Showing posts with label Data Protection. Show all posts

Wednesday, October 31, 2012

The Sun Daily: End to data abuse

Posted on 23 October 2012 - 05:24am
Last updated on 23 October 2012 - 02:49pm



Monday, May 21, 2012

Personal Data Protection Act Malaysia - Why are we waiting?

Teh Tai Yong: Personal Data Protection Act Malaysia - Why are we waiting?

The Malaysian Personal Data Protection Act 2010 ("PDPA") was passed and gazetted about 2 years ago.

As of today, the PDPA status is "Not Yet In Force". Why are we waiting ... ?

Besides the Credit Reporting Agencies Act 2010, which has the same fate of having the status "Not Yet In Force" as the PDPA, many other Acts of Parliament passed in 2010 or even 2011 & 2012 have come into force.


1. WHISTLEBLOWER PROTECTION ACT 2010 (ACT 711)   CRIME, LITIGATION   Date of coming into force: 15 December 2010 [PU(B) 537/2010]

2. COMPETITION ACT 2010 (ACT 712)   CONSUMER   Date of coming into force: 1 January 2012 [PU(B) 410/2010]

3. RENEWABLE ENERGY ACT 2011 (ACT 725)   ENERGY & MINING   Date of coming into force: 1 December 2011

4. PEACEFUL ASSEMBLY ACT 2012 (ACT 736)   CIVIL AND HUMAN RIGHTS   Date of coming into force: 23 April 2012 [PU(B) 147/2012]

On 22 November 2011, it was reported in The Star that "The long awaited Personal Data Protection Act 2010 will be enforced next year. Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim said the Ministry was in the process of getting "the right personnel with the right expertise" to set up the Personal Data Protection Department." 






(Photo obtained from http://foongchengleong.com)

However, when the Minister launched the new Personal Data Protection Department on 12 February 2012, despite much anticipation that he would announce the date of enforcement of PDPA, he did not do so. Instead, he highlighted the importance of the law.

Mr Minister, Why are we waiting? What are we waiting for? 

Friday, December 9, 2011

Data Protection Malaysia - Move to monitor data protection law

THE STAR - KUALA LUMPUR: A new department is being established under the Information, Communication and Culture Ministry to oversee the implementation of the Malaysian Personal Data Protection Act 2010, scheduled to be enforced early next year.

Deputy Minister Datuk Joseph Salang said the new department was expected to start operating by next year or earlier.
“As you know, to establish the department, we need to do everything right and this will take time,” he told reporters after the launch of the Information Security Summit here yesterday.
He said there was an urgent need for the Government to establish personal data protection laws as there were currently 17 million Internet users in the country.
“The more than 58% of household broadband penetration in the country is also a factor for drawing up the Malaysian Personal Data Protection Act.
“Prior to the implementation of this Act, personal data is only bound by contractual agreement or common law,” he said, adding that the legislation would significantly alter the way personal data was collected, processed, stored and transmitted between individuals and commercial organisations in Malaysia.
“The people will be able to dictate how their data is used by a third party as well as have clearly defined rights to access and correct their personal data.
“I admit that our digital infrastructure is still at its infancy and years behind the more mature infrastructure of digital goliaths, such as the United States.
“But our digital infrastructure has a sound foundation through the establishment of the Multimedia Super Corridor and is reinforced by the Government's commitment to continually improve and upgrade our system through cooperation and smart partnership with the private sector,” he said. - Bernama

http://thestar.com.my/news/story.asp?sec=nation&file=/2011/6/21/nation/8938933

Teh Tai Yong

Friday, December 2, 2011

The Star: Personal Data Protection Act to be introduced next year

KUALA LUMPUR: The long awaited Personal Data Protection Act 2010 will be enforced next year. 
Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim said the Ministry was in the process of getting "the right personnel with the right expertise" to set up the Personal Data Protection Department.
The Act was gazetted into law in June last year.
Dr Rais said the Act, when enforced, would safeguard people's personal information from being abused by organisations that collect and process personal data of individuals.
He said this after the Get Malaysian Business Online (GMBO) launch Tuesday.

