January 29, 2012


Professor Abu Bakar Munir

In June 2011, the Philippines House of Representatives passed the Data Privacy Bill. Subsequently, the proposed law was considered by the Senate in its second regular session, and some changes were adopted. Understandably, the proposed law seeks to protect personal information. Like data protection laws around the world, the proposed Act, in both versions, specifies the privacy or data protection principles, the rights of data subjects, and the penalties for breach of the law.

Under the General Data Privacy Principles, the processing of personal information must be based on the principles of transparency, legitimate purpose and proportionality. Specifically, personal information must be collected for a specified and legitimate purpose. The personal information must be relevant, accurate, adequate and not excessive for the purposes for which it is collected. Personal information may be retained for as long as necessary to fulfil those purposes.

The House of Representatives’ draft law requires that personal information be processed fairly and lawfully. The Senate dropped the word “fairly”, so the Senate’s version only requires the data controller to ensure that the processing is lawful. The Senate also added a Principle of Accountability, which does not exist in the House of Representatives’ version. Under this Principle, every data controller is accountable for complying with the proposed Act and is also accountable for the actions or inactions of its data processor. Each data controller is required to designate an individual who will be responsible for ensuring compliance.

Both versions of the proposed law provide several rights to the individual: the right to be informed whether one’s personal data is being processed, the right of access to that data, and the right to have it corrected. Remarkably, the proposed law gives the data subject a right to suspend, block, remove or destroy personal information in the data controller’s filing system if the information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or used for direct marketing. Another interesting point is that the proposed law gives the data subject a right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

The proposed Act distinguishes between personal information and sensitive personal information. The latter is defined very broadly by the House of Representatives to include an individual’s race, ethnic origin, marital status, age, genetic or sexual life and education. The Senate, however, does not regard factors such as age, marital status and education as sensitive information.

The major difference relates to the enforcement body. The House of Representatives wants to use an existing organisation, the Commission on Information and Communications Technology (CICT), to enforce the Act. In contrast, the Senate prefers that a new entity, the National Privacy Commission, be established to do the job.

January 27, 2012


Professor Abu Bakar Munir

On 13 September 2011, the Ministry of Information, Communications and the Arts of Singapore issued a consultation paper on the proposed data protection regime for the Republic. Like other data protection laws around the world, the proposed law will have rules governing data processing. In many jurisdictions these rules are called the data protection principles, and organizations must observe them when processing personal data. The rules relate to transparency, collection, use, disclosure, protection, retention, accuracy, access and correction.

There will be two types of exemptions – total and partial. A total exemption means that the Data Protection law (DP law) does not apply at all. The consultation paper mentions three circumstances that fall under this category. First, when personal data has been made available by a public agency to a specific organization or to the public generally. Second, processing of personal data in the course of a news activity. Third, processing of personal data in relation to an individual’s business contact information, if it is solely for the purpose of enabling the individual to be contacted in relation to the individual’s employment, business or profession. Beyond these, the major exemption is the public sector: the proposed DP law will govern only private sector organizations.

Unlike the data protection laws in other jurisdictions, the proposed DP law provides only two rights to an individual – the right of access to, and the right to correct, personal data. A Data Protection Commission (DPC) will be established to enforce the Act. The DPC will have the power to issue orders and to impose penalties of up to $1 million for non-compliance with or breach of the Act.

Interestingly, the approach to be adopted is “complaint-based”, which means that the DPC will investigate a case of non-compliance only on the basis of a complaint. Arguably, complaint-driven enforcement may not be an effective way to enforce the DP law. Potential complainants may be unable to recognize breaches, or may be unwilling to complain. These could be obstacles to enforcing the DP law effectively.

More interestingly, the proposed DP law covers only consumers’ data. Data protection law, however, is about privacy and individuals, and an individual may or may not be a consumer. Restricting the application of the DP law to consumers’ data alone may not be wise or judicious.

January 25, 2012


Professor Abu Bakar Munir

Malaysia is the first of the ASEAN countries to have a law governing the processing of personal information. The Personal Data Protection Act (PDPA), passed in June 2010, is expected to come into force later this year. The PDPA sets out principles of good information-handling practice that must be followed whenever personal data is processed for commercial purposes. The law applies only if the data or information processed is ‘personal data’, that is, data or information that relates directly or indirectly to an individual.

At the heart of the Act are the seven data protection principles, which must be observed by companies when processing the personal data of their customers, staff members and so on. Non-compliance with any of these principles is a criminal offence. One of the most important prohibitions is on processing personal data without the consent of the individual. In addition, the information must be used only for the purposes for which it was collected, and it should be adequate for that purpose and not excessive.

Companies are also required to have privacy policy statements, and they are not allowed to disclose information for any other purpose or to a third party without the consent of the individual. Companies must take practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Personal data collected can be processed only for the specified purpose, and once that purpose has been achieved, the personal data shall not be kept any longer by the data user. It is the responsibility of the company to destroy or permanently delete the personal data. An obligation is also imposed on companies to take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date. More importantly, individuals are given the right of access to their data kept by companies. The other rights are: to correct personal data, to withdraw consent, to prevent processing likely to cause damage or distress, and to prevent processing for the purposes of direct marketing.

The PDPA has created several new criminal offences. These include offences for contravening the data protection principles, processing data without a certificate of registration, selling personal data, and so on. It must be noted that the Act allows an officer of a company to be charged severally or jointly with the body corporate. If the body corporate is found to have committed the offence, the officer of the company shall be deemed to have committed the offence as well, unless he can prove that the offence was committed without his knowledge, consent or connivance and that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.

When the enforcement date of the Act is fixed, all organizations in Malaysia will be required to comply with the Act within a grace period of three months. This is indisputably too short a time in which to work towards compliance, and failure to comply would render these organizations liable to criminal penalties. The Act, however, was passed more than eighteen months ago. How many organizations are aware of its existence? How many have made efforts to comply with it? To ‘wait and see’ is not a wise approach. Time is running out; the enforcement date will be announced very soon. Will it be business as usual?

January 11, 2012

Reps. Ed Markey, D-Mass., and Joe Barton, R-Tex., lashed out at Facebook for failing to clearly explain how — and why — the social networking giant systematically compiles tracking data on its 800 million members and on millions more non-members. Markey and Barton were left unsatisfied by a six-page explanation they recently received from Erin M. Egan, Facebook’s Chief Privacy Officer.

January 5, 2012


A group of Saudi hackers dubbed Group-XP claimed to have posted the personal information of nearly half a million Israelis online, though credit card companies said the number of compromised records is actually much lower. The hackers said they broke into one of Israel’s top sports websites, One.co.il, and redirected visitors to a site where they could download a file containing the personal information of 400,000 Israelis.

Read the article: http://gigalaw.com/2012/01/03/saudi-hackers-post-personal-info-on-israelis/ (Source: PCMag.com)