Saturday, January 30, 2010

New EU Privacy Laws Could Hit Facebook


Technologies such as social networking, RFID, and even airport scanning have raced ahead of Europe's outdated data protection rules. Brussels aims to fix that

By Leigh Phillips

Two weeks ago, Mark Zuckerberg, the founder of social networking site Facebook, told the world to just get over it—no one cares about privacy anymore—provoking a storm of protest across cyberspace.

On Thursday (28 January), the European Commission responded to the 24-year-old billionaire and announced plans for comprehensive new laws that have in their sights the massively popular website.

The commission is concerned that its existing rules on data protection date back to 1995, the very early days of what was at the time called the "information superhighway", and are extraordinarily out of date. Brussels is not just worried that the internet has sped ahead of its regulatory grasp, but also that many technologies, in particular Radio Frequency Identification (RFID), behavioural advertising and even airport security devices, have proceeded apace, leaving EU legislation in the lurch.

The commission on Thursday, also the continent's official Data Protection Day, "warned that data protection rules must be updated to keep abreast of technological change to ensure the right to privacy."

Underscoring its new powers under the Lisbon Treaty and the legal basis given to the Charter of Fundamental Rights, the commission said it wants to create "a clear, modern set of rules" guaranteeing a high level of personal data protection and privacy.

Earlier legislation was also limited in that it was restricted to issues concerning the European Community—the so-called first pillar of the EU—but not foreign policy or policing and judicial affairs, the second and third pillars.

Mentioning Facebook, Myspace (NWS) and Twitter by name, EU Justice Commissioner Viviane Reding said she will start this year with a revision of the 1995 Data Protection Directive, in a speech that outlined the main principles and goals of her upcoming work as Europe's top fundamental rights watchdog. It is clear that privacy issues are at the forefront of her ambitions.

"Innovation is important in today's society but should not go at the expense of people's fundamental right to privacy," she said.

"Whether we want it or not, almost every day we share personal data about ourselves. These data are collected, processed and then stored out of our sight. By booking a flight ticket, transferring money, applying for a job or just using the Internet we are exposing our private lives to others. Sometimes it is necessary," she continued. "Data are being collected without our consent and often without our knowledge. This is where European law comes in."

She said that people should have the right "to say no…whenever they want."

The commissioner is frustrated that companies are tackling privacy issues—or, more commonly being forced to tackle privacy issues—only after a product or service has been developed.

"We need a change of approach: Businesses must use their power of innovation to improve the protection of privacy and personal data from the very beginning of the development cycle," she said.

Ms Reding finished by saying that Europe must set the global agenda in terms of privacy protection.

The commissioner also warned that body scanners at airports have not escaped her gaze. "I am convinced that body scanners have a considerable privacy-invasive potential. Their usefulness is still to be proven. Their impact on health has not yet been fully assessed. Therefore I cannot imagine this privacy-intrusive technique being imposed on us without full consideration of its impact."

The forceful speech comes just two weeks after Facebook's CEO made his own speech at the Consumer Electronics Show in Las Vegas, which has been widely interpreted as announcing "the end of privacy."

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that's evolved over time," Mr Zuckerberg said in a speech on 11 January, referring to the company's recent privacy policy change that made users' main information accessible by default. He described these changes as merely reflecting "current social norms" wherein young people have a much more relaxed attitude to privacy.

Across the Atlantic on Wednesday, Canada's privacy commissioner also announced a fresh investigation of Facebook after receiving complaints about the company's new privacy policy.

Source: Business Week

Saturday, January 9, 2010

MALAYSIAN DATA PROTECTION LAW IS INADEQUATE

By Prof Abu Bakar Munir

Soon, Malaysia will have a comprehensive data protection law governing the processing of personal data. As mentioned elsewhere, the Personal Data Protection Bill (PDP) was tabled for its first reading in November 2009. The second reading will take place in March 2010. This discussion is based on the assumption that the PDP Bill is passed in its current form.


The European Union (EU) adopted its Data Protection Directive (DPD) in 1995. Article 25 of the DPD provides that Member States shall ensure that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection. In other words, transfer of personal data from any European country to Malaysia may only take place if adequate protection is afforded by the PDP Act.

The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.

The content principles set out minimum requirements for the content of the law governing collection and processing of personal data. There are six content principles that the Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the rights of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.

In assessing adequacy, the Working Party will also consider the scope or reach of the regime. This is divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organisations, that is, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem: section 3 of the Malaysian PDP Act exempts the Federal and State Governments from its application. Under the latter, the law must apply to all processing of personal data regardless of purpose. Again, section 2 of the Malaysian PDP Act provides that the Act only applies to the processing of personal data in respect of commercial transactions.

Under the procedural and enforcement requirements, WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In other words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.

The EU is one of Malaysia's largest trading partners. Total trade in 2008 alone amounted to USD41.0 billion. The free flow of personal data can further facilitate and stimulate trade and investment, and the enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU's adequacy test. What is the implication? Transfers of personal data may still take place, provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.

As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.