By: Sonny Zulhuda
Transferring personal data beyond national boundaries has been a point of contention under many data protection laws across the globe. The European Union restricts such transfers: personal data cannot be transferred beyond EU boundaries except to countries or places which have adequate protection for the personal data of individuals.
This rule is associated with the concept of “Data Sovereignty”, which says that a country shall not lose control or sovereignty over the processing of personal data pertaining to data subjects from that country. It also holds that information which has been stored in digital form is subject to the laws of the country in which it is located. Therefore, control over trans-border data flow is a form of upholding data sovereignty.
The concept of Data Sovereignty is reflected in the recitals of the EU Data Protection Directive 1995, which state that:
- cross-border flows of personal data are necessary to the expansion of international trade;
- the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection;
- the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.
As much as we are concerned with personal data transferred beyond our border, we also appreciate that personal data is inherently needed for international trade and international cooperation. Hence, when personal data is subject to trans-border flow, there shall be no discriminatory treatment of a citizen’s personal data regardless of where it is processed.
Data Localisation Law
Data sovereignty is sometimes confused with the rules of “Data Localisation”, which is an entirely different thing. Data localisation laws set forth requirements to keep and store data “locally” (i.e., within national or regional borders), and thus do not allow data users to transfer data beyond borders. Consequently, any foreign party who wishes to collect or process personal data of individuals will be required to establish local data storage facilities in the country of those individuals.
The recent development of data localisation laws has been further prompted by the NSA spying revelations (“Snowden’s saga”). Some countries, like Russia, South Korea, China, Brazil, and Vietnam, have been cited as having some form of data localisation laws in place. This trend, though internationally unpopular, may be increasingly adopted by other countries in either specific or general data processing laws.
These changes will have a huge potential impact on companies, because current data flows, storage, and IT infrastructure and solutions will have to be rethought, e.g. regarding the provision of cloud services and the need to hire local talent.
Data Sovereignty in Malaysia?
In Malaysia, the notion of data sovereignty is reflected in some of the existing legal and policy frameworks. These include provisions under the MSC Policy, the Communications and Multimedia Act 1998, the National Cyber Security Policy (NCSP) 2006, as well as the Personal Data Protection Act 2010.
- National Policy Objectives of the Communications and Multimedia Act 1998: (To) promote a civil society where information-based services will provide the basis of continuing enhancements to the quality of work and life ... (while) ensure information security and network reliability and integrity.
- NCSP 2006 envisions that ‘Malaysia’s Critical National Information Infrastructure shall be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well-being and wealth creation’.
- PDPA 2010: A data user shall not transfer any personal data of a data subject to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Commissioner, by notification published in the Gazette.
Section 129(1) of the Personal Data Protection Act (PDPA) 2010 provides that a data user shall not transfer any personal data of a data subject to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Commissioner, by notification published in the Gazette.
For the purposes of subsection (1), the Minister may specify any place outside Malaysia if— (a) there is in that place in force any law which is substantially similar to this Act, or that serves the same purposes as this Act; or (b) that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by this Act.
The PDPA 2010 thus takes a clear stand on the issue of data sovereignty in Malaysia, especially relating to the personal data protection of individuals. Malaysia does not impose any data localisation law for now, nor is it expected to have any in the near future. The next thing to do is, perhaps, to ensure that there is clear enforcement of this provision. One emerging question will be whether we should urgently require a Ministerial order on the places outside Malaysia to which data users can transfer personal data. We shall write about this soon, inshaAllah.