Wednesday, April 7, 2010

The Star: No personal data out without consent

THE House has passed the Personal Data Protection Bill 2009 which seeks to protect personal data from being misused through commercial transactions.

Information, Communications, Culture and Arts Minister Datuk Seri Dr Rais Yatim, in his winding-up speech, said the Bill placed high importance on the protection of sensitive personal data, such as information on a person’s health, physical attributes, mental status and religious preferences.

“A personal data protection commissioner will be appointed and an advisory committee created to advise the commissioner on the enforcement of the Bill.

“It will be their job to monitor the activities of commercial transactors of information, such as the Credit Tip Off Service Sdn Bhd (CTOS), in putting such information in their database.”
Rais said anyone found to have abused the data would face a RM200,000 fine or imprisonment of two years or both.

The minister told reporters later that private database collection agencies would have to strictly comply once the Bill becomes law.

“The Bill is a form of cyber-legislation and Malaysia is the first among Asean countries to introduce such a law.

“It’s modelled after the provisions that were outlined by some European countries in relation to the protection of national security, defence and basic human rights requirements,” he added.

Rais said the new law would ensure that personal data would not be given out except with the consent of their owners.

Thursday, March 25, 2010

German Federal Constitutional Court overturns law on data retention

Privacy International: 09/03/2010


Last week the German Federal Constitutional Court overturned a law on the retention of telecommunications data for law enforcement purposes, stating that it posed a "grave intrusion" to personal privacy and must be revised. In their ruling the judges found that the law stands in contradiction to the basic right of private correspondence and does not protect the principle of proportionality, as it fails to balance the need to provide security with the right to privacy. All data on telephone calls, email and internet traffic as well as on the location of mobile phones that have so far been stored by telecommunication providers have to be deleted immediately. 

According to the Federal Constitutional Court the communications retention law does not provide adequate protection of personal data and it does not make sufficiently clear what it would be used for. The case was originally brought to the court in 2008, by a record number of almost 35,000 people, including the current Justice Minister Sabine Leutheusser-Schnarrenberger.

The Court, however, did not rule out data retention as such. The judges did not question the admissibility of the EU directive, on which the German law is based. This would have been outside the court’s competences. It merely stated that the law went far beyond the requirements of the EU directive.

The storage and usage of telecommunications data allows conclusions to be drawn that reach far beyond the private sphere, from which significant personal profiles can be established and people’s movements be tracked. The storage of data could "cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one’s basic rights in many areas," said the president of the court, Hans Jürgen Papier. Therefore, such interference will have to come with strings attached. The German law has not fulfilled these requirements and thus has been suspended by the Federal Constitutional Court.

The Court requires the German legislature to establish strict measures for the retention of data, which have to be implemented by telecommunication providers, which are responsible for storing the data. In addition, the legislature has to clarify that data retention is only to be used for the prosecution of severe criminal offences. Strict measures have to be established with regard to the usage of retained data by the police for the prevention of crime. The court also demands greater "transparent control" of what the information was used for. 

A significant limitation to the Federal Constitutional Court decision is their stance that IP addressing information is not worthy of strong protections under law. According to the court, although it is possible to identify internet users through IP addresses, personal profiles, however, cannot be established, as every time when the user connects to the internet a different IP address is assigned to him. 

German civil society groups are not entirely satisfied with last week’s judgment. "The court did not find the retention of data as such unconstitutional and declared that implementing the EU directive on data retention in conformity with the German Constitution is indeed possible. For now the retention of data has been overturned, but there will be new rules", Werner Huelsmann from the German Working Group on data retention told the newspaper Sueddeutsche. "A massive amount of data about German citizens who pose no threat and are not suspects is being retained," Germany’s Federal privacy commissioner, Peter Schaar told the German television channel ARD.

In response to the ruling the German Working Group on data retention has announced a Europe-wide campaign to end the permanent logging of internet and phone use. With the signatures of one million opponents the group wants to persuade the EU to repeal its data retention directive. 



