Big Bubble Centre Pte Ltd [2018] SGPDPC 25

Case Details

• Citation: [2018] SGPDPC 25
• Court: Personal Data Protection Commission
• Date: 2018-11-28
• Judges: Yeong Zee Kin, Deputy Commissioner
• Plaintiff/Applicant: -
• Defendant/Respondent: Big Bubble Centre Pte Ltd
• Legal Areas: Data Protection – Disclosure of personal data
• Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
• Cases Cited: [2017] SGPDPC 15, [2018] SGPDPC 3, [2018] SGPDPC 25
• Judgment Length: 6 pages, 1,331 words

Summary

This case concerns the disclosure of personal data by Big Bubble Centre Pte Ltd, a sole-proprietorship in the scuba-diving services business, in response to a dispute with a former employee. The Personal Data Protection Commission (PDPC) found that the organization had breached its obligations under the Personal Data Protection Act 2012 (PDPA) by disclosing the former employee's personal data, including sensitive information like NRIC and passport details, without obtaining the employee's consent. The PDPC issued a warning to the organization, emphasizing the need for caution when responding to public comments and the importance of proportionality in disclosing personal data.

What Were the Facts of This Case?

The case arose from a contractual dispute between Big Bubble Centre Pte Ltd (the "Organization") and a former employee, the Complainant. The Complainant claimed that the Organization had failed to pay his wages, while the Organization alleged that the Complainant owed them money for participating in and logging dives organized by the Organization. The Organization also claimed that the Complainant had taken dive equipment and documents without paying for them.

After the Complainant resigned, he posted on Facebook detailing his unhappiness with the Organization and its sole proprietor, alleging that he felt cheated and warning other divers from joining the Organization. In response, the Organization posted on its sole proprietor's personal Facebook page and a public group for scuba divers, defending its position and disclosing the Complainant's personal data, including his name, NRIC number, date of birth, passport number and expiry date, mobile phone number, email address, residential address, as well as the name, residential address, and car details of the Complainant's female friend.

It is undisputed that the Organization had obtained this personal data from the Complainant during his employment, but the Organization did not obtain the Complainant's consent to disclose it in the manner described.

What Were the Key Legal Issues?

The key legal issues in this case were whether the Organization's disclosure of the Complainant's personal data without his consent breached:

(a) The Organization's obligation under section 13 of the Personal Data Protection Act 2012 (PDPA) to obtain valid consent before disclosing personal data; and

(b) The Organization's obligation under section 18 of the PDPA to only use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances and that the data subject has been informed of.

How Did the Court Analyse the Issues?

The PDPC, represented by Deputy Commissioner Yeong Zee Kin, analyzed the case based on the principles established in previous decisions, such as Re M Star Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 and Re My Digital Lock Pte Ltd [2018] SGPDPC 3.

The PDPC acknowledged that organizations should not be prevented from responding to public comments about them, and that in some situations, it may be reasonable or even necessary to disclose personal data to advance an explanation. However, the PDPC emphasized that the disclosure must be proportionate and not clearly disproportionate on an objective standard.

In the present case, the PDPC found that the Organization's disclosure of the Complainant's NRIC and passport numbers, as well as the personal details of the Complainant's friend, was clearly disproportionate and could not be justified as necessary to defend the Organization's position. The PDPC stated that it could conceive of no legitimate reason for the Organization to disclose such sensitive personal data in this context.

The PDPC recognized that the excessive disclosure of personal data may have been made in the "heat of the moment" when responding to the Complainant's Facebook post, but nevertheless found it to be inexcusable conduct. The PDPC emphasized the need for caution when responding to public comments and the importance of proportionality in disclosing personal data.

What Was the Outcome?

The PDPC found that the Organization had breached its obligations under section 13 of the PDPA by disclosing the Complainant's personal data without obtaining his consent. The PDPC decided to issue a warning to the Organization, without imposing any further directions or financial penalty.

The PDPC noted that as of March 15, 2018, the Facebook posts containing the Complainant's personal data had been removed. Additionally, upon being contacted by the PDPC, the Organization's sole proprietor resolved to improve his awareness of the Organization's data protection obligations under the PDPA.

Why Does This Case Matter?

This case provides important guidance on the limits of an organization's ability to disclose personal data when responding to public comments or disputes. While organizations have the right to defend themselves, the PDPC has made it clear that the disclosure of personal data must be proportionate and justified, even in the context of a public dispute.

The case emphasizes the need for organizations to exercise caution and restraint when disclosing personal data, particularly sensitive information like NRIC and passport details. Organizations must ensure that they have obtained the necessary consent from individuals before disclosing their personal data, even if the disclosure is in response to public allegations or comments.

This decision serves as a reminder to organizations to carefully consider the proportionality and appropriateness of any personal data disclosures, and to prioritize compliance with the PDPA's consent and purpose limitation requirements. It also highlights the PDPC's willingness to take enforcement action, even in the context of private disputes, to protect individuals' personal data rights.

Legislation Referenced

• Personal Data Protection Act
• Personal Data Protection Act 2012

Cases Cited

• [2017] SGPDPC 15 (Re M Star Movers & Logistics Specialist Pte Ltd)
• [2018] SGPDPC 3 (Re My Digital Lock Pte Ltd)
• [2018] SGPDPC 25 (Big Bubble Centre Pte Ltd)

Source Documents

• Original Judgment (PDF) — Singapore Law Watch
• Archived Copy (PDF) — Litt Law CDN

This article analyses [2018] SGPDPC 25 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.