Search for:

This decision clarifies the ambit of the right of private action under the Singapore Personal Data Protection Act 2012 and sheds light on how the phrase “loss or damage” should be interpreted.

In brief

The Singapore Court of Appeal, in its recent decision of Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60, provides clarity on two provisions under the Personal Data Protection Act (“PDPA“). The first is section 4(1)(b), which states that the PDPA does not impose any obligation on any employee acting in the course of his or her employment with an organisation.

The second is the then section 32 (now section 48O), which allows individuals who suffer loss or damage as a result of an organisation’s contravention of the PDPA, the right to commence private action against the organisation.


Key takeaways

There are three main takeaways from this decision.

First, section 4(1)(b) is regarded as a defence for employees to prove that he/she engaged in the conduct in good faith during the course of his/her employment. The doctrine of vicarious liability cannot be imported into the section as it is contrary to the effect of section 4(1)(b), which is to exempt the employee from liability.

Secondly, the Court made clear that aggrieved individuals can decide between complaining to the Personal Data Protection Commission (“PDPC“) and commencing a private action against an organisation that contravenes the PDPA. A complainant need not make a complaint to the PDPC first before litigating under section 32.

Thirdly, the Court held that the phrase “loss or damage” includes emotional distress. The emotional distress must be suffered directly as a result of a contravention of PDPA’s provisions and the loss or damage suffered must not be trivial.

Even if the loss or damage suffered by the aggrieved individual is confined to emotional distress, the Court recognised that it is common for emotional distress to be the only loss or damage suffered, and individuals may still bring a claim against the organisation.

With aggrieved individuals having more than one avenue against the organisation and given the broad interpretation of “loss or damage”, this decision serves as a good reminder to  organisations that their liability is fault-based under the PDPA and they are to review their existing data protection policies and measures and ensure compliance with the PDPA. 

In further detail

Background

IP Investment Management Pte Ltd and IP Real Estate Investments Pte Ltd (the “Employers“) commenced a private action against their former employee, Alex Bellingham (the “respondent“). Amongst others, they sought to restrain the respondent from using Michael Reed’s (the “appellant“) and others’ personal data. The appellant received an email from the respondent regarding his investment activity in a particular fund, and was surprised how the respondent got hold of his personal email address and was aware of his investment activities.

The District Judge granted the appellant an injunction to restrain the respondent and an order that the respondent undertakes to destroy the appellant’s personal data that was in his possession. The respondent subsequently filed an appeal against the District Judge’s decision. The High Court judge allowed the appeal and was of the view that neither the loss of control nor personal data and emotional distress are recognised under section 32 of the PDPA.

Issues for determination before the Court of Appeal

It was accepted by both parties that the respondent was in breach of sections 13 and 18 of the PDPA. There were three issues that arose for the Court’s determination:

  • Whether section 4(1)(b) of the PDPA exempts the respondent from liability for breaching sections 13 and 18;
  • Whether “loss or damage” includes emotional distress or loss of control of personal data; and
  • Whether the appellant suffered emotional distress or loss of control of personal data.

Section 4(1)(b) does not exempt the respondent from liability

The Court held that section 4(1) is a defence that may be invoked by a party accused of breaching the PDPA to avoid liability. On the burden of proof, it is for the respondent to show that when the breaches of the PDPA occurred, he was an employee, and was acting in the course of his employment in committing the breach.

However, there was insufficient evidence to prove that the respondent was acting within the course of employment when he misused the personal data.

The Court also expressly declined the importation of the doctrine of vicarious liability into section 4(1)(b) of the PDPA due to the fundamental conceptual incompatibility between the two – an employer’s liability under the PDPA is fault-based whereas the doctrine of vicarious liability seeks to hold an employer liable through no fault of its own.

“Loss or damage” includes emotional distress but not loss of control of personal data

The Court adopted a purposive interpretation of section 32(1) of the PDPA (now section 48O(1)) and held that emotional distress can found a section 32 action. In support of this conclusion, the Court first looked to the legislative intent underlying section 32. It held that the parliamentary intention to promote the right of individuals to protect their personal data supersedes the presumptive common law position that emotional distress per se is not actionable.

Adopting a textual and contextual interpretation of the section, there is nothing that militates against the inclusion of emotional distress into the phrase “loss or damage”.

The Court acknowledged that it is common for emotional distress to be the only loss or damage suffered when there is a misuse of personal data. It does not matter that Singapore does not expressly recognise a right to privacy as it is “ordinary human experience” that the misuse of personal data will result in distress and anxiety.

The Court also considered the question of whether it will open the floodgates of litigation if “loss or damage” can be interpreted to include emotional distress, and considered the question moot with the following control mechanisms in place:

  • the loss or damage must have been suffered directly as a result of the contravention; and
  • there is no recourse for minimal loss (the de minimis principle).

However, the loss of control of personal data does not constitute “loss or damage” under section 32. This is because the loss of control of personal data (in one way or another) permeates every contravention of Part 4 to Part 6 of the PDPA. 

