Koh Wei Ming @ Muhammad Amin Koh (trading as Mobile Chat) [2023] SGPDPC 11

Analysis of [2023] SGPDPC 11, a decision of the Personal Data Protection Commission on 2023-10-17.

Summary

In this case, the Personal Data Protection Commission (PDPC) investigated Koh Wei Ming @ Muhammad Amin Koh, the sole proprietor of Mobile Chat, for breaching the consent and purpose limitation obligations under the Personal Data Protection Act 2012 (PDPA). The investigation revealed that Koh had exploited the SIM card registration process to register additional SIM cards using his customers' personal data without their consent, in order to sell the illicit SIM cards to unauthorized purchasers for profit. The PDPC found Koh liable for breaching both the consent obligation under Section 13 of the PDPA and the purpose limitation obligation under Section 18 of the PDPA.

What Were the Facts of This Case?

The Organization is a sole proprietorship owned by Koh Wei Ming @ Muhammad Amin Koh, operating a business in the sale and servicing of mobile phones, prepaid SIM cards, and mobile phone accessories. As a retailer of M1 SIM cards, Koh was provided a terminal device by M1 installed at the Organization's premises for the purposes of SIM card registration.

The typical SIM card registration process involved scanning the customer's identity document to capture their personal data, scanning the barcode of the SIM card to tag it to the registered customer, and then loading credit value to activate the SIM card. The Commission's investigation revealed that Koh exploited this registration process to use his customers' personal data without consent to register additional prepaid M1 SIM cards that his customers did not intend to purchase.

Koh employed two methods to achieve this. Under the "Duplicate Scanning" method, after scanning a customer's identity documents to register the SIM card they wished to purchase, Koh would scan the documents a second time to register a second SIM card to the same customer without their knowledge. Koh would then hand over only one SIM card to the customer and keep the other to sell to unauthorized purchasers. Under the "Incomplete Transactions" method, when customers who had completed the registration process decided not to proceed with the purchase, Koh would keep the SIM card(s) and activate them without the customer's knowledge, before offering them for sale to other unauthorized purchasers.

Koh admitted that the purpose of these methods was to earn extra money from the unauthorized sale of the pre-registered SIM cards. Over 4 years, Koh estimated that he made a profit of approximately $35,000 from selling around 250 illicit SIM cards per year at a profit of $35 per card.

The key legal issues in this case were whether Koh had breached:

(a) The Consent Obligation under Section 13 of the PDPA by using his customers' personal data without their consent; and

(b) The Purpose Limitation Obligation under Section 18 of the PDPA by using his customers' personal data for purposes that a reasonable person would not consider appropriate in the circumstances.

How Did the Court Analyse the Issues?

On the Consent Obligation, the PDPC found that Koh had breached Section 13 of the PDPA. In the case of the "Duplicate Scanning" method, Koh's customers had only consented to the collection and use of their personal data for the purpose of registering the SIM card(s) they had requested, not for registering additional SIM cards without their knowledge. In the case of the "Incomplete Transactions" method, the customers had withdrawn their consent to the use of their personal data when they decided not to proceed with the purchase, but Koh continued to use their data to activate and sell the SIM cards.

On the Purpose Limitation Obligation, the PDPC found that Koh had breached Section 18 of the PDPA. The purpose for which Koh used his customers' personal data - to register illicit SIM cards in order to sell them to third parties for profit - was clearly not a purpose that a reasonable person would consider appropriate in the circumstances. Koh's customers could not have reasonably intended for their personal data to be used in this manner.

In analyzing these breaches, the PDPC noted that prepaid SIM cards are frequently used to further criminal activities, and that a supplier of such SIM cards who breaches the PDPA must be dealt with severely for deterrence purposes. The PDPC also took into account the aggravating factors, such as the intentional and long-running nature of Koh's breaches, the inconvenience caused to innocent parties, and the significant financial gain Koh obtained through the misuse of his customers' personal data.

What Was the Outcome?

Based on the findings, the PDPC determined that Koh had breached both the consent obligation under Section 13 and the purpose limitation obligation under Section 18 of the PDPA. The PDPC notified Koh of its preliminary decision to impose a financial penalty on him, and invited him to make representations on the matter.

Why Does This Case Matter?

This case is significant for several reasons:

Firstly, it highlights the importance of organizations strictly adhering to the consent and purpose limitation obligations under the PDPA. Exploiting customer data for unauthorized purposes, even in the context of a seemingly routine business activity like SIM card registration, can constitute a serious breach of the law.

Secondly, the case demonstrates the PDPC's willingness to take a strong stance against data protection breaches, especially when they involve the misuse of personal data for financial gain. The PDPC's emphasis on the need for deterrence in cases involving prepaid SIM cards, which are often used for criminal activities, underscores the gravity with which such breaches are viewed.

Finally, this case serves as a cautionary tale for businesses handling sensitive customer data. It underscores the importance of implementing robust data protection practices, training staff, and maintaining strict controls over the collection, use, and storage of personal information. Failure to do so can result in significant legal and financial consequences.

This article analyses [2023] SGPDPC 11 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla