October 25, 2012

I've been invited by the University of Oxford

I will be giving a talk at the Oxford Internet Institute, University of Oxford on 19 November 2012. The title of my presentation is "Asia: Time to Talk Data Protection". For further information, please click here: www.oii.ox.ac.uk/events/?id=546

October 18, 2012

French Regulator Says Google Violates EU Privacy Rules

In a ruling, France’s privacy-rights regulator said Google’s new privacy policy violated European data-protection rules. Google failed to set “any limit concerning the scope of the collection and the potential uses of the personal data,” and gave users inadequate means to opt out, the agency said.
Read the article: Bloomberg Businessweek

April 19, 2012

KOREAN NEW DATA PROTECTION ACT

Professor Abu Bakar Munir

In March 2011, the South Korean government adopted a more comprehensive law titled the Personal Information Protection Act (PIPA). The new law contains comprehensive data protection principles, which will apply to all organizations and individuals handling personal data. The PIPA uses the term “Personal Information Processor”, which includes any public institution, legal person, organization or individual that directly or indirectly processes personal information.

Interestingly, the PIPA requires a privacy impact assessment to be carried out by public institutions where a violation of data subjects' personal information is probable in the processing of personal information. For non-public institutions, the PIPA simply states that they “shall make efforts in a positive way to conduct Privacy Impact Assessment if the violation of personal information of data subjects is highly probable in operating the personal information files.” Two different tests are therefore used: “probable” for public institutions and “highly probable” for the private sector and other organizations and individuals.

The personal information processor is required to notify the affected data subjects without delay if personal information is leaked. In the case of a large-scale data breach (above a threshold to be specified by Presidential Decree), notification must also be given to the Minister of Public Administration and Security.

Article 40 of the PIPA establishes the Personal Information Dispute Mediation Committee, which will mediate any dispute over personal information. The Committee shall consist of not more than 20 members appointed by the Minister of Public Administration and Security. The PIPA sets out in significant detail the status of the committee members, the mediation process and procedures, etc.

The PIPA gives several rights to data subjects. These include the right to access personal information, the right to correct and delete it, and the right to suspend processing. The new Act also allows class actions against the processor.

Chapter 9 of the PIPA, articles 70 to 75, provides for criminal offences and penalties. Any person who alters or deletes personal information processed by a public institution and causes suspension, paralysis or other severe hardship to the public institution commits an offence and shall be liable to imprisonment for not more than 10 years or a fine not exceeding 100 million won. Other offences include providing personal information to a third party without the consent of the data subject or receiving such information, processing sensitive data, etc. A company and its employee, agent or representative can be held liable for the criminal offences unless the company or individual was not negligent in exercising due care and supervision to prevent the violation.

Article 75 provides a very long list of situations in which a person can be fined for negligence, with fines not exceeding 10, 30 or 50 million won. These include a person who has installed and operated visual processing devices and a person who has failed to destroy personal information, etc.

March 17, 2012

TAIWAN'S NEW DATA PROTECTION ACT

Professor Abu Bakar Munir

On April 27, 2010, the Taiwan legislature amended the old Computer Processed Personal Data Protection Act and enacted the new Personal Data Protection Act (PDPA). This new law is expected to enter into force by November 2012.

The PDPA applies to the public and private sectors. However, in two “specific circumstances” the PDPA is not applicable: (1) when an individual collects, uses or processes personal information in the course of personal activities of a domestic nature; and (2) when audio-visual information is collected, processed or used in public places or public activities and is not associated with other personal information.

Personal information is defined broadly to cover name, date of birth, I.D. Card number, passport number, marital status, family, education, occupation, contact information, social activities and other information which may be used to identify a natural person, whether directly or indirectly. The concept of “sensitive data” is introduced.

All types of agencies are subject to the general obligations in articles 5-14, but there are also obligations specific to public agencies in articles 15-18 and to private agencies in articles 19-27. Article 3 of the PDPA provides for the rights of data subjects. The PDPA requires mandatory notification of data breaches. Article 12 states that when personal information is stolen, disclosed, altered or infringed in other ways due to a violation of this Law, the government agency or non-government agency should notify the affected individuals.

The PDPA does not provide for a single oversight body and does not create a data protection authority. Enforcement is left to the Ministries responsible for each industry sector. Chapter V of the Act provides for criminal offences. Interestingly, like the new Korean law, the PDPA allows damages actions as well as class actions to be taken against companies and organisations.

