1 This appeal raises, among other issues, the interesting question of the scope of the phrase “loss or damage” in s 32(1) of the Personal Data Protection Act 2012 (Act 26 of 2012) (“PDPA”). Section 32(1) confers a right of private action on any person who suffers loss or damage directly as a result of the contravention of any provision in Part IV, V or VI of the PDPA. It is the appellant’s case that his emotional distress and the loss of control of his personal data fall within the meaning of “loss or damage”, and that he is therefore entitled to claim injunctive relief under s 32.

2 We take this opportunity to clarify the ambit of the right of private action in s 32(1) of the PDPA in relation to these two alleged heads of loss. Any reference to the PDPA in this judgment shall unless otherwise stated, be to the version of the Act in force in 2018. Further, unless otherwise expressly indicated references to s 32 or sub-sections thereof shall be to the following provisions:

3 By DC/OSS 170/2018 (“OSS 170”), IP Investment Management Pte Ltd (“IPIM”) and IP Real Estate Investments Pte Ltd (“IPRE”) (together, the “Employers”) commenced a private action in the State Courts under s 32 against their former employee, Alex Bellingham (the “respondent”). The Employers sought an injunction restraining the respondent from using certain personal data belonging to the appellant, Michael Reed, and other customers, and an order for the respondent to deliver up said data. OSS 170 was filed on 1 October 2018. On 8 March 2019, the Employers applied to join the appellant as a plaintiff in the action. This application was granted on 23 May 2019.

4 The District Judge (“DJ”) subsequently denied relief to the Employers on the basis that they lacked legal standing to bring the action. He reasoned that s 32 only confers a right of private action upon the person whose personal data has been misused and not on any other entity. The DJ, however, granted the appellant: (a) an injunction restraining the respondent from using, disclosing or communicating the appellant’s personal data (“the Injunction”); and (b) an order that the respondent undertake to destroy the appellant’s personal data that was in his possession (“the Undertaking Order”). The DJ’s decision is found in IP Investment Management Pte Ltd and others v Alex Bellingham [2019] SGDC 207 (the “DGD”).

5 Dissatisfied with the DJ’s decision, the respondent filed an appeal in the High Court. The High Court judge (“the Judge”) allowed the appeal. He noted that a plaintiff bringing an action under s 32(1) must show (a) contravention of one or more of the provisions in Parts IV, V or VI; and (b) that he has suffered loss or damage directly as a result of such contravention. The Judge accepted that the respondent had contravened ss 13 and 18 of the PDPA (which fall within Part IV) in respect of the appellant’s data but held that the appellant had not suffered any “loss or damage” within the meaning of s 32(1). While the appellant’s case was that he suffered loss of control of his personal data and emotional distress, the Judge held that neither of these two types of losses was recognised under s 32(1). The Judge thus set aside the DJ’s orders. The Judge’s decision is found in Bellingham, Alex v Reed, Michael [2021] SGHC 125 (“GD”). The appellant asks this court to reverse the decision of the Judge.

6 The Employers are connected companies in the business of managing funds. They and IP Investment Management (HK) Ltd (“IPIM HK”) are part of a group referred to as “IP Global”. Originally employed by IPRE as a marketing consultant in 2010, the respondent was seconded to IPIM HK in 2016. Among other things, the respondent’s role involved management of an investment fund known as the “Edinburgh Fund”. This was an investment fund set up in 2015 by IPIM and IPIM HK to acquire, develop and manage a student property. The Edinburgh Fund was an Accredited Investors only, single asset, close-ended fund. It was scheduled to be terminated in the second half of 2018.

7 In January 2017, the respondent left the employ of IPRE and joined a competitor of IPIM known as Q Investment Partners Pte Ltd (“QIP”) as its “Head of Fund Raising”. QIP was set up by one Peter Young, who had previously been Chief Executive Officer of IPIM.

8 In August 2018, the respondent contacted some investors in the Edinburgh Fund, including the appellant. The respondent claimed in OSS 170 that he came to know of the appellant through his employment with IPIM. His evidence was that the appellant’s name “must have been brought up during some conversations”. The respondent also stated that he obtained the appellant’s e-mail address from the latter’s LinkedIn account, which was a public source. In the absence of evidence to the contrary, the Judge accepted the respondent’s explanations and the appellant does not contest this portion of the GD on appeal.

9 On 15 August 2018, the respondent sent the following e-mail to the appellant at the latter’s personal e-mail address:

10 The appellant was “very surprised” that the respondent knew his name, personal e-mail address and investment activity in the Edinburgh Fund (collectively, “the Personal Data”). He found it “unacceptable” that the respondent had used the Personal Data to market “opportunities regarding [the appellant’s] impending exit from [the] Edinburgh Fund.” On 21 August 2018, the appellant sent the following e-mail to Mr Mark Ferguson (“Mr Ferguson”), IPIM’s Director of Investor Relations & Business Development, querying the fact that QIP had information about his investment in the Edinburgh Fund:

11 On the same day, IPIM’s solicitors, M/s Allen & Gledhill LLP (“A&G”), sent the respondent a letter alleging that he had breached his “obligations not to misuse confidential and/or personal data.” The letter demanded that the respondent (a) return all copies of confidential and/or personal data of IPIM’s customers; (b) confirm that he and QIP no longer retained any copies of such information; and (c) undertake that he and QIP would not make any further unauthorised use of such information.

12 On 28 August 2018, the appellant replied to the respondent’s e-mail of 15 August 2018. The appellant wanted to know how the respondent had come to access the Personal Data, and what steps the respondent would take to protect the Personal Data:

13 On 31 August 2018, the respondent sought further details of the alleged breaches from A&G. On 3 September 2018, A&G wrote to the respondent, repeating its earlier demands. The respondent replied to A&G on 10 September 2018 in these terms:

14 On 12 September 2018, the respondent replied to the appellant’s 28 August 2018 e-mail, stating as follows:

15 On 27 September 2018, the appellant forwarded the respondent’s e-mail to Mr Ferguson, noting that the respondent had failed to address the fact that he had misused “privileged information”. OSS 170 was started a few days later by the Employers as the plaintiffs. The appellant became the third plaintiff in May 2019.

16 Before the DJ, the appellant succeeded in obtaining the Injunction and Undertaking (collectively, the “Orders”). They read as follows:

17 On 6 November 2019, the respondent filed an affidavit attesting to his compliance with the DJ’s order to destroy the Personal Data that was in his possession. In oral submissions before us, the appellant’s counsel conceded that he had no basis on which to challenge the respondent’s averment sworn on affidavit.

18 Despite his compliance with the Undertaking Order, the respondent maintained his appeal to the Judge. He questioned whether the appellant had suffered actionable “loss or damage” under s 32(1). The Judge answered this question in the negative and held that the appellant, therefore, had no right of private action (GD at [23]).

19 Although the respondent has destroyed the Personal Data in his possession and the aim of the Undertaking Order has been accomplished, the question for us in this appeal is whether the appellant had a cause of action under s 32 in the first place.

20 The Judge identified three issues for his consideration (GD at [28]): (a) whether the respondent had contravened ss 13 and 18 of the PDPA; (b) what the scope of “loss or damage” under s 32(1) was; and (c) whether the appellant had suffered “loss or damage” within the meaning of s 32(1).

21 In relation to the first issue, the Judge considered the effect of ss 13 and 18 of the PDPA which state that:

22 The Judge concluded that the respondent had contravened both ss 13 and 18 (at [39]):

23 In respect of the second issue, the Judge held that the scope of “loss or damage” in s 32(1) excluded emotional distress and loss of control of personal data (GD at [40]–[88]).

24 The Judge stressed that while Canada, New Zealand, Hong Kong and the United Kingdom (“UK”) allow private persons to sue for emotional distress, the relevant legislative provisions in these jurisdictions contain “express references to some form of emotional harm”. Cases in the UK had also interpreted the relevant European Union (“EU”) statute to include compensation for distress. Given that Singapore’s Ministry of Information, Communication and the Arts (“MICA”) had studied the legislative frameworks in those jurisdictions before the PDPA was enacted, the Judge concluded that Parliament’s decision to refer only to “loss or damage” in s 32(1) without any reference to any form of emotional harm or loss of control over personal data signalled an intention to exclude these losses from the ambit of s 32(1) (GD at [53] and [56]). He added that those other jurisdictions were driven by the right to privacy granted by other instruments like the International Covenant on Civil and Political Rights (189 UNTS 137) or Directive 95/46/EC of the European Parliament on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive 95”). The Judge stressed that, in contrast, the PDPA was not driven by an absolute or fundamental right to privacy (GD at [71]–[72]). He concluded that Parliament intended for the courts to determine the ambit of “loss or damage” by applying common law principles (GD at [77]).

