Introduction

The Personal Data Protection Act ("PDPA") sets out the duties of businesses and organisations regarding the collection, use and disclosure of personal data. To enforce these obligations, the Personal Data Protection Commission ("PDPC") is empowered to issue directions for compliance and impose financial penalties. In addition, affected individuals are entitled to bring private actions against the offending organisation if they have suffered loss or damage from the breach of such duties.

However, not all forms of loss give rise to the right of private action under the PDPA. In Reed, Michael v Bellingham, Alex [2022] SGCA 60, the Singapore Court of Appeal provided some much-anticipated clarification on what constitutes "loss or damage", and thus when an individual is entitled to initiate civil proceedings under the PDPA.

The Court of Appeal held that emotional distress falls within the scope of "loss or damage" under the PDPA, but the mere loss of control over personal data does not. In reaching its decision, the Court of Appeal considered the general purpose of the PDPA and adopted a wide interpretation of its private enforcement provisions.

The Court of Appeal also considered when an employee should be held responsible for a PDPA breach, and when the employee's actions should be attributed to the employer instead. As the relevant PDPA obligations do not apply to an employee who is only acting in the course of their employment, the Court of Appeal set out the applicable principles for determining when an employee can rely on this defence.

The Court of Appeal's decision provides important guidance for organisations and individuals that manage or deal with personal data in the course of operations, shedding light on when they may be exposed to private action for PDPA breaches.

Private Enforcement of PDPA

The PDPA provides for both public and private enforcement of its obligations. In terms of public enforcement, the PDPC is the public authority vested with the power to issue directions to ensure compliance with the PDPA and to impose financial penalties for the breach of PDPA obligations and compliance orders.

In terms of private enforcement, the PDPA provides for private actions by individuals affected by breaches of the PDPA. The decision in this case discusses the right of private action under the previous section 32 of the PDPA ("section 32"), which provided that any individual who suffered loss or damage directly as a result of a breach of the relevant obligations under Parts IV, V or VI of the PDPA would have a right of action for relief in civil proceedings in court. Such relief may include damages, injunctions, declarations or other relief that the court thinks fit. 

While section 32 has since been repealed, it has been materially reproduced in the current section 48O of the PDPA, which similarly provides for the right of action for relief in civil proceedings for loss or damage suffered directly as a result of a breach of the relevant obligations under Parts 4, 5, 6 or 6A of the PDPA. As such, the Court's decision remains relevant to the determination of the right of private action under the current version of the PDPA.

It should be noted that the PDPA obligations referred to above which may lead to private action when breached relate to the following areas:

  • Part 4: Collection, use and disclosure of personal data
  • Part 5: Access to and correction of personal data
  • Part 6: Care of personal data
  • Part 6A: Notification of data breaches

Brief Facts

The Respondent was an employee of connected companies in the business of managing funds ("Employers"). Part of his role involved managing an investment fund known as the Edinburgh Fund. The Appellant was an individual who had invested in the Edinburgh Fund.

The Respondent eventually left his employment with the Employers to join a competitor ("QIP"). After joining QIP, the Respondent contacted some investors in the Edinburgh Fund, including the Appellant, whom he had come to know of through his employment with the Employers. In an email to the Appellant, the Respondent referenced the Appellant's upcoming exit from the Edinburgh Fund and introduced other investments with QIP.

The Appellant found it unacceptable that the Respondent knew his name, personal email address and investment activity ("Personal Data"). The Employers commenced a private action against the Respondent under what was then section 32 of the PDPA, and the Appellant was joined as a party.

The District Judge injuncted the Respondent from using, disclosing or communicating the Personal Data and ordered him to destroy the Personal Data. However, the High Court Judge allowed the Respondent's appeal from the decision, finding that the Appellant had not suffered "loss or damage" giving rise to the right of private action under section 32. Notably, the High Court Judge found that emotional distress and the loss of control over personal data did not fall within the scope of such "loss or damage".

In any event, the High Court Judge accepted that by collecting and using the Personal Data to market his new firm's services, the Respondent had contravened section 13 (which prohibits the collection, use or disclosure of personal data by an organisation without the individual's consent) and section 18 (which provides that an organisation may collect, use or disclose personal information only for purposes that the individual has been informed of) of the PDPA.

Holding of the Court of Appeal

The Appellant appealed against the decision of the High Court Judge. The Court of Appeal allowed the appeal, restoring the orders made by the District Judge. Importantly, the Court of Appeal held that emotional distress was a form of "loss or damage" under section 32.

