With all the gripes concerning compliance with the GDPR (an acronym so infamous that I no longer remember what it stand for), there is an interesting article on the New York Times by Tim Wu highlighting a (possible?) American alternative to the GDPR. To summarise, Dr Wu suggests that we “rely on judges and state law to establish that the legal concept of “fiduciary duty” can apply to technology companies”.

I do not think that technology companies are going to be excited about that. The words ‘fiduciary duty’ have a stench that is far worse than ‘compliance’.

I do want to focus on another aspect of the argument, that is having judges and court make rules about data protection and privacy. Dr Tim does not make mention that there are in fact judgements from the US Supreme Court and even in the UK which might be said to be the case-by-case development of the law he advocates. (For a brief overview on common law developments concerning privacy, you can read the PDPC’s fascinating diversion at Re: My Digital Lock [2018] SGDPC 12).

In particular in Singapore, there was a judgement named Malcomson Nicholas Hugh Bertram v. Naresh Kumar Mehta [2001] 3 SLR(R) 379 which was described as establishing the tort of intentional harrassment and by the PDPC in the decision cited earlier ‘as perhaps a little ahead of its time’. I remembered studying it in law school with equal amounts of trepidation and fascination. Here was a judge made rule that created a right regarding privacy in Singapore!

It may not be clear what led to the creation of the tort, but it is quite clear what it could not do. Since that case was decided, there was hardly any mention of the tort or any report of anyone else successfully relying on the tort to punish a stalker. In the end, the Parliament in Singapore enacted the Protection from Harassment Act (Cap. 256A) which expressly abolished the tort of intentional harassment created earlier. Now POHA is a weapon of choice used by bloggers to escalate their wars.

There are limitations on relying on judges to create and interpret a law, and the biggest stumbling block is that it requires a litigious society that is willing to test its laws. This is not the case here in Singapore. If we had waited for courts to come up with solutions, the technology train would have left the station far too long ago. Even if the US was that litigious society where Dr Tim Wu’s alternative may plausibly work, I still think that court process will not be able to react fast enough to changes in technology.

Compare this to the PDPA and the ‘bureaucracy’ called the Personal Data Protection Commission (which has issued almost 15 decisions to date in this year alone), and it is clear that our needs were far better served this way. The GDPR and PDPA has also brought a lot of attention to such issues in a comprehensive and general way that could not be done by just a judge. More importantly, the GDPR and PDPA has made several companies sit up and listen to individual consumers.

So maybe while one is complaining about the work one has to do to adhere to the GDPR, it is worth taking a step back and realising what this has achieved for ordinary people everywhere.