Grabcar Pte. Ltd. [2019] SGPDPC 14


"I find that merely including this restriction in the Code of Conduct is insufficient as a reasonable security arrangement to protect passengers’ personal data." — Per Yeong Zee Kin, Deputy Commissioner, Para 19

Case Information

  • Citation: [2019] SGPDPC 14 (Para 0)
  • Court: Personal Data Protection Commission, Singapore (Para 0)
  • Date: 11 June 2019 (Para 0)
  • Coram: Yeong Zee Kin, Deputy Commissioner — Case Nos DP-1702-B0508/DP-1703-B0613 (Para 0)
  • Case Number: DP-1702-B0508 / DP-1703-B0613 (Para 0)
  • Area of Law: Data protection – Personal or domestic capacity; Data protection – Protection obligation – Unauthorised disclosure of personal data – Insufficient security arrangements (Para 0)

Summary

This decision addressed complaints arising from the disclosure of passengers’ personal data by GrabHitch drivers on Facebook after disputes over ride payments. The Deputy Commissioner explained that the case concerned “the obligations of an online ride-sharing platform and drivers who use the platform to provide carpool rides to passengers,” and the factual matrix showed that the disclosures included names, phone numbers, ride details, photographs, and screenshots of messages exchanged through the Grab App. (Para 1, Para 3, Para 3(a), Para 3(b))

The central legal question was whether the drivers were “organisations” under the PDPA and therefore subject to section 13, or whether they were individuals acting in a personal or domestic capacity and thus outside Parts III to VI of the PDPA. The Deputy Commissioner held that GrabHitch drivers were acting in a personal capacity, so they were not subject to the PDPA in relation to those disclosures, but the Organisation itself remained responsible for the personal data it collected and controlled through the Grab App. (Para 8, Para 9, Para 14, Para 15)

On the protection obligation, the Deputy Commissioner found that the Organisation breached section 24 because it had not implemented sufficient security arrangements. The key deficiency was that the Organisation relied on a prohibition in the Code of Conduct, but “merely including this restriction in the Code of Conduct is insufficient as a reasonable security arrangement,” and the Organisation should have provided more detailed guidance and communication to drivers. The matter ended with directions under section 29, but no financial penalty, because only two individuals were directly affected and the type of data disclosed did not warrant a monetary sanction. (Para 19, Para 20, Para 33, Para 34, Para 35, Para 36)

What Were the Complaints and What Personal Data Was Disclosed?

The complaints were straightforward in form but significant in their implications. The Deputy Commissioner recorded that the “substance of each complaint was, in essence, that the Complainant’s personal data had been disclosed without consent on social media by the Driver who gave a ride to the Complainant.” The disclosures were not abstract or technical; they were public postings on Facebook arising from disputes between drivers and passengers over payment or ride-related disagreements. (Para 3)

The first complaint involved a public Facebook group, and the disclosed material included screenshots of messages sent through the Grab App and a typewritten post describing the dispute and identifying the complainant by name. The second complaint involved a closed Facebook group, and the disclosed material included screenshots of messages with the complainant’s mobile phone number, screenshots of the Grab App showing the complainant’s name and pick-up and destination points, and other ride-related details. These were not merely incidental references; they were direct disclosures of personal data obtained through the platform. (Para 3(a), Para 3(b))

"The substance of each complaint was, in essence, that the Complainant’s personal data had been disclosed without consent on social media by the Driver who gave a ride to the Complainant." — Per Yeong Zee Kin, Deputy Commissioner, Para 3

The Organisation itself was not alleged to have created or operated the Facebook pages. The Deputy Commissioner expressly noted that “The Organisation did not create or operate either the GHSC or UGSGP Facebook pages and investigations did not reveal any apparent link between the persons operating those pages and the Organisation.” That factual finding mattered because it narrowed the inquiry: the issue was not whether the Organisation ran the Facebook pages, but whether it had obligations in relation to the data that its own platform had made available to drivers. (Para 5)

The decision framed two main issues. First, whether the drivers were “organisations” under the PDPA and, if so, whether they contravened section 13 by disclosing the complainants’ personal data on the Facebook pages. Second, whether the Organisation contravened section 24 with respect to the protection of the complainants’ personal data. This framing is important because it separated the conduct of the individual drivers from the obligations of the platform operator. (Para 8)