25 Finally, in respect of the third issue, the Judge held that the appellant did not suffer any relevant loss or damage. Even if distress was actionable under s 32(1), he found that “there was no evidence that [the appellant] suffered distress. [The appellant’s] affidavits did not show evidence of any distress.” (GD at [91]).

26 In this appeal, neither party is challenging the DJ’s finding that ss 13 and 18 of the PDPA were breached. The appellant seeks the reinstatement of the Injunction granted by the DJ. He wants the respondent to be subject to a continuing obligation not to misuse the Personal Data. In this connection, the appellant makes two main submissions. First, he argues that the Judge erred in holding that the scope of “loss or damage” in s 32(1) excludes loss of control over personal data and emotional distress. He submits that reading “loss or damage” broadly to encompass emotional distress and loss of control over personal data will further the statutory purpose of the PDPA by “enabling victims to obtain effective remedies for improper use of their personal data”. Secondly, the appellant argues that he indeed suffered “loss or damage”. He had lost control over the Personal Data due to the respondent’s conduct and was also emotionally distressed because data concerning his personal investments had been misappropriated by the respondent. In oral submissions, to buttress his case on distress, counsel for the appellant emphasised that before the start of proceedings the respondent had refused to undertake not to misuse the Personal Data in the future.

27 The respondent submits that the Judge’s interpretation of “loss or damage” in s 32(1) is “entirely correct and based on sound, precedented legal reasoning.” His case is that Parliament intended the courts to apply common law principles when interpreting “loss or damage”. Under the common law, he submits, “discomfort or displeasure” is part of the normal vicissitudes of life and would not be actionable. In any case, the respondent echoes the Judge’s finding that the appellant did not suffer emotional distress. The appellant failed to make any factual averment or to provide evidence in support of his allegation of emotional distress. The respondent argues that after he was joined as a party to OSS 170, the appellant merely adopted the Employers’ evidence that they were likely to suffer loss of custom as bodies corporate. As a natural person, the appellant could not sustain such loss.

28 In a letter dated 6 October 2021, this court sought clarification from the parties on an additional issue. This related to the relevance of s 4(1)(b) of the PDPA and whether the Judge was correct to hold at [31] of the GD that the obligations in ss 13 and 18 of the PDPA applied to the respondent as an individual.

29 Section 4(1)(b) provides as follows:

30 On this point, the appellant supports the Judge’s holding. In his submissions, the appellant accepts that if s 4(1)(b) of the PDPA applies, the respondent is not liable for any breach of ss 13 and 18 committed in the course of his employment. The liability would be that of the person who employed the respondent when he committed the breaches. The appellant also accepts that the respondent collected the Personal Data in the course of his employment with IPIM. The appellant submits, however, that the respondent no longer enjoyed the protection of s 4(1)(b) once he left IPIM. At the time he misused the Personal Data, therefore, he was in breach of ss 13 and 18 of the PDPA.

31 In relation to s 4(1)(b) of the PDPA, the respondent argues that it exempts him from liability. He argues that the Personal Data was first collected during his employment with IPIM or IPIM HK. He was thus not subject to any personal obligation to comply with ss 13 and 18.

32 The Attorney-General (“the AG”) was granted leave to intervene in the appeal on 18 October 2021. The AG was given leave to submit on the interpretation of “loss or damage” in s 32(1) and the phrase “employee acting in the course of his employment with an organisation” in s 4(1)(b) of the PDPA.

33 With regards to s 32(1), the AG submits that “loss or damage” only includes damage of the kind generally recognised at common law as actionable in a claim for breach of statutory duty. The AG’s position is that s 32(1) does not recognise: (a) emotional distress which falls short of a recognised psychiatric illness; and (b) loss of control over personal data.

34 As for s 4(1)(b) of the PDPA, the AG recommends importing common law principles governing the imposition of vicarious liability to determine when an employee is “acting in the course of his employment with an organisation” under the PDPA. The AG adds that the application of these common law principles should, however, be guided by the general approach of reading the protection in s 4(1)(b) broadly in favour of protecting employees from liability.

35 In light of the foregoing, the issues which arise for this court’s determination are as follows:

36 We deal first with an argument raised by the respondent in oral submissions. He argues that ss 13 and 18 of the PDPA do not apply to him, not by virtue of s 4(1)(b) of the PDPA, but because these provisions impose obligations only on organisations and not on individuals.

37 The chapeau to these provisions places the obligation formulated therein on an “organisation”. The respondent argues that the PDPA distinguishes between organisations and individuals and that therefore he, as an individual, is not subject to ss 13 and 18. In support of this argument, he relies primarily on Part 4 of the new First Schedule of the PDPA enacted in the Personal Data Protection (Amendment) Act 2020 (Act 40 of 2020) and ss 11 and 53(1) of the PDPA. Part 4 of the new First Schedule provides that where a business asset transaction is involved, there is no need to obtain an individual’s consent before his or her personal data is collected, used and/or disclosed: s 17(1) of the Personal Data Protection Act 2012 (2020 Rev Ed) (“PDPA 2020”) read with First Schedule. The respondent submits that the definition of a business asset transaction contemplates an organisation or corporation being involved. He appears to argue that because this exception to the consent obligation in s 13 is targeted at organisations, the consent obligation likewise applies only to organisations.

38 We reject the respondent’s interpretation of ss 13 and 18 of the PDPA. There is nothing in these provisions or in the PDPA more generally which supports reading down the scope of ss 13 and 18 in this manner. On the contrary, the definitions of “individual” and “organisation” in the PDPA show that individuals are subject to ss 13 and 18. While the chapeau of ss 13 and 18 impose the obligations formulated thereunder on an “organisation”, s 2(1) of the PDPA expressly includes an individual within the meaning of an “organisation”. Section 2(1) states as follows:

39 Additionally, the business asset transaction exception in the new First Schedule, on which the respondent relies, appears to be a specific exception to the consent obligation in s 13 of the PDPA (see s 17(1) of the PDPA 2020). Under the exception, when a business asset transaction is under consideration, an organisation is permitted to disclose to prospective parties certain personal data without the consent of individuals such as employees, shareholders and directors: Hannah YeeFen Lim, Data Protection in the Practical Context (Academy Publishing, 2017) at para 5.102. Business asset transactions include mergers, and the transfer or disposal of a corporate entity’s business or assets (see PDPA 2020, First Schedule Part 4 para 3). Even if this specific exception is only available to corporate entities, it is a non sequitur to say that s 13 itself applies only to corporate entities. It would be repugnant to one of the stated aims of the PDPA – to recognise the right of individuals to protect their personal data (s 3 of the PDPA) – if other individuals were not subject to s 13 and could therefore collect, use and disclose the personal data of others with impunity.

40 In our view, the proper recourse for individuals who seek to avoid an obligation under the PDPA is to satisfy the requirements of a relevant limb in s 4 of the PDPA.

41 Turning now to the more difficult question of the meaning of s 4(1)(b) of the PDPA, we begin our analysis with a few observations on the nature of the provision.

42 Firstly, we regard s 4(1) as being a defence that a party who is accused of breaching the PDPA may invoke to avoid liability for the putative breach. The corollary of this is that the burden of proof lies on the defendant to establish, on the balance of probabilities, the requirement(s) of the particular limb in s 4(1) on which reliance is placed. In the respondent’s case, he must prove that he was “acting in the course of his employment with an organisation” when the breaches of ss 13 and 18 PDPA occurred. Construing s 4(1) as a defence is consistent with principles of statutory construction.

43 Treating s 4(1)(b) of the PDPA as a defence also promotes consistency with other parts of the PDPA. Section 48(1) of the PDPA states that for criminal proceedings brought under Part IX of the PDPA (ss 36–48) against an employee, “it is a defence for the employee to prove that he did the act or engaged in the conduct in good faith” in the course of his employment or in accordance with his employer’s instructions in the course of his employment. Offences in Part IX of the PDPA include sending certain messages to a Singapore telephone number without confirming whether the said number is listed in a relevant Do Not Call Register (s 43(1) PDPA). While s 48(1) does not expressly reference s 4(1)(b), it is in substance an application of the rule in s 4(1)(b). We see no reason for the burden of proof under ss 4(1)(b) and 48(1) to differ simply because the latter is a defence to a criminal charge rather than to a civil claim. Therefore, whenever an employee seeks to rely on s 4(1)(b) to avoid liability, he or she bears the legal burden of bringing himself or herself within the sub-section.

