Data Protection and the Internet

My article on data protection on the internet was published in The Star newspaper on 5 August 2010. Unfortunately, they changed my title to Personal Data and the Law. It was originally Data Protection and The Internet. My article was only in respect of the internet and not the law in general!! Wtf!!!

Anyway, here’s a reproduction of the article which is obtained from here.

Personal data and the law

Putik Lada

As the Personal Data Protection Act 2010 will be in force any time soon, data users are advised to be familiar with, and to start adhering to, its principles.

THE Personal Data Protection Act 2010 that is set to be enforced regulates the collection of personal data by parties for commercial transactions and will change the way we do business.

In brief, personal data is defined as any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.

A data user is basically the party using the personal data of an individual, which is referred to as data subject in the Act.

Personal data may take various forms and may be a name combined with other information, passport/identity card number, telephone number, photograph, fingerprint, or DNA.

A name itself cannot be personal data as there may be many individuals with the same name. However, where the information is combined with other information such as an address, this may be sufficient to identify an individual.

Unfortunately, the Act is only limited to personal data in respect of commercial transactions. Social media networking websites such as Facebook and Twitter, and foreign website owners are not subject to the Act.

This limits the type of personal data that are protected, for example, intimate photographs of individuals. As such data is normally not collected through commercial transactions, their distribution may not contravene the Act.

In Hong Kong, such data is covered. In an incident relating to the online circulation of nude photos of certain celebrities, the Privacy Commissioner for Personal Data decreed that such photographs are caught under the Hong Kong Personal Data (Privacy) Ordinance.

The Act sets out seven principles which a data user must adhere to when dealing with personal data. They are General, Notice and Choice, Disclosure, Security, Retention, Data Integrity and Access.

Failure to comply with any of the seven principles amounts to an offence punishable with a fine not exceeding RM300,000 or imprisonment not exceeding two years or both.

Under these principles, the collection and use of personal data must be consented to by the data subject, and steps must be taken to ensure that they are updated, correct and stored securely.

Further, adequate notice must be given to data subjects that their personal data will be used, and the purpose of the same. Data subjects should also be given the choice to opt out from giving certain personal data. Personal data no longer in use has to be destroyed.

Consent is not defined in the Act but a positive consent — written, oral or electronic — would be sufficient. However, positive consent would not apply in a scenario where a data user sends a form requesting consent and the form states that consent is assumed if no response is given. Failure to respond may not be considered as consent under the Act.

As the Act only applies to personal data in respect of commercial transactions, whether blogs would fall under its purview would depend on the circumstance of the case. If a blog is established purely for a recreational purpose, the Act may not apply due to the limitation of the definition of personal data.

A website generally collects personal data in two situations: when a user visits the website, and when a user provides information to the website operator, e.g. through an online form.

Information collected from a visitor to the website would include the IP address of the visitor and also cookies. Cookies are files used by websites to collect information about a user’s online activity. They can recognise a computer when a user logs on and can allow a website to store and remember usernames and passwords. Such information must be properly kept and not revealed to third parties.

As for the latter situation, website operators should inform the visitor that his or her information will be kept and used by them and their related parties. If website operators wish to use the information for other purposes, such as for marketing, they should obtain consent from the data subject.

Also, if personal data will be transferred outside Malaysia, consent should be obtained, otherwise any reference to the owner should be removed as it is an offence under the Act for a data user to transfer personal data outside Malaysia.

Companies need to be careful when sending out marketing materials. Under the Act, data users may be liable to a fine not exceeding RM200,000 or imprisonment not exceeding two years or both if they refuse to cease sending unsolicited marketing materials.

Following the security principle, personal data collected by website operators must be kept properly to ensure that they are not leaked. Proper security measures such as encryption must be in place.

If personal data is meant to be revealed to the public, notice should be given ahead and consent obtained. For example, a web forum should indicate to its users that information will be revealed to the public if requested. However, if the personal data is requested by a competent authority, consent may not be required.