The statutory structure was central to that framing. Section 13 prohibits collection, use, or disclosure of personal data without consent unless authorised or required by law; section 24 requires organisations to protect personal data in their possession or control by making reasonable security arrangements; and section 4(1) excludes individuals acting in a personal or domestic capacity from Parts III to VI, which includes section 13. The court therefore had to determine both the status of the drivers and the adequacy of the Organisation’s safeguards. (Para 6, Para 7, Para 9)

"In the circumstances, two main issues arise: (a) whether the Drivers are “organisations” under the PDPA and if so, whether they had contravened section 13 of the PDPA in relation to the disclosure of the Complainants’ personal data on the GHSC and UGSGP Facebook pages; and (b) Whether the Organisation had contravened section 24 of the PDPA with respect to the protection of the Complainants’ personal data." — Per Yeong Zee Kin, Deputy Commissioner, Para 8

That issue-framing also reveals the structure of the reasoning that followed. The first issue turned on the nature of the GrabHitch service and the drivers’ role in it. The second issue turned on the Organisation’s own handling of passenger data and whether its internal controls were reasonable in light of the foreseeable risk of disclosure. (Para 8, Para 19, Para 20, Para 30)

Why Were GrabHitch Drivers Held to Be Acting in a Personal Capacity?

The Deputy Commissioner began with the nature of the GrabHitch service. The judgment recorded that GrabHitch drivers “provide carpool rides on a non-commercial and non-profit basis in accordance with the Road Traffic (Car Pools) (Exemption) Order 2015” and are not required to obtain a Private Hire Car Driver’s Vocational Licence. The service was therefore treated as a carpool arrangement rather than a commercial transport operation. (Para 10)

The judgment also referred to the exemption order itself, noting that paragraph 3(1) of the Order sets out the relevant conditions. Although the full text of that paragraph is not reproduced in the judgment as summarised here, the court clearly relied on the regulatory framework to characterise the activity as one that remained within the personal sphere of the driver’s own vehicle use, subject to the conditions of the exemption. (Para 10)

"GrabHitch drivers provide carpool rides on a non-commercial and non-profit basis in accordance with the Road Traffic (Car Pools) (Exemption) Order 2015 and as such are not required to obtain a Private Hire Car Driver’s Vocational Licence." — Per Yeong Zee Kin, Deputy Commissioner, Para 10

On that basis, the Deputy Commissioner concluded that the drivers were not acting as organisations in their own right. The reasoning was that the activity remained personal in character, even though it involved strangers rather than friends or family. The court expressly rejected the Organisation’s attempt to treat the drivers as independent data controllers merely because they exercised some practical discretion over when and how to carpool. (Para 14, Para 15, Para 21, Para 30)

The holding was stated directly: “Based on the foregoing, I find that GrabHitch drivers provide carpool rides in their personal capacity.” The next sentence followed naturally from that finding: “In the circumstances, GrabHitch drivers who are providing carpool rides in accordance with the applicable terms and conditions (as detailed above) are not subject to the PDPA.” This was the decisive answer to the first issue. (Para 14, Para 15)

"Based on the foregoing, I find that GrabHitch drivers provide carpool rides in their personal capacity." — Per Yeong Zee Kin, Deputy Commissioner, Para 14
"In the circumstances, GrabHitch drivers who are providing carpool rides in accordance with the applicable terms and conditions (as detailed above) are not subject to the PDPA." — Per Yeong Zee Kin, Deputy Commissioner, Para 15

What Arguments Did the Organisation Advance, and Why Were They Rejected?

The Organisation’s central submission was that a GrabHitch driver does not drive in a “personal or domestic” capacity and should instead be treated as an “organisation” required to comply with the PDPA in his or her own right. The judgment summarised the Organisation’s position as follows: “By driving individuals who are not friends or family, the GrabHitch driver’s activities move out of the private sphere and into the public.” The Organisation also argued that drivers “maintain independence” from the Organisation in deciding the practical details of the service, such as how often to drive, where to go, and how much payment to collect. (Para 21(a), Para 21(b))

The Deputy Commissioner rejected that approach as conceptually mistaken. The judgment observed that the Organisation “appears to have mistakenly equated the GrabHitch driver’s choice over whether to carpool with the control of purposes for, or the manner in, which personal data is collected, used or disclosed.” That distinction was critical: the fact that a driver chooses whether to offer a ride does not mean the driver controls the data-processing purposes or means in the PDPA sense. (Para 30)

