Singapore Court of Appeal’s clarification on scope of private actions under the Personal Data Protection Act: implications for organisations that suffer data breaches

The Singapore Court of Appeal’s recent decision in Reed, Michael v Bellingham, Alex (AG, intervener) [2022] 2 SLR 1156 (“Reed v Bellingham”) clarifies the ambit of the right of private action under Section 32 (now Section 48O) of the Singapore Personal Data Protection Act 2012 (“PDPA”). This can potentially increase the risk of litigation for organisations that suffer data breaches in the future.

Under the Singapore Personal Data Protection Act 2012, individuals have the right to bring a private legal action against an organisation for any contravention of the PDPA provisions if they suffered any loss or damage as a result of a breach of those. Individuals can claim relief by way of an injunction or declaration, or compensation for any damages suffered. The Court of Appeal in Reed v Bellingham has clarified that the pre-requisite of “loss or damage” can include emotional distress. 

Background

Alex Bellingham, a marketing consultant, used personal data collected by his former employers to present new investment opportunities to Michael Reed under his new employment. This prompted Mr Reed to question how Mr Bellingham was able to obtain such information, and Mr Reed subsequently joined Mr Bellingham’s former employers in an application for an injunction under the PDPA to restrain Mr Bellingham from using, disclosing or communicating to any person any personal data of Reed.
The High Court found that although Mr Bellingham had breached the PDPA, Mr Reed was not entitled to injunctive relief for mere distress and loss of control over personal data. The High Court found that Mr Reed had not suffered any loss or damage, which would entitle him to pursue a private action under s 32(1) of the PDPA (as it stood in 2018), and that such “loss or damage” must refer only to the heads of loss or damage applicable to torts under common law. Mr Reed applied and was granted leave to appeal against the High Court’s decision to the Court of Appeal. 

Court of Appeal's decision

On appeal, having established that Mr Bellingham had breached Section 13 (i.e., consent required for collection, use or disclosure of personal data) and Section 18 (i.e., limitation of purpose and extent of collection, use or disclosure of personal data) of the PDPA, the Court of Appeal had to consider whether the phrase “loss or damage” under Section 32(1) includes emotional distress.
Taking into account Parliament’s intention behind the remedial options in the PDPA (including the right of private action) to “enable victims to obtain effective remedies for misuse of their personal data”, the Court of Appeal found that a wider, purposive interpretation should be adopted for the section and emotional distress ought to be an actionable loss or damage under the PDPA. 
On whether this decision would open the floodgates of private actions by aggrieved individuals, the Court of Appeal did highlight that there were control mechanisms in place in that the loss or damage must have been suffered directly as a result of the breach, and there is no recourse for minimal loss such as “trivial annoyance or negative emotions”.  
The Court of Appeal provided the following non-exhaustive considerations to guide courts in the ultimately fact-sensitive enquiry into whether a claim of emotional distress can be established:

• The nature of the personal data involved in the breach (e.g., financial data is likely to be deemed sensitive data for instance).
• The nature of the breach (e.g., whether it was a one-off occurrence, repeated or continuing).
• The nature of the defendant’s conduct (e.g., whether there was proof of fraudulent or malicious intent).
• Risk of further breaches of the PDPA causing emotional distress to the claimant.
• Actual impact of the breach on the claimant. 

In this case, considering Mr Bellingham’s conduct over the entire episode, including his evasive and cavalier response to Mr Reed, the Court of Appeal was satisfied that Mr Reed had indeed been “perturbed” and experienced emotional distress, and that it was directly caused by Mr Bellingham’s breaches of the PDPA.
On this basis, the Court of Appeal restored the District Court’s first instance decision to grant an injunction restraining Mr Bellingham from using, disclosing or communicating Mr Reed’s personal data and an order to destroy Mr Reed’s personal data that was in Mr Bellingham’s possession.

Our comments

The Court of Appeal’s decision in Reed v Bellingham highlights the multifarious legal risks that companies might face following a data breach. In addition to the risk of affected individuals filing complaints with the Personal Data Protection Commission, which could trigger regulatory investigations, impacted individuals can now also separately and in addition, bring private actions against companies for compensation for damages resulting from emotional distress caused by any beach of the PDPA. 
Companies must, therefore, as a matter of priority, take a more comprehensive approach to data protection to mitigate the potential legal fallout from such. Companies should actively review their existing data protection policies and practices and ensure compliance with the PDPA. It would also be prudent for companies to review their employment contracts and implement control measures to prevent unauthorised migration of personal data by departing employees.  
In the unfortunate event of a data breach, companies should be mindful of the above-mentioned litigation risks and work with legal advisors on a proactive and considered approach in engaging and communicating with impacted individuals (especially where sensitive data has been impacted such as salary information or medical information) to mitigate such risks.