44 Further, the purpose of the PDPA supports reading s 4(1)(b) as a defence. The PDPA aims to strike a balance between “the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances” (s 3 of the PDPA). In our view, to put the burden of proving that s 4(1)(b) is not engaged on the individual claiming a breach of the PDPA would unfairly tilt the balance in favour of the purpose of collecting, using and disclosing personal data. The evidence needed to establish the requirements in s 4(1)(b) of the PDPA will often, if not always, reside with the defendant. A deserving defendant should not have inordinate difficulty invoking s 4(1)(b).

45 Hence, for s 4(1)(b) to exempt him from liability, the burden was always on the respondent to prove that when ss 13 and 18 of the PDPA were breached, he was: (a) an employee; and (b) acting in the course of his employment in committing the breach.

46 Secondly, we are unable to agree with the AG that common law principles on vicarious liability should be imported into s 4(1)(b) of the PDPA. The AG argues that since the PDPA does not define the phrase “in the course of his employment”, Parliament intended for it to be interpreted in accordance with established common law principles. The AG points specifically to the principles governing the second limb of the test for vicarious liability where a plaintiff seeking to extend liability to the tortfeasor’s employer has to prove that the tortfeasor was acting in the course of employment.

47 In our view, however, the doctrine of vicarious liability is incompatible with the true meaning of s 4(1)(b) of the PDPA. By the doctrine of vicarious liability, for various policy reasons, the law imposes secondary liability for a tort committed by an employee upon an employer even though the employer is not personally at fault: Munshi Mohammad Faiz v Interpro Construction Pte Ltd and others and another appeal [2021] 4 SLR 1371 at [64]. Even if the employer is vicariously liable, the employee is not relieved of primary liability: Halsbury’s Laws of Singapore vol 18 (LexisNexis, 2022) (“Halsbury’s Singapore (Tort)”) at para 240.019. In contrast, the effect of s 4(1)(b) of the PDPA is to exempt the employee who is acting in the course of employment from any obligation under the PDPA, and hence any liability thereunder. Only his employer remains subject to obligations under the PDPA.

48 Further, the imposition of vicarious liability is strict, in that no fault on the employer’s part need be proved in order for vicarious liability to arise. In this way, it is an anomaly in the common law: Skandinaviska Enskilda Banken AB (Publ), Singapore Branch v Asia Pacific Breweries (Singapore) Pte Ltd and another and another appeal [2011] 3 SLR 540 at [78].

49 In contrast, the employer’s liability under the PDPA is, in our judgment, fault based. Section 11(1) of the PDPA indicates that an employer will only be held to be in breach of the PDPA if it fails to do “what a reasonable person would consider appropriate in the circumstances”. Similarly, the Personal Data Protection Commission (“the Commission”) noted that s 11(1) connotes a standard of “reasonable diligence” (Progressive Builders Private Limited and another [2021] SGPDPC 2 (“Progressive Builders”) at [12]). Indeed, the AG also accepts that an employer’s liability under the PDPA is not strict. By way of an example, if an employer has developed and implemented policies and practices necessary for the organisation to meet its obligations under the PDPA (see s 12 PDPA), but a rogue employee takes pains to evade such supervision and thereby breaches the PDPA, it appears highly artificial to say that the rogue employee was nevertheless acting within the course of his employment. Such an errant individual should properly be regarded as having acted outside the course of his employment, thereby precluding his having recourse to s 4(1)(b).

50 In light of these conceptual differences between vicarious liability and s 4(1)(b), we decline to import common law principles of vicarious liability into the PDPA.

51 We turn to the factual issue here of whether the respondent can now claim the protection afforded by s 4(1)(b). In our judgment, he cannot. It is too late for him to do so. The issue of whether, in taking a particular action, an employee acted in the course of his employment is a question of mixed fact and law. Evidence has to be adduced of what was done; what the employment required the employee to do and, in appropriate cases, whether the employee deliberately evaded practices set up by the employer to deter such action. Only then would the court be able to determine whether the employee’s action should be attributed to the employment or whether the employee was, as has often been said in this context, “off on a frolic of his own”. Once relevant evidence had been adduced by the employee, the claimant would be able to challenge or rebut it with evidence of his own. Nothing of the sort happened here.

52 This paucity of evidence can be primarily attributed to the fact that the respondent did not invoke s 4(1)(b) as a defence in OSS 170 or RAS 24/2019. In his Respondent’s Case, the respondent stated the sole issue in the appeal before us in these terms: whether the appellant suffered “loss or damage” falling within s 32(1). The respondent only sought to rely on s 4(1)(b) after we brought it to the parties’ attention on 6 October 2021. As such, the respondent did not adduce evidence in OSS 170 with the objective of proving that he had acted within the course of employment at the time that he misused the Personal Data.

53 Unsurprisingly, therefore, the evidence before us is insufficient to prove that the respondent breached ss 13 and 18 of the PDPA in the course of his employment with either employer. Granted, the DJ found that the respondent had collected the Personal Data in the course of his employment with IPRE. This finding was not challenged before the Judge and therefore could not be challenged by the respondent in this appeal. However, the respondent’s wrongful conduct under ss 13 and 18 of the PDPA included misusing the Personal Data. Such misuse took place after the respondent joined QIP. Therefore, even if s 4(1)(b) exempted the respondent from the obligation to collect the Personal Data in compliance with the PDPA, thereafter he remained subject to the obligations in ss 13 and 18 governing the use of personal data. The respondent’s submissions, which are confined to demonstrating that the Personal Data was collected in the course of his employment with IPRE, thus miss the point.

54 While the respondent had commenced employment with QIP by the time he first contacted the appellant on 15 August 2018, this temporal connection between employment and the breaches of the PDPA per se is insufficient to prove that the breaches occurred in the course of employment and for the purposes of his employment rather than otherwise. More evidence would be required (see [51] above).

55 In sum, the respondent cannot now rely on s 4(1)(b) of the PDPA to exempt him from liability for breaching ss 13 and 18 of the PDPA by misusing the appellant’s personal data. Accordingly, the DJ’s finding that the respondent had contravened ss 13 and 18 should not be disturbed.

56 The next part of the discussion relates to the nature of the right of action conferred on a claimant by s 32. The full text of s 32 is set out in [2] above. For ease of reference, we will call a claim thereunder a “s 32 action”.

57 Although the respondent was correctly found to be liable for breaching ss 13 and 18 of the PDPA, there is still an issue as to whether the appellant was entitled to bring a s 32 action against him and apply for the injunctive relief provided for under s 32(3). It is plain from the language of s 32(1) that a right of action thereunder is only conferred on a claimant who has suffered “loss or damage directly” from the contravention of the PDPA.

58 The Judge held that the scope of “loss or damage” in s 32(1) excludes distress and loss of control over personal data (GD at [40]–[88]). He overturned the DJ’s holding to the contrary. The DJ held as follows (DGD at [141]):

In support of this conclusion, the DJ also cited at [139] the Commission’s view in My Digital Lock Pte. Ltd. [2018] SGPDPC 3 (“My Digital Lock”) (at [33]) that the “right of private action under the PDPA protects informational privacy” [emphasis in original].

59 For the reasons that follow, we have a different view from the Judge on the scope of “loss or damage”. The nature of the s 32 action is the foundation of our analysis of the scope of “loss or damage”.

60 The Judge held that the s 32 action is a statutory tort (GD at [49]). This view is also expressed by Lanx Goh & Jansen Aw (“Goh & Aw”) in Data Protection Law in Singapore (Simon Chesterman ed) (Academy Publishing, 2nd Ed, 2018) (“Data Protection Law in Singapore”) at para 4.78. The Judge explained (GD at [76]):

61 Like the Judge, the AG and the respondent hold the view that common law principles of tort law should inform the interpretation of “loss or damage” in s 32(1). The appellant accepts that s 32(1) creates a statutory tort. However, he distinguishes a statutory tort from the tort of breach of statutory duty. He argues that only the latter is a common law claim and that a statutory tort like the s 32 action should be interpreted by reference to the statute that creates it and its purpose.

