A graphic from the interior ministry’s Anti Cyber Crime Police
For some who love to show off just everything online, maybe not. Luckily, you are not one of them. You care for a reasonable protection before a naughty kid with a laptop begins to screw up your life for fun.
Recently, in the mouths of some Singapore-based customers, Starbucks Caramel Macchiato might have tasted bitter-sweet. Perhaps the sweet caramel was not doing what it should. The feeling, if it had occurred, would have been perfectly justified. How would you feel if your name, home address, date of birth…etc. were up for sale on the dark web? This incident occurred around September last year due to failure by Ascentis Pte. Ltd, an IT solution company that Starbucks in Singapore had hired to develop the rewards program which typically collects personal information of customers.
The breach in data security resulted in personal information of hundreds of thousands of Singapore-based customers being improperly accessed. In the words of the Personal Data Protection Commission, Ascentis Pte. Ltd had contravened the Protection Obligation set forth in the Personal Data Protection Act (PDPA) and has now been punished to pay a financial penalty of S$10,000 (Case No. DP-2209-C0193 / DP-2209-C0217). The fact that the Commission in Singapore is busy with complaints and regularly issues decisions every month is quite telling: even a close-knit and very well-governed state remains prone to cybercrimes.
You probably have at least one App of a popular coffee brand in Cambodia installed. You can assess your bank account or credit card while on the platform. What can you do? Convenience sticks like glue. To be fair, the tension between the need to make information available as openly as possible (otherwise AI won’t work that well) and the desire to feel safe within reasonable bounds means that we must forever take risks. As a new and evolving legal term, the complexity already plays out right from the start: what exactly constitutes personal information?
Under Singapore’s PDPA, “personal data” means data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organization has or is likely to have access. This vaguely open approach leaves plentiful room for interpretations, for better or worse.
In the UK, on the other hand, personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Thus, the UK’s recipe seems to provide more ingredients which could, when mixed together, help to identify an individual.
Yet, California, as the first state in the US that enacted a statute requiring notification of a data security breach, recognizes personal information in the following specific manners: (1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: Social security number, Driver’s license number, California ID number, tax ID number, passport number, military ID number, or other unique ID number, Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, Medical information, Health insurance information, Unique biometric data, Information or data collected through the use or operation of an automated license plate recognition system, Genetic data; and (2) A username or email address, in combination with a password or security question and answer that would permit access to an online account. Similar laws in all the other states in the US are more or less modelled on the California’s law.
You have by now noticed that the term personal is solely used in conjunction with a natural person, an individual. Thus, in Singapore, for instance, information about a limited liability company cannot be called “personal” because such a company is a legal entity. If follows that when an employee attends a conference in her corporate capacity and leaves her business name card at the registration desk, the conference organizer who collects the business name cards does not need to treat her name, position, phone number, email address as a protected personal information at all since the information on the card is considered business contact information rather than hers.
The spa that she might go to after the conference for her personal pleasure must, however, treat the very same information within the scope of PDPA. Moreover, whatever Singapore’s PDPA regards as “organization” must protect personal data in its possession or under its control by making reasonable security arrangements to prevent (a) unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored. In relation to the Rewards programme for Starbucks Singapore, Ascentis Pte. Ltd was found in breach of such obligation.
Reading laws isn’t always exciting, I know. A justified reason for drinking coffee. Now that we have taken another look at our smartphone and seen all the Apps on it, we wonder how effective Cambodia’s future law on personal information protection would be. A reasonable guess is that, given the various issues in legal compliance, subjective interpretations and the cost in maintaining a strong IT infrastructure to fit the purpose, law enforcement officers would be busy. But in order that small businesses (those that can’t keep up with the appropriate IT infrastructure) won’t go bankrupt just because of a heavy financial penalty, a good law should lay down the principle of reasonableness at its foundation when dealing with potentially significant harm.
Virak Prum, LLB, LLM, PhD (2006 Nagoya University) teaches law at CamEd Business School.
The views expressed are solely his own.