March 16, 2012

Lawmakers Focus on Cyberattacks on Infrastructure

During the five-month period between October and February, there were 86 reported attacks on computer systems in the United States that control critical infrastructure, factories and databases, according to the Department of Homeland Security, compared with 11 over the same period a year ago. The increase has prompted a new interest in cybersecurity on Capitol Hill, where lawmakers are being prodded by the Obama administration to advance legislation that could require new standards at facilities where a breach could cause significant casualties or economic damage.

Read the article: http://gigalaw.com/2012/03/14/lawmakers-focus-on-cyberattacks-on-infrastructure/ (Source: The New York Times)

March 1, 2012

French Agency Says Google’s Privacy Policy May Be Illegal

The French data protection authority said that Google’s new privacy policy appeared to violate European Union law, raising the stakes in a showdown with the company only days before it planned to put the new system into effect. Google announced the new policy last month, billing it as a way to streamline and simplify the privacy practices it employed worldwide across about 60 different online services, and to introduce greater clarity for users.

Read the article: http://gigalaw.com/2012/02/28/french-agency-says-googles-privacy-policy-may-be-illegal/ (Source: The New York Times)

February 23, 2012

British Judge Allows Serving Claims via Facebook

Legal authorities said that a High Court judge in England has approved the use of Facebook to serve legal claims. Lawyers in a commercial dispute were granted permission to serve a suit against a defendant via the popular social networking site.

Read the article: http://gigalaw.com/2012/02/21/british-judge-allows-serving-claims-via-facebook/ (Source: The Washington Post)

January 29, 2012

THE PROPOSED PHILIPPINES DATA PRIVACY ACT

Professor Abu Bakar Munir

In June 2011, the Philippines House of Representatives passed the Data Privacy Bill. Subsequently, the proposed law was considered by the Senate in its second regular session and some changes were adopted. Understandably, the proposed law seeks to protect personal information. Like data protection laws around the world, the proposed Act, in both versions, specifies the privacy or data protection principles, the rights of data subjects, and penalties for breaches of the law.

Under the General Data Privacy Principles, the processing of personal information must be based on the principles of transparency, legitimate purpose and proportionality. Specifically, personal information must be collected for specified and legitimate purposes. The personal information must be relevant, accurate, adequate and not excessive for the purposes for which it is collected. Personal information can be retained only as long as necessary for the fulfilment of those purposes.

The House of Representatives’ draft law requires that personal information must be processed fairly and lawfully. The Senate dropped the word “fairly”, so the Senate’s version only requires the data controller to ensure that the processing is lawful. The Senate added the Principle of Accountability, which does not exist in the House of Representatives’ version. Under this Principle, every data controller is accountable for complying with the proposed Act and also for the actions or inaction of the data processor. Each data controller is required to designate an individual who will be responsible for ensuring compliance.

Both versions of the proposed law provide several rights to the individual. They are the right to be informed whether one’s data is being processed, the right to have access to personal data and the right to have it corrected. Remarkably, the proposed law gives the data subject a right to suspend, block, remove or destroy personal information in the data controller’s filing system if the information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or used for direct marketing. Another interesting point is that the proposed law gives the data subject a right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

The proposed Act distinguishes personal information from sensitive personal information. The latter is defined very broadly by the House of Representatives to include an individual’s race, ethnic origin, marital status, age, genetic or sexual life and education. The Senate, however, does not regard factors such as age, marital status and education as sensitive information.

The major difference relates to the enforcement body. The House of Representatives wants to use an existing organisation, the Commission on Information and Communications Technology (CICT), to enforce the Act. In contrast, the Senate prefers that a new entity, the National Privacy Commission, be established to do the job.

January 27, 2012

THE PROPOSED SINGAPORE DATA PROTECTION ACT

Professor Abu Bakar Munir

The Ministry of Information, Communications and the Arts of Singapore on 13 September 2011 issued a consultation paper on the proposed data protection regime for the Republic. Like other data protection laws around the world, the proposed law will have rules governing data processing. In many jurisdictions these rules are called the data protection principles, and they must be observed when organizations process personal data. The rules relate to transparency, collection, use, disclosure, protection, retention, accuracy, access and correction.

