Singapore Court of Appeal clarifies scope of private right to claim loss or damage under the PDPA

Singapore

This article is produced by CMS Holborn Asia, a Formal Law Alliance between CMS Singapore and Holborn Law LLC.

In Reed, Michael v Bellingham, Alex (Attorney-General, Intervener) [2022] SGCA 60, the Singapore Court of Appeal (“the CA”) was asked to interpret and clarify the scope of several key provisions of the Personal Protection Data Act 2012 (the “PDPA”), including to determine what constitutes ‘loss or damage’ under Section 32(1) (now Section 48O) of the PDPA.

Background

The respondent, Alex Bellingham, was initially employed by IP Real Estate Investments Pte Ltd (“IPRE”). In 2016, the respondent was seconded to a related company, IP Investment Management (HK) Ltd (“IPIM HK”), where he took charge of and managed an investment fund known as the “Edinburgh Fund”, an investment fund set up by IPIM HK and IP Investment Management Pte Ltd (“IPIM”). In January 2017, the respondent left his employment with IPRE to join a competitor company, Q Investment Partners Pte Ltd (“QIP”).

In August 2018, the respondent contacted some investors in the Edinburgh Fund, including the appellant, Michael Reed. The respondent sent an email to the appellant demonstrating that he knew the appellant’s name, personal email address, and the appellant’s investment activity in the Edinburgh Fund (collectively, “the Personal Data”).

IPIM and IPRE commenced a private action before the State Courts on 1 October 2018 under Section 32 of the PDPA against the respondent. The appellant subsequently joined the action as an additional plaintiff in 2019. While relief was denied for IPIM and IPRE, the appellant was granted: (a) an injunction restraining the respondent from using, disclosing or communicating the appellant’s personal data (“the Injunction”); and (b) an order that the respondent undertakes to destroy the appellant’s personal data that was in his possession (“the Undertaking Order”).

The respondent filed an appeal with the High Court, which allowed the appeal and held that the appellant had not suffered any “loss or damage” within the meaning of Section 32. In setting aside the earlier decision, the judge held that neither the loss of control of personal data nor the emotional distress pleaded by the appellant were types of losses recognised under Section 32.

The appellant appealed against the High Court’s decision. Three (3) main issues were before the CA.

Issue 1: Whether Section 4(1)(b) of the PDPA exempts the respondent from liability under the PDPA

While neither party is challenging the finding that Sections 13 and 18 of the PDPA were breached, the CA rejected the respondent’s argument that these sections applied only to “organisations” and not to him as an “individual”, pointing out that the definition of an “organisation” under the PDPA expressly includes an individual. As such, individuals who seek to avoid an obligation under the PDPA are to satisfy the requirement of the relevant limbs under Section 4 of the PDPA.

The CA focused on Section 4(1)(b) where the respondent must prove on the balance of probabilities that he was “acting in the course of his employment with an organisation” when the breaches occurred.

First, evidence needs to be adduced of what was done, what the employer required the employee to do, and, where appropriate, whether the employee deliberately evaded practices set up by the employer to deter such actions. After which, the CA can decide whether such action can be attributed to the employee’s employment, or if he was “off on a frolic of his own”.

The CA held that while the personal data was collected in the course of the respondent’s employment with IPRE, the respondent had misused such personal data after the respondent joined QIP. It was insufficient to prove that the breaches occurred in the course of the respondent’s employment and for the purposes of his employment rather than otherwise. The respondent therefore could not rely on Section 4(1)(b) to exempt him from liability for breaching the relevant sections of the PDPA.

Common law principles of vicarious liability should not be imported into Section 4(1)(b)

The CA also held that common law principles of vicarious liability should not be imported into Section 4(1)(b) of the PDPA. The CA held that – (1) the doctrine of vicarious liability, where an employee is not relieved of primary liability even when the law imposes secondary liability onto an employer, is incompatible with the effect of Section 4(1)(b), which is to exempt an employee acting in the course of employment from any obligation (and hence liability thereunder) under the PDPA, and (2) whereas the imposition of vicarious liability is strict, an employer’s liability under the PDPA is fault based.

Issue 2: Whether “loss or damage” includes emotional distress or the loss of personal data

Differentiating a statutory tort from a common law tort of breach of statutory duty

The CA provided guidance on differentiating a statutory tort from the common law tort of breach of statutory duty. In particular, a common law tort of breach of statutory duty allows a person injured by the breach to sue, even if a statute is silent as to whether a statutory duty gives rise to civil liability. The scope of the right of action is determined by common law, where the statute only provides the content of the duty.

Unlike the common law tort, where the statute creates the duty expressly that provides a civil right of action, the scope of that right of action is to be determined first and foremost by the principles of statutory construction. As Section 32 is a statutory tort, whether the common law conceptions of actionable loss or damage are adopted will depend on the application of the principles of statutory construction.

Statutory Construction

The CA had to first ascertain the possible interpretations of the provision, having regard not just to the text of the provision but also to the context of that provision within the written law as a whole. The CA found that Parliament had intended to displace the starting position at common law that emotional distress is not actionable, as the PDPA does not expressly exclude emotional distress as a type of damage covered by “loss or damage”. The only control mechanism expressed is the direct causation requirement (i.e. “directly as a result of a contravention”) (“direct causal requirement”). Further, there are no contextual indicators that weigh against including emotional distress, and in fact, the statutory scheme appears designed to allow an aggrieved individual to choose how the breach should be dealt with (“de minimis principle”).

Dealing with the argument that Parliament’s intention is to strike a balance instead of allowing any minor or technical breach to expose organisations to frivolous lawsuits, the CA held that such a concern is overstated as a strict causal link is prescribed. In response to the floodgates argument, the CA held that the principle that there is no legal recourse for minimal loss would apply even if emotional distress is an actionable head of loss. Trivial annoyance or negative emotions which form part of the vicissitudes of life will not be actionable.

Finally, the CA held that “loss or damage” should include emotional distress as it better promotes the general and specific purposes of the PDPA:

  1. the relevant Parliamentary debates indicate that there was no intention to fetter the meaning of “loss or damage”;
  2. such interpretation better promotes the general purpose, i.e. to provide robust protection for personal data belonging to individuals, and the specific purpose of the PDPA, i.e. to be effective in guarding the right of individuals to protect their personal data;
  3. the floodgates argument is met as there are control mechanisms, i.e. the direct causal requirement and the de minimis principle will keep the scope of Section 32(1) within reasonable bounds, and the imposition of cost orders will discourage individuals from making frivolous claims for emotional distress;
  4. the foreign legislation cited did not displace the interpretation that “loss or damage” should include emotional distress.

Loss of control

The CA rejected the argument that a loss of control of personal data is another head of “loss or damage” recognised under Section 32(1). As every contravention of Parts IV to VI of the PDPA inevitably involves some loss of control over personal data, interpreting loss of control as a head of “loss or damage” would render the “loss or damage” tautologous or unnecessary, as every breach will inevitably give rise to “loss or damage”.

Issue 3: Whether the appellant actually suffered emotional distress

While whether emotional distress is proved will turn on the circumstances of the particular case, the CA considered that such a test should not be a fully objective one. The inquiry must be anchored on whether the individual before the CA subjectively suffered emotional distress because remedies are awarded to compensate the person aggrieved or to ameliorate the injury. However, the CA may consider how a reasonable person would have reacted in the relevant circumstances as an evidential tool to assess the individual claimant’s subjective state of mind. Greater weight would be attached to objective indicia of emotional distress rather than bald assertions. The following non-exhaustive considerations will guide the Court’s inquiry:

  1. the nature of the personal data involved in the breach: for e.g., financial data is likely to be sensitive.
  2. the nature of the breach: e.g., whether the breach of the PDPA was one-off, repeated and/or continuing.
  3. the nature of the defendant’s conduct: for e.g., proof of fraudulent or malicious intent may support an inference that the plaintiff was more severely affected. Further, if the claimant reasonably seeks an undertaking from the defendant not to misuse his or her personal data, but the defendant unreasonably refuses, this is a weighty factor in favour of the existence of emotional distress.
  4. the risk of future breaches of the PDPA causing emotional distress to the claimant.
  5. the actual impact of the breach on the claimant.

Negative emotions that should be tolerated as part of the ordinary vicissitudes of life do not amount to emotional distress.

Applying the above, the CA found that the appellant had suffered “loss or damage” within the meaning of Section 32(1) directly resulting from the respondent’s breaches of Sections 13 and 18:

  1. while the appellant’s responses to the respondent’s emails seemed restrained, the appellant’s and respondent’s conduct over the entire episode has to be taken into account. In particular, the unreasonable refusal to give the appellant an undertaking not to use the Personal Data in the future tips the scales in the appellant’s favour of finding emotional distress;
  2. the nature of personal investments (which the CA found would likely draw scrutiny from prying eyes, taking into account the appellant’s business standing) would have elevated the appellant’s distress;
  3. it was reasonable that the appellant perceived a real prospect of future misuse of the Personal Data at the time the initial suit was commenced, since the respondent refused to offer any assurances that the Personal Data would be protected and would not be spread to third parties; and
  4. the respondent was evasive when confronted about the use of the Personal Data and dismissive of the appellant’s concerns about the safety of the Personal Data.

Conclusion

This judgment is significant in that it explores various underlying issues surrounding the application of Section 32(1) (now Section 48O) of the PDPA.

While emotional distress may fall within the scope of “loss or damage” under the PDPA, trivial annoyance or negative emotions forming part of the vicissitudes of life remains unactionable.

To reduce the risk of claims, organisations (or individuals, as seen in this case) should take reasonable steps to ensure that the affected individual does not suffer emotional distress, including by providing easy access to care or support helplines, information on the breach, how the organisation is taking steps to prevent such breach(es) from happening, and steps that the affected individual can take to protect him or herself from potential harm.

Article co-authored by Jun Han Png, Trainee at CMS Holborn Asia