Soon, Malaysia will have a comprehensive data protection law governing the processing of personal data. As mentioned elsewhere, the Personal Data Protection Bill (PDP) has been tabled for the first reading in November 2009. The second reading will take place in March 2010. This discussion is based on the assumption that the PDP Bill is passed in its current form.
The European Union (EU) has adopted its 1995 Data Protection Directive (DPD). Article 25 of the DPD provides that the Member States shall provide that the transfer to a third country of personal data may only take place only if the third country in question ensures an adequate level of protection. In another words, transfer of personal data from any European country to Malaysia may only take place if there is an adequate protection afforded by the PDP Act.
The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.
Content principles sets out minimum requirements for the content of the law governing collection and processing of personal data. There are six contents principles that Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the right of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.
In assessing the adequacy, the Working Party will also consider the scope or reach of the regime. They are divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organizations, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem, the Malaysian PDP Act, in section 3 exempts the Federal and State Government from its application. Under the latter, the law is to be applied to all processing of personal data regardless of purpose. Again, the Malaysian PDP Act in section 2 provides that the Act only applies to the processing of personal data in respect of commercial transactions.
Under the procedural and enforcement mechanisms or requirement, the WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In another words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.
The EU is one of the Malaysia’s largest trading partners. The total trade in 2008 alone amounted to USD41.0 billion. Free flow of personal data can further facilitate and stimulate trade and investment. The enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU’s adequacy requirement test. What is the implication? Transfers of personal data may still take place provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.
As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.
The European Union (EU) has adopted its 1995 Data Protection Directive (DPD). Article 25 of the DPD provides that the Member States shall provide that the transfer to a third country of personal data may only take place only if the third country in question ensures an adequate level of protection. In another words, transfer of personal data from any European country to Malaysia may only take place if there is an adequate protection afforded by the PDP Act.
The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.
Content principles sets out minimum requirements for the content of the law governing collection and processing of personal data. There are six contents principles that Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the right of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.
In assessing the adequacy, the Working Party will also consider the scope or reach of the regime. They are divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organizations, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem, the Malaysian PDP Act, in section 3 exempts the Federal and State Government from its application. Under the latter, the law is to be applied to all processing of personal data regardless of purpose. Again, the Malaysian PDP Act in section 2 provides that the Act only applies to the processing of personal data in respect of commercial transactions.
Under the procedural and enforcement mechanisms or requirement, the WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In another words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.
The EU is one of the Malaysia’s largest trading partners. The total trade in 2008 alone amounted to USD41.0 billion. Free flow of personal data can further facilitate and stimulate trade and investment. The enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU’s adequacy requirement test. What is the implication? Transfers of personal data may still take place provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.
As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.
I really love it and amazing information in this blog. it's really good and great information well done. Data protection law india,
ReplyDeleteGreat Article
DeleteIEEE Projects on Information Security
Project Centers in Chennai
JavaScript Training in Chennai
JavaScript Training in Chennai
I see your write-up as a well researched article. I can feel the great dedication in you when I read this post. Web Designing Course Training in Chennai | Web Designing Course Training in annanagar | Web Designing Course Training in omr | Web Designing Course Training in porur | Web Designing Course Training in tambaram | Web Designing Course Training in velachery
ReplyDeleteHello sir nice to read your all blogs and learned a lot of new knowledge. Thank you sir
ReplyDeleteJava Training in Chennai
Java Course in Chennai
Hi, nice to read your all blogs and learned a lot of new knowledge. Thank you sir
ReplyDeleteJava Training in Chennai
Java Course in Chennai
ReplyDeleteNice blog! Thanks for sharing this valuable information
RPA Training in Bangalore
RPA Training in Pune
RPA Training in Hyderabad
RPA Training in Gurgaon
Happy to read the informative blog. Thanks for sharing
ReplyDeletepython coaching centre in chennai
best python coaching centre in chennai
Great post. Thanks for sharing such a useful blog.
ReplyDeleteEthical Hacking Course in Anna Nagar
Ethical Hacking Course in Chennai
Very good article with very useful information. Visit our website for
ReplyDeletecyber security courses in malaysia