Case Details
- Citation: [2019] SGPDPC 14
- Court: Personal Data Protection Commission
- Date: 2019-06-11
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Grabcar Pte. Ltd.
- Legal Areas: Data protection – Personal or domestic capacity, Data protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2017] SGPDPC 5, [2018] SGPDPC 9, [2019] SGPDPC 14
- Judgment Length: 18 pages, 4,746 words
Summary
This decision by the Personal Data Protection Commission of Singapore addresses the obligations of an online ride-sharing platform, Grabcar Pte Ltd, and the drivers who use the platform to provide carpool rides to passengers. The key issues were whether the drivers were "organizations" under the Personal Data Protection Act (PDPA) and thus subject to its requirements, and whether Grabcar had fulfilled its obligations to protect passenger data under the PDPA.
What Were the Facts of This Case?
The case involved separate complaints by two passengers (the "Complainants") who used Grabcar's GrabHitch carpooling service. The Complainants alleged that the drivers (the "Drivers") who provided their rides had disclosed their personal data without consent on social media.
In the first complaint, the Driver had posted screenshots of messages between himself and the first Complainant, as well as a written post identifying the Complainant by name, on a public Facebook group called "GrabHitch Singapore Community". This was done to seek views from other drivers on how to handle a dispute over whether the Complainant should contribute to ERP charges.
In the second complaint, the Driver had posted various personal data of the second Complainant, including screenshots of their messages, the Complainant's name, pickup/dropoff locations, and Facebook profile, on a closed Facebook group called "Uber/Grab SG Partners". This was done because the Driver was unable to contact the Complainant about a dispute over payment for the ride.
Investigations revealed that similar unauthorized disclosures of passenger data by GrabHitch drivers had occurred on these Facebook groups.
What Were the Key Legal Issues?
The key legal issues were:
- Whether the Drivers were "organizations" under the PDPA and thus subject to its requirements, particularly the prohibition on unauthorized disclosure of personal data under Section 13.
- Whether Grabcar had fulfilled its obligations under Section 24 of the PDPA to protect the Complainants' personal data.
How Did the Court Analyse the Issues?
On the first issue, the Deputy Commissioner examined the nature of the GrabHitch service and the regulations governing it. He found that GrabHitch drivers provide carpool rides in their personal capacity, not as commercial enterprises. This was based on several factors:
- GrabHitch drivers are not allowed to solicit passengers on the road, parking places or public stands.
- The carriage of passengers must be incidental to the driver's use of the vehicle.
- Drivers can only collect payment up to the cost and expenses incurred for the carpool ride.
- There are limits on the number of carpool trips a driver can offer per day.
Given these restrictions, the Deputy Commissioner concluded that GrabHitch drivers are not "organizations" under the PDPA and thus not subject to its obligations, including the prohibition on unauthorized disclosure of personal data under Section 13.
On the second issue, the Deputy Commissioner found that Grabcar had contravened Section 24 of the PDPA by failing to make reasonable security arrangements to prevent the unauthorized disclosure of passenger data by GrabHitch drivers. While Grabcar did not create or operate the Facebook groups where the disclosures occurred, it was still responsible for protecting passenger data shared through its platform. The Deputy Commissioner noted that Grabcar should have provided clearer guidance and training to drivers on their data protection obligations.
What Was the Outcome?
The Deputy Commissioner found that Grabcar had contravened Section 24 of the PDPA by failing to implement reasonable security arrangements to prevent the unauthorized disclosure of passenger data by GrabHitch drivers. He directed Grabcar to:
- Develop and implement a data protection training program for GrabHitch drivers.
- Enhance its data protection policies and practices to better protect passenger data.
- Conduct a review of its data protection practices and make any necessary improvements.
No directions were made against the individual GrabHitch drivers, as they were found to be acting in a personal capacity not subject to the PDPA's obligations.
Why Does This Case Matter?
This case provides important guidance on the application of the PDPA to individuals providing services through online platforms. It clarifies that individuals acting in a personal or domestic capacity, rather than as commercial enterprises, are not considered "organizations" under the PDPA and thus not directly subject to its requirements.
However, the case also underscores the obligation of platform operators like Grabcar to have reasonable security measures in place to protect personal data shared through their services, even if the direct disclosures are made by individual users. This highlights the need for platform providers to have robust data protection policies, training, and oversight mechanisms to fulfill their PDPA obligations.
The case is a useful precedent for understanding the boundaries between individual and organizational responsibilities under Singapore's data protection regime, and the importance of platform providers taking proactive steps to safeguard user data.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
- Road Traffic (Car Pools) (Exemption) Order 2015
Cases Cited
- [2017] SGPDPC 5
- [2018] SGPDPC 9
- [2019] SGPDPC 14
Source Documents
This article analyses [2019] SGPDPC 14 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.