1 Sometime in 2022, the appellant, Mr Martin Piper (“Mr Piper”), lodged a complaint with the respondent, Singapore Kindness Movement (“SKM”), about one Ms Carol Loi Pui Wan (“Ms Loi”). In investigating the complaint, SKM disclosed Mr Piper’s personal data, ie, his full name and e-mail address, to Ms Loi.

2 Alleging that SKM’s disclosure was wrongful, and that the disclosure directly caused him loss or damage, Mr Piper brought a statutory tort claim against SKM. The statutory tort is created by s 48O of the Personal Data Protection Act 2012 (2020 Rev Ed) (the “PDPA”), and it reads:

3 The learned District Judge (the “DJ”) dismissed the claim, providing his reasons in Martin Piper v Singapore Kindness Movement [2024] SGDC 292 (the “Judgment”). This is Mr Piper’s appeal against the DJ’s decision.

4 Having considered the matter, I find that, by disclosing Mr Piper’s personal data to Ms Loi, SKM acted in contravention of its obligations contained in Part 4, specifically ss 13 and 18(a), of the PDPA. With due respect to the DJ, I disagree with his conclusion that SKM did not breach its obligations under the PDPA. That said, I agree with the DJ that Mr Piper failed to show that he directly suffered actionable loss or damage as a result of SKM’s contravention of the PDPA. Therefore, I dismiss the appeal. I elaborate on my reasons below.

5 I begin by summarising the facts, which the parties are broadly agreed on.

6 On 27 August 2022, Mr Piper sent SKM an e-mail (the “27 August E-mail”), using his full name and e-mail address, in which he lodged a complaint against Ms Loi. Ms Loi was the co-founder of “SGFamilies Ground-up Movement” (“SGFamilies GUM”), an affiliate of SKM. Specifically, Mr Piper alleged that Ms Loi was promoting discriminatory and false material against the transgender community via a Telegram chat group/channel named “SG Families Watchgroup” (the “Telegram Group”). ¹

7 On 1 September 2022, SKM informed Mr Piper via e-mail (the “1 September E-mail”) that SKM had reached out to Ms Loi. It said Ms Loi explained to SKM, inter alia, that the Telegram Group was not associated with SGFamilies GUM, that she was not the founder or owner of the Telegram Group, and that she was involved in the Telegram Group in her personal capacity only. SKM added that Mr Piper could reach out to Ms Loi directly if he required further clarification. ²

8 On 4 September 2022, Mr Piper responded to the 1 September E-mail via two separate e-mails (the “4 September E-mails”), through which he sought to provide further evidence to show the Telegram Group’s connection with SGFamilies GUM. ³

9 On 7 September 2022, SKM sent Ms Loi an e-mail (the “7 September E-mail”) and copied Mr Piper using his personal email address (the “7 September Disclosure”). In this e-mail, SKM summarised its correspondence with Mr Piper from 27 August to 4 September 2022, and told Ms Loi that “[i]t is therefore best for you to respond to him directly as we are not in the position to speak for you”. ⁴

10 During the trial, it emerged that, prior to the 7 September 2022 E-mail, between 30 August and 1 September 2022, SKM disclosed Mr Piper’s identity to Ms Loi during the course of its investigations on three occasions (the “Prior Disclosures”):

(a) On 30 August 2022, SKM disclosed Mr Piper’s identity in a phone call with Ms Loi, after Ms Loi asked SKM to do so (“30 August Disclosure”). ⁵

(b) On 31 August 2022, SKM disclosed Mr Piper’s identity to Ms Loi during a meeting to discuss the 27 August E-mail (“31 August Disclosure”). ⁶

(c) On 1 September 2022, SKM blind copied Ms Loi in the 1 September E-mail, disclosing Mr Piper’s name and e-mail address to Ms Loi (“1 September Disclosure”). ⁷

11 In any event, on 5 September 2022, Ms Loi filed an action against Mr Piper under the Protection from Harassment Act 2014 (2020 Rev Ed) (“POHA”), alleging that he had caused her harassment by way of, amongst other things, his complaint to SKM about her association with the Telegram Group. ⁸ Mr Piper was served with the proceedings on 14 September 2022. Further, Ms Loi documented her process of preparing for the POHA claim by publishing a series of screenshots and photographs, along with written posts, in a public album on Facebook (the “Album”). ⁹ On 19 April, 25 April and 4 May 2023, Mr Piper received threatening messages directed at him. These messages referred to Ms Loi and her POHA claim. ¹⁰ On 24 May 2023, Ms Loi withdrew her application. ¹¹

12 In the proceedings below, Mr Piper argued that, by revealing his identity and e-mail address to Ms Loi in the 7 September E-mail, SKM breached ss 13, 14 (read with s 20), 15, 15A, and 18 (read with s 20) of the PDPA. ¹² He also argued in his closing submissions that the Prior Disclosures constituted similar breaches of the PDPA. ¹³ In making these arguments, Mr Piper sought to analogise the circumstances surrounding his complaint to SKM to a “whistleblowing situation” which would warrant greater care and caution in handling his personal data. ¹⁴ Further, Mr Piper argued that, as a result of SKM’s breaches, he suffered direct loss and/or damage, which included financial loss and emotional distress arising from responding to Ms Loi’s POHA claim, the death threats, and SKM’s “dismissive, cavalier and evasive response … in respect of its PDPA breaches”. ¹⁵

13 On the other hand, SKM argued that it did not contravene the PDPA. While it did not obtain express consent from Mr Piper, it relied on ss 13(a) and 15 of the PDPA to argue that Mr Piper should be deemed to have given his consent for the collection, use or disclosure of his personal data for the purposes of investigating his complaint. ¹⁶ In good faith, SKM reasonably disclosed Mr Piper’s personal data to Ms Loi in discharging its investigative duties, to authenticate the complaint and promote conciliation between the two of them. ¹⁷ In any event, SKM could avail itself of two exceptions under s 17 of the PDPA. These are provided under Part 1, para 1(1)(b) of the First Schedule of the PDPA (the “Vital Interests Exception”), and Part 3, para 3 of the First Schedule of the PDPA (the “Investigation Exception”). ¹⁸ SKM also argued that Mr Piper’s complaint to it was not a whistleblowing case. ¹⁹ In relation to the issue of loss or damage, SKM argued that Mr Piper did not suffer any direct actionable loss or damage due to the alleged PDPA breaches. ²⁰

14 As stated at [3] above, the DJ dismissed Mr Piper’s claim (see Judgment at [118]–[119]).

15 Preliminarily, the DJ allowed Mr Piper to rely on the Prior Disclosures even though they were not pleaded. As these disclosures were only revealed during the trial through the evidence led by SKM, SKM would not have been taken by surprise or have suffered any prejudice as a result of Mr Piper’s reliance on them (Judgment at [19]). After observing that the parties were agreed that Mr Piper did not expressly consent to SKM disclosing his personal data (Judgment at [24]), the DJ then held that there was deemed consent under s 15 of the PDPA (Judgment at [38]). He explained that since Mr Piper deliberately disclosed his personal data to SKM to file a complaint against Ms Loi and wanted SKM to investigate the matter, he was deemed to have consented to the disclosure of his identity by SKM for the purpose of acting on the complaint (Judgment at [33] and [36]−[39]).

16 In coming to his decision, the DJ rejected Mr Piper’s argument that SKM could have investigated the complaint without disclosing his personal data, explaining that it was for SKM to decide how to most effectively conduct its investigations (Judgment at [39] and [47]). The DJ also held that since Mr Piper did not request for anonymisation, it was reasonable for SKM to have disclosed his identity to Ms Loi during investigations. The onus was on Mr Piper to have expressly requested for anonymisation if he did not want his identity to be revealed (Judgment at [40]−[42]).

17 For similar reasons, the DJ held that SKM did not breach s 18(a) of the PDPA (Judgment at [53]). As for ss 14(1)(a) and 18(b) of the PDPA, they were no longer applicable by virtue of s 20(3) of the PDPA, given the finding of deemed consent (Judgment at [51]).

18 For completeness, the DJ also observed that the Vital Interests Exception and Investigation Exception were inapplicable, respectively, because the background surrounding Mr Piper’s complaint lacked the necessary urgency (Judgment at [61]), and because Mr Piper’s complaint lacked the requisite clear actionability in law (Judgment at [64]). He also observed that Mr Piper’s complaint did not constitute whistleblowing, as, inter alia, whistleblowing only “concern[ed] matters relating to management or staff within the organisation”, and neither Mr Piper nor Ms Loi were SKM’s employees (Judgment at [68]−[69] and [71]).

19 As for loss or damage, the DJ observed, citing Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] 2 SLR 1156 (“Reed”), that, for claims made under s 48O of the PDPA, there had to be a direct causal link between the contravention and the loss or damage suffered (Judgment at [81]). This requirement was to be stringently applied (Judgment at [89]). In Mr Piper’s case, his emotional distress arose as a direct result of Ms Loi’s POHA claim and the Album, rather than from SKM’s alleged breaches per se. The requisite direct causal link was thus not established, and Mr Piper could not recover these damages under s 48O of the PDPA (Judgment at [91], [98] and [101]).

20 Finally, the DJ held that Mr Piper had not, in any event, sufficiently proven that he suffered emotional distress within the meaning of s 48O of the PDPA. In this regard, Mr Piper’s witnesses, Ms Carissa Cheow Hui Ying (“Ms Cheow”) and Ms Loh Ai Ming Vivian (“Ms Loh”), did not assist his case as their evidence was based purely on their observations of Mr Piper through text messages and/or calls (Judgment at [107]−[109]). Mr Piper’s claim of having been diagnosed with post-traumatic stress disorder (“PTSD”) was also not sufficiently proven (Judgment at [110]). Applying the multi-factorial approach canvassed in Reed, the DJ concluded that Mr Piper did not suffer any emotional distress as a result of SKM’s breaches of the PDPA (Judgment at [111]).

21 On the question of whether SKM contravened the PDPA, Mr Piper makes four broad arguments. First, Mr Piper argues that the DJ erred in finding that he was deemed to have consented to the disclosure of his personal data by SKM to Ms Loi. Specifically, he argues that he provided his identity to SKM to lend credibility to his complaint and as required by SKM’s privacy policy, which states that it is generally unable to deal with anonymous complaints. It is unreasonable for Mr Piper to expect that his identity would be disclosed during investigations. ²¹

22 Second, Mr Piper argues that the DJ erred by applying SKM’s subjective standard of reasonableness, instead of the objective standard of reasonableness, in coming to his findings. ²² Since SKM could have acted on Mr Piper’s complaint without disclosing his personal data to Ms Loi, it was objectively unreasonable for it to have disclosed Mr Piper’s personal data. ²³ Further, it was objectively unreasonable for SKM to have sought to put Mr Piper and Ms Loi in touch to promote conciliation since he never asked for it. ²⁴

23 Third, Mr Piper argues that the DJ erred in failing to analogise his original complaint to SKM to a whistleblowing situation. Specifically, Mr Piper argues that, contrary to the DJ’s decision, such an analogy is merely descriptive and need not be pleaded. ²⁵ Further, whistleblowers are not limited to employees. ²⁶

24 Fourth, Mr Piper argues that the DJ erred in placing the onus on him to expressly instruct SKM to keep his identity confidential. Such a proposition raises grave public policy concerns as it “will reduce the scope of governance afforded by the PDPA by allowing organisations … to shirk its obligations under the PDPA as the responsibility would lie on the individual to ‘expressly request’ how they would want their personal data to be dealt with”. ²⁷

25 In relation to the issue of damage or loss, Mr Piper makes two broad arguments. First, Mr Piper argues that the DJ erred in applying the direct causal requirement stringently and taking an overly narrow reading of the word “directly”. In fact, SKM’s disclosure of Mr Piper’s personal data cannot be neatly disconnected with Ms Loi’s filing of her POHA claim against Mr Piper as it was the direct cause of the same. ²⁸

26 Second, Mr Piper argues that, applying the approach as established in Reed, the DJ failed to consider that SKM’s disclosure of his personal data to Ms Loi would (and did) in and of itself cause him emotional distress within the meaning of s 48O of the PDPA. ²⁹ Specifically, Mr Piper points to the following three factors: ³⁰

(a) Nature of the personal data involved in the breach: Considering the seriousness of Mr Piper’s complaint, his identity constitutes sensitive personal data.

(b) Nature of SKM’s conduct: SKM disclosed Mr Piper’s personal data on four occasions in close proximity, and was evasive or dismissive of his concern about the disclosure of his personal data.

(c) Actual impact of breach: Due to SKM’s breach, Mr Piper felt nervous and uneasy as he was worried about potential retaliation by Ms Loi. Indeed, Ms Loi filed a retaliatory POHA claim, and documented the process publicly. This further led to Mr Piper receiving death threats.

27 During the hearing, counsel for Mr Piper confirmed that, other than emotional distress, he was no longer seeking to rely on other heads of loss such as “financial losses”.

28 In relation to whether SKM acted in contravention of the PDPA, SKM first argues that the DJ correctly applied an objective (and not subjective) analysis. In fact, the DJ re-emphasised the objective standard by referring to what a reasonable person would consider appropriate in the circumstances. ³¹ Further, SKM argues that the disclosure of Mr Piper’s personal data was necessary and reasonable as part of its investigations, specifically, to authenticate his complaint so that Ms Loi would better understand the same and respond appropriately. ³² It was also reasonable for SKM to have attempted to put Mr Piper in touch with Ms Loi directly to facilitate conciliation, since SKM could neither conclude its investigations on Mr Piper’s grave complaint due to his persistence in pursuing it (see [8] above), nor could it speak on Ms Loi’s behalf. ³³

29 In the alternative, SKM argues that it can avail itself of the Investigation Exception. It argues that the DJ erred in holding that this exception could only apply when the relevant investigation related to an identified and specified wrong that was actionable in law (see [18] above). In fact, the Investigation Exception is broader, and can apply so long as the relevant investigation relates to a circumstance or conduct that may be actionable by law. ³⁴ In the present case, given the gravity of Mr Piper’s allegations against Ms Loi, the outcome of SKM’s investigations may result in a criminal or civil remedy against Ms Loi (either by Mr Piper and/or SKM), or a remedy by Ms Loi against Mr Piper (eg, under POHA). ³⁵

30 Next, SKM argues that Mr Piper did not plead his case on whistleblowing, which is in any event not a legal cause of action, and goes “way beyond the statutory purpose of the PDPA and is bereft of supporting legal authority”. Ultimately, the key question remains whether Mr Piper consented to the disclosure of his personal data. ³⁶ SKM also argues that a whistleblowing situation typically involves management or staff within an organisation (which Mr Piper and Ms Loi are not vis-à-vis SKM), ³⁷ and, in any event, that Mr Piper has not identified any whistleblowing policy to substantiate his argument. ³⁸

31 Finally, SKM submits that the DJ was correct to hold that, in situations involving deemed consent, the onus would be on the affected individual to take the additional step to expressly instruct the organisation to keep his identity confidential if he so wishes. ³⁹ This approach does not reduce the scope of governance afforded by the PDPA, given the presence of safeguards like the requirements of “voluntariness” and “reasonableness” in s 15 of the PDPA. ⁴⁰

32 Turning to damage or loss, SKM makes two broad arguments. In response to Mr Piper’s first broad argument, SKM essentially argues that the DJ correctly applied the direct causal requirement stringently, and that Ms Loi’s legal action and Facebook posts constituted a novus actus interveniens which broke the chain of causation. In any event, Mr Piper has not proven that he had suffered PTSD that was linked to SKM’s conduct. ⁴¹

33 In response to Mr Piper’s second broad argument, after preliminarily highlighting that Mr Piper’s argument (that SKM’s disclosures of his personal data per se caused him emotional harm) should be dismissed as it is a new case advanced on appeal in breach of O 19 r 18(1)(b) of the Rules of Court 2020 (the “ROC”), SKM argues that Mr Piper’s argument is logically and legally flawed, as well as evidentially unsubstantiated. ⁴² Specifically, SKM highlights the following in relation to the three factors relied upon by Mr Piper:

(a) Nature of the personal data involved in the breach: The personal data disclosed, ie, Mr Piper’s name and e-mail address, is relatively non-sensitive compared to the financial data disclosed in Reed. ⁴³

(b) Nature of SKM’s conduct: SKM’s breach was one-off, and its disclosure of Mr Piper’s data was only to a single individual. SKM was not evasive or dismissive. Instead, there was a genuine lapse in response by SKM to Mr Piper, especially as SKM prioritised internal investigations and reviewing internal procedures following the incident. ⁴⁴

(c) Actual impact of breach: Mr Piper has not adduced sufficient evidence to prove any emotional distress as a direct result of SKM’s disclosure of his personal data, which would entitle him to damages under s 48O of the PDPA. ⁴⁵

34 For convenience, I group the parties’ arguments into two main issues. The first relates to whether SKM contravened the PDPA, and I shall refer to this as the “Breach Issue”. Within the Breach Issue, there are five sub-issues: ⁴⁶

(a) whether the DJ erred in finding that Mr Piper should be deemed to have consented to the disclosure of his personal data by SKM to Ms Loi;

(b) whether the DJ erred as a matter of law in applying SKM’s subjective standard of reasonableness instead of the objective standard of the reasonable person in considering if SKM breached the PDPA;

(c) whether Mr Piper’s original complaint to SKM constituted a whistleblowing situation;

(d) whether the DJ erred in placing the onus on Mr Piper to expressly instruct SKM to anonymise his complaint; and

(e) whether the DJ erred in finding that SKM cannot rely on the Investigation Exception.

35 The second issue deals with whether there is actionable loss or damage, and I shall refer to this as the “Loss Issue”. There are two sub-issues here:

(a) whether the DJ erred in applying the direct causal link requirement stringently; and

(b) whether the DJ failed to consider that SKM’s disclosure of Mr Piper’s personal data to Ms Loi would per se cause him emotional distress actionable under s 48O of the PDPA.

36 With that, I turn to the Breach Issue.

37 I begin with the applicable law. Under s 13 of the PDPA, an organisation must not collect, use or disclose personal data about an individual unless consent is given (or deemed given), or unless permitted under the PDPA or by any other written law. Specifically, s 13 reads:

38 In relation to s 13(b) of the PDPA, s 17 of the PDPA (read with the First Schedule and the Second Schedule) provides for certain situations when an organisation may collect, use or disclose an individual’s personal data without consent. These include the Vital Interests Exception and the Investigation Exception.

39 As for s 13(a) of the PDPA, the requirement of consent can be satisfied in three ways: (a) when the individual has given his express consent (s 14 of the PDPA); (b) when the individual is deemed to have given his consent (s 15 of the PDPA); or (c) when the individual is deemed to have given his consent by notification (s 15A of the PDPA). Since the parties are agreed that express consent and deemed consent by notification were absent at the material time (Judgment at [24] and [28]), I will only proceed to consider deemed consent under s 15 of the PDPA, specifically deemed consent by conduct as encapsulated in s 15(1) of the PDPA.

40 Section 15(1) of the PDPA reads as follows:

41 Therefore, to establish deemed consent under s 15 of the PDPA, there are two inter-related requirements. First, it must be shown that an individual voluntarily provided his personal data for a purpose. Second, it must be shown that it is reasonable that he would voluntarily provide such data.

42 In my view, the first requirement involves a factual inquiry which focuses on the purpose for the voluntary provision of personal data by a person. In this inquiry, the court should ensure that the purpose is objectively obvious. In arriving at this proposition, I draw from the Personal Data Protection Commission (“PDPC”), Advisory Guidelines on Key Concepts in Personal Data Protection Act (revised 16 May 2022) (the “PDPC Advisory”) at para 12.20, which states as follows:

43 As for the second requirement, it again involves an objective inquiry. In this inquiry, amongst other factors, the nature of the personal data must be weighed against the purpose to be achieved in providing such data. For instance, it would be reasonable for an individual to voluntarily provide his name and contact details within a form for the purpose of participating in a free-to-enter competition, where no prize money is involved. Should the same form require the individual’s bank account details, and the individual somehow complies, it would not be reasonable to consider that he volunteered the bank account details for the same purpose, since such sensitive personal data will not be required in relation to the purpose. As I will explain below, such an approach coheres with a check and balance mechanism inherent within s 15 of the PDPA.

44 When the two requirements in s 15(1) of the PDPA are satisfied, the individual is deemed to have consented to the collection, use or disclosure of personal data for that purpose by the organisation.

45 I make two observations about the scope of deemed consent. First, it is wide in that it potentially enables the organisation not only to collect, but also to use or disclose the personal data which has been provided by the individual for a purpose. However, and secondly, it is narrow in that it imposes a restriction by permitting the organisation to collect, use or disclose the personal data only for that purpose, and I would suggest only to the extent that is required for that purpose. This is an important control mechanism inherent within the deemed consent framework, and it aligns with a limitation imposed within s 18 of the PDPA which I shall discuss at [51] below.

46 To illustrate, I set out the following examples set out in the PDPC Advisory (at para 12.21; see also, eg, Universal Travel Corporation Pte Ltd [2016] SGPDPC 4 at [10] and [13]):

47 From these examples, it can be gleaned that when an individual reasonably provides his personal data to an organisation for a purpose, he is deemed to have consented to the collection, use or disclosure of the data by the organisation but only as required for that purpose. This approach has also consistently been applied by the PDPC: see, eg, Actxa Pte. Ltd. [2018] SGPDPC 5 at [31] and [34]; Starhub Mobile Pte Ltd, M1 Limited and Singtel Mobile Singapore Pte. Ltd. [2019] SGPDPC 12 at [21]; German European School Singapore [2019] SGPDPC 8 at note 4; H3 Leasing [2019] SGPDPC 9 (“H3 Leasing”) at [11]. For example, in H3 Leasing, the PDPC held (at [11]) that:

48 As observed by the authors in Steve Tan & Victoria Tan, “Understanding How the PDPA Permits Organisations to Leverage on Personal Data in Achieving Innovation” [2022] PDP Digest 162 at para 5, “[t]he deemed consent mechanism alleviates the operational difficulties that may be encountered by an organisation in seeking to obtain express consent”. Indeed, in the second reading of the Personal Data Protection Bill, the then Minister for Information, Communications and the Arts, Assoc Prof Dr Yaacob Ibrahim, explained (see Singapore Parl Debates; Vol 89, Sitting No 8; Page 830; [15 October 2012] (the “Second Reading”)) that:

49 Hence, to reiterate, once the two requirements under s 15(1) of the PDPA are satisfied, the individual would be deemed to have consented to the collection, use or disclosure of his personal data by the organisation. However, such deemed consent only extends to what is required for the purpose for which the individual provided his personal data in the first place.

50 I now turn to s 18 of the PDPA, which states:

51 Given that this case turns on deemed consent, it is not disputed that s 18(b) of the PDPA does not apply: see s 20(3)(a) of the PDPA. As for s 18(a), it permits organisations to collect, use or disclose personal data but only for purposes that a reasonable person would consider appropriate in the circumstances (the “Purpose Limitation”). As alluded to above at [45], this is in line with the inherent limitation concerning the scope of deemed consent.

52 To recapitulate, I have set out the ambit of deemed consent, and the limitation placed on organisations to collect, use or disclose personal data “only for purposes that a reasonable person would consider appropriate in the circumstances”. Further, by s 11(1) of the PDPA, “[i]n meeting its responsibilities under the [PDPA], an organisation must consider what a reasonable person would consider appropriate in the circumstances”. In other words, organisations would, in seeking to comply with the PDPA regime, be held to the standard of reasonableness (see Second Reading at p 830).

53 As Mr Piper argues, this is an objective standard. ⁴⁷ More specifically, as the PDPC Advisory provides (at paras 9.1−9.5), the standard of reasonableness is ascertained by considering the particular circumstances and societal norms, and that a possible step that an organisation could take is to consider the affected individual’s perspective:

54 With that, I return to the facts of this case. Preliminarily, I note that the parties have not disputed the DJ’s finding that it would be appropriate to consider the Prior Disclosures, notwithstanding that these were not pleaded (see [15] above). As I highlighted above, the Prior Disclosures were only made known to Mr Piper at the trial through the evidence led by SKM (see [10] and [15] above). Hence, I proceed on the same basis. For the avoidance of doubt, while Ms Loi was the recipient of the information on all occasions, each instance remains a distinct act of disclosure; each instance should be assessed on its facts and circumstances.

55 To address the sub-issues set out at [34(a)] and [34(b)] above, the relevant inquiries are: (a) whether the two requirements under s 15(1) of the PDPA are satisfied such that Mr Piper can be deemed to have consented to the collection, use or disclosure of his personal data (and, if so, what the purpose for which such deemed consent has been given is); and (b) whether SKM’s disclosure of the personal data to Ms Loi fell within the scope of the deemed consent and the Purpose Limitation. In undertaking the latter inquiry, SKM will be held to an objective standard of reasonableness (see [52]−[53] above). I turn to the first inquiry.

56 In relation to the first requirement under s 15(1)(a) of the PDPA, that Mr Piper must have voluntarily disclosed his personal data for a purpose, I agree with the DJ that he provided his identity and e-mail address through the 27 August E-mail for the objectively obvious purpose of investigating his complaint. As the DJ highlights, in this e-mail, Mr Piper told SKM that he hoped they “reach out to [Ms Loi], gain control of the Telegram group, and remove all of the nasty content in that group that she and her associates have posted” (Judgment at [34]). This was confirmed at trial by Mr Piper: ⁴⁸

57 I thus agree with the DJ that Mr Piper voluntarily provided his name and e-mail address to SKM for the purpose of investigating his complaint against Ms Loi.

58 I turn to consider the second requirement under s 15(1)(b) of the PDPA, namely whether it was reasonable that Mr Piper would voluntarily provide his name and e-mail address to SKM for the purpose of investigating the complaint. Having regard to the nature of the personal data provided, and how necessary this was to achieve the purpose for which it was provided, I agree with the DJ (see Judgment at [37]) that it was objectively reasonable for Mr Piper to have done so.

59 As Mr Piper explained (see [21] above), he had to provide his name as SKM’s personal data protection policy stipulated that “[g]enerally, [it was] unable to deal with anonymous complaints” because it would not be able to investigate such complaints. ⁴⁹ Mr Piper also had to provide his e-mail address for SKM to correspond with him to provide updates and/or seek further information following its investigations into the matter.

60 Hence, it was reasonable for Mr Piper to have provided his name and e-mail address to SKM for the purpose of investigating his complaint. Since both requirements under s 15(1) of the PDPA are satisfied, I agree with the DJ (see Judgment at [38]) that Mr Piper should be deemed to have consented for his personal data to be collected, used, or disclosed for the purpose of investigating his complaint against Ms Loi.

61 It then follows that SKM could only have collected, used or disclosed Mr Piper’s full name and e-mail address for the sole purpose of investigating his complaint against Ms Loi. I turn to the next inquiry, namely, whether the disclosure of Mr Piper’s personal data to Ms Loi fell within the purpose of investigating the complaint.

62 On this issue, I depart from the DJ’s findings. While it does appear that the DJ had in mind an objective test (as evidenced from his reference to the “reasonable person” standard stipulated in s 11(1) of the PDPA (see Judgment at [43]−[44])), I find that, substantively, the DJ applied the wrong test or erred in applying the reasonableness test contemplated under ss 11(1) and 18(a) of the PDPA. In determining whether the investigation process was reasonable, the DJ appears to have left the matter almost entirely to SKM’s discretion, or at the very least, accorded a great deal of deference to SKM. To elaborate, he held, inter alia, that “[i]t is for [SKM] to decide how to go about the investigation in the most effective manner” and that “[i]t is not for [Mr Piper] to dictate how [SKM] should go about it” (Judgment at [39]).

63 In my view, the problem with this approach is that it would render the reasonableness standard nugatory. Effectively, it would mean that so long as an individual is deemed to have provided his consent to the organisation to collect, use or disclose his personal data for a purpose, the organisation will be allowed to proceed in relation to the purpose however it wishes. There would be no scrutiny into whether, objectively speaking, the organisation’s actions are (or are not) reasonable for such a purpose. That cannot be right. Instead, in its conduct, the organisation must still be held to an objective standard of reasonableness.

64 Here, contrary to the DJ’s findings (Judgment at [40] and [53]), I find that it was not reasonable for SKM to have disclosed Mr Piper’s identity and e-mail address to Ms Loi in the course of investigations. While Mr Piper is deemed to have consented to SKM’s disclosure of his personal data to investigate the complaint against Ms Loi, it was not objectively reasonable for SKM to have disclosed the personal data to Ms Loi, unless the information was required or necessary for investigating the matter.

65 Contrary to SKM’s argument (see [28] above) and the DJ’s finding (Judgment at [39]), that is not the case here. In relation to the 30 August Disclosure and the 31 August Disclosure, as Mr Piper argues (see [22] above), it was completely unnecessary, and hence unreasonable, for SKM to have disclosed Mr Piper’s personal data to Ms Loi to investigate his complaint. Neither would disclosing such personal data facilitate investigations. I pause to observe that the complaint was not about Ms Loi’s conduct in relation to Mr Piper specifically. Therefore, SKM could simply have approached Ms Loi, stated the allegations that it was investigating her for, and sought the necessary clarifications from Ms Loi.

66 Upon receiving Ms Loi’s clarifications, SKM could have come to its findings, before taking the appropriate remedial action, if any. Had Ms Loi refused to cooperate, SKM could have considered other means to escalate the matter for investigations (given that the complaint seemingly implicated SKM). There was simply no need for SKM to have authenticated Mr Piper’s identity with Ms Loi before carrying out its investigations, because no part of the investigations would have turned on the identity or e-mail address of the complainant. Put another way, it was immaterial whether Ms Loi knew Mr Piper’s personal data. Thereafter, on 1 September 2022, it was completely unnecessary for SKM to blind copy Ms Loi in its reply to Mr Piper, giving rise to the 1 September Disclosure. Again, if required, SKM could simply have updated Ms Loi on the contents of its response.

67 The fact that Mr Piper remained persistent in his complaints by sending the 4 September E-mails does nothing to change the analysis. SKM could have carried out further investigations using the fresh material provided by Mr Piper with equal efficiency and efficacy without disclosing Mr Piper’s personal data to Ms Loi. Alternatively, if SKM was of the view the Mr Piper’s further complaints were without merit, it could simply have told him the same. Even at that stage, there would have been no reason for SKM to disclose Mr Piper’s identity and e-mail address to Ms Loi. Thus, the 7 September Disclosure was not reasonable.

68 Further, while SKM might, out of goodwill, have wanted to facilitate conciliation between Mr Piper and Ms Loi (see [28] above), such a purpose would not have fallen within that for which Mr Piper is deemed to have given his consent, ie, to investigate his complaint. This argument therefore does not assist SKM, in relation to the 7 September Disclosure (see [9] above).

