Amidst a global push towards personal data protection, companies have shown a degree of complacency about the ability of data protection commissions to enforce the rulings, regulations and legislation around the issue. That complacency is now being tested by a slew of judgements against organisations that have stepped over the boundaries.
Singapore and Hong Kong take the lead
Southeast Asian companies will have to start taking data protection a lot more seriously if the examples of Singapore and Hong Kong are any indication of an enforcement trend.
Singapore’s Personal Data Protection Commission (PDPC) served notice on a number of companies during April 2016 for transgressing the rules and regulations set out in the Personal Data Protection Act (PDPA). The actions taken by the PDPC included direct warnings to 11 organisations, four of which also faced financial penalties.
Hitting companies where it hurts
The fines were no slap on the wrist. Karaoke chain K Box Entertainment Group faces a financial penalty of S$50,000 (US$36,500). The Group was found guilty of not adequately protecting the personal data of 37,000 members after hackers accessed member details, including contact numbers, email addresses, NRIC numbers and dates of birth, from the Group’s public site.
In a telling indictment of the ‘laissez-faire’ attitude that has until recently characterised the approach of private enterprise to data protection issues, the data protection commission said that the Group’s failure to appoint a data protection officer was a contributing factor to the breach.
We have spoken about compliance on a number of occasions in this newsletter, and the details of K Box’s approach to security show a company guilty of not employing the most rudimentary of security protocols and procedures. The data protection commission noted that K Box did not apply patches to ensure that its security was ‘sufficiently robust’, and that it also had weak control of access to personal data.
In a related move that will have vendors worried, a S$10,000 (US$7,300) fine was levied against Finantech Holdings, the vendor in charge of K Box’s content management system, for ‘failing to implement proper and adequate protective measures for the personal data in the system’. In a flagrant example of either laziness or simple ignorance of the dangers posed by hackers, the PDPC added that K Box’s IT systems were extremely vulnerable because the password for the administrator account was set to ‘admin’.
The example of K Box should give companies all the motivation in the world to appoint a data protection officer, as Singapore’s PDPA requires. The executives in charge of these companies would probably have claimed ignorance of just how lackadaisical the organisation’s approach to security was, a situation that would have been avoided by appointing a professional to implement and manage suitable security measures.
Unfortunately for K Box and other companies that have faced sanction, the legal principle of Ignorantia juris non excusat – “ignorance of the law excuses not” – is increasingly going to be applied by organisations such as the PDPC which police personal data protection issues. The principle holds that a person (or in this case an organisation) being unaware of a law is no excuse: such organisations will not escape liability for violating that law merely because they were unaware of its content. Whatever the jurisdiction, we believe that this approach is completely justified.
Hong Kong data protection commission gets proactive
The Hong Kong Privacy Commissioner has recently shared some insights into the state of privacy in the Special Administrative Region and the activities of the Office of the Privacy Commissioner for Personal Data (PCPD). Businesses were instructed to take heed of the announcement, another sign that the patience of Hong Kong authorities is running short with organisations that have been slow to transform the way in which they treat personal data.