By Abu Bakar Munir
Malaysians have had to wait for a decade, but on 19 November 2009, the Personal Data Protection Bill (PDPB) was tabled for the first reading. The proposed law seeks to regulate the processing of personal data of individuals involved in commercial transactions. This article briefly examines the PDP Bill. The discussion is based on the assumption that the Bill is passed in its current form. The paper first discusses the applicability and non-applicability of the Act. It then briefly elaborates on the Data Protection Principles and the exemptions provided. This is followed by an analysis of the rights of individuals and the new criminal offences created by the Act. In concluding, the paper discusses the enforcement mechanisms.
APPLICABILITY OF THE PDP LAW: WHO, WHAT AND HOW
The PDP Bill states that the Act shall apply to any person who processes or any person who has control over or authorizes the processing of any personal data in respect of commercial transactions. The person who processes or has control over or authorizes the processing is called the data user. The Bill defines data user as a person who either alone or jointly or in common with other persons processes or authorizes the processing of any personal data or has control over personal data.
Personal data is defined to mean any information in respect of a commercial transaction, which: (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
The PDPA applies to any person who processes personal data. ‘Processing’ is defined to mean ‘collecting, recording, holding, or storing the personal data or carrying out any operation or set of operations on the personal data, including the organization, adaptation or alteration of personal data, the retrieval, consultation or use of personal data, the disclosure of personal data by transmission, transfer, dissemination or otherwise making available, or the alignment, combination, correction, erasure or destruction of personal data’.
The PDPA will apply to data users in three circumstances. Firstly, where the data user is established in Malaysia and processes data, whether or not in the context of that establishment. Secondly, where the processing is done by any person employed or engaged by a data user established in Malaysia. Thirdly, where the data user is not established in Malaysia but uses equipment in Malaysia to process personal data.
NON-APPLICATION OF THE ACT
Federal and State Government
Clause 3 states that the Act shall not apply to the Federal and State Governments. This surely has a far-reaching implication, as massive amounts of personal data are held and processed by the Federal and State Governments.
Data Processed Wholly Outside Malaysia
The PDPA does not apply to data processed wholly outside Malaysia, provided that the personal data is not intended to be further processed in Malaysia. The effect of this provision is that the PDPA is not applicable to Internet-based data gatherers, unless the personal data are used or intended to be used in Malaysia.
The law applies only to the processing of personal data in respect of commercial transactions. A commercial transaction in turn is defined to mean any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance. For the PDPA to apply, the personal data must be processed for the purpose of commercial transactions.
Personal Data processed under the Credit Reporting Agencies Act 2009
The definition of personal data excludes the information that is processed for the purpose of a credit reporting business. Furthermore, section 79 of the Credit Reporting Agencies Act 2009 (CRAA) (which was tabled for the first reading on 18 November 2009) explicitly states that the provisions of the PDPA shall not apply to any registered credit reporting agency. The PDPA does not apply to the credit reporting business and companies. Part V of the CRAA contains some rules on the processing of personal data.
DATA PROTECTION PRINCIPLES AND EXEMPTIONS
At the heart of Malaysia’s PDP law are the personal data protection principles. There are seven of them: the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle and Access Principle.
The PDPA provides for two types of exemptions: total and partial. Total exemption means that the Act does not apply at all. Partial exemption means that, for some processing activities, certain principles do not apply. For the former, the Act allows two exemptions. First, if the data is processed for the purposes of personal, family or household affairs. Second, if the personal data is processed for recreational purposes. The partial exemptions are: (1) personal data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, and the assessment or collection of tax and duty; (2) personal data processed in relation to information on the physical or mental health of a data subject; (3) data processed for preparing statistics or carrying out research; and (4) personal data processed only for journalistic, literary or artistic purposes.
RIGHTS OF DATA SUBJECT
The PDPA establishes certain rights afforded to the data subject. They are the right of access to personal data, right to correct personal data, right to withdraw consent, right to prevent processing likely to cause damage or distress, and right to prevent processing for the purposes of direct marketing.
Right of Access to Personal Data
The right of access to personal data is provided under clauses 30-33 of the PDPB. These clauses give effect to and enforce the Access Principle as stated in clause 12 of the PDPB. Clause 30(1) provides that an individual is entitled to be informed by the data user whether personal data of which that individual is the data subject is being processed by or on behalf of the data user.
Right to Correct Personal Data
If personal data has been supplied by the data user in compliance with a data access request and the requestor considers that the personal data is inaccurate, or if the data subject knows that his personal data held by the data user is inaccurate, the requestor or the data subject may make a data correction request in writing, asking the data user to make the necessary correction to that personal data.
Right to Withdraw Consent
Clause 38 allows a data subject to withdraw his consent to the processing of the personal data in respect of which he is the data subject. The data user shall, upon receiving the notice thereof, cease the processing of the personal data.
Right to Prevent Processing Likely to Cause Damage or Distress
Clause 42(1) allows a data subject, at any time by notice in writing to the data user, to require the data user to cease or not to begin the processing, or processing for a specified purpose or in a specified manner, of any personal data on the ground that (i) it causes or is likely to cause substantial damage or substantial distress to him or to another; and (ii) the damage or distress is or would be unwarranted.
This provision gives a right to the data subject to prevent the data user from collecting, holding, processing or using his personal data. The data subject must prove that the collection, holding, processing or use of the personal data is causing or is likely to cause damage or distress. Damage or distress must be caused or likely to be caused to the data subject or to another individual. The extent of the damage or distress caused must be substantial and unwarranted.
Right to Prevent Processing for Purposes of Direct Marketing
Clause 43(1) states that a data subject may, at any time by notice in writing to the data user, require the data user, at the end of such period as is reasonable in the circumstances, to cease or not to begin processing his personal data for the purposes of direct marketing.
OFFENCES AND LIABILITY
The PDPA has created several new criminal offences for failure to comply with the provisions of the law. Some of the criminal offences are: (1) contravention of the Personal Data Protection Principles; (2) failure to register as a data user, for specified classes of data users; (3) continuing to process personal data after the registration is revoked; (4) unlawful collection or disclosure of personal data; (5) processing of personal data after the data subject withdraws consent; (6) failure to comply with the Commissioner’s requirement to cease processing of personal data likely to cause damage or distress; and (7) failure to comply with the Commissioner’s requirement to cease processing of personal data for purposes of direct marketing.
Personal Data Protection Commissioner
The Minister shall appoint a person as the Personal Data Protection Commissioner to enforce the law. The law empowers the Commissioner to investigate any possible breach on the part of a data user, either upon a complaint from an individual or on his own initiative. When the Commissioner is of the opinion that a data user has contravened or is contravening a provision of the Act, the Commissioner may serve him with an enforcement notice.
In the enforcement notice, the Commissioner will state his opinion that the provision(s) of the PDPA have been contravened, specifying the provision(s) and the basis of his opinion. The Commissioner will direct the data user to take steps to rectify the breach within a specified period. The Commissioner may also direct the data user to cease the processing of the personal data pending rectification of the contravention. The decision of the Commissioner on this issue, and on other matters, can be appealed to the Appeal Tribunal.
Malaysians have waited long enough to see a personal data protection law in force. It looks like we will still have to hang on. The current parliamentary session will soon end with several other new and amendment bills still on the Order Paper of the Dewan Rakyat (House of Representatives). Malaysia and Malaysians, perhaps, will have to wait another few months before the PDPB can proceed to its second reading to be debated and passed. The next parliamentary session will take place in March 2010. It is hoped that the PDPB will not miss the boat. A decade is already too long a wait.