Monthly Archives: November 2013

Malaysia gazettes data protection act, effective immediately

I was quoted by ZDNet in their article “Malaysia gazettes data protection act, effective immediately“.

Malaysia gazettes data protection act, effective immediately

Summary: After almost a year delay, Malaysia finally gazettes its Personal Data Protection Act 2010 on Thursday and makes it effective Friday. Businesses have three months to comply and violation can result in fine and/or imprisonment.

By  |

Malaysia has quietly gazetted its Personal Data Protection Act 2010 (PDPA), effective immediately, and given businesses three months to ensure compliance.

The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented early-2010. An earlier note by the American Malaysian Chamber of Commerce indicated that the Act was scheduled to be passed August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia (PDPD) by November 15, 2013. This, however, apparently was also rescheduled.

According to Kuala Lumpur-based lawyer Foong Cheng Leong, the act has been gazetted and comes into force today, with Tuan Abu Hassan bin Ismail appointed the Personal Data Protection Commissioner. Foong noted that the Act outlined four new subsidiary legislation, including the class of data users and registration of data users. Businesses that fall under these categories include banking and financial institutions, communications service providers, insurance companies, transportation, and utilities.

Data users now have three months from November 15 to ensure compliance, he added.

The PDPA also provided some guidelines on the definition of consent, which must be in a form that can be recorded and maintained by the data user. Burden of proof for consent lies on the data user, Foong said.

Singapore-based tech lawyer and ZDNet blogger, Bryan Tan, said the sudden turn of events meant Malaysia has “stolen a march” on Singapore which passed its Personal Data Protection Act in October 2012, but its main regulations will come into effect only on July 2, 2014, when allorganizations must ensure complianceThe Act, however, includes a Do-Not-Call Registry which will be in force January 2, 2014.

Tan said: “The two countries’ PDPAs are different, but what it generally means for businesses is that a lot of time and effort will need to be spent on compliance. Perhaps it is a blessing in disguise that both come into force almost at the same time, so companies operating in Singapore and Malaysia can coordinate their compliance in one single project.”

PDF Creator    Send article as PDF   

Data protection act gazetted, effective today

I was quoted by the Malay Mail in their report “Data protection act gazetted, effective today” on 15 November 2013.


KUALA LUMPUR, Nov 15 — The much awaited Personal Data Protection Act (PDPA) 2010 has finally been gazetted and will take effect today, with businesses given three months to comply with the new law and violation will result in fine, or imprisonment, or both.

KL Bar Information Technology Committee chairman Foong Cheng Leong confirmed that the law will be effective today, with Abu Hassan Ismail appointed the Personal Data Protection commissioner.

“The law introduced seven principles, in these seven principles, you would need to, for example get consent if you possess any personal data, name, IC, address, pictures, email and phone numbers.

“Once you get the personal data, you need to give a written notification in BM and English and make sure it’s safe and give it to the relevant parties,” he told The Malay Mail Online when contacted.

Foong, who is also the member of the Malaysian Bar Intellectual Property Committee, also said that although businesses are given three months to comply, it would be a challenge to those which have not begun putting their houses in order.

“I think [businesses] are hit quite hard especially those not doing anything since 2009 because the law was introduced since 2009, but I know quite a bit of companies which have started to comply with the law since 2009.

“Most companies would need six months to complete the exercise, so those who have not done anything, need to move very quickly.

“For consumers, expect less phone calls, less SMSes and basically receiving any tele-marketing materials,” he said.

Foong noted however, that the Malaysian government is exempted from this law.

The PDPA also introduced four new subsidiary legislations, including the registration of data user and class of data users.

Businesses that are considered data users including banking and financial institutions, communications service providers, insurance companies, transportation, and utilities, will now have to register with the commissioner.

He also said that data subject, meaning individuals, would be able to request access to the type of personal data being processed.

“The law provides that there will be no transfer of data outside Malaysia, unless you get consent, or the country or jurisdiction you want to transfer data to is included in the list by the commissioner [which has yet to be released],” he said.

