Sunday, May 23, 2010

Teh Tai Yong: Organise Seminars to Raise Public Awareness (Nanyang Siang Pau - 22 May 2010)


News published in Nanyang Siang Pau on 22 May 2010
● Nanyang Siang Pau, 刘秋仪


(Kuala Lumpur, 21st) Do you often receive unsolicited sales calls, marketing e-mails or advertising e-mails? It may be that your personal data has already been collected and sold to a third party.

Nowadays far too many people treat our personal data as a commodity to be bought and sold. This is a truly dangerous trend, because your private data is being intercepted and misused in circumstances you have no ability to control.

Because the government takes the misuse of personal data seriously, it tabled the Personal Data Protection Bill, which was passed by the Dewan Rakyat on 5 April this year; however, the government has not yet set up the Personal Data Protection Commission to fully enforce this Act.

Universiti Malaya law professor Abu Bakar pointed out today at the "Personal Data Protection Act" seminar that the Act is intended to regulate commercial transactions involving personal data.

He said that under this Act the data subject, i.e. the person who provides personal data, has the right to refuse, correct, be notified, access, and stop the data user from processing his or her personal data.

He gave an example: if a data subject applies to a bank for a credit card but then suddenly decides to cancel the application and has notified the other party (the data user/bank) to stop submitting his or her personal data, the other party should immediately terminate all submission and application procedures.

"If the data user nonetheless continues the submission procedure or sells the data subject's personal data to a third party, the former has contravened the Personal Data Protection Act 2010 and must face legal sanctions."

He believes data protection is not rocket science; rather, it is about respecting others and a matter of common sense, and a fair balance must be struck between the use of data and personal privacy.

Abu Bakar also believes that once the Data Protection Commission has been established, the government will fully enforce the Act one and a half years later.



Teh Tai Yong: Organise Seminars to Raise Public Awareness

Teh Tai Yong, one of the speakers and a consultant at the consultancy PDP顾问私人有限公司, pointed out that in other countries enforcing personal data protection laws, both private and government bodies are subject to the law; in Malaysia, however, the Federal and State Governments will not be bound by the Act, because the government has its own internal regulations.

He believes that the Act does not concern private organisations alone; the government must next hold Personal Data Protection Act seminars in three languages across the country to explain personal data privacy rights to the public and raise their awareness.

"Only when data subjects take their own data privacy rights seriously can data users in turn be made to handle data subjects' personal data seriously."

He said that the management of private organisations has a responsibility to hold personal data briefings to raise staff understanding and awareness of data use and of protecting customer privacy. The seminar was jointly organised by the Malaysian International Chamber of Commerce and Industry (MICCI) and PDP顾问私人有限公司.

Key points of the Personal Data Protection Act that you should know:

● Under section 127 of the Personal Data Protection Act (power of arrest), enforcement officers or the police may arrest, without any warrant, a person believed to have contravened the Act.

● Once the Act is fully enforced, a data user who sells a data subject's personal data without the permission of the relevant enforcement body or any certificate will be charged under section 16(4); upon conviction, he is liable to a fine not exceeding RM500,000 or imprisonment not exceeding 3 years, or both.

● Management has a responsibility to brief staff on the importance of personal data protection and how to comply with the regulations. If management holds no such briefing and a personal data leak is discovered, management will be the one dealt with; conversely, if enforcement officers prove that a staff member leaked customer data, the staff member will be dealt with.

● Once a data user is convicted, under section 5(2) of the Act he is liable to a fine not exceeding RM300,000 or imprisonment not exceeding 2 years, or both.


Background: Commercial transactions require the data subject's consent

Information, Communications and Culture Minister Datuk Seri Rais Yatim earlier pointed out that where personal data is involved in a commercial transaction, the data subject's consent must be obtained before his or her personal data may be kept; otherwise, the law will be breached.

He said that sensitive personal data, such as personal financial status, health status, political stance and religion, may not be disclosed to third parties.

He said that once the Act takes effect, Credit Tip Off Service Sdn Bhd (CTOS) must register with the Personal Data Protection Commission and obtain data subjects' consent to store their personal data; otherwise it may be dealt with under the Act.

Link: http://www.nanyang.com.my/Newscenter/articledetail.asp?type=N&ID=152007&sID=7&cID=10

Wednesday, April 14, 2010

Malaysian Personal Data Protection Act - PDP Act

FINALLY. After years of waiting, the Malaysian Personal Data Protection (PDP) Bill has been passed by the Dewan Rakyat on 5 April 2010.

It marks the end of the waiting and starts a new chapter in personal data protection for Malaysia, the first ASEAN nation to have such a law.

Of course, I would not miss the opportunity to witness the debates in Parliament when the PDP Bill was tabled for reading. Sharp at 5.00pm on 5 April 2010, the Minister (Dato’ Seri Utama Dr. Rais Yatim) introduced the Bill for second reading. The debate took about 2 1/2 hours and ended at 7.32pm.

As the Minister said, this is not a controversial Bill. This is evidenced by the fact that MPs from both the government and opposition sides supported the need for such a law. In fact, the tabling of such a law is long overdue, as pointed out by Datuk Bung Moktar bin Radin (MP for Kinabatangan).

Many MPs who took part in the debate related their personal experiences (pengalaman peribadi) on the issue of personal data protection. Puan Hajah Nancy binti Haji Shukri (MP for Batang Sadong) received unsolicited calls and SMS inviting her to invest in illegal schemes. Datuk Abd. Rahman Dahlan (MP for Kota Belud) said that when he went to a bank to collect his cheque book, he was asked why he had not invested in the investment instruments offered by the bank. The bank officer informed him that YB had money in the account and wanted him to invest in the instruments. Prof. Dr. P. Ramasamy (MP for Batu Kawan) was asked by a bank officer why he had not taken a loan. When questioned, the officer informed him that they had the data.

Undeniably, the data users (like banks, insurance companies, telcos etc) have personal data. The real question is how they deal with the personal data. This is the crux of the PDP law.

MPs from the opposition raised issues regarding the applicability of the PDP law. One of the issues raised was why the PDP law does not apply to the Federal Government and State Governments. In my opinion, that is a valid question and it should be discussed even though the law has been passed. If we agree that such a law is important, why shouldn't it apply to the Government as well?

The answer provided by the Minister was that the law is meant for data protection in "commercial transactions", and the Government does not process personal data of such nature. With due respect, this may not be entirely accurate. The Federal Government and State Governments do have links with the business community, such as banks. To give an example, if one uses MyKad as an ATM card as well, is the account information stored in MyKad not commercial in nature?

Moving forward, we hope that the Government would establish relevant mechanisms or procedures consistent with the Data Protection Principles in their departments/agencies.

Another issue raised by Fong Po Kuan (MP for Batu Gajah) was in relation to the Retention Period. She viewed that the law should expressly state the Retention Period for which the data could be retained, after which the data user must destroy the data. It is opined that such a fixed retention period is not possible, as the reasonable Retention Period depends on the specific circumstances. For example, the retention period for CCTV recordings in a retail shop would differ from a telco's records of telephone calls/SMS by individuals. If no crime has occurred, the recording should be deleted within days by the business operator, whereas the telco would retain the telephone/SMS records for at least a month for billing purposes. Take another example: students' results in universities. Understandably, the record would be kept for years before it is deleted. Would it be possible to fix a time frame for retention for all circumstances? The answer is clearly no.

Sitting in the Parliament, it was interesting to see how MPs took on CTOS as the bashing ground when debating the PDP Bill. Of course, one of the reasons that raised public awareness of the PDP law was the CTOS saga of 2007. But it should be noted that the Government has drafted a specific law, the Credit Reference Agencies Bill 2009, to deal with CRAs like CTOS. If the CRA Bill is passed, CTOS would be governed under that law.

Now that the Bill has been passed, it is implementation time! The task will be placed on the shoulders of the Data Protection Commissioner. Effective implementation would ensure the success of the PDP Act.

Overall, it is great that the PDP Bill has been passed by the Parliament, albeit with some shortcomings. This is not a perfect Bill, but it is definitely a giant leap forward in the legal framework for protecting personal data in Malaysia.

Finally, we have it now - the Malaysian Personal Data Protection Act.



