Case Details
- Citation: [2018] SGPDPC 5
- Court: Personal Data Protection Commission
- Date: 2018-05-10
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Actxa Pte. Ltd.
- Legal Areas: Data Protection – Consent obligation, Data Protection – Purpose limitation obligation, Data Protection – Personal data
- Statutes Referenced: Personal Data Protection Act 2012 (PDPA)
- Cases Cited: [2018] SGPDPC 5
- Judgment Length: 18 pages, 4,792 words
Summary
This case concerns Actxa Pte. Ltd., a company that develops and sells healthcare and fitness-related Internet of Things (IoT) devices such as "smart" weighing scales and wearable fitness trackers. The key issue is whether Actxa obtained valid consent from its customers for the collection, use, and disclosure of personal data through these IoT devices and the accompanying mobile application, the Actxa App. The Personal Data Protection Commission found that Actxa's privacy policy was inadequate and did not properly notify customers of the purposes for collecting personal data, thereby breaching its consent and purpose limitation obligations under the Personal Data Protection Act 2012 (PDPA).
What Were the Facts of This Case?
Actxa Pte. Ltd. ("the Organisation") develops and sells various IoT devices, including a "smart" weighing scale called the "Sense Smart Scale" and wearable fitness trackers marketed as "Actxa Swift" and "Actxa Swift+". These devices collect a range of personal data from users, such as weight, body composition, activity levels, and sleep patterns.
Users can download the Actxa App on their mobile devices, create an account, and link the IoT devices to their account. The app then allows users to access and monitor the data collected by the devices. The Organisation's servers automatically collect this data from the IoT devices through the Actxa App.
At the time of the complaint, a total of 2,609 customers had downloaded and used the Actxa App, with 40 customers using the Sense Smart Scale and 2,569 customers using the fitness trackers.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether Actxa failed to obtain the consent of its customers, including the complainant, before collecting and using their personal data, in breach of section 13 of the PDPA (the "Consent Obligation").
2. Whether Actxa failed to collect and use personal data only for purposes that a reasonable person would consider appropriate in the circumstances and of which the affected individuals had been informed, in breach of the "Purpose Limitation Obligation" under the PDPA.
How Did the Court Analyse the Issues?
The Commissioner examined Actxa's privacy policy, which was the primary document relied upon by the Organisation to notify customers of the purposes for collecting personal data and to obtain their consent.
The Commissioner found that Actxa's privacy policy at the time of the complaint only referenced the Actxa website and did not expressly address the collection, use, and disclosure of personal data through the Actxa App and the IoT devices. The policy did not provide any information about the types of personal data collected via the IoT devices (referred to as "Observed Personal Data") or the purposes for which this data would be used.
The Commissioner considered that the Actxa App could not itself serve as a notification mechanism for the purposes of the PDPA, as the app contained no information about the collection, use, and disclosure of personal data. Nor did the privacy policy explain how Actxa App users would have known that a policy referring only to the website applied to the data collected through the IoT devices.
The Commissioner also examined the possibility that Actxa could rely on the concept of "deemed consent" under section 15 of the PDPA. However, the Commissioner determined that this provision only applied to the "Declared Personal Data" (such as name, email, and profile information) provided by users when creating an Actxa App account, and not to the "Observed Personal Data" collected through the IoT devices.
What Was the Outcome?
The Commissioner concluded that Actxa had breached both its Consent Obligation and Purpose Limitation Obligation under the PDPA.
Specifically, the Commissioner found that Actxa had failed to obtain valid consent from its customers, including the complainant, for the collection and use of the Observed Personal Data collected through the IoT devices. Actxa's privacy policy was inadequate and did not properly notify customers of the purposes for which this personal data would be collected and used.
As a result, the Commissioner directed Actxa to:
- Cease collecting, using, or disclosing the Observed Personal Data until it has obtained valid consent from its customers;
- Develop and implement a data protection policy that clearly explains the purposes for which personal data collected through the IoT devices will be used;
- Provide clear and detailed notification to all existing Actxa App users about the purposes for which their personal data is collected and used, and obtain their consent.
Why Does This Case Matter?
This case highlights the importance of organisations complying with the consent and purpose limitation obligations under the PDPA when collecting personal data through connected IoT devices and accompanying mobile applications.
The case demonstrates that organisations cannot rely on a single, generic privacy policy to cover the collection of personal data across multiple platforms and devices. They must ensure that the purposes for data collection are clearly and specifically communicated to individuals, and that valid consent is obtained for each type of personal data collected.
The decision also emphasises that the concept of "deemed consent" under the PDPA has limitations and does not automatically extend to every type of personal data collected. Organisations must distinguish between "declared" personal data, which the individual knowingly provides, and "observed" personal data, which a device or application gathers automatically, and obtain proper consent for the latter.
This case provides valuable guidance for organisations developing and selling IoT devices, as well as those using mobile apps and other platforms to collect personal data. It underscores the need for robust data protection practices and clear, transparent communication with customers about data collection and usage.
Legislation Referenced
- Personal Data Protection Act 2012 (PDPA)
Cases Cited
- [2018] SGPDPC 5
Source Documents
This article analyses [2018] SGPDPC 5 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full decision for the Commissioner's complete reasoning.