62 While we accept that the s 32 action is indeed a statutory tort, in so far as the Judge suggested that this is sufficient reason to restrict the meaning of “loss or damage” by reference to actionable heads of loss or damage under common law, we respectfully disagree.

63 In this regard, it is crucial to distinguish a statutory tort from the common law tort of breach of statutory duty. The latter is a cause of action created by the common law. Where a statute imposes a duty on a party, even if the statute is silent on whether a breach of a statutory duty gives rise to civil liability, the common law has developed the tort of breach of statutory duty to allow a person injured by the breach to sue: see Animal Concerns Research & Education Society v Tan Boon Kwee [2011] 2 SLR 146 at [24]; Gary Chan & Lee Pey Woan, The Law of Torts in Singapore (Academy Publishing, 2016) (“Law of Torts in Singapore”) at para 9.006. To establish the tort of breach of statutory duty, the plaintiff must prove that: (a) the statutory duty was imposed for the protection of a limited class of the public; and (b) Parliament intended to confer on that class a private right of action for a breach of the statutory duty (Law of Torts in Singapore at para 9.007).

64 Where the statute creating the duty expressly provides a civil right of action for injured parties, however, in our view, the juridical basis of the action is no longer the common law, but the statute itself. This distinction was recognised by Lord Toulson in Campbell v Peter Gordon Joiners Ltd and another [2016] AC 1513 (“Campbell”). The issue in Campbell was whether the Employers' Liability (Compulsory Insurance) Act 1969 (c 57) (UK), which expressly imposed criminal liability on a director of a company which failed to adequately insure its employees, was also intended to impose civil liability on the said director. While outlining the principles relevant to the determination of this question, Lord Toulson said that “the cause of action is at common law (except in cases where a statute expressly creates a civil right of action)” [emphasis added in bold italics] (at [35]). Lord Toulson, who opined that the act was intended to impose civil liability on directors, was in the minority with respect to the outcome of that case. As a matter of legal theory, however, the distinction he drew between what we have termed the tort of breach of statutory duty and statutory torts is not less persuasive. Halsbury’s Laws of Singapore (Tort) at para 240.401 also states that the “common law action for breach of statutory duty, being based on a cause of action arising at common law, is to be distinguished ... from cases in which a statute itself expressly confers a right to claim damages” [emphasis added].

65 In our view, the significance of the distinction between a statutory tort and the tort of breach of statutory duty is this. For statutory torts, as the statute expressly creates the right of private action, the scope of that right of action is to be determined first and foremost by the principles of statutory construction. Common law principles are relevant only in so far as the rules of statutory construction permit. Conversely, for the tort of breach of statutory duty, the scope of the right of action and its attendant requirements are determined by the common law. The statute only provides the content of the duty which is alleged to have been breached.

66 The approach we take is consistent with that of the UK Supreme Court (“UKSC”) in Lloyd v Google LLC (Information Comr and others intervening) [2021] 3 WLR 1268 (“Lloyd (SC)”) at [114]. There, the court was concerned with whether s 13 of the Data Protection Act 1998 (c 29) (UK) (“DPA 1998”) allowed an individual to recover compensation for “loss of control” of personal data. The court stressed that the kind of “damage” which is actionable under s 13 is not determined by reference to common law principles, but by interpreting the words of the statute (at [114]):

For reference, s 13 DPA 1998 provides as follows:

67 Therefore, that the s 32 action is a statutory tort does not necessarily entail that common law conceptions of actionable loss or damage should be adopted. At common law the recognised heads of actionable damage for tort claims are pecuniary loss, damage to property and personal injury which includes psychiatric injury (see Pickering v Liverpool Daily Post and Echo Newspapers plc and others [1991] 2 AC 370 (“Pickering”). Whether these heads alone are relevant in the present context will depend on the application of the principles of statutory construction, to which we now turn.

68 In our judgment, once a purposive interpretation of s 32(1) is adopted, it is plain that emotional distress can found the s 32 action.

69  The process of statutory interpretation consists of three steps (Tan Cheng Bock v Attorney-General [2017] 2 SLR 850 (“Tan Cheng Bock”) at [37] and [54]):

(a) First, ascertain the possible interpretations of the provision, having regard not just to the text of the provision but also to the context of that provision within the written law as a whole (“Step 1”).

(b) Second, ascertain the legislative purpose or object of the statute (“Step 2”).

(c) Third, compare the possible interpretations of the text against the purposes or objects of the statute. The interpretation which furthers the purpose of the written text should be preferred to the interpretation which does not (“Step 3”).

70 For present purposes, the alternative interpretations of “loss or damage” in s 32(1) are that: (a) the phrase includes emotional distress (“Wide Interpretation”); and (b) the phrase excludes emotional distress (“Narrow Interpretation”).

71 The AG submits that the Narrow Interpretation should prevail because it is a canon of statutory interpretation that the court “should not construe a statutory provision to have modified or altered a common law principle or right unless Parliament has by express words, or necessary implications, done so”: Ng Boo Tan v Collector of Land Revenue [2002] 2 SLR(R) 633 (“Ng Boo Tan”) at [76]. The AG argues that there is nothing in the text of s 32 or the wider statutory context to show clearly that Parliament intended to recognise additional heads of damage beyond those known to the common law (ie, the heads of damage recognised in Pickering). The respondent takes a similar position.

72 The appellant responds that the cited canon only applies if there is “already a specific existing general common law surrounding the relevant wording of the statute”. He argues that “loss” and “damage” are not terms of art and that there is no universally or generally applicable meaning of “loss or damage” that is of mandatory application across the entire breadth of common law. He raises, as an example, that in an action based on breach of confidence, the plaintiff who suffers injured feelings can use such injury as a basis for monetary damages.

73 With respect, we have difficulty accepting the AG’s analysis. Firstly, in this case, Parliament has expressly created a new cause of action. Our task is to ascertain from the purpose and language of the statute what the elements of that cause of action are. In that regard, the canon of construction the AG refers to is of limited help, if not inapplicable altogether, since Parliament is perfectly able to provide a remedy for damage that the common law does not recognise. Secondly, it is not an immutable rule of the common law that emotional distress can never ground a cause of action in tort. In that sense, s 32 is not changing the common law and the cited canon is no obstacle to adopting the Wide Interpretation.

74 No doubt, the general principle is that emotional or mental distress is not actionable: Behrens and another v Bertram Mills Circus Ltd [1957] 2 QB 1 at 28, cited in James Edelman, McGregor on Damages (Sweet & Maxwell, 21st Ed, 2020) (“McGregor”) at para 5-012. As we alluded to in ACB v Thomson Medical Pte Ltd and others [2017] 1 SLR 918 (“ACB”), however, the heads of actionable “damage” in civil law are not set in stone but are instead shaped by questions of policy. In particular, we observed that “the concept of ‘damage’ is nebulous and defies easy definition” and that whether a particular head of damage is actionable “will depend greatly on the cause of action raised” (at [45] and [46]). We further explained that “[i]n any state of society, it is ultimately a question of policy to decide the limits of liability” (at [1]). These remarks were made generally in reference to “damage” in both tort and contract. On the facts of that case, we accepted, for the first time in Singapore, loss of genetic affinity as a cognisable head of damage in the tort of negligence. There, the appellant underwent in-vitro fertilisation but discovered after the birth of her baby that her ovum had been fertilised using sperm from an unknown third party instead of from her husband. We held that “the Appellant’s interest in maintaining the integrity of her reproductive plans in this very specific sense – where she has made a conscious decision to have a child with her Husband to maintain an intergenerational genetic link and to preserve ‘affinity’ – is one which the law should recognise and protect” (at [135]).

75 As ACB demonstrates, Singapore law can, where appropriate, recognise heads of actionable damage beyond those enumerated in Pickering. The persuasiveness of Pickering is also undermined by Lord Millet’s dictum in Cullen v Chief Constable of the Royal Ulster Constabulary and another suit [2003] 1 WLR 1763 (“Cullen”). In Cullen, a claim was brought for the breach of the statutory duty in s 15 of the Northern Ireland (Emergency Provisions) Act 1987 (c 30) (UK) to inform a detained person of the reasons for the delay in permitting him access to counsel. The claim failed because the plaintiff did not prove that he had suffered distress (at [31]). Pertinently, Lord Millett said (at [69]), albeit in obiter dictum, that the kinds of loss or injury for which the law normally awards damages “may be wider than the formulation … that the claimant must have suffered personal injury, injury to property or economic loss”.