Teh Tai Yong 
April 2010 


[Note: The Bill was passed unamended. Click the link to read the full text of the PDP Bill http://www.parlimen.gov.my/billindexbi/pdf/DR352009E.pdf ]

Wednesday, April 7, 2010

The Star: No personal data out without consent

THE House has passed the Personal Data Protection Bill 2009 which seeks to protect personal data from being misused through commercial transactions.

Information, Communications, Culture and Arts Minister Datuk Seri Dr Rais Yatim, in his winding-up speech, said the Bill placed high importance on the protection of sensitive personal data, such as information on a person’s health, physical attributes, mental status and religious preferences.

“A personal data protection commissioner will be appointed and an advisory committee created to advise the commissioner on the enforcement of the Bill.

“It will be their job to monitor the activities of commercial transactors of information, such as the Credit Tip Off Service Sdn Bhd (CTOS), in putting such information in their database.”

Rais said anyone found to have abused the data would face a RM200,000 fine or imprisonment of two years or both.

The minister told reporters later that private database collection agencies would have to strictly comply once the Bill becomes law.

“The Bill is a form of cyber-legislation and Malaysia is the first among Asean countries to introduce such a law.

“It’s modelled after the provisions that were outlined by some European countries in relation to the protection of national security, defence and basic human rights requirements,” he added.

Rais said the new law would ensure that personal data would not be given out except with the consent of their owners.

Thursday, March 25, 2010

German Federal Constitutional Court overturns law on data retention

Privacy International: 09/03/2010


Last week the German Federal Constitutional Court overturned a law on the retention of telecommunications data for law enforcement purposes, stating that it posed a "grave intrusion" to personal privacy and must be revised. In their ruling the judges found that the law stands in contradiction to the basic right of private correspondence and does not protect the principle of proportionality, as it fails to balance the need to provide security with the right to privacy. All data on telephone calls, email and internet traffic as well as on the location of mobile phones that have so far been stored by telecommunication providers have to be deleted immediately. 

According to the Federal Constitutional Court, the communications retention law does not provide adequate protection of personal data and does not make sufficiently clear what the data would be used for. The case was originally brought to the court in 2008 by a record number of almost 35.000 people, including the current Justice Minister Sabine Leutheusser-Schnarrenberger.

The Court, however, did not rule out data retention as such. The judges did not question the admissibility of the EU directive, on which the German law is based. This would have been outside the court’s competences. It merely stated that the law went far beyond the requirements of the EU directive.

The storage and usage of telecommunications data allows conclusions to be drawn that reach far beyond the private sphere, from which significant personal profiles can be established and people’s movements tracked. The storage of data could "cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one’s basic rights in many areas," said the president of the court, Hans Jürgen Papier. Therefore, such interference will have to come with strings attached. The German law has not fulfilled these requirements and has thus been suspended by the Federal Constitutional Court.

The Court requires the German legislature to establish strict measures for the retention of data, which have to be implemented by telecommunication providers, which are responsible for storing the data. In addition, the legislature has to clarify that data retention is only to be used for the prosecution of severe criminal offences. Strict measures have to be established with regard to the usage of retained data by the police for the prevention of crime. The court also demands greater "transparent control" of what the information was used for. 

A significant limitation of the Federal Constitutional Court decision is its stance that IP addressing information is not worthy of strong protection under law. According to the court, although it is possible to identify internet users through IP addresses, personal profiles cannot be established from them, as a different IP address is assigned to the user every time he connects to the internet.

German civil society groups are not entirely satisfied with last week’s judgment. "The court did not find the retention of data as such unconstitutional and declared that implementing the EU directive on data retention in conformity with the German Constitution is indeed possible. For now the retention of data has been overturned, but there will be new rules", Werner Huelsmann from the German Working Group on data retention told the newspaper Sueddeutsche. "A massive amount of data about German citizens who pose no threat and are not suspects is being retained," Germany’s Federal privacy commissioner, Peter Schaar, told the German television channel ARD.

In response to the ruling the German Working Group on data retention has announced a Europe-wide campaign to end the permanent logging of internet and phone use. With the signatures of one million opponents the group wants to persuade the EU to repeal its data retention directive. 



Source: http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-566038&als[theme]=Data%20Protection%20and%20Privacy%20Laws



Wednesday, March 17, 2010

ECJ: Supervisory authorities must be completely independent

By Sophie Mosca

The EU Court of Justice validated the principle of the independence of the authorities charged with guaranteeing the protection of personal data in Europe in a judgement handed down on 9 March against Germany for subjecting these authorities to state scrutiny (Case C-518/07 Commission v Germany). The court endorsed the position of the European Commission, which brought the action against Germany for its failure to apply correctly Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data (Directive of the Parliament and Council of 25 October 1995) by making the authority responsible for ensuring compliance with data protection provisions subject to scrutiny by the German Länder, i.e. a public authority.



Directive 95/46 requires that such authorities exercise their powers with “complete independence,” an expression the Commission interprets in the broad sense. Germany applied a narrower interpretation, arguing that the directive requires only the functional independence of the supervisory authorities, who must not be exposed to outside influence. It claimed that the scrutiny exercised in the German Länder does not constitute an outside influence but rather the administration’s internal monitoring mechanism, which is not in breach of the directive.



The court first identified the scope of the requirement of independence of the supervisory authorities, explaining that as a key element of data protection, they must enjoy independence that enables them to act without influence by the supervised bodies, but also without any direct or indirect external influence that could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to privacy and the free movement of personal data.



The court considers that the scrutiny exercised by the Länder is incompatible with the requirement of independence set by the directive. It also rejected Germany’s argument that the Commission’s position would lead in its case to a violation of the principles of democracy, conferred powers, subsidiarity and proportionality. The judges held that granting these supervisory authorities complete independence from political authorities does not deprive them of their democratic legitimacy nor does it violate conferred powers or exceed what is necessary to achieve the objectives of the EC Treaty.



The Commission welcomes this first ruling in this field, noting that Commissioner Viviane Reding has made the independence of supervisory authorities a priority.

Source: Europolitics.
http://www.europolitics.info/sectorial-policies/ecj-supervisory-authorities-must-be-completely-independent-art265573-16.html

Google Chrome to do away with unique IDs


From the forthcoming version 4.1, Google is doing away with the Chrome feature which has attracted the most criticism: unique IDs. Until now, this token has been stored in the user_experience_metrics.user_id key in the User Data\Local State file in the Chrome installation folder (C:\User\[Name]\AppData\Local\Google\Chrome under Vista).



Supplementing other measures to improve the browser's reputation for data protection, Google has announced in a white paper on Chrome data protection that it will in future delete the token once Google Chrome runs and checks for updates for the first time. From version 4.1, the allegedly anonymous ID will only be used to report successful installation of the browser to Google.



This step is largely symbolic, as Chrome has never attempted to identify users using the client ID, which is reassigned each time the browser is updated. Investigations using network sniffers have failed to refute Google's privacy statement that this ID is used exclusively for checking for updates and for the crash reporter (which is disabled by default) – discussions over alleged attempts by Chrome to identify users have nonetheless occasionally taken on extreme dimensions.



Far more problematic from a data protection point of view is the comparison of what is typed into the address bar with search engine results, although this can also be disabled, or switched to competitors such as Yahoo! or Bing from the browser settings screen. The white paper looks at the details of this issue, as well as redirection of 404 pages to the search engine and phishing and malware protection.


Source:

Saturday, January 30, 2010

New EU Privacy Laws Could Hit Facebook


Technologies such as social networking, RFID, and even airport scanning have raced ahead of Europe's outdated data protection rules. Brussels aims to fix that

By Leigh Phillips

Two weeks ago, Mark Zuckerberg, the founder of social networking site Facebook told the world to just get over it—no one cares about privacy anymore—provoking a storm of protest across cyberspace.

On Thursday (28 January), the European Commission responded to the 24-year-old billionaire and announced plans for comprehensive new laws that have in their sights the massively popular website.

The commission is concerned that its existing rules on data protection date back to 1995, the very early days of what was at the time called the "information superhighway" and are extraordinarily out of date. Brussels is not just worried that the internet has sped ahead of its regulatory grasp, but also that many technologies, in particular Radio Frequency Identification (RFID), behavioural advertising and even airport security devices have proceeded apace, leaving EU legislation in the lurch.

