Time to expedite privacy law

IN March, Communications and Multimedia Minister Gobind Singh Deo told reporters that his ministry was reviewing the Personal Data Protection Act (PDPA) 2010. The objective was to streamline it with the European Union’s (EU) General Data Protection Regulation (GDPR).

The minister had said PDPA, which was formulated a decade ago, must be amended to ensure that it keeps pace with current developments. However, there is no time frame and the review is still ongoing.

Much has been bandied about over the GDPR, but most Malaysians are unaware of what it actually entails. GDPR, a new set of regulations replacing the earlier 1995 EU Data Protection Directive, requires organisations to carry out “comprehensive changes”, and the private sector must take note of this new level of privacy law on data protection.

Any business entity or government-linked company having business dealings in the European Union (EU) or with EU citizens must comply with them.

GDPR was adopted by the European Parliament on April 14, 2016 and came into effect in May last year. The primary objective is to protect the security and privacy of EU citizens online.

The regulations apply if the data controller (any entity that collects data from EU residents) or processor (any entity that processes data on behalf of a data controller) or the data subject is based in the EU.

They also apply to entities based outside the EU if they collect or process personal data of individuals located inside the EU. However, they do not apply to the processing of data by a person for a “purely personal or household activity with no connection to a professional or commercial activity”.

In short, they apply to Malaysian entities having business dealings with EU citizens. If you hold, store or process the personal data of any EU citizen, even their email addresses, you are affected by these new regulations. If their personal data which you hold is accessed and stolen by hackers (because of your failure to protect your sites), then you are liable for such loss.

GDPR introduces the concept of privacy by design and privacy by default. “Privacy by design” means that every time you introduce a new service or business process that makes use of personal data, you must take into account the protection of such data — and be able to document it. “Privacy by default” means that when a customer buys a product or service from you, the strictest privacy settings automatically apply.

These new regulations require you to put in place the appropriate “technical and organisational measures” to ensure no personal data of your EU customers is accessible to the wrong party.

If your user database is vulnerable to hacking or account takeovers because of your failure to install adequate protective measures, you are in breach of these new regulations.

Heavy fines are imposed (in some cases fines of up to €20 million or RM95 million) to ensure that EU citizens’ personal data are protected against unauthorised or unlawful processing, as well as against accidental loss, destruction or damage.

The term “personal data” has been defined to mean “any information relating to an identified or identifiable natural person (data subject)”. Apart from a person’s name, personal data includes his home address, photo, bank details, postings on social media, medical information, or a computer’s IP address.

In the past, several well-known companies have become victims of hackers. Yahoo was attacked in 2014, when three billion user accounts were hacked.

Others attacked in 2014 were eBay (142 million user accounts hacked) and JP Morgan Chase (the personal data of 76 million households was exposed).

FriendFinder Network was attacked in 2016, when 412 million user accounts were hacked. In November 2017, a local newspaper reported that the personal data of 50 million customers had been illegally obtained from Malaysian telecommunication databases. The data breach had apparently occurred as early as 2012.

Under the Malaysian Personal Data Protection Act 2010 (Act 709), the term “personal data” is defined differently. Malaysians should take note of this.

Our law on personal data protection (Act 709) is one tiny segment in the much wider Malaysian law of privacy, which, unfortunately, is still grounded in common law.

There have been calls by several quarters (including by this writer) for Parliament to enact a modern Privacy Act, as had been done in many jurisdictions, but there has not been any positive response.

I was, therefore, pleasantly surprised to read a recent news report quoting Datuk Liew Vui Keong, the Minister in the Prime Minister’s Department, that a new privacy law is in the pipeline. A committee had been set up to study the proposed legislation on stalking and intrusion of privacy, but there was no time frame on when it would be tabled in Parliament.

Given that we have been occasionally “exposed” to private videos on the various social media platforms in recent times by “resentful partners” or those with malicious intent, it is timely that a new privacy law is put in place. In fact, the process should be expedited.

It’s time too that we have a law to criminalise the non-consensual filming or recording of intimate videos and bring the perpetrator to book.

The writer formerly served the Attorney-General’s Chambers before he left for private practice, the corporate sector and academia.
