Showing posts with label Privacy. Show all posts

Friday, December 9, 2011

Data Protection Malaysia - Move to monitor data protection law

THE STAR - KUALA LUMPUR: A new department is being established under the Information, Communication and Culture Ministry to oversee the implementation of the Malaysian Personal Data Protection Act 2010, scheduled to be enforced early next year.

Deputy Minister Datuk Joseph Salang said the new department was expected to start operating by next year or earlier.
“As you know, to establish the department, we need to do everything right and this will take time,” he told reporters after the launch of the Information Security Summit here yesterday.
He said there was an urgent need for the Government to establish personal data protection laws as there were currently 17 million Internet users in the country.
“The more than 58% of household broadband penetration in the country is also a factor for drawing up the Malaysian Personal Data Protection Act.
“Prior to the implementation of this Act, personal data is only bound by contractual agreement or common law,” he said, adding that the legislation would significantly alter the way personal data was collected, processed, stored and transmitted between individuals and commercial organisations in Malaysia.
“The people will be able to dictate how their data is used by a third party as well as have clearly defined rights to access and correct their personal data.
“I admit that our digital infrastructure is still at its infancy and years behind the more mature infrastructure of digital goliaths, such as the United States.
“But our digital infrastructure has a sound foundation through the establishment of the Multimedia Super Corridor and is reinforced by the Government's commitment to continually improve and upgrade our system through cooperation and smart partnership with the private sector,” he said. - Bernama

http://thestar.com.my/news/story.asp?sec=nation&file=/2011/6/21/nation/8938933

Teh Tai Yong

Wednesday, April 7, 2010

The Star: No personal data out without consent

THE House has passed the Personal Data Protection Bill 2009 which seeks to protect personal data from being misused through commercial transactions.

Information, Communications, Culture and Arts Minister Datuk Seri Dr Rais Yatim, in his winding-up speech, said the Bill placed high importance on the protection of sensitive personal data, such as information on a person’s health, physical attributes, mental status and religious preferences.

“A personal data protection commissioner will be appointed and an advisory committee created to advise the commissioner on the enforcement of the Bill.

“It will be their job to monitor the activities of commercial transactors of information, such as the Credit Tip Off Service Sdn Bhd (CTOS), in putting such information in their database.”
Rais said anyone found to have abused the data would face a RM200,000 fine or imprisonment of two years or both.

The minister told reporters later that private database collection agencies would have to strictly comply once the Bill becomes law.

“The Bill is a form of cyber-legislation and Malaysia is the first among Asean countries to introduce such a law.

“It’s modelled after the provisions that were outlined by some European countries in relation to the protection of national security, defence and basic human rights requirements,” he added.

Rais said the new law would ensure that personal data would not be given out except with the consent of their owners.

Saturday, January 30, 2010

New EU Privacy Laws Could Hit Facebook


Technologies such as social networking, RFID, and even airport scanning have raced ahead of Europe's outdated data protection rules. Brussels aims to fix that

By Leigh Phillips

Two weeks ago, Mark Zuckerberg, the founder of social networking site Facebook, told the world to just get over it—no one cares about privacy anymore—provoking a storm of protest across cyberspace.

On Thursday (28 January), the European Commission responded to the 24-year-old billionaire and announced plans for comprehensive new laws that have in their sights the massively popular website.

The commission is concerned that its existing rules on data protection date back to 1995, the very early days of what was at the time called the "information superhighway", and are extraordinarily out of date. Brussels is not just worried that the internet has sped ahead of its regulatory grasp, but also that many technologies, in particular Radio Frequency Identification (RFID), behavioural advertising and even airport security devices have proceeded apace, leaving EU legislation in the lurch.

The commission on Thursday, also the continent's official Data Protection Day, "warned that data protection rules must be updated to keep abreast of technological change to ensure the right to privacy."

Underscoring its new powers under the Lisbon Treaty and the legal basis given to the Charter of Fundamental Rights, the commission said it wants to create "a clear, modern set of rules" guaranteeing a high level of personal data protection and privacy.

Earlier legislation was also limited in that it was restricted to issues concerning the European Community—the so-called first pillar of the EU, but not foreign policy or policing and judicial affairs—the second and third pillars.

Mentioning Facebook, Myspace (NWS) and Twitter by name, EU Justice Commissioner Viviane Reding said she will start this year with a revision of the 1995 Data Protection Directive, in a speech that outlined the main principles and goals of her upcoming work as Europe's top fundamental rights watchdog. It is clear that privacy issues are at the forefront of her ambitions.

"Innovation is important in today's society but should not go at the expense of people's fundamental right to privacy," she said.

"Whether we want it or not, almost every day we share personal data about ourselves. These data are collected, processed and then stored out of our sight. By booking a flight ticket, transferring money, applying for a job or just using the Internet we are exposing our private lives to others. Sometimes it is necessary," she continued. "Data are being collected without our consent and often without our knowledge. This is where European law comes in."

She said that people should have the right "to say no…whenever they want."

The commissioner is frustrated that companies are tackling privacy issues—or, more commonly, being forced to tackle privacy issues—only after a product or service has been developed.

"We need a change of approach: Businesses must use their power of innovation to improve the protection of privacy and personal data from the very beginning of the development cycle," she said.

Ms Reding finished by saying that Europe must set the global agenda in terms of privacy protection.

The commissioner also warned that body scanners at airports have not escaped her gaze. "I am convinced that body scanners have a considerable privacy-invasive potential. Their usefulness is still to be proven. Their impact on health has not yet been fully assessed. Therefore I cannot imagine this privacy-intrusive technique being imposed on us without full consideration of its impact."

The forceful speech comes just two weeks after Facebook's CEO made his own speech at the Consumer Electronics Show in Las Vegas, which has been widely interpreted as announcing "the end of privacy."

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that's evolved over time," Mr Zuckerberg said in a speech on 11 January, referring to the company's recent privacy policy change that made users' main information accessible by default. He described these changes as merely reflecting "current social norms" wherein young people have a much more relaxed attitude to privacy.

Across the Atlantic on Wednesday, Canada's privacy commissioner also announced a fresh investigation of Facebook after receiving complaints about the company's new privacy policy.

Source: Business Week

Saturday, January 9, 2010

MALAYSIAN DATA PROTECTION LAW IS INADEQUATE

By Prof Abu Bakar Munir

Soon, Malaysia will have a comprehensive data protection law governing the processing of personal data. As mentioned elsewhere, the Personal Data Protection Bill (PDP) has been tabled for the first reading in November 2009. The second reading will take place in March 2010. This discussion is based on the assumption that the PDP Bill is passed in its current form.


The European Union (EU) has adopted its 1995 Data Protection Directive (DPD). Article 25 of the DPD provides that the Member States shall provide that the transfer to a third country of personal data may take place only if the third country in question ensures an adequate level of protection. In other words, transfer of personal data from any European country to Malaysia may only take place if there is adequate protection afforded by the PDP Act.

The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.

The content principles set out minimum requirements for the content of the law governing collection and processing of personal data. There are six content principles that the Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the right of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.

In assessing adequacy, the Working Party will also consider the scope or reach of the regime. They are divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organizations, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem: the Malaysian PDP Act, in section 3, exempts the Federal and State Government from its application. Under the latter, the law is to be applied to all processing of personal data regardless of purpose. Again, the Malaysian PDP Act, in section 2, provides that the Act only applies to the processing of personal data in respect of commercial transactions.

Under the procedural and enforcement mechanisms or requirements, the WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In other words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.

The EU is one of Malaysia’s largest trading partners. The total trade in 2008 alone amounted to USD41.0 billion. Free flow of personal data can further facilitate and stimulate trade and investment. The enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU’s adequacy requirement test. What is the implication? Transfers of personal data may still take place provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.

As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.
 

Wednesday, December 23, 2009

Facebook backtracks on privacy



By Maija Palmer and Tim Bradshaw in London and David Gelles in San Francisco, published on December 11, 2009
FACEBOOK has been forced to retreat on some changes to its privacy settings after the move created an outcry from data protection campaigners and left users confused and irate.
The social networking site rolled out simplified privacy controls to its 350m users this week, but faced a barrage of complaints that the new settings were leading users to reveal more information than they wanted to.
Users were particularly critical of the way Facebook opted to make “friend lists” – the catalogue of all the people users are connected to on the site – visible to the public.
Facebook quickly backtracked on that on Thursday night, allowing users to hide the information if they wished.
Richard Alan, Facebook’s director of policy for Europe, would not rule out further tweaks to the settings in response to the public outcry.
“We have people monitoring comments from blog posts and all the feedback is going back to the team. They are still looking at it,” he said.
This is the latest privacy controversy for Facebook, which was forced to scrap a targeted advertising programme in 2007 and which came under scrutiny by the Canadian Privacy Commission last summer.
The Facebook blog page was flooded with thousands of comments asking how to put the new privacy settings to work.
“I was very confused by the new privacy settings on Facebook,” said Megan Brown, a lawyer in New York City. “When I logged on, it asked me whether I wanted my old settings or new settings. I didn’t know what the old settings were, so I was unable to make an informed decision.”
Chris Applegate, a Cambridge computer science graduate who works at We Are Social, an agency dispensing advice about sites such as Facebook, was dismayed to discover that applications installed by his friends could see his data unless he chose to opt out, an option not given in Facebook’s latest reminder.
“I’ve always kept a tight rein on the apps I install. But it only takes one friend to install a malicious app and . . . my information is compromised,” he said. “There is a great potential for leakage.”
Facebook insisted the change enhanced rather than detracted from privacy. It said that previously only 15-20 per cent of users had made any adjustments to their privacy settings. Yet, following the roll-out this week, 50 per cent of users had made changes.
“Millions [of users] have picked new settings and are comfortable with it,” Mr Alan said.

Tuesday, December 22, 2009

Users Warned of Following Facebook Privacy Recommendations


Boston, MA - infoZine - IT security and data protection firm Sophos has warned Facebook users of the dangers of blindly following Facebook's new privacy settings.


Facebook has announced a dramatic change to the privacy options, encouraging its 350 million users to share more information with everybody on the internet. However, Sophos warns that some users may not be aware that Facebook's recommendations include third party search engines and external websites, and changes to privacy settings that they may have previously enabled to better protect themselves from identity thieves.


"These could be the most important clicks you ever make on Facebook," said Graham Cluley, senior technology consultant at Sophos. "If you don't read carefully you could find that every post you make on Facebook, and your personal information, is visible to everyone in the world who has a computer rather than just your Facebook friends."


"Let's make this clear. If you make your information available to "everyone", it actually means "everyone, forever". Because even if you change your mind, it's too late - and although Facebook say they will remove it from your profile they will have no control about how it is used outside of Facebook," added Cluley.


"There's one very simple rule you should follow - if you don't want everyone in the world to read it, don't post it on the internet," continued Cluley. "If you dig around on Facebook you can find out what the privacy changes mean. The problem is that most people won't bother reading and simply follow Facebook's recommendations without understanding how a split-second decision could hit them hard in the future."


Read more at infoZine.com

Thursday, October 1, 2009

Keep personal data personal


[This article was published in The Star on 1 October 2009]

In a world where personal data has become commoditised, there is need for a governing law on the right to privacy.

A FEW days ago, I received this text message: “Good news! Credit Card Debts, restructuring reduced to 7% p.a. 100% approved! Or cash out, 12 banks available. Direct instalment to bank. Easy payment 24-36 months. More info, call me. Jane”.

I do have friends named Jane, but this Jane was not registered among my phone contacts. Curious, I called Jane, who introduced herself to be from “OTS Company” based in Subang.

She claimed that her company had wide contacts with as many as 12 banks and could “help” get me out of my credit card debt problem by restructuring the debt through an affordable financial package.
I was most puzzled with what Jane said as, firstly, I do not have a credit card debt problem, and my second, and main, problem is how did Jane have my personal information. When questioned, Jane said she did not know the source of her “list of customers” data, which she was given each day; she was just doing her job calling the names on the list.
As such, who then is feeding this company with the personal information, which appears to be supplied on a regular basis? I am quite certain that this scenario is not new to many of us.
Have you ever received calls from telemarketeers to whom you have not provided your name and telephone number? Or received spam email from unknown parties?

Have you ever realised that Internet search engines seem to carry advertisements of products and services similar to those on websites you have visited?

If the answer to any of the above is in the affirmative, do you wonder who has your personal data and how much they know about you? Who released your personal data to these people? Where did they obtain the data from?

More importantly, do you know what right you have over your own personal data?
Public awareness of personal data protection laws has increased over the years due to the rampant misuse and misappropriation of personal data. In Malaysia, one of the main reasons is the lack of a governing law.

Personal data protection is an element of right to privacy. In this digital age, gigabytes of personal data could be collected and transmitted across the globe with just a click.
This includes information such as your name, address, telephone number, medical record, salary, employment record, marital status, academic performance, body size, etc. Your personal data is valuable to organisations.

There is no doubt that personal data ought to be protected. But the real question is whether our personal data has been and is being possessed and processed by these organisations in accordance with data protection principles.

The issue of personal data law is not new in Malaysia. The Government circulated a draft of a personal data protection Bill in 2000 for public consultation. However, the Bill has yet to be tabled in Parliament.

Protection of personal data gained public attention again in 2007 after the CTOS saga, involving Credit Tip Off Service.

The public was concerned over how the credit reporting agency collected, processed, stored and disseminated personal data such as credit standing or credit history of a person. CTOS was at that time widely used by banks and financial institutions as the guide for approving financing.
Subsequent to that incident, the Government revived the effort to enact a personal data protection law to safeguard personal data in line with rights to privacy.
From the international perspective, there are several instruments governing protection of personal data, for example (i) the Council of Europe Convention 1981, (ii) the Organisation for Economic Cooperation and Development Guidelines 1980, and (iii) the European Community Directive 1995.

So far, quite a number of countries have put in place comprehensive laws governing personal data protection, such as Data Protection Act 1998 in the UK, Privacy Act 1988 in Australia, Personal Data (Privacy) Ordinance in Hong Kong, Privacy Act 1982 in Canada, Personal Information Protection Law 2003 in Japan, etc.

Countries such as China, Indonesia and India have started efforts on enacting data protection laws. Evidently, there is a rise in action around the world to promote personal data protection.
Personal data protection laws have great impact on international trade and business, particularly in transborder data transfer and processing.
The enactment of data protection laws is not aimed at stifling business activities, including telemarketing. The public could be interested in receiving marketing calls for various products and services.

The need for a comprehensive law to govern dealings in personal data is not questioned. However, organisations should only be allowed to have access to or to utilise our personal data after we have given our consent for them to do so.

The law should incorporate, among other things, such data protection principles as: manner of collection, purpose of collection, use of data, accuracy of data, duration of retention, access to and correction of data, security, data user’s policy and practices.

Such a law would be a giant leap in Malaysia. The effectiveness of a data protection law depends very much on public awareness of both data users and data subjects.
Malaysia is decades behind those countries which have enacted personal data protection laws.

However, it is better to be late than never, and it is hoped a personal data protection Bill will be tabled and passed in the next sitting of Parliament.