Singapore data protection update

Published on 15 September 2022

New guidance from the Court of Appeal for parties involved in an action against another individual for loss and damage suffered as a result of a contravention of the provisions of the PDPA.

On 9 September 2022, the Singapore Court of Appeal (“CA”) released its decision in Reed Michael v Bellingham, Alex (Attorney-General, Intervener) [2022] SGCA 60. This is the first decision by the CA relating to the Personal Data Protection Act (“PDPA”), and it has provided significant guidance, not just for individuals looking to commence actions under the PDPA, but also for employers where an employee alleges that the employer is responsible because the contravention was carried out within the course of his employment.

Brief facts

The respondent AB was employed as a marketing consultant by entities that were part of a group called IP Global (“Ex-Employers”). As part of that role, the respondent managed an investment fund known as the “Edinburgh Fund”.

In the second half of 2017, the respondent left his role and joined a competitor QIP as “Head of Fund Raising”. In August 2018, the respondent contacted the appellant MR (who was an investor in the Edinburgh Fund) on the latter’s personal email address with a view to offering the appellant further investment opportunities by QIP.

The appellant was concerned that the respondent knew his name, personal email address and investment activity in the Edinburgh Fund (collectively, the “Personal Data”). Among other things, the appellant responded to the respondent’s email wanting to know how the respondent had come to access the Personal Data and what steps he would take to protect it.

The respondent claimed that he obtained some of the Personal Data from LinkedIn, but did not provide the appellant with any further assurances relating to the Personal Data.

The appellant was joined as plaintiff to an action commenced by the Ex-Employers against the respondent under what was then s32 of the PDPA (which we shall refer to by its current section number, s48O) for an injunction restraining the respondent from using the appellant’s personal data, and an order that the respondent undertake to destroy the appellant’s personal data that was in his possession.

This was granted by the District Judge, but overturned on appeal to the High Court. The matter was then referred to the CA, which largely affirmed the District Judge’s decision.

What is s48O of the PDPA?

S48O of the PDPA grants a civil action for relief in Court to a person who suffers loss or damage directly as a result of a contravention of certain parts of the PDPA. Many issues were considered by the CA. We will summarise the key parts of the CA’s decision in terms of what they mean for:

1. individuals commencing actions under s48O,

2. individuals facing a claim under s48O, and

3. corporations who employed the individuals in (2).

For individuals commencing actions under s48O

The first important point to note is that the CA affirmed that a claimant could rely on emotional distress as part of “loss or damage”. This aligns the position in Singapore with the UK position expressed in Vidal-Hall and others v Google Inc (Information Commissioner intervening) [2016] QB 1003 where it was recognised that “distress… is often the only real damage that is caused by a contravention.”

The second point relates to the test such individuals need to meet in order to prove their case for loss or damage, which the CA enunciated for the first time. The CA identified a multi-factorial approach considering (1) the nature of the personal data involved in the breach, (2) whether the breach was one-off or continuing, (3) the nature of the defendant’s conduct, (4) the risk of future breaches causing emotional distress and (5) the actual impact of the breach on the claimant.

In finding in favour of the appellant, the CA placed particular emphasis on the fact that the respondent refused to give the appellant an undertaking not to use the Personal Data in the future. The CA appeared to take the view that the matter would have been resolved if the respondent had given such an undertaking in the course of his email exchange with the appellant. The CA also considered the actions taken by the appellant after receiving the initial email from the respondent (confronting the Ex-Employers and writing to the respondent) in considering whether emotional distress was in fact suffered.

For individuals defending actions under s48O

The first point to note relates to whether individuals are subject to obligations under the PDPA which apply to “organisations”. The respondent sought to argue that such obligations should only apply to business entities, not individuals. The CA swiftly rejected this position on the basis that the definition of an “organisation” in the PDPA included natural persons. One therefore should be careful when assuming that only corporate entities are subject to the obligations under the PDPA.

The second point to consider is the respondent’s attempt to rely on a defence in s4(1)(b) of the PDPA, which provides that the specific sections of the PDPA do not impose obligations on employees acting in the course of their employment. The CA held that it was too late for the respondent to try to rely on this provision as he had not adduced evidence of (1) what was done, (2) what the employment required him to do as an employee, and (3) whether the employee deliberately evaded practices set up by the employer to deter such action. It is therefore important for defendants to consider the defences in s4 of the PDPA early with their counsel.

Finally, we reiterate the finding that the respondent never undertook to not use the Personal Data in future. It is puzzling why the respondent did not do this in this case, as he had stated over email to the appellant that he would not be contacting the appellant again. Potential defendants should immediately obtain advice from legal counsel when faced with a potential claim under s48O so that appropriate remedial measures can be taken.

For employers

The CA considered the question of when an employer would be liable for the actions of an employee. It held that an employer’s liability under the PDPA was not strict, but fault-based. It reiterated that an employer would only be in breach of the PDPA if it fails to do what a reasonable person would consider appropriate in the circumstances.

As an example, the CA suggested that if an employer has developed and implemented policies and practices necessary for the organisation to meet its obligations under the PDPA, but a rogue employee takes pains to evade such supervision and thereby breaches the PDPA, it would be artificial to say that the employee was acting within the course of his employment.

This once again underscores the importance of employers ensuring that they have taken sufficient steps to ensure that their processes with regard to personal data collection, storage and use are compliant with the PDPA.