69 To round off, in the context of complaints, one would reasonably contemplate the possibility of the person complained against feeling aggrieved, bearing some grudge and even taking some form of retaliatory action against the complainant. Even if a complainant should be expected to stand by his complaint, one would also reasonably contemplate the complainant being concerned about any such repercussions. Hence, it would, whether from the complainant’s perspective (see [53] above) or from an objective commonsensical perspective, be reasonable for an organisation to disclose the complainant’s personal data to the person complained against, only if it is required or necessary for the purpose of investigating the matter. The nature of the allegations would be important. One instance where such disclosure may be required or necessary is if the complainant alleges wrongdoing specifically committed against himself or herself.

70 In these premises, I agree with Mr Piper that the DJ erred in finding that SKM’s disclosure of Mr Piper’s identity and e-mail address to Ms Loi was reasonable. Instead, unless SKM can avail itself of one of the exceptions in the PDPA, it has breached ss 13 and 18(a) of the PDPA as the disclosure of Mr Piper’s personal data did not fall within the scope of his deemed consent and the Purpose Limitation.

71 Having reached the outcome above, I do not propose to deal with Mr Piper’s arguments (see the sub-issue at [34(d)] above) that the DJ erred in the suggestion that, in situations involving deemed consent, the onus would be on the affected individual to take the additional step to expressly instruct the organisation to keep his identity confidential if he so wishes (Judgment at [42]). I also see no need to engage with the parties’ arguments on whether Mr Piper’s initial complaint to SKM is analogous to a whistleblowing situation. These arguments are not entirely helpful, and I thus make no further comment on this sub-issue set out at [34(c)] above.

72 For completeness, I turn to consider SKM’s alternative argument, that it can, contrary to the DJ’s decision, avail itself of the Investigation Exception (see the sub-issue at [34(e)] above). The Investigation Exception allows the collection, use or disclosure of personal data about an individual without the individual’s consent, when it is “necessary” for any “investigation”, which is defined in s 2(1) of the PDPA as follows:

73 From the plain wording of its definition, the applicable forms of “investigation” which would fall under the Investigation Exception is broadly defined, and includes those which may result in any remedy or relief available under any law. I hence agree with SKM (see [29] above) that the DJ’s interpretation of the applicable forms of investigations to only include those that relate to a wrong that is actionable in law is too narrow.

74 However, SKM is still precluded from relying on the Investigation Exception. For reasons already explained above (at [64]−[69]), and as Mr Piper argues, ⁵⁰ it was unnecessary for SKM to have disclosed Mr Piper’s name and e-mail address to Ms Loi. Hence, it remains that SKM has acted in contravention of ss 13 and 18(a) of the PDPA. With that, I turn to consider the Loss Issue.

75 Having considered the DJ’s reasoning and the parties’ arguments, I am unable to accept both of Mr Piper’s broad arguments (see [25]–[26] above). I explain, beginning with Mr Piper’s first broad argument that the DJ erred by applying the direct causal requirement too stringently.

76 In Reed, the Court of Appeal held (at [90], [93], [102] and [107]), in relation to the then-equivalent provision to s 48O of the PDPA, that while s 48O(1) of the PDPA does not exclude emotional distress from the meaning of “loss and damage”, a “strict causal link” is required for such a claim to succeed. This means that the “loss or damage” (including emotional distress) must have been suffered “directly as a result of a contravention” of the PDPA [emphasis in original]. Such a requirement serves as a control mechanism to prevent individuals from commencing frivolous lawsuits against organisations even for minor or technical breaches of the PDPA.

77 In my view, the DJ did not err in applying the strict causal link test stringently (Judgment at [89]). As the DJ correctly observed (Judgment at [90]), such an approach also coheres with Parliament’s intent (see Second Reading at p 832):

78 Applying this test, I agree with the DJ that SKM’s breach of the PDPA did not directly lead to the purported emotional distress suffered by Mr Piper arising from Ms Loi’s filing of her POHA claim against him and her publication of the process via the Album (Judgment at [94]−[100]). In this regard, I broadly accept SKM’s argument (see [32] above) that Ms Loi’s actions broke the chain of causation between SKM’s breach and Mr Piper’s purported emotional distress, much like a novus actus interveniens in the context of common law torts. As observed in Gary Chan Kok Yew & Lee Pey Woan, The Law of Torts in Singapore (Academy Publishing, 2nd Ed, 2016) at para 07.078, in assessing whether the intervening action of a third party constitutes a novus actus interveniens sufficient to break the chain of causation at law, it is relevant to consider the likelihood of the third party’s act occurring:

79 In the present case, while I have earlier found (at [69] above) that one would reasonably expect the possibility of a person who is the subject of a complaint taking some form of retaliatory action against the complainant if the latter’s identity is leaked to the former, I do not think that Ms Loi’s retaliatory behaviour, ie, to have commenced an action against Mr Piper and to have documented this process publicly via the Album, can be said to be “likely to occur” or “glaringly obvious”, or to have posed a “manifest and obvious risk”. My finding is bolstered by Mr Piper’s submission that Ms Loi had, in publicly documenting the process of her POHA claim, further revealed details such as Mr Piper’s surname and the case number assigned to her POHA claim (through which Mr Piper’s identity can be established through a search of the hearing list via the Judiciary’s website). ⁵¹

80 Given this, I find that Ms Loi’s behaviour broke the legal chain of causation between SKM’s breaches of the PDPA and the purported emotional distress suffered by Mr Piper. Indeed, I note that Mr Piper has commenced his own POHA claim against Ms Loi on 27 July 2023. ⁵² For the avoidance of doubt, I make no comment on this claim in this judgment.

81 I turn to consider Mr Piper’s second broad argument, that he suffered emotional distress actionable under s 48O of the PDPA due to SKM’s breaches of the PDPA per se. Preliminarily, I accept that this head of damages could have been better pleaded (see [33] above). However, I also note that Mr Piper has pleaded that SKM’s “response … in respect of its PDPA breaches exacerbated the emotional distress” he suffered, ⁵³ which could, when interpreted charitably, be understood as averring that he suffered actionable emotional distress due to SKM’s breaches per se. I hence proceed to consider this argument substantively.

