By: Sonny Zulhuda
Legal Responses and Liabilities to the Personal Data Protection
The apprehension of consumers regarding the use of their personal data is increasing. A survey in March 2001 published by the Asian Wall Street Journal and Harris Interactive found that 73% of Net users are concerned about their personal privacy on the Internet (AWSJ, 22/3/2001). This finding, and many similar surveys conducted worldwide, has led policy makers to ponder how, and to what extent, the state can make laws and regulations to protect people’s right to control the use and exploitation of their personal data in the networked world.
Questions arise as to which approach is more effective. There are at least two different approaches, each championed by a different jurisdiction and each subsequently adopted by others around the world. The choice is between state legislation to regulate this problem and leaving the Internet industries to regulate themselves. It is submitted that a working knowledge of those legal requirements is essential for parties in business organizations involved with data systems that store or process the personal data of members of the public.
Personal Information: to regulate or not to regulate
In comparison to the industry’s self-regulation, which is market-friendly, the legislative measure mandates the government to control the use and flow of personal data and information. Private industries have argued that such a legislative approach not only restricts their freedom of action but also tends to reduce the potential benefits of electronic commerce.
The United States has not traditionally been among the leading jurisdictions with regard to the protection of personal data privacy. Until recently, the European Community has been perhaps the most active jurisdiction on this subject. Legislation in the US has been passed rather sporadically, without comprehensively addressing the general protection of privacy, let alone online privacy (Lessig, 1998). Some laws have been passed to resolve certain particular problems of privacy.
The Privacy Act 1974, for example, addresses the misuse of burgeoning government databases holding information about individuals. However, the privacy protection principles set out by this piece of legislation do not apply to the private sector (Henderson, 1999). In 1998, an important law named the Children’s Online Privacy Protection Act was passed. It requires operators of web sites directed at children to obtain parental permission before collecting personally identifiable information from children under 13 years of age. This is said to be the only law that explicitly governs online privacy (Hirschman). It is nevertheless aimed only at protecting children.
Regarded as among the most important pieces of legislation passed on this subject is the Financial Modernization Act 1999, also known as the Gramm-Leach-Bliley Act. By virtue of this Act, financial institutions are required to inform customers of how their online and offline personal data is being used and by whom, and to give them an opportunity to opt out of information sharing. The Act, however, does not apply to information sharing between subsidiaries and affiliates of a parent company. It took effect on July 1, 2001. Although many more bills were introduced in Congress, many did not survive the congressional committees. The only comprehensive piece of legislation passed by Congress was the Children’s Online Privacy Protection Act, which came into effect in 2000.
This situation contrasts with that of most European legislatures, including the European Union. These countries have passed strict and comprehensive sets of rules governing the protection of individuals’ privacy in the sense of personal data protection. That is why Lessig has dubbed the legislative response to informational privacy, or personal data protection, the ‘European’ response.
The European Community’s Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (‘Directive’) was adopted in 1995 and came into force three years later, on 25th October 1998. The Directive establishes a clear and stable regulatory framework to ensure both a high level of protection for the privacy of individuals in all member states and the free movement of personal data within the European Union. By fostering consumer confidence and minimizing differences between member states’ data protection rules, the Directive is intended to facilitate the development of electronic commerce.
The Directive also establishes rules to ensure that personal data is only transferred to countries outside the EU when its continued protection is guaranteed, so that the high standards of protection introduced by the Directive within the EU are not undermined. The legislative approach to the protection of personal data and information is highly regarded and widely adopted in most European countries. The majority of them have specific and comprehensive national legislation on data protection, while others are in the process of drafting and tabling bills in parliament. By 2002, more than seventy percent of the EU Member States had adopted and implemented the EU Directive on Data Protection 1995 into their respective national laws.
It is noted here that the existence of the EU has made this trend widely and relatively easily accepted, because this economic union has binding power over its members. For the same reason, one hears of relatively little resistance or objection from other parts of the community within Europe (e.g. the private sector and liberal activists), compared to the continuing debate in the US on this issue.
All these approaches are bound to fail if the response to online privacy problems is only partial, ignoring their global nature. Conflict of jurisdictions is already imminent in cyberspace issues, and it should not be given the chance to widen.
The current negotiation between the US and the EU provides the best example. For many years since the enforcement of the EU Directive on Data Protection in 1998, Washington and Brussels have been trying to agree on trans-border data transfer from the EU countries to territories outside the EEA. The negotiations have taken a long time and incurred substantial cost. This tension has lessened since the EU and the US agreed on the Safe Harbor terms, enabling data to be transferred to the US under specific conditions. However, although Washington and Brussels have agreed on certain terms, private industries in the US are still reluctant to join. They are not sure whether the agreed terms would favor their business or otherwise (Informationweek, 25/6/2001).
On the other side of the continent, European industries say they are not confident in the legislative measures introduced in their countries. They point out that the American industries’ self-regulation seems to be more successful (Infoworld.com 24/1/2001). Apparently, with the existing disagreement on some practical aspects, the workability of the Safe Harbor agreement remains to be seen.
Malaysia also sees the threat to online privacy as a global problem that necessitates international effort. Even though its Personal Data Protection Bill has invited several criticisms and comments, most critics agree that the government should intervene in this issue. As a progressive developing country, Malaysia can expect the movement of data to be substantial. The fact is that the majority of South East Asian and East Asian countries, the main export and import destinations for Malaysia, do not have any equivalent and adequate law on data protection. This is a special concern, as the PDP Bill restricts the transfer of personal data in such cases. The workability and success of the law are yet to be tested, at least not until the law is passed by Parliament. However, Malaysia can learn from Europe, especially on the issue of trans-border data transfer.
Legal Principles on Personal Data Protection
Although the US and the EU approach legal measures in different ways, there are nevertheless common principles of personal data protection that can be summarized. It is pertinent and very timely for every organization engaged in collecting and processing personal data to understand the gist and ambit of these principles. The key points of the principles can be summarized as follows:
Fair and lawful processing of the personal data
Restriction of data collection to specified, explicit and legitimate purposes
Principles of adequacy, relevance, and non-excessive use of the data
Accuracy and completeness of the data
Personal data to be retained no longer than necessary
In the terms of the American industries’ self-regulatory approach, these principles are called Fair Information Practices and include the principles of notice and choice. That means consumers should be given proper and adequate notice of what businesses do with their personal information. Furthermore, consumers shall also be given a choice as to whether or not they consent to such use(s) by the industries.