The “I did not know I needed one” defence was used by the management of Bud Cosmetics in Re Bud Cosmetics Pte Ltd (2019) SGPDPC 1 when investigated about its data protection policies. This “defence” was of course, swiftly rejected by the Personal Data Protection Commission (PDPC) as the Commission stated that ignorance of the law is no excuse.
If you own a business, make sure you are not only fully aware of the Personal Data Protection Act (PDPA) passed in 2012 which contains compliance requirements for protecting personal data in Singapore, but you are also taking steps to actually comply with these requirements (we have posted another related article on recent amendments to the PDPA in 2020 – you may check out that article here). The Bud Cosmetics case is a good example of what happens if you do not do so.
Background
Bud Cosmetics operated a membership program which is typical for businesses to generate customer loyalty. Bud Cosmetics, again typically, sent out email blasts and newsletters to members who signed up after providing their personal details.
Subsequent to receiving a complaint from an affected individual about an exposed data list on the internet containing personal data of members (including the complainant’s) of Bud Cosmetics membership program, the PDPC investigated and concluded that Bud Cosmetics were in breach of several of their obligations under the PDPA.
Fined for Breaches of PDPA Obligations
Bud Cosmetics had an obligation under the law to comply with the PDPA and its regulations and they had failed to do so.
PDPC’s investigation resulted in Bud Cosmetics getting fined for breaching three sections of the PDPA, namely sections 12a, 24 and 26.
Section 12a requires an organisation to develop and implement policies and practices that are necessary for it to meet its data protection obligations under the PDPA and to communicate to its staff information about such policies and practices.
Section 24 requires an organisation to protect personal data in its possession or under its control by taking reasonable security measures to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Under section 26 of the PDPA, unless otherwise exempted, an organisation shall not transfer any personal data to a country or territory outside Singapore unless it ensures that each such receiving organisation provides a standard of protection to personal data that is comparable to the protection under the PDPA.
Insufficient Policies and Practices to Protect Personal Data
Although Bud Cosmetics had a privacy policy on their website, they only published their privacy policy because they saw many other companies do so. Their explanation was “I did not know about the legal obligations”. They assumed (wrongly) that the PDPA only contained provisions about the Do Not Call Registry- preventing them from sending marketing messages to registered Singapore numbers.
Furthermore, although Bud Cosmetic’s privacy policy notified customers as to how they would use and process the data subjects’ personal data, it did not mention how the company’s employees were going to handle their customers’ personal data.
Employees who are not informed of any requirement to protect personal data certainly cannot be expected to do so. Employees need proper data protection training, which Bud Cosmetics had not provided.
Absence of Adequate Security Measures to Protect Personal Data
Furthermore, Bud Cosmetics failed to consider whether the security of its website and technological systems was adequate and did not put in place any security measures to protect personal data in its possession. They said this was because they were unaware of the PDPA obligations at the time of the incident and therefore did not have such measures in place.
Remember even if you just own a small business, you still have to ensure the security of your systems and the protection of personal data in your possession or under your control.
Obligations when you Transfer Personal Data Overseas
Originally Bud Cosmetics engaged an Australian based service provider to host their membership program data list and subsequently they engaged a US based service provider to host the said data. Thus they transferred personal data outside Singapore without considering, as they should have, if the laws in the country where their service provider is based provided a standard of protection to personal data that is comparable to the protection under the PDPA.
If your business is transferring data to overseas hosting servers, please take note if the laws in the receiving country are comparable or better than that of the PDPA. If they are not, please include contractual obligations for the hosting servers to provide protection comparable to the PDPA. You might be pleased to note that with recent amendments to the Act, companies can now look for overseas hosting servers/organisations with “specified certification”. Overseas receiving organisations which have either of the two specified certifications, namely the Asia Pacific Economic Cooperation Cross Border Privacy Rules (APEC CBPR) System and the APEC Privacy Recognition for Processors (APEC PRP) System,automatically satisfy the PDPA’s section 26 obligation.
Conclusion
If you own a business, please learn from the lessons the Bud Cosmetic case provides. It is better to be safe than sorry when it comes to protecting important personal data of your customers. If you need support with this, please approach our helpful team at AT Law Practice LLP – click here.
Copyright © 2020 ATLaw Practice LLP. All Rights Reserved.