Data Sovereignty vs Data Localisation Law

By: Sonny Zulhuda

Transferring personal data beyond national boundaries has been a point of contention under many data protection laws across the globe. The European Union adopts this restriction that such transfer beyond EU boundaries cannot be done unless to the countries or places which have adequate protection on personal data of individuals.

Cloud-Data-SecurityThis rule is associated with the concept of “Data Sovereignty” which says that a country shall not lose a control or sovereignty over the processing of personal data pertaining to data subjects from that country. It also imposes that information which has been stored in digital form is subject to the laws of the country in which it is located. Therefore, a control over trans-border data flow is a form of upholding data sovereignty.

The concept of Data Sovereignty is reflected in the EU Data Protection Directives 1995 recitals whereas:

  • cross-border flows of personal data are necessary to the expansion of international trade;
  • the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection;
  • the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.

As much as we are concerned with personal data transferred beyond our border, we also appreciate that personal data is inherently needed for the International trade and International cooperation. Hence, when a personal data is subject to trans-border flow, there shall be no discriminatory treatment to the citizen’s personal data despite where it is processed.

Data Localisation Law

This data sovereignty is sometimes confused with the rules of “Data Localisation”, which is totally a different thing. Data localisation laws set forth requirements to keep and store data “locally” (i.e., within national or regional borders), and thus not allowing data users to transfer data beyond borders. Consequently, any foreign party who wishes to collect or process personal data of individuals will be required to establish a local data storage facilities in the country of those individuals. Continue reading


Social Media Policy and Regulation: A Network Governance Perspective

By: Sonny Zulhuda

The above is the name of the event in Tsinghua University, Beijing, on December 3-4, 2016, where I came as a speaker to the audience consisted of law, media and Internet governance academia and practitioners. Both Beijing-based School of Journalism and Communication of Tsinghua University and the School of Communication of Hong Kong Baptist University (HKBU) jointly organised this event.

The invitation came to me through Dr. Yik Chan Chin of the HKBU, who is with me at the Global Internet Governance Academic Network (GigaNet). Upon few exchanges of emails, I was then invited to come and present my views on the social media regulations in the Malaysian perspective. I must say that the event was really a rewarding experience; filled with substantial discussions, new perspectives and, of course, new friends and network!


This can be highlighted from the list of the speakers of the two-day workshop: Continue reading

Open Government and Cyber Security in Malaysia

By: Sonny Zulhuda

Open government is the notion that allows transparency of governments in running matters pertinent to public interests. According to that concept, the government shall allow its citizens an access to government documents and a right to obtaining information relating to public matters.

In Malaysia recently, the Open Government initiative was represented in the Public Sector Open Data Portal programme which was launched in September 2015 by MAMPU, a Unit under the Prime Minister’s Department. It declares that the aim of such initiative is to open and share government data to public and hence to enhance transparency and efficiency of government and to create a digital innovativeness.


With this background, the question of how the Government deals with the increasing demand of freedom of information and other challenges ranging from personal data to the government data security is worth examining. I was invited to talk about this at an international conference hosted by Sydney Cyber Security Network, the University of Sydney, Australia. In my presentation, I highlighted a recent initiative of open data in Malaysian public sector and the related challenges on data security, privacy and information surveillance.

I was also looking at the recent developments in Malaysia relating to the enactment of personal data protection law and recent policies relating to critical infrastructure protection. Lessons from cases and incidents surrounding information security and personal data breaches were discussed to trigger discussions on relevant solutions and best practice.

Among the key summary of my talk in Sydney was as following:

  • Open Government is underway, but more economically-motivated and narrowly looked at “open data”. A long way to the “open government”.
  • Cyber security governance enhances the security of data in the Malaysian cyberspace. However:
  • There is a striking imbalance in the legal framework between the protection of secret on one hand, and the freedom of information on the other.
  • The data privacy law boosts the transparency in the private & commercial sector, but it is a missed opportunity for an open government.
  • The open government initiative needs to be supported as national agenda, to be backed by a stronger law and national policy.

Cyber Security in the Era of Open Government: A note from the University of Sydney

By: Sonny Zulhuda

I was honored to be invited by the University of Sydney to talk about this on November 2016. The event, called “Cyber Security in the Era of Open Government”, sought to identify innovative solutions for improving the security of open government services and their users. 

Several keynoters were invited to provide for the best practices from the public and private sectors, both locally and internationally on issues surrounding the cyber security challenges associated with increasing citizens’ access to government data. The preview of the program can be traced in the USyd’s website page here.

The conference was split up into 3 thematic panels:

1. Open Government and Cyber Security in Australia. Three renowned personalities from Australian regulators spoke, namely Tim Pilgrim (Acting Australian Information Commissioner and Australian Privacy Commissioner); Elizabeth Tydd, (NSW Information Commissioner and Head of the Information and Privacy Commission); and Rolf Green, who was the Director of Information, ICT and Digital Government Division, Australian Department of Finance, Services and Innovation.

2. Open Government from Global Perspectives. In this session, I spoke alongside with an American Charles Bell, CEO of Startup Policy Lab (SPL); Dr. Janet Xu, Associate Researcher of the University of Oxford; and the Canadian Dr Khaled El Emam, himself a Professor at the University of Ottawa. I also like to note that this session was chaired by my friend Dr Adam Molnar, a lecturer in criminology at the Deakin University, Victoria, Australia.

3. Privacy, Surveillance and Government Services. This afternoon session presented a speakers from a diverse background, namely Dr. Elizabeth Coombs, NSW Privacy Commissioner; Professor Fleur Johns, Associate Dean (Research) UNSW; Bernard Keane, Crikey’s political editor.

Cerdas Digital (1)


Oleh: Sonny Zulhuda

Sejak masyarakat disibukkan berbagai isu terutama di alam maya dan media sosial, ada beberapa hal yang perlu kita perhatikan dalam hal pergaulan digital kita. Yuk kita introspeksi.

Tanpa disadari, kita sering menyebarkan informasi tanpa meyakini validitas isi berita tersebut. Yang lucunya, kadang2 di ujung pesan tersebut ditambahkan dengan kata2: “apakah info ini valid/benar?” hehee.. Alih-alih ingin verifikasi, yang terjadi malah menyebarkan rumor, fitnah atau disinformasi publik.

Kalau memang ingin klarifikasi, ya jangan ‘nafsu’ langsung forward, apalagi kalau sdh berubah niat supaya dianggap ‘lebih update’  atau ‘punya koneksi’ (na’udzu billah)..

Jika pesan itu berupa pernyataan seorang tokoh masyarakat, maka sebaiknya ditanyakan dulu secara khusus ke pihak2 terkait baik sumbernya langsung, ataupun orang2 terdekatnya. Jangan langsung dilempar ke group! Itukan sama saja menyebar gosip ya ikhwan 🙂

Jika pesan itu berupa tautan/link ke sebuah sumber di Internet, maka kita bisa cek dan baca dulu link itu. Jangan2, lain di judul lain di isinya. Atau bisa jadi itu berita lama yg kebetulan dicocok2in dengan isu2 baru. Kalau rasanya masih blm yakin (misalnya karena kita meragui media penerbit berita tsb) maka kita bisa lakukan perbandingan berita secara simple, dengan melakukan Google search uyk keywordnya (kata2 kuncinya). Dari situ kita bisa ukur sejauh mana akurasi dan kredibilitas pemberitaan tsb.

Jika kita tidak bisa melakukan klarifikasi dan verifikasi diatas. Jangan lupa gunakan akal sehat dan common sense! Exercise your honest judgment. Malah kadang2, filter akurasi jika dikombinasikan dengan filter akal sehat akan semakin meningkatkan pertimbangan kita: yaitu filter kepatutan. Pertanyaannya nanti, tidak hanya ‘benar atau tidak’ tapi sudah menjadi ‘patut atau tidak saya sebarkan?’..’ perlu atau tidak saya share?’ Kadang pertanyaan ini sering luput dari pertimbangan kita.
Jika filter-filter diatas (akurasi dan kepatutan) sudah luput, maka yang terjadi adalah rentetan upaya klarifikasi dan koreksi atas pesan yang sudah terlanjur menyebar. Jika kelalaian ini terjadi pada anda, maka yang harus anda lakukan:

