Asia gets serious about enforcing data protection laws
SINGAPORE has fined its first “data monger” for selling personal data in violation of the nation’s Personal Data Protection Act (PDPA) established in 2014.
According to the Personal Data Protection Commission’s case file, Sharon Assya Qadriyah Tang is the first individual to be fined under this act for selling personal data without consent.
The case file revealed that Tang served as a telemarketing executive between 2012 and 2014 and bought leads consisting of an individual’s name, National Registration Identity Card (NRIC) number, mobile number and annual income range. She paid about SGD0.20 to 0.30 for each lead – and came to be in possession of 30,990 leads by the end of 2014.
Between 2012 and February 2017, Tang re-sold the leads about nine to 10 times via different websites on the Internet. The Commission found she had charged anywhere between SGD0.05 to 0.20 per lead and had earned a profit of about SG$5,000 from the activity.
While conducting the sales transactions, Tang concealed her true identity by using an alias and a corresponding email address, her husband’s bank account number, and a mobile phone number registered under her friend’s name.
The Commission noted that the data bought and sold by Tang was defined as personal data under the PDPA, and found her in breach of the Act since the transactions were not carried out by her in a personal or domestic capacity.
Authorities decided to levy a fine of SG$6,000 since they believed Tang did not transact on a large-scale and only sold the leads to supplement her income.
However, the commissioner has emphasized that the low fine charged is an “exception and should not be taken as setting any precedent for the extension of the same leniency or indulgences in other cases”.
This is a case that should be taken seriously by new entrepreneurs and small business owners, some of whom are known to resort to such tactics, obtaining leads in the black market or on the Internet, and using them for business. When buying leads, they must not only make sure that the consent of each individual has been obtained before adding their details to the database but also that the seller is authorised to sell these details.