76 Thirdly, if Parliament intended by s 32 to provide a head of damage that was additional to the common law heads, that intention should be given effect (Ng Boo Tan at [76]; see also Diggory Bailey & Luke Norbury, Bennion on Statutory Interpretation (LexisNexis, 7th Ed, 2017) (“Bennion”) at p 703).

77 In the present instance, we are satisfied that Parliament intended to displace the starting position at common law that emotional distress is not actionable. The learned authors of Bennion state that whether a statute displaces the common law is “ultimately one of construction, having regard to all relevant interpretive criteria (including the presumption against changes to the common law)”. They note that “one test … the courts have used is to ask whether the existence of a common law rule or principle in relation to a particular matter would cut across the legislative scheme or undermine its legislative purpose” (Bennion at p 670; see, eg, Wilson v First County Trust Ltd (No 2) [2004] 1 AC 816 at [49]). In our case, considering the scheme and purpose of the PDPA as a whole, excluding emotional distress as a head of “loss or damage” under s 32(1) would cut across Parliament’s intention to promote the right of individuals to protect their personal data. Such Parliamentary intent supersedes the presumptive position at common law that emotional distress per se is not actionable. Later, in the remaining steps of the Tan Cheng Bock framework, we detail how we arrive at this conclusion. For now, we make two observations on the text and context of s 32(1) PDPA.

78 Firstly, there is nothing in the plain language of the PDPA that expressly excludes emotional distress as a type of damage covered by “loss or damage” in s 32(1). The only control mechanism that is expressly provided for to limit the availability of the s 32 action is the direct causation requirement (see [93] below).

79 Secondly, there are no contextual indicators that weigh against the adoption of the Wide Interpretation. The AG and the respondent submit that the availability of recourse under s 29 of the PDPA to the Commission set up by the PDPA points towards the Narrow Interpretation. That provision states as follows:

80 As the Judge recognised, the Commission’s power to “give the organisation such directions as the Commission thinks fit in the circumstances” under s 29(1) arises in every case of a contravention of any provision in Parts III to VI, without the requirement for any person to have suffered “loss or damage” (GD at [46]). This can be contrasted with the s 32 action, where proof of such “loss or damage” is required. The AG argues that, therefore, Parliament intended the Commission to be the primary body responsible for determining when action should be taken in respect of the breach of any of the provisions in Parts III to VI. The AG refers to s 29 as the “first port of call” for a complainant. It claims that s 32 is merely for individuals acting in their self-interest and that litigants must prove material damage so as to shut out trivial and frivolous lawsuits.

81 We do not agree that recourse to the Commission under s 29(1) justifies reading down the meaning of “loss or damage” in s 32(1). The enforcement regime in the PDPA as a whole (viz, Part VII of the PDPA, ss 27–32) does not support this argument. The proper way to understand ss 29 and 32 in relation to each other, in our view, is that they are complementary rather than that s 29 takes priority over s 32. Section 29 allows an individual whose personal data has been misused to bring a complaint to the Commission for it to investigate whether the allegedly delinquent organisation has complied with the PDPA and thereafter to take such action as it sees fit to punish and/or deter contravention of the statute. While such action by the Commission serves both the purposes of specific and general deterrence and is well designed to deal with systemic abuse or inadequate systems, it does nothing to compensate the individual who may have suffered loss or damage by reason of the breaches. That is where the s 32 action kicks in – it serves a different purpose from s 29. It is significant that there is nothing in the PDPA obliging a complainant to complain to the Commission before litigating under s 32(1). The AG accepts this. In fact, s 50(3) of the PDPA contemplates the possibility of an individual commencing an action under s 32(1) before referring a complaint to the Commission:

82 Further, that the Commission has a wide discretion to suspend, discontinue or refuse to conduct an investigation into an alleged breach of the PDPA is an added caution against restricting the s 32 action. Section 50(3) sets out a non-exhaustive list of circumstances in which the Commission may halt an investigation. In particular, s 50(3)(e) provides that the Commission may decline to investigate if “any other circumstances warrant refusing to conduct, suspending or discontinuing the investigation”.

83 As such, the statutory scheme appears designed to allow an aggrieved individual to choose how the breach should be dealt with. If an individual elects to refer a complaint to the Commission first, s 32(2) indicates that he may still commence an action under s 32(1). The only additional constraint he faces is that if the Commission has made a decision, no action under s 32(1) shall be commenced until that decision has become final under s 32(2). Section 32(2) is simply a procedural safeguard against parallel proceedings.

84 The AG’s argument comes down to asserting that since a complainant who suffered emotional distress (and no other form of damage) can obtain, in substance, injunctive relief under s 29, there is no reason to widen the ambit of “loss or damage” in s 32(1) to allow the same complainant to obtain the same relief from the courts. But the complainant has no control over whether the Commission acts or how it does so. The type of directions the Commission gives the contravening organisation is up to it. If it issues a restraining order and thereafter the complainant goes to court under s 32 to ask for the very same relief, there is no doubt that he will face an uphill battle to persuade the court to duplicate the relief already in place. On the other hand, the Commission might not in the circumstances see the need for such a direction and, in that case, the complainant should be free to bring the issue to the courts. Reading ss 29(1) and 32(1) of the PDPA together simply does not answer the question of whether Parliament intended to exclude emotional distress from the meaning of “loss or damage” in s 32(1). The crux, therefore, is whether the general and specific purposes in question are better advanced by the Wide or the Narrow Interpretation.

85 We are satisfied that there is nothing in the text and context of s 32(1) that justifies narrowing the meaning of “loss or damage”.

86 Section 3 of the PDPA articulates the general purpose of the PDPA as being: “to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances”.

87 Relevant extraneous material confirms that Parliament intended the PDPA to strike a balance between the interest of individuals in protecting their data and the economic interests that are served in an environment where data can be collected, used and disclosed. Assoc Prof Dr Yaacob Ibrahim, the Minister for Information, Communication and the Arts (“the Minister”) said in the second reading of the Personal Data Protection Bill (Bill No 24/2012) (“PDP Bill”) that the PDPA seeks to “balance individuals’ interests with the need to keep compliance costs manageable for organisations” [emphasis added in bold italics] (Singapore Parliamentary Debates, Official Report (15 October 2012) vol 89 (“Second Reading of the PDP Bill”) at p 828). The following portion of the debate during the Second Reading of the PDP Bill is illuminating (at p 828):

88 It is, therefore, clear that the PDPA is intended to provide safeguards for the protection of personal data. That other interests have been recognised as well should not be misconstrued as evincing an intention to confer weak protection on individuals. On the contrary, the Minister’s remarks call for a degree of robustness in the protection afforded to individuals. The Minister stated that the PDPA would provide an “adequate level of protection for [Singapore’s] consumers” (Second Reading of the PDP Bill at p 880). He also noted that the PDPA would “address growing concerns over the misuse of personal data and provide much needed protection for individuals in Singapore” (Second Reading of PDP Bill at p 834).

89 We next consider the specific purpose of s 32. The Judge held that the specific purpose of s 32(1) is to create a statutory tort and to allow a right of private action on that basis (GD at [49] and [76]). We do not disagree. This right of private action is one of the practical ways by which the PDPA empowers individuals to protect their personal data. In this connection, the Minister noted that: “[t]he [PDP Bill] ... allows individuals to seek compensation for damages directly suffered from a breach of the data protection rules through private rights of action” (Second Reading of the PDP Bill at p 832).

90 The parties’ submissions focussed on the specific purpose of the “loss or damage” requirement in s 32(1). The AG and the respondent submit that this requirement was inserted into s 32(1) to impose reasonable limits on the scope of private claims that organisations may be exposed to. The AG submits that if individuals who are not materially affected by a breach may nonetheless commence a private action, the balance that Parliament intended to strike would be disturbed since any minor or technical breach could expose an organisation to a frivolous lawsuit. We refer to this as the “Floodgates Argument”.

91 The appellant shares the floodgates concern, but argues that the way to stem the tide is not to read down the scope of “loss and damage”. He proposes instead to limit the right of private action to certain categories of personal data that are “reasonably sensitive” (eg, financial data).

92 All parties are in agreement that Parliament intended to build in controls to limit the ambit of the s 32 action. We share this view. That, however, does not take us very far because the real question is whether one such intended control is the exclusion of emotional distress as a head of actionable damage.

