What to do if My Personal Data is Misused?

Today, we are living in what has been commonly (and aptly) termed the “digital age”, a time when digital technologies drive rapid technological change. In the blink of an eye, our personal data has become one of the most valuable commodities for businesses.

From social media to sign-up forms to website cookies, our personal data is constantly being collected and used. But what happens if we discover or feel that our personal data is being misused?

This article seeks to provide some clarity on what you can / should do in such situations.

What Information is Protected?

The first step is to determine whether the data that is allegedly misused by an organisation is data that is protected under Singapore law.

The key legislation is the Personal Data Protection Act 2012 (“PDPA”), which governs the protection of personal data in Singapore. “Personal Data” refers to data about an individual or data from which an individual can be identified, regardless of whether such data is true or accurate, or whether it exists in electronic or other form. Accordingly, most kinds of personal data that can personally identify you or provide information about you (e.g., contact details) will constitute personal data that is protected.

However, one exception to note is that business contact information is NOT protected under the PDPA. This refers to information such as an individual’s name, title, business number, business address or other similar information, not provided by the individual solely for his or her personal purposes.

What Steps Can Be Taken If You Suspect a PDPA Breach?

The following are some of the steps you can consider taking if you suspect that your personal data has been / is being misused:

Step 1: Contact the Organisation Directly

In most cases, it may be helpful to first reach out directly to the organisation to enquire about the alleged breach. This will both allow you to understand that organisation’s position (if any), and also provide you with an opportunity to request or instruct them to cease the relevant activities in an amicable manner.

Step 2: File Complaint with the Personal Data Protection Commission (“PDPC”)

You may also choose to file a complaint with the PDPC. Typically, the PDPC will open an investigation into the matter and contact the organisation to find out more information.

Step 3: Lodge Police Report

In certain circumstances, you may also wish to consider filing a police report. For instance, if you suspect that your personal data has been illegally accessed as a result of a computer hacking incident, cybersecurity breach or some other incident of that nature, then it may be possible that an offence under the Computer Misuse Act has been committed. The police may then conduct an investigation into the matter based on the evidence you have provided that suggests the commission of such an offence.

Step 4: Commence Civil Proceedings

In more severe cases, and where an organisation has been found to have breached the PDPA, you may further consider commencing civil proceedings against the organisation for compensation.

There are 2 main possible legal grounds which you may consider:

1. Right of Private Action (e.g., emotional distress)

Under Section 48O of the PDPA, any person who suffers loss or damage directly as a result of a contravention by an organisation of any provision of Part 4, 5, 6, 6A or 6B, has a right of action for relief in civil proceedings in a court.

Notably, the scope of ‘loss or damage’ under Section 48O includes emotional distress (Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60).

While feelings of anxiety or helplessness arising from an organisation’s breach of the PDPA (e.g., unauthorised disclosure to the public) may be sufficient to qualify as emotional distress, not every hint of negative emotions will constitute emotional distress for the purpose of Section 48O. Some of the non-exhaustive considerations are:

(a) Nature of personal data involved in breach;

(b) Nature of breach (e.g., one-off, repeated or continuing);

(c) Nature of defendant’s conduct;

(d) Risk of future breaches causing emotional distress; or

(e) Actual impact of the breach on the claimant.

Ultimately, it is a fact-sensitive inquiry and the courts will adopt a multi-factorial approach.

2. Breach of Contract

The victim of a data breach may, in some cases, be entitled to damages for any breach of a contract with the breaching organisation. For instance, a cloud service provider’s terms and conditions may provide that it would implement and maintain reasonable / appropriate technical, organisational and physical measures to protect personal data. It may be possible for an individual to bring a claim against the organisation for a breach of this term.

This article seeks to briefly introduce the recourse individuals may have in the event of a data breach in Singapore in a summarized and engaging manner and should not be construed as legal advice in any form or manner. For more information on this matter, please feel free to contact Ms Jennifer Chih and Ms Maria Chang.