Malaysia Personal Data Protection Commissioner appoints Five Associations as Data User Forum

The Personal Data Protection Commissioner has appointed the following associations as data user forum for the following sectors:-

1. Institut Akauntan Malaysia for the accounting and audit sectors;
2. Persatuan Jualan Langsung Malaysia for the direct selling sector;
3. Persatuan Bank-bank Dalam Malaysia for the banking and financial sectors;
4. Institut Jurutera Malaysia for the engineering services sector;
5. Institut Insurans Hayat Malaysia for the insurance sector.

Source: Personal Data Protection Department Registration Unit.

PDF    Send article as PDF   

Meeting with the Personal Data Protection Department, Putrajaya (26 Nov 2014)

Article and photos contributed by Sarah Yong Li Hsien, Officer, Ad Hoc Committee on Personal Data Protection
Wednesday, 17 December 2014 09:43am

On 26 Nov 2014, the Bar Council Ad Hoc Committee on Personal Data Protection (“Committee”) visited the Personal Data Protection Department (“PDPD”) at the Ministry of Communication and Multimedia in Putrajaya. The delegation, led by Co-Chairpersons, Suaran Singh and Foong Cheng Leong, consisted of 11 persons, including committee officers, Sarah Yong Li Hsien and Anneliz Reina George.

Mazmalek b Mohamad, the newly-appointed Director General of PDPD and his Deputy, Dr Zainal Abidin b Sait were on hand to welcome the Committee. The purpose of the meeting was to introduce the Committee, and discuss various matters relating to the Personal Data Protection Act 2010 (“PDPA”).

The meeting started at 9:30 am and some of the matters discussed were whether the Malaysian Bar will be appointed as the data user forum for lawyers, and about the drafting of the code of practice for lawyers. The Committee informed PDPD that it has been working on the code and it may be ready by early next year.

PDPD informed the Committee that it is not necessary to obtain consent to process personal data of existing customers collected prior to the enforcement of the PDPA, and the privacy notice issued in accordance with the Notice and Choice Principle does not need to be sent via AR registered post, pursuant to section 136 of the PDPA.

It was also revealed during the discussion that investigations have been conducted on parties alleged to have breached the PDPA. However, none have been charged under the PDPA yet. Other technical and practical issues were also raised during the meeting.

The Committee will organise another meeting at a later date to discuss issues such as the data user forum and the issue of consent.

[Source]

PDF Creator    Send article as PDF   

Bread & Kaya: Tracing someone online

Bread & Kaya: Tracing someone online
Nov 17, 2014

- Getting the IP address is one way, but may not always be possible
– On issue of defamation, Section 114A has been applied retrospectively

ONE of the most difficult issues to deal with in cybercrime or cyber-bullying cases is finding the perpetrator online. My years of blogging have brought me some experience in dealing with this issue, especially when dealing with ‘trolls.’

I am glad to say that it is not impossible. Some guesswork is needed. Normally, such a perpetrator is someone you know, although he or she may or may not be close to you. Sometimes, however, it would be just a stranger.

There was one case where the perpetrator was found to be a friend’s spouse whom the victim had only met a few times. Strangely, there was no animosity between these parties.

In one case which I was personally involved, I made a guess on the possible perpetrator and worked from there. Eventually, the person confessed after being confronted.

Getting the Internet Protocol (IP) address of the perpetrator is one of the conventional ways to track someone down. Internet service providers (ISPs) assign unique IP address to each user account. However, IP addresses may not be retrievable if the person is on a proxy server.

Another problem is the jurisdictional issue. Many servers storing such IP addresses may be located overseas and owned by foreign entities. One may have to initiate legal action overseas to get such data, and many of these service providers do not release their user information easily due to data protection laws or their strict privacy practices.

In the recent case of Tong Seak Kan & Anor v Loke Ah Kin & Anor [2014] 6 CLJ 904, the Plaintiffs initiated an action for cyberspace defamation against the 1st Defendant.

In tracing the perpetrator, who had posted defamatory statements on two Google Blogspot websites, the Plaintiffs filed an action called a John Doe action in the Superior Court of California. In compliance with the Court order, Google traced the blogs to two IP addresses which were revealed by Telekom Malaysia Bhd to be IP addresses belonging to the 1st Defendant’s account.

In the same case, the High Court had held that the controversial Section 114A (2) of the Evidence Act 1950 applied retrospectively.

S. 114A (2) provides that the burden of proof lies on the subscriber of an ISP to prove that a certain statement was not published by him or her. The 1st Defendant failed to convince the Court that s. 114A (2) does not apply because the defamatory statements were published before the enforcement date of s. 114A(2).

This retrospective stand however was not followed in the case of PP v Rutinin Bin Suhaimin [2013] 2 CLJ 427 as the High Court held that s. 114A does not apply retrospectively.

Perhaps the distinguishing factor between these cases is that the first case involved a civil dispute whereas the latter is a criminal prosecution.

Readers may recall that the #Stop114A campaign was initiated to get this law repealed. I am proud to say that Digital News Asia (DNA) was one of the organisers and participants in shutting down its website for one day. The campaign attracted the attention of Prime Minister Najib Razak but unfortunately, the law remained.