93 In our view, the Floodgates Argument does not support such exclusion. That concern is instead addressed by other control mechanisms and is, with respect, an overstated concern in the context of s 32(1). For one, a strict causal link is prescribed in s 32(1). The “loss or damage” must have been suffered “directly as a result of a contravention” [emphasis added] of identified provisions in the PDPA. Secondly, even if emotional distress is an actionable head of loss, there is no reason for the principle that there is no legal recourse for minimal loss (see Rothwell v Chemical & Insulating Co Ltd and another and other suits [2008] 1 AC 281 at [8]) not to apply. Thus, trivial annoyance or negative emotions which form part of the vicissitudes of life will not be actionable. The UKSC in Lloyd (SC) took a similar view in respect of s 13 DPA 1998. The court opined that the damage alleged by a claimant invoking s 13 DPA 1998 must be “more than trivial” (at [153]).

94 As for the appellant’s proposal to limit recourse to s 32(1) by reference to the category of data, we agree with the respondent that the language of the provision does not support the imputation of such a requirement. However, this is not to say that the type of personal data involved in the breach is not a relevant factor when assessing whether actionable loss was sustained.

95 We now arrive at the pivotal step in purposive statutory construction. The gist of each party’s case is as follows. The appellant argues for the Wide Interpretation as this furthers the statutory purpose of the PDPA – to enable victims to obtain effective remedies for misuse of their personal data. He cautions that the Narrow Interpretation will “severely compromise the right of individuals to protect their personal data”. The respondent re-iterates the Judge’s reasoning that importing only the Pickering conception of material damage promotes the specific purpose of s 32(1) – to constitute a statutory tort. The AG adds that in order for “loss or damage” to fulfil its specific purpose of being an effective bulwark against frivolous claims, Parliament intended to exclude emotional distress (and loss of control) from being actionable under s 32(1).

96 We hold that the Wide Interpretation better promotes the general purpose of the PDPA and the specific purpose of s 32(1). We have several reasons for this.

97 Firstly, the relevant Parliamentary debates indicate that there was no intention to fetter the meaning of “loss or damage”. During the Second Reading of the PDP Bill, Mr Lim Biow Chuan Chuan (then Member of Parliament (Mountbatten)) specifically asked the Minister “what kind of loss or damage [was] envisaged before an individual may commence such an action [under s 32]”. However, no response was provided (Second Reading of the PDP Bill at p 878). If the drafters intended to exclude certain heads of “loss” from s 32(1), this could easily have been said then. Further, the Minister stated at the Second Reading of the PDP Bill that the bill would bring Singapore “in line with international standards for data protection”. This was a reference to the data protection frameworks in key jurisdictions which MICA had studied (see [24] above).

98 Secondly, we consider that the general purpose of the PDPA is better promoted by the Wide Interpretation than the Narrow one. Parliament intended to provide robust protection for personal data belonging to individuals. During the Second Reading of the PDP Bill, Parliament was briefed on the following features of the social and technological contexts which had spurred the drafting of the PDP Bill:

(a) The “vast amounts” of personal data collected, used and transferred for a “variety of reasons”;

(b) The technology factor: the use of “infocomm technologies like high-speed computing and business analytics”, was expected to grow the amount of data used exponentially as organisations acquired the ability to process large amounts of personal data;

(c) If the data protection regime failed to govern the collection, use and disclosure of personal data adequately, individuals may lose trust in organisations that manage data. If individuals lost trust in data controllers and withheld such data from organisations, the PDPA’s aim of “[enhancing Singapore’s] status as a trusted hub and choice location for global data management and processing services” [emphasis added in bold italics] would be undermined.

Viewed in this context, the Wide Interpretation is not antithetical to the economic interest that the PDPA also seeks to promote.

99 The confluence of these factors favours the Wide Interpretation. The vast and ever-increasing volume of personal data being collected and processed increases the risk of misuse of personal data. Remedial options in the PDPA, including s 32, must have been intended to be effective in guarding the right of individuals to protect their personal data. Section 32 will be significantly denuded of practical use if the Narrow Interpretation is adopted. We say this because, in our view, it will not be uncommon for emotional distress to be the only loss or damage suffered. We do not think “minor or non-malicious” PDPA breaches will often result in personal or psychiatric injury (ie, a recognised psychiatric illness) or pecuniary loss. This observation is consonant with the view expressed in Vidal-Hall and others v Google Inc (Information Commissioner intervening) [2016] QB 1003 (“Vidal-Hall”) at [77] and [92]:

100 For context, the issue in Vidal-Hall was whether damage had been suffered within the jurisdiction by virtue of misuse of personal data under the DPA 1998, where the only alleged loss was distress and anxiety. This issue affected the question of whether the claim form could be served on the defendant out of jurisdiction. Although the distress in Vidal-Hall was said to emanate from an invasion of privacy, we do not find the court’s views any less persuasive in Singapore simply because there is no fundamental right to privacy here. The observation made in Vidal-Hall is rooted in ordinary human experience and resonates with this court.

101 That damage in the Pickering sense will not often flow from a breach of the PDPA assumes greater significance when considered alongside the breadth of the court’s remedial powers under s 32(3). The court is empowered to grant injunctive and declaratory relief and any other relief it thinks fit. That Parliament expressly provided for injunctive and declaratory relief under s 32(3)(a) signals its recognition that the loss or damage caused by breaches of the PDPA may not be adequately compensated by an award of damages or may not be susceptible to easy quantification. Parliament’s appreciation of the need to afford individuals flexible forms of relief in addition to damages is indicative, we think, of its cognisance that many breaches of the PDPA will not inflict damage in the Pickering sense. Given the heightened risk of abuse of personal data, the likelihood of distress being the only damage suffered and the aim of the PDPA being to strengthen the right of individuals to protect their personal data, we do not believe that Parliament intended to circumscribe the ambit of s 32(1) so significantly by importing the Pickering conception of “loss or damage” from the common law to the exclusion of recognition of other heads of damage as well.

102 Further, that the interests of individuals and organisations must be balanced does not diminish the force of the Wide Interpretation. The AG argues that if emotional distress is actionable, individuals may bring claims in a manner which imposes “excessive costs on business and other organisations, contrary to the balance Parliament intended to strike”. However, the Floodgates Argument is met by the following:

(a) The two control mechanisms we identified at [93] above – the direct causal requirement and the de minimis principle – will keep the scope of the s 32(1) action within reasonable bounds; and

(b) Through the accretion of case law from actions commenced under s 32(1), and the imposition of cost orders in the normal course of litigation, individuals will be discouraged from making frivolous claims for emotional distress. This point was also made by the Law Reform Commission of Hong Kong (Hong Kong, The Law Reform Commission of Hong Kong, Report: Reform of the Law Relating to the Protection of Personal Data (Topic 27) (August 1994) at para 16.71):

Sections 66(1) and (2) of the Hong Kong Personal Data (Privacy) Ordinance (Cap 486) (HK) provide that an individual who suffers damage, which “may be or include injury to feelings”, due to a contravention of that statute is entitled to compensation for that damage.

103 For these reasons, the general purpose of the PDPA is better advanced by the Wide Interpretation.

104 Thirdly, as indicated at [99] above, the specific purpose of s 32(1) PDPA is furthered by the Wide Interpretation. It bears reiterating that s 32, forming part of the enforcement regime of the PDPA, must be an effective means by which individuals may enforce the right to protect their personal data. As the PDPA aims to provide robust protection for individuals’ personal data, it would be surprising if Parliament intended s 32(1) to be a dead letter in the not insubstantial proportion of cases where no material damage in the Pickering sense is suffered.

105 Finally, we do not think the pieces of legislation in Canada, New Zealand, Hong Kong and the EU displace the Wide Interpretation in favour of the Narrow one. The Judge was persuaded otherwise. In the main, the Judge juxtaposed these foreign statutes which contain “express references to some form of emotional harm” with the PDPA. The Judge concluded that since the PDPA contains no reference to emotional distress, Parliament intended to exclude emotional harm from s 32(1) PDPA (GD at [56]–[72]). The salient part of his reasoning reads as follows:

With respect, we think the Judge placed undue reliance on these foreign statutes. They do not uniformly provide for emotional distress per se to be actionable. In particular, the DPA 1998 and Directive 95 of the EU do not expressly make emotional distress actionable. It is the courts which have inferred that emotional distress is actionable (see Vidal-Hall at [77], [79], [83], [91] and [105]). This attenuates the weight to be placed on the foreign statues, which in any event do not play much part in the interpretation of local legislation unless worded in practically identical terms. We consider these foreign approaches to be a neutral factor in the overall analysis.

