Monthly Archives: February 2012

Computing Professionals Bill 2011 – Latest Update

The Ministry of Science, Technology and Innovation (MOSTI) recently announced the concerns about the Computing Professionals Bill 2011 raised by relevant stakeholders. The major issues of concern raised were:

(i) Clear definition of the powers of the Board and interpretation of the terms in the Bill;
(ii) Defining the rules and regulations of the Bill;
(iii) Consistency in relations to legal provisions and issues of replication with other existing Acts or Bills;
(iv) Pre-requisite for registration as a Computing professional for both local and foreign practitioners; and
(v) Implication of the Bill, particularly in terms of international commitment such as with WTO and FTA, brain drain, stifling creativity and innovation.

Read more at MOSTI’s Website.

Enforcement of the Malaysian Personal Data Protection Act 2010 (2)

In our earlier blog entry entitled “Enforcement of the Malaysian Personal Data Protection Act 2010”, we mentioned that the Personal Data Protection Department stated that “it is best for us to wait for the Minister to make the announcement on the enforcement of the Act and notify in the Gazette”.

We recently came across a tweet by the Information, Communication and Culture Minister, Datuk Seri Utama Dr Rais Yatim that the Personal Data Protection Act 2010 (PDPA) will come into force “middle of the year”.

We look forward to the announcement of the date of operation of the PDPA in the Government Gazette.

Enforcement of the Malaysian Personal Data Protection Act 2010

In our earlier blog entry, we mentioned that Bernama reported that the Personal Data Protection Act 2010 (PDPA) will be enforced in June 2012 but this may not be correct in view of the Director General of Personal Data Protection Department’s (PDPD) statement.

We sought clarification from the PDPD and the PDPD informed us that “the newspaper reported that the Act [PDPA] is going to be enforced in June was based on the Secretary General’s closing ceremony speech in the evening even though the Minister did not state anything earlier. Despite all that, it is best for us to wait for the Minister to make the announcement on the enforcement of the Act and notify in the Gazette”.

We look forward to the Minister’s announcement on the enforcement of the PDPA.

Proposal to have privacy officer to implement data protection law

KUALA LUMPUR: New Zealand’s Assistant Privacy Commissioner Katrine Evans has suggested that Malaysia have privacy officers to implement the data protection law.

She said a privacy officer is the person in an agency who can understand its business and, at the same time, help the agency get it right in handling personal information.

“I don’t know whether Malaysia has the requirement for every agency to have a privacy officer but, if it doesn’t, you should have one,” she said when delivering her talk on ‘First Steps for a Data Protection Commissioner: Some Suggestions from New Zealand’ at the inaugural seminar on personal data protection, here.

Protecting your personal data

By DATUK SERI DR RAIS YATIM

At long last, we now have a venue to bring up grouses about our personal data being given away without our knowledge – the Personal Data Protection Department, which was officially launched on Thursday.

ISSUES related to Personal Data Protection have been dabbled with for a long time in this part of the world. The Personal Data Protection Act 2010 (PDPA) is one of the cyber legislations aimed at regulating the processing of personal data in commercial transactions.

The Act was passed by Parliament in May 2010 and the Personal Data Protection Department was created a year later. At a cyber seminar in November 2001, I raised the importance of Malaysia creating an Act to protect the personal data of an individual.

Awareness had risen not only because of rapid commercial development involving violations of personal data such as credit status of individuals, but also invasion through the means of communication tools being detected and questioned.

During the seminar, I spoke on the rights and liabilities pertaining to information; protection of information from unlawful use; the right to information; the status of information belonging to individuals and the overall issues pertaining to the future of online trade and commerce using other people’s data.

When you purchase an item online, your credit card data is online as well. Your banking activities precipitate the storage, retrieval as well as the movement of your credit and debit records.

To some quarters, these are useful if not valuable information. Wrongly used, your very own data could be the meat for a sly move or the subject matter of fraud.

Whichever way you look at it, modern life has involved us in a multi-faceted approach towards preserving our rights in respect of personal data.

Now, 11 years later, we are dealing with personal data again with the opening of the department (on Thursday) and a seminar on its legislation. In this context, our Government’s efforts to recognise individual interests through efforts to protect personal data should be given due recognition.

While the PDPA functions in the commercial environment, abuse of telephony communication networks or other channels through violations of personal data are also closely associated with the Communications and Multimedia Act (CMA) 1998.

For example, a person who intentionally infiltrates and gets without permission any information, including data through telephony or other means of communications under S.234 of the CMA, can be jailed up to one year or fined up to RM50,000 or both, if convicted.

The words “intercepts, attempts to intercept or procures through any other person, any communications” have very broad implications and applications to the extent of involving the personal data of an individual.

On the other hand, the CMA is complementary to the PDPA and the expedient should be used in the best interest of the people in terms of integrity and security of personal data of an individual. The promulgation of the personal data protection legislation was also mentioned in the CMA to “ensure information security, and network strength and reliability”.

