Singapore High Court denies first-ever private action brought under the PDPA
What is the definition of “loss or damage”, a threshold requirement which data subjects need to satisfy to pursue a right of private action under the Personal Data Protection Act 2021 (the PDPA)? Specifically, will emotional distress and/or loss of control over personal data suffered by data subjects fall within the definition of “loss or damage”?
The key takeaway
The Singapore High Court’s decision to adopt a purposive and narrow interpretation of “loss or damage”, which excludes emotional distress and loss of control over personal data, lowers the potential litigation risk arising from private actions under the PDPA by affected data subjects. They must now prove that the misuse of personal data results in financial loss, damage to property and personal injury, such as psychiatric illness, in order to pursue a private action.
Given the novelty and importance of the questions raised in the case, the respondent has since been granted leave to appeal to the Court of Appeal (Singapore’s court of final appeal).
Alex Bellingham (Bellingham), a marketing consultant, used personal data obtained from his former employers to market a new investment fund to Michael Reed (Reed). This prompted Reed, a client of Bellingham’s former employers, to question how Bellingham was able to obtain his personal data. Reed subsequently joined Bellingham’s former employers in court proceedings before the District Court for an injunction under the PDPA to restrain Bellingham from using, disclosing or communicating to any person, any personal data of Reed (alongside two other clients). The District Court granted Reed’s injunction (but not Bellingham’s former employers’ application for the same as they were not the affected data subjects), which Bellingham subsequently appealed to the High Court.
Under the then-section 32 (now section 48O) of the PDPA, data subjects who suffer “loss or damage” directly as a result of contravention of specific sections of the PDPA have a right of private action to pursue monetary damages, injunctive relief and/or other remedies. However, as the PDPA does not define “loss or damage”, the scope of the provision remained unclear until this decision.
In its decision on 25 May 2021, the High Court firstly found that Bellingham had breached Part IV of the PDPA by, among others, failing to obtain Reed’s consent before using his name, email address and the fact that he was an existing investor of Bellingham’s former employers to market investment services.
However, the High Court held that “loss or damage” must refer only to heads of loss or damage applicable to torts under common law – namely financial loss, damage to property and personal injury, including psychiatric illness. Broader concepts of emotional harm (such as humiliation, loss of dignity, injury to feelings and distress) and/or loss of control over personal data were not covered. On this point, the Court recognised that there is no general right to privacy under Singapore law, and they mainly relied on the statutory purpose and context of the PDPA to reach their decision.
On the facts, the High Court further found that Reed did not suffer any financial loss, psychiatric injury or nervous shock as a result of Bellingham’s contraventions. As a result, the appeal was allowed, and the injunction was set aside pending the decision of appeal.
Why is this important?
This is the first ever decision by the High Court on the right and scope of a private action under the PDPA since its enactment in 2012. Of particular importance is the court’s finding that the purpose of the PDPA was as much to enhance Singapore’s competitiveness and position as a trusted business hub, as it was to safeguard individual personal data against misuse. The Court noted that the position in Singapore differed from the positions in other jurisdictions, such as the EU, where the data protection frameworks were driven primarily by the need to recognise the right to privacy.
Any practical tips
Where an individual cannot establish the threshold under section 32 (now section 48O) PDPA, remedies can still be sought through the Personal Data Protection Commission (PDPC), whose powers include giving directions to the infringer to (a) stop collecting, using or disclosing personal data; and/or (b) destroy all personal data collected in contravention of the PDPA. Regarding PDPC’s regulatory powers, it has recently released a Guide on Managing and Notifying Data Breaches, with key information on the mandatory data breach notification obligations introduced under the newly amended PDPA, including the criteria, timelines and information to be provided when notifying data breaches. The Personal Data Protection (Notification of Data Breaches) Regulations 2021 sets out comprehensively such information, including the various classes of personal data deemed to result in “significant harm” to affected individuals if compromised in a data breach.