Source: http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-566038&als[theme]=Data%20Protection%20and%20Privacy%20Laws



Wednesday, March 17, 2010

Google Chrome to do away with unique IDs


From the forthcoming version 4.1, Google is doing away with the Chrome feature which has attracted the most criticism: unique IDs. Until now, this token has been stored in the user_experience_metrics.user_id key in the User Data\Local State file in the Chrome installation folder (C:\User\[Name]\AppData\Local\Google\Chrome under Vista).



Supplementing other measures to improve the browser's reputation for data protection, in a white paper on Chrome data protection, Google has announced that it will in future delete the token once Google Chrome runs and checks for updates the first time. From version 4.1, the allegedly anonymous ID will only be used to report successful installation of the browser to Google.



This step is largely symbolic, as Chrome has never attempted to identify users using the client ID, which is reassigned each time the browser is updated. Investigations using network sniffers have failed to refute Google's privacy statement that this ID is used exclusively for checking for updates and for the crash reporter (which is disabled by default) – discussions over alleged attempts by Chrome to identify users have nonetheless occasionally taken on extreme dimensions.



Far more problematic from a data protection point of view is the comparison of what is typed into the address bar with search engine results, although this can also be disabled, or switched to competitors such as Yahoo! or Bing from the browser settings screen. The white paper looks at the details of this issue, as well as redirection of 404 pages to the search engine and phishing and malware protection.


Source:

Saturday, January 30, 2010

New EU Privacy Laws Could Hit Facebook


Technologies such as social networking, RFID, and even airport scanning have raced ahead of Europe's outdated data protection rules. Brussels aims to fix that

By Leigh Phillips

Two weeks ago, Mark Zuckerberg, the founder of social networking site Facebook told the world to just get over it—no one cares about privacy anymore—provoking a storm of protest across cyberspace.

On Thursday (28 January), the European Commission responded to the 24-year-old billionaire and announced plans for comprehensive new laws that have in their sights the massively popular website.

The commission is concerned that its existing rules on data protection date back to 1995, the very early days of what was at the time called the "information superhighway" and are extraordinarily out of date. Brussels is not just worried that the internet has sped ahead of its regulatory grasp, but also that many technologies, in particular Radio Frequency Identification (RFID), behavioural advertising and even airport security devices have proceeded apace, leaving EU legislation in the lurch.

The commission on Thursday, also the continent's official Data Protection Day, "warned that data protection rules must be updated to keep abreast of technological change to ensure the right to privacy."

Underscoring its new powers under the Lisbon Treaty and the legal basis given to the Charter of Fundamental Rights, the commission said it wants to create "a clear, modern set of rules" guaranteeing a high level of personal data protection and privacy.

Earlier legislation was also limited in that it was restricted to issues concerning the European Community—the so-called first pillar of the EU, but not foreign policy or policing and judicial affairs—the second and third pillars.

Mentioning Facebook, Myspace (NWS) and Twitter by name, EU Justice Commissioner Viviane Reding said she will start this year with a revision of the 1995 Data Protection Directive, in a speech that outlined the main principles and goals of her upcoming work as Europe's top fundamental rights watchdog. It is clear that privacy issues are at the forefront of her ambitions.

"Innovation is important in today's society but should not go at the expense of people's fundamental right to privacy," she said.

"Whether we want it or not, almost every day we share personal data about ourselves. These data are collected, processed and then stored out of our sight. By booking a flight ticket, transferring money, applying for a job or just using the Internet we are exposing our private lives to others. Sometimes it is necessary," she continued. "Data are being collected without our consent and often without our knowledge. This is where European law comes in."

She said that people should have the right "to say no…whenever they want."

The commissioner is frustrated that companies are tackling privacy issues—or, more commonly being forced to tackle privacy issues—only after a product or service has been developed.

"We need a change of approach: Businesses must use their power of innovation to improve the protection of privacy and personal data from the very beginning of the development cycle," she said.

Ms Reding finished by saying that Europe must set the global agenda in terms of privacy protection.

The commissioner also warned that body scanners at airports have not escaped her gaze. "I am convinced that body scanners have a considerable privacy-invasive potential. Their usefulness is still to be proven. Their impact on health has not yet been fully assessed. Therefore I cannot imagine this privacy-intrusive technique being imposed on us without full consideration of its impact."

The forceful speech comes just two weeks after Facebook's CEO made his own speech at the Consumer Electronics Show in Las Vegas, which has been widely interpreted as announcing "the end of privacy."

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that's evolved over time," Mr Zuckerberg said in a speech on 11 January, referring to the company's recent privacy policy change that made users' main information accessible by default. He described these changes as merely reflecting "current social norms" wherein young people have a much more relaxed attitude to privacy.

Across the Atlantic on Wednesday, Canada's privacy commissioner also announced a fresh investigation of Facebook after receiving complaints about the company's new privacy policy.

Source: Business Week

Saturday, January 9, 2010

MALAYSIAN DATA PROTECTION LAW IS INADEQUATE

By Prof Abu Bakar Munir

Soon, Malaysia will have a comprehensive data protection law governing the processing of personal data. As mentioned elsewhere, the Personal Data Protection Bill (PDP) has been tabled for the first reading in November 2009. The second reading will take place in March 2010. This discussion is based on the assumption that the PDP Bill is passed in its current form.


The European Union (EU) has adopted its 1995 Data Protection Directive (DPD). Article 25 of the DPD provides that the Member States shall provide that the transfer to a third country of personal data may take place only if the third country in question ensures an adequate level of protection. In other words, transfer of personal data from any European country to Malaysia may only take place if there is an adequate protection afforded by the PDP Act.

The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.

Content principles set out minimum requirements for the content of the law governing collection and processing of personal data. There are six content principles that Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the right of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.

In assessing the adequacy, the Working Party will also consider the scope or reach of the regime. They are divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organizations, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem: the Malaysian PDP Act, in section 3, exempts the Federal and State Government from its application. Under the latter, the law is to be applied to all processing of personal data regardless of purpose. Again, the Malaysian PDP Act in section 2 provides that the Act only applies to the processing of personal data in respect of commercial transactions.

Under the procedural and enforcement mechanisms or requirement, the WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In other words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.

The EU is one of Malaysia’s largest trading partners. The total trade in 2008 alone amounted to USD41.0 billion. Free flow of personal data can further facilitate and stimulate trade and investment. The enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU’s adequacy requirement test. What is the implication? Transfers of personal data may still take place provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.

As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.
 

Tuesday, December 22, 2009

ICO consults on online privacy



The Information Commissioner's Office (ICO) has launched an online consultation on a new draft code of practice to help organisations protect individuals' privacy online.

The draft code of practice explains data privacy law and calls on organisations to give people "the right degree" of control over their personal information.

The report suggests organisations give clear privacy choices to making it easier for people to erase their personal information at the end of a browsing session.

In a speech to delegates at the Personal information online conference in Manchester, Information Commissioner Christopher Graham said: "Customers can always vote with their feet and punish organisations that they feel have let them down - which serves as a very real reminder that getting privacy online wrong is a risky game to play. People should have control over what happens to their personal information online whether it's correcting inaccuracies, deleting profiles or choosing the privacy settings that suit them."

The draft code of practice includes guidance on when to collect information and when not to, cloud computing and improving individuals' access to data held on them.

Iain Bourne, Head of Data Protection Projects at the ICO, said: "Collecting information about people in the proper way, including making them fully aware of what will happen to their personal information and how they can access it and keep it accurate, lies at the heart of good privacy protection.

"The draft code of practice explains a difficult area of the law and provides practical advice on a range of online privacy issues. It urges organisations to do more to explain what they do with the information they collect about people and to make sure they use it in line with individuals' wishes."

The consultation ends on 5 March 2010. A link to the online consultation can be found at http://www.ico.gov.uk/

Read more at Publicservice.co.uk


EU Data Protection Meets U.S. Discovery

By DANIEL SCHIMMEL
New York Law Journal
December 18, 2009


As a result of an increase in U.S. lawsuits requiring the transfer of personal data from France to the United States, the French Data Protection Agency (CNIL) published a recommendation in August 2009, which is designed to offer guidance on data transfers in connection with U.S. civil discovery proceedings. The CNIL's recommendation expands on the guidelines adopted by the body of European data protection agencies (the Article 29 Data Protection Working Party) in February 2009.

EU member states increasingly enforce their data protection laws. For instance, in 2008, the Spanish data protection agency imposed fines amounting in total to €22.6 million. In France and other EU countries, companies are under pressure to comply with U.S. discovery requests, which frequently call for the production of personal data about employees, clients, or customers. The CNIL's recommendation reflects a tension between a company's obligation to respond to U.S. discovery requests and its obligation to comply with EU data protection laws. Because data protection laws pursue a legitimate interest and are increasingly enforced in Europe, courts and litigants in the U.S. should take them into account when ordering discovery abroad.

Read more at Law.com

Saturday, December 19, 2009

Two Bills withdrawn for next sitting - Malaysia Star


DECEMBER 18, 2009: TWO Bills – the Personal Data Protection Bill and the Credit Reporting Agencies Bill – which are scheduled to be tabled at the Dewan Rakyat have been withdrawn due to time constraint.

They will be tabled at the next sitting scheduled for mid-March next year.

Minister in the Prime Minister’s Department Datuk Seri Nazri Abdul Aziz said the withdrawal would also give MPs more time to study the Bills and prepare for debates.

The Personal Data Protection Bill is aimed at regulating personal data processing in commercial transactions.

The Credit Reporting Agencies Bill, meanwhile, is aimed at providing the mechanism to register and supervise all credit tip-off agencies involved in processing credit information of clients.

Apart from Budget 2010, the other Bills passed by the Dewan Rakyat included the Judges Ethics Committee Bill, Malaysia Deposit Insurance Corporation (Amendment) Bill, Rubber Industry Smallholders Development Authority (Amendment) Bill and the Capital Markets and Services (Amendment) Bill.

The Dewan Rakyat adjourned sine die yesterday after sitting for 36 days.
 
Source: The Star

Bill to address concerns over personal information - Malaysia Star


THE people’s concerns over how their personal data are processed and stored during commercial transactions will be addressed in a new Bill, which was tabled in Parliament.

Once passed, it will prevent such data from falling into the wrong hands and safeguard the rights of individuals.

Users of such data will be required to register themselves under the Personal Data Protection Bill, which will regulate the processing of the personal data of individuals involved in commercial transactions and also to protect such information.

The Bill was tabled by Deputy Information, Communications and Culture Minister Datuk Joseph Salang Gandum.

Under the Act, a Personal Data Protection Commissioner will be appointed and the person will be advised by a Personal Data Advisory Committee.

An appeals tribunal will also be established to allow the people to submit their complaints if they were unhappy with the management of their data.

A register of data user forums and a register of codes of practice will also be established under the Act, where users who failed to comply with a code of practice can be fined up to RM100,000 or jailed for a year, or both.

A heavier penalty awaits data users if they were found to have contravened provisions in the Bill, where they can be fined a maximum of RM200,000 or jailed for two years, or both.

The Bill seeks to prevent the occurrences of people losing their money through credit card fraud, customer-privacy infringements and data theft.
 
Source: The Star

Personal Data Protection Bill Tabled In Parliament - Bernama

KUALA LUMPUR, Nov 19 (Bernama) -- The Personal Data Protection Bill 2009 aimed at protecting public interests with regard to processing of personal data was tabled in the Dewan Rakyat on Wednesday.


In tabling the bill for the first reading, Deputy Information Communication and Culture Minister Datuk Joseph Salang Gandum said the bill consisted of 146 clauses and 11 sections.


The bill, among others, is aimed at regulating personal data processing in commercial transactions by users to protect the owners, and as such, protecting their interest.


According to the bill, as new technology and changes in market trend contributed to the growing importance of knowledge in the global economy, personal data in commercial transaction were becoming a valuable commodity.


This adds pressure in regulating data processing in efforts to enhance consumers' confidence in the global economy, it noted.


The bill provides for the appointment of the personal data protection commissioner and the setting up of an advisory committee to advise the commissioner on the enforcement of the act.


A tribunal will also be set up under the bill to enable offenders to appeal against decisions made by the commissioner.


The second section of the bill spells out provisions on personal data protection.


Among them, Section 5(1) states that personal data processing must adhere to the personal data protection principles, namely the general, notice, choice, due diligence, security, storage, integrity and access principles.


A personal data user faces imprisonment up to two years jail or a fine up to RM300,000 or both, if convicted under the act.


Read more at Bernama.com

Friday, October 9, 2009

Bill to better protect your personal data



The Star: Technology & News (Thursday October 8, 2009)



By STEVEN PATRICK


KUALA LUMPUR: Some banks, insurance companies and property developers have been selling your personal data to third parties, says University Malaya law professor Abu Bakar Munir.


With it, the parties can bother you with advertisements at the least. Worse is if your data is bought by others who use it to steal your identity and sign up for loans or make purchases.
Abu Bakar, who played an advisory role in the drafting of the soon-to-be tabled Personal Data Protection bill, is confident that the bill, when made into law, will put a stop to such sales of information on individuals.


There is currently no law to stop or curtail such activities, he told In.Tech. “This type of thing has to stop,” he said.


Earlier, Abu Bakar showed a list — containing the personal data of 500 people which he alleged that his friend had purchased from a property developer — to a packed auditorium where the National Conference on Personal Data Protection Law was taking place yesterday.


According to him, the data is sold according to the social and financial standing of the individuals. “The rate for an ordinary person’s details is 10sen. If he’s a Datuk, it’s RM1,” he said. The lists can contain anything from a few hundred to a few thousand names.
The Personal Data Protection bill has been in the works for the past nine years and Abu Bakar blames the delay on interference from the financial sector in the early years.


He said the sector believed then that such a law would be unnecessary because there were enough regulations in place to govern the use of personal data. “This view changed about a year ago after it became clear that the situation was getting out of hand.
“The financial institutions are now behind our efforts to have this law,” Abu Bakar said.


Abu Bakar said the bill calls for the Government to make it illegal for anyone to sell someone else’s personal data without prior consent. “There are stiff penalties for those found guilty of breaching this condition, which include jail terms and hefty fines,” he said.
He could not give a more detailed account of the bill’s content because it is not yet tabled and is covered by the Official Secrets Act.


Vital step


The bill is scheduled to be tabled in Parliament on Oct 19, according to Senator Heng Seai Kie, Deputy Information, Communications and Culture Minister 2, who officiated at the conference.


Heng said the drafting and enactment of a law that regulates the collection, processing and storage of people’s personal data is critical in this age of e-commerce.


“We have read horrifying stories about people losing their money due to credit card fraud, customer-privacy infringements and data theft,” she said. “Such incidents threaten the integrity of Malaysia as an emerging market economy.”


“Without clear rights and obligations on the collection and storing of personal data, individuals (inside and outside the country) will be reluctant to carry out (electronic) transactions,” she added.


Heng said the country is also embarrassed when incidents involving someone’s personal data falling into the wrong hands occur. Then, there are the financial and legal liabilities that rear up as well.


She reminded businesses that any personal data that is collected belongs to the individual and that the companies do not have the right to redistribute such information. She said the onus is on these businesses to protect such information on behalf of the individuals.
“We must have a law that enforces this,” she said.


Heng hopes the Personal Data Protection bill will be gazetted into law by early next year.
The bill was drafted by a group that includes representatives from the Attorney-General’s chambers, the former Ministry of Water, Energy and Communications, as well as academia.


