From Privacy Suit to EU GDPR: Data Protection Updates from Malaysia – As reported in the Borneo Post

By: Sonny Zulhuda

The beginning of the year saw my interview with the Malaysian daily the Borneo Post that was published on 1st January 2019. This interview was initiated by my colleagues from the consultancy firm Straits Interactive. The report was entitled “Malaysians increasingly aware of risks with data breach.” It can be found in this link.

The article started to to note that Malaysians now are more aware about the risks associated with breaches of their personal data. In fact, we in Malaysia have seen in the past five years, that there is a sharp increase in data privacy civil suits in the local Malaysian courts.

Among the points I highlighted in the interview are as follows:

What are the costs of data breaches?

  • The cost of data breaches can be seen in many areas. In terms of legal liabilities, companies in breach of the Malaysian PDP Act 2010 can be fined up to RM500,000 – for offences such as unlawful sale or unlawful collection of personal data, as well as collection of data without the required certificate of registration.
  • And when a data breach occurs, costs can also be incurred through technical repairs and loss of reputation. Business can also suffer because of bad publicity.
  • Civil suits can also be brought against companies, and these can cost businesses a lot of money. Malaysians are becoming increasingly more aware of the risks associated with breaches of their personal data, and we have seen a sharp increase in data privacy civil suits in the local Malaysian courts in the past five years.

Are we prepared? Here is what I said:

  • Unlike companies in the US and Europe, many companies in the Asean have yet to reach an acceptable level of preparedness. Data protection does not tend to be a part of the business culture, however some industries (banking and finance) are more prepared due to legislation and legal requirements.
  • To bolster the understanding and preparedness of other industries, we need more public awareness, training, and certified professionals in the field of data protection.

What are among the common concerns?

  • One major concern in Malaysia is how much our MyKad (ID cards) details are easily and unnecessarily exposed. Many people needlessly impose the collection or retention of MyKad details before people start business communication or interactions, enter premises, or participate in events. Unfortunately, lots of people are happy to submit these details and this gives the impression that these practices are approved and not an issue.
  • Another problem is direct marketing, as well as unsolicited commercial calls, emails and text messages. While it’s clear individuals have the right to refuse direct marketing, it still regularly happens.

What has been prepared?

  • I highlighted that leading consultant like Straits Interactive plays the role to champion a public-private partnership by establishing alliance with academia, industries and the government. This partnership will ensure Malaysia as a nation moves together and responds to data privacy issues with a common understanding and comprehensive programmes.

Does the European Union GDPR (General Data Protection Regulations) have anything to do with the Malaysians?

  • With the passing and enforcement of the EU General Data Protection Regulation (GDPR) in May 2018, Malaysia needs to gear up for these stronger laws and better enforcement.
  • The GDPR applies to companies who also interact with European citizens, and this requires short-term training programmes and certifications in the field of data protection.
  • A collaboration at the regional level is also timely and necessary. We are heading towards that.

Credit on this Interview to the Straits Interactive and the Borneo Post.

Advertisements

January 8, 2019
Categories: All Articles, Uncategorized . Tags: , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Intellectual Property Rights and Open Data in the Digital Environment

By: Sonny Zulhuda

postermaker-1541067967396

A close forum named Focus Group Discussion (FGD) on IPR and Open Data in the Digital Environment was recently held on 9th November 2018 at Al-Nawawi Conference Room, Ahmad Ibrahim Kuliyyah of Law, International Islamic University Malaysia (IIUM). The event was involving two universities from two countries which are the International Islamic University Malaysia (IIUM) and Universitas Padjadjaran (UNPAD), Indonesia.

In his welcoming remarks, the Dean of Ahmad Ibrahim Kuliyyah of Laws, Prof. Dato’ Sri Dr. Ashgar Ali Ali Mohamed extended his gratitude and warm welcome to the delegations from UNPAD. He believed that this two-way discussion should be conducted more regularly in promoting the intellectual discourse between two countries. In a reciprocal gesture, Prof Dr H Ahmad M. Ramli from the Faculty of Law, UNPAD in his keynote address appreciated the initiative by IIUM in conducting this group discussion.

This FGD was part of the research work under the Fundamental Research Grant Scheme, funded by the Ministry of Education, Malaysia. The group discussion was divided into 4 sessions, involving 11 speakers altogether; 7 from UNPAD and 4 from IIUM. Here are some excerpts:

Session 1: IPR Between Tradition and Innovation Continue reading

December 20, 2018
Categories: Content regulation, Cyberlaw Indonesia, ICT Policy & Governance, Intellectual Property, Uncategorized . Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Privasi dan Integritas Teknologi

Dr Sonny Zulhuda

This article, in Indonesian, was published in the national daily REPUBLIKA, on 3rd April 2018. This piece highlights the ultimate need to have a privacy-embedded technologies. Respecting privacy is a prerequisite to maintain the integrity in the use of technology. As I concluded, the connectivity that we currently enjoy shall not eliminate the identity and integrity that shape who we are, as individuals and nation.

