
Sharon Assya Qadriyah Tang [2018] SGPDPC 1

Analysis of [2018] SGPDPC 1, a decision of the Personal Data Protection Commission on 2018-01-11.

Case Details

  • Citation: [2018] SGPDPC 1
  • Court: Personal Data Protection Commission
  • Date: 2018-01-11
  • Legal Areas: Data Protection – Consent obligation, Data Protection – Notification obligation, Data Protection – Personal or domestic capacity
  • Statutes Referenced: Data Protection Act, Data Protection Act 1998, Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2016] SGPDPC 13, [2017] SGPDPC 17, [2017] SGPDPC 13, [2018] SGPDPC 1
  • Judgment Length: 15 pages, 4,004 words

Summary

This case involves an individual, Sharon Assya Qadriyah Tang (the "Respondent"), who was found to have breached the Personal Data Protection Act 2012 ("PDPA") in Singapore by engaging in the unauthorized selling of personal data. The Personal Data Protection Commission (the "Commission") determined that the Respondent was acting in a business capacity, rather than a personal or domestic capacity, and was therefore subject to the data protection obligations under the PDPA. The Commission found the Respondent in breach of the consent and notification obligations under the PDPA for her activities in buying and selling personal data leads.

What Were the Facts of This Case?

The Respondent was employed as a telemarketer from 2004 to 2014. In 2012, she began purchasing "leads" to expand her marketing reach and meet her sales targets. These leads typically comprised an individual's name, NRIC number, mobile number, and annual income range. The Respondent would buy the leads from unknown online sellers, without verifying that the sellers had obtained the data legitimately with the individuals' consent.

The Respondent estimated that she bought approximately 10,000 leads per year, starting in late 2012 and ending sometime in May or June 2014. During this period, she accumulated around 30,990 leads, which were stored in Microsoft Excel spreadsheets. From late 2012 until February 2017, the Respondent resold these leads about 9 to 10 times, typically charging customers between $0.05 and $0.20 per lead. To conceal her identity, the Respondent used an alias, her husband's bank account, and a mobile number registered under a friend's name when conducting these transactions.

The Respondent explained that she had decided to resell the leads as a sideline to supplement her income, while also holding a job as a telemarketer and running an apparel business.

The key legal issues in this case were:

1. Whether the Respondent, as an individual, was considered an "organisation" subject to the data protection provisions of the PDPA, or whether she was acting in a personal or domestic capacity and therefore excluded from the PDPA's requirements.

2. Whether the Respondent's activities in buying and selling the personal data leads complied with the consent and notification obligations under the PDPA.

How Did the Court Analyse the Issues?

On the first issue, the Commission determined that the Respondent was not acting in a personal or domestic capacity, but rather in a business capacity, when she engaged in the unauthorized buying and selling of personal data leads. The Commission noted that the PDPA defines "organisation" broadly to include individuals, and that the converse of acting in a personal or domestic capacity is acting in a business capacity. Since the Respondent's activities were undertaken to make a profit, rather than for her own personal use, the Commission found that she was subject to the data protection obligations under the PDPA as an "organisation".

On the second issue, the Commission found that the Respondent's activities in buying and selling the personal data leads fell within the scope of the PDPA. The purchase of the leads amounted to a "collection" of personal data, while the sale of the leads amounted to a "disclosure" of personal data. As such, the Respondent was subject to the consent and notification obligations under the PDPA.

The Commission acknowledged that the Respondent's initial purchase and sale of the personal data leads occurred before the PDPA's data protection provisions came into effect on July 2, 2014 (the "Appointed Day"). However, the Commission held that after the Appointed Day, the Respondent was still obligated to comply with the PDPA's requirements, including obtaining consent and providing notification, in respect of both the existing personal data in her possession and any new personal data she acquired.

The Commission further examined the "grandfathering" provision under section 19 of the PDPA, which allows organizations to continue using personal data collected before the Appointed Day for the purposes for which it was originally collected. The Commission found that this provision may allow the Respondent to continue using the personal data for her own reasonable purposes, such as telemarketing, provided there was no indication that the individuals did not consent. However, the Commission determined that the grandfathering provision would not permit the Respondent to continue selling or disclosing the personal data to third parties after the Appointed Day, as this would fall outside the original purposes of collection.

What Was the Outcome?

Based on the findings, the Commission concluded that the Respondent had breached sections 13 and 20 of the PDPA by failing to obtain the necessary consent and provide the required notification for the collection, use, and disclosure of the personal data leads. The Commission did not impose a financial penalty on the Respondent, as this was the first reported case of an individual engaging in the unauthorized selling of personal data. However, the Commission warned the Respondent that any future breaches could result in a financial penalty.

Why Does This Case Matter?

This case is significant as it represents the first reported instance of an individual being found to have breached the PDPA by engaging in the unauthorized selling of personal data. It demonstrates that the data protection obligations under the PDPA apply not only to organizations, but also to individuals acting in a business capacity, rather than a personal or domestic capacity.

The case also provides guidance on the application of the PDPA's "grandfathering" provision, which allows for the continued use of personal data collected before the Appointed Day. The Commission's interpretation suggests that while the grandfathering provision may permit the continued use of such data for the original purposes of collection, it does not extend to the disclosure or selling of the data to third parties after the Appointed Day.

This decision serves as an important precedent for the Commission's enforcement of the PDPA, highlighting the need for individuals and organizations to comply with the consent and notification requirements when handling personal data, even if the data was obtained prior to the PDPA's implementation. It also underscores the Commission's willingness to take action against individuals who engage in the unauthorized buying and selling of personal data, which can have significant privacy implications for affected individuals.

Legislation Referenced

  • Data Protection Act
  • Data Protection Act 1998
  • Personal Data Protection Act

Cases Cited

  • [2016] SGPDPC 13
  • [2017] SGPDPC 17
  • [2017] SGPDPC 13
  • [2018] SGPDPC 1


This article analyses [2018] SGPDPC 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
