December 29, 2009


By Eric Sylvers

MILAN — Lawyers for Google rested their case in defense of four executives charged in Italy with failing to comply with privacy laws, telling a judge that the company has a mechanism in place to rapidly remove objectionable video from its site. The attorneys, Giuliano Pisapia and Giuseppe Vaciago, said that Google removed a video showing high school students bullying an autistic classmate just hours after it learned it had been posted.

Italian prosecutors had argued at a hearing last month that Google, based in Mountain View, California, was negligent because the video remained on Google’s Italian-language video service for two months in 2006. Google did not dispute that in court. Mr. Pisapia and Mr. Vaciago argued that the company should not be held liable for not having known earlier that the video was on its site.

The attorneys said user complaints about a video are routed to a Google employee in Ireland who speaks Italian; the employee views the video and has the power to remove it if necessary. The hearing came during a controversy over the role played by Web sites in the attack that left Prime Minister Silvio Berlusconi with a broken nose and teeth this month. On Wednesday, the Italian interior minister, Roberto Maroni, said the country had dropped plans to seek out and close Web sites that were said to incite violence.

Last month, the Milan prosecutors asked for a one-year sentence for three current or former Google executives — David Drummond, senior vice president and chief legal officer; Peter Fleischer, global privacy counsel; and George Reyes, a former chief financial officer. Prosecutors are seeking a six-month sentence for Arvind Desikan, now head of consumer marketing for Google in Britain.

None of the four executives named in the case had any direct involvement with the video. If found guilty, none would serve time in jail, because sentences of under three years are commuted in Italy for those without a criminal record. The prosecutors will respond to Google’s defense on Jan. 27. If only limited new material is presented, a ruling could come that day or soon after.


By Abu Bakar Munir

At the conclusion of the 31st International Conference of Data Protection and Privacy Commissioners in Madrid on 6 November 2009, over 50 countries adopted and approved the “Madrid Resolution” on international privacy standards. The Madrid Resolution brings together the multiple approaches possible in the protection of this right, integrating legislation from all five continents.

The approved resolution includes a series of principles, rights and obligations that any privacy protection legal system must strive to achieve. One of the most relevant chapters of the document is the one that refers to proactive measures, whereby States are encouraged to promote better compliance with the laws applicable to data protection matters, and to establish authorities to guarantee and supervise the rights of citizens.

A group of 10 large companies (Oracle, Walt Disney, Accenture, Microsoft, Google, Intel, Procter & Gamble, General Electric, IBM and Hewlett-Packard) has signed a declaration in which they proudly welcome the initiative from the 31st International Conference for exploring frameworks to achieve an improved global coordination of the different privacy policies. In this declaration, the signing companies encourage Data Protection and Privacy Authorities to continue insisting and collaborating in the development of transparent systems that will allow the taking on of responsibilities and that will provide accurate information to the citizen, granting him/her the power to decide.

According to the Director of the Spanish Data Protection Agency (AEPD), Artemi Rallo, these standards are a proposal of international minimums, which include a set of principles and rights that will allow the achievement of a greater degree of international consensus and that will serve as a reference for those countries that do not have a legal and institutional structure for data protection. Even though the approved resolution is not directly binding at an international level, Artemi Rallo has pointed out that this document will have “immediate value” as a reference tool and, moreover, as a starting point for those countries that still lack legislation on the matter, and for the corporate world and international companies. He said that the Madrid Resolution will thus become a “soft law” tool, widely demanded mainly by international companies, in order to respect the minimum privacy needs of citizens worldwide.

At present, there are already several international instruments (binding and non-binding) which set up privacy standards to be observed by countries and companies around the world. They are the OECD Guidelines 1980, the Council of Europe Convention 1981, the EU Data Protection Directive 1995, the EU E-Privacy Directive 2002, and the APEC Privacy Framework 2004. It is generally agreed that the EU Data Protection Directive has set a very high privacy standard. Arguably, the APEC Privacy Framework provides the weakest standard of all the instruments. Where does the Madrid Resolution stand? Is it a step towards a universally binding privacy treaty?

The Madrid Resolution is available HERE.

December 27, 2009


BEIJING (Reuters) - China has issued new Internet regulations, including what appears to be an effort to create a "whitelist" of approved websites that could potentially place much of the Internet off-limits to Chinese readers. The Ministry of Industry and Information Technology ordered domain management institutions and internet service providers to tighten control over domain name registration, in a three-phase plan laid out on its website late on Sunday. "Domain names that have not registered will not be resolved or transferred," MIIT said, in an action plan to "further deepen" an ongoing anti-pornography campaign that has resulted in significant tightening of Chinese Internet controls.

Only allowing Chinese viewers to access sites registered on a whitelist would give Chinese authorities much greater control, but would also block millions of completely innocuous sites. The rules did not specify whether the new measure applies to overseas websites, but local media reported the risk that foreign sites that have not registered could also be blocked. "If some legal foreign websites could not be accessed because they haven't registered with MIIT, it would be a pity for the Internet which is meant to connect the whole world," the Beijing News said on Tuesday.

Chinese Internet controls currently follow a blacklist strategy, whereby censors block sensitive sites as soon as they discover them. Earlier this summer, MIIT tried to require that all new Chinese computers be shipped with the Green Dam filter software, but partially backed off after an international outcry.


The anti-pornography drive since this summer has also netted many sites with politically sensitive or even simply user-generated content, in what many see as an effort by the Chinese government to reassert control over new media and its potential for citizens sharing information and organizing. "One interpretation is that all foreign websites would need to register in order not to be blocked in China," said Rebecca MacKinnon of the Journalism and Media Studies Center at the University of Hong Kong. "These are the folks who brought us Green Dam so anything is possible. They are people with a track record of emitting unreasonable schemes."

The registration requirements could constitute a barrier to trade, if Chinese citizens are prevented from accessing legitimate overseas businesses, added MacKinnon. China banned a number of popular websites and Internet services in 2009, including Google's YouTube, Twitter, Flickr and Facebook, as well as Chinese content sharing sites, including sites popular for music and film downloads.

Angry Chinese Twitter users flooded a Twitter look-alike service launched by the official People's Daily on Tuesday, causing it to be immediately shut down. Many virtual private network, or VPN, services used to get around Web restrictions have also become harder to use from China, while 20 million people living in the frontier region of Xinjiang have been cut off from the Internet and international telephone services since deadly ethnic riots in July.

