Singapore consults on guidelines on children and the Personal Data Protection Act
Published on 28th Sep 2023
A fairer approach would be to exclude organisations that expressly do not contract with children, data experts argue
Singapore's Personal Data Protection Commission (PDPC) launched its public consultation in July on proposed advisory guidelines on the Personal Data Protection Act for children's personal data.
The data practice at Singapore-based OC Queen Street gave feedback to the PDPC prior to the closure for submissions on 31 August.
The PDPC consultation covered issues such as obtaining children’s consent, using children’s personal data, and ensuring higher standards of protection to children’s personal data. The commission was established in 2013 to administer and enforce the PDPA.
OC Queen Street data specialists have given their general support to the extension of the advisory guidelines to organisations that “offer products or services that are likely to be accessed by children, or are in fact accessed by children”.
However, the OC Queen Street lawyers have proposed that organisations that do not expressly contract with children are excluded from the scope of the advisory guidelines.
The application of advisory guidelines without the exclusion would impose a disproportionate compliance cost on organisations, which would need to conduct assessments to determine whether their products or services were "in fact accessed by children”, they have argued.
Organisations would also have to bear the risk of being caught by the advisory guidelines if children access their products or services under a false identity or age declaration.
Therefore, a fairer approach would be to exclude organisations that expressly do not contract with children.
Contracts with minors
What is the general legal position on contracts with minors and the law's interaction with the framework for obtaining consent for the collection, use or disclosure of personal data?
Contracts with minors below the age of 18 have no effect except for certain contracts. These include contracts for necessaries; for the benefit of minors, such as contracts for service, training or education or analogous arrangements; and those that are voidable at the instance of the minor, such as contracts involving the acquisition of interests in land, the acquisition of or subscription for shares, partnerships and marriage settlements.
The collection, use and disclosure of children’s personal data by organisations should be limited to exceptional contracts, contracts executed on behalf of children by their parent or legal guardian, or non-contractual situations (that is, where the relationship between organisation and child is governed by statute).
The 'practical view' subject to limitations
The PDPC’s adoption of the “practical view" that children between the ages of 13 to 17 will have sufficient understanding to consent to the collection, use or disclosure of their personal data is welcome. Although the pro-business approach will be well received by organisations, the “practical view” may be subject to limitations.
First, it is not clear how an organisation may validly obtain consent from a child below 18 via contractual means if the general contract law position is that contracts with children below 18 have no effect, save for the exceptional contracts described above.
Second, section 4(6) of the PDPA provides that the provisions will not affect any “limitation imposed, by or under the law”, and the “provisions of other written law prevail” to the extent that the PDPA provisions are inconsistent with the other written law (that is, statutes and subsidiary legislation in Singapore).
In other words, the provisions of the PDPA are presently subject to the limitations imposed by common law, statute and subsidiary legislation on the validity of contracts with minors (for example, section 35(1) of the Civil Law Act 1909 and section 2(1) of the Women’s Charter 1961).
If the PDPC’s intention is to allow minors below 18 to consent via contractual means to the collection, use and disclosure of their personal data, then legislative amendments may have to be made to remove the limitations on the PDPA in section 4(6) of the PDPA.
It appears that to seek valid consent in cases where the contract is of no effect, an organisation must seek non-contractual consent. However, it remains to be determined by the courts whether as a matter of policy, an organisation may obtain valid non-contractual consent for the purposes of, say, entering a contract which has no effect.
Osborne Clarke comment
The legal position and proposed workaround we have highlighted are based on a cursory review of the law and should be explored in greater detail.
Organisations communicating with children between the ages of 13 to 17 on privacy matters should focus on using plain English. Organisations communicating with children below 13 on privacy matters should use ELI5 (explain it like I'm five) language, cartoons, diagrams or flowcharts as appropriate, in line with the UK Information Commissioner’s Office's General Data Protection Regulation guidance.
Organisations should also provide information about data subject rights under the PDPA and how to withdraw consent and complain about personal data handling.