Case Details
- Citation: [2018] SGPDPC 3
- Court: Personal Data Protection Commission
- Date: 2018-02-12
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: My Digital Lock Pte. Ltd.
- Legal Areas: Data Protection – Powers of investigation, Data Protection – Intersection between the law protecting privacy and personal data protection
- Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012, Protection from Harassment Act, UK Data Protection Act
- Cases Cited: [2013] SGCA 9, [2016] SGPDPC 20, [2016] SGPDPC 21, [2017] SGPDPC 12, [2017] SGPDPC 6, [2017] SGPDPC 13, [2017] SGPDPC 15, [2017] SGPDPC 3, [2018] SGPDPC 3
- Judgment Length: 30 pages, 9,176 words
Summary
This case involves a series of complaints lodged by a complainant against My Digital Lock Pte. Ltd. ("the Organisation") regarding the disclosure of the complainant's personal data. The Personal Data Protection Commission ("the Commission") ultimately decided to discontinue investigations into the third complaint, citing the intersection between data protection laws and other areas of privacy law. The decision provides guidance on when the Commission will exercise its investigatory powers under the Personal Data Protection Act 2012 (PDPA) and how the PDPA interacts with other legal frameworks safeguarding individual privacy.
What Were the Facts of This Case?
The complainant purchased a digital lock from the Organisation in October 2015. A dispute subsequently arose between the complainant and the sole director of the Organisation regarding alleged defects in the product. The Organisation then took civil action against the complainant for defamation in relation to certain remarks he had allegedly made about the Organisation's business.
The sole director of the Organisation later posted screenshots of WhatsApp messages and photographs related to the dispute on his personal Facebook page. The complainant's personal data, including his mobile phone number and residential address, was disclosed in these posts. The complainant lodged a complaint with the Commission, and the Organisation was issued a warning for breaching its obligations under the PDPA.
Before the decision on the first complaint was issued, the complainant lodged a second complaint regarding the Organisation's disclosure of his personal data on the sole director's personal blog. The blog contained images and screenshots of the complainant's online allegations against the Organisation, as well as a redacted letter from the Organisation's solicitors to the complainant. Investigations into this second complaint were discontinued, as the matters were deemed more appropriately addressed through the ongoing civil proceedings between the parties.
The complainant then made a third complaint, referring the Commission to a Facebook post where the Organisation had posted a copy of a police report alleging that the complainant was harassing the Organisation's staff. Investigations into this third complaint were also discontinued, and an advisory notice was issued to the Organisation.
What Were the Key Legal Issues?
The key legal issues in this case centered around the scope of the Commission's investigatory powers under the PDPA and the intersection between data protection laws and other areas of privacy law.
Specifically, the Commission had to determine when a document containing personal data becomes subject to its enforcement jurisdiction under the PDPA. The Commission also had to consider how the PDPA interacts with the framework of statutory and common law rights that collectively provide safeguards to individual privacy in Singapore, and how to discern between a breach of the PDPA that warrants investigation and cases where private action in the civil courts would provide better remedies.
How Did the Court Analyse the Issues?
The Commission began by examining the definition of "personal data" under the PDPA, which is broadly defined as data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access.
The Commission then considered the factors it would take into account in deciding whether the use or disclosure of personal data in documents falls within the scope of its scrutiny under the PDPA. The Commission drew guidance from the UK case of Durant v. Financial Services Authority, which adopted the "biographically significant information" test, where the focus of the information should be the data subject rather than some other person or event.
However, the Commission also noted the subsequent UK case of Edem v. IC & Financial Services Authority, which cast doubt on the "biographically significant information" test as the sole criterion. The Edem case held that it is not always necessary to consider the "biographical significance" of the data, and the key question is whether the document is clearly about an individual or clearly linked to them.
Applying these principles, the Commission determined that documents that serve the function of conveying information about individuals, such as flight manifests or letters identifying former employees, would fall within the scope of the PDPA. As the collection of documents increases, the purpose of recording or conveying information about individuals becomes indisputable.
However, the Commission also recognized that an organization cannot be prevented from making reasonable and proportionate responses to defend itself from allegations made against it, even if personal data is disclosed in doing so. The key is whether the disclosure of personal data is disproportionate in the circumstances.
What Was the Outcome?
In the end, the Commission decided to discontinue investigations into the complainant's third complaint against the Organisation. While the Organisation had disclosed the complainant's personal data in the Facebook post containing the police report, the Commission determined that this disclosure was not disproportionate in the circumstances, as the Organisation was responding to the complainant's alleged harassment of its staff.
The Commission issued an advisory notice to the Organisation, but did not take any further enforcement action. The Commission's decision to discontinue the investigation was based on its assessment that the matters raised in the complaint were more appropriately addressed through private action in the civil courts, rather than through the PDPA enforcement framework.
Why Does This Case Matter?
This case provides important guidance on the scope of the Commission's investigatory powers under the PDPA and how the PDPA intersects with other areas of privacy law in Singapore. It clarifies that the Commission will not automatically investigate every case involving the disclosure of personal data, but will instead consider whether the matter is more appropriately addressed through other legal avenues.
The decision highlights the Commission's recognition that organizations must be able to make reasonable and proportionate responses to defend themselves against allegations, even if this involves some disclosure of personal data. This balances the need to protect individual privacy with the practical realities of commercial disputes and litigation.
Ultimately, this case underscores the Commission's role in administering the PDPA in a way that complements, rather than duplicates, the broader framework of laws safeguarding individual privacy in Singapore. It demonstrates the Commission's willingness to exercise its discretion to discontinue investigations where the matter is better suited for resolution through private civil action.
Legislation Referenced
- Personal Data Protection Act
- Personal Data Protection Act 2012
- Protection from Harassment Act
- UK Data Protection Act
Cases Cited
- [2013] SGCA 9
- [2016] SGPDPC 20
- [2016] SGPDPC 21
- [2017] SGPDPC 12
- [2017] SGPDPC 6
- [2017] SGPDPC 13
- [2017] SGPDPC 15
- [2017] SGPDPC 3
- [2018] SGPDPC 3
- Durant v. Financial Services Authority [2003] EWCA Civ 1746
- Edem v. IC & Financial Services Authority [2014] EWCA Civ 92
Source Documents
This article analyses [2018] SGPDPC 3 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.