106 In any event, a perusal of the foreign instruments studied by the MICA discloses diverse approaches:

(a) Hong Kong expressly provides that emotional distress is actionable;

(b) Canada and New Zealand expressly provide that damages may be awarded for emotional distress;

(c) The DPA 1998 excluded emotional distress from the notion of “damage”, but English courts nevertheless read distress into the meaning of “damage” so as to bring the DPA 1998 in line with European law (see Vidal-Hall at [83], [91] and [105]); and

(d) Directive 95 of the EU is silent on whether distress is actionable, but the English courts have inferred that this is so (see Vidal-Hall at [77] and [79]).

107  In conclusion, the Wide Interpretation is more consistent with both the general and specific purposes of the PDPA and s 32(1) itself. We thus hold that Parliament did not intend to exclude emotional distress from the meaning of “loss and damage” in s 32(1). On the contrary, this is a case where, having regard to the statute as a whole and relevant extraneous material, Parliament has provided remedies for emotional distress arising from breach of the new tort which Parliament has created by s 32(1).

108 The appellant argues in the alternative that loss of control of personal data is another head of “loss or damage” recognised by s 32(1). On this issue, we agree with the Judge that loss of control of personal data does not constitute “loss or damage” under the section.

109 We share the Judge’s view that every contravention of Part IV to VI of the PDPA inevitably involves some form of loss of control over personal data (see GD at [44]–[47]). While there is no definition of “control” in the PDPA, the Commission defined control as the ability, right or authority to determine (a) the purposes for; and/or (b) the manner in which, personal data is processed, collected, use or disclosed: AIG Asia Pacific Insurance Pte Ltd & Toppan Forms (S) Pte Ltd [2019] SGPDPC 2 at [18]; AIG Asia Pacific Insurance Pte. Ltd. [2018] SGPDPC 8 at [18]; see also Goh & Aw at para 4.22. Parts IV to VI of the PDPA concern the “Collection, Use and Disclosure of Personal Data”, “Access to and Correction of Personal Data” and “Care of Personal Data” respectively. The respondent has not shown how a contravention of any of these parts will not result in loss of control of personal data.

110 Accepting the respondent’s submission would render the requirement of “loss or damage” in s 32(1) tautologous as the breach of any provision in Part IV to VI will inevitably give rise to cognisable “loss or damage”. Since Parliament shuns tautology and does not legislate in vain, and the courts should concomitantly endeavour to give significance to every word in an enactment, we do not agree that loss of control of personal data is actionable.

111 We draw support for our view from Lloyd (SC). In Lloyd (SC), the plaintiff claimed that Google had breached s 4(4) DPA 1998 by secretly tracking the internet activity of millions of Apple iPhone users and using this data for commercial purposes. Section 4(4) states that “[s]ubject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”. The plaintiff’s case there was that any contravention of the DPA 1998 would necessarily involve “loss of control” for which compensation would be payable under s 13. The UKSC rejected this argument. It held that in order to recover compensation under the DPA 1998, the claimant had to prove both that Google misused personal data and that the individual suffered some damage (at [8]). It explained that “damage” did not include loss of control over personal data because s 13(1) DPA 1998 provided a right to compensation only if “damage” was proved in addition to a contravention of the DPA 1998. This wording was regarded as “inconsistent with an entitlement to compensation based solely on proof of the contravention” (at [115]).

112 Before turning to the evidence in this case, we lay down some general principles in relation to what emotional distress under s 32(1) entails.

113 The appellant proposes a multi-factorial approach for determining when loss or damage, including emotional distress, has been proved under s 32(1). He argues that whether loss or damage is suffered must be assessed from the perspective of the reasonable person in the position of the victim.

114 In our view, the test cannot be a fully objective one. We know of no principle in law that entitles a complainant to relief if no personal loss is proved, but a reasonable person in the complainant’s shoes would have been harmed. The inquiry must be anchored in whether the very individual before the court subjectively suffered emotional distress because remedies are awarded to compensate the person aggrieved or to ameliorate the injury. The same point was made about the relevant New Zealand statute in The Director of Human Rights Proceedings v Slater [2019] NZHRRT 13 at [170]. This is not to say, however, that the court cannot direct its mind to how a reasonable person would have reacted in the relevant circumstances as an evidential tool to assess the individual claimant’s subjective state of mind (see Adili Chibuike Ejike v Public Prosecutor [2019] 2 SLR 254 at [53]). It will also often be the case that greater weight will be attached to objective indicia of emotional distress, as compared with bald assertions in an affidavit.

115 Given the fact-sensitive nature of the inquiry, we agree with the respondent that a multi-factorial approach is suitable for determining whether an individual has suffered emotional distress. We provide a few non-exhaustive considerations to guide courts in this inquiry:

(a) The nature of the personal data involved in the breach: for instance, financial data is likely to be sensitive (see Mirza Nammo v Transunion of Canada Inc. [2010] FC 1284 at [68] where an individual’s credit ratings were deemed to be sensitive; and Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (“Rolfe”) at [12] where, in obiter dictum, the court said that bank details are “especially personal”).

(b) The nature of breach: eg, whether the breach of the PDPA was one-off, repeated and/or continuing.

(c) The nature of the defendant’s conduct: for instance, proof of fraudulent or malicious intent may support an inference that the plaintiff was more severely affected: see Halliday v Creation Consumer Finance Ltd [2013] EWCA Civ 333 at [33]; Randall v Nubodys Fitness Centres 2010 FC 681 at [58]; A.T. v Globe24h.com and another 2017 FC 114 at [103]. In contrast, an accidental breach by a single typographical error is unlikely to cause cognisable distress: Rolfe at [2] and [11]–[12]. In addition, if the claimant reasonably seeks an undertaking from the defendant not to misuse his or her personal data, but the defendant unreasonably refuses to furnish an undertaking, this is a weighty factor in favour of the existence of emotional distress.

(d) Risk of future breaches of the PDPA causing emotional distress to the claimant.

(e) Actual impact of the breach on the claimant.

116 Ultimately, whether emotional distress is proved will turn on the circumstances of the particular case. We do not deem it appropriate at this point to prescribe a general standard as to what constitutes emotional distress and think it best to allow the law to develop on a case-by-case basis. However, it is timely to emphasise, as the respondent and the AG urge, that negative emotions that should be tolerated as part of the ordinary vicissitudes of life do not amount to emotional distress. As eloquently put by G P Selvam J in Arul Chandran v Gartshore and others [2000] 1 SLR(R) 436 at [13], “pure mental suffering without physical injury [is] an inevitable fact of interpersonal relationships in private and public life alike” and “people must learn to accept with a certain degree of stoicism the slings and arrows of this vale of tears”. With this in mind, we turn to consider whether the Judge’s finding that the appellant did not suffer emotional distress was against the weight of the evidence.

117 The Judge overturned the DJ’s finding that the appellant suffered “loss or damage”. In the Judge’s view, the appellant had not suffered distress as his affidavits did not bear this out. He accepted, however, that the appellant’s e-mails showed that he was “concerned over the security of his personal data and [the respondent’s] misuse of that data” (GD at [91]). With respect, the DJ’s basis for finding that the appellant had suffered cognisable “loss or damage” and the nature of that loss or damage are not entirely clear to us (DGD at [138]–[141]). In fairness to the DJ, it does not appear that the respondent argued before him that the appellant had not suffered actionable loss or damage (DGD at [140]).

118 Upon further scrutiny of the evidence, we are of the view that the Judge erred in dismissing the appellant’s allegation of distress. Admittedly, the appellant’s restrained language in his e-mails of 21 August 2018, 28 August 2018 and 27 September 2018 (“the E-mails”), at first blush militates against a finding of distress. However, what tips the scales in the appellant’s favour is the respondent’s unreasonable refusal to give the appellant an undertaking not to use the Personal Data in the future. Other factors also point towards a finding of distress. We now elaborate on our reasons.