"What usually happens when suddenly compiled rules appear without warning is that they are rarely enforced. My gut reaction is that this is yet another of those cases," said Beijing-based technology commentator Kaiser Kuo.

December 22, 2009


PARIS (Reuters) - A Paris court on Friday found U.S. Internet giant Google guilty of violating copyright by digitizing books and putting extracts online, following a legal challenge by major French publishers. The court ruled against Google's French unit after the La Martiniere group, which controls the highbrow Editions du Seuil publishing house, argued that publishers and authors were losing out in the latest stage of the digital revolution.

Google was ordered to pay 300,000 euros ($431,700) in damages and interest, far less than the 15 million euro fine sought by plaintiffs. It must stop reproducing any copyrighted material by French publishers it has not struck deals with. The popular search engine announced it would appeal, but Friday's ruling will be enforced immediately pending any further court action. "We believe giving online users access to very short extracts from works is in line with copyright," Google lawyer Benjamin du Chauffaut said. "French online users will be the only ones deprived of a great part of their literary heritage."

Shares in Google were up 2.24 percent at $596.19 by 11:15 a.m. EST (1615 GMT). An executive said they would need to study the ruling before being able to comment on the business impact. La Martiniere, the French Publishers' Association and authors' group SGDL had argued that Google was exploiting that heritage, and called scanning an act of reproduction. "Even if we can't undo the process of digitalization, this means they cannot use any of the digitized material any more," Yann Colin, lawyer for La Martiniere, told Reuters.


The publishing houses accused Google of scanning the books free of charge, letting users browse the content for free, reaping revenues from advertisers but not adequately compensating the creators and original publishers of the works. Philippe Colombet, head of partnerships for Google Books in France, could not give details on how many books might be affected, though he pointed out in a conference call that French was one of the most widely used languages on the Internet. "More than ever, we're determined to collaborate with editors in all commercial areas," he said.

As electronic readers gain popularity and online libraries expand, companies and governments are keen to learn from the mistakes that the film and music businesses made when their content moved online.

French politicians including President Nicolas Sarkozy have been particularly vocal, pushing for a broader public digitization program that would be partly funded through a big national loan. Google has so far scanned 10 million books through partnerships with libraries. It displays searchable snippets of books in copyright and whole texts of out-of-copyright works. "Google Books gives access to a greater number of works and therefore contributes to marketing," lawyer du Chauffaut said.

The project has been praised for breathing new life into out-of-print works but has attracted more than one lawsuit for scanning books without permission from rights holders. Google recently reached a settlement in the United States after lengthy negotiations with authors and publishers led by the U.S. Authors Guild who had sued it. The settlement, which includes measures to track down and compensate authors, covers books published in North America, Britain and Australia, and any books registered with the U.S. Copyright Office. It has yet to be approved by a U.S. court.

December 19, 2009



In a complaint filed with the Federal Trade Commission on Thursday, a privacy organization is charging that Facebook’s recent changes to its privacy policies constitute “unfair and deceptive trade practices.”

The Electronic Privacy Information Center, or E.P.I.C., says that Facebook’s recent changes “violate user expectations, diminish user privacy, and contradict Facebook’s own representations.”

I wrote about those changes last week. The most controversial among them is that a Facebook user’s photo, gender, geographic region, the pages they are a fan of and their lists of friends are now open and available to the entire Web public. Facebook made these changes partly to make individual users more findable among the massive haystack of 350 million users.

Ten other privacy organizations signed the complaint, including the Privacy Rights Clearinghouse, the American Library Association and the Consumer Federation of America. The Office of the Privacy Commissioner in Canada has also been looking into Facebook’s privacy guidelines.

Among other charges, the complaint alleges that a person’s list of friends constitutes highly sensitive information. It can, for example, reveal a person’s sexual preference, or expose their loved ones to persecution by hostile governments, the complaint says.

E.P.I.C. is asking the commission to investigate the company and force it to give users more control over their privacy. It previously had success in complaining to the F.T.C. about the data broker Choicepoint, which resulted in a $15 million fine.

Facebook said in response that it was “disappointed” that E.P.I.C. had chosen to share its concerns with the commission without talking to Facebook directly. A Facebook spokesman, Barry Schnitt, sent this statement:

Facebook’s plan to provide users control over their privacy and how they share content is unprecedented in the Internet age. We have gone to great lengths to inform users about our platform changes, beginning with our July announcement; founder Mark Zuckerberg’s open letter to our 350 million users; our robust press and analyst outreach; the notice-and-comment framework for our new privacy policy; and simple customization tools for users.

We’re pleased that so many users have already gone through the process of reviewing and updating their privacy settings and are impressed that so many have chosen to customize their settings, demonstrating the effectiveness of Facebook’s user empowerment and transparency efforts. Of course, the new tools offer users the opportunity to decide on privacy with every photo, link or status update they wish to post, so the process of personalizing privacy on Facebook will continue.

We discussed the privacy program with many regulators, including the F.T.C., prior to launch and expect to continue to work with them in the future.

December 15, 2009


In the latest collision of cyberspace and justice, Florida's Judicial Ethics Advisory Committee has ruled that it is unseemly for judges to be Internet "friends" with lawyers who could have cases in their court. "The committee believes that listing lawyers who may appear before the judge as 'friends' on a judge's social networking page reasonably conveys to others the impression that these lawyer 'friends' are in a special position to influence the judge," it wrote in an opinion.
Read the article: Palm Beach Post


The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace. American and Russian officials have different interpretations of the talks so far, but the mere fact that the United States is participating represents a significant policy shift after years of rejecting Russia's overtures.
Read the article: The New York Times

December 14, 2009


By Abu Bakar Munir

Much of the debate on cyber war is happening behind closed doors. However, recently at the ITU’s Telecom World 2009 in October, the UN telecommunication agency chief openly reminded the international community that the next world war could take place in cyberspace. He said, “The next world war could happen in cyberspace and that would be a catastrophe. We have to make sure that all countries understand that in that war, there is no such thing as a superpower. Loss of vital networks would quickly cripple any nation, and none is immune to cyberattack”.

