Personal Data Protection Bill 2009
The Data Protection Bill 2009 is to be tabled and debated in the March sitting of Parliament. Please read it and post any comments and feedback that could make the Bill more effective in its purpose.
An Act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto. The aim of this Bill is to regulate the collection, holding, processing and use of any data or information pertaining to an individual, such as name, date of birth, address, sex, finances, preferences, etc.
Besides that, it is also intended to provide adequate security and privacy in the handling of personal information, create confidence among consumers and users of both networked and non-networked environments, accelerate the uptake of electronic transactions, and promote a secure electronic environment in line with the objectives of the MSC. The Bill provides for the appointment of a Commissioner for personal data protection and a personal data protection tribunal.
Under the proposed Bill, all data must be collected fairly and lawfully, and the purpose of collecting the data must be specified and lawful. Personal data must only be used for the purpose for which the data is collected, or for any other purpose directly related to it.
Personal data must not be disclosed without the consent of the data subject concerned, unless the disclosure relates to the purpose for which it was collected. In practice, this Bill is intended to prevent the misuse of a person's personal data, which can cause losses ranging from financial and legal liabilities to commercial and public embarrassment.
For example: misuse of social networking websites; in the past decade, people losing their money to credit card abuse; companies losing their reputation through infringement of customer privacy; businesses ruined by data fraud; and government agencies concerned about personal data leakages.
Why do we need this protection in Malaysia?
Firstly, due to social technology, the privacy of individuals may be disregarded or abused (i.e. emails, ATM cards, etc.).
Secondly, it is necessary for global trade (electronic commerce and transactions); in the absence of this Act:
a) developers and local and foreign banks have been selling their customers' personal information or allowing the data to be used by third parties.
b) adequate regulation of personal data is now a prerequisite in many countries for initiating or continuing bilateral trade.
And thirdly, there is a need to respond to international and legislative developments:
(i.e.) Art. 25 of the EU Data Protection Directive provides that "the transfer to a third party country, of personal data which are undergoing processing, or are intended for processing after transfer, may take place only if the third party country in question ensures an adequate level of protection."
Disadvantages of the Bill
1) Under clause 10, personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. In the UK, the time limit given to the data user is 40 days. The phrase "shall not be kept longer than necessary" is too wide and vague; this clause gives the data user too much discretion.
2) Clause 2: this Act shall not apply to the federal government and state governments.
We absolutely disagree with this clause, and there is no reason why the government needs to be excluded from this Act. As we know, the government, through its various registration, tax and other agencies, is one of the largest collectors and custodians of personal data in the country. Thus, to exclude the federal and state governments from the ambit of this Personal Data Protection Act would deny the underlying objectives of such a law.
3) Under this Bill, a Commissioner for personal data protection and a personal data protection tribunal will be appointed. However, unlike under the UK legislation, the Commissioner in Malaysia is responsible and answerable to the Minister (clause 59: the Commissioner shall be responsible to the Minister).
Again, we disagree with this clause, as it calls into question the neutrality of the Commissioner, who would be expected to investigate complaints against government bodies for any breach under the law. Therefore, the Commissioner and tribunal to be appointed under the Personal Data Protection Act should act as independent bodies and perform their duties without any interference.
Instead of clauses 2 and 59, we need a broader application of the law which would ensure a comprehensive regime governing the holding, use, correction, disclosure and transfer of information, applying to every entity involved in such practices.
4) The term "sensitive data" is not defined under the Act and is left entirely within the power of the Ministry to decide.
This would allow the Ministry to manipulate and exploit the term as and when it likes. Therefore, the categories which can or might fall within this term should be listed definitively.
5) Clause 39(e): notwithstanding s.8, personal data of a data subject may be disclosed by a data user for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection, or any other purpose directly related to that purpose, only under the following circumstances:
(e) the disclosure was justified as being in the public interest in circumstances as determined by the Minister. This subsection under s.39 should be removed, as it would give the Minister too much power to decide which data amounts to public interest. The term "public interest" is wide and ambiguous; therefore this subsection should be removed, or the term "public interest" should be defined definitively (which is difficult to do), or the Ministry should have no role in determining which data falls within the "public interest" term, leaving the Commissioner alone to decide.
6) Transfer of personal data to places outside Malaysia: s.129(2)(a),(b).
The provision provides that the transfer of any personal data is not allowed except to places which:
- have in force any law which is substantially similar to, or serves the same purpose as, the personal data protection law, or
- ensure an adequate level of protection for the rights of the data subject.
The phrase "adequate level of protection" is not certain and is too wide to determine whether a particular jurisdiction has an "adequate level of protection" or "serves the same purpose" as the personal data protection law. For example, in Hong Kong there is no personal data protection law; they only practise self-regulation for personal data protection. The question is whether such regulation is sufficient to be adequate, similar or the same.