BR Law Corporation
br@brlawcorp.com +65 6899 9888
  • Our Team
  • Practice Areas
  • News and Insights
  • Join Us
  • Contact Us
br@brlawcorp.com +65 6899 9888

The Changing Nature of Data Intermediaries

 
6 December 2017
Dharma Sadasivan
Picture
I previously wrote about the dual nature of data intermediaries. In that post, I discussed how, under certain circumstances, a data intermediary may simultaneously be an organization in its own right, in relation to a particular set of personal data.
A recent decision (27 November 2017) from the Personal Data Protection Commission ("Commission") has raised yet another permutation in the ongoing development of case law relating to data intermediaries - the changing nature of the data intermediary. In this case, In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 and Social Metric Pte Ltd [2017] SGPDPC 17, we see an organization's status change from "data intermediary" to "organization", in relation to a particular set of personal data.
 
The facts of the case salient to this point are as follows:

  1. Social Metric Pte Ltd (the "Company") is a digital marketing agency that provides social media marketing services. It built nine webpages (the "Webpages"), for internal administrative use by the Company and its clients, containing tables populated with the personal data of its clients' customers. The Webpages contained personal data that included names, email addresses, contact numbers, employers, occupations, and other information. Two of the nine Webpages contained the personal data (names and ages) of children. Almost all of the personal data was collected before the Personal Data Protection Act 2012 came into full force on 02 July 2014 (the "Appointed Day").

  2. Some of the Company's social media marketing campaigns had ended before the Appointed Day.
 
In this case, the Commission took the view that (i) the Company was a data intermediary because it was collecting personal data on behalf of its clients for their marketing campaigns; and (ii) posting the personal data online was also done in the Company's capacity as a data intermediary, as the webpages were also for the clients' marketing campaigns. Therefore, the Company was subject to only the Protection and Retention obligations in its capacity as a data intermediary, and was obliged to comply with these obligations from the Appointed Day onwards.
 
The Retention obligation is what this discussion focuses on. To briefly recap, the Retention obligation requires organizations to cease retaining the personal data where it is reasonable to assume that retention (i) no longer serves the purposes for which the personal data was collected; and (ii) is no longer necessary for legal or business purposes.
 
The Commission held that "it was when the marketing campaigns had ended, and Social Metric had held on to the personal data (which was still posted on the Website) for a longer period than was reasonable, that Social Metric can no longer be considered a data intermediary in relation to such activities".
 
Here we see the Commission articulating an interaction between the Retention obligation and the nature of the Company as a data intermediary. While the scope and application of the Retention organization is the same regardless of whether an organization is a data intermediary, the Commission seems to be saying that there is a consequence unique to data intermediaries if they retain personal data for longer than reasonable in their capacity as data intermediaries – that is, the data intermediary will no longer be considered a data intermediary in relation to that personal data.

To put this more bluntly – breaching the Retention obligation as a data intermediary can result in the "data intermediary" status being revoked in relation to a particular set of data.
 
This decision is not unprecedented. The UK and EU also take the position that a data processor (analogous to a "data intermediary") may become a data controller (analogous to an "organization") in its own right if it uses the personal data for its own purposes – in other words, beyond what is reasonable in its capacity as a data processor, including retaining it for longer than is reasonable. 

​
Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com

Post date. Edit this to change the date post was posted. Does not show up on published site. 6/12/2017


Your comment will be posted after it is approved.


Leave a Reply.

    We're Here To Help

    Our team welcome any comments or questions and will gladly assist you with your enquiry. You can call us on +65 6899 9888 or fill out our simple contact form. 

    Disclaimer

    The materials in these articles have been prepared for general informational purposes only and are not legal advice or a substitute for legal counsel. If you require legal advice for your particular circumstances, please consult a suitably qualified legal counsel. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. You should not rely or act upon this information without seeking professional counsel. Whilst we endeavour to ensure that the information in these articles is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. The authors of the articles are or were employees of BR Law Corporation at the time of  publication, but may no longer be, now or in the future, in the employ of the firm.

    Subscribe to our Newsletter

    Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.
    Subscribe to Newsletter

    RSS Feed

    Categories

    All
    Awards And Accolades
    Commercial Transactions
    Conveyancing
    Corporate Law
    COVID19
    Criminal Law
    Dispute Resolution
    Family And Matrimonial Law
    Intellectual Property
    International Law
    Personal Data Protection
    Probate And Administration
    Technology
    Wills And Trusts

    Archives

    August 2023
    July 2023
    June 2023
    May 2023
    February 2023
    November 2022
    June 2022
    May 2022
    April 2022
    March 2022
    November 2021
    October 2021
    September 2021
    July 2021
    May 2021
    April 2021
    October 2020
    September 2020
    July 2020
    May 2020
    April 2020
    January 2020
    October 2019
    June 2019
    March 2019
    February 2019
    January 2019
    December 2018
    August 2018
    July 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    September 2017
    August 2017
    January 2017
    September 2016
    March 2015
    January 2015
    July 2014
    June 2014
    May 2014
    April 2014

Firm Brochure

Download

Practice Areas

Subscribe to our quarterly newsletter to keep up to date with a wealth of insights from the BR Law.
Subscribe to Newsletter

Contact Us

br@brlawcorp.com
 
Main Branch - Republic Plaza
9 Raffles Place
#08-03 Republic Plaza
Singapore 048619
+65 6388 1717 Telephone
+65 6394 7398 Fax

Branch Office - Bank of China
4 Battery Road #29-00
Bank of China
Singapore 049908
+65 6899 9888 Telephone
+65 6338 5377 Fax

Branch Office - United Square
101 Thomson Road
#26-02/04 United Square
Singapore 307591
+65 6336 1717 Telephone
+65 6394 7318 Fax

Awards and Accolades

Picture
Terms of Use​  •  Privacy Statement
​© Copyright 2018 BR Law Corporation. Registered in Singapore (UEN: 200312051N).