The March 2022 PDPC Incidents and Undertaking decision of the Personal Data Protection Commission (PDPC) have been published on PDPC’s official Website. For this month, only one (1) case has been issued covering Neo Yong Xiang’s financial penalty.
It should be noted that the Personal Data Protection Act (PDPA) aims to balance the organizations’ needs to use data for legitimate purposes with the protection of individuals’ personal information as it is tasked with the administration and enforcement.
In doing so, the decisions conducted by PDPC are published on their Website that is open to all who want to read the latest data security standards set by the PDPC. With this, for the better observance of organizations with such standards, it is their duty to be kept updated with the latest PDPC incident and undertakings.
Let’s have a look at the March 2022 case with the latest cybersecurity updates to date.
Also Read: February 2022 PDPC Incidents and Undertaking
March 2022 PDPC Incidents and Undertaking: Breach of the Consent and Purpose Limitation Obligations by Neo Yong Xiang
Our only case of PDPC incidents and undertaking for the month of march involves Neo Yong Xiang (NYX). Between January 2020 and November 2020, there were 3,636 Do Not Call (DNC) complaints from persons who received specified messages even though their telephone numbers were registered with the DNC register. Further analysis revealed that 1,379 of the messages were sent from 98 SIM cards registered at Yoshi Mobile (YM).
Since 2013, NYX has run YM. NYX was issued a terminal device at YM’s premises as an exclusive reseller of M1 SIM cards for the purpose of SIM card registration, which should be carried out in accordance with the terms of M1’s telecommunications license granted under Section 5 of the Telecommunications Act.
When consumers purchased pre-paid SIM cards from a Geylang Road mobile phone shop, they had no idea their personal information would be utilized to register more SIM cards for illicit sale. Regrettably, this was the case for at least 78 persons who acquired pre-paid M1 SIM cards from Mr. Neo Yong Xiang (“NYX”), the sole proprietor of Yoshi Mobile (“YM”). The typical SIM card registration process in YM would be as follows:
(a) The M1 Terminal Device would be used to scan the customer’s identification document (such as an identity card, passport, or work pass), followed by a transaction. The system would record the customer’s personal information and indicate whether or not the customer had reached the maximum number of three prepaid SIM cards allowed by law.
(b) Following that, the barcodes of the SIM card(s) would be scanned in order for them to be associated with the registered client.
(c) Final step would be the use of a mobile application to load credit value onto the prepaid SIM card(s) in order to activate them for use in the future. Customers’ money was loaded onto their prepaid M1 SIM cards by shops, who were required to load a portion or all of the money they had paid to M1.
The Commission’s investigations established that NYX abused the sim card registration procedure by using customers’ personal information without their consent to register for multiple pre-paid M1 SIM cards that the consumers had not intended to purchase.
NYX acknowledged throughout the investigation that he registered the illicit SIM cards with the intent of selling them to gain additional money. NYX believed that he earned around $15,000 in three years of selling such unlawful SIM cards to unknown walk-in customers.
Personal data obtained and used by NYX to register illicit SIM cards include, but are not limited to, the following: 78 people’ personal data (used to register 94 SIM cards):
- (a) the customers’ names;
- (b) the customers’ addresses; and
- (c) the customers’ NRIC numbers and/or work permit numbers.
The PDPA’s section 2(1) broadly defines “organization” as “any individual, firm, association, or group of persons, corporate or unincorporated.” YM is a sole proprietorship with no legal personality distinct from NYX. As a result, NYX is considered an organization under the PDPA. Additionally, NYX is bound by the PDPA’s requirements because he was working in a commercial role, not a household capacity when he sold the SIM cards for profit.
Section 13 of the PDPA prohibits organizations from collecting, using, or disclosing any individual’s personal data unless the individual gives, or is deemed to have given, consent, an exception to the consent requirement applies, or the collection, use, or disclosure is otherwise authorized by the PDPA or any other written law (the “Consent Obligation”). Additionally, Section 14(1) of the PDPA specifies that an individual has not consented unless they have been informed of the objectives for which his or her personal data will be collected, used, or disclosed. If an organization does not comply with this requirement, any consent acquired from an individual is null and void.
Additionally, pursuant to Section 18 of the PDPA, an organization may collect, use, or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and only after the individual has been informed of the stated purposes pursuant to Section 20 of the PDPA.
On the facts of this case, NYX breached both the Consent Obligation and the Purpose Limitation obligation by using his customers’ personal data to register the illicit SIM cards for sale to anonymous buyers.
With this, the organization was originally made to pay a whopping S$35,000. However, given that NYX is facing several outstanding liabilities, it was reduced to S$21,000. When imposing financial penalties, the Commission may consider the personal and financial circumstances of the organization/individual, bearing in mind that financial penalties imposed should avoid imposing a crushing burden or cause undue hardship on organizations.
What we can, in this case, is the importance of obtaining the consent of an individual when collecting, using, and disclosing that person’s personal data. The organization should also bear in mind the obligation to inform the persons of the legal purpose as to why their data will be used. Given the fact that none of this was acquired, users can lodge a complaint when they receive unsolicited text messages considering that they registered their phone numbers under the DNC registry.
Also Read: January 2022 PDPC Incidents and Undertaking