Cyber warfare poses new challenges in the field of cyber security. A large majority of identified cyber attacks have been the work of individuals acting alone or in groups, independently or possibly on behalf of a government or intelligence service, or of industrial or private economic interest groups. The United Nations Institute of Research and Training (UNITAR) asserts that not only will cyber-war be a force in future warfare, it may also turn out to be the great equalizer for nations attacking adversaries with superior conventional military power. Most nations lack the resources to build a military machine and may use information technologies to overcome their battlefield inferiority.

Gadi Evron, a cyber-crime expert and a recognized leader in Internet security, commented that to most critics, and particularly state officials and policy makers, the possibility that the Internet could one day suddenly disappear is no more than mere speculation, a highly improbable concept. He argues that the events that took place in Estonia proved everyone wrong and that Estonia fell victim to the first ever real Internet war.

Estonia and Georgia were attacked in 2007 and 2008 respectively. Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. Some believe that such efforts exceed the skills of individual activists or even organized crime, as they require the co-operation of a state and a large telecom company. As stated by the European Security and Defence Assembly, “These events triggered renewed public interest in an area that hitherto had been the preserve of specialists, both civil and military. The once hypothetical possibility of a cyber assault or even cyber warfare against individual countries is now a reality.” The attack on Estonia is a conflict frequently referred to as “Cyber War 1”. The second war is, perhaps, the attack on Georgia. Who will be next?

Estonia is a member of both NATO and the European Union. This raises the question of whether, if a member state of two of the most powerful organizations in the world can suffer an attack of this kind, all other states might in future fall victim to similar actions on various scales. Many countries of the world have realised the importance of cyber security. They recognised that what happened in Estonia could take place in other countries. The 2008 U.K. Cabinet Office report states that no state threatens the United Kingdom directly. However, according to the report, “the overall international security landscape has become more complex and unpredictable, and although the probability remains very low, over the longer term we cannot rule out a possible re-emergence of a major state-led threat to the United Kingdom. That could come about through…or other forms of threats which render distance irrelevant, for example state-sponsored cyber-attack”.

The United States viewed the attacks on the Twin Towers in 2001 as an act of war, launched the global war against terrorism and invaded Iraq and Afghanistan. Should cyber attacks be treated as acts of war? Do the cyber attacks against Estonia and Georgia constitute a “use of force” and an “armed attack” under the United Nations Charter? If it can be established and proved that the attacks on Estonia and Georgia received support from the Russian Government, would this give those countries the right of self-defense under the Charter? Or should the international community view the attacks as mere criminal acts for the criminal justice system to address?

December 12, 2009


SAN FRANCISCO (AFP) – Privacy advocates slammed revamped Facebook privacy controls on Thursday, saying the change masks a move to get members to expose more information online. "These new privacy changes aren't so great for privacy," said Nicole Ozer, northern California technology and civil liberties policy director for the American Civil Liberties Union (ACLU) rights group. "It's great that 350 million people are being asked to think about privacy, but if what Facebook says is true about giving people more control over their information, they have a lot more work to do."

Online rights organization Electronic Frontier Foundation (EFF) labeled aspects of Facebook's privacy change "downright ugly." The world's leading online social network fired back, saying its critics are wrong and that time will prove that Facebook is taking "a giant step forward."

The controversy came a day after Facebook began requiring users to refine settings with a new software tool that lets them specify who gets to be privy to each piece of content uploaded to the website. While the Facebook privacy overhaul has laudable features, there is a push to get the online community's members to expose information, according to EFF. "Facebook's new changes are obviously intended to get people to open up even more of their Facebook data to the public," EFF lawyer Kevin Bankston said in a blog post. "The Facebook privacy transition tool is clearly designed to push users to share much more of their Facebook info with everyone, a worrisome development that will likely cause a major shift in privacy level for most of Facebook's users, whether intentionally or inadvertently."

Prior to the change, Facebook users could keep everything but their names and networks private. A newly created "public" category at Facebook now includes names, profile pictures, home cities, pages users have joined as "fans," gender and friend lists. "There is a whole lot more information that users have no ability to keep private," Ozer noted.

Software that walks people through modifying privacy settings recommends making more personal information public and doesn't allow stricter settings than were previously in place, according to the ACLU. "If users aren't careful, the transition tool will transition them to less privacy," Ozer said.

The privacy change doesn't address the ability of third-party applications installed in Facebook profiles to mine data from the social network, according to the ACLU. "Facebook's system now is if I am friends with you, I am friends with all the stupid apps you run too," Ozer said. "Even if your friend takes a quiz, they could be giving away your personal information." Names, profile pictures and claimed home cities are public, so people can find friends, colleagues, and other acquaintances they want to connect with in the online community, according to Facebook. Users are not required to provide profile photos or specify the town where they live. "It is not that big of a change," said Facebook director of global communications Barry Schnitt. "The vast majority of users have already made this information available to everyone."

More than 20 million Facebook members used the new privacy tool Wednesday night and more than half selected their own settings instead of relying on automated recommendations, according to Schnitt. "This data shows that privacy advocates are wrong and that users are much smarter in paying attention to privacy than advocates think," he said. "The process is more transparent and transformative than they give us credit for. When they see how many people around the world have made choices about privacy this will be hailed as a giant step forward."

Facebook said its privacy settings let members avoid being listed in Internet search engines or receiving unsolicited messages. "People come to Facebook to connect and share, not to hide," Schnitt said. "When users find their friends or are found by friends, they get a much better experience and that is what they want."

December 11, 2009


Facebook has revamped and simplified its privacy controls.

Users of the social networking website can now designate content they post as being viewable to just friends, or friends of their friends, or everyone. "We're adding something that many of you have asked for — the ability to control who sees each individual piece of content you create or upload," Facebook chief exec Mark Zuckerberg explained in an open letter to Facebook users.

Michael Richter, Facebook’s deputy general counsel for intellectual property, product, and regulatory affairs, explained the decision at the Official Facebook Blog, saying, "While a lot of people participated, the total number of people commenting did not reach the threshold of 7,000 that makes a vote necessary according to our Statement of Rights and Responsibilities. Because of this — and the fact that many of the comments were positive — we’ve decided to adopt the revised policy."