"The Organisation appears to have mistakenly equated the GrabHitch driver’s choice over whether to carpool with the control of purposes for, or the manner in, which personal data is collected, used or disclosed." — Per Yeong Zee Kin, Deputy Commissioner, Para 30

The court’s reasoning also emphasised the Organisation’s own role in disclosing data to drivers. The judgment stated: “In fact, it is the Organisation that discloses the passengers’ personal data to the GrabHitch Drivers in the Organisation’s chosen manner and for the purposes the Organisation deems acceptable.” That observation undercut the Organisation’s attempt to shift responsibility to the drivers, because the platform itself determined what data was made available and how. (Para 30)

Accordingly, the first issue was resolved in favour of the drivers. They were not “organisations” for the purposes of the PDPA when providing carpool rides in accordance with the applicable terms and conditions, and the disclosure complaints against them did not proceed under section 13. The legal significance of that conclusion was that the PDPA’s obligations were not extended to individuals merely because they used a platform to facilitate a private, non-commercial carpool arrangement. (Para 14, Para 15, Para 30)

What Role Did the Exemption Order, Terms, and Code of Conduct Play in the Court’s Reasoning?

The court examined several sources to understand the practical and legal framework governing GrabHitch drivers. These included the Road Traffic (Car Pools) (Exemption) Order 2015, the Driver’s Code of Conduct, the GrabHitch Terms, and the FAQ on the website. The judgment also considered the actual manner in which the Grab App transmitted passenger data to drivers. Together, these materials showed both the regulatory setting and the Organisation’s own expectations of driver conduct. (Para 10, Para 17, Para 30)

One important feature was the Code of Conduct. The Organisation set out a prohibition in clear terms: “You are prohibited from posting passenger details in public forums including social media sites or sharing contact details. This is a violation of the Personal Data Protection Act.” The existence of that rule showed that the Organisation had identified the risk of disclosure, but the court later held that the mere existence of the rule was not enough. (Para 17, Para 19)

"You are prohibited from posting passenger details in public forums including social media sites or sharing contact details. This is a violation of the Personal Data Protection Act." — Per Yeong Zee Kin, Deputy Commissioner, Para 17

The court’s treatment of these materials was not formalistic. It used them to assess whether the Organisation had done enough to translate its privacy expectations into operational safeguards. The answer was no. The judgment stated that the Organisation “could have done more to inform GrabHitch drivers of the range of acceptable and unacceptable conduct,” and that it ought to have put in place “more detailed guidance” to educate drivers about handling riders’ personal data with care. (Para 19, Para 20)

That reasoning shows why the materials mattered. The Exemption Order explained why the drivers were treated as acting in a personal capacity, but the Code of Conduct and related materials showed that the Organisation knew data would be shared with drivers and knew that misuse was possible. The gap between awareness and implementation was what led to the section 24 breach. (Para 10, Para 17, Para 19, Para 20)

Why Was the Organisation Found in Breach of Section 24?

The second issue concerned the Organisation’s own protection obligation. Section 24 requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised disclosure and other risks. The Deputy Commissioner found that the Organisation had possession or control of the complainants’ personal data through the Grab App and that it had not taken sufficient steps to prevent the kind of disclosure that occurred. (Para 7, Para 30, Para 33)

The key deficiency was the reliance on a single prohibition in the Code of Conduct. The court held: “I find that merely including this restriction in the Code of Conduct is insufficient as a reasonable security arrangement to protect passengers’ personal data.” The judgment then explained that the Organisation should have provided more detailed guidance and education to drivers. In other words, a rule on paper was not enough where the risk of misuse was foreseeable and the data was being transmitted to drivers as part of the service. (Para 19, Para 20)

"I find that merely including this restriction in the Code of Conduct is insufficient as a reasonable security arrangement to protect passengers’ personal data." — Per Yeong Zee Kin, Deputy Commissioner, Para 19

The court also stated that “The Organisation ought to have put in place more detailed guidance for GrabHitch drivers to educate them about the need to handle the personal data of their riders, obtained through the Grab App, with care.” This is a classic section 24 analysis: the question is not whether some rule exists, but whether the arrangements are reasonable in light of the nature of the data, the mode of access, and the foreseeable misuse. (Para 20)

The conclusion was explicit. “In the circumstances, and after considering the representations made by the Organisation, I find that the Organisation is in breach of section 24 of the PDPA.” That finding was the operative breach determination, and it was followed by directions under section 29. (Para 33, Para 34)

"The Organisation ought to have put in place more detailed guidance for GrabHitch drivers to educate them about the need to handle the personal data of their riders, obtained through the Grab App, with care." — Per Yeong Zee Kin, Deputy Commissioner, Para 20
"In the circumstances, and after considering the representations made by the Organisation, I find that the Organisation is in breach of section 24 of the PDPA." — Per Yeong Zee Kin, Deputy Commissioner, Para 33

How Did the Court Explain the Relationship Between Data Disclosure and Platform Control?