1. Segera sampaikan koreksi pesan tsb;

2. Mohon maaf atas pencatutan narasumber yang salah, dan

3. Mohon semua anggota group yg sudah ikut menyebarkan agar mengoreksinya juga di group2 mereka masing2.

Kok repot ya? Ngga repot kok, kita cuma perlu lebih cerdas digital saja. Jangan hanya hp kita yg ‘smart’, tp penggunanya juga harus ‘naik kelas’ hehe.. Gitu ya MasBro dan MbakSis..
Mari kita tunjukkan bahwa kita bukan robot alias buzzer digital, tapi kita adalah pengguna medsos yg berakhlak dan berkemajuan. Kemenangan bukan pada hasil, tapi lebih pada upaya menuju hasil itu.

Pesan medsos kita juga akan dipertanggungjawabkan kelak. Disitulah Allah sudah mengingatkan (mgkin tafsir progresifnya ‘menyindir’ – bukan benang merahnya ya) bahwa sesungguhnya “pendengaranmu, penglihatanmu, dan suara hatimu” (yg terakhir ini pas untuk ujaran digital kita) semuanya akan ditanyakan kelak tentang apa yg diperbuatnya.
Ayooo.. kerja lagi 🙂

Personal Data Governance from A Cyber Security Perspective

By: Sonny Zulhuda

Data privacy and data security are two sides of a coin – unseparable. Despite efforts by experts to explain this, yet the misunderstanding that they defeat each other is still widely looming.  In this APAC Cyber Security Summit held in on 3rd June 2016 in Kuala Lumpur and attended by more than two-hundred regional participants, I took another attempt to explain this: How protecting one’s data privacy can contribute to a larger information security practices. Not coincidentally, one can see it from the other side: In order to afford maximum protection of one’s privacy, efforts must be taken to secure his data. Thus, data security is part of a bigger personal data privacy protection. Confused? Don’t be.

APAC Cyber Summit 2016_1The truth is, personal data management does include protecting its confidentiality, integrity and availablity. And doing so, it means one must ensure the privacy and security of personal data goes side by side.

In a report released by the PriceWaterhouseCoopers (PWC) in 2016 on Personal Data Use Governance – Mitigate Risk while Unlocking Business Value, there is a sfift (or more sutiably, an expansion) of personal data risks landscape from merely a security and regulatory issue, to an intersection of issues of ethical, regulatory, litigation, security and serivce quality.

At this Conference, I highlighted the latest status and implementation of the Malaysian Personal Data Protection Act 2010 and tried to show how the new regulatory framework reshape the landscape of information security in Malaysia.

The points can be summarised as follows:

  1. Perspective #1. PDPA 2010 creates data management principles
  2. Perspective #2. PDPA 2010 spells out the duties throughout data lifecycle
  3. Perspective #3. PDPA 2010 identifies data risks
  4. Perspective #4. PDPA 2010 creates new data offences
  5. Perspective #5. PDPA 2010 creates duty of data due diligence

Privacy – How to be Assured in Cyberspace

By: Sonny Zulhuda

This year’s ISACA Malaysia’s Conference is renamed a CyberSecurity, IT Assurance & Governance (CIAG) Conference 2016, held on 30th May 2016, in Le Méridien hotel, Kuala Lumpur. My friends and colleagues in ISACA Malaysia are kind enough to invite me for the fourth time in their annual national conference. Last year, I was invited to speak about the pros and cons of Internet of Things (IoT) in the form of a debate, together with a representative from the Malaysian Digital Economy Corporation (MDec).


In this year’s edition, I was seated in a panel discussion to speak about the protection (or  Assurance) of privacy in the cyberspace. With me as panelists are Mr. Retnendran Subramaniam CISA, CRISC (former ISACA Malaysia chairman) and Mr. Victor Lo, the Head of Information Security, InfoTech Division, MDeC. The panel was moderated by Mr. Jason Yuen from the Ernst & Young Malaysia. Continue reading

  • October 2017
    M T W T F S S
    « Jul    
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,574 other followers