December 10, 2009


My new book, Information and Communication Technology Law: State, Internet and Information, published by Sweet & Maxwell Asia, is already out. This book critically introduces and discusses the legal and regulatory challenges faced by the state and society in relation to the Internet and information. It also deals with how ICT can be utilized to deliver justice more efficiently. Among the chapters are: Information: Oxygen for Democracy; Sunshine is the Best of Disinfectants; Right to Information: Foundational and Fundamental; Freedom of Information: The Case for Malaysia. Other topics examined include phishing, cyber warfare, cyber crime and cyberporn, social networking sites, e-Justice, e-commerce, the conflict between Google and the EU Working Party, DNA law and account aggregation.


LONDON (Reuters) - Britain is to make online safety lessons for children over 5 compulsory under a new scheme which aims to echo road safety campaigns of the past.

The lessons are part of a "Click Clever Click Safe" strategy which will produce guidelines for government, industry and charities on how to protect children using the web. "The internet provides our children with a world of entertainment, opportunity and knowledge -- a world literally at their fingertips," said Prime Minister Gordon Brown. "But we must ensure that the virtual world is as safe for them as this one. We hope that 'zip it, block it, flag it' will become as familiar to this generation as 'stop, look, listen' did to the last." The government says that 99 percent of British children aged 8 to 17 now have access to the internet. However, research has shown that 18 percent of young people had come across "harmful or inappropriate" content online, and 33 percent of children said their parents were unaware of their web activities.

The new plans, drawn up by the UK Council for Child Internet Safety (UKCCIS), which is made up of over 140 organizations including Google, Microsoft and Bebo, would make online safety lessons compulsory for those over 5 from September 2011. Brown said the aim was to make the advice as well-known as the "green cross code", which was designed in the 1970s to give children information about road safety. Professor Tanya Byron, whose report last year formed the basis for the plans, said failing to tell children about online risks made them more vulnerable. "This is the first time in the world any country has a national strategy for child internet safety," she told Sky News.

(Reporting by Michael Holden; Editing by Steve Addison)

December 9, 2009


SYDNEY (Reuters) - Teenagers who are addicted to the Internet are more likely to engage in self-harm behavior, according to an Australian-Chinese study.

Researchers surveyed 1,618 adolescents aged 13 to 18 from China's Guangdong Province about behavior such as hitting themselves, pulling their own hair, or pinching or burning themselves, and gave them a test to gauge Internet addiction. Internet addiction has been classified as a mental health problem since the mid-1990s with symptoms similar to other addictions. The test found that about 10 percent of the students surveyed were moderately addicted to the Internet, while less than one percent were severely addicted. The students ranked as moderately addicted to the Internet were 2.4 times more likely to have self-injured one to five times in the past 6 months than students without an addiction, said Dr. Lawrence Lam from the University of Notre Dame Australia.

The moderately-to-severely addicted students were almost five times more likely than non-addicted students to have self-injured six or more times in the past 6 months, Lam and his colleagues from Guangzhou's Sun Yat-Sen University reported. "In recent years, with the greater availability of the Internet in most Asian countries, Internet addiction has become an increasing mental problem among adolescents," the researchers said in their study published in the journal Injury Prevention. "Many studies have reported associations between Internet addiction, psychiatric symptoms and depression among adolescents."

They said their results suggested a "strong and significant" association between Internet addiction and self-injury in adolescence even after accounting for other variables previously associated with the behavior, including depression, family dissatisfaction, or stressful life events. They said this suggested that Internet addiction is an independent risk factor for self-injurious behavior. Experts interpret Internet addiction, among other things, as feelings of depression, nervousness, moodiness when not online, which only go away when the addict gets back online. Fantasizing or being preoccupied about being online are other signs of Internet addiction. "All these behaviors may be rooted in some common ... factors that require further exploration," they said.

(Reporting by Laura Buchholz of Reuters Health, Editing by Belinda Goldsmith and Miral Fahmy)

December 8, 2009


By Abu Bakar Munir

The European Union has established a comprehensive legislative privacy framework to protect individuals’ personal data. The regime applies to a wide range of data held by both public and private entities. Privacy is recognized as a fundamental human right by various legal instruments, including the Universal Declaration of Human Rights 1948 and the European Convention on Human Rights (ECHR) 1950. Based on the fundamental right of privacy guaranteed by Article 8 of the ECHR, the EU Commission started working on data protection legislation in the late 1980s. In 1995, the EU enacted Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (the Data Protection Directive, DPD). Various national and international normative instruments based on a set of conditions or principles were incorporated into the Directive.

The Directive comprises 34 articles and its provisions cover data quality, special categories of processing, the rights of data subjects, confidentiality, security, liability and sanctions, codes of conduct and supervisory authorities. Article 1 sets out the objective of the Directive, which is to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data. Article 32 requires all Member States to bring into force the laws, regulations and administrative provisions necessary to comply with the Directive. All the EU countries have adopted legislation for this purpose.

The European Union supplemented its 1995 DPD with the 1997 Telecommunications Privacy Directive (TPD). Article 5 of the TPD protects the confidentiality of communications and prohibits listening, tapping and storage of communications. It states that all Member States shall ensure via national regulations the confidentiality of communications by means of a public telecommunications network and publicly available telecommunications services. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications. The TPD prescribes that all traffic data shall be erased or deleted once they are no longer needed for the purpose of transmitting a communication. Such data may be further retained where necessary for billing purposes, but only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

The events of September 11, 2001 changed the legal and political landscape not only in the U.S. but also in Europe and elsewhere. On September 20, at a specially convened meeting, the EU’s Justice and Home Affairs Council adopted a series of ‘Conclusions’ requesting the Commission to submit proposals “for ensuring that the law enforcement authorities are able to investigate criminal acts involving the use of electronic communications systems and to take legal measures against the perpetrators”. The Conclusions included requiring service providers to retain traffic data and giving law enforcement authorities access to it.

The 1997 TPD was later replaced by the 2002 Directive on Privacy and Electronic Communications (Directive 2002/58/EC, the EPD). Article 15(1) of the EPD provides that Member States may adopt legislative measures restricting the confidentiality and traffic-data obligations described above “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system”. The Directive thus explicitly allows EU countries to provide for the retention of communications data. It must be noted, however, that under the EPD such retention is only optional: a Member State may require it, but need not.

