
Supernova Pte Ltd & Anor [2022] SGPDPC 7

Analysis of [2022] SGPDPC 7, a decision of the Personal Data Protection Commission on 2022-10-06.

Case Details

  • Citation: [2022] SGPDPC 7
  • Court: Personal Data Protection Commission
  • Date: 2022-10-06
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: N/A
  • Defendant/Respondent: (1) Supernova Pte Ltd, (2) Shopify Commerce Singapore Pte Ltd
  • Legal Areas: Data Protection – Transfer Limitation Obligation, Data Protection – Data intermediary
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Regulations 2014
  • Cases Cited: [2022] SGPDPC 7
  • Judgment Length: 14 pages, 2,479 words

Summary

This case concerns a data breach incident that affected the personal data of customers of Supernova Pte Ltd ("SNPL"), an online retailer that used Shopify Inc's e-commerce platform. The Personal Data Protection Commission ("PDPC") investigated whether SNPL and Shopify Commerce Singapore Pte Ltd ("Shopify SG") had breached their obligations under the Personal Data Protection Act 2012 ("PDPA") in relation to the transfer of personal data outside of Singapore. The PDPC found that SNPL had failed to comply with the transfer limitation obligation under section 26 of the PDPA, while Shopify SG was not in breach as it was acting as a data intermediary for SNPL.

What Were the Facts of This Case?

SNPL is an online retailer that began using Shopify's e-commerce platform in 2018 to sell its products to customers. Shopify, a company based in Canada, provided payment processing and other services to SNPL pursuant to the Shopify Plus Agreement. Shopify Commerce Singapore Pte Ltd ("Shopify SG") acted as Shopify's Asia-Pacific data sub-processor, responsible for collecting customer personal data (including SNPL's) via the platform and transferring the data out of Singapore to Shopify.

On 1 July 2019, the Shopify Plus Agreement was assigned to Shopify SG. This reconfigured the relationship between the parties - for purchase processing, Shopify SG became SNPL's data intermediary, while for platform processing, Shopify SG became the data controller of the customer personal data collected through the platform.

Between June and September 2020, two Philippines-based service contractors of Shopify illegally accessed and exfiltrated certain customer personal data stored in Shopify's systems, including the personal data of SNPL's customers. This incident was disclosed to SNPL on 18 September 2020.

The key legal issues in this case were whether SNPL and Shopify SG had complied with the transfer limitation obligation under section 26 of the PDPA in relation to the transfer of SNPL's customer personal data outside of Singapore.

Section 26(1) of the PDPA requires an organisation to ensure that personal data transferred to a country or territory outside Singapore is protected to a standard that is comparable to the protection under the PDPA. The PDPC had to determine whether SNPL and Shopify SG had taken the necessary steps to comply with this obligation.

How Did the Court Analyse the Issues?

The PDPC found that SNPL, as the data controller of its customers' personal data, had an obligation to comply with the transfer limitation obligation under section 26 of the PDPA. This obligation did not abate even after the assignment of the Shopify Plus Agreement to Shopify SG, as the flow of SNPL's customer personal data to Shopify (and later Shopify SG) for processing outside of Singapore remained unchanged.

The PDPC noted that the onus was on SNPL to put in place the relevant contractual clauses to ensure that the personal data transferred to Shopify (and later Shopify SG) was protected to a standard comparable to the PDPA. However, investigations revealed that SNPL did not do so, even though it had conducted a due diligence assessment of Shopify's data protection practices in 2018 before entering into the Shopify Plus Agreement.

In contrast, the PDPC found that Shopify SG was not in breach of the transfer limitation obligation, as it was acting as a data intermediary for SNPL. Section 4(3) of the PDPA provides that an organisation has the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself. Therefore, the onus was on SNPL, as the data controller, to ensure that the transfer limitation obligation was complied with.

What Was the Outcome?

The PDPC found that SNPL had failed to comply with the transfer limitation obligation under section 26 of the PDPA. SNPL was in breach of the PDPA for not ensuring that the personal data transferred to Shopify (and later Shopify SG) outside of Singapore was protected to a standard comparable to the PDPA.

On the other hand, the PDPC determined that Shopify SG, as SNPL's data intermediary, was not in breach of the PDPA. The responsibility to comply with the transfer limitation obligation rested with SNPL as the data controller.

Why Does This Case Matter?

This case highlights the importance of organisations complying with the transfer limitation obligation under the PDPA when transferring personal data outside of Singapore. Even if an organisation engages a data intermediary to process personal data on its behalf, the organisation remains responsible for ensuring that the transferred personal data is protected to a standard comparable to the PDPA.

The case also underscores the need for organisations to conduct thorough due diligence on their data intermediaries and to put in place appropriate contractual clauses to ensure the protection of personal data. Relying solely on a general assessment of the data intermediary's data protection practices may not be sufficient to meet the transfer limitation obligation.

This decision serves as a reminder to organisations to carefully review their data transfer practices and contractual arrangements to ensure compliance with the PDPA. Failure to do so can result in regulatory action by the PDPC, as demonstrated in this case.

Legislation Referenced

  • Personal Data Protection Act 2012
  • Personal Data Protection Regulations 2014

Cases Cited

  • [2022] SGPDPC 7

Source Documents

This article analyses [2022] SGPDPC 7 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
