Case Details
- Citation: [2019] SGPDPC 19
- Court: Personal Data Protection Commission
- Date: 2019-06-20
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Xbot Pte. Ltd.
- Legal Areas: Data protection – Openness obligation
- Statutes Referenced: Personal Data Protection Act 2012
- Cases Cited: [2019] SGPDPC 19
- Judgment Length: 8 pages, 1,824 words
Summary
In this case, the Personal Data Protection Commission (PDPC) investigated Xbot Pte. Ltd. for allegedly disclosing the personal data of property owners through its Strata.sg mobile application and website without their consent. The PDPC found that while Xbot was permitted to collect, use, and disclose the personal data under the Personal Data Protection Act 2012 (PDPA), the company failed to comply with the PDPA's openness obligation by not having adequate data protection policies and practices in place. As a result, the PDPC issued a warning to Xbot without imposing any further directions or financial penalties, noting that the company had ceased operations and cooperated with the investigation.
What Were the Facts of This Case?
Xbot Pte. Ltd. (the "Organisation") developed and operated the Strata.sg mobile application (the "App") and an associated website, http://Strata.sg (the "Website"), which provided access to a database of residential property transactions (the "Database"). The Database included information on transactions involving both private residential properties ("Private Properties") and Housing and Development Board ("HDB") properties ("HDB Properties"). This information, which included a partial address, area, type, and price for the properties, was made available to users of the App and Website.
In addition, the complete addresses of the Private Properties (including the specific unit number) were made available to premium subscribers of the App or Website who paid a fee for access to the information in the Database. The Organisation also collected personal data from users of the Website and the App in order to grant them access to the Database.
The Organisation had a data protection policy for the Website (referred to as a "Privacy Policy"), but that policy did not mention or cover the personal data collected from users of the App. The App did not include any separate data protection policy nor any link to the Organisation's data protection policy for the Website. Furthermore, the Organisation did not have any internal policies or procedures relating to its personal data practices. At the material time, the Organisation was run by a single individual who was also an employee, with only one other employee.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether the information in the Database constituted personal data under the PDPA.
2. Whether the Organisation was permitted to collect, use, and disclose the personal data in the Database without the consent of the individuals concerned.
3. Whether the Organisation had in place the necessary data protection policies and practices required under the PDPA.
How Did the Court Analyse the Issues?
On the first issue, the PDPC found that the information in the Database relating to Private Properties constituted personal data under the PDPA, as the complete addresses of the Private Properties could be used to trace the names of the owners through the Singapore Land Authority's Land Titles Register. However, the information relating to HDB Properties did not constitute personal data, as there was no publicly available means of identifying the owners of those properties based on the information in the Database.
On the second issue, the PDPC determined that the Organisation was permitted to collect, use, and disclose the personal data in the Database without the consent of the individuals concerned, as the information had been obtained from sources that were generally available to the public, such as the Urban Redevelopment Authority's Real Estate Information System (REALIS) portal and the HDB's Resale Flat Prices portal.
On the third issue, the PDPC found that the Organisation was in breach of the PDPA's openness obligation under Section 12. While the Organisation had a data protection policy for the Website, it did not cover the personal data collected from users of the App. Additionally, the Organisation did not have any internal policies or practices in place to ensure that its employees adhered to the appropriate practices when handling personal data. The PDPC noted that the size of the Organisation was not the only determinant of the complexity of the internal policies and practices required, and that the types and amount of personal data possessed and controlled by the Organisation were also relevant considerations.
What Was the Outcome?
Having found the Organisation in breach of Section 12 of the PDPA, the PDPC issued a warning to the Organisation without imposing any further directions or financial penalties. The PDPC noted that the Organisation had ceased operations of both the App and the Website on 16 May 2018 and had been cooperative throughout the investigation.
Why Does This Case Matter?
This case is significant for several reasons:
1. It provides guidance on the interpretation of "personal data" under the PDPA, particularly in the context of property transaction information. The PDPC's distinction between the information relating to Private Properties (which constituted personal data) and HDB Properties (which did not) is a useful clarification.
2. The case highlights the importance of organizations having comprehensive data protection policies and practices in place, even for small companies with limited resources. The PDPC emphasized that the size of the organization is not the only factor in determining the necessary policies and practices, and that the types and amount of personal data possessed are also relevant considerations.
3. The PDPC's decision to issue a warning without further directions or financial penalties, despite the breach of the PDPA, demonstrates the Commission's willingness to take into account mitigating factors such as the cessation of operations and the organization's cooperation with the investigation.
This case serves as a valuable precedent for organizations in Singapore, particularly those in the property and real estate industry, on the application of the PDPA's requirements for data protection policies and practices.
This article analyses [2019] SGPDPC 19 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.