In addition, website operators should also consider inserting a privacy policy statement on their websites in a specific page accessible by a visitor.

The privacy policy should state:

- what will be done with the personal data;
- who is collecting the personal data;
- what personal data is being collected;
- whether the personal data will be transferred out of Malaysia; and
- whether the personal data will be disclosed to third parties.

As the Act will be in force any time soon, data users are advised to start adhering to its principles. Notice and consent of data subjects are the keys to allow a data user to use personal data. As such, data users should revise their data collecting system to be in line with the seven principles.

Unfortunately, at this stage, the extent and applicability of the Act is unknown and it seems to be wide and far reaching and, to a certain extent, excessive. In this regard, a Personal Data Protection Commissioner should be appointed soon to address these uncertainties.

In many jurisdictions with data protection legislation, the respective Commissioners play a vital role in determining the scope and applicability of the Act and will from time to time issue good practice notes or clarifications to the public.

Keeping it Private

w00t! I’m featured in The Star newspaper!

Keeping it private

The pluses and minuses of the Personal Data Protection Bill 2009.

It is past midnight and you are sleeping soundly. Suddenly, an SMS beeps in. It turns out to be a message from a hotel, which you have never been to in your life, giving away a free one-night stay. Annoyed, you go back to bed. But you toss and turn. You can’t get back to sleep and get even more irritated.

Many of us have experienced similar incidents with these unsolicited phone calls, SMSes and e-mail messages. And many have also noticed that these nuisance calls or messages almost always come after they have divulged their personal contact information.

It could have been a warranty card you filled up, or you handed over your business card to participate in a “lucky draw” somewhere, or you had just subscribed to some service. In any case, someone either sold your contact information or is misusing it.

At the very least, such misuse means you are inconvenienced or irritated by sales pitches. But more worrying is that your information could be used for more nefarious activities, such as scams, identity theft, and cheating.

The Personal Data Protection (PDP) Bill 2009, which was passed in the Senate (Dewan Negara) recently, is aimed at putting a stop to such misuse of your personal information, as well as the malicious use of the data.

Abu Bakar: It makes it illegal for anyone – companies or individuals – to give out or sell someone else’s personal information without prior consent.

University Malaya law professor Abu Bakar Munir, who played an advisory role in the drafting of the Bill, said it plays a crucial role in protecting a person’s details in commercial transactions whether online or offline.

“It makes it illegal for anyone – companies or individuals – to give out or sell someone else’s personal information without prior consent,” he said, adding that it stipulates penalties for such transgressions.

The Bill is expected to be gazetted into law this year. When it is, Malaysia will be among the first in Asean to have introduced such legislation.

Personal information, under the Bill, means any data that can identify an individual – name, age, MyKad details, photo, passport number, video and images captured via closed-circuit television.

“If you receive any unsolicited direct marketing messages or advertisements, you will be able to lodge a complaint with the personal data protection commissioner, who will investigate,” Abu Bakar said. At the time of writing, the mechanism for lodging such complaints had yet to be set up.

Those found guilty of contravening the rules could be fined a sum not exceeding RM200,000 or be jailed for a period not exceeding two years, or both.

Abu Bakar believes those penalties should be sufficient to dissuade anyone from illegally sharing someone else’s personal information.

Foong: Companies need to ensure that their customer forms have a section that seeks consent from the customers to collect their personal information.

Wide impact

But the ramifications of the PDP Bill 2009 becoming law have great depth and breadth. Foong Cheng Leong, an advocate and solicitor with Lee, Hishammuddin, Allen & Gledhill, sees it even affecting the way businesses and other organisations store the personal data of their customers.

He said the contents of the Bill would apply to local and foreign companies operating in this country, as long as the personal information in question is being processed in Malaysia.

It will require businesses to clearly tell customers that their personal information is being collected, why the data is being amassed, and what they want to do with the details.

