Introduction
Every organisation manages its fair share of personal data. In order to ensure that such data is duly secured and protected, it is critical to ensure compliance with the Personal Data Protection Act 2012 (“PDPA“). The PDPA prescribes standards and outlines legislative requirements governing the collection, use, disclosure and care of personal data in Singapore.
While the PDPA stipulates organisation obligations when managing personal data, the applicability of specific prohibitions and exceptions at play has little local judicial precedent. This is especially so in more complex factual scenarios not explicitly addressed in regulations or guidelines. This was precisely the case in Martin Piper v Singapore Kindness Movement [2024] SGDC 292, in which the Court had to determine (i) whether the organisation in question had breached specific provisions of the PDPA; and (ii) whether the claimant suffered loss or damage directly as a result of the contravention.
In this case, the claimant individual had reached out to the defendant organisation, making a complaint about a member of the defendant’s affiliate. Following various correspondence, the claimant was eventually connected with this member via email, leading to the disclosure of his name and email address. The claimant brought this action against the defendant, alleging that it had breached the PDPA by disclosing his personal data to the member, leading to loss and/or damage and emotional distress.
The Court considered certain key provisions of the PDPA such as sections 13, 14 and 18, elucidating valuable insight on the operation of these provisions. In particular, the Court considered (i) when an individual may be deemed to have consented to the disclosure of his personal data for specific purposes; and (ii) when the statutory exceptions to the consent obligation come into operation.
On the facts, the Court found that the defendant had not breached its PDPA obligations, and that the claimant was deemed to have consented to the disclosure of his identity by the defendant in the course of the defendant investigating the complaint. Moreover, even if, arguendo, there was a data breach, there was no demonstrable loss or damage directly resulting from the alleged contravention.
The defendant was successfully represented by Gregory Vijayendran SC and Meher Malhotra of Rajah & Tann Singapore LLP.
Brief Facts
The claimant had sent an email to the defendant, a registered charity, in his full name and from his email account. The email was a complaint against one Ms Loi, the co-founder of an affiliate of the defendant. The claimant alleged that Ms Loi was attempting to use the name of the affiliate to promote discriminatory material via a Telegram chat group, and he hoped that the defendant would reach out to Ms Loi, gain control over the Telegram chat group and remove the offending material.
What followed was a series of correspondence between the defendant and Ms Loi on one side, and the defendant and the claimant on the other side, with the upshot being that no resolution was reached. The defendant eventually emailed Ms Loi, copying the claimant and setting out the chain of correspondence between the defendant and the claimant, stating that it would be best for her to respond to the claimant directly.
The claimant contended that, by emailing Ms Loi and disclosing his name and email address, the defendant had breached the obligations it owed to the claimant under the PDPA, and that the alleged contraventions led to the claimant suffering losses and damages, as well as emotional distress.
The Court considered two key issues:
- Whether the defendant contravened the PDPA – specifically, whether the defendant had breached the consent obligation or the purpose obligation, and whether it could rely on any of the consent exceptions; and
- Whether the claimant suffered any financial losses or emotional distress as a result of the alleged contraventions.
Holding of the Court
The Court held that the claimant failed to prove that the defendant had contravened the PDPA. The claimant also failed to show that the disclosure of his identity by the defendant had directly caused him loss or damage.
Consent obligation
One of the obligations under the PDPA is the consent obligation, under which an organisation may only collect, use or disclose personal data for purposes which an individual has given his consent to. Consent need not be express; it can also be deemed. In particular, section 15 of the PDPA provides that an individual is deemed to consent to the collection, use or disclosure of his personal data for a purpose if: (i) he voluntarily provides the personal data to the organisation for that purpose; and (ii) it is reasonable that the individual would voluntarily provide the data.
In reaching its decision, the Court set out the following principles relating to deemed consent:
- When an individual voluntarily provides his personal data to an organisation for a purpose, he is presumed to have consented to the collection, use or disclosure of the personal data. This gives rise to a presumption of consent.
- This presumption can be displaced by the individual making an express request to limit the use and disclosure of the personal data provided. The onus is on the individual to make such a request.
On the facts, the Court found that, having provided his identity in making the complaint, the claimant was deemed to have consented to the disclosure of his identity by the defendant for the purpose of the defendant acting on the complaint.