After the terrorist attacks in Madrid in March 2004 and in London in July 2005, the EU saw the need for a framework harmonising the obligation to retain communications data. On March 15, 2006, the European Parliament and the Council of the European Union adopted the Data Retention Directive (DRD, Directive 2006/24/EC). The Directive requires Member States to pass laws compelling each provider of publicly available electronic communications services to retain communications data (traffic and location data) for a minimum of six months and a maximum of 24 months. Data retention thus moved from voluntary to mandatory.

The DRD requires telecoms and Internet providers to retain communications data and make it available to the authorities for the purposes of the investigation, detection and prosecution of serious crime. The DRD lists the types of data to be retained and specifies the retention period. It faced protests from Members of the European Parliament (MEPs), resistance from industry and criticism from the Article 29 Data Protection Working Party and many other organizations. It was passed with 378 votes in favour, 197 against and 30 abstentions, a majority of 181. The European telecoms and ISP industry association issued a press release on the day the DRD was passed, stating: “This Directive will impose a significant burden on the European e-communications industry, impacting on its competitiveness. Beyond their economic consequences, the far-reaching data retentions may also undermine Europeans’ confidence in the new technologies and thus slow down further the ICT take-up, putting at risk Europe’s ICT sector competitiveness and hence the success of the Commission’s 2010 initiative.”

Meanwhile, the Data Protection Working Party stated that the decision to retain communications data for the purpose of combating serious crime is unprecedented and of historical dimension. Most importantly, the Working Party took the view that retention encroaches on the daily life of every citizen and may endanger the fundamental values and freedoms that all European citizens enjoy and cherish. More fundamentally, Privacy International argues that the indiscriminate collection of traffic data offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct surveillance, so that they can regulate their behaviour to avoid unwanted intrusions. Moreover, the data retention requirement is so extensive as to be out of all proportion to the law enforcement objectives served.

In the U.K., in the debate on the Data Retention (EC Directive) Regulations implementing the DRD, Lord West of Spithead (Parliamentary Under-Secretary for Security and Counter-terrorism) acknowledged the benefits that law enforcement derives from retained communications data, arguing that the Directive as implemented in the U.K. had already saved many innocent lives. However, as the Earl of Northesk argued, the problem lies in the fact that this is a “mandatory whole-of-population” scheme: detailed whole-of-life profiles of every single citizen of a Member State are made available to their respective governments.



December 7, 2009


By Abu Bakar Munir & Siti Hajar Mohd. Yasin

Social networking sites (SNSs) are one of the most remarkable technological phenomena of the 21st century. If MySpace alone were a country and each of its profiles a person, it would be the 12th most populous nation in the world. Socialising in cyberspace through SNSs has become a culture, especially among the young.

SNSs bring benefits to the world and its populations. They allow and facilitate relationship building and identity exploration. They encourage creativity, the development of the arts, information sharing, education and grassroots advocacy. Communication is easy on SNSs: users can connect with groups of friends, colleagues and relatives at the click of a button. Users identify their beliefs, interests and hobbies on their profiles, and express and share their creativity by uploading and discussing their writing, films, visual art and so on.

SNSs, however, have also been linked, directly or indirectly, to many issues and problems. In the US, Lori Drew was charged in the Central District of California with violating the Computer Fraud and Abuse Act (CFAA). The allegation was that the defendant created a MySpace account under the name “Josh Evans” and, through that account, communicated with and developed an online relationship with Megan Meier, a 13-year-old girl. At some point “Josh Evans” said hurtful things to Miss Meier and, tragically, she took her own life. On 26 November 2008 a federal jury convicted Lori Drew of misdemeanour unauthorized computer access under the CFAA for violating the MySpace terms of service (the trial judge later set the verdict aside on a post-trial motion for acquittal in 2009). MySpace was not a defendant in the action. It is, however, part of the problem.

In January 2008, the U.S. Federal Trade Commission (FTC) charged the operator of an SNS specifically targeting kids and “tweens” with violating the Children’s Online Privacy Protection Act (COPPA). COPPA regulates the collection, use and disclosure of personally identifiable information from and about children on the Internet. The most popular SNS in Brazil, Orkut, is said to have become a paradise for pedophiles: according to SaferNet Brazil, the number of new reports involving Orkut profiles and communities with child sexual abuse content has grown dramatically since June 2005.

Some initiatives have been, or are being, taken to address the issue. In March 2008 the International Working Group on Data Protection in Telecommunications issued a Report and Guidance on Privacy in Social Network Services (the “Rome Memorandum”). According to the Working Group, while it is possible to identify some risks associated with the provision and use of social network services, it is very likely that we are at present looking only at the tip of the iceberg.

Meanwhile, the U.K. Office of Communications (OFCOM) lists several areas of potentially risky behaviour by SNS members: (1) giving out sensitive personal information, photographs and other content; (2) posting content (especially photos) that could be reputationally damaging; and (3) contacting people they did not know (or did not know well) online, and accepting people they did not know as ‘friends’.

Mainly, too much and too detailed information about SNS users has been posted online. Having too many “friends” is risky, as some of those ‘friends’ are less than friendly, or very unfriendly. According to the U.K. Home Office, “Most children and young people use the Internet positively but sometimes behave in ways that may place them at risk. Some of these actions to them may be harmless but could expose them to potential harm”.

It is no exaggeration to argue that it is more difficult to protect children online than offline today. The European Union has been very active in efforts to protect children online. It introduced the Safer Internet Action Plan (SIAP), which ran from 1999 to 2004 with a total budget of 38.3 million euros; thirty-seven projects were co-funded in the first four years of the SIAP. In 2005, as a continuation of the SIAP, the Safer Internet plus Programme (2005-2008) was introduced. Its aims were to promote safer use of the Internet and new online technologies, particularly for children, and to fight illegal content and content unwanted by the end-user.

Following the success of the SIAP and the Safer Internet plus Programme, on 9 December 2008 the Council of Ministers adopted the new Safer Internet Programme (SIP) for 2009-2013, with a budget of 55 million euros. The focus is on practical help for end-users, particularly children, parents, carers and educators. The SIP seeks to involve and bring together the different stakeholders, including content providers, Internet service providers, mobile network operators, regulators, industry self-regulatory bodies, educators, families and many more.