“By doing this, the personal information of the customers is protected and it helps to control abuse of the data, such as selling the contact numbers to a third party,” said Foong, who specialises in intellectual property and information technology legal issues.

“It also forbids the businesses to transfer the personal information outside Malaysia without the consent of the customer or the designated countries which are provided by the personal data protection commissioner,” he said.

In this way, the customers will know where their personal information is residing.

According to Foong, it would be in the interest of the companies and organisations having people’s personal information now to already start ensuring that their data-collecting mechanisms are in sync with the requirements stated in the Bill.

“For a start, the companies need to ensure that their customer forms have a section that seeks consent from the customers to collect their personal information, as well as stating why the data is needed and what it will be used for,” he said.

“Any company that has been collecting such information before the law comes into force must still comply with the provisions of the Bill within three months thereof.”

Also, under the Bill, a customer can ask the company from which he or she has bought products or services to show what personal data it has collected on him or her.

But there are exceptions to this rule, according to lawyer Tong Lai Ling, a partner at Raja, Darryl & Loh.

Tong said one exception is when providing that information will disclose confidential commercial data, in which case the company is not obligated to meet the customer’s request.

“Another exception is when the burden or expense of retrieving the data is disproportionate to the risk to the customer’s privacy in relation to personal data,” she said. Tong has 10 years of experience in cyberlaw.

Under the Bill, the collection of sensitive personal data such as medical reports, political affiliations and religious beliefs is also subject to conditions.

“For example, a housing developer cannot ask for a medical report when entering into a sales and purchase agreement with a buyer,” she said.

Not perfect

The Bill isn’t as encompassing as it could be, said Tong at Raja, Darryl & Loh.

“For example, it only applies to personal data gathered as a result of commercial transactions. As such, it would seem that only companies, religious bodies, political parties and charitable organisations that engage in business will be subject to Personal Data Protection rules if they collect customer data,” she said.

The general consensus is that any and every organisation that collects your personal data should be subject to the rules in the Bill.

Also, it is not easy in some ­circumstances to draw a line between commercial and non-commercial transactions, said Foong at Lee, Hishammuddin, Allen & Gledhill.

He and Tong pointed out that according to the Bill, information collected by federal and state governments is not subject to the stipulations provided for.

“What if the Selangor State Development Corporation (PKNS) forms a business joint venture with the Government?

“PKNS, created under the Selangor State Development Corporation Enactment, 1964, means it should be treated as a separate legal entity,” said Foong.

“But it is not clear whether or not PKNS in such a situation would be bound by the data protection rules in the Bill. A similar predicament arises with any other local authority, statutory body, or state corporate entity.”

Also, the fact that the Bill exempts the Government from personal data protection rules should be of great concern to everyone, he said. “The Government is the biggest collector of personal data – from the time we are born to the day we die.”

Foong believes the Government should play its role as the protector of the personal information of its citizens.

He said the Government has stated that it has its own mechanism for protecting the personal data of its citizens. But it has not revealed if the mechanism is as extensive as that set down in the Bill for the handling of personal data.

The Bill stipulates seven principles governing the handling of such data – covering everything from getting permission from the citizen to why the information is needed, to what can be stored, to how long it can be stored, and to how much of it can be shared.

University Malaya’s Abu Bakar recommends that the Government develop a set of rules and regulations, i.e. a code of practice, to protect the personal information of the rakyat, or have separate legislation in that respect.

Last bit

Despite some shortcomings, the Personal Data Protection Bill 2009 is still a good start towards empowering Malaysians to maintain their privacy.

When it becomes law, it will need to be fine-tuned from time to time so that it provides better protection and does not become antiquated.

So, the next time you get an SMS or phone call in the middle of the night or any other time for a free night’s stay or another unsolicited service or product, it could be the other guy that gets the wake-up call.

Note: The Personal Data Protection Act 2009 received the Royal Assent on June 2, 2010, which now makes it an Act. However, the Act will only take effect when the Government gazettes it.