official languages of Singapore, and to refrain from using localised English or other dialects.

The Advertising Codes seek to ensure that the interests of viewers and listeners as consumers are protected. Therefore, the Advertising Codes prescribe that advertisements on television and radio must be truthful and lawful, and should not contain any claims that may be misleading. All claims and comparisons must be capable of substantiation, and should not in any way deceive or mislead. Advertisements should respect public tastes and interests, and uphold moral and social mores. In addition, the Advertising Codes stipulate that broadcasters should exercise discretion when scheduling advertisements and trailers to ensure that they are appropriate for the target audience.

The Sponsorship Code is concerned with aspects of television programme services that entail advertiser involvement in programming and promotional (rather than advertising) time. Besides exercising social responsibility, broadcasters are required to maintain editorial integrity and programming independence, and should not be influenced by the sponsor regarding either the content or acquisition of a programme.

In addition, the Broadcasting Act provides that the Minister of Communications and Information may, by an order published in the Gazette, declare any foreign broadcasting service rebroadcast in Singapore on any relevant licensable broadcasting service to be a foreign broadcasting service engaging in the domestic politics of Singapore. Currently, the nationwide subscription television services provided by StarHub Cable Vision Ltd and SingNet Pte Ltd have been designated as relevant licensable broadcasting services. Prior approval for the inclusion of such declared foreign broadcasting service would need to be sought from the Minister, who may make the approval conditional upon restrictions being imposed on the number of persons capable of receiving such declared foreign broadcasting service. The Minister may also impose conditions requiring that the rebroadcast be suspended for such period as the Minister may, from time to time, direct.

ISPs and ICPs licensed under the Notification are required to comply with the conditions of the class licence set out in the Schedule of the Notification. These conditions stipulate, inter alia, that the licensee shall:

  1. ensure that its service is not used for, or in furtherance of, games and lotteries, the conduct of which is an offence under the Common Gaming Houses Act unless the licensee is exempted from the provisions of that Act;
  2. avoid the broadcast of horse-racing analyses, commentaries or tips, other than horse-racing results, for the purpose of gambling;
  3. ensure that its service is not used to advertise, provide or otherwise promote astrology, geomancy, palmistry or any other type of fortune-telling device;
  4. ensure that its service is not used for soliciting or for any other immoral activity;
  5. ensure that any professional advice or any specialist consultancy service offered on its service is offered by persons with qualifications recognised by the relevant professional bodies in Singapore;
  6. in the case of the broadcast of sound recordings, ensure that only sound recordings that are acceptable to the censorship section of the MDA are broadcast; and
  7. in the case of the broadcast of films or video recordings, ensure that only films and video recordings that are approved by the Board of Film Censors are broadcast, unless the film or video recording is one to which the Films Act does not apply or is one that is exempted from the provisions of that Act.

Class licensees are also subject to the Internet Code, which seeks to set out other obligations and duties of licensees. Generally speaking, the Internet Code requires all licensees to ensure that no prohibited materials (i.e., material that is objectionable on the grounds of public interest, public morality, public order, public security or national harmony, or is otherwise prohibited by applicable Singapore laws) is broadcast via the internet to users in Singapore. In considering what material should be prohibited, the factors listed below are relevant:

  1. whether the material depicts nudity or genitalia in a manner calculated to titillate;
  2. whether the material promotes sexual violence or sexual activity involving coercion or non-consent of any kind;
  3. whether the material depicts a person or persons clearly engaged in explicit sexual activity;
  4. whether the material depicts a person who is, or appears to be, under 16 years of age engaged in sexual activity, in a sexually provocative manner or in any other offensive manner;
  5. whether the material advocates homosexuality or lesbianism, or depicts or promotes incest, paedophilia, bestiality and necrophilia;
  6. whether the material depicts detailed or relished acts of extreme violence or cruelty;
  7. whether the material glorifies, incites or endorses ethnic, racial or religious hatred, strife or intolerance; and
  8. whether the material has intrinsic medical, scientific, artistic or educational value.

The IMDA has the power to order the removal of objectionable content under the Notification, and if a licensee breaches such order, the IMDA has the discretion to cancel or suspend the class licence in respect of such licensee for such period as it thinks fit, or to require the payment of a fine of such amount as it thinks fit. However, the IMDA generally applies a light-touch approach towards regulating services on the internet, and a licensee found to be in breach of the foregoing regulations will generally be given a chance to rectify the same.

The IMDA implemented a new licensing regime for certain online news websites that have been subject to an individual licensing regime from 1 June 2013 in order to place them on more consistent regulatory footing with traditional news platforms. This new licensing requirement applies to websites that regularly report on issues relating to Singapore (on average at least one article per week on Singapore news and current affairs over a period of two months) and have significant reach (at least 50,000 unique IP addresses from Singapore per month over a period of two months). Since the implementation of the new licensing regime, the IMDA has assessed that 11 local news websites fall under the new licensing regime, including nine from the main newspaper publishers and broadcasters in Singapore (Singapore Press Holdings and MediaCorp), and one operated by Yahoo! News. The latest addition to the list is the current affairs site Mothership.sg.

Instead of being automatically class-licensed under the Notification (as is currently the case), the news websites subject to the new licensing regime will need to be individually licensed, and have to put up a performance bond of S$50,000 with the IMDA. While it is expected that the prevailing content regulation requirements will not change, the new licence will also provide greater clarity on what the IMDA would consider prohibited content, and impose a requirement for licensees to comply with the IMDA's direction to remove infringing content within 24 hours.

The new licensing framework invited a considerable amount of criticism from political and social activists, as well as ordinary members of the public. The IMDA is currently discussing details of the licensing regime with the three affected companies. It remains to be seen whether the IMDA would be forced to address such criticisms in the implementation of the regime.

ii Internet-delivered video content

Given the widespread availability of broadband access in Singapore, internet-delivered or OTT video content has gained much popularity as compared with broadcast video distribution. The increasing number of consumers accessing internet video content, along with other new media-rich content and applications, has led to an increased demand for bandwidth in Singapore.

There is a general consensus among network operators in Singapore that the demand for bandwidth, including over mobile broadband, will continue to grow steadily. Network operators are still grappling with business models that would allow them to monetise such transmission or otherwise allow them to recoup the investment sunk into infrastructure upgrading to meet such increased bandwidth demand.

iii Mobile services

The growing demand for mobile media services and media-rich services has fuelled the need for mobile broadband access in Singapore. An advanced communications infrastructure (Heterogenous Network) is recognised as a key pillar of one of the strategic thrusts set out in Infocomm Media 2025, building upon one of the key objectives of the iN2015, which was to increase the availability of wired and wireless broadband infrastructure in Singapore (see the Wireless@SG and Next Gen NBN initiatives discussed above).

Despite the higher costs per minute of mobile calls to fixed-line calls, mobile phone subscriptions have been increasing at a steady rate and have far surpassed the number of fixed-line subscriptions. The decrease in fixed-line penetration rates since July 2002 suggests that households may have replaced their fixed lines with their mobile phone lines.

The IMDA continues to recognise that certain spectrums may require review to address the growing need for spectrum for broadband services and next-generation mobile services.

VI THE YEAR IN REVIEW

i Public Sector (Governance) Act regulates the sharing of personal data of Singaporeans by government agencies and public sector officers

With effect from 1 April 2018, the Public Sector (Governance) Act (PSGA) on 8 January 2018 introduced a consistent governance framework across government agencies, including formalising the data-sharing arrangements between public sector agencies (which are excluded from the ambit of the PDPA). The PSGA provides more safeguards to protect the usage of citizens' personal data by government agencies. Under the PSGA, public sector officers who share the personal data of Singaporeans, make use of such data to benefit themselves or re-identify anonymised data without authorisation can be fined up to S$5,000 or imprisoned for up to two years, or both. The PSGA recognises the importance of intergovernmental sharing of raw data to improve policy analysis, planning and formulation, and lists seven specific purposes for which data can be shared between public sector agencies, such as to improve the efficiency of policy planning. Centralised agencies will also be set up to ensure that raw data will be properly anonymised before being released to appropriate government agencies for analysis and policy work.20

ii PDPC releases guidelines to clarify the usage of passenger-facing video cameras by cab and private-hire car drivers

On 9 April 2018, the PDPC released advisory guidelines developed in consultation with the Land Transport Authority of Singapore (LTA) regulating the use of in-vehicle recording devices (IVRD). The safeguards imposed by LTA in conjunction with the PDPC include requiring that:

  1. adequate security measures be implemented to protect passenger's personal data;
  2. a prominent notice about the use of IVRDs be displayed to passengers;
  3. drivers be prohibited from uploading any IVRD recordings on social media; and
  4. allowing passengers to request to have access to the IVRD recordings.21

iii Proposed New Healthcare Services Act

The Ministry of Health, having sought public feedback on the draft Healthcare Services Bill earlier in 2018, will be repealing the former Private Hospitals and Medical Clinics Act and replacing it with a new Act later this year. This legislation is directed at enhancing oversight and creating better safeguards for patients in light of the emergence of new care models and healthcare services, such as telemedicine. One proposed key aspect of the new Act is that it will be mandatory for all healthcare institutes, including laboratories, to input patient data in the National Electronic Health Record (NEHR), which is a record of patient data shared across all healthcare providers to enable better continuity of patient care. Safeguards will be put in place to ensure the confidentiality of the NEHR and to ensure that the privacy rights of patients are not eroded, and patients can opt out of using healthcare providers having access to their information on the NEHR.22

However, in light of the recent 2018 cyberattack on SingHealth, the plan for mandatory contributions to the NEHR has been temporarily suspended.23

iv Cyberattack on SingHealth

In July 2018, the personal particulars of 1.5 million patients were stolen by sophisticated hackers in a directed and coordinated attack on the Prime Minister. These hackers had infiltrated the computers of SingHealth, Singapore's largest group of healthcare institutions. Preliminary investigations showed that one SingHealth front-end workstation was infected with malware through which the hackers gained access to the database. Of the 1.5 million patients that were affected, 160,000 people, including Prime Minister Lee Hsien Loong, had their outpatient prescriptions stolen.

In response, SingHealth has imposed a temporary internet surfing separation on all of its staff's work computers, and mandatory contributions to the NEHR has been put on hold.24 The PDPC continues to investigate what has been Singapore's worst cyberattack to date, and a government Committee of Inquiry has been convened to conduct an independent external review of the incident to make recommendations for better safeguards for critical systems.25

v Singapore and France reaffirm commitment to collaborate in innovation at the France–Singapore Year of Innovation 2018

Singapore and France have deepened their collaboration in innovation in areas such as FinTech and smart cities at the France–Singapore Year of Innovation 2018. French Minister for Higher Education, Research and Innovation Frederique Vidal signed four agreements during her visit in Singapore, which were to renew joint laboratories and allow collaboration in autonomous vehicle safety research and research on smart cities. 26

vi Alibaba sets up artificial intelligence research centre in Singapore

On 28 February 2018, Chinese e-commerce giant Alibaba opened an artificial intelligence (AI) research institute in Singapore in collaboration with Nanyang Technological University (NTU), a local university. This will be Alibaba's first joint research centre located outside of mainland China. The institute will carry out research on AI technology for an initial five years with a pool of 50 researchers from both organisations, and aims to develop technologies to help in caring for the elderly, such as developing robot companions and sensors to detect problems.27

vii PDPC contemplates mandating that organisations must report any breaches of personal data

As part of the revisions to the Personal Data Protection Act, tougher breach reporting rules have been proposed to be imposed on organisations. The proposed revisions to the PDPA will require individuals affected by a breach to be notified as soon as practicable, and the PDPC to be notified no later than 72 hours after an eligible breach is identified. The PDPC, in recognising that organisations may need time to determine the veracity of suspected breaches, will give organisations up to 30 days to assess if breaches are eligible for reporting, and the 72-hours notification period will kick in after that. These changes follow the steps of mature jurisdictions such as the United States, Canada and Australia.28

viii MCI introduces new framework for nationwide e-invoice system

In hopes of boosting productivity and sectoral digitalisation in Singapore, a new framework for a nationwide e-invoice system was introduced in May 2018. Singapore will be adopting the Pan-European Public Procurement On-Line system, a widely used European standard, and will be the first country outside of Europe to do so. The System is interoperable and allows any company on the network to talk to others without any compatibility issues. The IMDA will be in charge of overseeing the adoption of the System, and already some 45 organisations, including private sector entities, technology solution providers and government agencies, have expressed interest in joining the System.29

ix Sophisticated cyberattack by Iranian hackers on Singaporean universities

Fifty-two staff accounts across four Singaporean universities (NTU, the National University of Singapore, the Singapore Management University, and the Singapore University of Technology and Design) were attacked by an Iranian hacking syndicate in March 2018. The Iranian hackers are believed to have stolen more than 31 terabytes of academic data and intellectual property from varsities all over the world at the behest of the Iranian government. Investigations showed that the incident stemmed from a phishing attack where staff members were directed to a credential harvesting website to key in their login details, which were used to gain unauthorised access to the institutes' libraries.30

x Singapore to set up first cybersecurity start-up hub

Singapore is setting up its first cybersecurity start-up incubation hub with funding to be provided for new inventions, in light of the nation moving to find a place in the new digital economy. This hub will be located in a cluster of industrial buildings on Ayer Rajah Crescent, and has been dubbed the Innovation Cybersecurity Ecosystem @Block71. This hub aims to nurture and groom aspiring entrepreneurs to ensure that their business ideas are sound and that they have the financial and business expertise to grow their business. The hub is also targeted at helping to build robust national cybersecurity to meet national security needs and stay ahead in the arms race against cyberattackers. In a separate funding scheme to spur developments, funding of up to S$500,000 will be provided to qualifying projects by Singapore-registered companies to develop home-grown companies that could own a slice of the cybersecurity market, which it is estimated will attract spending of S$138 billion by 2020.31

xi New Cybersecurity Act

The Cybersecurity Bill was passed by Parliament on 5 February 2018, after being revised to take into account feedback gathered at the public consultation by the Ministry of Communications and Cyber Security Agency of Singapore. This Act aims to create a coordinated national approach to cybersecurity and ensure that critical information infrastructure (CII) across all sectors is protected in a consistent manner. Apart from the regulation and protection of CII, a singular licensing scheme for cybersecurity service providers has been created to replace the numerous old licensing schemes.

A key feature of the new Act is the concentration of powers in the hands of the Cybersecurity Commissioner, who will be responsible for safeguarding Singapore's cyberspace. While some misgivings have been expressed over the broad investigative powers conferred on the Commissioner, others have argued that this power structure is necessary to create a robust command-and-control structure to effectively and speedily respond to a cyberattack.32

xii Bug bounty programme conducted by MINDEF to strengthen its internet-facing system

The Ministry of Defence (MINDEF) successfully concluded its first bug bounty programme on 4 February 2018, where selected white hat hackers were invited to test eight major MINDEF internet-facing systems for vulnerabilities and received rewards for doing so. This programme was targeted to strengthen MINDEF's cyber defences and respond to the rapidly evolving cyber threat landscape. Thirty-five valid bugs were found, and all of them have been mitigated, which means that the flaws could no longer be exploited. A reputable US bug bounty company, HackerOne, was engaged to manage the programme.33

xiii Singaporean firms not ready to comply with EU data regulations

Consultancy firm Ernst & Young found in February 2018 poll that only 10 per cent of Singaporean companies have compliance plans to align with Europe's General Data Protection Regulation (GDPR), which took effect from 25 May 2018. GDPR requirements are in certain aspects stricter than Singapore's own PDPA, for example with regards to data subject rights. The GDPR rules will affect many sectors in Singapore, especially those that target European consumers. Under the GDPR, companies can be fined up to 4 per cent of their annual global turnover or S$32 million (whichever is greater), in comparison to the maximum fine of S$1 million under the PDPA. Many Singaporean companies are operating under the fallacy that the GDPR will not affect them if they do not have a physical presence in the EU, which has contributed to the lack of urgency to start on GDPR compliance plans.34

xiv Singapore to introduce goods and services tax on imported services

Singapore will begin to charge goods and services tax (GST) on imported services from 2020 onwards. Dubbed the Netflix tax, foreign suppliers that have a global turnover of more than S$1 million and that sell digital services to Singapore consumers that exceed S$100,000 will be required to register to pay GST in Singapore. Businesses buying imported services are eligible for a GST refund as long as the input is used to make taxable supplies of goods and services. The digital sale threshold on this tax is meant to minimise the compliance burden for small overseas vendors. The Netflix tax is estimated to bring in additional revenue of S$90 million a year. This tax will make Singapore the first country in Southeast Asia to introduce a tax on the digital economy.

