(1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd [2021] SGPDPC 5

Analysis of [2021] SGPDPC 5, a decision of the Personal Data Protection Commission on 2021-06-23.

Case Details

  • Citation: [2021] SGPDPC 5
  • Court: Personal Data Protection Commission
  • Date: 2021-06-23
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: (1) NUInternational Singapore Pte Ltd; (2) Newcastle Research and Innovation Institute Pte Ltd
  • Legal Areas: Data Protection – Transfer Limitation obligation
  • Statutes Referenced: Personal Data Protection Act
  • Cases Cited: [2020] SGPDPC 20, [2020] SGPDPC 21, [2021] SGPDPC 5
  • Judgment Length: 6 pages, 1,314 words

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated a ransomware attack that affected databases belonging to two Singapore-based organizations, NUInternational Singapore Pte Ltd and Newcastle Research and Innovation Institute Pte Ltd. The investigation found that the organizations had failed to comply with the Transfer Limitation Obligation under the Personal Data Protection Act (PDPA) when transferring personal data of Singaporean individuals to their parent company in the United Kingdom and a related company in Malaysia. The PDPC directed the organizations to take remedial measures to ensure compliance with the PDPA's requirements for cross-border data transfers.

What Were the Facts of This Case?

On 17 September 2020 and 13 November 2020, the PDPC was notified of a ransomware attack affecting databases belonging to NUInternational Singapore Pte Ltd and Newcastle Research and Innovation Institute Pte Ltd (collectively referred to as "the Organisations"). The ransomware infected a database in the United Kingdom, managed by the Organisations' ultimate parent company, and a database in Malaysia, hosted by a related company of the Organisations. These databases contained the personal data of 1,083 and 194 Singapore-based individuals respectively, including staff members, undergraduates, and postgraduate students of the Organisations. The personal data, comprising names and user account identifications, was exfiltrated by the threat actor.

The Organisations had previously transferred the personal data of these Singapore-based individuals to their parent company in the United Kingdom and the related company in Malaysia. However, the PDPC found that the Organisations had failed to put in place the necessary safeguards to ensure that the transferred data would be protected to a standard comparable to that under the PDPA.

The key legal issue in this case was whether the Organisations had complied with the Transfer Limitation Obligation under Section 26(1) of the PDPA when transferring personal data of Singaporean individuals to their parent company in the United Kingdom and a related company in Malaysia.

Section 26(1) of the PDPA stipulates that an organization shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA to ensure that organizations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA.

How Did the Court Analyse the Issues?

The PDPC, represented by Deputy Commissioner Yeong Zee Kin, analyzed the Organisations' compliance with the Transfer Limitation Obligation under the PDPA and the accompanying Personal Data Protection Regulations 2014 (the "Transfer Regulations 2014").

The Transfer Regulations 2014 (and the more recently amended Transfer Regulations 2021) provide for various mechanisms to ensure compliance with the Transfer Limitation Obligation, such as through legally enforceable obligations under any law, contracts, binding corporate rules, or other legally binding instruments. The PDPC noted that within a group of companies, the use of intra-group agreements and binding corporate rules is a common approach for cross-border data transfers, as it allows the group to establish a bespoke internal governance system to ensure the proper management of personal data across the group.

However, the PDPC found that the Organisations did not put in place any intra-group agreements, binding corporate rules, or other legally binding instruments to ensure that the personal data transferred to their parent company in the United Kingdom and the related company in Malaysia would be protected to a standard comparable to that under the PDPA, as required by Regulation 10(1) of the Transfer Regulations 2014 (now Regulation 11(1) of the Transfer Regulations 2021).

The Organisations argued that they had met the Transfer Limitation Obligation by virtue of the fact that the laws of the United Kingdom applied to the receiving organizations within their group. However, the PDPC was not satisfied that the Organisations had conducted a proper analysis to conclude that the data protection system governing the receiving organizations would provide comparable protection before the transfers took place. The PDPC stated that post-facto justification would not be accepted.

The PDPC also considered the Organisations' argument that they had obtained consent from 44 of the 1,083 Singapore-based individuals whose personal data was transferred to the parent company in the United Kingdom. While the Transfer Regulations 2014 (and 2021) do provide for the Transfer Limitation Obligation to be met through obtaining the consent of individuals, the PDPC found that the Organisations did not provide the required written summary to these individuals, as mandated by Regulation 9(4) of the Transfer Regulations 2014 (now Regulation 10(3) of the Transfer Regulations 2021).

What Was the Outcome?

Based on the findings, the PDPC determined that the Organisations had failed to discharge their Transfer Limitation Obligation under Section 26 of the PDPA. The PDPC directed the Organisations to take the following remedial measures within 30 days:

  1. Put in place intra-group agreements or binding corporate rules for compliance with Section 26 of the PDPA in relation to any personal data transferred out of Singapore.
  2. If relying on consent, review and make the necessary changes to their consent and notification processes for compliance with Section 26 of the PDPA and Regulation 10(3) of the Transfer Regulations 2021 in relation to any personal data transferred out of Singapore.
  3. Inform the PDPC of the completion of the above within 7 days of implementation.

Why Does This Case Matter?

This case is significant as it highlights the importance of organizations complying with the Transfer Limitation Obligation under the PDPA when transferring personal data outside of Singapore. The PDPC's decision emphasizes that organizations must take appropriate steps to ensure that the recipients of transferred personal data are bound by legally enforceable obligations to provide a standard of protection that is at least comparable to that under the PDPA.

The case also underscores the PDPC's strict approach to enforcing the Transfer Limitation Obligation, as it rejected the Organisations' post-facto justifications and found that they had failed to meet the requirements even when relying on the consent of individuals. This sends a clear message to organizations that they must proactively and thoroughly assess the data protection measures in place before transferring personal data outside of Singapore.

The PDPC's directions in this case provide valuable guidance to organizations on the practical steps they should take to comply with the Transfer Limitation Obligation, such as the use of intra-group agreements, binding corporate rules, or proper consent and notification processes. Practitioners should closely follow this case and the PDPC's evolving approach to ensure their clients' cross-border data transfer practices are compliant with the PDPA.

This article analyses [2021] SGPDPC 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla