Case Details
- Citation: [2020] SGPDPC 7
- Court: Personal Data Protection Commission
- Date: 2020-03-02
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Majestic Debt Recovery Pte Ltd
- Legal Areas: Data Protection – Consent obligation, Data Protection – Openness obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2020] SGPDPC 7
- Judgment Length: 10 pages, 1,807 words
Summary
This case concerns a debt collection company, Majestic Debt Recovery Pte Ltd (the "Organisation"), that posted a video recording on social media as a tactic to shame a debtor. The recording captured exchanges between the Organisation's representatives and staff of the debtor company. The Personal Data Protection Commission (the "Commission") found that the Organisation had breached the consent and openness obligations under the Personal Data Protection Act 2012 ("PDPA") by collecting, using, and disclosing the personal data of the debtor company's personnel without consent, and by failing to develop data protection policies and appoint a data protection officer.
What Were the Facts of This Case?
Majestic Debt Recovery Pte Ltd is a company in the business of collecting debts on behalf of its clients. On 22 March 2019, the Commission received a complaint from the managing director (the "Complainant") of a debtor company (the "Company") stating that the Organisation had been engaged by the Company's sub-contractor to recover debts from the Company.
The Complainant stated that on or around 21 March 2019, the Organisation's representatives (the "Representatives") visited the Company's premises to collect a debt on behalf of its client (the "Incident"). During the visit, heated words were exchanged with the Company's personnel when the Representatives attempted to recover the debt. The Representatives recorded video footage of the exchanges with the Company's personnel, including the Complainant (the "Recording"), on a tablet device. The Complainant and the Company's personnel could be identified from the images and audio captured by the Recording.
According to the Complainant, he "protested against the taking of [the Recording and] posting it [on] social media but [the Representative] said he would do it". The Representatives nonetheless took the Recording and subsequently posted it on the Organisation's official public Facebook page (its "Facebook Page". During its investigation, the Commission found other video recordings on the Facebook Page that also captured images and voices of other individuals who appeared to be either individual debtors or representatives of corporate debtors of the Organisation's clients.
What Were the Key Legal Issues?
The key legal issues in this case were whether the Organisation had breached:
1. Section 13 of the PDPA by collecting, using, and disclosing the personal data of the Complainant and the Company's personnel without their consent; and
2. Sections 12 and 11(3) of the PDPA by failing to develop and implement data protection policies and practices, and by failing to appoint a data protection officer.
How Did the Court Analyse the Issues?
On the first issue, the Commission found that the Organisation had breached section 13 of the PDPA. The Commission noted that the Recording captured images and audio of the Complainant and the Company's personnel, which constituted their personal data. The Organisation had collected, used, and disclosed this personal data by recording the video and posting it on its Facebook Page, despite the Complainant's protests.
The Commission rejected the Organisation's argument that it had obtained consent from the Complainant and the Company's personnel to record and post the video. The Commission stated that it was "unlikely or even unconceivable that an individual who owed a debt would willingly consent to be filmed by the debt collecting agency calling on him, and for such recordings to be posted on social media". The Commission also noted that even if consent had been obtained previously, it could have been withdrawn by the Complainant under section 16(1) of the PDPA.
Furthermore, the Commission expressed doubts about the validity of any consent obtained by the Organisation, as it may have been obtained through unfair, deceptive, or misleading practices, which would vitiate the consent under section 14(3) of the PDPA.
On the second issue, the Commission found that the Organisation had also breached sections 12 and 11(3) of the PDPA. The Commission noted that by the nature of its business, the Organisation would be in possession and/or control of various personal data, including those of its employees and its clients' debtors or the debtors' employees. However, the Organisation admitted that it did not have any knowledge of the PDPA prior to this incident, did not have any data protection policies or practices, and had not appointed a data protection officer.
What Was the Outcome?
Based on the findings, the Deputy Commissioner directed the Organisation to:
1. Pay a financial penalty of $7,500 within 30 days;
2. Develop and implement policies and practices necessary for its compliance with the PDPA; and
3. Put in place a program of compulsory training for its employees on compliance with the PDPA.
Why Does This Case Matter?
This case is significant for several reasons:
1. It highlights the importance of obtaining valid consent under the PDPA before collecting, using, or disclosing personal data. The Commission's analysis of the potential issues with consent obtained in the context of debt collection is particularly noteworthy.
2. It emphasizes the need for organisations, especially those dealing with personal data as part of their core business activities, to have a good understanding of the PDPA and to develop and implement appropriate data protection policies and practices, including the appointment of a data protection officer.
3. The case serves as a warning to debt collection agencies and other organisations that may be tempted to use tactics like public shaming of debtors. Such practices are likely to be found in breach of the PDPA and may result in significant penalties.
4. The decision provides guidance on the factors the Commission will consider in determining appropriate directions, including the organisation's cooperation, remedial actions, and the absence of further breaches.
Legislation Referenced
- Personal Data Protection Act 2012
Cases Cited
- [2020] SGPDPC 7
Source Documents
This article analyses [2020] SGPDPC 7 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.