82 I am unable to find that Mr Piper suffered actionable emotional distress. In Reed, the Court of Appeal held (at [114] and [116]) that, in ascertaining the presence of actionable emotional distress, the test cannot be a fully objective one. Instead, the inquiry must be anchored in whether the very individual before the court subjectively suffered emotional distress. That is not to say, however, that the court cannot direct its mind to how a reasonable person would have reacted in the relevant circumstances as an evidential tool to assess the individual claimant’s subjective state of mind. Further, negative emotions that should be tolerated as part of the ordinary vicissitudes of life do not amount to actionable emotional distress. It will also often be the case that greater weight will be attached to objective indicia of emotional distress, as compared with bald assertions in an affidavit.

83 With these principles in mind, the Court of Appeal held (at [115]) that a multi-factorial approach is suitable for determining whether an individual has suffered emotional distress, and provided a few non-exhaustive considerations to guide the court in this inquiry:

(a) the nature of the personal data involved in the breach: for instance, financial data is likely to be sensitive;

(b) the nature of breach: eg, whether the breach of the PDPA was one-off, repeated and/or continuing;

(c) the nature of the defendant’s conduct: for instance, proof of fraudulent or malicious intent may support an inference that the claimant was more severely affected. In contrast, an accidental breach by a single typographical error is unlikely to cause cognisable distress. In addition, if the claimant reasonably seeks an undertaking from the defendant not to misuse his or her personal data, but the defendant unreasonably refuses to furnish an undertaking, this is a weighty factor in favour of the existence of emotional distress;

(d) risk of future breaches of the PDPA causing emotional distress to the claimant; and

(e) actual impact of the breach on the claimant.

84 In Reed, the appellant was an investor of an investment fund (the “Edinburgh Fund”) managed by a company in the business of managing funds, namely “IPIM” (Reed at [6] and [8]). The respondent was originally employed under a company connected to IPIM, to be referred to as “IPRE”, before being seconded to another associated company (Reed at [6]). He subsequently left the employ of IPRE to join a competitor set up by the former chief executive officer of IPIM (Reed at [7]). Subsequently, the respondent contacted some investors in the Edinburgh Fund, including the appellant (Reed at [8]). In doing so, he misused the personal data regarding the appellant’s name, personal e-mail address and investment activity in the Edinburgh Fund (see Reed at [10] and [53]), and was thus found to have breached ss 13 and 18 of the PDPA (Reed at [55]).

85 The Court of Appeal further found, applying the multi-factorial approach, that the claimant suffered actionable emotional distress:

(a) Nature of personal data: The personal data misused by the respondent included information about the appellant’s personal investments, which was sensitive, especially for a business leader like the appellant (Reed at [129]).

(b) Nature of defendant’s conduct: The respondent was evasive and dismissive when confronted about his misuse of the appellant’s personal data (Reed at [131]).

(c) Risk of future breaches: The respondent refused to offer any assurances that the appellant’s personal data would be protected and not spread to third parties (Reed at [130]).

(d) Claimant’s contemporaneous behaviour: Six days following the respondent’s breaches of the PDPA, the appellant sent an e-mail to IPIM, confronting IPIM on what had occurred (Reed at [9], [10] and [121]). A week later, the appellant wrote to the respondent directly asking him how he managed to access his personal data (Reed at [12] and [122]). In his e-mail reply to the appellant, the respondent failed to undertake not to make further unauthorised use of the appellant’s personal data, or address how the data would be protected (Reed at [125]). The appellant forwarded this e-mail to IPIM, complaining that the respondent had failed to address his concerns (Reed at [126]). He further joined a suit commenced by IPIM and IPRE against the respondent to prevent the chance of injunctive relief being defeated by the lack of standing on the companies’ part (Reed at [128]).

86 In my view, the present case is distinguishable from Reed, and the facts here suggest that Mr Piper did not suffer actionable emotional distress. I explain the various factors I have considered.

87 I accept Mr Piper’s arguments (see [26(a)] above), contrary to the DJ’s findings (see Judgment at [111]), that in the context of a serious complaint, the name of the complainant would constitute sensitive data: see Credit Counselling Singapore [2017] SGPDPC 18 at [11]. I do not place much weight on SKM’s argument that it only revealed Mr Piper’s data to a single individual. While this is true, in the context of a complaint, it may be especially inappropriate to reveal the complainant’s identity to the individual being complained against. That said, while SKM’s breach was not one-off (given the Prior Disclosures), I appreciated that the damage would already have been caused to Mr Piper on SKM’s first disclosure of his identity to Ms Loi on 30 August 2022.

88 A perusal of the evidence suggests that Mr Piper did not, as a matter of fact, suffer any actionable emotional distress as a direct result of SKM’s breaches of the PDPA per se (ie, independent of Ms Loi’s conduct). Instead, Mr Piper was mainly indignant over SKM’s breaches of the PDPA, and any emotional distress he suffered stemmed primarily from Ms Loi’s actions following Mr Piper’s initial complaint against her to SKM. I say so for three reasons.

89  First, Mr Piper was served the relevant court documents notifying him of Ms Loi’s POHA claim against him on 14 September 2022, which was just a week after he came to find out about SKM’s breaches of the PDPA. ⁵⁴ Further, by Mr Piper’s account, Ms Loi visited him at his workplace and viewed his LinkedIn profile as early as on 9 September, just two days after SKM sent the 7 September Email. ⁵⁵ While these facts do not in themselves negate the possibility or plausibility of Mr Piper suffering from actionable emotional distress due to SKM’s PDPA breaches per se, they are important because they show that a significant intervening event was introduced shortly following the breaches. From as early as 9 September 2022, if not 14 September 2022, it would be less clear whether any emotional distress suffered by Mr Piper stemmed from SKM’s breaches of the PDPA per se, or from Ms Loi’s subsequent actions, or from both.

