Private right of action under Singapore's Personal Data Protection Act

The Personal Data Protection Act (PDPA) provides that any person who has suffered loss or damage as a result of an organisation's  breach of certain provisions in the PDPA may take civil action against that organisation. However, the outcome of the recent case of Bellingham, Alex v Reed, Michael [2021] SGHC 125  (Bellingham)  seems to suggest that a person who seeks monetary relief is in no better position today than before the PDPA came into force.

In Bellingham, the High Court interpreted “loss or damage” in section 32 (now section 48O) of the PDPA. This article comments on the implications of the High Court’s interpretation of that provision, as well as the District Court’s interpretation of “person” in that provision. 

Bellingham v Reed  

The appellant, Alex Bellingham, managed an investment fund known as the Edinburgh Fund for his former employer. He later left to join a competitor in 2017. Subsequently, he contacted a few Edinburgh Fund investors, including the respondent, Michael Reed, about an upcoming investment opportunity. In his email to Reed, Bellingham revealed his knowledge of Reed’s then upcoming exit from the Edinburgh Fund. 

Reed notified the companies managing the Edinburgh Fund, who subsequently brought an action against Bellingham under s 32 of the PDPA and later joined Reed as plaintiffs.

The District Court, in IP Investment Management Pte Ltd and others v Alex Bellingham [2019] SGDC 207 (Bellingham (DC)),  held that the investment companies had no standing to bring the action. In the court's view, the right of private action conferred by section 32 was not intended to have been one that could be exercised by parties other than the data subject whose personal data had been collected and used in contravention of the PDPA's provisions (at [111]).  However, the court gave judgment in favour of Reed. Bellingham then appealed to the High Court. 

The High Court made three findings that:

• Bellingham had contravened section 13 of the PDPA by using Reed’s personal data – that is, his name, email address and the fact that he was an investor in the Edinburgh Fund – without his consent to market investment products. Given that this exceeded what a reasonable person would have considered appropriate, this was also a contravention of s 18 of the PDPA (at [39]);
• “loss or damage” under section 32(1) of the PDPA was limited to the heads of damage recognised under the common law, and excluded emotional distress or loss of control over personal data (at [93]); and
• Reed had failed to show that he suffered “loss or damage” within the meaning of section 32(1), and hence did not satisfy the requirements to have a right of private action under that provision (at [91]).

'Loss or damage' 

Of special significance is the second holding pertaining to the scope of the term “loss or damage” in section 32(1). The provision (as of the version of the PDPA in force in 2018) is:

The counsel for Reed argued that the requirement of “loss or damage” was met as he suffered emotional distress and loss of control over his personal data. Both these arguments were rejected by the court. 

Beginning with the latter, the court reasoned that, since there would inevitably be a loss of control over personal data in every data breach, to give a right of action in every case where a provision of the PDPA is contravened would render the additional requirement of “loss or damage” otiose (Bellingham at [46]).

Referring to the legislative history of the provision, the court concluded that the intention of the legislature was to exclude emotional harm from the scope of “loss or damage”. This was inferred from the fact that the drafters deliberately did not adopt any express reference to emotional harm as could be found in the relevant data protection laws of other jurisdictions (Bellingham at [56]).

As the court explained, there is a good reason for this difference. The positions in Canada, New Zealand, Hong Kong, the EU and the UK have been driven primarily by the need to recognise the right to privacy. By contrast, the purpose of the PDPA is not driven by any recognition of such a right but, as encapsulated in section 3, the need to take a balanced approach between the right of individuals to protect their personal data and the right for organisations to use such data in a manner that a reasonable person would consider appropriate (Bellingham at [74-75]). 

Finally, the court also reasoned that a narrow interpretation of “loss or damage” to only the heads of loss applicable under common law would best further the purpose of section 32(1) of the PDPA as a statutory tort.

The court’s interpretation 

The decision in Bellingham v Reed is consistent with the general position at common law that, for a statutory tort, the alleged breach of statutory duty must give rise to the kinds of damage generally remediable in tort, namely personal injury, damage to property, or economic loss (see Pickering v Liverpool Daily Post [1991] 2 AC 370 (HL)). The majority judges, Lord Hutton and Lord Millett, in Cullen v Chief Constable of the Royal Ulster Constabulary [2003] UKHL 39 agreed with the formulation in Pickering, although they recognised that, in that individual case, the legislature had intended to provide for redress against “substantial inconvenience, distress or other disadvantage”  resulting from the refusal of access to a solicitor.

Tort law currently does not recognise loss of control of personal data as an as actionable head of damage. Neither does it recognise emotional distress as an actionable head of damage, except for claims for distress in the tort of nuisance. 

However, should the law recognise such forms of damage, especially in light of recent amendments to the PDPA, which recognise that certain kinds of data breaches may result in, or are likely to result in, ''significant harm'' to the data subject (PDPA at section 26B)? 

New forms of 'actionable damage' 

Notwithstanding the holding in Bellingham, the types of damage actionable in tort is arguably not a closed list. The tort of negligence, for instance, initially protected against physical injury only, but has since grown to encompass claims for psychiatric harm, certain types of economic loss and, more recently, after the Singapore Court of Appeal decision of ACB v Thomson Medical Pte Ltd [2017] SGCA 20 (ACB), the “loss of genetic affinity”.

Briefly, ACB involved a fertility clinic which negligently carried out in-vitro fertilization (IVF) procedures. This resulted in the appellant conceiving a baby that did not share genetic affinity with her husband. For the first time, the court recognised the interest of IVF treatment patients in maintaining the integrity of their reproductive plans in the sense of preserving the “affinity” of their offspring with their partners. 

Notably, the court in ACB observed that: “… [t]he list of legally cognisable injuries has evolved with time because the world has changed, and the law must… 'adapt itself to the changing circumstances of life' (ACB at [2])”. 

ACB demonstrates that novel types of harm may emerge with advancements in technology and that tort law will have to evolve to recognise and protect persons from these emerging forms of harm.

The same considerations are particularly apposite in the context of data protection. Thus, in addition to finding that emotional distress or loss of control over personal data are not heads of damage recognised under common law, the court in Bellingham could perhaps have taken a further step to examine why emotional distress and loss of control over personal data did not justify expanding the closed list of the recognized heads of damage. 

Emerging forms of harm 

There are arguably many ways in which an individual may suffer harm as a result of a data breach. The Personal Data Protection Commission (PDPC) has pointed out in its "Guide on Managing and Notifying Data Breaches under the Personal Data Protection Act"  that data breaches may result in harm to physical safety, psychological or emotional harm, discrimination, identity theft or fraud, loss of business or employment opportunities, significant financial loss, and damage to reputation or relationships. 

Recognising that the unauthorised exposure of certain types of personal data may cause harm to an individual, the PDPA was amended to introduce provisions to manage the aftermath of data breaches. These amendments (which came into effect on 1 February 2021) include new provisions pertaining to the obligation of an organization to notify data subjects in the event of a data breach. 

Section 26B(1) of the amended Act provides that where the data breach results in, or is likely to result in “significant harm” to an affected individual, the data breach is a notifiable data breach. 

In section 26B(2), a data breach is deemed to result in significant harm to an individual if the breach is in relation to any prescribed personal data or class of personal data relating to the individual. The subsidiary legislation, Personal Data Protection (Notification of Data Breaches) Regulations 2021 at Section 3(1), prescribes certain categories of data in respect of which a data breach is deemed to result in significant harm, including:

• The individual’s full name, NRIC, and any of the personal data or classes of personal data set out in Part 1 of the Schedule, subject to Part 2 of the Schedule; and 
• Data relating to an individual’s account with an organization that relates to the individual's account identifier (e.g. account name) and password.

Expansion of actionable-damage categories

Is there a case for the expansion of the categories of actionable damage?  Conceivably, the purpose of the new mandatory notification provision is to allow affected individuals who have had their personal data leaked to take swift action to change passwords and secure their accounts in order to prevent further consequential damage. This reflects a concern for protecting individuals from harm that may result from data breaches. 