The commission on Thursday, also the continent's official Data Protection Day, "warned that data protection rules must be updated to keep abreast of technological change to ensure the right to privacy."

Underscoring its new powers under the Lisbon Treaty and the legal basis given to the Charter of Fundamental Rights, the commission said it wants to create "a clear, modern set of rules" guaranteeing a high level of personal data protection and privacy.

Earlier legislation was also limited in that it was restricted to issues concerning the European Community—the so-called first pillar of the EU, but not foreign policy or policing and judicial affairs—the second and third pillars.

Mentioning Facebook, Myspace (NWS) and Twitter by name, EU Justice Commissioner Viviane Reding said she will start this year with a revision of the 1995 Data Protection Directive, in a speech that outlined the main principles and goals of her upcoming work as Europe's top fundamental rights watchdog. It is clear that privacy issues are at the forefront of her ambitions.

"Innovation is important in today's society but should not go at the expense of people's fundamental right to privacy," she said.

"Whether we want it or not, almost every day we share personal data about ourselves. These data are collected, processed and then stored out of our sight. By booking a flight ticket, transferring money, applying for a job or just using the Internet we are exposing our private lives to others. Sometimes it is necessary," she continued. "Data are being collected without our consent and often without our knowledge. This is where European law comes in."

She said that people should have the right "to say no…whenever they want."

The commissioner is frustrated that companies are tackling privacy issues—or, more commonly being forced to tackle privacy issues—only after a product or service has been developed.

"We need a change of approach: Businesses must use their power of innovation to improve the protection of privacy and personal data from the very beginning of the development cycle," she said.

Ms Reding finished by saying that Europe must set the global agenda in terms of privacy protection.

The commissioner also warned that body scanners at airports have not escaped her gaze. "I am convinced that body scanners have a considerable privacy-invasive potential. Their usefulness is still to be proven. Their impact on health has not yet been fully assessed. Therefore I cannot imagine this privacy-intrusive technique being imposed on us without full consideration of its impact."

The forceful speech comes just two weeks after Facebook's CEO made his own speech at the Consumer Electronics Show in Las Vegas, which has been widely interpreted as announcing "the end of privacy."

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that's evolved over time," Mr Zuckerberg said in a speech on 11 January, referring to the company's recent privacy policy change that made users' main information accessible by default. He described these changes as merely reflecting "current social norms" wherein young people have a much more relaxed attitude to privacy.

Across the Atlantic on Wednesday, Canada's privacy commissioner also announced a fresh investigation of Facebook after receiving complaints about the company's new privacy policy.

Source: Business Week

Saturday, January 9, 2010

MALAYSIAN DATA PROTECTION LAW IS INADEQUATE

By Prof Abu Bakar Munir

Soon, Malaysia will have a comprehensive data protection law governing the processing of personal data. As mentioned elsewhere, the Personal Data Protection Bill (PDP) has been tabled for the first reading in November 2009. The second reading will take place in March 2010. This discussion is based on the assumption that the PDP Bill is passed in its current form.


The European Union (EU) adopted its Data Protection Directive (DPD) in 1995. Article 25 of the DPD provides that the Member States shall provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection. In other words, transfer of personal data from any European country to Malaysia may only take place if adequate protection is afforded by the PDP Act.

The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.

Content principles set out minimum requirements for the content of the law governing the collection and processing of personal data. There are six content principles that the Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the right of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.

In assessing adequacy, the Working Party will also consider the scope or reach of the regime. This is divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organizations, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem: the Malaysian PDP Act, in section 3, exempts the Federal and State Government from its application. Under the latter, the law is to be applied to all processing of personal data regardless of purpose. Again, the Malaysian PDP Act in section 2 provides that the Act only applies to the processing of personal data in respect of commercial transactions.

Under the procedural and enforcement requirements, WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In other words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.

The EU is one of Malaysia’s largest trading partners. The total trade in 2008 alone amounted to USD41.0 billion. Free flow of personal data can further facilitate and stimulate trade and investment. The enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU’s adequacy test. What is the implication? Transfers of personal data may still take place, provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.

As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.