Awakening to a new dawn – the Personal Data Protection Act 2009
19 Apr 2010 12:00 am

by Rachel Suppiah

The Personal Data Protection Bill 2009 was recently passed by the Dewan Rakyat in Parliament. This is a radical act that will affect a large number of organisations and individuals alike.

To understand why there is a need for Personal Data Protection legislation, we must first understand why the need for such laws arose. The Personal Data Protection Bill, by the way, has no connection whatsoever with data protection of software in computers.

This area of law specifically relates to the dissemination and storage of personal data of people and is related to the law of privacy.

Privacy law is the area of law concerning the protection and preservation of the privacy rights of individuals. While there is no universally accepted privacy law among all countries, some organisations promote certain concepts to be enforced by individual countries. For example, the Universal Declaration of Human Rights, article 12, states:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.

For Europe, Article 8 of the European Convention on Human Rights guarantees the right to respect for private and family life, one's home and correspondence. The European Court of Human Rights in Strasbourg has developed a large body of jurisprudence defining this fundamental right to privacy. The European Union requires all member states to legislate to ensure that citizens have a right to privacy, through directives such as the 1995 Directive 95/46/EC on the protection of personal data. It is regulated in the United Kingdom by the Data Protection Act 1998, and in France data protection is also monitored by a governmental body which must authorise legislation concerning privacy before it is enacted.

The protection of privacy here relates specifically to information privacy, and in lay terms it means the protection of your personal details and information about you.

So the next question: what are the data protection principles? These are seven core principles regarding the ethics of how personal private data is to be collected, processed and stored.

In summary, the seven principles governing the OECD's guideline recommendations for protection of personal data were:
1. Notice: data subjects should be given notice when their data is being collected;
2. Purpose: data should only be used for the purpose stated and not for any other purposes;
3. Consent: data should not be disclosed without the data subject's consent;
4. Security: collected data should be kept secure from any potential abuses;
5. Disclosure: data subjects should be informed as to who is collecting their data;
6. Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and
7. Accountability: data subjects should have a method available to them to hold data collectors accountable for following the above principles.

Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose and proportionality.


Transparency
The data subject has the right to be informed when his personal data are being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11 EU Directives)
Data may be processed only under the following circumstances (art. 7):

· when the data subject has given his consent
· when the processing is necessary for the performance of or the entering into a contract
· when processing is necessary for compliance with a legal obligation
· when processing is necessary in order to protect the vital interests of the data subject
· processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
· processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn't being processed in compliance with the data protection rules. (art. 12)

Legitimate purpose

Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b)

Proportionality

Personal data may be processed only insofar as they are adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified. The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6)

When sensitive personal data (which can be religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply. (art. 8)

The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)

A decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15) A form of appeal should be provided when automatic decision-making processes are used.

The principles above are based on the OECD Guidelines and those of the European Union.

Why is there a need for such laws? Personally I feel it's about time we had a Personal Data Protection Act in Malaysia, to stop abuse and to curtail the many marketeers who transfer, sell and even barter personal data for profit. Many Malaysians are not aware that their personal data is being viewed, traded like a commodity and used by 3rd parties who should not have access to their personal information. How many of you have bought a new car, or applied for a loan or credit card, and weeks later you find 3rd parties are approaching you with spam emails or trying to promote products to you? Isn't it scary to realise that even while you are asleep someone somewhere could be accessing a database and taking down your personal details?

The impact is very great: in the EU, Data Protection Laws are viewed so seriously that member states must ensure that they all have adequate Data Protection Laws and, further, that when member states deal with non-member states, the non-member state must have adequate data protection laws. Article 25 of the OECD states:

Art 25.1

“The Member states shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the National provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection…”

Art 25.2

“The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country”

Now for the next question: Malaysia has passed a Personal Data Protection Act. What will the impact of the Act be, and would it be deemed adequate or provide adequate measures to ensure the spirit of Data Protection principles is entrenched?

I personally am glad that Malaysia is making a leap forward to enact the Personal Data Protection Act. However, in my view there are certain grey areas that need to be scrutinised. My points of scrutiny towards the Act are these:

(a) Section 3(1) - the Act shall not apply to the Federal Government and State Governments. That means privatised bodies are still bound by the Bill. One major point of concern is that the Government – Federal and State – are the biggest collectors of personal data. As such the data protection law must bind them to prevent abuse.

(b) As such, if the Bill is passed in its current form, the result will be that there will be two different standards for data protection in Malaysia. That means there will be one standard based on the Bill for private companies and another standard for the Government and Government Bodies.

