By: Sonny Zulhuda
Much has been said and written in the past two days regarding the passing of the Personal Data Protection (PDP) Act by the Dewan Rakyat on Monday this week. Amid the hype, the name CTOS has been among the most mentioned, even in the days and months before the lawmakers finally okayed the law.
No less than members of parliament from both sides (ruling and opposition), as well as the Minister in charge of the law, had indicated that with the birth of this Act, people’s suffering and distress due to the alleged misuse of their data by credit reporting agencies (also known as credit rating agencies), such as CTOS (Credit Tip-Off Service Sdn Bhd), will come to an end.
So happy ending, or is it? I do not think so. And I think this is a mistake, which is unfortunately echoed by the press and media.
This is a misunderstanding because, as a matter of fact, the PDP Act as enacted and passed excludes credit reporting agencies (CRAs) from its application.
But don’t jump to a conclusion yet: having excluded CRAs from the Act's application, the authorities plan to have ANOTHER law that deals with personal data protection specifically in relation to CRAs. The draft bill was already tabled for first reading last year, and it will be tabled again soon. [A note on this draft law was provided by Prof. Abu Bakar Munir from the Law Faculty, University of Malaya (UM). An international perspective on this can be found in a New York Law Journal article by Sack & Juris, here.]
Let me share with you the passages from the PDP Act that explain this:
Section 2 on the Application of the Act:
2. (1) This Act applies to—
(a) any person who processes; and
(b) any person who has control over or authorizes the processing of,
any personal data in respect of commercial transactions.
The meaning of “commercial transactions” under section 4 of the Act:
“commercial transactions” means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2009.
The meaning of “personal data” under section 4 of the Act:
“personal data” means any information in respect of commercial transactions, which—
(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2009 [emphasis added].
The meaning of “credit reporting agency” under section 4 of the Act:
“credit reporting agency” has the meaning assigned to it in the Credit Reporting Agencies Act 2009 [Act ___ ].