PDPA Data Protection Obligations – First Looks At Enforcement

24 March 2015

Dharma Sadasivan

​The data protection provisions of the Personal Data Protection Act 2012 ("PDPA") came into effect on 02 July 2014. It has now been 8 months since the data protection provisions have been in force and we are beginning to see an awareness of data protection and privacy rights emerge in the general public. Accordingly, we're also beginning to see news reports raising the question of whether there have been breaches of the PDPA.

In particular, I thought 2 recent news reports were rather interesting.

The first article relates to a cab passenger who was caught on video rudely berating the cab driver. The video was uploaded by the cab driver's daughter. Although the passenger's face is hidden, his voice is audible. The passenger's alleged details have since been leaked online, including his name, phone number, address, and occupation.

In this article, lawyer Michael Loh opines that "the video revealed only the passenger's voice and not his appearance, so the passenger's identity cannot be verified from the clip alone...The taxi driver installed the in-car camera as a security measure, not for commercial use, and the passenger's identity was not disclosed. So, strictly speaking, this does not violate the Personal Data Protection Act."

In this regard, reasonable minds can differ. I suspect that there may have been 3 instances of possible breach:

First: Breach vis a vis the collection of the passenger's personal data inside the taxi (if there was no notification):

• It doesn't matter that the in-car camera was installed for security measures instead of commercial uses. The PDPA applies to all non-public agency organizations collecting personal data, and there are no exemptions for the collection of personal data for private security purposes.
• If there was no notification of the fact of and purposes for collection of the personal data, the cab driver cannot rely on implied consent to the collection of the personal data. It is unclear if the passenger even knew of the presence of a security camera.
• I'm not convinced that the passenger's identity was not disclosed. Notwithstanding the fact that his face was not visible, clearly enough information about him must have been collected to identify him because netizens appear to actually have identified him (and leaked his personal data online).

Second: Breach by the daughter who uploaded the video on the grounds that she disclosed his personal data without his consent.

Third: Breaches by the netizens who leaked the passenger's personal data, on the grounds that they collected and disclosed his personal data without his consent.

That said, there is an argument to be made in the third instance that so long as the netizens dug up the information from public sources, it was publicly available data and is therefore exempted. A lot of personal data may be found online (albeit scattered all over the internet) and it's not clear whether the PDPC would consider "mosaicking" small pieces of publicly available personal data to build one comprehensive personal data profile in order to make it easily accessible to others, something that ought to be protected under the "publicly available data" exemption as a matter of policy. The increasing volume of internet vigilantism utilizing leaks of personal data to "name and shame" individuals brings this issue into sharp focus, and calls into question whether there should be qualifications to the "publicly available data" exemption.

The second article that I thought was interesting relates to a primary school accidentally releasing the personal data of more than 1,900 students (such as their names and birth certificate numbers), and their parents (including names, phone numbers, email addresses). This leak is particularly provocative because it involves the personal data of minors, and the fact that the birth certificate numbers would generally be considered sensitive in nature and deserving of stronger forms of protection than normal personal data.

While the parents hoped for recourse, the Personal Data Protection Commission ("Commission") said that Ministry of Education ("MOE") schools are exempt from the PDPA as public agencies, which are governed by their own rules. I am given to understand that these rules are broadly similar to the obligations under PDPA, but they are set out in confidential government manuals which I have no sight of, and I cannot verify this.

As Asiaone reported, "lawyer Bryan Tan...noted that in situations not covered by the Personal Data Protection Act, the public has no recourse and 'only moral suasion'." However lawyer Gilbert Leong said that "if parents suspect their data has been sold to a third party, they can complain to MOE and the Commission, which can investigate complaints and charge wrongdoers in court."

Again, reasonable minds can differ and I find the latter interpretation unconvincing.

The PDPA provides an individual who has suffered damage or loss as a result of an organization's breach of the PDPA with a private right of action against that organization (i.e. you can sue the organization). But this is a statutory right of private action arising out of section 32 of the PDPA.

Similarly, as Gilbert points out, individuals can complain to the Commission, which is empowered to investigate breaches and give directions, including charging wrongdoers in court if they have committed offences. However the Commission's powers also arise from the PDPA, and they are granted in relation to breaches of the PDPA. 

It therefore seems unlikely to me that the scope of such powers would (or should) also extend beyond the remit of the PDPA to encompass entities that are exempted from PDPA compliance. If, as Gilbert says, the wrongdoers can be charged in court, it seems to me that the charges would need to be on a basis other than a breach of the PDPA. (Quite separately, and for completeness, the MOE has no right to investigate, give directions or prosecute breaches under the PDPA, although it may have independent rights to sanction schools under its purview.)

So if individuals have no recourse against public agencies, what then? 

That's precisely the question to which, at present, there seems to be no clear answer - even in a case where sensitive personal data of minors was leaked.

It will be interesting to see whether the PDPC takes any further steps in dealing with the leak of personal data by the school, or if it chooses to be involved at all.

Comparisons with other Asian countries
It's worth noting that many bodies of comprehensive privacy legislation in Asia have begun with legislation governing the public sector - for example: Japan's "Act on the Protection of Computer Processed Data Held by Administrative Organs" in 1988, Taiwan's "Computer Processed Personal Data Protection Act" of 1995 that dealt generally with the public sector and only specific private sectors, and South Korea's "Public Agency Data Protection Act" of 1995.

By contrast, the PDPA regulates only the private sector and we have no visibility over whether the public sector is regulated, and if so, to what extent.

Until we have a truly comprehensive privacy framework that extends to public agencies and provides an enforcement mechanism with some form of recourse against public agencies in breach, it looks like our data protection framework is really only half-complete.

​
Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com