A major theme in the judgment is that the Organisation, not the drivers, controlled the initial disclosure of passenger data through the platform. The court stated in direct terms: “In fact, it is the Organisation that discloses the passengers’ personal data to the GrabHitch Drivers in the Organisation’s chosen manner and for the purposes the Organisation deems acceptable.” This observation is important because it anchors the section 24 analysis in the Organisation’s own design choices. (Para 30)

The court’s reasoning therefore distinguished between the driver’s practical autonomy in deciding whether to offer a ride and the Organisation’s control over the data-processing architecture. The Organisation’s attempt to rely on driver independence did not answer the real question: who determined what personal data was collected, how it was transmitted, and what safeguards accompanied that transmission? The judgment’s answer was that the Organisation did. (Para 21(b), Para 30)

"In fact, it is the Organisation that discloses the passengers’ personal data to the GrabHitch Drivers in the Organisation’s chosen manner and for the purposes the Organisation deems acceptable." — Per Yeong Zee Kin, Deputy Commissioner, Para 30

That finding also explains why the court did not accept the Organisation’s attempt to shift the focus entirely onto the drivers’ conduct. Even though the Facebook postings were made by drivers, the data had first been made available by the Organisation through the app. The protection obligation therefore attached to the Organisation’s arrangements for that disclosure, not merely to the drivers’ later misuse. (Para 3, Para 30, Para 33)

In practical terms, the case shows that a platform cannot avoid section 24 responsibility by pointing to the independent wrongdoing of users if the platform itself has created the conditions for disclosure and failed to implement adequate safeguards. The court’s analysis is a reminder that data protection obligations are assessed at the level of the organisation’s systems and controls, not only at the level of the final wrongful act. (Para 7, Para 30, Para 33)

What Did the Court Say About Reasonable Security Arrangements and Training?

The judgment expressly linked reasonable security arrangements to policies, practices, and training. It stated: “As has been held in Re Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 and Re National University of Singapore [2017] SGPDPC 5, reasonable security arrangements can include policies and practices as well as training.” That proposition was used to support the conclusion that the Organisation’s single prohibition was inadequate. (Para 20)

The court did not say that a policy is irrelevant. Rather, it said that a policy alone may be insufficient where the risk is foreseeable and the organisation has not ensured that the policy is understood and operationalised. The Organisation “could have done more to inform GrabHitch drivers of the range of acceptable and unacceptable conduct,” and the court specifically said that more detailed guidance was needed. (Para 19, Para 20)

"As has been held in Re Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 and Re National University of Singapore [2017] SGPDPC 5, reasonable security arrangements can include policies and practices as well as training." — Per Yeong Zee Kin, Deputy Commissioner, Para 20

This part of the reasoning is especially important for compliance practice. It indicates that organisations should not assume that a written prohibition, even one expressly referencing the PDPA, will satisfy section 24 if the organisation has not taken steps to communicate, explain, and reinforce the rule. The court’s focus was on the effectiveness of the arrangement, not merely its existence. (Para 19, Para 20)

Accordingly, the breach finding was not based on a failure to have any policy at all. It was based on the inadequacy of the policy architecture in context: the Organisation knew that drivers would receive passenger data, knew that misuse could occur, and yet did not implement sufficient educational or procedural safeguards. (Para 17, Para 19, Para 20, Para 33)

What Directions and Remedies Did the Deputy Commissioner Order?

