Singapore

Grabcar Pte. Ltd. [2019] SGPDPC 15

Analysis of [2019] SGPDPC 15, a decision of the Personal Data Protection Commission on 2019-06-11.

Case Details

  • Citation: [2019] SGPDPC 15
  • Court: Personal Data Protection Commission
  • Date: 2019-06-11
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: GrabCar Pte. Ltd. (UEN No. 201427085E)
  • Legal Areas: Data protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2016] SGPDPC 6, [2017] SGPDPC 14, [2018] SGPDPC 10, [2018] SGPDPC 16, [2019] SGPDPC 15
  • Judgment Length: 9 pages, 2,590 words

Summary

This case concerns the unauthorized disclosure of the names and mobile phone numbers of 120,747 GrabCar Pte. Ltd. customers in marketing emails sent out by the organization. The Personal Data Protection Commission found that GrabCar Pte. Ltd. failed to have adequate measures in place to detect errors introduced when it made changes to the system holding customer personal data, resulting in a breach of its obligations under the Personal Data Protection Act 2012 to protect the personal data in its possession.

What Were the Facts of This Case?

GrabCar Pte. Ltd. (the "Organization") is part of the Grab Group, which offers ride-hailing, food delivery, and payment services. As part of its marketing strategy, the Organization regularly sends marketing emails to targeted customers offering special promotions.

On 17 December 2017, the Organization sent out 399,751 marketing emails as part of a campaign. However, 120,747 of these emails contained the name and mobile phone number of a different customer, rather than the intended recipient. This occurred because of an error in the database query used to generate the email list.

The Organization maintains a main database table ("Main Table") containing customer information such as name, email, and mobile number. It also maintains a separate "Verified Email Database Table" containing the email addresses of customers who had verified their email addresses. When generating the email list for the marketing campaign, the Organization's Product Analytics team incorrectly equated the "verified_email_user_id" field in the Verified Email Database Table with the "passengers_id" field in the Main Table, treating them as unique identifiers for the same customer. As a result, the email addresses were drawn from the Verified Email Database Table while the names and mobile numbers were drawn from the Main Table, producing the mismatch between the recipient and the personal data displayed in the emails.

The key legal issue was whether GrabCar Pte. Ltd. had complied with its obligations under section 24 of the Personal Data Protection Act 2012 (PDPA) to protect the personal data in its possession or under its control.

Section 24 of the PDPA requires an organization to make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks to the personal data it holds.

How Did the Court Analyse the Issues?

The Commissioner found that GrabCar Pte. Ltd. did not have adequate measures in place to detect whether changes it made to the system holding customer personal data introduced errors that put that personal data at risk.

The root cause of the incident was an error in the database query command, which incorrectly equated the "verified_email_user_id" field with the "passengers_id" field, leading to the mismatch between email addresses and customer names/mobile numbers. The Commissioner stated that when an organization makes changes to a system processing personal data, it must have reasonable arrangements to prevent any compromise to that personal data.

The Commissioner also found that the incident arose in part due to administrative failures, as the technical documentation for the new Verified Email Database Table was not sufficiently clear, which may have contributed to the employee writing the flawed database query.

What Was the Outcome?

The Commissioner determined that GrabCar Pte. Ltd. had breached its obligations under section 24 of the PDPA to protect the personal data in its possession.

As a result of the breach, the Commissioner directed GrabCar Pte. Ltd. to implement more rigorous data validation and checks when adding or changing user attributes, require a third party to perform sanity checks before triggering new campaigns, and incorporate privacy by design elements such as masking mobile phone numbers in future marketing campaigns.
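The following is an added illustration, not part of the decision or of the Organization's systems, of the failure mode described in the facts and of the kind of pre-send validation and masking directed above. It uses Python with an in-memory SQLite database. Only the column names verified_email_user_id and passengers_id come from the decision; the table schemas, the sample rows, and the assumption that the correct link between the two tables is the shared email address are constructed for this example.

```python
import sqlite3

# Constructed schema: the Main Table holds name, email and mobile per passenger;
# the Verified Email table has its own id sequence, which is NOT the passenger id.
SCHEMA = """
CREATE TABLE passengers (
    passengers_id INTEGER PRIMARY KEY,
    name   TEXT NOT NULL,
    mobile TEXT NOT NULL,
    email  TEXT NOT NULL UNIQUE
);
CREATE TABLE verified_emails (
    verified_email_user_id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE
);
"""

# Constructed sample data (not real customers). Verified ids are assigned in
# verification order, so they do not line up with passengers_id.
PASSENGERS = [
    (1, "Alice Tan", "+6591110001", "alice@example.com"),
    (2, "Ben Lim",   "+6591110002", "ben@example.com"),
    (3, "Chloe Ng",  "+6591110003", "chloe@example.com"),
    (4, "Dev Raj",   "+6591110004", "dev@example.com"),
]
VERIFIED = [
    (1, "chloe@example.com"),
    (2, "ben@example.com"),
    (3, "dev@example.com"),
]


def build_db():
    """Create the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO passengers VALUES (?, ?, ?, ?)", PASSENGERS)
    conn.executemany("INSERT INTO verified_emails VALUES (?, ?)", VERIFIED)
    conn.commit()
    return conn


def flawed_email_list(conn):
    """The error described in the decision: treating the two id columns as the same key."""
    return conn.execute(
        "SELECT v.email, p.name, p.mobile FROM verified_emails v "
        "JOIN passengers p ON p.passengers_id = v.verified_email_user_id "
        "ORDER BY v.verified_email_user_id"
    ).fetchall()


def corrected_email_list(conn):
    """Assumed correct join: link the tables on the email address they share."""
    return conn.execute(
        "SELECT v.email, p.name, p.mobile FROM verified_emails v "
        "JOIN passengers p ON p.email = v.email "
        "ORDER BY v.verified_email_user_id"
    ).fetchall()


def count_mismatches(conn, rows):
    """Pre-send check: count rows whose name/mobile do not belong to the recipient email."""
    owner = {
        email: (name, mobile)
        for _, name, mobile, email in conn.execute(
            "SELECT passengers_id, name, mobile, email FROM passengers"
        )
    }
    return sum(1 for email, name, mobile in rows if owner.get(email) != (name, mobile))


def mask_mobile(mobile):
    """Privacy-by-design: show only the last four digits in the email body."""
    return "*" * (len(mobile) - 4) + mobile[-4:]


def prepare_campaign(conn, list_fn):
    """Build the send list; refuse to release it if any row fails the ownership check."""
    rows = list_fn(conn)
    bad = count_mismatches(conn, rows)
    if bad:
        return {"status": "blocked", "mismatches": bad, "rows": []}
    return {
        "status": "ok",
        "mismatches": 0,
        "rows": [(email, name, mask_mobile(mobile)) for email, name, mobile in rows],
    }


if __name__ == "__main__":
    db = build_db()
    print("flawed query:   ", prepare_campaign(db, flawed_email_list))
    print("corrected query:", prepare_campaign(db, corrected_email_list))
```

Run stand-alone, the flawed join produces a partially wrong list (two of three rows carry another customer's details), which the ownership check blocks; the corrected join passes and the mobile numbers are masked before any message is assembled. The check is independent of how the list was generated, which is the point: it catches a query change that nobody noticed, rather than relying on the author of the query to have read the table documentation correctly.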

Why Does This Case Matter?

This case is significant as it highlights the importance of organizations having adequate measures in place to detect and prevent errors when making changes to systems that process personal data. The Commissioner emphasized that organizations cannot simply rely on internal testing and verification processes, but must have robust safeguards to ensure the integrity of personal data is maintained.

The case also underscores the need for clear and comprehensive technical documentation, as the lack of clarity around the new Verified Email Database Table contributed to the error in the database query. Organizations must ensure that any changes to data structures or processing systems are properly documented and understood by relevant personnel.

More broadly, this decision reinforces the Personal Data Protection Commission's strict approach to enforcing the PDPA's protection obligation. Organizations must be proactive in identifying and mitigating risks to personal data, rather than simply reacting to data breaches after the fact.

Legislation Referenced

  • Personal Data Protection Act 2012
  • Personal Data Protection Act

Cases Cited

  • [2016] SGPDPC 6
  • [2017] SGPDPC 14
  • [2018] SGPDPC 10
  • [2018] SGPDPC 16
  • [2019] SGPDPC 15

Source Documents

This article analyses [2019] SGPDPC 15 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
