More than cheating husbands and ghost wives, the Ashley Madison debacle will be closely watched for how the legal system tangles with multiangular rage on whether Ashley Madison had taken sufficient measures to protect John Doe’s data, whether he can have legal recourse for his grievances only in Cyprus, and why people can still find out his middle name after having paid USD19 to scrub his particulars from their data base.
In this article, we ask one question: what liabilities might Ashley Madison face under Singapore’s comprehensive Personal Data & Protection Act, made fully enforceable on 2 July 2014, and what lessons might companies in Singapore learn from this.
How much is enough?
When Kevin Ashton coined the term the ‘Internet of Things’ in 1999, he envisioned a world where inter-connectivity breaks down the time and space barriers between machines, serving humanity’s end. It is safe to say that we are progressively realizing this state of civilization. However, this safety has not extended to insulation from the multifarious risks that individuals and corporations inadvertently expose themselves to, and in turn, are exposed to. Such risks, collectively termed as ‘cyber crime’ need not be a sophisticated enterprise. A 2014 IBM security report showed that attackers reach out for the lowest hanging fruit of human error, and that human error could reside in us doing the equivalent of leaving our office passes behind to reserve tables during lunch hour.
In the same year, a group of hackers calling themselves The Knowns breached K Box’s membership database and leaked over 300, 000 individual’s personal details including names, addresses, mobile phone numbers and identity card numbers. The Knowns had demanded for the Singapore government to rescind toll hikes at the borders. If this sounds benign, then on first principles, Avid Life Media, the company behind Ashley Madison, ought to be exonerated. However, Ashley Madison is a premonition of exactly what could go drastically wrong here. Credit card details were leaked, and cheeky cheaters suddenly found their marriages at the mercy of a group of unknowns.
The PDPA requires organizations to comply with Protection Obligation, namely that they adopt security arrangements that are reasonable and appropriate in the circumstance. Reasonability is a protean concept, and this means that Ashley Madison’s leak must be viewed through very piercing lenses. 3 factors are likely to weigh in how strict the imposed standard is: firstly, the data dump was huge. Almost 10 gigabytes of data was posted on the dark web which contained personal information of some 32 million users. Secondly, the data dump is highly likely to cause invidious damage once made public. The data identifies people who have pursued a course of infidelity, whether or not they saw it to the end. Just try explaining that to the spouses, that they were on the website “just for fun” (undoubtedly they were). Thirdly, by virtue of Ashley Madison’s pitch focal on discretionary adultery, there is an inherent expectation of trust and sensitivity when users provide their data.
Collectively, these factors lay a runway for escalating Ashley Madison’s liability under the PDPA in Singapore. At the current estimate, the companies behind Ashley Madison might be liable for a fine up to S$1 million.
Beyond our borders
The PDPA will only lend privacy protection an extra sheath if it can apply to the offending perpetrator. Herein lies the fog of doubt; it is moot whether the Personal Data Protection Commission (PDPC) will be able to take enforcement action if the data security measures implemented by Ashley Madison could be found insufficient under the PDPA. When users sign up to Ashley Madison, they agree that their relationship with Ashley Madison will be governed by Cypriot law and that it is based in Cyprus. As such, any transgression on the service provider’s end might be out of the PDPA’s reach.
Whether Avid Life Media, a company with first roots in Canada, can face liability under European laws might turn on 2 issues: firstly, whether Ashley Madison has any ‘establishment’ in a given European country; secondly, if it can be said that Ashley Madison ‘make[s] use of equipment’ in that country to process personal data. This might seem semantic. Its presence in any given country, and the proliferation of internet technologies, should render such considerations outdated. It seems that it is in this spirit that the PDPA was drafted.
Under the PDPA, legal action may be commenced in Singapore courts against offending companies located outside that are engaged in data collection or processing of data within the country. This cuts through the swathes of pre-existing piecemeal, industry-specific legislative frameworks, and casts a much wider net for the compliance of which organizations should be mindful of. The precise extent of the PDPA’s reach remains to be determined. However, its enactment ushers in an increased attention and emphasis on data security from which organizations might find hiding behind territorial boundaries increasingly difficult. This should provide the impetus for organizations to be cognizant about reviewing their existing data security systems regardless of where its data might be stored or where the bulk of its processing might operate in.
Yes, I do, till I don’t…
One final issue remains: several users (ex-users surely, by now) have come forth claiming that they have paid Ashley Madison USD19 for a ‘’hard-delete’, or ‘paid-delete’. The hackers behind the leak, calling themselves the Impact Team, have exposed Ashley Madison’s failure to do so and followed-up with the data dump. Ashley Madison have now promised to perform requests for hard-deletes for free, but it seems to be a case of too little too late. It then appears patently obvious that Ashley Madison ought to be held liable, but under what laws?
The months ahead will be long for Ashley Madison; winter is coming. The PDPA signals a recognition that trust alone is insufficient to protect the individual; it has to be backed up with statutory steel. However, organizations need not then take all their data off any digital instruments and keep them under lock and key. Reasonable efforts are also judged by the costs of security measures. The PDPA does not impose on organizations to build a digital portcullis, but it does expect you not to give up a kingdom for a horse.
Is your company’s policies PDPA compliant?
If you’d like to be sure that your company or startup is PDPA compliant, it is always very helpful to get a lawyer to help interpret the word of the law and make sure that you are covered. Speak with a lawyer and get your questions on PDPA answered for a transparent, flat fee of S$49 today HERE.