Case Details
- Citation: [2019] SGPDPC 32
- Court: Personal Data Protection Commission
- Date: 2019-08-28
- Judges: Tan Kiat How, Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: O2 Advertising Pte. Ltd.
- Legal Areas: Data protection – Protection obligation, Data protection – Retention limitation obligation, Data protection – Accountability obligation
- Statutes Referenced: Sections 11(3), 12, 24, and 25 of the Personal Data Protection Act (PDPA)
- Cases Cited: [2019] SGPDPC 32, [2019] SGPDPC 5
- Judgment Length: 7 pages, 1,479 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that O2 Advertising Pte. Ltd. (the Organisation) breached its obligations under the Personal Data Protection Act (PDPA) by failing to implement reasonable security measures to protect the personal data of individuals, retaining personal data beyond the purpose for which it was collected, and lacking data protection policies and a designated data protection officer. The PDPC directed the Organisation to pay a financial penalty, appoint a data protection officer, and develop and implement necessary data protection policies and practices.
What Were the Facts of This Case?
The case arose from a complaint lodged by an individual who found that his personal data, including his name, NRIC number, email address, residential address, gender, date of birth, mobile number, age, and skin type, was accessible online without his consent. The individual discovered that a search for his name and NRIC number on Google led to a URL link that directed to a database maintained by the Organisation.
The Organisation, which provides advertising and marketing services in Singapore, had collected the personal data of the affected individuals during an advertising campaign for one of its clients in 2015. The Organisation stored the collected personal data in two databases, referred to as Database A and Database B.
The personal data of 403 affected individuals was stored in Database A and was exposed to unauthorized access through the URL link found by the complainant. The personal data of an additional 1,165 affected individuals was stored in Database B, which was at risk of unauthorized access as a party with knowledge of how to navigate the root directory could potentially gain access to it. Additionally, two PHP files containing user names and passwords to the Organisation's email system and another database were also exposed and at risk of unauthorized access.
What Were the Key Legal Issues?
The key legal issues in this case were:
- Whether the Organisation breached the Protection Obligation under section 24 of the PDPA by failing to implement reasonable security measures to protect the personal data of the affected individuals.
- Whether the Organisation breached the Retention Limitation Obligation under section 25 of the PDPA by retaining the personal data beyond the purpose for which it was collected.
- Whether the Organisation breached the Accountability Obligation under sections 11(3) and 12 of the PDPA by failing to appoint a data protection officer and to develop and implement data protection policies and practices.
How Did the Court Analyse the Issues?
Regarding the Protection Obligation under section 24 of the PDPA, the PDPC found that the Organisation had possession and control of the personal data and was therefore obligated to protect it. The PDPC noted that the databases containing the personal data were stored in the public HTML directory of the Organisation's server, which allowed internet search engines to index the URL link and expose the personal data. The PDPC highlighted several technical security measures that the Organisation could have implemented, such as storing the databases in a non-public folder or directory, or using access controls like a password requirement or IP address restriction. The PDPC concluded that the Organisation's failure to conduct vulnerability scanning and implement reasonable security measures amounted to a breach of the Protection Obligation.
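The failure described above is a web-server layout problem: database files and a credential-bearing PHP script sat under the public HTML directory, so a search engine could index them. The following script is an added illustration, not code from the PDPC decision or from the Organisation; it walks a document root, flags data exports and PHP files that embed passwords, and reports them so they can be moved to a non-public directory or placed behind access controls. The file names, contents and the matched patterns are constructed for the example.

```python
"""Audit a web document root for files that should never be web-accessible.

Added example, not part of the PDPC decision. The decision faults databases
kept in the public HTML directory and PHP files carrying credentials; this
script detects both conditions so they can be remediated before a crawler
finds them. Every file name and content below is a constructed sample.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Extensions that normally hold bulk personal data, exports or backups,
# not web content that belongs in a document root.
DATA_EXTENSIONS = {".sql", ".db", ".sqlite", ".csv", ".xls", ".xlsx", ".bak", ".json"}

# Assignments such as $db_pass = "..." or define('DB_PASSWORD', ...) in PHP.
# Heuristic only: variable names are an assumption, not an exhaustive list.
CREDENTIAL_PATTERN = re.compile(
    r"""(?i)(\$\w*(pass|pwd|secret)\w*\s*=\s*['"][^'"]+['"]"""
    r"""|define\s*\(\s*['"]\w*(PASS|PWD|SECRET)\w*['"])"""
)


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the webroot, using "/" separators
    reason: str  # "data-file" or "embedded-credential"


def audit_webroot(webroot: str) -> list[Finding]:
    """Return every file under webroot that exposes data or credentials."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in DATA_EXTENSIONS:
                findings.append(Finding(rel, "data-file"))
                continue
            if ext == ".php":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if CREDENTIAL_PATTERN.search(fh.read()):
                        findings.append(Finding(rel, "embedded-credential"))
    return sorted(findings, key=lambda f: f.path)


def build_sample_webroot(root: str) -> None:
    """Create a constructed webroot resembling the layout the decision describes."""
    samples = {
        "index.php": "<?php echo 'campaign landing page'; ?>\n",
        # Constructed database dump with a placeholder NRIC, not real data.
        "campaign/entries.sql": "INSERT INTO entries VALUES ('SAMPLE NAME','S0000000A');\n",
        # Constructed PHP config with a placeholder password.
        "campaign/db_config.php": "<?php $db_pass = \"sample-not-a-real-password\"; ?>\n",
        "assets/style.css": "body { margin: 0; }\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir and return (reason, path) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return [(f.reason, f.path) for f in audit_webroot(tmp)]


if __name__ == "__main__":
    for reason, path in run_demo():
        print(f"{reason:20} {path}")
```

Anything the script reports should live outside the document root (or be served only through an authenticated application path), which is the first of the measures the PDPC lists; a password requirement or IP restriction on the directory is the fallback when relocation is not possible.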
Regarding the Retention Limitation Obligation under section 25 of the PDPA, the PDPC found that the Organisation had retained the personal data even after the purpose for which it was collected had been served, and there were no reasonable grounds for the Organisation to continue retaining the data. The PDPC noted that the Organisation only deleted the personal data after being informed of the complaint by the PDPC, which constituted a breach of the Retention Limitation Obligation.
Regarding the Accountability Obligation under sections 11(3) and 12 of the PDPA, the PDPC found that the Organisation had failed to appoint a data protection officer and develop and implement data protection policies and practices, as required by the PDPA. The PDPC concluded that the Organisation's lack of these measures amounted to a breach of the Accountability Obligation.
What Was the Outcome?
Having found the Organisation in breach of sections 11(3), 12, 24, and 25 of the PDPA, the PDPC directed the Organisation to:
- Pay a financial penalty of $10,000 within 30 days, failing which interest would accrue on the outstanding amount.
- Appoint an individual responsible for ensuring the Organisation's compliance with the PDPA within 30 days.
- Develop and implement policies and practices necessary for the Organisation to meet its obligations under the PDPA within 60 days.
- Inform the PDPC of the completion of the above directions within 1 week of implementation.
The PDPC noted that the reduced financial penalty of $10,000 was an exceptional measure, considering the Organisation's dire financial circumstances and the director's intention to continue the business on a significantly reduced scale.
Why Does This Case Matter?
This case is significant for several reasons:
First, it reinforces the importance of organizations implementing reasonable security measures to protect the personal data they collect and maintain. The PDPC's guidance on technical security measures, such as storing data in non-public directories and using access controls, provides a useful reference for organizations to assess and improve their data protection practices.
Second, the case highlights the need for organizations to regularly review the personal data they retain and delete it once the purpose for which it was collected has been served, unless there are legitimate grounds for continued retention. The PDPC's finding that the Organisation's retention of the personal data beyond the relevant purpose was a breach of the PDPA serves as a reminder for organizations to have robust data retention policies and practices.
Third, the case underscores the importance of organizations appointing a data protection officer and developing and implementing comprehensive data protection policies and practices, as required by the PDPA. The PDPC's finding that the Organisation's lack of these measures constituted a breach of the PDPA's Accountability Obligation emphasizes the need for organizations to take a proactive and holistic approach to data protection compliance.
Finally, the PDPC's consideration of the Organisation's financial circumstances in determining the appropriate financial penalty serves as a reminder that the PDPC may take into account an organization's specific situation when imposing sanctions, though the reduced penalty in this case should not be seen as setting a precedent for future cases.
Legislation Referenced
- Sections 11(3), 12, 24, and 25 of the Personal Data Protection Act (PDPA)
Cases Cited
- [2019] SGPDPC 32
- [2019] SGPDPC 5
Source Documents
This article analyses [2019] SGPDPC 32 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.