In support


Sonny Zulhuda, 33, a law lecturer at the Multimedia University who chaired the conference, said the sale of personal data is not just a Malaysian problem. “It’s a bane worldwide. The new law will definitely help all of us,” he said.


Conference attendee Sharifah Afas, 28, group general counsel for Malaysia Airlines Bhd group legal practices, sees the selling of personal data as worrying. “Also, people would think twice before doing online transactions,” she said.


Another attendee, Teh Tai Yong, 28, said he was surprised to get a phone call from an insurance company shortly after applying for a credit card recently.


“It could have been coincidence but these occurrences are quite rampant. They should be stopped,” said the advocate and solicitor for Teh Kim Teh, Salina and Co.

Thursday, October 8, 2009

National Conference on Personal Data Protection Law

(From left: Sonny Zulhuda, Prof. Abu Bakar Munir, Datuk Dr. Hj. Abdul Raman Saad, Mohd Shamir Hashim)

(From left: Sonny Zulhuda, Steward J. Forbes, Prof. Ir. Dr. Mohamed Amin Alias, Prof. Abu Bakar Munir, Teh Tai Yong, Sonya Liew Yee Aun)


ON 7 October 2009, I attended the National Conference on Personal Data Protection Law organised by Institute Sultan Iskandar (ISI), Universiti Teknologi Malaysia. I was invited to chair the second session of the Conference.

The issue of data protection law is not new in Malaysia. The 1st draft personal data protection Bill was drafted back in 2000 but it was not passed as a law at that time. It is known that the Bill has been revised; however, at this moment the current bill is yet to be circulated for public consultation.

This topic has been widely discussed in recent months, mainly due to the fact that the Bill is scheduled to be tabled, and hopefully passed, in the upcoming parliamentary session, which will start in about 2 weeks from now.

In her keynote speech, YB Senator Heng Seai Kie, Deputy Minister of the Ministry of Information, Communication and Culture, stated that the law, when it's passed, would be beneficial to everyone.

The following topics were discussed during the 1-day Conference:

1) "Personal Data Protection Law in Malaysia: Where It Is, Where It's Going, Where It Should Be" - A Personal Data Protection Law has to be enacted as well as an amendment to the constitution enshrining the right to privacy
By Professor Abu Bakar Munir, Faculty of Law, Universiti Malaya

2) "Identity theft, phishing and cybercrimes- Can Data Protection Law be of any help?" - It is a fact that so many security attacks are directed at personal data. How do we ensure this problem will be countered? There is an increasing demand for organisations to understand the need for information security
By Mohd Shamir Hashim, Head, Cyber Security Research & Policy Division, CyberSecurity Malaysia

3) "The impact of International Protection & Privacy Law to Malaysian Businesses" - For instance EU Data Privacy Directive impact on Malaysian Companies and what measures must be taken
By Datuk Dr. Hj. Abdul Raman Saad, ARSA & Associates

4) “Privacy and Security of Personal Data” - Identifying the intersection for better compliance
By Mr. Sonny Zulhuda, Multimedia University

5) “Consumer Protection: Where does the Consumer stands in Protecting their Privacy” - Invasion of privacy: Personal data can be bought from various sources and Malaysian consumers are vulnerable under the current legal framework.
By Ms. Sonya Liew Yee Aun, Human Rights Committee of the Malaysian Bar Council

6) “The Data Protection Law - Understanding the Business Impact” - Is compliance with data protection legislation seen as increasing red-tape bureaucracy for local business?
By Mr. Steward J. Forbes, Executive Director, Malaysian International Chamber of Commerce & Industry

Overall, I think it was a very good event which discussed the issue of data protection from different perspectives, i.e. from the legal practitioners' perspective, from the academics' perspective as well as from the business community's perspective.

I look forward to the tabling of the Personal Data Protection (PDP) Bill in the coming weeks.

Thursday, October 1, 2009

Keep personal data personal


[This article was published in The Star on 1 October 2009]

In a world where personal data has become commoditised, there is a need for a governing law on the right to privacy.

A FEW days ago, I received this text message: “Good news! Credit Card Debts, restructuring reduced to 7% p.a. 100% approved! Or cash out, 12 banks available. Direct instalment to bank. Easy payment 24-36 months. More info, call me. Jane”.

I do have friends named Jane, but this Jane was not registered among my phone contacts. Curious, I called Jane, who introduced herself as being from “OTS Company” based in Subang.

She claimed that her company had wide contacts with as many as 12 banks and could “help” get me out of my credit card debt problem by restructuring the debt through an affordable financial package.
I was most puzzled by what Jane said. Firstly, I do not have a credit card debt problem. Secondly, and this was my main concern, how did Jane come to have my personal information? When questioned, Jane said she did not know the source of her “list of customers” data, which she was given each day; she was just doing her job calling the names on the list.
As such, who then is feeding this company with the personal information, which appears to be supplied on a regular basis? I am quite certain that this scenario is not new to many of us.
Have you ever received calls from telemarketers to whom you have not provided your name and telephone number? Or received spam email from unknown parties?

Have you ever realised that Internet search engines seem to carry advertisements of products and services similar to those on websites you have visited?

If your answer to any of the above is in the affirmative, do you wonder who has your personal data and how much they know about you? Who released your personal data to these people? Where did they obtain the data from?

More importantly, do you know what right you have over your own personal data?
Public awareness of personal data protection laws has increased over the years due to the rampant misuse and misappropriation of personal data. In Malaysia, one of the main reasons for such misuse is the lack of a governing law.

Personal data protection is an element of right to privacy. In this digital age, gigabytes of personal data could be collected and transmitted across the globe with just a click.
This includes information such as your name, address, telephone number, medical record, salary, employment record, marital status, academic performance, body size, etc. Your personal data is valuable to organisations.

There is no doubt that personal data ought to be protected. But the real question is whether our personal data has been and is being possessed and processed by these organisations in accordance with data protection principles.

The issue of personal data law is not new in Malaysia. The Government circulated a draft of a personal data protection Bill in 2000 for public consultation. However, the Bill has yet to be tabled in Parliament.

Protection of personal data gained public attention again in 2007 after the CTOS saga, involving Credit Tip Off Service.

The public was concerned over how the credit reporting agency collected, processed, stored and disseminated personal data such as credit standing or credit history of a person. CTOS was at that time widely used by banks and financial institutions as the guide for approving financing.
Subsequent to that incident, the Government revived the effort to enact a personal data protection law to safeguard personal data in line with rights to privacy.
From the international perspective, there are several instruments governing protection of personal data, for example (i) the Council of Europe Convention 1981, (ii) the Organisation for Economic Cooperation and Development Guidelines 1980, and (iii) the European Community Directive 1995.

So far, quite a number of countries have put in place comprehensive laws governing personal data protection, such as Data Protection Act 1998 in the UK, Privacy Act 1988 in Australia, Personal Data (Privacy) Ordinance in Hong Kong, Privacy Act 1982 in Canada, Personal Information Protection Law 2003 in Japan, etc.

Countries such as China, Indonesia and India have started efforts on enacting data protection laws. Evidently, there is a rise in action around the world to promote personal data protection.
Personal data protection laws have great impact on international trade and business, particularly in transborder data transfer and processing.
The enactment of data protection laws is not aimed at stifling business activities, including telemarketing. The public could be interested in receiving marketing calls for various products and services.

The need for a comprehensive law to govern dealings in personal data is not questioned. However, organisations should only be allowed to have access to or to utilise our personal data after we have given our consent for them to do so.

The law should incorporate, among other things, such data protection principles as: manner of collection, purpose of collection, use of data, accuracy of data, duration of retention, access to and correction of data, security, data user’s policy and practices.

Such a law would be a giant leap for Malaysia. The effectiveness of a data protection law depends very much on awareness among both data users and data subjects.
Malaysia is decades behind those countries which have enacted personal data protection laws.

However, it is better to be late than never, and it is hoped a personal data protection Bill will be tabled and passed in the next sitting of Parliament.