January 27, 2012

THE PROPOSED SINGAPORE DATA PROTECTION ACT

By

Professor Abu Bakar Munir


The Ministry of Information, Communications and the Arts of Singapore on 13 September 2011 issued a consultation paper on the proposed data protection regime for the Republic. Like other data protection laws around the world, the proposed law will have some rules concerning data processing. In many jurisdictions, the rules are called the data protection principles, which must be observed when organizations process personal data. The rules relate to transparency, collection, use, disclosure, protection, retention, accuracy, access and correction.

There will be two types of exemptions – total and partial. A total exemption means that the Data Protection law (DP law) does not apply at all. The consultation paper mentions three circumstances to be exempted under this category: first, when personal data has been made available by a public agency to a specific organization or to the public generally; secondly, processing of personal data in the course of a news activity; and thirdly, processing of personal data in relation to an individual’s business contact information if it is solely for the purposes of enabling the individual to be contacted in relation to the individual’s employment, business or profession. Beyond these, the major exemption is for the public sector. The proposed DP law will govern only private sector organizations.

Unlike the data protection laws in other jurisdictions, the proposed DP law provides only two rights to an individual: the right to have access to, and the right to correct, the personal data. A Data Protection Commission (DPC) will be established to enforce the Act. The DPC will have powers to issue orders and to impose a penalty of up to $1 million for non-compliance or breach of the Act.

Interestingly, the approach to be adopted is “complaint-based”, which means that the DPC will investigate any case of non-compliance based on a complaint. Arguably, complaint-driven enforcement may not be an effective way to enforce the DP law. Potential complainants may not be able to recognize breaches and may be unwilling to complain. These could be obstacles to enforcing the DP law effectively.

More interestingly, the proposed DP law covers only consumers’ data. The data protection law, however, is about privacy and individuals. An individual may or may not be a consumer. Restricting the application of the DP law only to consumers’ data may not be wise and judicious.

See my submission on the consultation paper at http://www.mica.gov.sg/DPconsultation/responses/Individuals%20%2810%29/Munir,%20Abu%20Bakar.pdf



January 25, 2012

PERSONAL DATA PROTECTION ACT 2010: BUSINESS AS USUAL?

By

Professor Abu Bakar Munir

Malaysia is the first among the countries in ASEAN to have a law governing the processing of personal information. The Personal Data Protection Act (PDPA), passed in June 2010, is expected to come into force soon, this year. The PDPA sets out principles of good information handling practice that must be followed whenever personal data is processed for commercial purposes. The law applies only if the data or information processed is ‘personal data’, that is, data or information that relates directly or indirectly to an individual.

At the heart of the Act are the seven data protection principles which must be observed by companies when processing personal data of their customers, staff members, etc. Non-compliance with any of these principles is a criminal offence. One of the most important prohibitions is on the processing of personal data without the consent of the individual. In addition, the information must only be used for the purposes for which it was collected, and it should be adequate for the purpose and not excessive.

Companies are also required to have privacy policy statements and are not allowed to disclose information for any other purpose, or disclose it to a third party, without the consent of the individual. Companies must take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Personal data collected can only be processed for the specified purpose and, once such purpose is achieved, the personal data shall not be kept any longer by the data user. It is the responsibility of the company to destroy or permanently delete the personal data. An obligation is also imposed on companies to take reasonable steps to ensure that the personal data are accurate, complete, not misleading and kept up to date. More importantly, individuals are given the right to have access to their data kept by companies. The other rights are: to correct the personal data, to withdraw consent, to prevent processing likely to cause damage or distress, and to prevent processing for the purposes of direct marketing.

The PDPA has created several new criminal offences. These include offences for contravening the data protection principles, processing data without a certificate of registration, selling of personal data, etc. It must be noted that the Act allows an officer of a company to be charged severally or jointly with the body corporate. If the body corporate is found to have committed the offence, the officer of the company shall be deemed to have committed the offence unless he can prove that the offence was committed without his knowledge, consent or connivance and that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the crime.

When the enforcement date of the Act is fixed, all organizations in Malaysia are required to comply with the Act within a grace period of three months. This is indisputably too short a time to work towards compliance. Failing to comply with the Act would render these organizations liable to criminal penalties. The Act, however, was passed more than eighteen months ago. How many are aware of the existence of the Act? How many have made efforts to comply with it? To ‘wait and see’ is not a wise approach. Time is running out. The enforcement date will be announced very soon. Would business be as usual?

January 11, 2012

LAWMAKERS WANT MORE PRIVACY ANSWERS FROM FACEBOOK

Reps. Ed Markey, D-Mass., and Joe Barton, R-Tex., lashed out at Facebook for failing to clearly explain how — and why — the social networking giant systematically compiles tracking data on its 800 million members, and millions more non-members. Markey and Barton were left unsatisfied by a six-page explanation they recently received from Erin M. Egan, Facebook’s Chief Privacy Officer.

Read the article: http://gigalaw.com/2012/01/09/lawmakers-want-more-privacy-answers-from-facebook/ (Source: USA Today)

January 5, 2012

SAUDI HACKERS POST PERSONAL INFO ON ISRAELIS

A group of Saudi hackers dubbed Group-XP claimed to have posted the personal information of nearly half a million Israelis online, though credit card companies said the number of compromised records is actually much lower. The hackers said they broke into one of Israel’s top sports Web sites, One.co.il, and redirected visitors to a site where they could download a file containing the personal information of 400,000 Israelis.

Read the article: http://gigalaw.com/2012/01/03/saudi-hackers-post-personal-info-on-israelis/ (Source: PCMag.com)

December 23, 2011

FACEBOOK CHANGES PRIVACY RULES AFTER IRISH PROBE

Facebook agreed to overhaul privacy protection for more than half a billion users outside North America, after a three-month investigation found that its privacy policies were overly complex and lacked transparency. The probe by the Irish Data Protection Commissioner (DPC) at the U.S. group’s international headquarters in Dublin said users were at risk of unknowingly publicizing personal details.

Read the article: http://gigalaw.com/2011/12/21/facebook-changes-privacy-rules-after-irish-probe/ (Source: Reuters)

CHINESE HACKERS BREAK INTO U.S. CHAMBER OF COMMERCE

A group of hackers in China breached the computer defenses of America’s top business-lobbying group and gained access to everything stored on its systems, including information about its three million members, according to several people familiar with the matter. The break-in at the U.S. Chamber of Commerce is one of the boldest known infiltrations in what has become a regular confrontation between U.S. companies and Chinese hackers.

Read the article: http://gigalaw.com/2011/12/21/chinese-hackers-break-into-u-s-chamber-of-commerce/ (Source: The Wall Street Journal)

December 9, 2011

JUDGE SAYS BLOGGER DOESN'T QUALIFY AS JOURNALIST

A U.S. District Court judge in Portland, Ore., ruled that a blogger who wrote about an investment firm that subsequently accused her of defamation must pay the company $2.5 million because she’s a blogger who doesn’t legally qualify as a journalist. Crystal Cox, whose blogs are a mixture of fact, opinion, and commentary, wrote several posts that were critical of Obsidian Finance Group and its co-founder, Kevin Padrick.

Read the article: http://gigalaw.com/2011/12/07/judge-says-blogger-doesnt-qualify-as-journalist/ (Source: CNET News)

December 2, 2011

FACEBOOK SETTLES PRIVACY CHARGES WITH FTC

Facebook has settled charges with the Federal Trade Commission that it deceived users by telling them they could keep their information on Facebook private and then repeatedly making it public, according to the agency. The settlement of an eight-count complaint requires Facebook to warn users about privacy changes and to get their permission before sharing their information more broadly, according to the FTC.

Read the article: http://gigalaw.com/2011/11/29/facebook-settles-privacy-charges-with-ftc/ (Source: Los Angeles Times)

November 24, 2011

DATA PROTECTION LAW IS COMING TO ASIA

By Abu Bakar Munir

Thirty-one years after the adoption of the first international instrument, data protection law is now coming to Asia. Singapore is expected to have a data protection law in 2012 and is currently busy consulting the public. The Philippines Congress very recently wrapped up the debate and tabling of the Bill. Malaysia was the first country in ASEAN to do it, in June 2010, and its Personal Data Protection Act is likely to be enforced in 2012. Two months earlier than Malaysia, the Taiwanese Parliament passed a comprehensive regulation called the Personal Information Protection Act. Korea followed suit and enacted a new Data Protection Act in March 2011. Who's next?

November 18, 2011

PORN COMPANY SUES ICANN OVER .XXX DOMAIN

One of the largest purveyors of pornography on the Web has filed suit to block or overhaul the new dot-xxx suffix on Internet addresses, accusing organizations that assign online addresses of running a monopoly that creates unnecessary costs. The lawsuit was filed by Luxembourg-based Manwin Licensing International SARL, which owns a network of websites including YouPorn.com and manages Playboy Enterprises Inc.’s brand on the Web, along with adult filmmaker Digital Playground Inc.

Read the article: http://gigalaw.com/2011/11/16/porn-company-sues-icann-over-xxx-domain/ (Source: The Wall Street Journal)

November 16, 2011

GERMANY SUSPECTS FACEBOOK OF ILLEGAL TRACKING

Facebook may be tracking the Internet activity of users even after they cancel their accounts, the German data privacy watchdog said. After an investigation of the way cookies are installed after a user opens and then closes a Facebook account, the Hamburg Data Protection agency said on its Web site that it suspected the company was unlawfully tracking subscribers.

