17 February 2020

Recent Decisions Of The Personal Data Protection Commission

Global Advertising Lawyers Alliance (GALA)

Contributor


The Personal Data Protection Commission ('PDPC') recently carried out investigations under Section 50(1) of the Personal Data Protection Act 2012 ('PDPA') and subsequently issued a warning to one organisation and a financial penalty to the other, as set out below:

L'Oréal Singapore Pte. Ltd., Case No. DP-1812-B3091

L'Oréal Singapore Pte. Ltd. ("L'Oréal") operated a website which had a login portal that enabled its customers to view their profile information, etc. (the "Customer Login Page"). The customers' profile information included their name, email address, postal address, mobile number and date of birth (the "Personal Data"). The development and maintenance of the website were carried out by a vendor engaged by L'Oréal. In order to improve the loading speed of the website, L'Oréal instructed its vendor to make some changes to the website. However, L'Oréal failed to scope the User Acceptance Tests ("UATs") to include the login and caching functions of the Customer Login Page, after the code changes were introduced. As a result, when a customer logged into the Customer Login Page, his or her Personal Data would be cached. The customer's Personal Data would then be disclosed to the next customer who logged in to the Customer Login Page until the cache was refreshed. The PDPC found that Personal Data of 7 individuals had been exposed to the risk of unauthorised disclosure as a result of L'Oréal's failure to ensure appropriate testing of its website or make other security arrangements to protect the Personal Data. The PDPC found L'Oréal in breach of Section 24 of the PDPA and issued a warning for this lapse.
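
The failure mode described above, and the sequential-login test case that would have caught it, can be shown in a short sketch. This is an added example, not code from L'Oréal, its vendor or the PDPC decision; it assumes a page cache keyed by URL path only, and every name and data value in it is constructed.

```python
# Added illustration with hypothetical names; the path-only cache key is an assumption.

PROFILES = {  # constructed sample data
    "alice": {"name": "Alice Tan", "email": "alice@example.com"},
    "bob": {"name": "Bob Lim", "email": "bob@example.com"},
}


class PageCache:
    """Minimal page cache placed in front of a render function."""

    def __init__(self, cacheable):
        self.cacheable = cacheable  # predicate: may this path be stored?
        self.store = {}

    def get(self, path, user, render):
        if not self.cacheable(path):
            return render(path, user)       # personalised: rendered fresh
        if path not in self.store:          # key is the path only, not the user
            self.store[path] = render(path, user)
        return self.store[path]


def render(path, user):
    if path == "/account/profile":
        p = PROFILES[user]
        return f"{p['name']} <{p['email']}>"
    return "Product catalogue"              # identical for every visitor


def cache_everything(path):
    return True                             # assumed model of the flawed speed-up


def cache_public_only(path):
    return not path.startswith("/account/")  # logged-in pages bypass the cache


def uat_sequential_logins(cache):
    """UAT case: two customers log in one after the other.
    Returns the users who were not shown their own profile."""
    leaked = []
    for user in ("alice", "bob"):
        page = cache.get("/account/profile", user, render)
        if PROFILES[user]["email"] not in page:
            leaked.append(user)
    return leaked
```

Run against `PageCache(cache_everything)`, the test reports that the second customer received the first customer's profile; with `cache_public_only` it reports nothing, while the public catalogue page is still served from cache.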

Creative Technology Ltd., Case No. DP-1811-B3058

Creative Technology Ltd. ("Creative") operated and hosted an online support forum (the "Forum") sometime in 2004 for users to share ideas and information on its products. In 2011, Creative adopted third-party forum software known as "vBulletin" to operate and host the Forum internally. Unbeknownst to Creative, the vBulletin software had a Structured Query Language (SQL) vulnerability which could allow hackers to extract information hosted on the platform using SQL injection techniques. The developers of the vBulletin software released patches to address this SQL vulnerability in 2016, but Creative did not install these patches. In 2018, an unknown hacker used SQL injection techniques to obtain personal data of Forum users from the Forum's database. Creative found that 484,512 users' account information had been accessed and extracted, out of which only 8,258 were active users who had accessed or posted on the Forum between 2014 and 2018. Creative made certain mitigating representations, including that the disclosure was unlikely to have caused serious or substantial harm or injury due to the low sensitivity of the personal data disclosed. It had also taken swift remedial action upon notification of the incident by suspending and shutting down the Forum within a span of 2 weeks therefrom, and deleting the user database. The PDPC directed Creative to pay a financial penalty of S$15,000, but decided not to impose any other direction as Creative had ceased to operate the Forum and no longer retained the database of Forum users.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
