To the extent that individuals and companies supply, offer to supply, transmit or make available, by any means (each an "act of supplying") such Hacked Personal Data, they must (i) ensure that any act of supplying the Hacked Personal Data is only for a legitimate purpose, and (ii) be able to prove that they did not know, or have any reason to believe, that the hacked personal data will be, or is likely to be used, to commit, or facilitate the commission of, any offence.
In other words, dealings in Hacked Personal Data could attract criminal liability under Singapore law, unless it is collected and used only for a legitimate purpose, and due care has been exercised in its disclosure, both in terms of the nature of the contents actually disclosed and the party to whom it was disclosed.
When Public Domain is Not Public Knowledge
In addition to the issues that could attract criminal liability under the CMCA, individuals and companies dealing with Hacked Personal Data for legitimate purposes need to be aware of other concurrent legal obligations.
Under the Singapore Personal Data Protection Act 2012 (PDPA), the collection, use and disclosure of any personal data by an organisation requires the consent of the individual to which the person data pertains, unless the organisation can rely on exemptions under the PDPA, for example, where:-
1) the collection, use and/or disclosure of the personal data is necessary:
- to respond to an emergency that threatens the life, health or safety of the individual or another individual; or
- for any investigation or proceedings; or
- for evaluative purposes; or
2) the personal data is publicly available.
The application of these exemptions under the PDPA may not be straightforward with regard to dealings with Hacked Personal Data, as the PDPA has ascribed specific meanings and parameters on what constitutes "investigation", "proceedings", "evaluative purposes", and "publicly available".
Individuals and organisations also must not forget that confidential data do not automatically lose their confidential status when they are made available in the public domain. This was clarified by the Singapore Court of Appeal in the recent decision of Wee Shuo Woon v HT S.R.L.  SGCA 23 ("Wee Shuo Woon") last March, where the confidential data in question was accessible by the public at large as a result of hacking. In that case, the defendant sought to strike out parts of his ex-employer's Statement of Claim by relying on copies of certain emails that were made available on WikiLeaks as a result of hacking by an unknown party.
Significantly, the Court of Appeal in Wee Shuo Woon reiterated that the concept of "public domain" is not a freestanding rule to be mechanistically applied, as there is a distinction between (a) the extent to which the confidential information in question "has become accessible", and (b) the extent to which it "has in fact been accessed by the general public". The court recognised that much of the information on the Internet, although accessible, is not in fact accessed by the public, whether from lack of interest or time or even ignorance. In that regard, a party could still be restrained, from making use and/or disclosures of, confidential information which has not become public knowledge despite being made accessible in the public domain.
Sign up for Computerworld eNewsletters.