================

boss-spying-on-youBerbagai isu kebocoran data pribadi seperti yang baru-baru ini berlaku pada data registrasi nomor telpon seluler di Indonesia, dan juga pada data pengguna Facebook di Amerika Serikat (AS), membawa kita kepada pertanyaan yang lebih fundamental, yaitu hak privasi terhadap data. Apakah hak privasi itu sendiri?

Jarang didefinisikan, namun sering diperdebatkan. Misalnya, dalam menyikapi isu penyadapan komunikasi oleh penegak hukum di Indonesia, masyarakat kita berpolemik sejauh mana penyadapan bisa dilakukan, mengingat efeknya yang mengoyak kebebasan dalam berkomunikasi. UUD 1945 menjamin hak kita untuk berkomunikasi dan menyampaikan pemikiran atau pendapat. Jika komunikasi kita disadap, maka hak kita sudah disunat. Dalam konteks inilah Dewan Keamanan Nasional AS dikritik tajam ketika mantan pekerjanya Edward Snowden mengungkap praktik Badan itu dalam mengawasi komunikasi dan data pribadi pengguna Internet AS dan global.

Di Malaysia, pengadilan memvonis salah perbuatan memasang kamera CCTV di pekarangan rumah sendiri namun mengarahkannya ke halaman rumah orang lain karena mengganggu privasi tetangganya. Di Afganistan, orang dilarang memanjat genteng rumahnya sendiri sebelum memberitahukan tetangganya agar si jiran tidak terlihat dalam kondisi yang memalukan. Di Korea, kamera telpon seluler harus disetting dengan suara yang cukup nyaring sehingga orang tahu jika ia difoto di kawasan publik. Semua contoh diatas muaranya sama, yaitu melindungi privasi orang.

Kita tidak ingin teknologi modern yang nisbi menggerus sisi kemanusiaan yang universal dan hakiki. Teknologi informasi kita di negeri ini tidak boleh bebas nilai, dan tidak boleh pula miskin nilai. Koneksitas dan mobilitas yang semakin baik merupakan anugerah yang harus kita syukuri. Namun perlu diingat, koneksitas tidak dapat menghapus identitas, dan mobilitas tidak bisa meminggirkan integritas. Majulah TI di Indonesia.

Berasal dari bahasa Inggris, “privacy” berarti hak untuk bersendirian dan untuk tidak diawasi oleh orang lain. Padanannya dalam bahasa Arab adalah “huquq fardiyyah” (hak-hak pribadi) atau “huquq al-hurmah” (dignity atau maruah).

Dalam dialektika Alquran, Continue reading

April 23, 2018
Categories: Uncategorized . Tags: , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Speak Privacy an Asian Way — at Asia Privacy Bridge Forum in Korea

By: Sonny Zulhuda

seoul.jpg

Last week I received this invitation letter to speak at the Third Asia Privacy Bridge Forum, hosted by Barun ICT Research Centre, Yonsei University, Seoul, South Korea towards the end of June 2017. The Director of the Centre, Dr. Beomsoo Kim noted that this Forum is supported also by KISA (Korea Internet and Security Agency) and the Korean Ministry of Interior. I am asked to speak about the development of the data protection laws in two countries Malaysia and Indonesia.

This is an exciting surprise. Not only because it would be my first visit to Korea, but also because I will have an invaluable opportunity to mingle with the Asia Pacific and international network on privacy and data protection; and to share with them what is up in Malaysia and Indonesia on this subject.

There are other speakers who are expected to speak from different jurisdictions: Korea, Japan, Singapore and China including: 1. Dr. Beomsoo Kim (Yonsei University, South Korea); 2. Jongsoo Yoon (Lee & Ko, South Korea); 3. Dr. Kaorii Ishii (University of Tsukuba, Japan); 4. Dr. Warren B. Chick (Singapore Management University); 5. Dr. Sonny Zulhuda (International Islamic University Malaysia); 6. Mr. Eunsil Lee (Seoul Metropolitan Police Agency); and Rona Morgan, Singapore-based IAPP Asia Director.

After all, the event sets as an ultimate aim a common desire to move forward collectively and globally in addressing the challenges of enforcing data privacy laws.

From the Malaysian perspective, this is the time to showcase what it has done or set to do beyond the initial period of public education on the law. What has been done towards enforcement? That is specifically questions that I would like to share during the Conference. Besides, the fact that the industries have moved further to issue self-regulatory Codes of Practice is also a stimulating development.

