Case Details
- Citation: [2018] SGPDPC 21
- Court: Personal Data Protection Commission
- Date: 2018-09-11
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Jade E-Services Singapore Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2018] SGPDPC 21
- Judgment Length: 3 pages, 711 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Jade E-Services Singapore Pte. Ltd. (the "Organisation") had failed to make reasonable security arrangements to protect its customers' personal data, in breach of section 24 of the Personal Data Protection Act 2012 (PDPA). The Organisation, an online clothing retailer, had introduced a bot manager service that misidentified some logged-in customers as bots and cached their account subpages containing personal data; the cached pages were then served to another customer. The PDPC issued a warning to the Organisation, finding that neither further directions nor a financial penalty was warranted.
What Were the Facts of This Case?
The complaint was filed by a customer of the Organisation, who had logged into her user account on the Organisation's website (www.zalora.sg) and was shown the account subpages of another customer. She could see the other customer's name, contact number, birth date, email address and residential address.
The Organisation is an online clothing retailer that operates the e-commerce fashion retail website www.zalora.sg in Singapore. As bot traffic took up much of the website's bandwidth, the Organisation introduced a bot manager service on 30 January 2018. The bot manager would identify whether a request for subpages of the website was made by a bot, and if so, serve the bot with cached subpages to save bandwidth.
The bot manager had a setting that would have prevented user account subpages containing personal data from being cached, but the Organisation did not apply it. The Organisation assumed that a user who had logged in with a username and password would not be treated as a bot by the bot manager, and that the user's account subpages would therefore never be cached.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had made reasonable security arrangements to protect the personal data of its customers that was in its possession or under its control, as required by section 24 of the PDPA.
Section 24 of the PDPA requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
How Did the Court Analyse the Issues?
The PDPC found that the personal data in the user account subpages was in the Organisation's possession and under its control, since the Organisation held the data and displayed it to customers through their user accounts on its website.
The PDPC noted that the bot manager offered a setting to exclude user account subpages containing personal data from caching, which the Organisation had not applied. The Organisation had instead relied on its assumption that logged-in users would not be treated as bots, so that their account subpages would never be cached.
However, the PDPC found that the bot manager misidentified a user who had logged in with her password as a bot, and cached her account subpages containing personal data. These subpages were then served to the complainant, who was also misidentified as a bot.
The PDPC concluded that the Organisation should not have taken the risk of allowing web subpages with personal data to be cached for display, and should have applied the setting from the start to protect its customers' personal data.
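The failure mode the decision describes, a bot-manager cache keyed on URL only and populated from a logged-in user's response, can be reproduced in a few lines. The following is an added illustration written for this article, not code from the decision or from the Organisation's systems. The path names, cookie values, customer records and the bot classifier's verdicts are all constructed, and the two protective settings shown (an excluded URL prefix, and honouring the origin's Cache-Control header) are generic cache-layer controls rather than the specific setting named in the decision.

```python
"""Toy model of a bot-manager cache in front of a web shop (added example).

Everything here is constructed for illustration: the paths, the session
cookie values, the customer records and the classifier verdicts are
assumptions, not facts taken from the decision.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed customer records, keyed by the value of a session cookie.
SESSIONS = {
    "sess-alice": {"name": "Alice Tan", "email": "alice@example.com"},
    "sess-bob": {"name": "Bob Lim", "email": "bob@example.com"},
}


@dataclass
class Request:
    path: str
    session: Optional[str]    # session cookie value, None if anonymous
    classified_as_bot: bool   # verdict of the (imperfect) bot classifier


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def origin(req: Request) -> Response:
    """The web shop itself: public catalogue pages plus per-user account pages."""
    if req.path.startswith("/account/"):
        user = SESSIONS.get(req.session)
        if user is None:
            return Response(302, "", {"Location": "/login"})
        # The origin already marks account pages as not shareable.
        return Response(200, f"{user['name']} <{user['email']}>",
                        {"Cache-Control": "private, no-store"})
    return Response(200, f"catalogue page {req.path}",
                    {"Cache-Control": "public, max-age=300"})


class BotManagerCache:
    """Serves requests classified as bot traffic from a cache keyed on path only.

    no_cache_prefixes: URL prefixes that must never be cached (the kind of
    exclusion setting the decision says was available but not applied).
    honor_cache_control: additionally refuse to store responses the origin
    marked 'private' or 'no-store'.
    """

    def __init__(self, no_cache_prefixes=(), honor_cache_control=False):
        self.no_cache_prefixes = tuple(no_cache_prefixes)
        self.honor_cache_control = honor_cache_control
        self.store = {}  # path -> Response, shared by every "bot" request

    def _path_cacheable(self, path: str) -> bool:
        return not any(path.startswith(p) for p in self.no_cache_prefixes)

    def _response_cacheable(self, resp: Response) -> bool:
        if not self.honor_cache_control:
            return True
        cc = resp.headers.get("Cache-Control", "")
        return "private" not in cc and "no-store" not in cc

    def handle(self, req: Request):
        """Returns (response, 'HIT' or 'MISS')."""
        use_cache = req.classified_as_bot and self._path_cacheable(req.path)
        if use_cache and req.path in self.store:
            return self.store[req.path], "HIT"
        resp = origin(req)
        if use_cache and resp.status == 200 and self._response_cacheable(resp):
            self.store[req.path] = resp
        return resp, "MISS"


def leak_scenario(cache: BotManagerCache) -> str:
    """Replays the incident: two logged-in customers, both misclassified as
    bots, request the same account subpage. Returns what the second one sees."""
    alice = Request("/account/profile", "sess-alice", classified_as_bot=True)
    bob = Request("/account/profile", "sess-bob", classified_as_bot=True)
    cache.handle(alice)            # may populate the shared cache with Alice's page
    resp, _ = cache.handle(bob)
    return resp.body


if __name__ == "__main__":
    print("no exclusion:       ", leak_scenario(BotManagerCache()))
    print("prefix excluded:    ", leak_scenario(BotManagerCache(no_cache_prefixes=("/account/",))))
    print("honours Cache-Control:", leak_scenario(BotManagerCache(honor_cache_control=True)))
```

Run stand-alone, the first line prints Alice's record for Bob's request, which is the disclosure the complainant reported; the other two configurations return Bob's own page. The point for practitioners is that a bot classifier is a heuristic and will misfire, so the cache must be safe even when it does: either the personal-data paths are excluded outright, or the cache honours the origin's own "private"/"no-store" marking. Relying on the classifier never labelling a logged-in user as a bot, as the Organisation did, leaves a single misclassification one request away from serving one customer's data to another.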
What Was the Outcome?
The PDPC found that the Organisation did not make reasonable security arrangements to protect the personal data of its customers, and was therefore in breach of section 24 of the PDPA.
The PDPC took into account the number of affected individuals (estimated by the Organisation at 23), the type of personal data at risk of unauthorised access, and the remedial action taken by the Organisation to prevent recurrence (applying the setting to disable the caching of subpages containing personal data on 1 February 2018). The PDPC decided to issue a warning to the Organisation, as neither further directions nor a financial penalty was warranted in this case.
Why Does This Case Matter?
This case is significant as it provides guidance on the reasonable security arrangements that organisations must make to protect personal data under their control, as required by section 24 of the PDPA.
The case highlights the importance of organisations carefully considering the potential risks to personal data when implementing new technologies or services, and taking appropriate measures to mitigate those risks. In this case, the Organisation's failure to apply a readily available setting to prevent the caching of personal data was found to be a breach of its obligations under the PDPA.
The case also demonstrates the PDPC's approach to enforcement, where it may issue a warning rather than further directions or a financial penalty, depending on the circumstances of the breach and the remedial actions taken by the organisation. This suggests that the PDPC may take a more collaborative and educational approach in certain cases, rather than immediately imposing harsh penalties.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2018] SGPDPC 21
Source Documents
This article analyses [2018] SGPDPC 21 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.