VII CONCLUSIONS AND OUTLOOK

As can be seen from the foregoing, Singapore's key strength lies in its foresight and strategic planning capabilities. Among other factors, the restructured IMDA is expected to strengthen and develop regulatory capabilities for a converged infocomm and media sector in a holistic manner, and further Singapore's goal of establishing a value-creating economy that is well-positioned to leverage growing opportunities in the convergent telecommunications, media and technology sphere. As a small island nation, Singapore has also effectively leveraged on its size, and has successfully implemented and continued to improve a number of ambitious nationwide projects, such as Wireless@SG and the Next Gen NBN initiatives.

The ubiquity of ultra-high-speed broadband access, coupled with the drive to promote next-generation interactive multimedia applications and services delivered through the IPTV platform, heralds an exciting period of transition into a new generation of services for both businesses and consumers. This can be seen from the steadily increasing take-up rate of total fibre-optic broadband, which as at May 2017 stood at approximately 1.19 million subscribers.

For Singapore to compete effectively at the global level, the government recognises that seamless, trusted and intelligent infocomm infrastructure will be crucial. The government has continued to encourage the development of new green data centre technologies, and has supported the establishment of a data centre park in Singapore so as to attract multinational corporations and other premium data centre operations to Singapore, and to strengthen its position as an economic hub. The government has also devoted increasing resources, effort and attention to its cybersecurity efforts with the continued development of resilient infrastructure, such as:

  1. the launch of the Defence Cyber Organisation and planned launch of the Government Security Operations Centre;
  2. the strengthening of the legislative tools it has to combat cyberthreats with the new cybersecurity bill;
  3. the development of a vibrant cybersecurity ecosystem through public–private partnerships such as the Alliance of Public–Private Cybercrime Stakeholders, and strong government support for Honeywell's industrial cybersecurity centre and the National Cybersecurity R&D Laboratories;
  4. equipping Singapore citizens for digital access, literacy and participation as part of the Digital Readiness initiative.

Adopting a new mindset that it is not if a significant cyber-threat will occur, but rather when, Singapore had also taken the controversial step to ring-fence or air-gap key government systems from the internet and unauthorised devices. This has proven particularly prescient given the significant increase of cyberattacks (both successful and thwarted) that Singapore has faced over the past few years. This is only likely to worsen as Singapore's increased reliance on ITC technologies as it achieves its goal of becoming a Smart Nation makes Singapore a more vulnerable and prominent target. Singapore continues to intensify its efforts to defend against and prepare to respond to cyberattacks, and by adopting a risk-based approach to cybersecurity and building in sufficient flexibility and redundancies, it has made itself significantly more prepared for any cyberattack and the new digital landscape than most nations. The Prime Minister's Office has also set up a Smart Nation Programme Office that aims to bring citizens, the government and industry players together to identify issues, co-develop solutions, prototype ideas and deploy them effectively to transform Singapore into a Smart Nation. This initiative focuses on the development of infocomm-based integrated networks, capabilities and solutions for urban environments with a systems-of-systems approach that enables synergies within the whole government, and integrated insights that will contribute to the optimisation of key national resources across interdependent and inter-related city systems. The Smart Nation vision aims to harness ICT, networks and data to support better living and stronger communities, and to create more opportunities.

Further, Singapore has enacted an overarching data protection law in the form of the PDPA, which should help to strengthen and enhance Singapore's position as a trusted data hub. We believe that the PDPA strikes the right balance in protecting the interests of consumers against the need for businesses to collect, use and disclose personal data. The PDPC continues to update and release new advisory guidelines to guide and inform organisations and individuals on data privacy, use, collection and disclosure. The PDPC also continues to look at further amending the PDPA to keep it updated and enable Singapore to continue exploiting growing opportunities in the world of big data, and allow businesses to harness value from information, arguably the most precious commodity in this era.


Footnotes

1 Ken Chia is a principal and Daryl Seetoh is an associate at Baker & McKenzie.Wong & Leow.

12 The MCI was previously known as the Ministry of Information, Communications and the Arts, but was renamed with effect from November 2012 with the formation of a new Ministry of Culture, Community and Youth.