The General Division of the High Court recently delivered a judgment in the case of Bellingham Alex v Reed Michael [2021] SGHC 125, that shed light on the extent to which an individual person could bring a civil action in court in connection of a contravention of the Personal Data Protection Act 2012.   This Client Update discusses that decision.

In Bellingham Alex v Reed Michael [2021] SGHC 125, Chua Lee Ming J heard an appeal from a decision of a district judge, wherein an injunction was granted against the defendant, who was found to have breached statutory obligations under the PDPA, but in respect of which the plaintiff was unable to establish any form of physical or financial loss, other than general distress and loss of control over his personal data. 

The defendant was a former employee of a fund management company. In the course of his employment with the fund management company, he became aware that the plaintiff was a client of the fund management company and had certain investments with the fund management company. The defendant subsequently left the employ of the fund management company to join a rival fund management business. He then emailed the plaintiff to inquire if the plaintiff would be interested to invest with his new employers. The plaintiff (together with the defendant's previous employer) took objection to this and considered the defendant to have contravened the PDPA in respect of his use of the plaintiff's personal data.  A claim under section 32 of the PDPA was initially brought against the defendant by the previous employer alone.  When faced with the argument that the previous employer did not have the legal standing to bring the action since the personal data related to the plaintiff rather than the previous employer, the plaintiff was added as a party to the suit.

Section 32(1) of the PDPA provides that a person who has suffered loss or damage directly as a result of a contravention, by an organisation, of any provision in Part IV, V or VI of the PDPA (these being the Parts of the PDPA that provide for various obligations relating to the handling of personal data), shall have a right of action for relief in civil proceedings in a court. Section 32(3) goes on to provide that the court may grant any form of relief as the court thinks fit, including an injunction or declaration, as well as damages.

The High Court agreed with the district judge that the defendant breached various obligations under the PDPA, but decided that the plaintiff was not able to make a claim under section 32 because he had not suffered any loss or damage within the meaning of the PDPA.

The term "loss or damage", as used in section 32 of the PDPA was not statutorily defined. Chua Lee Ming J surveyed the legal position in a number of commonwealth jurisdictions as well as the parliamentary materials relating to the PDPA and concluded that the legislative purpose of the PDPA was not to recognise or protect an absolute or fundamental right to privacy (unlike in the other commonwealth jurisdictions surveyed), but rather the PDPA was intended to enhance the competitiveness of Singapore and to strengthen Singapore's reputation as a trusted business hub by safeguarding an individual's personal data against misuse. To these ends, the High Court Judge considered that it was not necessary to interpret the term "loss or damage" more widely than what is commonly understood under the general law of tort (i.e. covering pecuniary loss, property damage and personal injury). Accordingly, it was decided that the plaintiff was not entitled to claim relief under section 32 of the PDPA if all he was able to prove by way of loss was distress and loss of control over the personal data.  


While the decision in Bellingham v Reed is helpful in providing clarity as to the circumstances when one is able to sue under section 32 of the PDPA, it seems unfortunate that the High Court chose to apply a relatively narrow interpretation of the private right of enforcement.  

Given the inherent nature of data privacy, it is not easy to envisage many situations where a breach of privacy will actually cause a person to suffer pecuniary loss, property damage or personal injury. While other commonwealth legislation may have more explicit provisions that make clear that distress and loss of control are recoverable heads of losses, limiting the scope of our PDPA in such a manner will simply deprive aggrieved individuals of what could be an effective self-help remedy. If the concern is with the difficulty in quantifying these comparative novel heads of loss, this will only be relevant in relation to an award of damages. In principle, if a defendant is indeed found to have contravened obligations under the PDPA, it is hard to see, as a matter of principle, why a court should decline to grant an injunction to restrain the defendant from continuing to contravene his obligations.

In effect, such a conservative reading of section 32 leaves it very much to the Personal Data Protection Commission to enforce almost all contraventions of the PDPA. In the author's view, our courts can afford to adopt a more robust interpretation of section 32. The High Court has now granted the plaintiff leave to appeal. Hopefully, this will therefore not be the last and final word on an issue of considerable importance. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.