The appellant suffered emotional distress

In ascertaining whether there was emotional distress, the inquiry is whether the very individual before the court subjectively suffered emotional distress. That said, the court is still entitled to take into account how a reasonable person would have reacted in similar circumstances to assess the claimant’s subjective state of mind.

A multi-factorial approach should be adopted in assessing whether there was emotional distress. To this end, the Court helpfully laid down several non-exhaustive factors to be considered:

  • the nature of personal data involved in the breach (some categories of personal data, such as financial data, are likely to be sensitive);
  • the nature of the breach (whether the breach of the PDPA was one-off, repeated and/or continuing);
  • the nature of the defendant’s conduct (whether there was fraudulent or malicious intent);
  • risk of future breaches of the PDPA causing emotional distress to the claimant;
  • the actual impact of the breach on the claimant.

On the facts, the Court held  that the appellant did suffer emotional distress. While the appellant’s emails and the language used did not seem to suggest that there was distress, the conduct of both the appellant and the respondent must be taken into account. The appellant brought the issue to the attention of one of the Employers and the Employer was persuaded to demand an undertaking from the respondent to not misuse the personal data, which the respondent had refused to provide. Other factors that the Court took into account include the sensitive nature of the personal data involved and the attitude of the respondent when being confronted about the use of personal data.

* * * * *

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

Author

Andy Leck is the head of the Intellectual Property and Technology (IPTech) Practice Group and a member of the Dispute Resolution Practice Group in Singapore. He is a core member of Baker McKenzie's regional IP practice and also leads the Myanmar IP Practice Group. Andy is recognised by reputable global industry and legal publications as a leader in his field. He was named on "The A-List: Singapore's Top 100 lawyers" by Asia Business Law Journal 2018. In addition, Chambers Asia Pacific notes that Andy is "a well-known IP practitioner who is highlighted for his record of handling major trade mark litigation, as well as commercial exploitation of IP rights in the media and technology sectors. He's been in the industry for a long time and has always been held in high regard. He is known to be very fair and is someone you would like to be in the trenches with you during negotiations." Furthermore, Asian Legal Business acknowledges Andy as a leading practitioner in his field and notes that he “always gives good, quick advice, [is] client-focused and has strong technical knowledge for his areas of practice.” Andy was appointed by the Intellectual Property Office of Singapore (IPOS) as an IP Adjudicator to hear disputes at IPOS for a two-year term from April 2021. He has been an appointed member of the Singapore Copyright Tribunal since May 2010 and a mediator with the WIPO Arbitration and Mediation Center. He is also appointed as a Notary Public & Commissioner for Oaths in Singapore. He previously served on the International Trademark Association’s Board of Directors and was a member of the executive committee.

Author

Ren Jun Lim is a principal with Baker McKenzie Wong & Leow. He represents local and international clients in both contentious and non-contentious intellectual property matters. He also advises on a full range of healthcare, as well as consumer goods-related legal and regulatory issues. Ren Jun co-leads Baker McKenzie Wong & Leow's Healthcare as well as Consumer Goods & Retail industry groups. He sits on the Law Society of Singapore IP Committee and on the Executive Committee of the Association of Information Security Professionals. He is also a member of the Vaccines Working Group, Singapore Association of Pharmaceutical Industries, a member of the International Trademark Association, as well as a member of the Regulatory Affairs Professionals Association. Ren Jun is ranked in the Silver tier for Individuals: Enforcement and Litigation and Individuals: Prosecution and Strategy, and a recommended lawyer for Individuals: Transactions by WTR 1000, 2020. He is also listed in Asia IP's Best 50 IP Expert, 2020, recognised as a Rising Star by Managing IP: IP Stars, 2019 and one of Singapore's 70 most influential lawyers aged 40 and under by Singapore Business Review, 2016. Ren Jun was acknowledged by WTR 1000 as a "trademark connoisseur who boasts supplementary knowledge of regulatory issues in the consumer products industry." He was also commended by clients for being "very responsive to enquiries and with a keen eye for detail, he is extremely hands-on. His meticulous and in-depth approach to strategising is key to the excellent outcomes we enjoy."

Author

Ken Chia is a member of the Firm’s IP Tech, International Commercial & Trade and Competition Practice Groups. He is regularly ranked as a leading TMT and competition lawyer by top legal directories, including Chambers Asia Pacific and Legal 500 Asia Pacific. Ken is an IAPP Certified International Privacy Professional (FIP, CIPP(A), CIPT, CIPM) and a fellow of the Chartered Institute of Arbitrators and the Singapore Institute of Arbitrators.

Author

Abe is a principal in our Singapore office. His main areas of practice include patents, trade secrets, copyright, and transactional IP for international and domestic clients. With over eleven years of legal experience as a lawyer and over ten years of technical experience as an engineer in the US and Canada, Abe is able to provide commercially oriented legal and technology-specific advice on a wide range of IP issues. Before joining our Singapore office in 2016, Abe was a lawyer in our Baker McKenzie offices in the US (where he passed the US patent bar examination and qualified as a US Registered Patent Attorney (limited recognition)) and Thailand.

Write A Comment