Apart from these inter-governmental initiatives, many tips, guidance and recommendations have been issued by various entities and organizations. The International Working Group on Data Protection in Telecommunications has issued guidance and recommendations to regulators as well as to providers and users of social network services. The Working Group recommends that regulators consider: (1) introducing the option of a right to pseudonymous use; (2) ensuring that service providers are honest and clear about what information is required for the basic service, so that users can make an informed choice; (3) introducing an obligation of data breach notification for social network services; (4) re-thinking the current regulatory framework with respect to controllership; and (5) improving the integration of privacy issues into the educational system.

The Working Group urges social network service providers to recognise their vital interest in preserving the security and privacy of their users’ personal data. Its recommendations to service providers are: (1) transparent and open information for users; (2) the creation and use of pseudonymous profiles as an option; (3) living up to promises made to users; (4) improved user control over the use of profile data; (5) appropriate complaint-handling mechanisms; (6) improving and maintaining the security of information systems; (7) devising and/or further improving measures against illegal activities such as spamming and ID theft; and (8) encrypted connections for maintaining user profiles.

The U.S. National Cyber Alert System (US-CERT) has issued general, simple and practical tips to protect children and young people socialising through SNSs. First, limit the amount of personal information posted online: do not post information that would make children vulnerable (e.g. their address, or information about their schedule or routine). Second, remember that the Internet is a public resource: only post information that children are comfortable with anyone seeing. Third, be wary of strangers: the Internet makes it easy for people to misrepresent their identities and motives, so consider limiting the people who are allowed to be in contact with children. Fourth, be sceptical: do not believe everything written online. People may post false or misleading information about various topics, including their own identities; this is not necessarily done with malicious intent, and may be unintentional, a product of exaggeration, or a joke.

The FTC has issued Safety Tips for Social Networking Online. One of its tips for parents is to keep the computer in an open area, such as the kitchen or family room, so that parents can keep an eye on where their kids go online and what they do there.

The U.K. Home Office offers significantly more elaborate and comprehensive recommendations on good practice for service providers, as well as safety tips for parents, carers, children and young people. Among other things, the Home Office recommends that service providers should: (1) make safety information for users, parents and carers prominent, easily accessible and clear; (2) offer links to relevant online resources that provide users with additional information about online safety and security; (3) be particularly sensitive to the context in which younger users’ sites are presented and avoid inappropriate juxtaposition; (4) provide clear information about how details collected at registration will be used; (5) meet their obligations in respect of the amount of personal information collected from minors at registration, including informed consent; (6) consider emphasising, in accessible and easily understood language, ‘what behaviour is and is not acceptable on the service’; (7) where possible and appropriate, request and validate personal information from users; and (8) warn users about uploading photos to their profile.

To children and young people, the Home Office advises, among other things: (1) take particular care to ‘think before you post’, so as not to compromise privacy or safety; (2) think about who you want to see your personal information before setting up your profile; and (3) do not post images of yourself posing in a sexual or provocative way.

In conclusion, social networking sites bring tremendous benefits and opportunities. Admittedly, however, they have contributed to the problems of many teenagers across the globe. Sharing too much information, and with too many ‘friends’, is risky. Much has been done in the US and Europe to protect children online, but not in many other countries. Protecting children is protecting our future.

December 5, 2009


By Abu Bakar Munir and Siti Hajar Mohd. Yasin

Three weeks ago, on 18 November 2009, the Credit Reference Agencies Bill (CRAB) was tabled in the Malaysian Parliament for its first reading. According to its explanatory statement, the proposed law provides for the registration and regulation of persons carrying on a credit reporting business that involves the processing of credit information. The Malaysian Bar, in its response, states: “The long-standing issue of people being wrongly blacklisted by banks due to inaccurate information given by credit reporting agencies, such as Credit Tip Off Services Sdn. Bhd. (CTOS), is finally being addressed”.

While the effort to introduce the law is commendable, the law is, in our opinion, a mess. The CRAB is modelled on the New Zealand Credit Reporting Privacy Code 2004, issued under the Privacy Act 1993. Some provisions of the CRAB are taken directly from the New Zealand Code (NZC), with or without modification.

The CRAB’s definition of credit information is taken from the NZC, but with a longer list of information that includes information about businesses and companies. This means that a credit reference agency can collect information about companies and sell it to credit providers. We believe the definition is overly prescriptive; sensibly, the definition adopted should be open and principles-based. We submit that a better definition would be something like: “Credit information means any information that is being or has been prepared by a credit reporting agency that has any bearing on an individual’s eligibility to be provided with credit or capacity to repay credit and is used, has been used, or has the capacity to be used for the purpose of serving as a factor of an individual’s eligibility for credit” (see Veda Advantage, submission to the Australian Law Reform Commission, Issues Paper 32, Credit Reporting, March 2007).

Clause 22 of the CRAB sets out some basic principles on the collection of credit information. Subsection (1) provides that no credit reference agency shall collect any credit information about a customer unless: (1) it is collected for a specific and lawful purpose directly related to an activity of the credit reporting agency; (2) the collection is necessary for, or directly related to, that purpose; and (3) the credit information is adequate but not excessive in relation to that purpose. Clause 22(3) of the proposed law has far-reaching implications for consumers in Malaysia. It provides that “the collection and use of credit information by a credit reporting agency under subsection (1) shall not require the consent of the customer concerned”. In contrast, the NZC provides that “where a credit reporter collects credit information, it must collect the information directly from the individual concerned”.

Clause 23(1) of the CRAB requires a credit reference agency to give the customer notice of the processing of credit information; the provision lists what the agency must do when it collects information from an individual. This is ironic: consent to collect information from an individual is not needed, yet the credit reference agency is required to provide a notice meeting prescriptive requirements and details. Similarly, under clause 24, a credit reference agency must have the customer’s consent before disclosing the information for any purpose or to any person.

The CRAB adopts the NZC concept of a Summary of Rights. For example, the written notice sent to a customer must contain a summary of the customer’s rights, and those rights are established by the Summary of Rights. In New Zealand, the Summary of Rights is established by, and derived from, the Code itself. Ironically, in Malaysia the Summary of Rights is, under clause 2, to be determined by the Registrar, the authority that enforces the law. Can rights be created by the executive?

