Data Protection in Singapore Strikes a Balance

Feature image

A lot of people in Singapore know about the Personal Data Protection Act in Singapore (PDPA). A lot of people also know about the Personal Data Protection Commission (PDPC). The PDPC enforces the PDPA. The PDPC has a good reputation amongst most Singaporeans for its proactive approach to protecting the personal data of ordinary Singaporeans. To most people, this is the data protection regime in Singapore. Full stop.

Far fewer people (and I dare say professionals too) are aware that there is a “right to private action” hidden somewhere in the PDPA. Section 48O, to be exact.

Now who would want to experience the stresses of litigation , paying legal fees (most of which can't be recovered) and the prospect of losing?

Someone with an axe to grind, like the parties in Bellingham v. Reed. It's the first case to test the right to private action in the High Court of Singapore (and possibly the Court of Appeal as well). As a result of the parties' honourable public service, we now know the limitations of the right to private action.

A Private Action Goes Nowhere

This tortured litigation started when a fund manager moved to a competitor. To drum up the new business, the fund manager contacted a potential customer using information from his previous role. What started as a breach of confidence action suddenly morphs into a data protection action when the fund manager's ex-employers added the affected data subject to the litigation.

In the court below, the data subject obtained a court order for the fund manager to stop using his data. This was in spite of the fund manager already stating clearly that he would not be using the personal data of the data subject or contacting him.

The appeal turns on whether the data subject suffered “loss and damage” as a result of the breach of the PDPA. On the facts, a monetary loss seems far-fetched. The data subject argued instead that he suffered “distress and loss of control over personal data”. This wasn't a type of damage commonly recognised under the law, like personal injury or monetary loss. Did the PDPA create a new kind of damage to be found under a private action?

The High Court held that the answer is no. The PDPA “was not driven by the need to protect an absolute or fundamental right to privacy”. A “privacy right” was not part of Singapore's constitution or implied by Singapore's international obligations. The Court commented that:

The purpose of the PDPA was as much to enhance Singapore’s competitiveness and to strengthen Singapore’s position as a trusted business hub as it was to safeguard individuals’ personal data against misuse.

Since the data subject only suffered distress and loss of control over personal data, which were not recognised under the law, the appeal succeeded and the data subject's orders was set aside.

Leave the Private Action Behind

Oddly, the balance struck here could eviscerate the private action under the PDPA. What kind of damages can an affected individual claim for a breach of data protection obligations other than distress and loss of control over their own data?

On the key question of whether the PDPA's private action recognises new heads of damages such as emotional distress or loss of control over personal data, I don't expect the Court of Appeal to come up with a different answer. There might be alternative explanations, but the policy behind it is quite clear.

Firstly, a right of private action would probably end up with lots of litigation against companies, many of which can be for fairly minor breaches. We might be using too much judicial resources on many small matters. Companies might end up being stuck in a mire of lawsuits instead of innovating.

Secondly, many of the structures of the legal system in Singapore would not benefit such private actions. This includes the nearly complete absence of class action suits in Singapore. A private suit is likely to be an exhausting and expensive affair, which would leave many individuals out in the first place.

Thirdly, and this was recognised at the High Court at paragraph 94, there are better avenues for individuals to vindicate themselves. Most importantly, the PDPC has powers to enforce the PDPA, and many of these remedies mirror what an individual would most likely want from an action. This includes the dreaded financial penalty, the basis of which is on compliance with law rather than what loss or damage was suffered. It's notable that an affected individual can appeal the PDPC's decision.

Will Increased Penalties Lead to Greater Compliance With the PDPA?When the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, was at stake. Several companies scrambled to get their houses in order.Love.Law.Robots.Houfu

Furthermore, the Protection of Harassment Act (which has received far more attention from the government) could provide a more effective route for any intrusion into privacy.

So even though it appears odd that the private action would be extremely limited under the PDPA, this “balance” might be palatable. The private action looks likely to remain as a relic for the most irrational parties. It speaks volumes that the only reported case of a private action in more than 5 years of the PDPA is going to the Court of Appeal.

Is a Constitutional Right necessary?

While I agreed with the result, the reasoning left me unsatisfied. By adamantly insisting that the PDPA was different from other privacy and data protection regimes in western liberal democracies, the High Court appeared to suggest that we compromised something by striking a balance. Or worse, that we are involved in a switch and bait whereby we have meaningless rights in the PDPA.

Any talk about human rights should keep a close eye on its efficacy, in this case whether data subjects can enforce their rights effectively. It's quite clear that individuals can't realistically take companies to task on data protection on their own. The PDPC has had far more success using its enforcement powers.

So, maybe the Court of Appeal can come up with a better way to explain this. However, I wouldn't be holding my breath on this one. This case is a rare sighting, and cases like this will remain rare.

In the meantime, we should train our focus on the PDPC. Full stop.

#Privacy #Singapore #Law

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu