Singapore passes Online Criminal Harms Act
Published on 21st Aug 2023
The legislation strengthens Singapore's fight against harmful cyber activity and bad actors using the internet for crime
The Singapore parliament passed the Online Criminal Harms Act (OCHA) on 5 July 2023, after it was put forward for a second reading and debated. The act will commence on a later date to be notified.
The OCHA received bi-partisan support and gives the Singapore government a suite of powers to target online criminal activities, scams and malicious cyber activities.
It gives the government the power to issue directions and orders – known as "part two directions" – to remove or stop the communication of online materials, disable access to online materials and locations, restrict online accounts and online services, and stop the distribution or downloading of apps.
It also has the power to obtain information – "part 10 powers" – on online activity in furtherance of specified offences.
Singapore Police oversight
A unit in the Singapore Police Force (SPF) will be designated as the competent authority in charge of administering the OCHA and serving as the single point of contact for the issuance of part two directions. The competent authority will also be responsible for developing codes of practice and working with designated providers to achieve certain specified outcomes. The SPF unit to be designated as the competent authority will be structurally separate from other units of the SPF which perform investigative functions.
Additionally, the Minister of Home Affairs will also appoint designated officers responsible for detecting, enforcing or investigating the specified offences in the OCHA. These designated officers are empowered to determine whether and what part two directions should be issued and will do so independently of the competent authority.
Part two directions
Designated officers may issue part two directions when they reasonably suspect that a specified offence has been committed and any online activity is in furtherance of the commission of the offence. These are listed in part one, first schedule of the OCHA and are mainly offences affecting national security and harmony and individual safety, including those relating to terrorism and internal security, harmony between different races, religion or classes, trafficking of controlled drugs and psychoactive substances, unlawful gambling, illegal moneylending, and sexual offences such as the distribution of child sexual abuse material or voyeuristic and intimate images without consent.
They can also issue part two directions if they suspect or have reason to believe that any online activity is preparatory to, or in furtherance of, the commission of a scam or malicious cyber activity offence (that is, the offences listed in part two, first schedule of the OCHA).
A lower threshold applies for the issuance of a part two direction when scams or malicious cyber activities are concerned since a direction can be issued even when there is no evidence that an offence has been committed (that is, evidence of preparatory steps such as the presence of a blank website with a fake domain name resembling a legitimate organisation) and a designated officer’s suspicion need not be reasonable in order to be triggered.
Part two directions: what can be issued and who are intended recipients?
| Type of direction | Intended recipient | Content of direction |
|---|---|---|
| Stop communication direction | Person who has control of the relevant material or proprietor of the relevant online location. | To require the recipient to take all reasonable steps (that is, to remove, cease storing, posting, providing or transmitting, or disable access) to ensure that the relevant or similar material or online location cannot be accessed by Singapore persons. |
|
Disabling direction
|
Provider of an online service, excluding an internet access service or app distribution service.
|
To require the recipient to take all reasonable steps to disable access by Singapore persons to any relevant material (and copies of such material) on the online service or relevant locations on the online service. |
| Access blocking direction | Provider of an internet access service. | To require the recipient to take all reasonable steps to disable access by Singapore persons on the Internet access service to any relevant material or relevant location. |
| Account restriction direction | Provider of an online service, excluding an internet access service or app distribution service. | To require the recipient to take all reasonable steps to disallow or restrict interaction between any relevant account and Singapore persons. |
| App removal direction | Provider of an app distribution service. | To require the recipient to take all reasonable steps to stop distributing a relevant app to Singapore persons and disable the ability of Singapore persons to download a relevant app. |
Codes, directives and notices
Under part four of the OCHA, the competent authority may, by written notice, identify designated providers in relation to one or more offence groups specified in the second schedule of the OCHA (currently, the scam and malicious cyber activity offence group). The authority can issue codes of practice promoting or requiring good practices by designated providers to counter the commission of offences within the specified offence groups.
It can also issue implementation directives requiring a designated provider to implement any system, process or measure necessary or expedient to implement the purposes listed in the third schedule of the OCHA (that is, to minimise the exposure of Singapore users to scams or malicious cyber activities, verify account authenticity, implement payment protection, facilitate investigations and information sharing, etc.).
Under section 19(4) of the OCHA, a requirement in a code of practice has effect despite any duty of confidentiality or privacy imposed by any rule of law or any duty imposed by any contract or rule of professional conduct that would otherwise prevent or restrict the designated provider from complying with such requirement.
The competent authority is empowered to issue rectification notices requiring designated providers to comply with any part of a code of practice, if the competent authority is of the opinion that there has been non-compliance on the part of the designated provider.
While no draft codes of practice have been issued at this time, the Singapore government has indicated its intention to issue codes for e-commerce platforms containing requirements adapted from the E-Commerce Marketplace Transaction Safety Ratings scheme.
This was introduced by the Singapore government to provide consumers with information on the types of anti-scam measures implemented by major e-commerce marketplaces.
Part 10 powers
Under part 10 of the OCHA, a competent authority, designated officer or authorised officer may, by written notice, require persons subject to part two directions, designated providers, codes of practices, implementation directives and orders, rectification notices and other orders to provide information necessary for the administration of the OCHA.
Law enforcement officers who reasonably suspect that any online activity in furtherance of a specified offence has occurred are also empowered to require that providers of an online service or proprietors of an online location provide:
- information pertaining to the online activity that has occurred.
- the online account or proprietor of the online account through which the online activity was conducted.
- any other information to assist in investigations or criminal proceedings relating to the specified offence.
Other OCHA features
The OCHA has extra-territoriality. It will apply to any individual or entity, whether or not resident or physically present in Singapore, or carrying on a business or operating in Singapore.
The appeal mechanisms of the OCHA provide avenues for persons subject to directions or orders under the act to apply for reconsideration or appeal the directions or orders. There is also no ouster clause within the OCHA, which means that decisions pertaining to the directions or orders are susceptible to judicial review.
In terms of offences, a failure to comply with the directions and orders in the OCHA is a criminal offence that may result in fines of up to S$1 million and/or imprisonment.
Osborne Clarke commentary
The introduction of the OCHA is a welcome addition to the suite of Singapore legislation targeting harmful cyber activity given that bad actors increasingly use the Internet as a means to commit crime.
The lower threshold for the application of part two directions, where scams and malicious cyber activity are concerned, is also arguably necessary as this would afford better protection to members of the public who would otherwise fall prey to scam or malicious sites, which can be activated within minutes if domain names have already been purchased.
That said, it remains to be seen how the OCHA will be enforced in practice. In particular, it will be interesting to see how the terms “reasonably suspects’ and “suspects or has reason to believe” in section six of the OCHA (in relation to the relevant mental state of a designated officer triggering the issuance of part two directions for online criminal activities and scams and malicious cyber activities) will be interpreted by the relevant government bodies and the courts.
Further, digital businesses should be prepared for the prospect of being named as designated providers subject to codes of practice and implementation directions under the OCHA. The Singapore government has indicated that it will adopt a collaborative and consultative approach when formulating codes of practice, and digital businesses should make use of all opportunities to have their voices heard and interests protected.
