This decision clarifies the ambit of the right of private action under the Singapore Personal Data Protection Act 2012 and sheds light on how the phrase "loss or damage" should be interpreted.
The Singapore Court of Appeal, in its recent decision of Reed, Michael v Bellingham, Alex (Attorney-General, intervener)  SGCA 60, provides clarity on two provisions under the Personal Data Protection Act ("PDPA"). The first is section 4(1)(b), which states that the PDPA does not impose any obligation on any employee acting in the course of his or her employment with an organisation.
The second is the then section 32 (now section 48O), which allows individuals who suffer loss or damage as a result of an organisation's contravention of the PDPA, the right to commence private action against the organisation.
There are three main takeaways from this decision.
First, section 4(1)(b) is regarded as a defence for employees to prove that he/she engaged in the conduct in good faith during the course of his/her employment. The doctrine of vicarious liability cannot be imported into the section as it is contrary to the effect of section 4(1)(b), which is to exempt the employee from liability.
Secondly, the Court made clear that aggrieved individuals can decide between complaining to the Personal Data Protection Commission ("PDPC") and commencing a private action against an organisation that contravenes the PDPA. A complainant need not make a complaint to the PDPC first before litigating under section 32.
Thirdly, the Court held that the phrase "loss or damage" includes emotional distress. The emotional distress must be suffered directly as a result of a contravention of PDPA's provisions and the loss or damage suffered must not be trivial.
Even if the loss or damage suffered by the aggrieved individual is confined to emotional distress, the Court recognised that it is common for emotional distress to be the only loss or damage suffered, and individuals may still bring a claim against the organisation.
With aggrieved individuals having more than one avenue against the organisation and given the broad interpretation of "loss or damage", this decision serves as a good reminder to organisations that their liability is fault-based under the PDPA and they are to review their existing data protection policies and measures and ensure compliance with the PDPA.
In further detail
IP Investment Management Pte Ltd and IP Real Estate Investments Pte Ltd (the "Employers") commenced a private action against their former employee, Alex Bellingham (the "respondent"). Amongst others, they sought to restrain the respondent from using Michael Reed's (the "appellant") and others' personal data. The appellant received an email from the respondent regarding his investment activity in a particular fund, and was surprised how the respondent got hold of his personal email address and was aware of his investment activities.
The District Judge granted the appellant an injunction to restrain the respondent and an order that the respondent undertakes to destroy the appellant's personal data that was in his possession. The respondent subsequently filed an appeal against the District Judge's decision. The High Court judge allowed the appeal and was of the view that neither the loss of control nor personal data and emotional distress are recognised under section 32 of the PDPA.
Issues for determination before the Court of Appeal
It was accepted by both parties that the respondent was in breach of sections 13 and 18 of the PDPA. There were three issues that arose for the Court's determination:
- Whether section 4(1)(b) of the PDPA exempts the respondent from liability for breaching sections 13 and 18;
- Whether "loss or damage" includes emotional distress or loss of control of personal data; and
- Whether the appellant suffered emotional distress or loss of control of personal data.
Section 4(1)(b) does not exempt the respondent from liability
The Court held that section 4(1) is a defence that may be invoked by a party accused of breaching the PDPA to avoid liability. On the burden of proof, it is for the respondent to show that when the breaches of the PDPA occurred, he was an employee, and was acting in the course of his employment in committing the breach.
However, there was insufficient evidence to prove that the respondent was acting within the course of employment when he misused the personal data.
The Court also expressly declined the importation of the doctrine of vicarious liability into section 4(1)(b) of the PDPA due to the fundamental conceptual incompatibility between the two - an employer's liability under the PDPA is fault-based whereas the doctrine of vicarious liability seeks to hold an employer liable through no fault of its own.
"Loss or damage" includes emotional distress but not loss of control of personal data
The Court adopted a purposive interpretation of section 32(1) of the PDPA (now section 48O(1)) and held that emotional distress can found a section 32 action. In support of this conclusion, the Court first looked to the legislative intent underlying section 32. It held that the parliamentary intention to promote the right of individuals to protect their personal data supersedes the presumptive common law position that emotional distress per se is not actionable.
Adopting a textual and contextual interpretation of the section, there is nothing that militates against the inclusion of emotional distress into the phrase "loss or damage".
The Court acknowledged that it is common for emotional distress to be the only loss or damage suffered when there is a misuse of personal data. It does not matter that Singapore does not expressly recognise a right to privacy as it is "ordinary human experience" that the misuse of personal data will result in distress and anxiety.
The Court also considered the question of whether it will open the floodgates of litigation if "loss or damage" can be interpreted to include emotional distress, and considered the question moot with the following control mechanisms in place:
- the loss or damage must have been suffered directly as a result of the contravention; and
- there is no recourse for minimal loss (the de minimis principle).
However, the loss of control of personal data does not constitute "loss or damage" under section 32. This is because the loss of control of personal data (in one way or another) permeates every contravention of Part 4 to Part 6 of the PDPA.
The appellant suffered emotional distress
In ascertaining whether there was emotional distress, the inquiry is whether the very individual before the court subjectively suffered emotional distress. That said, the court is still entitled to take into account how a reasonable person would have reacted in similar circumstances to assess the claimant's subjective state of mind.
A multi-factorial approach should be adopted in assessing whether there was emotional distress. To this end, the Court helpfully laid down several non-exhaustive factors to be considered:
- the nature of personal data involved in the breach (some categories of personal data, such as financial data, are likely to be sensitive);
- the nature of the breach (whether the breach of the PDPA was one-off, repeated and/or continuing);
- the nature of the defendant's conduct (whether there was fraudulent or malicious intent);
- risk of future breaches of the PDPA causing emotional distress to the claimant;
- the actual impact of the breach on the claimant.
On the facts, the Court held that the appellant did suffer emotional distress. While the appellant's emails and the language used did not seem to suggest that there was distress, the conduct of both the appellant and the respondent must be taken into account. The appellant brought the issue to the attention of one of the Employers and the Employer was persuaded to demand an undertaking from the respondent to not misuse the personal data, which the respondent had refused to provide. Other factors that the Court took into account include the sensitive nature of the personal data involved and the attitude of the respondent when being confronted about the use of personal data.