This would actually diffuse the strength of the Personal Data Protection Act. Now, supposing a private company processed information and this company was in a business of dealing with the Government - the risk is that whilst the personal data stored by the company in question adhered to the Bill, what would happen to the same data in the event it was transferred to the Government? This would give any 3rd party the opportunity to actually circumvent the effectiveness of the Act by simply accessing the personal data when it is sent to the Government or the Government body in question. As such the Bill would be rendered a toothless tiger.

(c) My next concern is exactly what are the standards for monitoring the Malaysian Government's method of Data Protection? Is it the self-regulatory method, aka the safe harbour method? (Personally I think it's even lower than that or non-existent.) A legal paper I have read seems to suggest that the self-regulatory method has not been very effective, the reason being that the self-regulatory method's effectiveness all depends on the cooperation of the participants; hence if they have a set of self-regulatory rules and do naught, then the end result is nil.

(d) Then that results in the question: will the Bill provide adequate data protection in accordance with the OECD guidelines and the standard adopted by the EU and other nations such as Australia, New Zealand and Japan, to name a few? It is obvious that the Bill is not adequate. The Bill has its merits, but it still has many flaws, as stated next:

The Act does not adopt all the seven core principles as I have mentioned above. A reference to Sections 5, 6, 7, 8, 9, 10, 11 and 12 of the Act shows that Principles 1 and 7 are lacking from the Bill.

(e) From the Human Rights perspective – the Act imposes penalties such as heavy fines and imprisonment - this is even stricter than the UK Data Protection Act 1998 and the Hong Kong Data Protection Act. I feel imprisonment should not be imposed. Instead it is suggested that the Directors and shareholders be made to pay fines personally if the company is found guilty. That way a person's liberty will not be taken.

(f) As I mentioned earlier, the Act imposes severe fines and sentences for companies and individuals who do not obey the Act; however, an individual whose personal data has been exchanged or used has no personal recourse against the persons involved. The Act has no civil remedies available for individuals who may want to sue.

(g) One important issue that may have been missed out by the Drafters of the Bill is the fact that the right to privacy is not recognised by any statute in Malaysia. As such there is no real recourse for an individual whose privacy has been exposed or made public. It is thus imperative that the Bill be amended to include some form of compensation/relief and remedy to those whose rights have been infringed. There must first be recognition of the right to privacy and then laws created to strengthen that right and give remedies to those in need.

(h) Section 47 of the Bill creates the existence of a Commissioner. The Commissioner's office must be an independent one - he cannot be attached to the executive arm, in this case the Ministry, but should be made accountable to Parliament. Independence is a fundamental aspect here as the Commissioner holds a very important position. This position in my view is similar to that of a fiduciary position and as such greater accountability is needed.

(i) Section 70 - the Personal Data Protection Advisory Committee. I feel the existence of the Advisory Committee is not necessary - it will merely be a waste of taxpayers' money and burden the rakyat. The Committee serves no real purpose as its advice can be rejected and is not compulsory for the Commissioner to heed.

(j) Section 83 - the Appeal Tribunal. I disagree with the creation of an appeal tribunal - I think all disputes should be brought to court. The purpose of having an Appeal Tribunal is to decide on appeals by dissatisfied individuals against rulings made by the Commissioner. I am of the view that any dissatisfied individual who is unhappy with the Commissioner's ruling should be able to take his case straight to court by way of Judicial Review. The reason is because the Tribunal would only lengthen the process by which disputes can be resolved.

(k) I would also suggest that the Bill should take into consideration and allow some form of private prosecution for individuals whose rights have been infringed. The Commissioner has powers to conduct prosecution, but in reality with the amount of infringements and investigations that are foreseen, it would take months if not years for a successful prosecution to be brought to Court. This would actually cause more harm than good as individuals whose rights have been violated will be denied the fruits of justice.

It is time for the Personal Data Protection Act to be passed, and I feel this law will give some recognition to the right of privacy, in this case, personal privacy. However, I feel the Bill in its current form will be severely lacking and may not be deemed as an acceptable or even adequate level of compliance with that of other countries. Malaysia, our homeland, is now at the start of a new era; with the impact of globalisation and the emergence of a new market, we do need the Personal Data Protection Act 2009. However, the standard of this Act in my view leaves much to be desired. As such, only time will be able to show us the effectiveness of this new high-impact legislation. We are progressing in a direction, but is it the correct direction to take?

© Copyright Reserved 2023. Bar Council Malaysia.