The law stipulates that consent for personal data processing should be required explicitly it has to be expressed, rather than implied or assumed. The organiser will also need to justify the reason they need the information they are asking for.

Under the law, consumers have the right to access, correct data, prevent damage or distress, withdraw from data processing, prevent direct marketing and bring complaint on data abuses to PDP commissioners.

Data users meanwhile, are obligated to provide the necessary mechanisms that will facilitate data subjects to exercise these rights.

The provisions also allows consumers to withdraw consent to personal data. If the data user continue to process the personal data, it will be liable to a fine of up to RM100,000 or a maximum of one-year jail, or both.

The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented early-2010.

The law was initially scheduled to be passed August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia by November 15, 2013.

PDF Download    Send article as PDF   

ITPC STARTUPS AND BUSINESS LAW CONFERENCE on 26.11.2013

The KL Bar Information Technology and Publications Committee (ITPC) will be organising a one-day Conference on 26 November 2013. The Conference will cover practical legal issues for start-ups with a particular emphasis on the emerging issues such as intellectual property, personal data protection and social media. The purpose is to provide the participants with the basic knowledge on essential legal issues for startups. Startups are highly encouraged to attend this Conference.

The details of the conference are as follows:

Date : 26 November 2013
Time : 9 a.m. – 6 p.m.
Place : KL Bar Auditorium, 10th Floor, Wisma Kraftangan, No.9 Jalan Tun Perak, 50050, Kuala Lumpur, Malaysia

Topics :

Incorporating a company: Choosing the Right Legal Entity by Sharin Kaur Veriah and Goh May Woei (Shook Lin & Bok)
Recognising your Intellectual Property and Protecting your Rights by Janet Toh Yoong San and Tamara Lee Ciai (Shearn Delamore & Co.)
Introduction to Cyber laws in Malaysia by Adlin binti Abdul Majid (Lee Hishammuddin Allen & Gledhill)
Personal Data Protection Act 2010: How to Prepare Yourself by Professor Abu Bakar Munir (University Malaya)
Contract Law: What to address in eCommerce Terms of Use by Tai Foong Lam (Gan Partnership)
E-commerce Taxation Laws by Siti Fatimah binti Mohd Shahrom (Lee Hishammuddin Allen & Gledhill)

REGISTRATION FEE
RM100.00 per participant

Only 120 Seats Available. Click here for more information.

Free PDF    Send article as PDF   

Enforcement of the Personal Data Protection Act 2010

It is official. The Malaysian Personal Data Protection Act 2010 (“PDPA”) will be in force on 15 November 2013. As expected, Tuan Abu Hassan bin Ismail is appointed as the Personal Data Protection Commissioner with effect from 15 November 2013.

Data users now have 3 months to comply with the PDPA in respect of personal data processed before 15 November 2013 and immediate compliance with the PDPA for personal data collected from 15 November 2013.

The enforcement of the PDPA also introduced four (4) new subsidiary legislations namely:-

1.Personal Data Protection (Fees) Regulations 2013;
2. Personal Data Protection (Registration of Data User) Regulations 2013;
3. Personal Data Protection (Class of Data Users) Order 2013; and
4. Personal Data Protection Regulations 2013.

For your easy reading, I have summarised the new regulations below.

Registration of Class of Data Users

The new regulations require certain class of data users to register with the Personal Data Protection Commissioner. They are:-

1. Communications
(a) A licensee under the Communications and Multimedia Act 1998 [Act 588].
(b) A licensee under the Postal Services Act 2012 [Act 741].

2. Banking and financial institution
(a) A licensed bank and licensed investment bank under the Financial Services Act 2013 [Act 758].
(b) A licensed islamic bank and licensed international islamic bank under the Islamic Financial Services Act 2013 [Act 759].
(c) A development financial institution under the Development Financial Institution Act 2002 [Act 618].

3. Insurance
(a) A licensed insurer under the Financial Services Act 2013.
(b) A licensed takaful operator under the Islamic Financial Services Act 2013.
(c) A licensed international takaful operator under the Islamic Financial Services Act 2013.

