We’re Sorry But We’ve Lost Your Confidential Data
By Tom Chou
Breakdown of Data Protection: A Nightmare for Consumers?
When Citigroup announced that it lost 3.9 million of its clients’ personal data in 2005, some questioned the bank’s data protection capabilities. Unfortunately, Citigroup’s incident was simply the tip of the iceberg.
In 2008, HSBC lost a computer disc containing the details of 370,000 customers. Consequently, the Financial Services Authority (FSA) of the United Kingdom imposed a fine of more than £3m on HSBC for failing to have appropriate systems to shield customers’ confidential details from being lost or stolen.
Public outcry against data leakages and the likelihood of customer details being used for fraudulent purposes have compelled the government to impose draconian measures by punishing banks for failing to have adequate security systems. These incidents raise the question of what legislation is in place to protect consumers’ and individuals’ confidential information.
National Provincial & Union Bank of England: Implied Duty of Confidentiality
The English decision of National Provincial & Union Bank of England was the first to establish that an implied contractual duty of confidentiality exists between a bank and its customers. In this case, the bank disclosed to Mr. Tournier’s employer that he had made frequent overdrafts. When Mr. Tournier was not hired at the end of his probationary term, he alleged that an implied contractual term prevented the bank from disclosing information about his account to third parties.
The English Court of Appeal held that there was no contractual requirement of complete confidentiality between a bank and its customers. However, the court determined that there was an implied term of the banker-customer contract which required that customer information be kept confidential, subject to four qualifications. This principle, by extension, covers the relationships between other financial institutions and their customers.
More importantly, the implied duty of confidentiality recognized in Tournier has been applied and interpreted in England, Canada, the United States and other Commonwealth countries. In one regard, the principle stemming from Tournier served as a building block in restricting financial institutions from disclosing information to third parties. Countries have since taken either a sectoral or a comprehensive approach in strengthening such protection.
Sectoral v. Comprehensive Approach
The European approach is a comprehensive one, as exemplified in the Council of Europe’s Convention on Data Protection and the EU Data Directive. In effect, European states have adopted either a registration or licensing regime for data protection that applies to both the public and private sectors. In a registration regime, a public or private sector institution which collects or uses personal information must register with a central data protection registrar. In a licensing regime, an institution needs to obtain a license before processing personal information.
The United States, on the other hand, does not have comprehensive data protection legislation. Instead, a mix of legislation, regulation and self-regulation, such as the Privacy Act of 1974 and the Computer Matching and Privacy Act, is in place. Complementing these are narrowly applicable laws on privacy and data protection, such as 42 U.S.C. 242, which protects against the disclosure of personal information gathered by the National Centers for Health Services Research and for Health Statistics for research purposes.
In practice, the federal and state levels have differing statutes protecting personal information in credit reporting, electronic funds transfer, and confidential information. However, there is no comprehensive private-sector privacy legislation in the United States, nor is there any independent agency responsible for monitoring or overseeing privacy or data-protection rights. Such an approach can be explained by the entrenched American belief in private rights and libertarian governance.
The United States has recently developed Safe Harbor Principles in consultation with the European Commission to establish a framework compatible with the standards stipulated in the European Directive. Such a step is necessary to ensure that the transfer of data complies with the law.
Singapore: The Need for a Comprehensive Data Protection Law?
Currently, Singapore does not have a general data protection law in place. Instead, implied terms of confidence at common law, contract law and sector-specific laws and practice directions serve the purpose of data protection. Remedies for breach of confidence include injunctions and damages, whereas the breach of sector-specific laws may constitute a criminal offence.
Although the idea of data protection legislation has been discussed for the past 14 years, there is no concrete date set for such a framework. With the advancement of technology and increased dependence on the Internet in conducting international business transactions, governments should legislate comprehensive data protection laws to secure an individual’s privacy.
Moreover, having a robust system of data protection is necessary to attract foreign investments and facilitate data sharing between Singapore and other states. As Hong Kong has a comprehensive regulatory regime for data protection, Singapore should bridge the gaps with Hong Kong in terms of data protection to remain competitive.
Likewise, with the European Union already having advanced data protection laws, one would expect that similar protections are necessary in countries that have commercial relations with the European Union.
In order to secure consumer trust and confidence, especially in the age of the Internet, data protection laws are necessary. The ever-changing nature of e-commerce and the establishment of databases with interlinked information technologies have raised awareness of the need to build a sound legal framework to address data protection. Accordingly, this is an area of the law that deserves much attention.