119 As a starting point, we agree with the Judge that the E-mails taken on their own provide insufficient basis to support a finding of distress. The appellant relied on, among others, the following portions of the E-mails:

(a) In his e-mail of 28 August 2018 the appellant confronted the respondent in these terms:

(i) “… I am curious how you know of my dealings with IP Global and, equally relevantly, how you are aware of the timing of the maturity of one of my holdings with IP Global?”;

(ii) “… I am equally curious how you have my personal e-mail address and have been able to cross-reference this address to my specific involvement with IP Global, namely, the Edinburgh project”;

(iii) “ … it strikes me that my personal information has been incorrectly accessed”;

(iv) “ … this activity would breach the main thrust of the relevant data privacy regulations in force in Hong Kong …”; and

(v) “[i]n view of my comments and concerns on the security of my personal information, I would welcome your guidance and insights as to how you have accessed my data and how you will protect it …”.

(b) In his e-mail of 27 September 2018 to IPIM, the appellant complained that the respondent “fail[ed] to address the fact that he has used privileged information … ”.

120 In the E-mails, the appellant comes across as measured and cool-headed. Even in his reply to the respondent on 28 August 2018, after flagging the potential misuse of the Personal Data, the appellant closed by saying “I would be delighted to discuss the options to which you refer.” These options refer to the range of “GBP opportunities” that the respondent had pitched in his e-mail of 15 August 2018 to the appellant. The appellant’s tone in the E-mails did not display emotional distress. Subsequently, in his affidavit in relation to that e-mail of 15 August 2018, the appellant only said that he was “very surprised” by that e-mail and that the respondent’s conduct was an “unacceptable use of [his] personal data”. However, the appellant’s reaction still comes across as being restrained.

121 While the E-mails on their own and the appellant’s restrained use of language do not indicate emotional distress, the appellant’s and the respondent’s conduct over the entire episode has to be taken into account. The relevant sequence of events is as follows. The first thing the appellant did after receiving the respondent’s initial e-mail was, on 21 August 2018, to inform IPIM of what had occurred and confront IPIM with the possibility that QIP had taken the Employers’ client list. That same day, A&G, acting for IPIM, sent a letter to the respondent demanding that he “undertake that [he] and/or QIP will not make any further unauthorised use” of “all copies of confidential and/or personal data on [IPIM’s] customers”.

122 Then, on 28 August, the appellant wrote directly to the respondent. At that stage the appellant did not know how the respondent had obtained the information, so it is not surprising that his e-mail had an inquisitorial rather than an accusative tone. He was trying to elicit information, not to spook the respondent.

123 The respondent replied to A&G on 10 September 2018 to say that:

124 On 12 September 2018, the respondent replied to the appellant’s e-mail of 28 August 2018. He stated that:

125 The respondent obviously considered that that reply should appease the appellant. We agree with the appellant, however, that he would still have been in an anxious state as the respondent’s letters of 10 and 12 September 2018 do not contain an undertaking not to make unauthorised use of the Personal Data in the future nor a reply to the appellant’s question as to how the Personal Data would be protected. The respondent merely promised to cease contact with the appellant. But the Personal Data was still in the respondent’s possession and vulnerable to misuse. There was nothing to prevent the respondent from revealing the Personal Data to third parties.

126 The appellant was indeed disturbed by the respondent’s e-mail of 12 September 2018. On 27 September 2018, the appellant forwarded that e-mail to IPIM and complained that the respondent had failed to address the misuse of his Personal Data:

127 We can think of no reasonable explanation for the respondent’s failure to assure the appellant that his Personal Data would be protected or to furnish the undertaking sought by A&G. This is especially so because the respondent purports to have come into possession of the Personal Data innocently and to have taken a chance by cold calling the appellant. If the respondent sincerely had no intention of further using the Personal Data, we struggle to appreciate why he would turn down these opportunities to put the matter to rest amicably. The respondent’s case is that he overheard the appellant’s name while conversing with some relationship managers at IPRE or IPIM, obtained the appellant’s e-mail address from the latter’s LinkedIn profile, and deduced the appellant’s investment activity in the Edinburgh Fund from the Edinburgh Fund brochure which he received in the course of his role as a marketing consultant. The respondent claimed below that he merely took a chance that the appellant would have spare liquidity once he exited the Edinburgh Fund and characterised his e-mail of 15 August 2018 to the appellant as a “cold call”. In that light, it is all the more surprising that he refused to provide an undertaking to the appellant or to A&G. Further, when OSS 170 was filed on 1 October 2018, the respondent challenged the injunction sought by the Employers. It would not have been unreasonable for an observer to view that challenge as an indication that the respondent did not perceive his actions as having been wrongful ones that should not be repeated.

128 Pulling all the threads together, the appellant was undoubtedly perturbed by the respondent’s 15 August 2018 E-mail in which the potential misuse of his Personal Data first surfaced. He was anxious enough to flag the matter to IPIM on 21 August 2018. IPIM was persuaded to demand an undertaking from the respondent on the very same day. In separate letters to IPIM and the appellant, the respondent refused to undertake not to misuse the Personal Data in the future and instead attempted to sever contact with the appellant. Even to an outside observer, the respondent would have come across as dismissive and cavalier about the need to protect the Personal Data. Upon receiving the respondent’s evasive response, the appellant again reported to IPIM and sought guidance on how to protect his Personal Data. He also joined OSS 170 as a plaintiff to prevent the chance of injunctive relief from being defeated by the lack of standing on the part of the Employers. Taking the appellant’s actions in the round, and bearing in mind the dismissiveness of the respondent’s responses which would have worked to increase the appellant’s anxiety, the Judge’s conclusion that no emotional distress arose, with respect, was against the weight of the evidence.

129 There are other factors that support a finding of distress. Firstly, as mentioned earlier, the Personal Data included information about the appellant’s personal investments. The respondent was aware of the appellant’s investments in the Edinburgh fund and his impending exit therefrom (DGD at [41]). Information about investment activity falls within the category of financial data which we readily regard as sensitive. The nature of personal investments that one makes, especially for a business leader like the appellant (who is the CEO of Manulife Asset Management (Thailand) Company Limited in Bangkok), will likely draw scrutiny from prying eyes. The sensitive nature of the Personal Data misused by the respondent would have elevated the appellant’s distress.

130 Secondly, at the time OSS 170 was commenced, it was reasonable for the appellant to have perceived a real prospect of future misuse of the Personal Data. This is because the respondent refused to offer any assurances in his e-mail of 12 September 2018 that the Personal Data would be protected and would not be spread to third parties. The respondent’s promise not to contact the appellant again missed the point and would have been cold comfort for the appellant.

131 Thirdly, while we do not go so far as to characterise the respondent’s conduct as fraudulent or malicious, as noted at [128] above, it would have been apparent to the appellant that the respondent was being evasive when confronted about the use of the Personal Data and dismissive of the appellant’s concerns about the safety of the Personal Data.

132 Having regard to all these circumstances we set aside the Judge’s finding that the appellant did not suffer any emotional distress and replace it with a finding that the appellant did experience emotional distress that is significant enough to be actionable. We are also satisfied that the sequence of events above demonstrates a direct causal link between the appellant’s emotional distress and the respondent’s contravention of ss 13 and 18 of the PDPA.

133 Therefore, the appellant indeed suffered “loss or damage” within the meaning of s 32(1) directly resulting from the respondent’s breaches of ss 13 and 18. He thereby obtained a right of private action under s 32(1). We need not delve into the principles surrounding the grant of an injunction under s 32(3) because the only issue raised by the parties in this appeal is whether the appellant suffered cognisable “loss or damage”. However, we see no reason not to uphold the DJ’s grant of the Injunction and Undertaking Order because, in this case, monetary damages would have been inadequate in light of the risk of further misuse of the Personal Data and the concomitant need to prevent additional emotional distress. The appellant was therefore entitled to the grant of the Orders to prevent further misuse of his Personal Data.

134 For all of the foregoing reasons, we allow the appeal in full and restore the orders made by the DJ on the ground that the appellant’s emotional distress is a form of “loss or damage” within the meaning of s 32(1).

135 Having considered the parties’ submissions on costs, we award the appellant costs of $25,000 all-inclusive in respect of the appeal. The usual consequential orders are to apply. As for the costs below and in the District Court, we reverse the orders made by the Judge and direct the respondent to refund any amounts that the appellant may have paid him to account for costs. The respondent before us shall pay the appellant’s costs before the Judge fixed at $10,000 and his costs of OSS 170 fixed at $4,000. As for disbursements at both levels these are to be agreed and, if not agreed, to be fixed by the Judge.