Loss or damage

The Court of Appeal sought to determine the proper interpretation of "loss or damage" under section 32 with reference to the purpose of the PDPA, choosing to adopt a wider interpretation which includes emotional distress.

The Court of Appeal considered that the PDPA was intended to provide robust protection for personal data belonging to individuals. The vast and ever-increasing volume of personal data being collected and used means that there is an increasing risk of misuse. The remedies in the PDPA should be effective in guarding the right of individuals to protect their personal data.

In this regard, the wider interpretation adopted by the Court of Appeal supports this intended purpose. The Court of Appeal noted that it would not be uncommon for emotional distress to be the only loss or damage suffered as a result of a breach of the PDPA obligations. Section 32 would thus not have any practical function if it did not include emotional distress as an actionable head of loss or damage.

The Court of Appeal stated that reading "loss or damage" to include emotional distress would not open the floodgates to litigation, setting out the following limiting principles:

  • The emotional distress must have been suffered directly as a result of the relevant PDPA breach.
  • Trivial annoyance or negative emotions which form part of the vicissitudes of life will not be actionable.

The Court of Appeal further clarified that the mere loss of control over personal data is not an actionable head of loss or damage under section 32 because every contravention of the relevant obligations of the PDPA would result in such loss of control.

Application

On the facts, the Court of Appeal found that the Appellant had in fact suffered emotional distress as a result of the Respondent's breach of section 13 and section 18 of the PDPA. The Court of Appeal highlighted the following factors:

  • The Respondent had unreasonably refused to give the Appellant an undertaking not to use the Personal Data in the future. Although the Respondent had promised to cease contact with the Appellant, the Personal Data was still in his possession and vulnerable to misuse.
  • The Personal Data included information about the Appellant's personal investments.
  • The Appellant reasonably perceived a real prospect of future misuse of the Personal Data given the Respondent's refusal to offer an undertaking.
  • The Respondent was evasive when confronted about the use of the Personal Data and dismissive of the Appellant's concerns about the Personal Data.

Exemption from liability for employees

Section 4(1)(b) of the PDPA provides that Parts 3 to 6A of the PDPA do not impose any obligations on an employee acting in the course of their employment with an organisation. The Respondent sought to rely on this defence to avoid liability, but this was rejected by the Court of Appeal.

The Court of Appeal held that the burden of proof lay on the employee to prove the requirements of the defence under section 4(1)(b). The employee would ordinarily have to adduce evidence of what was done, what the employment required the employee to do and, in appropriate cases, whether the employee deliberately evaded practices set up by the employer to deter such action. Here, the Court of Appeal found that the Respondent had not adduced sufficient evidence in this regard.

The Court of Appeal also clarified that section 4(1)(b) does not import the common law principle of vicarious liability (which imposes secondary liability for a tort committed by an employee upon an employer even though the employer is not personally at fault). Rather, the Court of Appeal noted that an employer's liability under the PDPA is fault-based. An employer would only be in breach of the PDPA if it fails to do "what a reasonable person would consider appropriate in the circumstances" (section 11(1) of the PDPA). Thus, the court would determine whether the employee's action should be attributed to the employer or whether the employee was off on a frolic of his own. The implication therefore is that "rogue" employees can be sued personally for breaches of the PDPA.

Concluding Words

The decision highlights that breaches of the PDPA open up the offending organisation and employees not only to public enforcement action, but to private civil action as well. While statutory and criminal law exposures are taken seriously, private actions, which are similarly palpable, are taken lightly by many organisations. Pursuant to such private actions, the courts are empowered to grant a wide range of remedies, including injunctions, damages and other orders that it thinks fit. This case thus demonstrates that in data protection matters, organisations need to be aware of the importance of private actions and ensure that their compliance manuals set out the corporate stance on private actions and that their data protection officers are apprised adequately of both the potential need to pursue such private action where legally appropriate and the potential liabilities when faced with such private actions commenced against them.

The decision also indicates that the courts are inclined to interpret the PDPA to afford robust protection to individuals' personal data. Here, this meant the recognition of emotional distress as an actionable head of loss or damage. Organisations handling personal data should note that individuals need not prove any financial loss in order to launch a civil action for misuse of their personal data.

Organisations and businesses should thus ensure that they have sufficient safeguards in place to protect personal data in their control from misuse, whether by their employees or otherwise. This is of particular importance given the wide scope of protection under the PDPA and the availability of enforcement action in both public and private spheres.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.