In the landmark case of Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60, the Singapore Court of Appeal (CA) clarified what type of ‘loss and damage’ would be sufficient to support a private action brought by an aggrieved individual under section 32 (now section 48O) (s32) of the Personal Data Protection Act 2012 (PDPA).  The CA also ruled on whether individuals must comply with the PDPA’s data protection obligations and whether employers are vicariously liable for their employees’ PDPA breaches.

Brief Facts of the Case

Mr. Alex Bellingham (AB) had contacted Mr. Michael Reed (MR) through the latter’s personal email address to offer investment opportunities.  In that email, AB specifically referred to MR’s investment activity with IP Investment Management Pte Ltd (IPIM), which is in the business of managing funds.  AB was previously employed by IPIM but subsequently transferred to IPIM’s competitor.

MR later filed a private action against AB under s32, which entitles “any person who suffers loss or damage” as a result of a breach of certain PDPA provisions to “have a right of action for relief in civil proceedings in a court”.  The District Court granted an injunction against AB pursuant to s32 and ordered AB to destroy MR’s personal data in AB’s possession.

AB filed an appeal to the High Court, questioning whether MR had suffered any actionable ‘loss or damage’ within the meaning of s32.  Although the High Court found that AB breached the PDPA, it ruled that emotional distress and loss of control over personal data are not actionable losses under s32 because under common law, ‘loss’ refers to pecuniary loss, damage to property or personal injury (e.g., psychiatric illness).  In addition, the High Court stated that, even assuming emotional distress is actionable, MR did not suffer any emotional distress.

Emotional Distress is Actionable ‘Loss or Damage’ under s32, But Loss of Control Over Personal Data is Not

On MR’s appeal, the CA rejected the High Court’s application of common law principles of loss to s32 because s32 is a statutory tort – that is, it grants a right of action based on a statute. Accordingly, the interpretation of the scope of that right should be determined by the principles of statutory construction, not by applying common law principles.

Accordingly, applying statutory construction principles, the CA ruled that emotional distress is an actionable loss under s32 because:

• The PDPA drafters could have excluded certain types of ‘loss or damage’ from s32, but the plain language ofs32 does not exclude emotional distress as a type of ‘loss or damage’.
• Excluding emotional distress as an actionable loss under s32 would negate the PDPA’s purpose and the Singapore Parliament’s intention of enabling individuals to protect their personal data, particularly because it would not be uncommon for emotional distress to be the only loss or damage caused to an individual whose personal data is misused.  In fact, s32 provides for injunctive and declaratory relief as a remedy, indicating that loss or damage caused by a PDPA breach may not be easily quantified or compensated with damages.
• The fact that an aggrieved individual may also seek relief by filing a complaint with the Personal Data Protection Commission (PDPC) (in addition to filing an action under s32) and the PDPC’s powers under section 29 (now sections 48I and 48J) of the PDPA are broad enough to provide protection to aggrieved individuals does not justify a narrower interpretation of ‘loss or damage’ under s32.

On the other hand, the CA found that loss of control of personal data is not a type of ‘loss or damage’ contemplated under s32 because any breach of the PDPA data protection provisions always involves some kind of loss of control over personal data.  In other words, a breach of a PDPA data protection provision will only be actionable under s32 if, in addition to the breach itself, there was a loss or damage caused to the aggrieved individual.

What Constitutes an Actionable Emotional Distress under s32

For emotional distress to be actionable under s32, it must be suffered directly as a result of the PDPA breach and it must not be a “trivial annoyance or negative emotion” forming part of ordinary life.

While the CA refused to define what constitutes emotional distress for the purpose of justifying an s32 action, it noted that courts should consider the following factors, among others, to determine if an individual has suffered an actionable emotional distress:

• the nature of the personal data involved in the PDPA breach (e.g., if it included sensitive data);
• whether the PDPA breach was one-off, recurring or continuing;
• whether the PDPA breach was accidental, or fraudulent or malicious;
• whether the offender unreasonably refuses to undertake not to misuse the aggrieved individual’s personal data;
• the risk of future PDPA breaches causing emotional distress to the aggrieved individual; and
• the actual impact of the PDPA breach on the aggrieved individual.

In this case, the CA found that MR suffered emotional distress taking into account the sensitive nature of the personal data (i.e., financial data) involved in AB’s breach, AB’s failure to provide an undertaking not to misuse MR’s personal data, AB’s dismissive attitude towards MR’s concerns regarding his personal data and the prospect of AB’s future misuse of MR’s personal data.

PDPA Obligations Apply to Individuals, Not Subject to the Doctrine of Vicarious Liability

The CA also confirmed that in general, individuals must also comply with the PDPA data protection provisions, which impose obligations on organisations when collecting and processing personal data. This is because the PDPA defines ‘organisation’ as including ‘any individual’.  Accordingly, the PDPA data protection obligations apply to individuals.

Furthermore, while section 4(1) of the PDPA (s4(1)) specifically provides that the data protection provisions do not apply to, among others, employees acting in the course of their employment with an organisation, it is the party accused of breaching the PDPA (in this case, AB) who has the burden of proving that the exception under s4(1) applies to them.  In this instance, evidence in support of the application of the s4(1) exception was not presented.

Finally, the CA noted that the doctrine of vicarious liability does not apply to s4(1).  Under that doctrine, an employee remains primarily liable for their own misdeed and the employer becomes secondarily liable even if there is no fault on the employer’s part (e.g., the employer was not negligent). However, the CA found that an employer’s liability under the PDPA is fault-based and the effect of s4(1) is to relieve an erring employee from liability for breaches carried out in the course of their employment, rather than to impose primary liability.

Key Takeaway

The CA’s ruling is significant in not only providing more protection to aggrieved individuals and setting out key factors in determining what constitutes an actionable emotional distress for purposes of s32 suits, but also for clarifying that employers’ liability under the PDPA is fault-based and that individual scan also be held liable for breaching the PDPA.

Given that the PDPA is fault-based, organisations should ensure that they comply with the PDPA when handling personal data, such as by having appropriate data protection policies, practices and protections in place and instilling a culture of data protection compliance among its employees.

For More Information 

OrionW regularly advises clients on data protection matters. For more information about how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.