Case Details
- Citation: [2022] SGPDPC 4
- Court: Personal Data Protection Commission
- Date: 2022-03-14
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: (1) Toll Logistics (Asia) Limited, (2) Toll Global Forwarding (Singapore) Pte. Limited, (3) Toll Offshore Petroleum Services Pte. Ltd., (4) Toll (TZ) Pte. Ltd.
- Legal Areas: Data Protection – Protection obligation, Data Protection – Transfer Limitation obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2018] SGPDPC 26, [2020] SGPDPC 20, [2022] SGPDPC 4
- Judgment Length: 10 pages, 2,575 words
Summary
This case involves an investigation by the Singapore Personal Data Protection Commission (PDPC) into a ransomware attack that affected the IT systems of Toll Holdings Limited and its Singapore-registered subsidiaries, including Toll Logistics (Asia) Limited, Toll Global Forwarding (Singapore) Pte. Ltd., Toll Offshore Petroleum Services Pte. Ltd., and Toll (TZ) Pte. Ltd. (collectively, "the Organisations"). The PDPC examined whether the Organisations had breached their obligations under the Personal Data Protection Act (PDPA) to protect personal data and to transfer personal data outside Singapore only in accordance with the PDPA's requirements.
The PDPC ultimately found that the Organisations had not breached their protection obligation, as they had implemented reasonable security arrangements to prevent unauthorized access. However, the PDPC determined that the Organisations had breached their transfer limitation obligation by failing to ensure that the recipient of personal data transferred to Australia was bound by legally enforceable obligations to provide a comparable standard of data protection.
What Were the Facts of This Case?
Toll Holdings Limited is an integrated logistics services provider headquartered in Australia. The Organisations are Singapore-registered entities that are part of Toll Holdings' multinational group of companies. In July 2013, Toll Holdings contracted with a vendor in Ireland ("the HR Vendor") for the group's use of the HR Vendor's human resources software platform ("the HR Platform"). The Organisations began uploading the personal data of their employees to the HR Platform, which was hosted by the HR Vendor in data centres in the European Economic Area.
In 2019, the Organisations entered into Corporate Services Agreements (CSAs) with Toll Holdings, under which Toll Holdings would provide various corporate services, including human resources, IT, and legal services, to the Organisations. As part of these services, Toll Holdings was permitted to appoint subcontractors. The Organisations maintained their own servers in Singapore ("the Singapore Servers") to support their operations, including servers used by their corporate teams that contained employee personal data.
Sometime prior to the incident, Toll Holdings' Chief Human Resources Officer extracted personal data relating to 1,748 of the Organisations' current and former employees from the HR Platform and transmitted it to a server in Australia ("the Australia Server"). Toll Holdings claimed this was done to perform services for the Organisations under the CSAs.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the Organisations had breached their obligations under section 26 of the PDPA not to transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA (the "Transfer Limitation Obligation").
2. Whether the Organisations had breached their obligations under section 24 of the PDPA to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks (the "Protection Obligation").
How Did the Court Analyse the Issues?
Regarding the Transfer Limitation Obligation, the PDPC noted that any transfers of personal data by the Organisations out of Singapore after 2 July 2014 would have been subject to the requirements in the Personal Data Protection Regulations 2014 (PDPR 2014) and, after 1 February 2021, the requirements in the Personal Data Protection Regulations 2021 (PDPR 2021). These regulations require an organization transferring personal data outside of Singapore to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to that under the PDPA.
The PDPC found that the Organisations had failed to take such appropriate steps to ensure the recipient (Toll Holdings in Australia) was bound by legally enforceable obligations. The PDPC noted that the Organisations did not provide any evidence of a contract, binding corporate rules, or other legally binding instrument that would impose the required data protection obligations on Toll Holdings in Australia.
Regarding the Protection Obligation, the PDPC examined the security measures implemented by the Organisations, including the use of industry-standard security solutions and the engagement of a Managed Security Service Provider (MSSP) to provide cyber security detection and incident response services. The PDPC found that the Organisations had implemented reasonable security arrangements to protect the personal data in their possession, and that the unauthorized access and ransomware attack were not due to a failure in the Organisations' security measures.
What Was the Outcome?
The PDPC found that the Organisations had breached their Transfer Limitation Obligation by failing to ensure that the recipient of the personal data transferred to Australia (Toll Holdings) was bound by legally enforceable obligations to provide a comparable standard of data protection. However, the PDPC determined that the Organisations had not breached their Protection Obligation, as they had implemented reasonable security arrangements to prevent unauthorized access to the personal data in their possession.
The PDPC did not impose any financial penalties on the Organisations, but directed them to review and strengthen their processes for transferring personal data outside of Singapore to ensure compliance with the PDPA's Transfer Limitation Obligation.
Why Does This Case Matter?
This case provides important guidance on the obligations of organizations under the PDPA when transferring personal data outside of Singapore. It reinforces that organizations must take appropriate steps to ensure the recipient of the transferred data is bound by legally enforceable obligations to provide a comparable standard of data protection, regardless of whether the transfer is to a related group entity or a third party.
The case also highlights that the PDPC will closely scrutinize an organization's security measures and incident response procedures when assessing compliance with the PDPA's Protection Obligation. While the Organisations were found to have met this obligation, the case demonstrates the importance of implementing robust, industry-standard security controls and having effective incident response plans in place.
Overall, this decision serves as a valuable precedent for organizations in Singapore to review their data transfer practices and security arrangements to ensure alignment with the PDPA's requirements.
Legislation Referenced
- Personal Data Protection Act 2012
- Personal Data Protection Regulations 2014
- Personal Data Protection Regulations 2021
Cases Cited
- [2018] SGPDPC 26
- [2020] SGPDPC 20
- [2022] SGPDPC 4
Source Documents
This article analyses [2022] SGPDPC 4 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.