From the Indonesian perspective, there is quite a few development to share. In the past year, it is noteworthy that the 2008 Law on Information and E-Transaction (“UU-ITE”) was amended by the  Parliament to strengthen some aspects of the law, including on the “Right to be Forgotten”. Then, still in 2016, the Information Minister issued a new Ministerial Regulation on the Protection of Personal Data Processed Electronically. This regulatory piece is indeed a milestone to the data privacy law in Indonesia, albeit that it is a subsidiary legislation, rather than a parliamentary statute. Beyond this, there is this Bill draft of the Personal Data Protection Act that has been consolidated in early 2017.

With all these development, I hope I can portray insightful updates to the Forum and ultimately to everyone who shares the interest on this subject. But first, let’s hope my visa is ready on time.

UPDATE: the visa was ready on 23rd June, and I’m scheduled to fly on Sunday night.

June 21, 2017
Categories: Uncategorized . Tags: , , , , , , , , , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Ransomware Attack: How a PDP law compliance can be of any help

By: Sonny Zulhuda

Ransomware

No! We are not talking about how to cure a ransomware attack such as “WannaCry” after it happens. That is not going to happen. Legal compliance is, from the perspective of business continuity and data disaster management, always at the “preventive” side rather than “curative” or “recovery” domain. Just like how technically a data backup is more preventive rather than reactive.

Then, are we saying that complying with Personal Data Protection law is going to prevent incidents like ransomware attack? Not necessarily true. But obviously, by keeping yourself updated about legal requirements pertaining to personal data protection, you will activate a “standby” mode.

Complying with the legal requirements on data protection such as Data Security and Data Retention standards, for example, people in your organisation are made aware that some security measures had to be put in place to protect the personal data system, which often overlaps with other database or information systems in your organisation: payroll system, human resources system, financial system, CRM system, and so on, because in each of those there are personal data of data subjects that you or your organisation process/processes.

That is why, a compliance with PDP law such as the Malaysian Personal Data Protection Act 2010, can be a gateway to better data protection in your organisation from unwanted attacks or other risks to the data integrity and security. In fact, the PDPA 2010 hints that a data due diligence

In fact, the PDPA 2010 hints that a data due diligence such as your data risk management that you conduct in your organisation will not only mitigate the risk to data attack but also will be your “legal defence” in case such attack takes place despite your mitigating measures. This is what transpires from the provisions of the PDPA 2010.

So, the equation is not complicated:

Data due diligence = legal compliance + risk management = legal defence

Good luck! 🙂

May 16, 2017
Categories: Uncategorized . Tags: , , , , , , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

“Can my lecturer access my personal information?” – And Other Issues of Data Protection at the Higher Learning Institutions 

By: Sonny Zulhuda 

In the past week alone, I spoke about the personal data protection law at two Malaysian public universities; Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).

In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 at the University environment.

IMG_20170319_095449

The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university’s employees, as well as any individuals involved in the data processing.

Continue reading

March 19, 2017
Categories: data privacy, My Speaking Engagement, Uncategorized . Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Data Sovereignty vs Data Localisation Law

By: Sonny Zulhuda

Transferring personal data beyond national boundaries has been a point of contention under many data protection laws across the globe. The European Union adopts this restriction that such transfer beyond EU boundaries cannot be done unless to the countries or places which have adequate protection on personal data of individuals.

Cloud-Data-SecurityThis rule is associated with the concept of “Data Sovereignty” which says that a country shall not lose a control or sovereignty over the processing of personal data pertaining to data subjects from that country. It also imposes that information which has been stored in digital form is subject to the laws of the country in which it is located. Therefore, a control over trans-border data flow is a form of upholding data sovereignty.

The concept of Data Sovereignty is reflected in the EU Data Protection Directives 1995 recitals whereas:

  • cross-border flows of personal data are necessary to the expansion of international trade;
  • the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection;
  • the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.

As much as we are concerned with personal data transferred beyond our border, we also appreciate that personal data is inherently needed for the International trade and International cooperation. Hence, when a personal data is subject to trans-border flow, there shall be no discriminatory treatment to the citizen’s personal data despite where it is processed.

Data Localisation Law

This data sovereignty is sometimes confused with the rules of “Data Localisation”, which is totally a different thing. Data localisation laws set forth requirements to keep and store data “locally” (i.e., within national or regional borders), and thus not allowing data users to transfer data beyond borders. Consequently, any foreign party who wishes to collect or process personal data of individuals will be required to establish a local data storage facilities in the country of those individuals. Continue reading

February 12, 2017
Categories: data privacy, Uncategorized . Tags: , , , , , , , , , , , , , , , , , , , , . Author: Sonny Zulhuda . Comments: Leave a comment

Previous page Next Page »
  • March 2019
    M T W T F S S
    « Feb    
     123
    45678910
    11121314151617
    18192021222324
    25262728293031

  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,613 other followers