Among the first questions people would ask about the Personal Data Protection Act (PDPA) 2010 is “whether or not this Act applies to me?” or, if one could answer it in the affirmative, “in what way does the Act implicate me?”
The PDPA 2010 provides definitions of certain entities that would be in one way or another “implicated.” They are (1) Data User; (2) Data Processor and (3) Data Subject. Thus, the PDPA 2010 operates on these classes of persons. It is in this frame that you can find your answer as to whether the Act applies to you, or in what way it implicates you.
Now everyone can “fly”! Yes, we know that. But when you fly, will your personal information fly away in the sky? That, not everyone knows. This is the simple question that forms the backdrop of my recent paper, to be presented at Singapore’s International Conference of Social Science and Humanities (ICSSH2011) at the end of this month.
The paper is entitled: “Personal Data “Up in the Air” – A Tale of Two Malaysian Airlines in Dealing with Consumers Online Privacy.” It is a joint effort with one of my former students Ms. Maryam Delpisheh.
We know that uncertainties and concerns surrounding the privacy of personal information in Malaysia in the wake of many data abuse incidents had led to the passing of the Personal Data Protection Act (PDPA) 2010. In a market where personal data has long been widely traded and unjustifiably exploited, the coming of this law could resemble the arrival of a long-awaited messiah expected to correct the evils and rectify people’s problems in a very immediate manner.
The above is the title of my presentation at the IT LAW FORUM organised by KL BAR, jointly held with KDU University College, on 12 November 2010. I spoke on the panel after Prof. Abu Bakar Munir, who was the adviser for the Government of Malaysia on the drafting of the PDP Act 2010 (See: the unamended PDP Bill).
While Prof. Abu Bakar talked mainly on the duties and obligations of Data Users as well as the Data Protection Principles, I presented the topic from another perspective, i.e. that of the data subject, which refers to the individuals whose personal data become the object of business by data users. That simply means you, me and everyone!
For a general recap of the event, you may want to check the KL BAR blog site here.
What would you do when you realised that an unknown person has in his/her possession records of your SMS exchanges and the actual recordings of your telephone conversations, and sent them to your own desktop? Shocked, fearful, terrorised, humiliated (somehow), and so on, you name it. But yes, it’s a nightmare! A lady who experienced this had brought a lawsuit against her telecommunication provider for allegedly revealing the content of her private communication to a third party.
Read the news report here. This particular lawsuit is the first that could trigger the provisions of the Personal Data Protection Act 2010. Since the case proceeding has not started yet, nothing much can be heard from the case. Hopefully we can hear more updates in the near future.
Meanwhile, the telecommunications company involved had issued a statement that they would carry out an investigation relating to the said allegation. Read the statement here.
This is particularly a court decision that will attract many who are curious about the law on invasion of privacy in Malaysia. The timing could not be more intriguing than now, when the first privacy-related legislation was recently passed in the form of the Personal Data Protection Act 2010. No, this Act was not in the case (yet?), not even possibly so, because the Act is still not enforced. This case was instead dealt with under the civil law of torts.
As reported by the Sun Daily (3/9/2010), Judicial Commissioner Chew Soo Ho, who sits in the Penang High Court, heard this suit brought by a female writer against the doctors who were involved in a haemorrhoid surgery back in 2006. The point of concern was the fact that a doctor had taken photographs of her private parts while she was unconscious — without getting her prior consent.
As you could see from the above, the Personal Data Protection (PDP) Act 2010 was officially given Royal Assent on 2 June 2010 and was gazetted on 10 June 2010. The Act is known as the PDP Act 2010 and is numbered as Act 709. For the full view of the draft Bill (which was passed unchanged), click here.
In the week that passed I spoke at a national seminar on the Personal Data Protection Act that took place at The Ritz Carlton Kuala Lumpur, July 21, 2010. The audience came from various industries including banks, regulators, insurance, medical services, investment as well as legal firms.
My session, which ran between 12.00-01.00 pm, focused on the Rights of Individuals as Data Subjects under the newly-passed Personal Data Protection Act 2010 of Malaysia. Those rights of data subjects were provided in Part Two, division 4, sections 30-44. In short, those rights can be listed as follows:
Right to access
Right to correct data
Right to withdraw consent for data processing
Right on sensitive data
Right to prevent distress/damage
Right to prevent direct marketing
The session ended with a discussion of some prominent issues that confronted individuals, such as workplace monitoring, junk mail/spam, data theft, and pictures taken at public places. One important message (of many) that I discussed with the audience was that, in order to achieve better implementation of the law, organisations should see and manage it using the perspective of individuals, not merely that of the organisation; because in organisations, their people (employers, employees, business partners) are all data subjects too.
Understanding data protection principles is crucial to (re)formulating business processes. For companies and organisations that in any way involve the use and exploitation of personal data of their employees, customers (actual and potential) and business partners, a series of actions needs to be taken to comply with the legal regime on data protection.
In Malaysia, this is particularly a cause of concern nowadays as the new law on personal data protection clearly requires data users to take certain actions.
Laid out in the main body of the law is the prescription of data protection principles, from which stem all the rights, duties and liabilities of both data user and data subject (Note: ‘data user’ refers to those who use, collect, process, etc. the personal data that belong to certain individuals. Those individuals are called ‘data subjects’).
Much has been said and written in the past two days regarding the passing of the Personal Data Protection (PDP) Act by the Dewan Rakyat on Monday this week. Amid all the hype, the name CTOS has been among the top, even days and months before the lawmakers finally okayed the law.
No less than members of parliament from both sides (ruling and opposition) as well as the Minister in charge of the law had indicated that, with the birth of this Act, people’s suffering and distress due to the alleged misuse of their data by credit reporting agencies (also known as credit rating agencies), such as CTOS (Credit Tip-Off Service Sdn Bhd), will come to an end.
So happy ending, or is it? I do not think so. And I think this is a mistake, which is unfortunately echoed by the press and media.
It is official now that the long-awaited personal data protection (PDP) Bill has been passed by the Malaysian House of Representatives (Dewan Rakyat). I personally attended the debate that was held yesterday, Monday, 5 April 2010 in the Dewan Rakyat. I am particularly glad that I could make it to the Parliament to watch the passing of the Bill that had filled much of my research time since I was doing my Masters dissertation on PDP law back in 2000.
The debate that took place between 17.00 hrs-19.30 hrs was to me more than just a formality of the legislative process. MPs from both sides took turns to present their views, experiences, concerns and arguments on many aspects of the law. Some even took a lengthy time to establish their points, citing a number of provisions of the Bill.