Emotional distress recognised as a form of “loss or damage” under Singapore’s Personal Data Protection Act

November 23, 2022

Singapore’s Personal Data Protection Act (“PDPA”) confers a right of private action on any person who suffers loss or damage directly as a result of the contravention of the PDPA. On 9 September 2022 in Reed, Michael v Bellingham, Alex [2022] SGCA 60, the Singapore Court of Appeal issued a ground-breaking decision that emotional distress, but not loss of control of personal data, is a form of “loss or damage”.

This is an important case for future litigants because of the guidance provided by Singapore’s highest court, on the kind of “loss or damage” an individual would need to prove to success in a private action under the PDPA.

Background

IP Investment Management Pte Ltd (“IPIM”) and IP Real Estate Investments Pte Ltd (“IPRE”) were connected companies in the business of managing funds. They and IP Investment Management (HK) Ltd (“IPIM HK”) were part of a group of companies.

Alex Bellingham was originally employed by IPRE as a marketing consultant, and then seconded to IPIM HK. His role included the management of an investment fund known as the “Edinburgh fund”.

Subsequently, Bellingham left IPRE and joined a competitor, Q Investment Partners Pte Ltd (“QIP”). He contacted some investors in the Edinburgh fund, including Michael Reed. He sent Reed an email at Reed’s personal e-mail address, referring to Reed’s upcoming exit from the Edinburgh Fund, and introduced investment opportunities with QIP. Bellingham had obtained Reed’s name in the course of his work with the employers, and Reed’s e-mail address from Reed’s LinkedIn account, a public source.

Reed was very surprised that Bellingham knew Reed’s name, personal e-mail address, and investment activity in the Edinburgh Fund (collectively, the “personal data”) and found it unacceptable that Bellingham used that personal data to market opportunities with QIP. Reed raised concerns with the Employers.

On 1 October 2018, the Employers commenced a private action in the District Court under Section 32 of the PDPA against Bellingham. (Note: Section 32 has since been repealed by the Personal Data Protection (Amendment) Act 2020, and replaced by a very similarly-worded section 48O of the PDPA). Reed was then added as a plaintiff in the action.

Decision of the District Court

The District Judge denied relief to the employers, He held that section 32 only conferred a right of private action upon the person whose personal data had been misused, and therefore the employers had no legal standing to bring the action. The District Judge granted Reed an injunction restraining Bellingham from using, disclosing or communicating the Personal Data, and an order that Bellingham undertake to destroy Reed’s personal data that was in his possession.

Bellingham filed an appeal in the High Court.

Decision of the High Court

The High Court Judge held Bellingham had contravened the PDPA. However, the ambit of “loss or damage” in section 32 excluded emotional distress and loss of control of personal data.

The Judge noted that Singapore’s Ministry of Information, Communication and the Arts (“MICA”) had studied the legislative frameworks of Canada, New Zealand, Hong Kong, and the United Kingdom before the PDPA was enacted. The relevant provisions in these jurisdictions allowing individuals to sue for emotional distress, contained express references to some form of emotional harm. UK cases had interpreted the relevant provision in the European Union to include compensation for distress, and the relevant provision in the UK to include compensation for distress and loss of control over personal data.

In contrast, the PDPA only referred to “loss or damage”. It did not refer to any form of emotional harm of loss of control. This signalled Parliament’s intention to exclude these losses from the ambit of section 32.

The Judge said there was good reason for not adopting the positions in these jurisdictions – the positions had been driven primarily by the need to recognise the right to privacy. In contrast, the PDPA was not driven by an absolute or fundamental right to privacy.

The Judge concluded that Parliament intended for the courts to determine the ambit of “loss or damage” by applying common law principles. This did not include distress or loss of control.

Finally, the Judge held that Reed did not suffer any relevant loss or damage. Even if distress was actionable under section 32, there was also no evidence that Reed suffered distress.

Reed appealed.

Decision of the Court of Appeal (CA)

The CA allowed Reed’s appeal, holding that emotional distress was a form of “loss and damage” within the meaning of section 32, and that Reed had experienced emotional distress that was significant enough to be actionable.

First, there was nothing in the text and context of section 32 that justified narrowing the meaning of “loss or damage” to exclude emotional distress.

Second, adopting the interpretation that “loss or damage” includes emotional distress (a wide interpretation) better promoted the general purpose of the PDPA and the specific purpose of section 32. This was because:

  • The relevant Parliamentary debates indicated that there was no intention to fetter the meaning of “loss or damage”.
  • Parliament had intended to provide robust protection for personal data.
  • There must have been an intention that remedial options in the PDPA, including section 32, be effective in guarding the right of individuals to protect their personal data. Section 32 would be significantly denuded of practical use if “loss or damage” excluded emotional distress (the narrow interpretation).