The Bill is available HERE

A more comprehensive analysis will be made available soon.


By Eugene Oscapella

Eugene Oscapella explains how Facebook agreed to limit the sharing of personal data with application developers. Despite her lack of direct enforcement powers, Canada’s federal Privacy Commissioner has secured important privacy measures from Facebook, not only for its Canadian users but for users around the world. In doing so, Jennifer Stoddart became the first privacy commissioner to complete a comprehensive investigation into the privacy practices of the world’s most popular social networking site. Facebook has 12 million users in Canada, one third of the population.

In May 2008, Stoddart’s office received a wide-ranging complaint about Facebook from the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. The complaint, made under Canada’s federal private-sector data protection legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), was set out in a detailed 36-page letter. The letter alleged that Facebook violated the principles of PIPEDA by failing to: identify all the purposes for which it collects users’ personal information; obtain informed consent from users and non-users to all uses and disclosures of their personal information; allow users to use its service without consenting to supply unnecessary personal information; obtain express consent to share users’ sensitive information; allow users who have deactivated their accounts to easily withdraw consent to share information; limit the collection of personal information to that which is necessary for its stated purposes; be up front about its advertisers’ use of personal information and the level of users’ control over their privacy settings; destroy the personal information of users who terminate their use of Facebook services; safeguard users’ personal information from unauthorised access; and explain its policies and procedures on the range of personal information it handles.

The Privacy Commissioner’s investigation focused on whether Facebook was providing sufficient information for users to give meaningful consent to the collection, use and disclosure of their personal information. This involved examining how Facebook documented its purposes for collecting, using or disclosing such information, and whether Facebook was bringing those purposes to the public’s attention in a “reasonably direct and transparent” way. Retention of personal information was an issue for users who wanted to deactivate or delete their accounts, and for non-users. Concerns were also raised about the disclosure of personal information to third-party application developers and about Facebook Mobile, which allows people to use mobile devices to connect to Facebook.

According to Facebook, the mobile service is now used by 65 million people. The complainant alleged that Facebook Mobile failed to safeguard personal information properly. Representatives of the Privacy Commissioner’s office met with Facebook officials on several occasions as the investigation progressed. In July 2009, some 14 months after the complaint was presented to the office, Stoddart issued a press release. “It’s clear,” she said in the release, “that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates.” Assistant Privacy Commissioner Elizabeth Denham, responsible for investigations under PIPEDA, concluded that there was no evidence of any contravention of PIPEDA in four areas raised in the complaint, including alleged deception and misrepresentation. Denham did find that Facebook had contravened PIPEDA in other areas, for example default privacy settings and the collection and use of users’ personal information for advertising, but concluded that Facebook had since resolved the problems raised in those allegations. On four further issues (third-party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information) Denham found that Facebook’s activities did not comply with PIPEDA.

Here, Facebook did not immediately agree to adopt the Assistant Commissioner’s recommendations. Among her most significant findings was that Facebook did not have adequate safeguards to prevent the excessive sharing of personal information with more than one million third-party developers of popular Facebook applications, including games and quizzes. Nor was Facebook doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers: developers had almost unrestricted access to Facebook users’ personal information and to that of their online “friends”.

(This analysis appeared in the Privacy Laws & Business International Newsletter, 14 October 2009.)

Denham asked Facebook to reconsider her recommendations on these issues and advised that her office would check within the following month for evidence that Facebook had implemented the recommendations or introduced acceptable alternatives. Facebook relented and agreed to redesign its application platform to address the relatively free flow of personal information to application developers around the world. Developers using the platform would also need to adapt their applications, and Facebook expected the necessary changes to take a year to implement. Once the changes are in place, application developers will no longer be able to obtain access to users’ personal information without the users’ explicit consent, and users will be able to control the types of personal information that applications can obtain. Facebook also agreed to changes to help users better understand how their personal information would be used and to make better-informed decisions about how widely to share it. The Commissioner indicated that she would follow up with Facebook as the changes are introduced.

At a press conference in late August, Stoddart praised Facebook for its response to her office’s investigation, stating that Facebook could “show other online companies that you can have an incredibly successful online company that’s responsible and respectful of privacy rights”. Speaking at the same press conference, Denham reminded users that protecting privacy was not Facebook’s responsibility alone. Many of the changes she had been discussing with Facebook, she said, were about empowering users. She encouraged users to learn about and take advantage of the information and mechanisms that Facebook was introducing.

Users of Facebook and other social networking sites, she stressed, have a responsibility to inform themselves about how their personal information will be used and shared. This meant reading privacy policies and using the privacy settings the sites offer. Before an audience of lawyers in Toronto in mid-September, Stoddart noted that her office had been able to obtain significant privacy improvements from Facebook, despite the lack of enforcement powers in PIPEDA.

She reminded the audience that the experience with PIPEDA since it began to come into force in stages in 2001 has been that the lack of a direct enforcement power did not prevent her office from securing compliance with the Act. She noted that her office rarely needed to go to court: “Organisations – even giants like Facebook – tend to implement our recommendations. They recognise that it’s the right thing to do.” The original letter of complaint can be found at . The Commissioner’s letter to the complainant outlining the resolution of the Facebook complaint can be found at let_090827_e.cfm.

Eugene Oscapella is a Consultant at
Privacy Laws & Business, Canada



December 4, 2009


By Abu Bakar Munir


Malaysians have had to wait for a decade, but on 19 November 2009 the Personal Data Protection Bill (PDPB) was tabled for its first reading. The proposed law seeks to regulate the processing of personal data of individuals involved in commercial transactions. This article examines the PDP Bill briefly, on the assumption that the Bill is passed in its current form. It first discusses the applicability and non-applicability of the Act, then briefly elaborates on the Data Protection Principles and the exemptions provided. This is followed by an analysis of the rights of individuals and the new criminal offences created by the Act. In concluding, the paper discusses the enforcement mechanisms.


Data User

The PDP Bill states that the Act applies to any person who processes, or has control over or authorizes the processing of, any personal data in respect of commercial transactions. Such a person is called the data user. The Bill defines a data user as a person who, either alone or jointly or in common with other persons, processes or authorizes the processing of any personal data or has control over personal data.

