Privasi dan Integritas Teknologi

Dr Sonny Zulhuda

This article, in Indonesian, was published in the national daily REPUBLIKA, on 3rd April 2018. This piece highlights the ultimate need to have a privacy-embedded technologies. Respecting privacy is a prerequisite to maintain the integrity in the use of technology. As I concluded, the connectivity that we currently enjoy shall not eliminate the identity and integrity that shape who we are, as individuals and nation.

================

boss-spying-on-youBerbagai isu kebocoran data pribadi seperti yang baru-baru ini berlaku pada data registrasi nomor telpon seluler di Indonesia, dan juga pada data pengguna Facebook di Amerika Serikat (AS), membawa kita kepada pertanyaan yang lebih fundamental, yaitu hak privasi terhadap data. Apakah hak privasi itu sendiri?

Jarang didefinisikan, namun sering diperdebatkan. Misalnya, dalam menyikapi isu penyadapan komunikasi oleh penegak hukum di Indonesia, masyarakat kita berpolemik sejauh mana penyadapan bisa dilakukan, mengingat efeknya yang mengoyak kebebasan dalam berkomunikasi. UUD 1945 menjamin hak kita untuk berkomunikasi dan menyampaikan pemikiran atau pendapat. Jika komunikasi kita disadap, maka hak kita sudah disunat. Dalam konteks inilah Dewan Keamanan Nasional AS dikritik tajam ketika mantan pekerjanya Edward Snowden mengungkap praktik Badan itu dalam mengawasi komunikasi dan data pribadi pengguna Internet AS dan global.

Di Malaysia, pengadilan memvonis salah perbuatan memasang kamera CCTV di pekarangan rumah sendiri namun mengarahkannya ke halaman rumah orang lain karena mengganggu privasi tetangganya. Di Afganistan, orang dilarang memanjat genteng rumahnya sendiri sebelum memberitahukan tetangganya agar si jiran tidak terlihat dalam kondisi yang memalukan. Di Korea, kamera telpon seluler harus disetting dengan suara yang cukup nyaring sehingga orang tahu jika ia difoto di kawasan publik. Semua contoh diatas muaranya sama, yaitu melindungi privasi orang.

Kita tidak ingin teknologi modern yang nisbi menggerus sisi kemanusiaan yang universal dan hakiki. Teknologi informasi kita di negeri ini tidak boleh bebas nilai, dan tidak boleh pula miskin nilai. Koneksitas dan mobilitas yang semakin baik merupakan anugerah yang harus kita syukuri. Namun perlu diingat, koneksitas tidak dapat menghapus identitas, dan mobilitas tidak bisa meminggirkan integritas. Majulah TI di Indonesia.

Berasal dari bahasa Inggris, “privacy” berarti hak untuk bersendirian dan untuk tidak diawasi oleh orang lain. Padanannya dalam bahasa Arab adalah “huquq fardiyyah” (hak-hak pribadi) atau “huquq al-hurmah” (dignity atau maruah).

Dalam dialektika Alquran, Continue reading

Advertisements

Data Breach a Test to Our Digital Resilience

By: Sonny Zulhuda
DSC_0025
Malaysian public has recently been perturbed by a series of personal data breach one after another. While the investigation is taking place, one can only expect that what has surfaced may only be a tip of an iceberg.
As the country embraces digital economy and aims at a cashless society by 2020, this data security crisis becomes a part of the equation. More digitised information and more synchronised data mean a bigger risk of data breach calamities. As a country, there is no backing out from this equation even though that means we have to learn it hard.
As a consequence, a data breach is not a matter of ‘whether’ but is a matter of ‘when’ it will happen. This requires us to adopt a risk management approach. Failure of managing the risks can be increasingly costly. The problem is, it is too often when we realise there is a data, it may be already too late. The alleged leak and illegal sale of Malaysian telecommunications data are said to have happened years ago. By now, we are already five years too late!
Time is of the essence here. As we start to learn about the breaches that took place, swift actions are warranted. There are few points to consider by all the stakeholders.
Firstly, data users can do the least by keeping the public informed about what is going on.
Even though our PDP law does not oblige data users to notify data subjects about any breach, this is warranted for transparency and trust preservation, and hence their business continuity plan.
Secondly, we should treat this as an issue of national security.
Not only because massive data of the majority of the public is affected, but also because those data come from the telecommunications and financial industries which are deemed among the ten critical national information infrastructures (CNII) as outlined by the Malaysian National Cyber Security Policy (NCSP) 2006. So, data security under this CNII must be given utmost priority. Both public and private sectors must cooperate in dealing with the crises.
Thirdly, it is time to test the mechanism of our law.
These incidents of a personal data breach either maliciously or negligently occurred, will need to be tested against the Personal Data Protection principles enshrined in the Act. The authority needs to speed up the activation of the Personal Data Protection Act (PDPA) 2010 after some “day-nap”. Other agencies need to help in accordance with the statutory powers granted to each of them.

7E3A8212

The year 2017 is notably the beginning of some successful prosecutions under the Act, which is a crucial milestone in itself. On a positive note, we should take this crisis as an opportunity to also prove our legal mechanism. 

On top of that, what we are facing now is something bigger: it is testing our resilience as a nation. The challenge is more than a damage control: it is to deal efficiently with the massive data crisis like what is happening now.

This is not a one-off duty as data security is a process rather than a result. As Vince Lombardi was once famously quoted, it is not so much about how we fall down, but rather on how to raise back. And by “we” I mentioned in this last paragraph, it is you and me and every one of us the individuals to whom the personal data actually belong to.

Apapun Disiplin Ilmumu, Pelajarilah Ekonomi Digital!

APAPUN DISIPLIN ILMUMU, PELAJARILAH EKONOMI DIGITAL!

Oleh: Sonny Zulhuda

APAC Cyber Summit 2016_1

1. Indonesia dan Malaysia melalui pemimpinnya masing-masing telah menetapkan bahwa Ekonomi Digital menjadi fokus utama dalam membangun negara dan meningkatkan ekonomi bangsa. Tidak hanya jalur lebar Internet yang diperhebat, namun penguasaan konten lokal dan industri kreatif kini menjadi generator baru bagi kemajuan bangsa.

2. Pengalaman saya selama 15 tahun sebagai peneliti, akademisi dan praktisi hukum teknologi informasi, melihat semakin perlunya kita untuk memparalelkan segala ilmu, pengetahuan dan teori yang kita pelajari dengan perkembangan dunia digital. Ekonomi digital yang didominasi dengan penguasaan teknologi informasi dan optimalisasi data mengharuskan kita menjawab berbagai tantangan digital.

3. Saya saksikan sendiri di berbagai universitas top di dunia seperti Oxford, Sydney, UNSW, Tsinghua, Toronto dan Yonsei University mereka sudah mendirikan lembaga kajian yang fokus terhadap isu konvergensi teknologi informasi dalam berbagai aspeknya. Universitas Indonesia dan UNPAD saya pikir sudah memulai lebih awal dalam konteks Indonesia. Yang lainnya, belum kelihatan! Sementara, semakin banyak pula lembaga internasional yang menyediakan program, beasiswa, fellowship dan event-event yang bertujuan mencari bakat-bakat muda dalam kajian konvergensi informasi ini.  Continue reading

Speak Privacy an Asian Way — at Asia Privacy Bridge Forum in Korea

By: Sonny Zulhuda

seoul.jpg

Last week I received this invitation letter to speak at the Third Asia Privacy Bridge Forum, hosted by Barun ICT Research Centre, Yonsei University, Seoul, South Korea towards the end of June 2017. The Director of the Centre, Dr. Beomsoo Kim noted that this Forum is supported also by KISA (Korea Internet and Security Agency) and the Korean Ministry of Interior. I am asked to speak about the development of the data protection laws in two countries Malaysia and Indonesia.

This is an exciting surprise. Not only because it would be my first visit to Korea, but also because I will have an invaluable opportunity to mingle with the Asia Pacific and international network on privacy and data protection; and to share with them what is up in Malaysia and Indonesia on this subject.

There are other speakers who are expected to speak from different jurisdictions: Korea, Japan, Singapore and China including: 1. Dr. Beomsoo Kim (Yonsei University, South Korea); 2. Jongsoo Yoon (Lee & Ko, South Korea); 3. Dr. Kaorii Ishii (University of Tsukuba, Japan); 4. Dr. Warren B. Chick (Singapore Management University); 5. Dr. Sonny Zulhuda (International Islamic University Malaysia); 6. Mr. Eunsil Lee (Seoul Metropolitan Police Agency); and Rona Morgan, Singapore-based IAPP Asia Director.