Read the article: http://gigalaw.com/2011/11/03/germany-suspects-facebook-of-illegal-tracking/ (Source: The New York Times)

November 4, 2011

PRIVACY LAW PROMPTS KIDS TO LIE, REPORT SAYS

A federal law aimed at protecting the privacy of children under 13 has instead resulted in millions of kids lying about their age — often with their parents’ knowledge — in order to join Facebook, social media guru Danah Boyd says in a new report. Facebook officially bans kids under 13 — a move that Boyd attributes to the Children’s Online Privacy Protection Act, which prohibits publishers from collecting personal information from users 12 and under without their parents’ permission.

Read the article: http://gigalaw.com/2011/11/02/privacy-law-prompts-kids-to-lie-report-says/ (Source: MediaPost)

November 3, 2011

U.K., U.S. REJECT CALLS FOR MORE INTERNET CONTROLS

Britain and the United States rejected calls from China and Russia for greater Internet controls at the opening of a major cyberspace conference, but Western states faced accusations of double standards. Ministers, tech executives and Internet activists are meeting over two days in London to discuss how to tackle security threats and crime on the Internet without stifling economic opportunities or freedom of speech.

Read the article: http://gigalaw.com/2011/11/01/u-k-u-s-reject-calls-for-more-internet-controls/ (Source: Reuters)

August 24, 2011

Apple Sued for Location Privacy in South Korea

Apple has been sued by a group of about 27,000 South Koreans in a class-action lawsuit over alleged privacy violations related to location services on iPhones, iPads and the iPod Touch. The suit, filed in Changwon, South Korea, seeks about 27 billion won, or about $26 million, in damages, which would work out to about $930 for each plaintiff, the Associated Press reports.

Read the article: http://gigalaw.com/2011/08/17/apple-sued-for-location-privacy-in-south-korea/ (Source: Los Angeles Times)

August 11, 2011

‘Anonymous’ Says It Plans to ‘Kill’ Facebook

The Anonymous Internet hacking group is planning to “kill” Facebook and has announced the date it will attempt to do so, in a statement gaining prominence. In a YouTube video, the hacking group warns, “Your medium of communication you all so dearly adore will be destroyed.”

Read the article: http://gigalaw.com/2011/08/09/anonymous-says-it-plans-to-kill-facebook/ (Source: Fox News)

August 10, 2011

Teen Problems Linked to Excessive Tech Use

Facebook is great for reconnecting with old friends from high school and college. But for those still in school, the popular networking site could do more harm than good. That’s according to Larry Rosen, a psychologist at Cal State Dominguez Hills who’s been studying the effect of technology on people for more than 25 years.

Read the article: http://gigalaw.com/2011/08/08/teen-problems-linked-to-excessive-tech-use/ (Source: Los Angeles Times)

June 23, 2011

European Study Finds Faults with Minors’ Privacy Online

The European Commission, which is still finding its way in regulating the Internet, published a study on how social networking sites treat minors. The most compelling result it found: Only Bebo and Myspace (which is owned by News Corp., publisher of this blog) “have default settings to make minors’ profiles accessible only to their approved list of contacts.”

Read the article: http://gigalaw.com/2011/06/21/european-study-finds-faults-with-minors-privacy-online/ (Source: The Wall Street Journal)


June 3, 2011

PENTAGON SAYS COMPUTER SABOTAGE EQUALS ACT OF WAR

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country’s military.


May 31, 2011

IS SONY SORRY?

By Abu Bakar Munir

Following the attack, Sony’s CEO apologized to millions of PlayStation Network and Qriocity users. In the letter posted on the PlayStation blog, Howard Stringer states, “I know this has been a frustrating time for all of you… Let me assure you that the resources of this company have been focused on investigating the entire nature and impact of the cyber-attack we’ve all experienced and on fixing it. We are absolutely dedicated to restoring full and safe services as soon as possible and rewarding you for your patience. We will settle for nothing less… As a company we – and I – apologize for the inconvenience and concern caused by this attack.”

Sony was criticized for several reasons, among them (1) the delay between discovering the problem and notifying customers, (2) the lack of meaningful updates as to when service would be restored, and (3) the seeming confusion over exactly what information had or had not been stolen. On the first issue, Sony’s CEO responded by saying, “This was an unprecedented situation. Most of these breaches go unreported by companies. Forty-three percent notify victims within a month. We reported in a week. You’re telling me my week wasn’t fast enough?”

What were the reactions of privacy advocates and security professionals? A senior technology consultant at Sophos said that the breach “certainly ranks as one of the biggest data losses ever to affect individuals”. The Australian Privacy Minister, Brendan O’Connor, said he was “very concerned” about the theft of personal information and expressed disappointment that Sony took “several days” to give notice of the breach. He further stated that this meant a mandatory “data breach notification” system now “appears necessary”.

Similarly, the Canadian Privacy Commissioner said, “I was very disappointed that Sony did not pro-actively notify my office of the breach”. The British Information Commissioner’s Office stated that Sony would be questioned, and that an investigation would take place to discover whether Sony had taken adequate precautions to protect customer details. US Senator Richard Blumenthal of Connecticut demanded answers from Sony about the data breach. Sony had been asked to testify before a congressional hearing on May 2, 2011, but sent a letter instead.