In addition, the aim of the PDPA to balance the interests of individuals and organisations, did not diminish the force of a wide interpretation. arguments that the adoption of a wide interpretation would disturb the balance that Parliament intended to strike since any minor or technically breach could expose an organisation to a frivolous lawsuit, were met by:

  • The requirement in section 32 that the “loss or damage” be suffered directly as a result of a contravention of the PDPA.
  • The principle that there is no legal recourse for minimal loss (which meant that trivial annoyance or negative emotions which formed part of the vicissitudes of life would not be actionable).
  • Litigants would be discouraged from making frivolous claims for emotional distress through the accretion of case law from section 32 lawsuits, and the imposition of cost orders.

Third, the specific purpose of section 32 was furthered by a wide interpretation. The CA reiterated that section 32, forming part of the PDPA’s enforcement regime, must be an effective means by which individuals may enforce the right to protect their personal data.

Fourth, the CA did not think that the laws of Canada, NZ, HK, and the Eu, displaced a wide interpretation in favour of a narrow one. The CA considered the foreign approaches to be a neutral factor.

The CA concluded Parliament did not intent to exclude emotional distress from the meaning of “loss or damage” in section 32, but on the contrary, had provided remedies for emotional distress arising from the breach of the new tort in section 32.

On the other hand, loss of control of personal data did not constitute “loss or damage” because every contravention of the relevant provisions of the PDPA would involve some form of loss of control over personal data.

General principles on what emotional distress under section 32 entails

Given the CA’s clarification that emotional distress was an actionable head of loss, it was very helpful that the CA set out these general principles in the same decision.

The CA said that whether emotional distress is proved will depend on the circumstances of the case. A few non-exhaustive considerations were:

  • The nature of the personal data involved in the breach: was it sensitive, or especially personal
  • The nature of the breach: for example, whether it was one-off, repeated, or continuing.
  • The nature of the defendant’s conduct. For example, proof of fraudulent or malicious intent may support an inference that the plaintiff was more severely affected. In contrast, an accidental breach by a single typographical error was unlikely to cause cognisable distress.
  • Risk or future breaches of PDPA causing emotional distress.
  • Actual impact of the breach on the claimant.

The CA emphasised that negative emotions that should be tolerated as part of the ordinary vicissitudes of life do not amount to emotional distress.

In this case, the factors that supported a finding of distress were Reed’s actions on the whole, Bellingham’s dismissiveness of Reed’s concerns about the safety of his personal data, that the personal data misused by Bellingham was sensitive, as well as Bellingham’s unreasonable refusal to give Reed an undertaking not to use it in future.

The CA upheld the District Judge’s grant of the injunction and undertaking.

Comments

I applaud the CA’s decision that emotional distress was a form of “loss or damage” within the meaning of section 32, and their recognition (alongside their empathy) that “distress is often the only real damage that is caused by a contravention”.

Three examples of such cases readily come to mind:

  • Where there is a breach of the data collected from a menstrual tracking app, from which it can be inferred that a woman received an abortion in a U.S. state with a ban against it. The woman could be facing two to five years in prison in that state.
  • Where a data leak outs someone as gay, lesbian or bisexual, or transgender. In 2010, an 18-year-old student jumped off a bridge after finding out that his sexual encounter with another man in his dorm room had been livestreamed by his roommate, which at the same time outed him as gay.
  • Where a data leak points to a female foreign worker who is married, having committed adultery. Following from this leak, she is under the threat of honour killing.

In all three examples, the individual probably would not suffer pecuniary loss, damage to property, personal injury, and maybe not psychiatric injury. But in this digital age where information (and gossip) can spread frighteningly fast, the individual could be undergoing a tremendous amount of emotional distress from the leak of data, especially if devastating consequences could ensue from the leak.

It is hard to believe that the Singapore Parliament would have intended that the only recourse available to an individual who only suffered emotional distress, was to file a complaint with the Personal Data Protection Commission (“PDPC”) and leave the matter in the PDPC’s hands. As the CA recognised, this does nothing to compensate the individual who, and further, the complainant has no control over whether and how the PDPC acts.

Indeed, the CA said that given the heightened risk of misuse of personal data arising from the vast and ever-increasing volume of it being collected and processed, the likelihood of distress being the only damage suffered, and the PDPA’s aim of strengthening individuals’ rights to protect their personal data, the CA did not believe that Parliament intended to limit the ambit of section 32 to exclude emotional distress.

Turning to the CA’s factors to be considered in dealing if emotional distress is proved, I thought it was interesting that the CA referred to the decisions of the Federal Court of Canada and the English High Court, in opining that financial data is likely to be sensitive. This suggests Singapore courts may look beyond the PDPC’s decisions and guidelines on what constitutes sensitive data when deciding if data is or is not sensitive, to positions taken in other jurisdictions.

I would also humbly suggest that other factors that the courts should consider, are the size and extent of the data breach (one piece of personal data as compared to twenty), whether the leak was to a small group of people who kept information confidential, versus that group of people sharing the personal data with others, or the personal data being shared in online forums or Pastebin.

Lastly, I am curious how monetary damages for emotional distress would be quantified, and the amounts that can be awarded, particularly where individuals may be vilified, or face stigmatisation or dire personal consequences arising from the data breach.

Darren Grayson Chng is our International Associate Editor for Singapore

The views expressed in this article are the author’s personal views only and should not be taken to represent the views or policy position of his employer.