4. Health
(a) A licensee under the Private Healthcare Facilities and Services Act 1998 [Act 586].
(b) A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998.
(c) A body corporate registered under the Registration of Pharmacists Act 1951 [Act 371].

5. Tourism and hospitalities
(a) A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992 [Act 482].
(b) A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992.

6. Transportation
(a) Malaysian Airlines System (MAS).
(b) Air Asia.
(c) MAS Wings.
(d) Air Asia X.
(e) Firefly.
(f) Berjaya Air.
(g) Malindo Air.

7. Education
(a) A private higher educational institution registered under the Private Higher Educational Institutions Act 1996 [Act 555].
(b) A private school or private educational institution registered under the Education Act 1996 [Act 550].

8. Direct selling
A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993 [Act 500].

9. Services
(a) A company registered under the Companies Act 1965 [Act 125] or a person who entered into partnership under the Partnership Act 1961 [Act 135] carrying on business as follows:
(i) legal;
(ii) audit;
(iii) accountancy;
(iv) engineering; or
(v) architecture.

(b) A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961 [Act 122].
(c) A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981 [Act 246].

10. Real estate
(a) A licensed housing developer under the Housing Development (Control and Licensing) Act 1966 [Act 118].
(b) A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah.
(c) A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.

11. Utilities
(a) Tenaga Nasional Berhad.
(b) Sabah Electricity Sdn. Bhd.
(c) Sarawak Electricity Supply Corporation.
(d) SAJ Holding Sdn. Bhd.
(e) Air Kelantan Sdn. Bhd.
(f) LAKU Management Sdn. Bhd.
(g) Perbadanan Bekalan Air Pulau Pinang Sdn. Bhd.
(h) Syarikat Bekalan Air Selangor Sdn. Bhd.
(i) Syarikat Air Terengganu Sdn. Bhd.
(j) Syarikat Air Melaka Sdn. Bhd.
(k) Syarikat Air Negeri Sembilan Sdn. Bhd.
(l) Syarikat Air Darul Aman Sdn. Bhd.
(m) Pengurusan Air Pahang Berhad.
(n) Lembaga Air Perak.
(o) Lembaga Air Kuching.
(p) Lembaga Air Sibu.

Personal Data Protection Regulations 2013

Personal Data Protection Regulations 2013 provided some guidelines on the definition of consent of a data subject in the PDPA. In this regard, consent must be in a form that can be recorded and maintained properly by the data user. Burden of proof for consent lie on the data user.

Any privacy policy must also provide the designation of the contact person, phone number, fax number (if any), e-mail address (if any) and such other related information.

Data user shall develop and implement a security policy to comply with Security Principal.

The Personal Data Protection Regulations 2013 also stated that the Personal Data Protection Commissioner may notify a data user of his intention to carry out an inspection on a personal data system used by a data user.

PDF    Send article as PDF   

Bread & Kaya: Sharing images of crime victims

Bread & Kaya: Sharing images of crime victims

Nov 01, 2013

– No doubt the dissemination of gruesome images is distasteful and disrespectful of victims and their families
– However, when the MCMC cited legislation against it, the industry regulator may have been stretching it

Bread & Kaya by Foong Cheng Leong

IT was with great interest that I read the following Facebook posting by industry regulator the Malaysian Communications and Multimedia Commission (MCMC):

Assalamu’alaikum dan Selamat Sejahtera,

Orang ramai dinasihatkan untuk tidak menyebarkan gambar dan rakaman CCTV pembunuhan kejam seorang pegawai bank atau gambar-gambar mangsa di mana-mana media sosial seperti Facebook dan Whatsapp .

Jika anda telah berbuat demikian sila padamkan post tersebut. Ini adalah untuk menghormati mangsa dan keluarga beliau. Ia mungkin juga mengakibatkan gangguan emosi kepada orang ramai terutamanya kanak-kanak.

Kami telah pun meminta kerjasama YouTube untuk mengeluarkan video berkenaan dengan seberapa segera.

Untuk makluman, penyebaran gambar dan video sebegini adalah suatu kesalahan di bawah Seksyen 211 dan 233 Akta Komunikasi dan Multimedia 1998. Jika didapati bersalah, denda yang dikenakan tidak melebihi RM50,000 dan satu tahun penjara atau kedua-duanya sekali.

Sekian, terima kasih

In brief, the MCMC stated that the dissemination of gruesome images or video recordings of crime victims is an offence under the ss. 211 and 233 of the Communications and Multimedia Act 1998 (CMA). Reference was made to the CCTV recording of the deadly shooting of Ambank officer Norazita Abu Talib.

There is no doubt that the dissemination of such gruesome recordings and images is distasteful and disrespectful of the victim and her family. But for the MCMC to state that it is an offence under ss.211 and 233 of the CMA is stretching the applicability of these laws too far.

For there to be an offence under s. 233 of the CMA, the case of PP v Rutinin Bin Suhaimin has clearly set out that the following ingredients must be proven:

– The accused person initiated the communication in question.
– The communication in question is either indecent, obscene, false, menacing, or offensive in character; and
– The accused had intention to annoy, abuse, threaten or harass any person.

Section 211 of the CMA is similar to s. 233 of the CMA.

A person who posted the offensive materials must have the intention to annoy, abuse, threaten or harass any person. I doubt the people who have shared such images or recording had such intentions. Perhaps bloggers or portals that had done so had the intention to gain more visitors. Or perhaps some netizens share them to satisfy the morbid curiosities of other netizens.

But certainly this is not an intention to annoy, abuse, threaten or harass any person.

In short, the dissemination of gruesome recording and images is not an offence under ss.211 and 233 of the CMA unless it was disseminated with an intention to annoy, abuse, threaten or harass any person.

No doubt it is a calamity to have images of your late loved ones being disseminated online; but there are other laws to govern the dissemination of such information. Section 292 of the Penal Code makes it an offence to disseminate obscene material. The person who caused the leak of gruesome image (e.g. autopsy pictures) could be subject to a civil suit for negligence.

Even the soon-to-be introduced law s. 203A of the Penal Code, which punishes, among others, a civil servant for disclosing information obtained by him in his performance of his functions with a fine of not more than RM1 million (US$317,000), or imprisonment for a term which may extend to one year, or both.

However, I do not think that Parliament should introduce a law to curb the dissemination of gruesome recording of victims, especially if there are benefits of doing so. For example, for education purposes (e.g. study of forensic science) or even to highlight the extent of injuries suffered by inmates due to alleged police brutality.

The purpose of this article is not to justify the dissemination of gruesome images or videos but to highlight the extent of our laws. The MCMC should ensure that its statement, in particular, the last paragraph, is accurate and not leave room for misinterpretation.


First published on Digital News Asia on 16 August 2013

PDF Printer    Send article as PDF   

Compendium of Malaysian Intellectual Property Cases – Trade Marks

My first book, Compendium of Malaysian Intellectual Property Cases, will be launched this month or early next month. It is now available for pre-order. Click here to order!

This book contains more than seventy (70) reported and unreported cases on Trade Marks from the Malaysian High Court, Court of Appeal and Federal Court. For ease of reference the cases have been divided into sections such as infringement, passing off, rectification and opposition. The cases also cover other issues such as non-compliance of pre-trial case management, stay of proceedings, defamation, striking out and assessment of damages in these intellectual property cases. Many of these judgments are not published by the local law journals and they contain many important points of laws.

This is the first publication of a series of books containing reported and unreported Malaysian intellectual property cases.

– This title acts as a handy and mobile casebook
– Catchphrases are comprehensive and helpful in focusing the readers on the specific issue of Trade Marks
– This title is an indispensible tool for lawyers, in-house counsels, patent attorneys, intellectual property practitioners and students.

Download:
1. Detailed Flyer
2. Extract of the Book

Create PDF    Send article as PDF   
 Scroll to top