An examination of privacy laws and the recently passed Personal Data Protection Bill by the Dewan Rakyat in Parliament and its application, enforcement, and implications for Malaysia.
To understand why there is a need for Personal Data Protection legislation, we must first understand why the need for such laws arose. The Personal Data Protection Bill by the way has no connection whatsoever with data Protection of software in computers. This area of law specifically relates to the dissemination and storage of personal data of people and is related to the law of privacy.
Privacy law is the area of law concerning the protecting and preserving of privacy rights of individuals. While there is no universally accepted privacy law among all countries, some organizations promote certain concepts be enforced by individual countries. For example, The Universal Declaration of Human Rights, article 12, states:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.
For Europe, Article 8 of the European Convention on Human Rights guarantees the right to respect for private and family life, one’s home and correspondence. The European Court of Human Rights in Strasbourg has developed a large body of jurisprudence defining this fundamental right to privacy. The European Union requires all member states to legislate to ensure that citizens have a right to privacy, through directives such as the 1995 Directive 95/46/EC on the protection of personal data. It is regulated in the United Kingdom by the Data Protection Act 1998 and in France data protection is also monitored by a governmental body which must authorize legislation concerning privacy before them being enacted.
The protection of Privacy here relates specifically to information privacy; in lay terms it means the protection of your personal details and information about you.
These are seven core principles in the ethics of how personal private Data is to be collected, processed and stored.
The seven principles governing the Organisation for Economic Co-operation and Development’s (OECD) guideline for protection of personal data:
1. Notice: data subjects should be given notice when their data is being collected
2. Purpose: data should only be used for the purpose stated and not for any other purposes
3. Consent: data should not be disclosed without the data subject’s consent
4. Security: collected data should be kept secure from any potential abuses
5. Disclosure: data subjects should be informed as to who is collecting their data
6. Access: data subjects should be allowed to access their data and make corrections to any inaccurate data
7. Accountability: data subjects should have a method available to them to hold data collectors accountable for following the above principles.
Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: i) transparency, ii) legitimate purpose and iii) proportionality.
The data subject has the right to be informed when his personal data are being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11 EU Directives)
Data may be processed only under the following circumstances (art. 7):
- when the data subject has given his consent
- when the processing is necessary for the performance of or the entering into a contract
- when processing is necessary for compliance with a legal obligation
- when processing is necessary in order to protect the vital interests of the data subject
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are
- overridden by the interests for fundamental rights and freedoms of the data subject. The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn’t being processed in compliance with the data protection rules. (art. 12)
ii) Legitimate purpose
Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b)
Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; The data shouldn’t be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6)
When sensitive personal data (can be: religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply. (art. 8)
The data subject may object at any time to the processing of personal data for the purpose of direct marketing. (art. 14)
A decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15)
A form of appeal should be provided when automatic decision making processes are used. The Principles above are based on the OECD Guidleines and that of the European Union.
Personally I feel it’s about time we had a Personal Data Protection Act in Malaysia to stop abuse and to curtail the many marketeers who transfer sell and barter personal data for profit. Many Malaysians are not aware that their personal Data is being viewed, traded like a commodity, and used by third parties who should not have access to their personal information.
How many of you have bought a new car or applied for a loan or credit card and weeks later you find third parties approaching you in an attempt to promote products or spam you with e-mails? Isn’t it is scary knowing that while you are asleep, someone somewhere could be assessing a data base and taking down your personal details?
The impact is great: In the EU Data Protection Laws are viewed very seriously to such an extent that member states must ensure that they all have adequate Data Protection Laws, and further that when member states deal with non member states the non member state must have adequate data protection laws. Article 25 of the OECD states :-
The Member states shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the National provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection …
The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country
Now that Malaysia is enacting a Personal Data Protection Act, what will the impact of the Act be and would it be deemed adequate or provide adequate measures to ensure the spirit of Data Protection principles are entrenched?
Editorial Note: In Part 2 tomorrow – Considering the Personal Data Protection Act’s implications, enforcement and efficacy for Malaysia.
“Years away from data protection bill” – The Sun
“No personal data out without consent” – The Star