90 Second, the evidence suggests that, on his own case, any emotional distress suffered by Mr Piper stemmed mainly from Ms Loi’s subsequent actions. Whether in his Statement of Claim or Affidavit of Evidence-in-Chief (“AEIC”), the general tenor of Mr Piper’s case is that he suffered from emotional distress due to Ms Loi’s actions, and that SKM’s breaches of the PDPA (with its subsequent “dismissive, cavalier and evasive response”) merely “exacerbated” his emotional distress. ⁵⁶ The same can be said about the evidence of Ms Loh and Ms Cheow on this issue as deposed in their respective AEICs (and as stated in the exhibits contained therein). ⁵⁷ Even in his Letter of Demand sent to SKM through his lawyers on 6 October 2022 (the “6 October Letter”), Mr Piper makes no reference to any emotional distress caused by SKM’s breaches of the PDPA per se. Instead, the letter stated that “[a]s a result of [SKM’s breach of] ... the PDPA obligations, [Mr Piper] is now subject to a frivolous POHA Claim by [Ms Loi]”. ⁵⁸ Most tellingly, at trial, Mr Piper testified that “the initial emotional distress came on or about with the start of the initial POHA claim by [Ms Loi] against [him] ...” [emphasis added]. ⁵⁹

91 Third, the evidence suggests that SKM’s breaches of the PDPA per se and its subsequent response caused Mr Piper some offence. However, they do not demonstrate that he suffered emotional distress. For example, on 22 June 2023, Mr Piper sent Ms Loh a text message stating that SKM was “trying to ignore [his] lawyer’s letters”, that “they won’t be able to ignore a summons”, and, tellingly, that “they self sabo [ie, they sabotaged themselves] anyway”. ⁶⁰ Such a tone points to Mr Piper feeling indignant. Indeed, Ms Loh deposed that she “sensed that some of the stress felt by [Mr Piper] was also due to his sense of misjustice” [emphasis added]. ⁶¹

92 From the reasons just canvassed, I am also of the view that the present case is distinguishable from Reed. In Reed, as the DJ correctly alluded to (Judgment at [112(b)] and [112(c)]), it was reasonable for the appellant to have subjectively perceived a real prospect of future misuse of personal data, especially since the respondent refused to assure the appellant that his personal data would be protected and not spread to third parties and was instead evasive in addressing his concerns.

93 In this regard, at first glance, I see the force in Mr Piper’s position (see [26(b)] above) that SKM was, especially from Mr Piper’s subjective perspective, somewhat evasive in managing the aftermath of its PDPA breaches. Specifically, it is not entirely satisfactory (especially when a subjective approach from Mr Piper’s perspective is adopted – see [82] above) that SKM only replied to address Mr Piper’s 6 October Letter eight months later on 5 June 2023. The reply came after Mr Piper’s lawyers sent a chaser to SKM on 13 October 2022 (the “13 October E-mail”), and Mr Piper’s second chaser on 28 May 2023. ⁶² Further, in its reply, SKM did not respond substantively to the 6 October Letter, but merely apologised for missing Mr Piper and his lawyers’ prior emails, and stated that it did not receive the 6 October Letter which was attached to the 13 October E-mail. ⁶³

94 When Mr Piper’s lawyers later replied to SKM, re-attaching the 6 October Letter and clarifying that the 13 October E-mail in fact contained the same, SKM provided no further response. ⁶⁴ This was on the instruction of Dr William Wan, SKM’s Senior Consultant, who, on 13 June 2023, instructed the data protection officers not to respond directly to Mr Piper’s lawyers until further notice. ⁶⁵

95 While I can accept that SKM might have adopted this course of action because it was conducting internal investigations (see [33(b)] above), it appears that SKM did not subsequently update Mr Piper regarding the outcome of such investigations. It also appears that SKM’s internal investigations pertained only to its failure to respond to Mr Piper within two working days of the 6 October Letter, rather than to its actual breaches of the PDPA. ⁶⁶ Following its investigations, from Mr Piper’s perspective, SKM merely updated its privacy policy to give itself “a reasonable period of time” instead of the original “two days” to respond to any PDPA complaints. ⁶⁷ It is, in my view, reasonable for Mr Piper to have subjectively perceived this series of actions by SKM as being evasive. It might hence, at first blush, be said that the present case is analogous to Reed.

96 However, the facts in Reed differ from those in the present case in one key aspect. There, the appellant perceived a real prospect of future misuse of personal data, and this subjective perspective was reasonable considering the respondent’s evasiveness in addressing the appellant’s concerns (see Reed at [121]−[128]). Under such circumstances, one can intuitively appreciate why the appellant in Reed would have felt particularly anxious about the respondent further abusing his personal data (see also [83(c)] and [83(d)] above).

97 In the present case, there is no evidence to suggest that Mr Piper faced any prospect of future misuse of his personal data, especially since Mr Piper’s complaint pertained only to Ms Loi. Given this, I am of the view that SKM’s somewhat evasive response to Mr Piper’s demands for an explanation of why his personal data was disclosed to Ms Loi is not a factor which would tip the scales in favour of finding that Mr Piper suffered actionable emotional distress from SKM’s breaches of the PDPA per se.

98 Finally, I agree with SKM (see [33(c)] above) that the DJ was correct in finding that Mr Piper has not adduced sufficient evidence to prove the actual impact which he claims SKM’s PDPA breaches had caused him emotionally (see Judgment at [107]−[110]). As the DJ observed, Ms Loh and Ms Cheow’s evidence on this issue was insufficiently particularised and substantiated. The purported medical evidence presented by Mr Piper also say nothing about his emotional state. ⁶⁸

99 Balancing the above considerations, I am of the view that, on a subjective multi-factorial approach, Mr Piper did not suffer any emotional distress that is actionable under s 48O of the PDPA. To be clear, that is not to say that Mr Piper did not suffer any emotional harm from the material events. The court must, however, be cautious not to award damages for emotional distress too readily, especially since mental distress by itself does not traditionally constitute sufficient damage to found a cause of action (Arul Chandran v Gartshore and others [2000] 1 SLR(R) 436 (“Arul Chandran”) at [13]).

100 As the Court of Appeal emphasised in Reed (at [116], citing Arul Chandran at [13]), “pure mental suffering without physical injury [is] an inevitable fact of interpersonal relationships in private and public life alike” and “people must learn to accept with a certain degree of stoicism the slings and arrows of this vale of tears”. The de minimis principle is meant to be a control mechanism which will keep the scope of s 48O PDPA claims within reasonable bounds (Reed at [102(a)]). Indeed, and without going into details, within the PDPA, there are other measures available to enforce compliance by organisations with their PDPA obligations.

101 For the reasons above, I find, contrary to the DJ’s decision, that in disclosing Mr Piper’s name and e-mail address to Ms Loi through the Prior Disclosures and the 7 September Disclosure, SKM breached ss 13 and 18(a) of the PDPA. However, I agree with the DJ that Mr Piper did not suffer any actionable loss under s 48O of the PDPA. In light of the latter finding, the appeal is dismissed. Parties are to file written submissions on costs within two weeks of this decision.