Love.Law.Robots.

Love.Law.Robots. is moving!

You're browsing the original version of the Love.Law.Robots. Check out the new site. It's prettier and packs loads of new features!

Three Things: Re Club the Chambers [2018] SGPDPC 24

Featured Image `

My newest edition of Three Things dives into the alternative world of LAN gaming. With the wide availability of the Internet in the last twenty years, there really is no need for a group of kids to get together just to play DOTA after school. What’s left is the rough world of teenage boys, their cliques and the desire to play computer games.

From the first paragraph:

[The LAN Shop Operator] had displayed A4-size notices comprising of photocopies of the identity documents of 11 individuals whom the Organisation had banned from entry, along with descriptions of why those individuals had been banned.

The LAN Shop Operator was ordered to pay a $7,000 financial penalty.

Thing 1: Sensitive, Sensitive, Sensitive#

As mentioned in the summary, the LAN Shop had displayed prominently personal information of the “banned” individuals, as well as the grounds for their banning.1 These grounds, along with personal information such as NRIC, mobile phone number, name of employer etc were rightly considered to be personal information by the PDPC.

Furthermore, NRIC numbers, pictures and shameful reasons are sensitive personal information, and the PDPC considered this to be “aggravating” in determining the financial penalty.

It is a tad disappointing that no reference was made to the new NRIC guidelines, especially whether the condition for collection and use, ie. was it necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity, was met. My guess is that the condition would not be met. Even so, given the purpose it was collected or used (maintaining an internal black list), an argument to meet this condition could be made.2

The PDPC appears to be focusing on organisations who use sensitive personal information to shame others recently. Other recent cases which feature this include Re Galaxy Credit and Investments. This means that if you plan to use sensitive personal information this way, you have to take extra care of your exposure in this area. People are more motivated to complain about your use of personal data if you are using it against them.

Any reasonable person would not voluntarily agree to be named and shamed. If I am using a commercial service, I do not want a proprietor to use data I provide against me in this manner.

Interestingly, as part of its defence, the LAN Shop claimed without evidence that “some parents… will give permission for us to put the personal data of their children up”.

Luckily the LAN Shop appeared to recognise that naming and shaming might not go down well with the PDPC, and gave a somewhat more reasonable excuse for placing posters of bad children in their shops.

In any case, the PDPC confidently found that no member gave consent for their personal data to be used in that manner.

Imagine this. If I were to run a LAN Shop and stated explicitly that personal data will be used to name and shame individuals who break the rules, can I still put up such posters? I am sure everyone will still sign my Privacy Policy. I would fulfil the notification and consent obligations for such collection and use under the PDPA.

Given the analysis of the PDPC in focusing on whether members were notified of the alleged purpose, it appears to be possible to consent to such a purpose.

Thing 3: But is it ever reasonable?#

Unlike cases such as Re Galaxy Credit and Investments, this case actually presents two purposes, one perfectly reasonable: “assist staff in identifying banned members and to inform banned members that they were prohibited entry into the LAN Shop” and the other at the margins of reason in a civilised society: to name and shame banned individuals, so that others are nudged to comply with the rules put up by the LAN Shop.

Interestingly, even though the breach was based on the duty to notify individuals of the purpose (there was no privacy policy), the PDPC stated that the purpose of disclosure was “inappropriate”. The PDPC reiterated that “an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances”. However, instead of explaining why naming and shaming was “inappropriate”, the PDPC explained how the use and disclosure was “inappropriate” for another, more reasonable purpose which the LAN Shop stated during investigations.

The PDPC should have stated what it appeared to suggest: it is unreasonable for any Organisation to collect and use personal data to name and shame its customers. For now, there is an incentive for organisations to cover up unreasonable, ulterior purposes by using reasonable purposes.3

Here’s a reason why I think this decision did not go so far. Making a judgement on the reasonableness of a purpose is a judgement on business and civil norms which the PDPC may not be well equipped to do. Is shaming an employee unreasonable?4 Or what about the case of a member of an Organisation who has an interest in finding out who is complying with the Organisation’s rules? The “reasonableness” requirement ultimately begins to be fact specific and of limited application. It would take a complainant filled with self-righteous rage to accept the immense risk of relying on the “reasonableness” requirement for the grounds of his complaints.

Conclusion#

Along with the limits of a consent-based system and the uncertainty of the exemptions under the PDPA, the “reasonableness” requirement remains one of the most vexing principles in the PDPA. It is able to stand for everything, yet stand for nothing at the same time. For the sake of clarity, hopefully there will be reform in this area in due course. Get rid of it.


  1. These reasons include “surfing pornography”, “skipping classes”, and “stealing money and captured by CCTV”. Good ole days. ↩︎

  2. It might go something like this — An internal black list harms me by preventing me from playing LAN at your shop. Not to mention, I would suffer reputation damage if I were banned. If I were to agree to being denied service, I would require that my identity (as a banned individual) be verified by a high degree. ↩︎

  3. The decision does state what would have been the best practice if the purpose was to maintain an internal black list. However, there is no principle of data minimisation or data protection by design and default under the PDPA, and it is difficult to see how this relates to section 18(a) of the PDPA. ↩︎

  4. See Re Executive Coach International. However, the PDPC found that there was no consent or notification, so the PDPC did not need to come to a decision whether it is reasonable to use personal data to name and shame in an employer-employee relationship. ↩︎