Given the recognition in the PDPA that certain kinds of data breaches may result in, or are likely to result in ''significant harm'', there seems to be a better case now for allowing individuals to claim monetary relief if they have suffered emotional distress and loss of control over personal data in data breaches deemed to result in significant harm. This may be achieved by either recognising emotional distress and loss of control as actionable heads of damage or, alternatively, by treating "significant harm" as a statutory head of damage peculiar to a cause of action under the PDPA.

Measure of damages for 'significant harm'

If the categories of recognised damage are expanded to include significant harm as a new head or category of damage, a complex question arises as to whether damages for significant harm should be general or special damages, or both. 

Under the former, there would be little precedent to assist in quantification. Damages awardable could depend on the categories of personal data leaked. However, this leads to another difficult question of whether it is possible to assign values to each category of personal data that may cause significant harm if leaked. 

The alternative would be to classify significant harm as special damages, and require that the individual prove the monetary loss. For example, where the leak of an individual’s bank details leads to financial loss, the individual will be required to quantify his pecuniary losses. 

However, such an approach would arguably render the widening of the scope of “loss or damage” nugatory, since the end result would be return to the requirement that the data subject must prove that he suffered some form of quantifiable loss, which does not recognize that the types of “significant harm” may be open-ended and impossible to financially quantify at law. 

A possible solution would be to allow claims for both types of damages – to award a flat rate of compensation for breaches of personal data (which may scale up depending on several factors – for instance, whether the data breach involved financial information or health information that may cause greater loss), but to allow the individual to claim further special damages if such losses can be quantified. 

Interpretation of 'person'

The District Court in Bellingham (DC) (at [74]) held that the right of private action in section 32 may only be exercised by the data subject. 

The court arrived at this interpretation after examining the context in which section 32 was promulgated. It considered that the approach in the PDPA is prophylactic rather than remedial in nature (Bellingham (DC) at [74]) and opined that Parliament could not have intended for section 32 to be extended to organisations. In the court's view, this would allow organisations to use section 32 as a substitute for contractual or other arrangements that they would otherwise be expected to put in place to protect personal data in their possession, which would undermine the aim of the PDPA to regulate the proper management of data (Bellingham (DC) at [86]). 

Furthermore, given that one of the purposes of promulgating the PDPA was to bring Singapore law in line with that of other jurisdictions, the fact that laws in other jurisdictions confine the right of private action to data subjects militated against a construction of section 32 that would allow any party to bring an action (see Bellingham (DC) at [97-98]). 

While the court’s inference of legislative intent is reasoned, the court could arguably have arrived at a different conclusion. 

Section 32 of the PDPA confers the right of private action on a “person”. Although the PDPA does not define “person”, the term is defined in the Interpretation Act, and includes "any company or association or body of persons, corporate or unincorporated". By contrast, under the PDPA, it is the word “individual” which is defined instead, and refers to “a natural person, whether living or deceased”.

Had the legislature intended to allow only the data subject to bring a private action, it could have used the term “individual” in section 32 instead. The PDPA is clear that “individual” refers to the data subject, given that “personal data” is defined as data about an individual who can be identified from that data (see PDPA at section 2) and Parts IV, V, VI and VIA all include provisions aimed at the protection of the data of the “individual”. 

The use of “person” in section 32 might suggest that the intended scope of the right of private action was not intended to be restricted to data subjects. After all, on the face of it, "person" is a concept wide enough to encompass both "individual" and "organization" within PDPA.

Osborne Clarke comment

The High Court in Bellingham granted Reed leave to appeal against the decision to the Court of Appeal. 

The comments raised in this article may ultimately have no bearing on the appeal, since the provisions pertaining to “significant harm” were not yet introduced when the incident in Bellingham took place and the parties did not appeal on the point of the interpretation of “person”.

Nonetheless, the Court of Appeal’s decision is expected to have significant implications on the rights to redress of data subjects and the consequential compliance costs for organizations under the PDPA.