On January 3, 2019, Singapore's Personal Data Protection Commission issued two grounds of decision against Bud Cosmetics and AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd.

Bud Cosmetics

The facts of this case were as follows:

  • Bud Cosmetics is an organic and natural skincare retailer with retail outlets in Singapore and an online store.
  • It collected customer information for membership registration and maintained two separate databases: one for online registrations and another for registrations in person at its retail outlets.
  • As part of its marketing activities, Bud Cosmetics sent its customers e-newsletters with its latest promotional offers and products. Such e-newsletters were generated by selecting members' email addresses from both online and offline databases based on certain criteria. After an e-newsletter was sent out, the customer mailing list for that particular e-newsletter would be stored in an archive folder.
  • An individual complainant discovered a URL link to a member list of Bud Cosmetics' when she conducted a search using her name on the Internet. The list contained the names, dates of birth, contact numbers, email addresses and residential addresses of approximately 2,300 persons.
  • The member list was located in the image folder for an e-newsletter that was sent out in 2012 and hosted on a third-party server based in Australia. This system was hacked in April 2012. Bud Cosmetics switched web hosting companies in 2013, and engaged a U.S. entity with servers located in Provo, Utah.

The commission's findings were as follows:

  • It was incumbent on Bud Cosmetics to take "proactive steps" to comply with its obligations under the Personal Data Protection Act (PDPA) not only for new personal data in its possession or control but also for any existing personal data held in its possession or control.
  • Bud Cosmetics' privacy policy failed to set out any procedures or practices as to how it and its employees should handle and protect personal data in their possession or control. The commission opined that "it is a trite principle of law that ignorance of the law is no excuse." As such, Bud Cosmetics' lack of awareness of its obligations cannot excuse it and is not a legitimate defense of a breach of the PDPA. It was found to be in breach of the openness obligation under section 12(a) of the PDPA.
  • With regard to the cause of the incident, the commission noted that the fact remains that the member list was generated and inserted into the 2012 image folder, and hence applied the common law maxim res ipsa loquitur. Bud Cosmetics, by its own admission, did not consider the adequacy of the security of its website or information technology (IT) system. Accordingly, the commission found that the company had breached its obligation to protect personal data in its possession or control pursuant to section 24 of the PDPA.
  • The commission further determined that Bud Cosmetics had also breached the transfer limitation obligation under section 26 of the PDPA. Given that it had chosen to engage IT vendors with servers located outside Singapore, it was required to ensure that the recipient of the personal data outside Singapore is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to that under the PDPA. To this point, an organization must consider whether foreign law provides comparable protection and if not, it should impose contractual obligations on the recipient to comply with the PDPA. This was entirely omitted to be done by Bud Cosmetics.
  • For its various breaches, the commission imposed a financial penalty of SGD 11,000 on Bud Cosmetics, as well as regulatory directions to conduct a security audit and to implement an IT security policy and employee training to comply with the PDPA.

AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd

The facts of this case were as follows:

  • AIG is a general insurance company in Singapore. It had engaged Toppan as its printing vendor.
  • Toppan had mailed out 87 policy renewal letters addressed to individual AIG policyholders, enclosing incorrect business reply envelopes that were addressed to another entity instead of AIG.
  • The personal data in each renewal form included printed personal data such as a customer's name, address, make of vehicle and registration number, leasing company (if any), policy number, premium payable, excess, renewal and expiry dates. It also included data the customer would need to fill in such as marital status, identification number or passport number, address, contact number and payment details such as credit card number and expiry date.

The commission's findings were as follows:

  • Toppan had been engaged to provide printing, collation and delivery services for AIG pursuant to a written agreement and was its data intermediary insofar as it was processing AIG's customers' personal data on behalf of AIG.
  • Although it was unlikely to have control over the purposes for which such data was processed, Toppan touted on its website that it has the relevant expertise, knowledge and tools for handling and protecting personal data, and hence would be in control over the manner in which the personal data was processed. For instance, it stated on its website that its service is "a high security business process outsourcing service specialising in data handling. ISO 9001:2008 Quality Management Certification and ISO 27001:2005 Information Security Management Systems Certification guarantee that our operations are up to certified international standards. We help you maximize the value of data asset while minimizing handling cost and data leakage risk".
  • The commission concluded from its investigations that Toppan was solely responsible for the enveloping process that directly caused the incident, and that AIG had no part to play in the actual breach. It was also unreasonable to expect AIG to micromanage its data intermediary's activities by conducting audits of Toppan's enveloping process given this was a seemingly minor part of the complete outsourcing process. Hence, AIG was not in breach of the PDPA.
  • On Toppan's part, however, there were weak internal work process controls that fell short of the standard of protection required for its processing of personal data in compliance with the PDPA, particularly in light of the fact that Toppan processed a significant volume of personal data on behalf of AIG. The commission found that Toppan had breached the protection obligation under section 24 of the PDPA, and imposed a financial penalty of SGD 5,000 on it.

Key takeaways

  • It is evident from the Bud Cosmetics case that organizations can no longer claim to be ignorant of the PDPA or their obligations thereunder. Organizations should also look to putting in place good governance in managing any information and communications technology systems as well as the risks related to data breaches. Where data is stored in overseas servers, organizations should ensure that the recipients of such data are bound by legally enforceable obligations to protect such data to a standard that is at least comparable to that of the PDPA.
  • From the AIG and Toppan decision, it is crucial for organizations in outsourcing relationships to consider the extent to which an outsourced provider may be a data intermediary with respect to any personal data that is processed. The parties can then provide for appropriate representations, and the allocation of risks and liability, in the relevant data processing agreement accordingly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.