Relying on the Legitimate Interests Exception under the Personal Data Protection Act 2012

In a recent decision (the Decision),[1] the Personal Data Protection Commission (PDPC) considered for the first time a company’s reliance on the Legitimate Interests Exception (as defined below) under the Personal Data Protection Act 2012 (PDPA) when the consent procured is invalid.

The General Legitimate Interests Exception

The general Legitimate Interests Exception was introduced to the PDPA as part of a number of amendments to the PDPA in November 2020 that came into effect on February 1 2021.[2] The exception allows organisations to collect, use and disclose personal data without consent in certain situations. In order to take advantage of the Legitimate Interests Exception, an organisation must satisfy a two-pronged test:

the collection, use or disclosure of an individual’s personal data must be in the legitimate interests of the organisation or another person (including other organisations); and
the organisation must weigh its legitimate interests against any adverse effects on the individual and conclude that its legitimate interests would outweigh any adverse effect on the individual,[3]

(the Legitimate Interests Exception).

In order to rely on the Legitimate Interests Exception, the organisation must also disclose its reliance on such exception to the relevant individuals.

Reliance on the Legitimate Interests Exception

The matter arose from a complaint to the PDPC alleging that the organisation in question (the Organisation) had collected photographs of NRICs and other identification documents (the Personal Data)from suppliers who delivered goods and produce to the Organisation’s warehouses, without the suppliers’ valid consent. The Organisation’s response was that it collected the Personal Data for the purposes of managing food safety risks and investigating any food safety incidents, and that Personal Data was collected only from suppliers entering high-risk areas.

The PDPC held that the Organisation could rely on the Legitimate Interest Exception. In reaching its conclusion, the PDPC considered:

the Organisation’s purported legitimate interests;
the possible adverse effects on the affected individuals, as well as the measures the Organisation put in place to eliminate, mitigate or reduce these adverse effects; and
whether the legitimate interests of the Organisation outweighed the adverse effects on the individuals (the Balancing Assessment).

Legitimate Interests

The PDPC accepted that the Personal Data was collected for a legitimate purpose of public food hygiene and safety, which was “a legitimate interest of the Organisation, and also of its business partners and ultimately, consumers.”[4] The PDPC considered the Organisation’s assessment that the benefit of collecting the Personal Data was “significant”, having regard to the potential harm that could be caused to the public by a food contamination incident.[5]

Adverse effects and mitigating measures

The PDPC clarified that the Organisation would need to identify the possible adverse effects on the individuals, and implement reasonable measures to eliminate, mitigate or reduce the adverse effects.[6]

In this regard, the Organisation had mitigated the likelihood of adverse effects by reducing the risk of misuse of the Personal Data. Among other measures, the Organisation implemented access controls, limited the areas where the Personal Data would be collected, restricted access to the devices containing the Personal Data, implemented IT measures to ensure safe storage on a backend server, and enforced data retention policies to require deletion within one year. Given the above measures, the Organisation assessed that the adverse impact on users was “low”.[7]

The Balancing Assessment

On the facts, the PDPC accepted that the Organisation had met the requirements for reliance on the Legitimate Interests Exception as its legitimate interests outweighed the adverse effects. The PDPC accepted that the Organisation had a legitimate interest in deterring food security incidents as well as in implementing enhanced identification requirements to regulate access to high risk areas, and that the collection of the Personal Data promoted these legitimate interests. The PDPC also recognised that the risks of unauthorised access, use and/or disclosure of the Personal Data had been significantly lowered on account of the enhanced access controls implemented by the Organisation.[8]

Providing Reasonable Access to Information

Separately, the PDPC also emphasised the need to provide the suppliers with reasonable access to information about the collection, use or disclosure of Personal Data.[9] The PDPC accepted the Organisation’s confirmation that it would notify affected individuals of its reliance on the Legitimate Interests Exception by posting notices at the relevant security post.[10] The PDPC indicated that this requirement could have been fulfilled by way of disclosure in the Organisation’s public data protection policy.[11]

Comments on other exceptions under the PDPA

Separately, the PDPC commented on various other exceptions that the Organisation had sought unsuccessfully to rely on if there was no valid consent:

National Interest Exception: The National Interest Exception[12] provides that collection, use and disclosure can be carried out without consent if it is in the national interest. The PDPC rejected the Organisation’s claim that collecting the Personal Data to enhance food safety was in the “national interest” [13] as it referred to “national defence, national security, public security, the maintenance of essential services and the conduct of international affairs” – the food safety risk posed to the Organisation did not meet this test.[14]

Investigations Exception: The Investigations Exception[15] provides that the collection, use or disclosure of personal data can be conducted without consent where necessary for investigation or proceedings. The Organisation attempted to rely on this exception by asserting that the collection of personal data was necessary for food safety investigations. However, the PDPC rejected this argument, and clarified that such an exception applies only to ongoing investigations and not a “hypothetical future investigation”.[16]

Deemed Consent: The PDPC also rejected the Organisation’s argument that there was deemed consent under section 15 of the PDPA. The Organisation argued that the Personal Data was volunteered and collected for the reasonable purposes of ensuring food security. The PDPC disagreed, and stated that the suppliers were not given a choice to not provide their identification documents, and that it would not have been obvious to the suppliers that photographs of their identification documents would be taken and stored.

The PDPC’s comments on the other exceptions are helpful, as they serve as useful markers of the extent to which the PDPC is willing to apply such exceptions to the facts.

Significance of the Decision

This Decision is significant as it is the first time the PDPC has interpreted and applied the Legitimate Interests Exception. The PDPC has provided helpful guidance on the analysis of the Legitimate Interests Exception, and clarified the measures that organisations can take to mitigate, reduce or eliminate the adverse effects on individuals. The methodical analysis undertaken by the PDPC to assess the Legitimate Interests Exception in this case provides a useful roadmap for organisations in assessing whether it may rely on the exception in other circumstances.

Critically, the Decision highlights the PDPC’s focus on safeguards and measures to protect individuals from the adverse effects that may ensue. This is consistent with Parliament’s stated purpose of implementing strict process safeguards to foreclose potential abuse of the Legitimate Interests Exception. In this regard, the PDPC has provided guidance on the application of the Legitimate Interests Exception within its Advisory Guidelines on Key Concepts in the PDPA.[17] Organisations seeking to rely on the Legitimate Interests Exception will need to pay close attention to safeguards and measures that they can impose in order to mitigate and minimise potential adverse effects on individuals arising out of their reliance on the exception.

The PDPC has also released a standalone Assessment Checklist for Legitimate Interests Exception,[18] which Organisations can rely on when conducting their assessments and when seeking to rely on the Legitimate Interests Exception.

We would like to thank Karyn Ooi, practice trainee at Ascendant Legal LLC, for her assistance with the preparation of this update.

[1] [2023] SGPDPC 1.

[2] Our previous post discussing the changes introduced by the amendments to the PDPA in November 2020 can be accessed here.

[3] Paragraph 1(1) of Part 3 of the First Schedule of the PDPA.

[4] The Decision at paragraph 6.

[5] The Decision at paragraph 16.

[6] The Decision at paragraphs 7 and 15.

[7] The Decision at paragraphs 15 and 16.

[8] The Decision at paragraphs 16 and 17.

[9] The Decision at paragraph 7. See also paragraph 2(b) of Part 3 of the First Schedule of the PDPA.

[10] The Decision at paragraph 16.

[11] The Decision at paragraph 7.