Global | Publication | September 2022
In a significant judgment affirming the importance of the protection of personal data in Singapore, the Singapore Court of Appeal (SGCA or Court) has clarified the ambit of the right of private action in section 32(1) of the Personal Data Protection Act 2012 (PDPA)1.
In Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60 (Reed v Bellingham), the SGCA held that emotional distress is sufficient to constitute the “loss or damage” required to found a private action under section 32(1) PDPA, reversing the Singapore High Court’s earlier decision on the matter. The SGCA also held that, by contrast, the loss of control of personal data does not, without more, constitute such “loss or damage”. We previously commented on the Singapore High Court’s decision on the matter – access our commentary here: A Tale of Two Cities: The Right of Private Action in Data Protection in Singapore and Hong Kong | Singapore | Global law firm | Norton Rose Fulbright.
The judgment lays down general principles as to what emotional distress under section 32(1) PDPA entails and clarifies the nature and scope of a defence to liability set out in section 4(1)(b) PDPA.
The key facts of the case relate to the unauthorised collection and use by Mr. Alex Bellingham (Mr. Bellingham) of personal data belonging to Mr. Michael Reed (Mr. Reed), a customer of Mr. Bellingham’s former employers. After Mr. Bellingham left the employ of his former employers to work for a competitor, he contacted Mr. Reed via the latter’s personal e-mail address. In such correspondence, Mr. Bellingham expressed knowledge of Mr. Reed’s investment activity with his former employers and presented new investment opportunities to Mr. Reed.
Mr. Reed subsequently requested, amongst other things, that Mr. Bellingham clarify how he had obtained, and intended to protect, Mr. Reed’s personal data. In Mr. Bellingham’s response, he did not address Mr. Reed’s concern regarding the protection of his personal data. The unauthorised collection and use of Mr. Reed’s personal data was the subject of a private action commenced in the District Court under section 32(1) PDPA against Mr. Bellingham.
At first instance, the District Court granted Mr. Reed: (a) an injunction restraining Mr. Bellingham from using, disclosing or communicating Mr. Reed’s personal data; and (b) an order that Mr. Bellingham undertake to destroy Mr. Reed’s personal data that was in his possession (collectively, District Judge’s orders).
On Mr. Bellingham’s appeal to the High Court, the District Judge’s orders were set aside. While Mr. Reed’s case was that he suffered emotional distress and loss of control of his personal data, the High Court held that neither type of loss constituted the requisite “loss or damage” for the purpose of a private action under section 32(1) PDPA. Mr. Reed filed an appeal to the Court of Appeal.
The Court of Appeal’s decision
In its judgment, the SGCA considered three main issues.
1. Whether s 4(1)(b) PDPA exempts Mr. Bellingham from liability for breaching sections 13 and 18 PDPA
Section 13 of the PDPA imposes an obligation on an organisation not to collect, use or disclose an individual’s personal data unless the individual has so consented or the organisation is otherwise required or authorised under the law to do so. Section 18 of the PDPA permits an organisation to collect, use or disclose an individual’s personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that the individual has been informed of (unless certain exceptions apply). On the facts of the case, the unauthorised collection and use of Mr. Reed’s personal data constituted breaches of sections 13 and 18 of the PDPA.
As a preliminary point, the SGCA rejected Mr. Bellingham’s contention that the obligations under sections 13 and 18 only apply to organisations and therefore do not apply to him as an individual. In so doing, the Court observed that the term “organisation” is explicitly defined under the PDPA to include an individual2.
The SGCA held that an individual seeking to avoid an obligation under the PDPA would instead have to satisfy the requirements of a relevant limb of section 4 PDPA3. The Court regarded section 4(1) as a defence to liability for breaches of the PDPA, and noted that the burden of proof therefore lies on the defendant to establish, on the balance of probabilities, the requirement(s) of the limb of section 4(1) being invoked4.
In respect of Mr. Bellingham’s argument that section 4(1)(b) PDPA was applicable in the present case (such that he would not be liable for any breaches of sections 13 and 18 of the PDPA committed “in the course of his employment”), the Court noted that there was insufficient evidence in this regard and that Mr Bellingham accordingly could not avail himself of such a defence5.
2. Whether “loss or damage” in section 32(1) PDPA includes emotional distress or loss of control of personal data
Having established that Mr. Bellingham had contravened sections 13 and 18 of the PDPA, the Court turned to consider the issue of whether Mr. Reed was entitled to bring a section 32 action against Mr. Bellingham – in particular, whether the requisite “loss or damage” in section 32(1) had been suffered.
The SGCA held that as section 32 of the PDPA creates a statutory tort, the scope of the right of action has to be determined first and foremost by the principles of statutory construction6. Applying such principles in respect of the claim of emotional distress:
However, insofar as the claim of loss of control of personal data was concerned, this did not constitute the requisite “loss or damage” under section 32(1) as every contravention of Part IV to VI of the PDPA (which set out organisations’ obligations in respect of personal data) would inevitably involve some form of loss of control of personal data. Loss of control of personal data therefore could not found an action under section 32(1).
3. Whether Mr. Reed suffered emotional distress
The SGCA held that a multi-factorial approach should be adopted in determining whether an individual suffered emotional distress, and provided several non-exhaustive considerations:
The Court found that, on the facts, Mr. Reed had as a direct result of Mr. Bellingham’s contravention of sections 13 and 18 of the PDPA suffered emotional distress significant enough to be actionable. The available evidence showed, amongst other things, that Mr. Reed was anxious about the potential misuse of his personal data (which included sensitive information relating to his personal investments), particularly as Mr. Bellingham refused to offer any assurances that the personal data would be protected.
As such, the Court found that Mr. Reed had suffered loss or damage within the meaning of section 32(1) which founded a right of private action. The Court accordingly allowed Mr. Reed’s appeal and restored the District Judge’s orders in full.
Reed v Bellingham is a clear testament to the importance placed on the protection of personal data in Singapore. The SGCA’s emphasis of Parliament’s intent to “provide robust protection for personal data belonging to individuals”11, and the Court’s corresponding willingness to further such intent, indicate that the personal data regime in Singapore will only mature and strengthen over time.
The recognition of emotional distress as a form of actionable “loss or damage” is significant because it is often difficult for individuals whose personal data had been misused to prove traditional heads of actionable damage for tort claims, viz. pecuniary loss, damage to property and personal injury (including psychiatric injury). The scope for liability under the PDPA has, with the SGCA’s decision in Reed v Bellingham, been expanded and organisations should be mindful to comply fully with their obligations under the PDPA, as they may not only face regulatory scrutiny by the Personal Data Protection Commission but also aggrieved data subjects.
At the same time, the Court took pains to emphasise that its decision will not necessarily lead to a flurry of opportunistic private actions as section 32(1) nevertheless requires a “strict causal link” between the breach of the PDPA and the loss or damage suffered, and no legal recourse will be permitted where the loss or damage is minimal12.
As the Court indicated that it would not prescribe a general standard as to the threshold of emotional distress, and would instead let the law develop on a case-by-case basis, the scope of the right to private action under the PDPA is likely to continue to evolve.
Publication
In OneMove Capital Corporation v. Dye & Durham Limited, 2024 the Ontario Superior Court of Justice considered, among other issues, whether OneMove Capital Corporation, a shareholder of Dye & Durham Limited (D&D or the company), could make a proposal under s. 99 of the Business Corporations Act (Ontario) (OBCA) to remove a director mid-term.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023