There will be two types of exemptions: total and partial. A total exemption means that the Data Protection law (DP law) does not apply at all. The consultation paper mentions three circumstances that fall under this category. First, when personal data has been made available by a public agency to a specific organization or to the public generally. Secondly, processing of personal data in the course of a news activity. Thirdly, processing of personal data in relation to an individual’s business contact information, if it is solely for the purpose of enabling the individual to be contacted in relation to the individual’s employment, business or profession. In addition, the major exemption is the public sector: the proposed DP law will govern only private sector organizations.

Unlike the data protection laws in other jurisdictions, the proposed DP law provides an individual with only two rights: the right to access and the right to correct personal data. A Data Protection Commission (DPC) will be established to enforce the Act. The DPC will have powers to issue orders and to impose penalties of up to $1 million for non-compliance or breach of the Act.

Interestingly, the approach to be adopted is “complaint-based”, which means that the DPC will investigate a case of non-compliance only on the basis of a complaint. Arguably, complaint-driven enforcement may not be an effective way to enforce the DP law. Potential complainants may not be able to recognize breaches, and may be unwilling to complain. These could be obstacles to enforcing the DP law effectively.

More interestingly, the proposed DP law covers only consumers’ data. Data protection law, however, is about privacy and individuals, and an individual may or may not be a consumer. Restricting the application of the DP law to consumers’ data alone may not be wise or judicious.

January 25, 2012

PERSONAL DATA PROTECTION ACT 2010: BUSINESS AS USUAL?

Professor Abu Bakar Munir

Malaysia is the first among the ASEAN countries to have a law governing the processing of personal information. The Personal Data Protection Act (PDPA), passed in June 2010, is expected to come into force later this year. The PDPA sets out principles of good information-handling practice that must be followed whenever personal data is processed for commercial purposes. The law applies only if the data or information processed is ‘personal data’, that is, data or information that relates directly or indirectly to an individual.

At the heart of the Act are the seven data protection principles, which must be observed by companies when processing the personal data of their customers, staff members, etc. Non-compliance with any of these principles is a criminal offence. One of the most important prohibitions is on the processing of personal data without the consent of the individual. In addition, the information must only be used for the purposes for which it was collected, and it should be adequate for those purposes and not excessive.

Companies are also required to have privacy policy statements, and are not allowed to use information for any other purpose or disclose it to a third party without the consent of the individual. Companies must take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Personal data collected can only be processed for the specified purpose, and once that purpose is achieved the personal data shall not be kept any longer by the data user. It is the responsibility of the company to destroy or permanently delete the personal data. An obligation is also imposed on companies to take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date. More importantly, individuals are given the right to access their data kept by companies. The other rights are: to correct the personal data, to withdraw consent, to prevent processing likely to cause damage or distress, and to prevent processing for the purposes of direct marketing.

The PDPA has created several new criminal offences. These include offences for contravening the data protection principles, processing data without a certificate of registration, selling personal data, etc. It must be noted that the Act allows an officer of a company to be charged severally or jointly with the body corporate. If the body corporate is found to have committed the offence, the officer of the company shall be deemed to have committed the offence unless he can prove that the offence was committed without his knowledge, consent or connivance and that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.

When the enforcement date of the Act is fixed, all organizations in Malaysia will be required to comply with the Act within a grace period of three months. This is indisputably too short a time in which to work towards compliance. Failing to comply with the Act would render these organizations liable to criminal penalties. The Act, however, was passed more than eighteen months ago. How many are aware of the existence of the Act? How many have made efforts to comply with it? To ‘wait and see’ is not a wise approach. Time is running out. The enforcement date will be announced very soon. Would business be as usual?

January 11, 2012

LAWMAKERS WANT MORE PRIVACY ANSWERS FROM FACEBOOK

Reps. Ed Markey, D-Mass., and Joe Barton, R-Tex., lashed out at Facebook for failing to clearly explain how — and why — the social networking giant systematically compiles tracking data on its 800 million members, and millions more non-members. Markey and Barton were left unsatisfied by a six-page explanation they recently received from Erin M. Egan, Facebook’s Chief Privacy Officer.

January 5, 2012

SAUDI HACKERS POST PERSONAL INFO ON ISRAELIS

A group of Saudi hackers dubbed Group-XP claimed to have posted the personal information of nearly half a million Israelis online, though credit card companies said the number of compromised records is actually much lower. The hackers said they broke into one of Israel’s top sports Web sites, One.co.il, and redirected visitors to a site where they could download a file containing the personal information of 400,000 Israelis.

Read the article: http://gigalaw.com/2012/01/03/saudi-hackers-post-personal-info-on-israelis/ (Source: PCMag.com)