- The claimant had provided his identity to the defendant for the purpose of the defendant acting on his complaint about Ms Loi. The claimant had also testified in court during cross-examination that it was reasonable for him to have voluntarily provided his personal data to facilitate the defendant’s investigation.
- It was clear that the claimant had made a complaint to the defendant of a serious nature, wanting it to be investigated. It was reasonable that the claimant would voluntarily provide his identity for that purpose (i.e., to get the defendant acting on the complaint).
- The defendant had acted reasonably in the circumstances in disclosing the claimant’s identity in the course of investigating the complaint as it was the most effective way for the defendant to conduct an investigation into the claimant’s conduct.
- The claimant did not at any time request for his complaint to be anonymised, despite it being open to him to do so.
The Court thus held that the defendant had acted in accordance with the PDPA with regard to the consent obligation.
Notification obligation
Another obligation under the PDPA is the notification obligation, under which an organisation must notify individuals of the purposes for which they intend to collect, use or disclose their personal data. An organisation may only collect, use or disclose personal data that the individual has been informed of. However, this does not apply if the individual is deemed to have consented to the collection, use or disclosure of the personal data.
As outlined above, the Court found that the claimant was deemed to have consented to the disclosure of his personal data. There was thus no requirement that the claimant be notified or provided with information on the purposes of the collection, use or disclosure of his personal data. Accordingly, the defendant had not breached its notification obligation.
Consent exceptions
The PDPA provides certain consent exceptions, in which the organisation may collect, use or disclose the personal data about an individual without his consent. This includes where: (i) it is necessary for any purpose which is clearly in the interests of the individual; or (ii) it is necessary for any investigation or proceedings.
The Court held that the defendant did not have to avail itself of the consent exceptions as the Court had already found that it had not breached the relevant obligations. For completeness however, the Court opined that the consent exceptions did not apply in the present circumstances.
The Court made the following observations on the application of the exceptions:
- With regard to the exception for the interests of the individual, this would refer to matters of personal health and safety of an urgent nature.
- With regard to the exception for investigations, this must be an investigation relating to an identified and specified wrong that is actionable in law.
Loss or distress
Although the ruling on breach was sufficient to dispose of the action in favour of the defendant, for completeness, the Court analysed the second issue and held that the claimant had failed to show that he suffered any financial losses or emotional distress directly resulting from the alleged contraventions of the PDPA.
The claimant’s case was that he had suffered loss and distress due to (i) an action filed by Ms Loi under the Protection from Harassment Act 2014 (“POHA“); (ii) Ms Loi’s chronicling and publishing the process of the POHA action in a public Facebook album; and (iii) the defendant being dismissive in its response when the claimant attempted to seek an explanation from the defendant about the disclosure of his identity.
The Court highlighted that any loss or damage claimed under Section 48O of the PDPA (right of private action) must be caused directly by the disclosure of the identity by the defendant. This strict causal link is prescribed by statute and has been endorsed by the Court of Appeal decision of Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] 2 SLR 1156.
Based on this approach, the Court held that there was no direct link between the disclosure of the claimant’s identity and the alleged losses suffered. The Court observed that while it may seem intuitive that the disclosure of the claimant’s identity led to Ms Loi filing the POHA action, which in turn led to the publishing of the Facebook album, the direct causal requirement under section 48O was to be stringently applied. In any event, the Court found that there was no evidence to show that the claimant had suffered emotional distress within the meaning of section 48O of the PDPA.
Concluding Words
While the need to protect personal data in an organisation’s control may seem straightforward, the decisions an organisation has to make in situations which may require the disclosure or use of such personal data can often exist in grey areas rather than in black and white. Organisations would have to balance the need to comply with its obligations under the PDPA to protect an individual’s personal data with the needs of the organisation to collect, use or disclose the personal data for purposes that a reasonable person would consider appropriate in the circumstances.
The decision of the Court here is salutary and provides instructive judicial guidance on, and a clear enunciation of, the proper balance to be struck between the rights of the individual and the organisational needs under the PDPA. In particular, the case sheds light on the availability and scope of deemed consent (including when an individual may be deemed to have consented to the collection, use or disclosure of his personal data). It also provides insight on the scope and limitations of the consent exceptions in the PDPA. Finally, this decision is a valuable illustration of the stringent nexus necessary to make civil claims for disclosure of personal data. It underscores the stringent direct causal link requirement to be applied for private actions under section 48O of the PDPA seeking to recover alleged losses and/or damages.
For further queries, please feel free to contact our team.