Going back to the case, the Court held that the 1st Defendant had failed to prove that he was not the publisher of the content. The 1st Defendant is now liable for a payment of RM600,000 (US$180,000) as damages to the Plaintiffs.

Not all tracing of a perpetrator requires an IP address. In Datuk Seri Anwar Bin Ibrahim v Wan Muhammad Azri Bin Wan Deris [2014] 3 MLRH 21, Opposition leader Anwar Ibrahim (pic) sued Wan Muhammad Azri Bin Wan Deris, allegedly a well-known blogger called Papagomo, for defamation.

In proving the identity of Papagomo, instead of tracing the IP address of Papagomo, the Court relied on the statement of a person who had met Papagomo in person before. The former also took a picture with Papagomo and this picture was tendered in Court.

There are other unconventional methods to identify a person online. I have heard of a private investigator entering a person’s home without knowledge to gain access to the computer of that person.

Many people do not password-protect their home computers and leave their email and other online accounts still logged into. This allows the private investigator to easily access a person’s emails and other online accounts without any technical skills.

One method that I always use is to find something unique in the content posted by the perpetrator. For example, I recently concluded that a website was held by a cyber-squatter by doing a Google search on certain sentences that appeared on the website. The cyber-squatter’s website looked like a legitimate website, but the search revealed that the same facade had been employed by the cyber-squatter on several websites using well-known brand names.

If there are images involved, a Google Image search would be useful to find whether other websites are hosting the same image.

It is of utmost importance that one must have reliable evidence to prove the identity of a perpetrator before suing or charging them. The person doing such investigation should be knowledgeable enough to conduct the investigation, know the rules of producing evidence and testifying in Court, and to thwart all challenges by the perpetrator’s lawyers.

Failure to do so would result in the case being dismissed or in a worst scenario, an innocent person being charged or sued in Court.


First published on Digital News Asia on 17 November 2014.

PDF Printer    Send article as PDF   

Survey Relating to Compounding Regulations

The Malaysia Personal Data Protection Commissioner Office wishes to enforce compounding regulations pursuant to the Personal Data Protection Act 2010. They have now issued a survey for the members of the public and organisations.

Any response to the survey should be submitted before 14 November 2014. For more details, go to www.pdp.gov.my

Download: Survey Form (in Malay language only)

Free PDF    Send article as PDF   

Retirement of Haji Abu Hassan Ismail

With the retirement of Haji Abu Hassan Ismail as the Director General of the Personal Data Protection Department, Encik Mazmalek bin Mohamad has been appointed as the new Director General of the Personal Data Protection Department effective from 1st October 2014.

PDF    Send article as PDF   

Guidelines On Taxation of Electronic Commerce

In early 2013, the Inland Revenue Board (IRB) of Malaysia’s issued a guideline on how income derived from e-commerce is to be taxed. This guideline seeks to provide some guidance on basic tax issues and income tax treatment in respect of electronic commerce (e-commerce) transactions.

Notably, the IRB stated that a server / website itself do not carry any meaning in determining derivation of income. Business income from e-commerce would be considered as Malaysian income if the operations test shows that the person is carrying on a business in Malaysia. Even though the server is fully automated in performing business activities, the substantial part of the business activities such as updating and maintaining the current information on the website is still managed by a human (Paragraph 5.1). For more details, please visit Digital News Asia.

The Royal Malaysian Customs (RMC) also released the GST Guides on E-Commerce and Web Hosting to assist in understanding the upcoming Goods and Services Tax and its implications on e-commerce and web hosting businesses.

Under an e-commerce transaction, the RMC stated that if a business is supplying goods or services in Malaysia via the Internet, the business is accountable for the collection of GST as in conventional commerce. This also applies regardless that the transactions are done through a third party e-commerce service provider (e.g. web hosting company).

As for web hosting business, all provisions of services whether it originates in the country or imported from other countries are under the scope of GST. The principal rule with regards to place of supply for services provided by web host is where the supplier belongs. In this context, if the supplier of web host services belongs to Malaysia, such services have to be standard rate. On the other hand if the supplier belongs to another country, the supply of service is out of scope. However, if the recipient of the services provided by overseas supplier belongs to Malaysia, the imported service will be subjected to GST.

Download
Inland Revenue Board – Guidelines On Taxation of Electronic Commerce
Royal Malaysian Customs – Goods and Services Tax – Guide on E-Commerce
Royal Malaysian Customs – Goods and Services Tax – Guide on Web Hosting Services

Create PDF    Send article as PDF   

Malaysian Bar releases feedback to Personal Data Protection Commissioner’s Proposal Papers

On behest of the Malaysian Bar Ad Hoc Committee for the Personal Data Protection Act, the Malaysian Bar has published the feedback by Ad Hoc Committee on Personal Data Protection to Personal Data Protection Commissioner’s following proposal papers.

1) Guideline on Compliance of Personal Data Protection Act 2010;
2) Guide on the Management of Employee Act Data under Personal Data Protection Act 2010;
3) Advisory Guideline related to Consent requirement under the Personal Data Protection Act 2010; and
4) Guide on Management of CCTV under Personal Data Protection Act 2010.

Download the feedback.

PDF Printer    Send article as PDF   
1 2 3 20  Scroll to top