NST Leader: Privacy on sale

Personal data is public data in Malaysia. Imagine this: every two days an advertisement appears in the dark web putting on sale all things personal, as this newspaper reported yesterday.

This is no surprise given the screaming headlines in the newspapers of this and that leak. Just this month, from Feb 7 to 10, millions of personal data records went on sale.

Why does this keep happening? As always, we are lax on protection and enforcement. Our law, the Personal Data Protection Act 2010 (PDPA), while promising "protection", doesn't punish negligent companies. What's worse, they are not even required to report such breaches.

The PDPA might as well have been drafted by the legal departments of our corporate giants. Ministers come and go helming the Malaysian Communications and Multimedia Commission, but little changes beyond promises to curb breaches. It remains a story of many miles to go and promises to keep.

The European Union and Britain do a better job at protecting personal data. The strange thing is Malaysia's PDPA is modelled on the United Kingdom's Data Protection Act 1998, which reflects the dictates of the European Union's data protection directive. Why the difference here?

In wanting to be business-friendly, Malaysia often opts for laxity. Consider data users and data processors, two entities that one would think would be covered by the PDPA. Be surprised. Only data users are covered, leaving the data processors to escape the obligations imposed on the former under the legislation.

True, data users often include some diluted version of such obligations in their contracts with data processors, but who monitors them? If the PDPA allows companies to not report breaches, why should they bother to go after data processors? The frequent personal data breaches involving telecommunications service providers, financial institutions, broadcasters and others tell us that the PDPA's trust is misplaced. And as for data users, the penalty for non-compliance is RM300,000, or two years' imprisonment, or both.

The paltry penalty aside, have we ever heard of directors or mighty shareholders being imprisoned? Trafficking in personal data is both easy and made easy here.

The PDPA must mean protection if it wants to be an effective piece of legislation. As it is, it's much bark and very little bite. The law must go beyond giving people the right to withdraw their consent or complain to the authorities. Bite requires more.

One way is to enable redress against data users and data processors for the people whose data has been breached. Deterrence is made of this. Companies may scream "hackers" and "worms", but aren't they making it easy for them to mine such data for sale with lax cybersecurity measures? Nothing less than their best efforts in preventing data breaches should set them free. The rise and rise of data breaches is an indication of corporate slack. We must rein them in.

Our habit of dispensing slaps on the corporate wrists must stop. Malaysia has the UK's data protection law, but not an entity like the Information Commissioner's Office, an independent body set up to uphold information rights in the public interest.

There may be a corporate versus public interest battle at play here, but Putrajaya would do well to tilt the balance towards the latter if it wants privacy to prevail.
