Do we need a Do Not Call registry to block off calls and spam text messages from telemarketers?
HELLO, is this Miss XQEW? We want to offer you a special medical scheme ...”
Another day, another call. So what’s new? But wait a minute, these cold calls should not be happening now that the Personal Data Protection Act 2010 (PDPA) has been enforced. Yet, many of us are still being bothered by unsolicited calls and SMS spams from telemarketers.
Netizen Einna Nana complains about getting SMS spam not only from the usual suspects – banks, telecommunication service providers and insurance agents – but also from international fast-food chains!
Worse, shares Eric Wong on The Star Online Facebook, he has been getting them at odd hours.
“I have no problem getting promotional calls, SMSes or email during my waking hours. I’m looking for bargains all the time but a cafe sent me their SMS promotion in the wee hours of the night, waking me up. That’s a no no! Stupid cafe! I boycotted them.”
Edmund Hunt feels the same way. “Both my wife and myself get crazy calls in the middle of the night too!”
Resigned to the problem, many Malaysians are bearing with the nuisance. Drew Lim, for one, says he usually just hangs up. “It’s entirely your own fault if you let the conversation continue.”
However, if reports are to be believed, annoyed Malaysians can soon legally put a stop to the telemarketers.
As the PDPA commissioner Abu Hassan Ismail told a Chinese daily recently, the Personal Data Protection Department (DPDP) – which he also heads – is looking at establishing a registry like Singapore’s Do Not Call Registry (DNCR) to enable consumers to opt out of commercial spams before the end of this year.
This is how it works: all you have to do is register your telephone number with the DNCR which will tabulate the data. Companies and individuals who want to market their products or services via telemarketing will have to refer to the DNCR first. If your number is registered with the DNCR, they will not be allowed to call and send text messages that promote or advertise their goods or services to you.
If registered consumers continue to be bothered by telemarketers, all they have to do is file a complaint to the registry. The DNCR should be equipped to trace the unsolicited call and take action against the telemarketers who continue to harass registered consumers.
In Singapore, a person violating the act will be fined S$10,000 (RM26,000), and Abu Hassan was quoted as saying that a similar fine is being considered here.
The Direct Selling Association of Malaysia (DSAM) is confident that while a DNCR will be good for consumers, the PDPA is already adequate in regulating and protecting data users or consumers from unsolicited cold calls.
DSAM president Frederick Ng says the PDPA already has its seven principles that can protect their personal data.
Ng points out that the Act does not only prescribe direct selling and direct marketing as one of the 11 classes of data users that must register with the department, but it also stipulates explicit rules for the sector.
The PDPA gives consumers the right to request in writing for the direct marketer or direct seller to stop or even not begin processing their personal data. Failure to cease using personal data for direct marketing purposes after a data subject has objected could cost the offender a fine of up to RM200,000 and/or imprisonment of up to two years.
DSAM members are also already practising strict confidential usage and storage of any data collected from their independent distributors and consumers, adds Ng.
“The confidential safekeeping of personal data is already one of the criteria in our globally recognised Code of Ethics in which all DSAM members must abide.”
He claims that from their experience with any law/regulation, the culprits are usually those who are not registered or operating without a valid licence.
“They are the ones tarnishing the good name of the legitimate players in the industry,” stresses Ng, adding that they have not received any complaints from consumers about unsolicited calls/SMS from their members.
Also in support of a DNCR, Direct Marketing Association Malaysia (DMAM) former president Ray Choo believes it will be good for Malaysian consumers as such a listing will also give DMAM a chance “to monitor unauthorised calls or messages”.
He adds that to help reduce abuses of personal numbers, what the authorities should scrutinise is how data subjects’ consent is obtained.
Not the usual suspects
For a DNCR to be effective in eliminating unsolicited spam, many say it needs to cover mobile content providers.
Malaysia Mobile Content Provider Association (MMCP) president Johary Mustapha, however, insists they are not the main offenders.
“Many are licensed and partnering with the telecommunications companies to provide content to their subscribers.”
Mobile content providers use the mobile messaging services to provide diverse mobile contents such as jokes, football results, horoscopes, weather forecasts as well as product and service promotions for their corporate clients such as retailers, product brands and service providers.
According to the Malaysia Communications and Multimedia Commission (MCMC), there are some 533 licensed mobile content providers in the country as of October 2013. These companies, along with the telcos, are subjected to a mandatory standard under the MCMC Act and face a penalty of up to RM100,000 or jail, or both if they abuse the platform.
Another thing that many consumers don’t realise is most of the text spams and cold calls come from entities they already have “existing business relationship” with, or that they had unwittingly “agreed” to them, Johary points out.
“There are many grey areas where your consent is concerned. Many consumers do not read the fine print when they sign up for services and goods. Most calls and spam text messages come from companies you have already given consent to including telcos and banks.”
