Case Details
- Citation: [2019] SGPDPC 13
- Court: Personal Data Protection Commission
- Date: 2019-06-11
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Skinny's Lounge
- Legal Areas: Data protection – Notification obligation, Data protection – Consent obligation, Data protection – Purpose limitation obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2019] SGPDPC 13
- Judgment Length: 5 pages, 1,152 words
Summary
In this case, the Personal Data Protection Commission (PDPC) found that Skinny's Lounge, a karaoke television (KTV) bar, had breached its obligations under Singapore's Personal Data Protection Act (PDPA) by disclosing its patrons' personal data without their consent. The organization had streamed live CCTV footage of patrons in the KTV room onto a public screen, and later replayed selected recorded footage, without properly notifying the patrons of this purpose. The PDPC issued a warning to Skinny's Lounge for these breaches.
What Were the Facts of This Case?
Skinny's Lounge is a KTV bar located in Boat Quay, Singapore. The organization had a KTV room on its premises, which was equipped with CCTV cameras. A sign beside the TV screen in the KTV room informed patrons that they were being recorded.
The CCTV footage from the KTV room was streamed live onto a public screen in the organization's lounge area. On or before June 19, 2018, the complainant and her friends used the KTV room, and their images were live-streamed onto the public screen. After the complainant and her friends left, the CCTV in the KTV room malfunctioned, disrupting the live streaming. In response, the organization played randomly selected recorded CCTV footage on the public screen, which included footage of the complainant and her friends, for "a day or two".
After the complainant found out about the replaying of the CCTV footage, she lodged a complaint with the PDPC on June 19, 2018.
What Were the Key Legal Issues?
The key legal issues in this case were whether Skinny's Lounge had:
- Obtained valid consent from its patrons to disclose their personal data (i.e., their images) on the public screen, as required under the PDPA's consent obligation (section 13(a));
- Notified its patrons of the purposes for which it would collect, use, and disclose their personal data, as required under the PDPA's notification obligation (section 20(1)); and
- Used and disclosed the patrons' personal data only for purposes that a reasonable person would consider appropriate, as required under the PDPA's purpose limitation obligation (section 18).
How Did the Court Analyse the Issues?
The PDPC first determined that the images of the complainant and her friends on the CCTV footage were their personal data, as defined in the PDPA. This was the case regardless of whether the images were streamed live or replayed.
Regarding the consent obligation, the PDPC found that the organization had obtained some level of consent from its patrons. The patrons would have noticed the public screen showing images from the KTV room, and the sign in the KTV room informed them that they were being recorded. However, the PDPC determined that there was no notice to the patrons that their recorded images could be randomly selected and replayed on the public screen after they had left the premises. The organization had not obtained consent for this specific purpose.
Turning to the notification obligation, the PDPC found that the organization had not notified its patrons of the purposes for which their recorded images would be used. The only purpose evident from the circumstances was the live streaming visible to the patrons on the public screen. There was no evidence that the replaying of CCTV footage was a regular or obvious response to the CCTV malfunction.
Finally, with respect to the purpose limitation obligation, the PDPC determined that the organization's replaying of the CCTV footage on the public screen was not a purpose that a reasonable person would consider appropriate, given the lack of notice to the patrons.
What Was the Outcome?
The PDPC found that Skinny's Lounge had breached sections 13(a), 18, and 20(1) of the PDPA. However, the PDPC also noted several mitigating factors, including the lack of evidence of any unauthorized use of the CCTV footage, the fact that the organization received only one complaint, its cooperation during the investigation, and its prompt remedial action after being notified.
Considering all the relevant factors, the PDPC decided to issue a warning to Skinny's Lounge, rather than imposing further directions or a financial penalty.
Why Does This Case Matter?
This case provides important guidance on the obligations of organizations under the PDPA when collecting, using, and disclosing personal data, particularly in the context of CCTV surveillance.
The case highlights that organizations must not only obtain consent from individuals for the collection and use of their personal data, but they must also clearly notify individuals of the specific purposes for which the data will be used. Merely informing individuals that they are being recorded is not sufficient – organizations must also disclose how the recorded data will be utilized.
Furthermore, the case underscores that the purpose for which personal data is used must be one that a reasonable person would consider appropriate. Randomly replaying recorded footage without the knowledge or consent of the individuals involved is unlikely to meet this standard.
The PDPC's decision in this case serves as a reminder to organizations to carefully review their data collection and usage practices to ensure compliance with the PDPA's requirements. Failure to do so can result in regulatory action, even if no actual harm or misuse of the personal data has occurred.
Legislation Referenced
- Personal Data Protection Act
Cases Cited
- [2019] SGPDPC 13
Source Documents
This article analyses [2019] SGPDPC 13 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.