I previously wrote about the dual nature of data intermediaries. In that post, I discussed how, under certain circumstances, a data intermediary may simultaneously be an organization in its own right, in relation to a particular set of personal data.
A recent decision (27 November 2017) from the Personal Data Protection Commission ("Commission") has raised yet another permutation in the ongoing development of case law relating to data intermediaries - the changing nature of the data intermediary. In this case, In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 and Social Metric Pte Ltd  SGPDPC 17, we see an organization's status change from "data intermediary" to "organization", in relation to a particular set of personal data.
The facts of the case salient to this point are as follows:
In this case, the Commission took the view that (i) the Company was a data intermediary because it was collecting personal data on behalf of its clients for their marketing campaigns; and (ii) posting the personal data online was also done in the Company's capacity as a data intermediary, as the webpages were also for the clients' marketing campaigns. Therefore, the Company was subject to only the Protection and Retention obligations in its capacity as a data intermediary, and was obliged to comply with these obligations from the Appointed Day onwards.
The Retention obligation is what this discussion focuses on. To briefly recap, the Retention obligation requires organizations to cease retaining the personal data where it is reasonable to assume that retention (i) no longer serves the purposes for which the personal data was collected; and (ii) is no longer necessary for legal or business purposes.
The Commission held that "it was when the marketing campaigns had ended, and Social Metric had held on to the personal data (which was still posted on the Website) for a longer period than was reasonable, that Social Metric can no longer be considered a data intermediary in relation to such activities".
Here we see the Commission articulating an interaction between the Retention obligation and the nature of the Company as a data intermediary. While the scope and application of the Retention organization is the same regardless of whether an organization is a data intermediary, the Commission seems to be saying that there is a consequence unique to data intermediaries if they retain personal data for longer than reasonable in their capacity as data intermediaries – that is, the data intermediary will no longer be considered a data intermediary in relation to that personal data.
To put this more bluntly – breaching the Retention obligation as a data intermediary can result in the "data intermediary" status being revoked in relation to a particular set of data.
This decision is not unprecedented. The UK and EU also take the position that a data processor (analogous to a "data intermediary") may become a data controller (analogous to an "organization") in its own right if it uses the personal data for its own purposes – in other words, beyond what is reasonable in its capacity as a data processor, including retaining it for longer than is reasonable.
Associate Director, Bernard & Rada Law Corporation
The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.
You should contact your lawyer for legal advice if you need legal assistance.