E-commerce is on the rise. The size of the global e-commerce market is projected to reach US$4.11 trillion in 2023, with an annual growth rate of 11.51% resulting in a projected market volume of US$6.35 trillion by 2027[1].
A huge amount of data, much of it sensitive, is amassed during, and sometimes even before and after, an online purchase. It is therefore unsurprising that the Personal Data Protection Commission of Singapore (PDPC) has released various decisions pertaining to breaches within the e-commerce sector. The message is clear: whilst merchants typically use third-party platforms to fuel their online sales, obligations under the Personal Data Protection Act 2012 (PDPA) cannot be delegated to such third-party platforms, regardless of the latter’s size and dominance of the e-commerce market.
This is underscored once again in the decision released by the PDPC in October 2022, pertaining to a company behind various indie lifestyle body care products (Merchant), Shopify Inc (Shopify) and Shopify Commerce Singapore Pte Ltd (Shopify SG), and certain instances of non-compliance with personal data protection obligations under the PDPA.
In brief
The Merchant uses Shopify, an e-commerce platform (Platform), to run its digitally native retail business. In the course of business, personal data was collected, both in relation to the Merchant’s customers and in relation to users in general who used the Platform. The Merchant depended on Shopify (and, at some point thereafter, Shopify SG), as a data intermediary, to process its customers’ personal data; Shopify SG in turn depended on Shopify, as a data intermediary, to process user personal data on the Platform.
Between June and September 2020, two Shopify service contractors illegally accessed and exfiltrated certain customer personal data stored in Shopify’s systems, which included full names, email addresses, billing addresses, shipping addresses, phone numbers, bank identification numbers, IP addresses, the last four digits of customer payment cards, and purchase histories of more than 20,000 individuals, thus constituting a personal data breach under the PDPA.
Important takeaways
Customers are increasingly aware of their rights with regard to their data. A breach poses a great threat to the reputation of merchants carrying out business online. Customer recovery, including customer communication, is vital in the event of a breach.
It is also important to note that the amendments to the PDPA took effect on 1 October 2022, under which the financial penalty cap increased from the previously fixed S$1 million to the higher of S$1 million or 10% of the organisation’s annual turnover in Singapore, for organisations with annual local turnover exceeding S$10 million. However, in the case mentioned above, the PDPC did not levy fines on any of the parties in breach, in view of their high level of cooperation and the PDPC’s power to accept voluntary undertakings as part of its enforcement regime. The assessment as to whether to notify the relevant authority, and the communications with that authority (if notification is required), have to be prompt and effective.
Further, e-commerce often attracts customers from different countries. The applicable data laws are therefore varied, bringing about the potential need to seek counsel in different jurisdictions on an urgent basis.
Our Cyber Response+ offering provides clients with an aligned approach across multiple jurisdictions, taking into account the varying nuances of the applicable laws across those jurisdictions.