More than cheating husbands and ghost wives, the Ashley Madison debacle will be closely watched for how the legal system untangles outrage coming from several directions at once: whether Ashley Madison had taken sufficient measures to protect John Doe’s data, whether he can have legal recourse for his grievances only in Cyprus, and why people can still find out his middle name after he paid USD19 to scrub his particulars from the company’s database.
In this article, we ask one question: what liabilities might Ashley Madison face under Singapore’s comprehensive Personal Data Protection Act (PDPA), made fully enforceable on 2 July 2014, and what lessons might companies in Singapore learn from this?
How much is enough?
When Kevin Ashton coined the term the ‘Internet of Things’ in 1999, he envisioned a world where inter-connectivity breaks down the time and space barriers between machines, serving humanity’s ends. It is safe to say that we are progressively realizing this state of civilization. However, this safety has not extended to insulation from the multifarious risks that individuals and corporations inadvertently expose themselves to, and in turn, are exposed to. Such risks, collectively termed ‘cyber crime’, need not be a sophisticated enterprise. A 2014 IBM security report showed that attackers reach for the lowest-hanging fruit of human error, and that human error could be as mundane as the equivalent of leaving our office passes behind to reserve tables during lunch hour.
In the same year, a group of hackers calling themselves The Knowns breached K Box’s membership database and leaked over 300,000 individuals’ personal details, including names, addresses, mobile phone numbers and identity card numbers. The Knowns had demanded that the Singapore government rescind toll hikes at the borders. If this sounds benign, then on first principles, Avid Life Media, the company behind Ashley Madison, ought to be exonerated. However, Ashley Madison is a premonition of exactly what could go drastically wrong here. Credit card details were leaked, and cheeky cheaters suddenly found their marriages at the mercy of a group of unknowns.
The PDPA requires organizations to comply with the Protection Obligation, namely that they adopt security arrangements that are reasonable and appropriate in the circumstances. Reasonableness is a protean concept, and this means that Ashley Madison’s leak must be viewed through very piercing lenses. Three factors are likely to weigh in how strict the imposed standard is. Firstly, the data dump was huge: almost 10 gigabytes of data, containing the personal information of some 32 million users, was posted on the dark web. Secondly, the data dump is highly likely to cause invidious damage once made public. The data identifies people who have pursued a course of infidelity, whether or not they saw it through to the end. Just try explaining to the spouses that they were on the website “just for fun” (undoubtedly they were). Thirdly, because Ashley Madison’s pitch centres on discreet adultery, there is an inherent expectation of trust and sensitivity when users provide their data.
Collectively, these factors lay a runway for escalating Ashley Madison’s liability under the PDPA in Singapore. At the current estimate, the companies behind Ashley Madison might be liable for a fine up to S$1 million.
Beyond our borders
The PDPA will only lend privacy protection an extra sheath if it can apply to the offending perpetrator. Herein lies the fog of doubt; it is moot whether the Personal Data Protection Commission (PDPC) will be able to take enforcement action if the data security measures implemented by Ashley Madison could be found insufficient under the PDPA. When users sign up to Ashley Madison, they agree that their relationship with Ashley Madison will be governed by Cypriot law and that it is based in Cyprus. As such, any transgression on the service provider’s end might be out of the PDPA’s reach.
Whether Avid Life Media, a company with its first roots in Canada, can face liability under European laws might turn on two issues: firstly, whether Ashley Madison has any ‘establishment’ in a given European country; secondly, whether it can be said that Ashley Madison ‘make[s] use of equipment’ in that country to process personal data. This might seem semantic. Its online presence in any given country, together with the proliferation of internet technologies, should render such considerations outdated. It seems that it is in this spirit that the PDPA was drafted.
Under the PDPA, legal action may be commenced in Singapore courts against offending companies located outside Singapore that are engaged in the collection or processing of data within the country. This cuts through the swathes of pre-existing piecemeal, industry-specific legislative frameworks, and casts a much wider compliance net of which organizations should be mindful. The precise extent of the PDPA’s reach remains to be determined. However, its enactment ushers in increased attention and emphasis on data security, and organizations might find hiding behind territorial boundaries increasingly difficult. This should provide the impetus for organizations to review their existing data security systems regardless of where their data is stored or where the bulk of their processing takes place.
Yes, I do, till I don’t…
One final issue remains: several users (ex-users surely, by now) have come forth claiming that they paid Ashley Madison USD19 for a ‘hard-delete’, or ‘paid-delete’. The hackers behind the leak, calling themselves the Impact Team, exposed Ashley Madison’s failure to do so and followed up with the data dump. Ashley Madison has now promised to perform hard-deletes on request for free, but it seems to be a case of too little, too late. It then appears patently obvious that Ashley Madison ought to be held liable, but under what laws?
The underlying issue here is the withdrawal of consent, expressed by requesting a hard-delete and evidenced by payment for it. This is one of the centrepieces of the PDPA. When reviewing their data protection and privacy policy under the new regime, organizations should be mindful of three considerations. Firstly, has express consent been given for the storage of the user’s private data? Mere silence on the part of the user may not be sufficient to constitute consent, and any consent is best recorded in writing. Secondly, a user has statutory rights to access his personal data, alter it and rescind it at any time. This protection is made more palpable if the individual expressly withdraws his consent in writing. Herein lies Ashley Madison’s fall. Businesses should note that the onus is on them to respond in due time and to perform those obligations. The PDPC’s best practices guidelines suggest appointing a Data Protection Officer to specifically oversee compliance with the existing policy and its execution. Thirdly, personal data obtained must be used solely for the purpose agreed upon. Practically, this might be subject to standard practices in particular industries. It is common for organizations to insert clauses into the TL;DR terms and conditions of use which stipulate your agreement to their conveying or selling your personal data during structural changes. However, as in the case of Ashley Madison, whether those clauses are effective turns on whether the user is “on notice” of those risks. To businesses, this means that the more those clauses deviate from the industry standard, or tilt the risks towards the user, the more effort is expected to draw the user’s attention to those clauses.
Conclusion
The months ahead will be long for Ashley Madison; winter is coming. The PDPA signals a recognition that trust alone is insufficient to protect the individual; it has to be backed up with statutory steel. However, organizations need not then take all their data off any digital instruments and keep them under lock and key. Reasonable efforts are also judged by the costs of security measures. The PDPA does not impose on organizations to build a digital portcullis, but it does expect you not to give up a kingdom for a horse.
Are your company’s policies PDPA compliant?
If you’d like to be sure that your company or startup is PDPA compliant, it is always very helpful to get a lawyer to help interpret the word of the law and make sure that you are covered. Speak with a lawyer and get your questions on the PDPA answered for a transparent, flat fee of S$49 today.
This article is written by Johanna Tay from KF Property Network Pte Ltd.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.