Singapore High Court denies injunction for emotional distress and loss of control of personal data, in the first private action brought under the Personal Data Protection Act

Key Takeaways

This case highlights:

• An individual who brings a private action under the PDPA must show that “loss or damage” was suffered as a direct result of the offending organisation’s breach of their PDPA obligations. Mere distress or loss of control of personal data is insufficient. The heads of “loss or damage” are pegged to those claimable for a tortious breach in common law – e.g. pecuniary loss, damage to property, personal injury, including psychiatric illness.
  

   

• However, all is not lost for individuals who may not be able to prove the required loss or damage. Recourse may still be sought by way of a complaint to the PDPC. The individual may be granted relief if the PDPC decides to issue directions to ensure the offending organisation’s compliance with the PDPA.

Relevant Background Facts

Alex Bellingham (“Bellingham”) was a marketing consultant who used personal data he obtained from his former employers to market a new fund to Michael Reed (“Reed”). Bellingham had obtained Reed’s name and investment information from his former employers and Reed’s email address from Reed’s LinkedIn account. Bellingham’s actions prompted Reed to question how Bellingham was able to obtain information about Reed’s previous investments.

Reed subsequently joined Bellingham’s former employers in an application for an injunction under the PDPA to restrain Bellingham from using, disclosing or communicating to any person any personal data of Reed.

High Court found that although Bellingham had breached the PDPA, Reed was not entitled to injunctive relief for mere distress and loss of control over personal data.

The Singapore High Court found that Reed had not suffered any loss or damage, which would entitle him to pursue private action under s 32(1) of the PDPA (as it stood in 2018).

As a starting point, the Court found that Bellingham had breached the PDPA by failing to obtain consent from Reed to use Reed’s email to among others, contact Reed and to market fund services to Reed. It was also held that a reasonable person would not have considered it appropriate for Bellingham to use Reed’s personal data to market services to Reed.

While Reed’s email address could be obtained from Reed’s LinkedIn account, which is a public source, Bellingham conceded that he obtained Reed’s name in the course of his work with his former employers and that he would not have been able to find Reed’s email without the unlawful use of Reed’s name. The Court also found that Bellingham had become aware of Reed’s investment in the fund through his former employers – this was considered personal data since it identified Reed.

The Court, however, found that there was no “loss or damage” to trigger Reed’s right to an action for relief in civil proceedings. The Court found that distress and loss of control over personal data would not constitute “loss or damage” as required under the relevant statutory provision. In this regard, the Court reviewed the Minister’s statements in Parliament during the introduction of the Personal Data Protection Bill and found that express omission of references to any form of emotional harm or loss of control over personal data must mean that the intention was to exclude them from statutory relief.

There was also cognizance that the position in Singapore differs from the positions in other jurisdictions such as Canada, New Zealand, Hong Kong, the EU and the UK, where the data protection frameworks were driven primarily by the need to recognise the right to privacy. In contrast, the purpose of the PDPA was as much to enhance Singapore’s competitiveness and to strengthen Singapore’s position as a trust business hub as it was to safeguard individuals’ personal data against misuse.

The Court, therefore, found that “loss or damage” under the PDPA giving rise to a private right of action must refer only to the heads of loss or damage applicable to torts under common law.

It was not disputed that Reed had not suffered any financial loss, psychiatric injury or nervous shock as a result of Bellingham’s contraventions of the PDPA, and there was no evidence that Reed suffered distress. On this basis, Reed’s claim was not allowed.

The Court did, however, hold that Reed was not completely without remedy. The PDPC could enforce Bellingham’s obligations under the PDPA in respect of Reed’s personal data. Among others, the PDPC could direct a party to stop collecting, using or disclosing personal data in contravention of the Act and/or destroy all personal data collected in contravention of the Act, which would achieve the same objective as the injunction order sought by Reed in this case.

Comments

This decision will not be the final word on the right of private action under the PDPA. Reed has been granted leave to appeal on the basis that there is a question of general principle to be decided for the first time, and the question is one of importance upon which a decision of the Singapore Court of Appeal would be to public advantage.

Further, it is not certain whether the same interpretation of “loss or damage” will be applicable to a private action brought under the PDPA after amendments in 2021. Although the same terminology of “loss or damage” has been imported into the new s 48O of the PDPA, the grounds for which a private action may be brought have also been expanded to include situations where:

1. An individual whose phone number is listed on the Do Not Call Register receives an advertising or promotional message; or
   

    

2. An individual whose phone number has been generated or obtained through the use of a dictionary attack or address-harvesting software receives an advertising or promotional message.

In such situations, an individual is unlikely to be able to prove any pecuniary loss, damage to property or personal injury, which can be directly attributed to the mere nuisance value of an unsolicited message. To exclude emotional distress, loss of control of personal data or other non-tortious heads of damage from the scope of “loss or damage” could render the private right of action (at least for receipt of unsolicited messages) otiose.

Since the Singapore High Court had been careful to state upfront that the decision only applies to the PDPA as it stood in 2018, it remains to be seen whether “loss or damage” will be construed in the same narrow fashion for private actions brought post-2021.

==

The authors would like to thank Huang Xianxi for her contributions to this article.

This article is produced by our Singapore office, Bird & Bird ATMD LLP, and does not constitute legal advice. It is intended to provide general information only. Please contact our lawyers if you have any specific queries.