He warns that many also don’t realise they have given the organisation or entity permission to share their personal data with their associates and partners.
Still, he concedes, there were some licensed content providers who sent out spams and committed other abuses due to lax enforcement by the authorities.
“However, in the last two years, there has been a decrease of these offences. We have been working closely with the MCMC to eliminate them and the offenders caught have been charged and had their licences terminated,” claims Johary.
Other offenders that the MCMC has cracked down on are errant sub-contracted content providers, he highlights.
“Many licensed content providers outsource to sub-contractors to provide content, and they do not require operating licence or are sometimes based overseas. The MCMC has warned the main content providers to do more to regulate their sub-contractors or they will take action against them.”
Johary believes that as the industry matures, we will see fewer of these abuses, “Many of our members do not dare take the risk any more.”
More importantly, consumers have the power to stop the unwanted messages if they want to.
“You can always send <STOP> or <STOP_ALL> to the number. That would cancel whatever services you accidentally agreed upon. But most people spend more time complaining than sending out STOP,” he says.
Another grey area that will hinder the effective implementation of the registry is that most spam messages come from “friends”, he opines.
“This is called peer-to-peer or person-to-person spam. For example, I send out a promotion of my café to 200 friends. I take it up a notch and use the GSM modem to send it to 10,000 people. But how can you take action against a ‘friend’?”
Confident the DNCR will not have far-reaching impact on MMCP members, Johary lauds the proposed move for a DNCR, pointing out that it is integral in many personal data protection acts in the world.
“It is the pillar of the PDPA to safeguard the personal data of consumers. And even though it will have an impact on our members, I support it as, at the end of the day, we are all consumers.”
No legal bind
It cannot be denied that the Do Not Call Registry will be good for Malaysian consumers as it will allow consumers to have more control of the text messages and phone calls they receive and prevent abuse of their personal numbers. It will also give them faster, if not immediate, legal redress against unsolicited telemarketing calls.
As Islamic International University’s cyberlaw specialist Dr Sonny Zulhuda puts it, “The DNCR is an advanced step towards protecting individuals’ personal data, therefore it is highly commendable.”
Unfortunately, he adds, “The PDPA 2010, unlike Singapore’s law, neither provides nor mandates specifically for a DNCR.”
Data protection law expert Prof Abu Bakar Munir from Universiti Malaya agrees that Malaysia’s PDPA does not provide the necessary legal basis and framework.
“The PDPA will have to be amended first. The Commissioner does not have the power (to implement such a scheme) either,” he points out.
A reader, Yeo Shu Pin, believes it is possible to establish a DNCR under a separate piece of legislation without the need to insert it in the PDPA.
“Australia and the US have that. (Australia enacted the DNCR Act in 2006 to curb the growing number of cold calls in the country.) Alternatively, we can come out with a Spam Act and insert DNCR in the proposed spam act.”
Ultimately, proper implementation is key.
It will only be effective if the regulatory bodies take tougher action, says Johary.
“Take the peer-to-peer spam, for instance. Under the law, anyone who subscribes to a personal phone line cannot use it for commercial purposes. Or someone who repeatedly or continuously sends a communication without disclosing his or her identity and with the intent to annoy, abuse, threaten or harass a person at any number or electronic address commits an offence. It is time for the authorities to take action against these offenders and make a public example of them,” he adds.
Johary also feels the DNCR will not be so easy to implement with today’s technology.
“As we can see, technology evolves very fast. You close one avenue, another will open. You give people the chance to opt out, marketers will try to find other ways to blast them with their spam. For example, even now, you can already get spam on the free mobile messaging apps like Line and WhatsApp.”
Implementing a DNCR will require a carefully structured procedure and rules, Dr Sonny agrees.
“While the consumers will be the biggest beneficiary, industries will bear a lot of consequences,” he says.
“Telcos will be the most concerned, and next will be the marketing industries and practically all sectors that practise direct marketing.
“Telcos may indirectly put the burden on consumers if they require the DNCR. The best way to do it is there must be a joint role among telcos, customers and DNCR operators to help alert individuals and understand how to join the DNCR.
“The question arises as to who operates, manages and processes the DNC Registry? What safeguards are put in place? How adequate are they? Does it involve an outsourcing company? Or a cloud service?”
And Malaysia’s track record in enforcing laws notwithstanding, the DNCR has proven that it is not foolproof in most countries that have already implemented it.
With lack of enforcement being the biggest complaint in many countries, Canada’s experience provides another point to ponder: In 2009, the Consumers Association of Canada was bombarded with complaints from people who claim that they started getting spammed by telemarketers after they registered with the country’s DNCR.
It was discovered later that they were not mistaken – more than 100 companies had downloaded the registry for use as a source of telemarketing contact information!