
Belden Singapore Private Limited & Anor [2021] SGPDPC 13

Analysis of [2021] SGPDPC 13, a decision of the Personal Data Protection Commission on 2021-11-12.

Case Details

  • Citation: [2021] SGPDPC 13
  • Court: Personal Data Protection Commission
  • Date: 2021-11-12
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: (1) Belden Singapore Private Limited, (2) Grass Valley Singapore Pte Ltd
  • Legal Areas: Data Protection – Transfer obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2021] SGPDPC 13
  • Judgment Length: 15 pages, 3,710 words

Summary

This case involves a data breach incident affecting Belden Singapore Private Limited and Grass Valley Singapore Pte Ltd, where an unauthorized third party gained access to the Belden Group's servers and exfiltrated personal data of the organizations' employees. The key issue is whether the organizations complied with the transfer limitation obligation under the Personal Data Protection Act 2012 when transferring personal data to their parent company Belden Inc. in the United States. The Personal Data Protection Commission found that the organizations had not taken appropriate steps to ensure the recipient was bound by legally enforceable obligations to provide a comparable standard of data protection, and thus had breached the transfer limitation obligation.

What Were the Facts of This Case?

The Belden Group is a multinational company involved in manufacturing networking, connectivity, and cable products. Its various subsidiaries and affiliated companies operate across the Americas, Europe, Middle East, Africa, and the Asia Pacific region. Belden Singapore Private Limited and Grass Valley Singapore Pte Ltd (the "Organizations") are part of the Belden Group.

As the main human resources functions for Belden Singapore are conducted by the parent company Belden Inc. in the United States, Belden Singapore transfers the personal data of its employees to Belden Inc., which are then stored on Belden Inc.'s servers. Similarly, after Grass Valley entities (including Grass Valley Singapore) were acquired by another company in 2020, the personal data of Grass Valley Singapore's employees were also transferred to and stored on Belden Inc.'s servers.

In November 2020, the Belden Group's IT team detected anomalies in its systems, and subsequent investigations revealed that a threat actor had accessed the Belden Group's servers in the USA and other jurisdictions through malicious software, and exfiltrated the information and data contained therein. This included the personal data of 126 individuals related to Belden Singapore and 63 individuals related to Grass Valley Singapore, such as names, addresses, contact details, dates of birth, identification numbers, marital status, photographs, salary information, and tax information.

The key legal issue in this case is whether the Organizations complied with the transfer limitation obligation under Section 26 of the Personal Data Protection Act 2012 (PDPA) when transferring personal data of their employees to Belden Inc. in the United States.

Section 26(1) of the PDPA prohibits an organization from transferring personal data to a country or territory outside Singapore, unless it takes appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of data protection that is comparable to the protection under the PDPA.

How Did the Court Analyse the Issues?

The Personal Data Protection Commission (the "Commission") examined whether the Organizations had complied with the transfer limitation obligation under the PDPA.

The Commission noted that the Organizations had put in place a Global Data Transfer Agreement (GDTA) to govern the terms on which the various Belden entities transfer personal data to each other. However, the Commission found that the GDTA did not adequately ensure that Belden Inc. was bound by legally enforceable obligations to provide a comparable standard of data protection as required under the PDPA.

Specifically, the Commission highlighted that the GDTA did not:

  • Specify the countries and territories to which the personal data may be transferred under the contract
  • Require Belden Inc. to provide a comparable standard of data protection as required under the PDPA Regulations
  • Constitute "binding corporate rules" as defined in the PDPA Regulations, as it did not specify the rights and obligations provided by the binding corporate rules

The Commission emphasized that organizations have an obligation to undertake appropriate due diligence and obtain assurances when engaging an overseas data recipient, even if it is a related entity within the same corporate group. This is to ensure the transferred personal data is protected to a standard comparable with the PDPA.

What Was the Outcome?

Based on the findings, the Commission determined that the Organizations had breached the transfer limitation obligation under Section 26 of the PDPA by failing to take appropriate steps to ensure that Belden Inc. was bound by legally enforceable obligations to provide a comparable standard of data protection for the personal data that was transferred.

The Commission did not impose any financial penalties on the Organizations, as it was the first time the transfer limitation obligation had been considered in an investigation. However, the Commission directed the Organizations to:

  • Review and update their data transfer agreements to ensure compliance with the PDPA's transfer limitation obligation
  • Conduct a comprehensive review of their data protection policies and practices to ensure ongoing compliance with the PDPA

Why Does This Case Matter?

This case provides important guidance on the application of the transfer limitation obligation under the PDPA in the context of intra-group data transfers. It clarifies that organizations have a duty to undertake appropriate due diligence and obtain assurances from overseas recipients of personal data, even if they are related entities within the same corporate group.

The case highlights that simply having an intra-group data transfer agreement in place may not be sufficient to comply with the transfer limitation obligation. Organizations must ensure that the agreement contains the necessary provisions to bind the overseas recipient to a standard of data protection that is comparable to the PDPA.

This case serves as a reminder to organizations with cross-border data flows, particularly within multinational corporate groups, to carefully review their data transfer practices and underlying agreements to ensure they meet the PDPA's requirements. Failure to do so can expose the organization to regulatory action and potential reputational harm in the event of a data breach incident.

Legislation Referenced

  • Personal Data Protection Act 2012
  • Personal Data Protection Regulations 2014

Cases Cited

  • [2021] SGPDPC 13

Source Documents

This article analyses [2021] SGPDPC 13 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