Having found a breach of section 24, the Deputy Commissioner relied on section 29 of the PDPA to issue directions. The judgment stated: “Having found the Organisation to be in breach of section 24 of the PDPA, I am empowered under section 29 of the PDPA to give the Organisation such directions as I deem fit to ensure its compliance with the PDPA.” This is the statutory basis for the remedial orders that followed. (Para 34)

The directions required the Organisation to review and amend its policies and practices to provide detailed guidance for GrabHitch drivers on handling riders’ personal data, and to communicate those policies and practices to drivers within 120 days. The Organisation was also directed to implement any other reasonable security arrangements necessary to comply with section 24 and to inform the Commission within seven days of compliance. (Para 35)

"Having found the Organisation to be in breach of section 24 of the PDPA, I am empowered under section 29 of the PDPA to give the Organisation such directions as I deem fit to ensure its compliance with the PDPA." — Per Yeong Zee Kin, Deputy Commissioner, Para 34
"I hereby direct the Organisation to: (a) review and amend the Organisation’s policies and practices to provide detailed guidance for GrabHitch drivers on the handling of the personal data of their riders and to communicate to GrabHitch drivers all relevant policies and practices (including the amended policies and practices) within 120 days of this decision to protect the personal data in the possession or control of the Organisation from unauthorised disclosure by GrabHitch drivers; (b) implement any other reasonable security arrangements as necessary to comply with section 24 of the PDPA; and (c) to inform the Commission within seven days of the compliance with the above directions." — Per Yeong Zee Kin, Deputy Commissioner, Para 35

The court also declined to impose a financial penalty. The reason given was that only two individuals were directly affected by the unauthorised disclosure and that the type of personal data disclosed did not justify a monetary sanction. The judgment stated: “Given that only two individuals were directly affected by the unauthorised disclosure of personal data and in consideration of the type of personal data disclosed, I find that a financial penalty is not warranted in this matter.” (Para 36)

"Given that only two individuals were directly affected by the unauthorised disclosure of personal data and in consideration of the type of personal data disclosed, I find that a financial penalty is not warranted in this matter." — Per Yeong Zee Kin, Deputy Commissioner, Para 36

Why Does This Case Matter?

This case matters because it clarifies the boundary between personal conduct and organisational responsibility in a platform-based environment. The court accepted that GrabHitch drivers, when providing carpool rides in accordance with the applicable terms and conditions, were acting in a personal capacity and were not themselves subject to the PDPA. At the same time, the platform operator remained responsible for the personal data it collected and disclosed through its app. (Para 14, Para 15, Para 30)

It also matters because it demonstrates that a bare prohibition in a code of conduct is not necessarily a sufficient security arrangement. The Organisation had identified the risk and written a rule, but the court still found a breach because the Organisation had not gone further to provide detailed guidance, education, and practical safeguards. That is a significant compliance lesson for any platform that shares user data with independent participants. (Para 17, Para 19, Para 20, Para 33)

Finally, the case is important because it shows how the PDPA’s protection obligation can operate even where the immediate disclosure is made by a third party. The decisive question is whether the organisation made reasonable arrangements for data in its possession or control. If the organisation’s own system makes disclosure possible, it must take active steps to prevent misuse. (Para 7, Para 30, Para 33)

In that sense, the case is a practical reminder that privacy compliance is not satisfied by formal rules alone. Organisations must translate policy into training, communication, and operational controls, especially where personal data is shared with users who may not be sophisticated in data protection obligations. (Para 19, Para 20)

Cases Referred To

Re Habitat for Humanity Singapore Ltd [2018] SGPDPC 9
  • How used: Cited with Re National University of Singapore to support the proposition that reasonable security arrangements may include policies, practices, and training. (Para 20)
  • Key proposition: Reasonable security arrangements can include policies and practices as well as training. (Para 20)

Re National University of Singapore [2017] SGPDPC 5
  • How used: Cited with Re Habitat for Humanity Singapore Ltd for the same proposition on the content of reasonable security arrangements. (Para 20)
  • Key proposition: Reasonable security arrangements can include policies and practices as well as training. (Para 20)

Legislation Referenced

  • Personal Data Protection Act 2012, section 4(1) (exclusion of individuals acting in a personal or domestic capacity from Parts III to VI) (Para 9)
  • Personal Data Protection Act 2012, section 13 (consent for collection, use, or disclosure of personal data) (Para 6)
  • Personal Data Protection Act 2012, section 24 (protection obligation) (Para 7, Para 33)
  • Personal Data Protection Act 2012, section 29 (power to give directions) (Para 34)
  • Road Traffic (Car Pools) (Exemption) Order 2015, paragraph 3(1) (Para 10)

Source Documents

This article analyses [2019] SGPDPC 14 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla