Case Note on Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60
By Edison Lee, Ang Wei Siong and Ronald JJ Wong
BACKGROUND
By way of background, IP Investment Management Pte Ltd ("IPIM") and IP Real Estate Investments Pte Ltd ("IPRE") are connected companies engaging in the business of fund management. With IP Investment Management (HK) Ltd ("IPIM HK"), IPIM and IPRE form part of a group referred to as IP Global.
The Respondent, Alex Bellingham ("Respondent") was employed as a marketing consultant at IPRE, where he later rose to the position of director before being seconded to IPIM HK. The Respondent's role at IPIM HK included the management of a fund scheduled to terminate in the latter half of 2018, i.e., the Edinburgh Fund. The investors had disclosed their personal data in confidence to the corporate entities managing and overseeing their investments, i.e. IPIM and IPIM HK.
The Respondent left IPRE and was later employed as "Head of Fund Raising" at a competing corporation, Q Investment Partners Pte Ltd ("QIP"). Following the termination of the Edinburgh Fund, the Respondent reached out to some investors in the Edinburgh Fund by email, including, the Appellant, Michael Reed ("Appellant") in an attempt to introduce potential investment opportunities with QIP.
In the Respondent's email to the Appellant, the Respondent referred to the Appellant's impending exit from the Edinburgh Fund, which drew the Appellant's concerns as to how the Respondent had knowledge of his name, personal email address, as well as his investment activity in the Edinburgh Fund.
The case was heard in the District Court, where the Appellant successfully obtained an injunction to restrain the Respondent from using or disclosing his personal data, and an order that the Respondent undertakes to destroy his personal data. However, the High Court on appeal set aside the District Court's orders as it found that the Appellant did not suffer any "loss or damage" necessary for him to bring a private action for breach of the Personal Data Protection Act 2012 ("PDPA"). The High Court held that neither emotional distress nor loss of control of personal data were types of "loss or damage" recognised under the PDPA. The Appellant appealed to the Court of Appeal.
HOLDINGS AND ANALYSIS
1. Exemption of Obligation under s 4(1) of the PDPA
Scope of Obligation under the PDPA
The Respondent argued that s 13 and s 18 of the PDPA does not impose obligations on individuals but on organisations. As such, he could not have breached those provisions.
The Court rejected this argument at [38]. The term "organisation" is defined in the PDPA to include an "individual". Further, the argument is a non-sequitur as it would be repugnant to one of the aims of the PDPA if other individuals could collect, use, and disclose personal data of others with impunity: [39].
Instead, individuals can only avoid PDPA obligations by satisfying the requirements of any of the four limbs prescribed under s 4 of the PDPA: [40].
Meaning of s 4(1)(b) of the PDPA
(a) Nature of s 4(1)(b) of the PDPA
The Court considered that s 4(1) is intended to be a defence for a party accused of breaching the PDPA: [42]. The burden of proving the defence lies on the defendant.
In this case, for the Respondent to succeed in a defence under s 4(1)(b), he would have to prove he was: (a) an employee; and (b) acting in the course of his employment in committing the breach: [45].
(b) Importation of common law principles of vicarious liability
On this, the Attorney-General intervened and argued that common law principles on vicarious liability should be imported into s 4(1)(b). However, the Court rejected this argument.
The Court considered that s 4(1)(b)'s effect is to exempt the employee who is acting in the course of employment from any obligation under the PDPA and hence any liability thereunder. Only the employer remains subject to the obligations under the PDPA: [47].
On the other hand, the common law imposes secondary liability for a tort committed by an employee upon an employer even though the employer is not personally at fault; even if the employer is vicariously liable, the employee is not relieved of primary duty.
Further, vicarious liability is strict in that no fault on the employer's part is required, whereas the employer's liability under the PDPA is fault-based: [49].
(c) Respondent's inability to rely on s 4(1)(b)
The Court considered at [51] that the issue of whether an employee "acted in the course of his employment" or had instead gone "off on a frolic of his own" is a question of mixed fact and law. Evidence on the following as regards a particular action is required:
(a) what was done;
(b) what the employment required the employee to do; and
(c) in appropriate cases, whether the employee deliberately evaded practices set up by the employer to deter such action.
On the facts, the Respondent had failed to adduce sufficient evidence to rely on the defence: [52].
2. Scope of "loss and damage" under the PDPA
The Court then considered that to succeed in private action under s 32(1) of the PDPA (now, s 48O of the current version of the PDPA) ("PDPA private action"), the aggrieved party must establish that:
(1) they had suffered "loss and damage"; and
(2) there is a direct causal link between the "loss and damage" suffered and the contravention of the PDPA.
(a) Nature of the s 32 action
The Court considered that the PDPA private action is a statutory tort and not a tort of breach of statutory duty.
In the former, the scope of that right is to be determined by principles of statutory construction; common law principles are relevant only in so far as the rules of statutory construction permit. In the latter, the scope of right of action and its attendant requirements are determined by common law and the statute merely provides the content of the duty which is alleged to have been breached: [65].
Where a statute expressly provides a civil right of action for aggrieved parties, the juridical basis of the action is no longer the common law but the statute itself: [64]. A purposive approach is needed to interpret the statute to determine the scope of "loss and damage"; not common law principles.
(b) Statutory Construction (to include emotional distress)
(i) Emotional Distress
Under common law, it has been established that emotional or mental distress which falls short of a recognised psychiatric illness is not actionable.
However, the Court considered that: (1) there is nothing in the PDPA that expressly excludes emotional distress as a type of damage covered by "loss and damage" in s 32(1) (see [78]); and (2) there are no contextual indicators that weigh against an interpretation of the PDPA to include emotional distress as a type of loss or damage (see [79]).
Turning to the legislative purposes of the PDPA, the Court reviewed extraneous parliamentary materials and considered that the general purpose of the PDPA is to strike a balance between the interest of individuals in protecting their data and the economic interests that are served in an environment where data can be collected, used and disclosed (see [87]). The specific purpose of s 32 of the PDPA is to create a statutory tort and allow a right of private action on that basis (see [89]).
For completeness, the Court clarified that the inclusion of emotional distress as an ambit of "loss and damage" does not include trivial annoyance or negative emotions which form part of the vicissitudes of life (see [93]). There are control mechanisms to this head of loss, viz., (1) the strict direct causal requirement: "loss or damage must have been suffered directly as a result of a contravention of identified provisions in the PDPA" (see s 32(1) of the PDPA); and (2) the de minimis principle i.e. no action for minimal or insignificant loss.
Thus, the Court held that interpreting the PDPA to include emotional distress as a head of loss serves the general purpose of the PDPA and the specific purpose of s 32(1) of the PDPA (see [96]).
(ii) Loss of Control
The Court considered that loss of control of personal data is not a type of actionable loss under the PDPA (see [111]).
This is because every contravention of Parts IV to VI of the PDPA will inevitably involve some form of loss of control over personal data. Including this would render 32(1) tautologous.
3. Framework for ascertaining emotional distress
Whether emotional distress is established will turn on the circumstances of the particular case (see [115]).
The Court cautioned that the test is not a fully objective one. The individual must have subjectively suffered emotional distress. However, the court can direct its mind to how a reasonable person would have reacted in the relevant circumstances as an evidential tool to assess the individual claimant's subjective state of mind: [114].
However, negative emotions that should be tolerated as part of the ordinary vicissitudes of life does not amount to emotional distress (see [116]). As stated by G P Selvam J in Arul Chandran v Gartshore and others [2000] 1 SLR(R) 436 at [13]: "pure mental suffering without physical injury [is] an inevitable fact of interpersonal relationships in private and public life alike [...] people must learn to accept with a certain degree to stoicism the slings and arrows of this vale of tears".
The Court then laid out a few non-exhaustive considerations relevant to the inquiry:
(a) the nature of the personal data involved in the breach (see [115(a)]);
(b) the nature of breach (e.g., whether the breach of the PDPA was one-off, repeated and/or continuing) (see [115(b)]);
(c) the nature of the defendant's conduct (see [115(c)]);
(d) the risk of future breaches of the PDPA causing emotional distress to the claimant (see [115(d)]); and
(e) the actual impact of the breach on the claimant (see [115(e)]).
On the evidence, the Court accepted that the Appellant had indeed suffered emotional distress amounting to "loss or damage" within the meaning of s 32(1) of the PDPA directly resulting from the Respondent's breaches of s 13 and 18 of the PDPA (see [133]).
COMMENTS
In the current digital age, with the ease of access to voluminous personal data, the law must keep up to afford protections and rights regarding personal data and digital identity.
Cybercrime and data breaches are also increasing. About 33% of Singapore organisations suffered up to S$1.348 million in both direct and indirect damages owing to data breaches (2022, Singapore Business Review).
The legal development in this case is welcomed to allow individuals to take legal action to protect their personal data. This is especially in scenarios where the wrongdoer or associated organisation is unwilling to take corrective action.
That said, it does not necessarily follow that we will see a floodgate of private action from individuals for breaches of PDPA. In many instances, the cost-benefit analysis would tilt against prosecuting private action and the requisites for establishing that emotional distress is suffered and directly result from the PDPA breach are not a low bar.
This case also highlights that individuals such as employees of organisations should not think that they can get away with being flippant with personal data in their control or possession. Depending on the facts, it is plausible that an individual employee is sued for their PDPA violation, whether alongside or independent of their employer or organisation. On the other hand, organisations should ensure that their policies and procedures are robustly drafted and rigorously implemented to protect themselves from PDPA-related litigation and/or reputational damage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
