
Saturday, January 9, 2010

MALAYSIAN DATA PROTECTION LAW IS INADEQUATE

By Prof Abu Bakar Munir

Soon, Malaysia will have a comprehensive data protection law governing the processing of personal data. As mentioned elsewhere, the Personal Data Protection Bill (PDP) was tabled for its first reading in November 2009. The second reading will take place in March 2010. This discussion is based on the assumption that the PDP Bill is passed in its current form.


The European Union (EU) has adopted its 1995 Data Protection Directive (DPD). Article 25 of the DPD provides that the Member States shall provide that the transfer to a third country of personal data may take place only if the third country in question ensures an adequate level of protection. In other words, transfer of personal data from any European country to Malaysia may only take place if there is adequate protection afforded by the PDP Act.

The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.

The content principles set out minimum requirements for the content of the law governing collection and processing of personal data. There are six content principles that Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the right of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.

In assessing adequacy, the Working Party will also consider the scope or reach of the regime. This is divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organizations, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem: the Malaysian PDP Act, in section 3, exempts the Federal and State Government from its application. Under the latter, the law is to be applied to all processing of personal data regardless of purpose. Again, the Malaysian PDP Act, in section 2, provides that the Act only applies to the processing of personal data in respect of commercial transactions.

Under the procedural and enforcement requirements, the WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In other words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.

The EU is one of Malaysia’s largest trading partners. The total trade in 2008 alone amounted to USD41.0 billion. Free flow of personal data can further facilitate and stimulate trade and investment. The enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU’s adequacy requirement test. What is the implication? Transfers of personal data may still take place provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.

As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.
 

Saturday, December 19, 2009

Two Bills withdrawn for next sitting - Malaysia Star


DECEMBER 18, 2009: TWO Bills – the Personal Data Protection Bill and the Credit Reporting Agencies Bill – which were scheduled to be tabled at the Dewan Rakyat have been withdrawn due to time constraints.

They will be tabled at the next sitting scheduled for mid-March next year.

Minister in the Prime Minister’s Department Datuk Seri Nazri Abdul Aziz said the withdrawal would also give MPs more time to study the Bills and prepare for debates.

The Personal Data Protection Bill is aimed at regulating personal data processing in commercial transactions.

The Credit Reporting Agencies Bill, meanwhile, is aimed at providing the mechanism to register and supervise all credit tip-off agencies involved in processing credit information of clients.

Apart from Budget 2010, the other Bills passed by the Dewan Rakyat included the Judges Ethics Committee Bill, Malaysia Deposit Insurance Corporation (Amendment) Bill, Rubber Industry Smallholders Development Authority (Amendment) Bill and the Capital Markets and Services (Amendment) Bill.

The Dewan Rakyat adjourned sine die yesterday after sitting for 36 days.
 
Source: The Star

Bill to address concerns over personal information - Malaysia Star


THE people’s concerns over how their personal data are processed and stored during commercial transactions will be addressed in a new Bill, which was tabled in Parliament.

Once passed, it will prevent such data from falling into the wrong hands and safeguard the rights of individuals.

Users of such data will be required to register themselves under the Personal Data Protection Bill, which will regulate the processing of the personal data of individuals involved in commercial transactions and also to protect such information.

The Bill was tabled by Deputy Information, Communications and Culture Minister Datuk Joseph Salang Gandum.

Under the Act, a Personal Data Protection Commissioner will be appointed and the person will be advised by a Personal Data Advisory Committee.

An appeals tribunal will also be established to allow the people to submit their complaints if they were unhappy with the management of their data.

A register of data user forums and a register of codes of practice will also be established under the Act, where users who failed to comply with a code of practice can be fined up to RM100,000 or jailed for a year, or both.

A heavier penalty awaits data users if they were found to have contravened provisions in the Bill, where they can be fined a maximum of RM200,000 or jailed for two years, or both.

The Bill seeks to prevent the occurrences of people losing their money through credit card fraud, customer-privacy infringements and data theft.
 
Source: The Star