Defining personal data

To ordinary citizens, a common question is: What is actually personal data? Under Section 4 of the PDPA, personal data means any information concerning commercial transactions stored or recorded and which can be managed automatically or as a file system.

It does not matter whether the information is being processed, stored automatically or filed by any party. But it will only be an offence if the information data is used in the commercial environment.

The next question is: If certain personal data are not involved in any commercial transaction, does the question of offence or abuse arise? This seems to be the implications and applications of the new law. Hence, the commercial environment should be involved before a criminal offence is recognised under the PDPA.

Generally, personal data has a very wide scope, covering sensitive and personal information such as blood type, health records and descriptions, political and religious beliefs, mental or physical conditions, or any other data needed by the authority from time to time.

Normal personal data also involves details on bank accounts, credit cards, telecommunication links like telephone or any other information stipulated by the minister under the PDPA from time to time.

The lists of personal data under the PDPA could also be expanded by the authority based on the demands of the living environment. However, details or information of one’s credit ratings are put under the Credit Rating Agency Act 2010 and so are not covered by the PDPA. It is clear that while the register or lists of personal data could be added according to the needs and interests of the consumers in the commercial environment in the future, the public need to know their rights under the new law.

It should also be stressed that the PDPA comprises seven key principles that must be adhered to under S.5(1) to protect the integrity of personal data. They are:

> A user is not allowed to process the personal data of another user without permission. The process here simply means data handling through an automated or computerised system or method or any other process;

> The user must comply with the Principle of Notice and Choice in which the information and purpose of the preliminary communication are conveyed to the data subject;

> The Principle of Disclosure spells out the need to disclose the use of personal data;

> The Principle of Security states that when processing personal data of any subject, precautionary measures must be taken so that the data is safe, and not tampered with, abused, missing or given to irrelevant parties;

> The Principle of Storing specifies that any personal data shall not be kept in a processing system longer than needed;

> The Principles of Data Integrity: all personal data must be accurate, complete, non-confusing and up-to-date in line with the purpose of storing and processing; and

> The Principle of Access: a user must be given access to his/her own personal data, which is kept by another user, and to be allowed to update the data.

With these principles in place, users and e-commerce practitioners will be more confident that their personal information is well protected. In the meantime, a practical and reasonable code of practice can be formulated by private effort or on the initiative of the Personal Data Commissioner.

Scope of the Act

Under the law, the Federal and State Governments are exempted from the PDPA application. This is to give the space and the right for the Government to use one’s basic personal data to be processed for legal administrative purposes.

The law will also speed up the development of electronic connection and transactions like e-commerce and e-business. It can be concluded that the existence of the law will, among others, help Malaysia to become a communication and electronic trade centre; an attractive location for investment in multimedia and communications industry; and an international trade partner which is able to offer personal data protection assurance according to international standards.

More than 100 countries have or are in the process of introducing personal data protection legislation as the borderless transaction environment entails a free flow of information through electronic networks worldwide to cater to the needs to comply with international standards.

The activities and scopes of the Personal Data Protection Act, among others, cover the Registration of Personal Data Users; Creation of the Consumer Data Forum; Creation of the Personal Data Practice Code; Appointment, Functions and Powers of Personal Data Protection Commissioner, including Financial Provisions; Creation of the Personal Data Protection Provident Fund; Creation of the Personal Data Protection Advisory Committee; Creation of the Appeal Tribunal; Inspection Procedures, Complaints and Investigation; and Enforcement.

Personal data processed by an individual for the purpose of personal, family or household affairs, including for recreational purposes, are excluded from the provisions of this Act.

The security, integrity and protection of personal data are a fundamental factor to shift the country from a manufacturing-based economy to high-value knowledge economy through the support of ICT infrastructure. The rise of electronic-based transactions has assailed the status of personal data which previously did not have a high commercial value.

This Act, of course, is able to strengthen personal data protection as a social obligation. This is important in order to protect the privacy of an individual, apart from the objective of producing dignified, integral and responsible traders in daily practices hinged on widespread use of e-commerce characteristics.

The importance of decisiveness and efficiency in all matters pertaining to enforcement must be stressed. May the Personal Data Protection Commissioner implement this principle in an effort to produce a resilient society for the benefit of future generations.

> Datuk Seri Dr Rais Yatim, who is Information, Communication and Culture Minister, officially opened the new Personal Data Protection Department in Kuala Lumpur on Thursday.

Source: The Star Newspaper

Seminar for awareness of personal data protection 2012

The Personal Data Protection Department of Malaysia (PDPD) (Jabatan Perlindungan Data Peribadi Malaysia) held the above event on 9 February 2012 at Royale Chulan Hotel, Kuala Lumpur.

In this seminar, Tuan Haji Abu Hassan Ismail, the Director General of the PDPD, announced that the enforcement date of the Personal Data Protection Act 2010 (PDPA) will be announced in due course as the PDPD is in the midst of setting up. He also added that there will be no guidelines issued for the time being.

[Postscript: Bernama reports that the PDPA will be in force in June 2012. This may not be correct in view of the Director General’s statement.]

What lies ahead for social media

Published in Putik Lada column, The Star on Friday February 3, 2012

It is going to be a tempestuous year with more developments in the social media scene, and a digital war may erupt between Internet users, companies and governments.

MALAYSIA’S social media sphere hit a milestone last year. Facebook users reached 12 million in Malaysia as at December and Twitter users reached about 470,000 as at October.

Defamation actions and criminal charges against people for alleged misuse of social media have also become normal. There have been interesting developments in the social media and Internet legal scene.

Last year saw an increase in the use of social media by the legal profession to market their services. Some lawyers, law firms and courts have their own Twitter accounts.

Former Bar Council president Datuk Ambiga Sreenevasan (@Ambiga_S) has over 6,000 followers, international law firm Allen & Overy (@AllenOvery) has more than 6,600 followers and the US Supreme Court (@USSupremeCourt) has 23,000 followers and counting.

With such extensive use by legal practitioners, the Law Society of England and Wales issued a practice note for the use of social media by lawyers.

Back home, Cybersecurity Malaysia introduced a new Internet guideline called Best Practice on Social Networking Sites (SNS).

The guideline is used as acceptable practices in usage of SNS with heightened ethics as well as in protecting the security of users and privacy needs. It is very useful for companies as guidance when drafting their social media policies.

Interestingly, the High Court of Malaya recognised that misappropriation of a domain name by a former employee is actionable under conversion of and trespass to property and breach of fiduciary duty in the 2008 case of Ogawa World Bhd & Anor v Ch’ng Wai Loong.

Normally, misappropriated Top Level domain names are recoverable through the WIPO Arbitration and Mediation Centre.

In Canada, the Supreme Court of Canada in Crookes v Newton (2011) delivered an important decision on the status of hyperlinks.

The Court held that creating hyperlinks to allegedly defamatory articles does not amount to a publication of defamatory information.

In India, the owners of a hotel sued Google over the auto-complete function on its search engine for defamation. When users typed the hotel’s name into Google, the word “receivership” is a suggested search term. However, the suit was later withdrawn.

“Who owns your followers?” was an issue to be determined when mobile phone website PhoneDog sued a former employee, writer Noah Kravitz, over the 17,000 Twitter followers that he had built up on a Twitter account called @PhoneDog_Noah.

Noah filed a motion to dismiss PhoneDog’s case but the US District Court ruled that PhoneDog could proceed with the lawsuit.

Many commentators are of the opinion that PhoneDog should have established a social media policy to determine the issue of ownership of the Twitter account when the account was created.

In a similar case, Eagle v Edcomm, Inc, et al., the Eastern District Court of Pennsylvania held that a former employee’s LinkedIn account belonged to the employer, even though the LinkedIn account contained the name, professional history and accomplishments of the employee.

Facebook had a busy year in 2011. Friendster repositioned itself as a social gaming site and discontinued its user social network accounts, leaving Facebook with one less competitor. However, Google introduced a new social networking site, Google Plus.

Facebook was subjected to a thorough and detailed audit by the Office of Irish Data Protection Commissioner, which gave a dozen recommendations for how Facebook can improve privacy protection and data-handling practices. The audit report is available online in the interest of transparency.

Last year also saw the battle for Facebook page www.facebook.com/Merck. Merck KGaA, a German drug maker, suddenly lost its Facebook page to US rival Merck & Co.

Merck KGaA initiated an action against Facebook for details on how the page was lost. Facebook subsequently apologised to Merck KGaA for the mix-up.

We all know that it is very difficult to remove information published online. Some argue that confidential information posted online will lose its quality of confidence.

However, in AMP v Persons Unknown (2011), the UK High Court granted a superinjunction to restrain the further publication of stolen intimate pictures of a woman which were leaked online.

Arguably, this case implicitly determined the position of confidential information which has been leaked online.

On the criminal front, a US Federal Judge in USA v William Lawrence Cassidy dismissed a criminal case against Cassidy for “tweet stalking” a religious leader on Twitter.

Cassidy allegedly posted 8,000 tweets, almost all of them about the leader and her religious group, which caused the leader to claim that she had suffered “substantial emotional distress”.

The Judge held that although the tweets were uncomfortable, Cassidy’s right to tweet was protected under the US Constitution.

This year will see more developments in the social media legal scene. We may also see more Internet censorship and crackdowns on websites for sharing files – just like what happened to MegaUpload.

As a result, a digital war may erupt between Internet users and companies and governments. It is going to be a tempestuous year ahead.