BR Law Corporation
br@brlawcorp.com +65 6899 9888
  • Our Team
  • Practice Areas
  • News and Insights
  • Join Us
  • Contact Us
br@brlawcorp.com +65 6899 9888

PDPA Data Protection Obligations – First Looks At Enforcement

 
24 March 2015
Dharma Sadasivan
Picture
​The data protection provisions of the Personal Data Protection Act 2012 ("PDPA") came into effect on 02 July 2014. It has now been 8 months since the data protection provisions have been in force and we are beginning to see an awareness of data protection and privacy rights emerge in the general public. Accordingly, we're also beginning to see news reports raising the question of whether there have been breaches of the PDPA.

In particular, I thought 2 recent news reports were rather interesting.
The first article relates to a cab passenger who was caught on video rudely berating the cab driver. The video was uploaded by the cab driver's daughter. Although the passenger's face is hidden, his voice is audible. The passenger's alleged details have since been leaked online, including his name, phone number, address, and occupation.

In this article, lawyer Michael Loh opines that "the video revealed only the passenger's voice and not his appearance, so the passenger's identity cannot be verified from the clip alone...The taxi driver installed the in-car camera as a security measure, not for commercial use, and the passenger's identity was not disclosed. So, strictly speaking, this does not violate the Personal Data Protection Act."

In this regard, reasonable minds can differ. I suspect that there may have been 3 instances of possible breach:

First: Breach vis a vis the collection of the passenger's personal data inside the taxi (if there was no notification):
  • It doesn't matter that the in-car camera was installed for security measures instead of commercial uses. The PDPA applies to all non-public agency organizations collecting personal data, and there are no exemptions for the collection of personal data for private security purposes.
  • If there was no notification of the fact of and purposes for collection of the personal data, the cab driver cannot rely on implied consent to the collection of the personal data. It is unclear if the passenger even knew of the presence of a security camera.
  • I'm not convinced that the passenger's identity was not disclosed. Notwithstanding the fact that his face was not visible, clearly enough information about him must have been collected to identify him because netizens appear to actually have identified him (and leaked his personal data online).

Second: Breach by the daughter who uploaded the video on the grounds that she disclosed his personal data without his consent.

Third: Breaches by the netizens who leaked the passenger's personal data, on the grounds that they collected and disclosed his personal data without his consent.

That said, there is an argument to be made in the third instance that so long as the netizens dug up the information from public sources, it was publicly available data and is therefore exempted. A lot of personal data may be found online (albeit scattered all over the internet) and it's not clear whether the PDPC would consider "mosaicking" small pieces of publicly available personal data to build one comprehensive personal data profile in order to make it easily accessible to others, something that ought to be protected under the "publicly available data" exemption as a matter of policy. The increasing volume of internet vigilantism utilizing leaks of personal data to "name and shame" individuals brings this issue into sharp focus, and calls into question whether there should be qualifications to the "publicly available data" exemption.

The second article that I thought was interesting relates to a primary school accidentally releasing the personal data of more than 1,900 students (such as their names and birth certificate numbers), and their parents (including names, phone numbers, email addresses). This leak is particularly provocative because it involves the personal data of minors, and the fact that the birth certificate numbers would generally be considered sensitive in nature and deserving of stronger forms of protection than normal personal data.

While the parents hoped for recourse, the Personal Data Protection Commission ("Commission") said that Ministry of Education ("MOE") schools are exempt from the PDPA as public agencies, which are governed by their own rules. I am given to understand that these rules are broadly similar to the obligations under PDPA, but they are set out in confidential government manuals which I have no sight of, and I cannot verify this.

As Asiaone reported, "lawyer Bryan Tan...noted that in situations not covered by the Personal Data Protection Act, the public has no recourse and 'only moral suasion'." However lawyer Gilbert Leong said that "if parents suspect their data has been sold to a third party, they can complain to MOE and the Commission, which can investigate complaints and charge wrongdoers in court."

Again, reasonable minds can differ and I find the latter interpretation unconvincing.

The PDPA provides an individual who has suffered damage or loss as a result of an organization's breach of the PDPA with a private right of action against that organization (i.e. you can sue the organization). But this is a statutory right of private action arising out of section 32 of the PDPA.

Similarly, as Gilbert points out, individuals can complain to the Commission, which is empowered to investigate breaches and give directions, including charging wrongdoers in court if they have committed offences. However the Commission's powers also arise from the PDPA, and they are granted in relation to breaches of the PDPA. 

It therefore seems unlikely to me that the scope of such powers would (or should) also extend beyond the remit of the PDPA to encompass entities that are exempted from PDPA compliance. If, as Gilbert says, the wrongdoers can be charged in court, it seems to me that the charges would need to be on a basis other than a breach of the PDPA. (Quite separately, and for completeness, the MOE has no right to investigate, give directions or prosecute breaches under the PDPA, although it may have independent rights to sanction schools under its purview.)

So if individuals have no recourse against public agencies, what then? 

That's precisely the question to which, at present, there seems to be no clear answer - even in a case where sensitive personal data of minors was leaked.

It will be interesting to see whether the PDPC takes any further steps in dealing with the leak of personal data by the school, or if it chooses to be involved at all.

Comparisons with other Asian countries
It's worth noting that many bodies of comprehensive privacy legislation in Asia have begun with legislation governing the public sector - for example: Japan's "Act on the Protection of Computer Processed Data Held by Administrative Organs" in 1988, Taiwan's "Computer Processed Personal Data Protection Act" of 1995 that dealt generally with the public sector and only specific private sectors, and South Korea's "Public Agency Data Protection Act" of 1995.

By contrast, the PDPA regulates only the private sector and we have no visibility over whether the public sector is regulated, and if so, to what extent.

Until we have a truly comprehensive privacy framework that extends to public agencies and provides an enforcement mechanism with some form of recourse against public agencies in breach, it looks like our data protection framework is really only half-complete.

​
Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com

Post date. Edit this to change the date post was posted. Does not show up on published site. 24/3/2015


Your comment will be posted after it is approved.


Leave a Reply.

    We're Here To Help

    Our team welcome any comments or questions and will gladly assist you with your enquiry. You can call us on +65 6899 9888 or fill out our simple contact form. 

    Disclaimer

    The materials in these articles have been prepared for general informational purposes only and are not legal advice or a substitute for legal counsel. If you require legal advice for your particular circumstances, please consult a suitably qualified legal counsel. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. You should not rely or act upon this information without seeking professional counsel. Whilst we endeavour to ensure that the information in these articles is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. The authors of the articles are or were employees of BR Law Corporation at the time of  publication, but may no longer be, now or in the future, in the employ of the firm.

    Subscribe to our Newsletter

    Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.
    Subscribe to Newsletter

    RSS Feed

    Categories

    All
    Awards And Accolades
    Commercial Transactions
    Conveyancing
    Corporate Law
    COVID19
    Criminal Law
    Dispute Resolution
    Family And Matrimonial Law
    Intellectual Property
    International Law
    Personal Data Protection
    Probate And Administration
    Technology
    Wills And Trusts

    Archives

    November 2022
    June 2022
    May 2022
    April 2022
    March 2022
    November 2021
    October 2021
    September 2021
    July 2021
    May 2021
    April 2021
    October 2020
    September 2020
    July 2020
    May 2020
    April 2020
    January 2020
    October 2019
    June 2019
    March 2019
    February 2019
    January 2019
    December 2018
    August 2018
    July 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    September 2017
    August 2017
    January 2017
    September 2016
    March 2015
    January 2015
    July 2014
    June 2014
    May 2014
    April 2014

Firm Brochure

Download

Practice Areas

Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law.
Subscribe to Newsletter

Contact Us

br@brlawcorp.com
 
Main Branch - Republic Plaza
9 Raffles Place
#08-03 Republic Plaza
Singapore 048619
+65 6388 1717 Telephone
+65 6394 7398 Fax

Branch Office - Bank of China
4 Battery Road #29-00
Bank of China
Singapore 049908
+65 6899 9888 Telephone
+65 6338 5377 Fax

Branch Office - United Square
101 Thomson Road
#26-02/04 United Square
Singapore 307591
+65 6336 1717 Telephone
+65 6394 7318 Fax

Awards and Accolades

Picture
Terms of Use​  •  Privacy Statement
​© Copyright 2018 BR Law Corporation. Registered in Singapore (UEN: 200312051N).