After all, the event sets as an ultimate aim a common desire to move forward collectively and globally in addressing the challenges of enforcing data privacy laws.

From the Malaysian perspective, this is the time to showcase what it has done or set to do beyond the initial period of public education on the law. What has been done towards enforcement? That is specifically questions that I would like to share during the Conference. Besides, the fact that the industries have moved further to issue self-regulatory Codes of Practice is also a stimulating development.

From the Indonesian perspective, there is quite a few development to share. In the past year, it is noteworthy that the 2008 Law on Information and E-Transaction (“UU-ITE”) was amended by the  Parliament to strengthen some aspects of the law, including on the “Right to be Forgotten”. Then, still in 2016, the Information Minister issued a new Ministerial Regulation on the Protection of Personal Data Processed Electronically. This regulatory piece is indeed a milestone to the data privacy law in Indonesia, albeit that it is a subsidiary legislation, rather than a parliamentary statute. Beyond this, there is this Bill draft of the Personal Data Protection Act that has been consolidated in early 2017.

With all these development, I hope I can portray insightful updates to the Forum and ultimately to everyone who shares the interest on this subject. But first, let’s hope my visa is ready on time.

UPDATE: the visa was ready on 23rd June, and I’m scheduled to fly on Sunday night.

“Can my lecturer access my personal information?” – And Other Issues of Data Protection at the Higher Learning Institutions 

By: Sonny Zulhuda 

In the past week alone, I spoke about the personal data protection law at two Malaysian public universities; Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).

In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 at the University environment.

IMG_20170319_095449

The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university’s employees, as well as any individuals involved in the data processing.

Continue reading

Data Sovereignty vs Data Localisation Law

By: Sonny Zulhuda

Transferring personal data beyond national boundaries has been a point of contention under many data protection laws across the globe. The European Union adopts this restriction that such transfer beyond EU boundaries cannot be done unless to the countries or places which have adequate protection on personal data of individuals.

Cloud-Data-SecurityThis rule is associated with the concept of “Data Sovereignty” which says that a country shall not lose a control or sovereignty over the processing of personal data pertaining to data subjects from that country. It also imposes that information which has been stored in digital form is subject to the laws of the country in which it is located. Therefore, a control over trans-border data flow is a form of upholding data sovereignty.

The concept of Data Sovereignty is reflected in the EU Data Protection Directives 1995 recitals whereas:

  • cross-border flows of personal data are necessary to the expansion of international trade;
  • the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection;
  • the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.

As much as we are concerned with personal data transferred beyond our border, we also appreciate that personal data is inherently needed for the International trade and International cooperation. Hence, when a personal data is subject to trans-border flow, there shall be no discriminatory treatment to the citizen’s personal data despite where it is processed.

Data Localisation Law

This data sovereignty is sometimes confused with the rules of “Data Localisation”, which is totally a different thing. Data localisation laws set forth requirements to keep and store data “locally” (i.e., within national or regional borders), and thus not allowing data users to transfer data beyond borders. Consequently, any foreign party who wishes to collect or process personal data of individuals will be required to establish a local data storage facilities in the country of those individuals. Continue reading

Social Media Policy and Regulation: A Network Governance Perspective

By: Sonny Zulhuda

The above is the name of the event in Tsinghua University, Beijing, on December 3-4, 2016, where I came as a speaker to the audience consisted of law, media and Internet governance academia and practitioners. Both Beijing-based School of Journalism and Communication of Tsinghua University and the School of Communication of Hong Kong Baptist University (HKBU) jointly organised this event.

The invitation came to me through Dr. Yik Chan Chin of the HKBU, who is with me at the Global Internet Governance Academic Network (GigaNet). Upon few exchanges of emails, I was then invited to come and present my views on the social media regulations in the Malaysian perspective. I must say that the event was really a rewarding experience; filled with substantial discussions, new perspectives and, of course, new friends and network!

IMG_3014

This can be highlighted from the list of the speakers of the two-day workshop: Continue reading

  • November 2018
    M T W T F S S
    « Oct    
     1234
    567891011
    12131415161718
    19202122232425
    2627282930  
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,602 other followers