Singapore's Personal Data Protection Act 2012 (PDPA) has been in force for a few years. By now, most organisations are familiar with the need to implement a privacy policy. However, organisations may not realise that their privacy policy needs to be reviewed from time to time to ensure that it remains relevant to the organisation as its business evolves.

Changes to the way an organisation does business may result in changes to:

  • the type of personal data which it collects;
  • the manner in which it collects personal data;
  • the purposes for which personal data is collected.

Any of these changes may necessitate an update to the privacy policy.

The case of Actxa Pte Ltd [2018] SGPDPC 5, recently decided by the Personal Data Protection Commission (PDPC), highlights the need for an organisation to review its privacy policy from time to time.

Actxa Pte Ltd [2018] SGPDPC 5

Actxa operates a website which sells healthcare and fitness related Internet of Things (IoT) devices such as "smart" weighing scales and fitness trackers. These IoT devices collect data about the user.

The user can access the data collected by the IoT devices through the Actxa App (App) which may be downloaded and installed on a mobile device. To use the App, the user has to create a user account by providing certain personal data, such as name, email address, gender, date of birth, height and weight.

When the IoT weighing scale is used, it collects personal data such as weight, height, body mass index, total body water, total body fat, bone mass and muscle mass. The fitness trackers collect personal data such as an individual's goals, active minutes, sleep duration, start of sleep and end of sleep. These data, which are collected through the user's use of the IoT device, may be viewed by the user through the App, and are also collected and stored on Actxa's servers.

A complaint was made to the PDPC by a complainant alleging that Actxa had failed to notify him of, and obtain his consent for, Actxa's collection of his personal data. The complainant's spouse had bought a weighing scale from Actxa's website, and the complainant had downloaded the App and created an account.

Actxa argued that users of the App were required to agree to Actxa's privacy policy before using the App, and that the privacy policy would have notified the user of the collection, use and disclosure of personal data.

However, the PDPC found that the wording of Actxa's privacy policy referred only to data collection through Actxa's website, and did not address the collection, use and disclosure of personal data through the App or any of the IoT devices.

The first few sentences of Actxa's privacy policy read as follows:

"This Privacy Policy discloses the privacy practices for the Actxa website (collectively, the "Website" located at Actxa, the provider of the Website (referred to as "use" or "we"), is committed to protecting your privacy online in compliance with Personal Data Protection Ordinance (PDPO) ("PDPO"). Please read the following to learn what information we collect from you (the "User" or the "End User") and how we use that information..."

The PDPC found that "the complete absence of any reference to the Actxa App in the Privacy Policy shows that the Privacy Policy was only intended to govern the data collection activities undertaken through the Actxa Website, and not the Actxa App nor the IoT devices".

Actxa tried to argue that the users would have known that the privacy policy was applicable to personal data collected through the use of the App since the privacy policy would have been shown on the App. However, this argument was rejected by the PDPC on the basis that "displaying a privacy policy that has no relevance to the Actxa App cannot amount to proper notification".

Hence, any acceptance of the privacy policy by a user of the App would not constitute valid consent for the collection, use and disclosure of the user's personal data.

Lessons learnt from Actxa's case

Actxa's privacy policy may have been adequate for personal data collected through its retail website. However, when Actxa started to sell IoT devices, which enabled Actxa to collect different types of personal data through means other than its website, Actxa should have reviewed its privacy policy to ensure that it was adequate for its new line of business.

This case highlights the need for an organisation to review its privacy policy regularly to ensure that it reflects the organisation's actual practices and is adequate for any new business the organisation wishes to undertake.

It also highlights the importance of having a carefully drafted privacy policy that is tailored to the needs of the organisation. Many web developers provide "cookie cutter" privacy policies when developing a website for their clients. Such privacy policies do not address personal data collected by the organisation through means other than the website, and should not be adopted by the organisation without review.

Dentons Rodyk thanks and acknowledges Joshua Woo for his contribution to the article.