Personal Data

Personal data is defined as any information in respect of a commercial transaction which: (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.


The PDPA applies to any person who processes personal data. ‘Processing’ is defined to mean ‘collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including the organisation, adaptation or alteration of personal data, the retrieval, consultation or use of personal data, the disclosure of personal data by transmission, transfer, dissemination or otherwise making available, or the alignment, combination, correction, erasure or destruction of personal data’.


The PDPA will apply to a data user in three circumstances: first, where the data user is established in Malaysia and processes personal data, whether or not in the context of that establishment; second, where the processing is done by a person employed or engaged by a data user established in Malaysia; and third, where a data user not established in Malaysia uses equipment in Malaysia to process personal data.


Federal and State Government

Clause 3 states that the Act shall not apply to the Federal and State Governments. This surely has far-reaching implications, as massive amounts of personal data are held and processed by the Federal and State Governments.

Data Processed Wholly Outside Malaysia

The PDPA does not apply to data processed wholly outside Malaysia unless that personal data is intended to be further processed in Malaysia. The effect of this provision is that the PDPA does not reach Internet-based data gatherers operating outside Malaysia unless the personal data are used, or intended to be used, in Malaysia.

Non-commercial Transactions

The law applies only to the processing of personal data in respect of commercial transactions. A commercial transaction in turn is defined to mean any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance. For the PDPA to apply, the personal data must be processed for the purpose of commercial transactions.

Personal Data processed under the Credit Reporting Agencies Act 2009

The definition of personal data excludes information that is processed for the purpose of a credit reporting business. Furthermore, section 79 of the Credit Reporting Agencies Act 2009 (CRAA), which was tabled for its first reading on 18 November 2009, explicitly states that the provisions of the PDPA shall not apply to any registered credit reporting agency. The PDPA therefore does not apply to the credit reporting business or to credit reporting companies; instead, Part V of the CRAA contains some rules on the processing of personal data.


At the heart of Malaysia’s PDP law are the seven personal data protection principles: the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle and the Access Principle.

The PDPA provides for two types of exemption: total and partial. A total exemption means that the Act does not apply at all; a partial exemption means that for certain processing activities, certain principles do not apply. The Act allows two total exemptions: first, where the data is processed for the purposes of personal, family or household affairs; and second, where the personal data is processed for recreational purposes. The partial exemptions are: (1) personal data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of tax and duty; (2) personal data processed in relation to information on the physical or mental health of a data subject; (3) data processed for preparing statistics or carrying out research; and (4) personal data processed only for journalistic, literary or artistic purposes.


The PDPA establishes certain rights for the data subject: the right of access to personal data, the right to correct personal data, the right to withdraw consent, the right to prevent processing likely to cause damage or distress, and the right to prevent processing for the purposes of direct marketing.

Right of Access to Personal Data

The right of access to personal data is provided under clauses 30-33 of the PDPB. These clauses give effect to and enforce the Access Principle stated in clause 12 of the PDPB. Clause 30(1) provides that an individual is entitled to be informed by the data user whether personal data of which that individual is the data subject is being processed by or on behalf of the data user.

Right to Correct Personal Data

If personal data has been supplied by the data user in compliance with a data access request and the requestor considers that the personal data is inaccurate, or if the data subject otherwise knows that personal data held by the data user is inaccurate, the requestor or the data subject may make a data correction request in writing requiring the data user to make the necessary correction to that personal data.

Right to Withdraw Consent

Clause 38 allows a data subject to withdraw, by notice in writing, his consent to the processing of personal data of which he is the data subject. Upon receiving the notice, the data user shall cease processing that personal data.

Right to Prevent Processing Likely to Cause Damage or Distress

Clause 42(1) allows a data subject, at any time by notice in writing, to require the data user to cease, or not to begin, the processing of any personal data, or its processing for a specified purpose or in a specified manner, on the ground that (i) the processing is causing or is likely to cause substantial damage or substantial distress to him or to another, and (ii) the damage or distress is or would be unwarranted.

This provision gives the data subject a right to prevent the data user from collecting, holding, processing or using his personal data. The data subject must show that the collection, holding, processing or use of the personal data is causing or is likely to cause damage or distress, whether to the data subject or to another individual. The damage or distress must be substantial, and it must be unwarranted.

Right to Prevent Processing for Purposes of Direct Marketing

Clause 43(1) states that a data subject may, at any time by notice in writing, require the data user, at the end of such period as is reasonable in the circumstances, to cease or not to begin processing his personal data for the purposes of direct marketing.


The PDPA creates several new criminal offences for failure to comply with the provisions of the law. Among them are: (1) contravention of the Personal Data Protection Principles; (2) failure to register as a data user where the data user belongs to a specified class; (3) continuing to process personal data after registration has been revoked; (4) unlawful collection or disclosure of personal data; (5) processing personal data after the data subject has withdrawn consent; (6) failure to comply with the Commissioner's requirement to cease processing personal data likely to cause damage or distress; and (7) failure to comply with the Commissioner's requirement to cease processing personal data for the purposes of direct marketing.


Personal Data Protection Commissioner

The Minister appoints a person as the Personal Data Protection Commissioner to enforce the law. The law empowers the Commissioner to investigate any possible breach on the part of a data user, either upon a complaint from an individual or on the Commissioner's own initiative. When the Commissioner is of the opinion that a data user has contravened or is contravening a provision of the Act, the Commissioner may serve the data user with an enforcement notice.

In the enforcement notice, the Commissioner states his opinion that one or more provisions of the PDPA have been contravened, specifies those provisions and the basis of his opinion, and directs the data user to take steps to rectify the breach within a specified period. The Commissioner may also direct the data user to cease processing the personal data pending rectification of the contravention. The Commissioner's decision on this and on other matters can be appealed to the Appeal Tribunal.


Malaysians have waited long enough to see a personal data protection law in force, and it looks like we will still have to hang on. The current parliamentary session will soon end with several other new bills and amendment bills still on the Order Paper of the Dewan Rakyat (House of Representatives). Malaysia and Malaysians may have to wait another few months before the PDPB can proceed to its second reading, be debated and passed. The next parliamentary session will take place in March 2010. It is hoped that the PDPB will not miss the boat; a decade is already too long a wait.

The Bill is available HERE.