Singapore: New Online Criminal Harms Law

Latest developments

On 5 July 2023, the Singapore Parliament passed the Online Criminal Harms Act 2023 (“OCHA”), which is intended to enable the authorities to better tackle online criminal activities and harm, and proactively prevent scams and malicious cyber activities.

The OCHA will come into effect on a date to be notified subsequently.

Summary

The OCHA allows a competent authority to issue the following directions in cases involving specified offences, scams or malicious cyber activities:

• Stop communication direction: requires a person who has control of online material or the proprietor of an online location to (i) remove online material, (ii) stop storing, posting, providing or transmitting any similar online material, and/or (iii) disable access to the online location;
  
  
• Disabling direction: requires an online service provider, excluding Internet access service providers and app stores, to disable access to online material (e.g. a post or page) on their service to Singapore persons;
  
  
• Access blocking direction: requires an Internet access service provider to disable access to online content or online material (e.g. a web domain) to Singapore persons;
  
  
• Account restriction direction: requires an online service providers, excluding Internet access service providers and app stores, to stop an account on their service from interacting with Singapore persons (e.g. by terminating, suspending or restricting the functionalities of an account); and
  
  
• App removal direction: requiring an app store to stop distributing an app and to stop further downloads of the app by Singapore persons.

A competent authority can issue a direction where the following thresholds are met: (a) in respect of online activity where a specified offence has been committed, or (b) where it suspects that online activity is preparatory to or in furtherance of the commission of a scam or malicious cyber activity. The lower threshold for scams and malicious cyber activities compared to specified offences is intended to reflect the greater harm that can be propagated to many people in a short time.

A failure to comply with a direction is an offence under the OCHA, and can attract a maximum fine of SGD 500,000 (approximately USD 375,000 or EUR 350,000) or SGD 1 million (approximately USD 750,000 or EUR 700,000), depending on the type of direction not complied with.

The OCHA also empowers a competent authority to require designated online service providers to comply with codes of practice that set out detailed requirements for putting in place systems, processes and measures to counter scams and malicious cyber activities. A code of practice may contain requirements for the following purposes:

• Minimising the exposure of Singapore end-users to scams or malicious cyber activities;
• Verifying the authenticity of accounts, and detect and safeguard against (i) the creation of inauthentic accounts and misuse of accounts; (ii) the misrepresentation of any end-user’s identity; and (iii) the misuse of online bots;
• Receiving information from Singapore end-users on suspected scams or malicious cyber activities;
• Facilitating information sharing between the competent authority and designated provider on suspected scam or malicious cyber activities;
• Acting on information to proactively detect, prevent and disrupt scams or malicious cyber activities;
• Facilitating criminal investigations into scams or malicious cyber activities;
• Providing payment protection mechanisms for online payments;
• Facilitating the administration of the OCHA including by providing relevant information to a competent authority.

How could it be relevant for you?

Online service providers, including app stores, Internet access service providers and operators of other online platforms, can potentially be issued directions by the authorities when the OCHA comes into effect. These directions may require online service providers to block online material, restrict accounts and remove apps from app stores, amongst others.

Designated online service providers may also be required to comply with detailed requirements under a code of practice to implement systems, processes and measures to counter scams and malicious cyber activities.

Next steps

As the OCHA has yet to take effect, it remains to be seen in what circumstances the authorities will exercise the new powers under the OCHA, and which online service providers the authorities will decide to designate for compliance with a code of practice. There will likely be more clarity on the regulatory approach after the authorities start to implement the new law. Online service providers should continue to monitor this space for further developments.

*Information is accurate up to 27 November 2023