Personal Data Protection Act 2010

Global Information Governance Summit (GIGS 2013)

I will be speaking at the Global Information Governance Summit (GIGS 2013) on the topic “Data Protection concerns in Social Media”.



Download the brochure here.
Note: Fee is now RM100 per delegate and RM50 for students.

PDC Seminar on The Personal Data Protection Act on 28.05.2013

I will be speaking about the Personal Data Protection Act 2010 at the KL Bar on 28 May 2013. Details are below.


2 CPD Points ( 28052013/KLB/KLB1183/2 )

As part of its Professional Development Programme, the PDC is pleased to present the above Seminar by Mr Foong Cheng Leong on 28.05.2013 (Tuesday) from 3.00pm to 5.30pm. Venue: KL Bar Auditorium.

Areas to be covered:

• Introduction to Personal Data Protection Act 2010
• Highlights of the Personal Data Protection Act 2010
• 7 Principles
• Personal Data Protection Commissioner
• Registration of Data Users
• Transfer of Data Overseas
• Rights of Data Subjects
• Offences and Liability
• Transitional Period
• How would the Act affect Companies?
• Action Plan / Checklist
• Question & Answers
• Case Study

About the speaker
Foong Cheng Leong was called to the Malaysian Bar in 2005. He is currently the KL Bar Information Technology and Publications Chair and a member of the Bar Council Intellectual Property Committee. He is regularly featured in the media notably over topics regarding intellectual property, cyberlaw, data privacy and the like.

REGISTRATION FEE

Pupils-in-Chambers / Law Students – RM30.00 per participant

Members of the Bar – RM60.00 per participant

Non-Members – RM100.00 per participant

Registration Must be Accompanied With Payment to Guarantee Your Place

Only 120 Seats Available. Click here to register.

Malaysia’s data privacy Act slow to take off

I was quoted by ZDNet in their article “Malaysia’s data privacy Act slow to take off” on 5 February 2013. To date, our Malaysian Personal Data Protection Act 2010 is still not in force.


Summary: Country’s personal data protection Act was due to take effect last month, but is still pending formalities. Despite that, many companies do not appear to be ready yet.

By Liau Yun Qing | February 5, 2013 — 11:16 GMT (19:16 SGT)

Malaysia’s Personal Data Protection Act 2010 (PDPA) was due to take effect on January 1, 2013, but the law is still not in force due to legal formalities. Despite its impending introduction, many companies are still lacking in compliance while consumers doubt it will be strongly enforced.

Foong Cheng Leong, a Malaysian lawyer and co-chairman at Kuala Lumpur Bar Information Technology Committee, said despite the announcement by a minister that the act will take effect at the beginning of the year, it is technically still on hold as there needs to first be an official notification in the Government Gazette for the Act to be formalized.

In a report published in December 2012, Malaysian newspaper The Star cited deputy Information, Communications and Culture Minister Datuk Joseph Salang who said during a keynote the PDPA would be enforced on January 1, 2013 and companies will have three months to comply.

Malaysia’s law for personal data protection has been long in the making. The Personal Data Protection Bill was first drafted in 2001 and was expected to be in force in early-2010 but that did not materialize.

Despite the protracted lead up, many Malaysian companies are still not prepared for the eventual implementation of the law. Foong pointed out during his many talks on PDPA, he had noticed many companies have not started their compliance exercise.

Barry Ooi, president of the Marketing Research Society of Malaysia, said the Act will have a direct impact on the practice of market research in the country as it includes entities that process personal data. “All market research companies will need to be aware of the rules and regulations under this act,” he said.

Ooi pointed out most market research companies in Malaysia have been adopting the international research standards set by the World Association for Market, Social and Opinion Research (ESOMAR). “Many of the rules and procedures in the PDPA are similar to the ESOMAR guidelines,” he added.

“Nevertheless, our members are tightening up their procedures, particularly in the area of respondent consent and non-disclosure,” he noted.

Consumers lack confidence in enforcement of Act
Despite the government efforts, a few consumers in Malaysia were not confident about how the law would be eventually enforced.

IT systems engineer Ranjeeta Kaur said she knew that the country has such an act. However, she did not take much interest in reading the details mainly because of the lack of enforcement for most of the laws in Malaysia. “Enacting an act is simple but placing it into the actual corporate world and making sure that it’s followed is another story altogether,” she said.

“If we were to look at our daily Internet activities, most Malaysians don’t care about this Act. In fact they don’t even bother that the information they exchange with other parties could be leaked or used against them,” said Kaur.

Postgraduate student Chua Soon Hau questioned whether the Act would impact Internet companies such as Facebook or Instagram which were not based in Malaysia. “The Act will more likely tackle analytics companies that gather data and sell it to people who want it,” he said.

Chua wondered if the implementation of the law might even conflict with privacy agreements which users need to agree to before using a service.

Kaur said unlike the European countries, consumers in Malaysia were more “carefree” about their personal information. “Many folks are just happy to be given a computer and access the Internet with a carefree mind. We should actually be made aware of how our data is being handled, who is viewing it or has access to it,” she said.

Malaysia vs Singapore’s data privacy Act
Neighboring country Singapore passed its personal data protection bill in October 2012, and it was enforced in January this year.

Foong said while both countries’ personal data protection bills are similar, the details differ “quite a bit”.

The Malaysian law requires data collection parties to give subjects a written notification in the national language and English during the process. For Singapore, the notification is simpler as there is no rule the notification needs to be in the national language or English.

However, the Singapore Act requires the party collecting data to state the purpose for the collection, use or disclosure of the personal data, he noted. When requested, the party collecting data needs to give the business contacts of the person who is able to answer any questions the individual might have.

Foong added consent to process personal data is not defined in the Malaysian PDPA, while the Singapore law sets out in detail what amounts to consent and what type of consent is acceptable.

Bread & Kaya: Attention e-commerce businesses: Fraud, the law and you

My Bread & Kaya’s second column was published on Digital News Asia on 29 January 2013.


Attention e-commerce businesses: Fraud, the law and you
Jan 29, 2013

– A new law to protect users of online trading portals goes into effect July 1
– While it may cost them a bit, operators of such businesses will have to comply

Bread & Kaya by Foong Cheng Leong

E-COMMERCE is booming in Malaysia. Euromonitor International estimated that Internet retailing in Malaysia reached RM842 million (US$268.3 million) in 2011; Goldman Sachs forecasts that e-commerce in Malaysia is projected to hit RM3.4 billion (US$1.1 billion) this year with a 30% year-on-year growth.

Notwithstanding such growth, online fraud is rampant in Malaysia. If you scour our online auction or listing websites, you’ll find many dodgy sellers and buyers selling or offering to buy products and services.

But the long arm of the law recently caught Mohd Yunus Jan Muhammad for approaching six victims who had advertised to sell their gadgets through an Internet trading portal, by posing as a customer and setting up appointments. At these meetings, he would grab the merchandise and flee. He was sentenced to one year’s jail. The Court also fined and imposed a whipping on Mohd Yunus.

Sometime in 2011, the Ministry of Domestic Trade, Co-operatives and Consumerism proposed that the Electronic Commerce Act 2006, an act that regulates online commercial transactions, be amended to regulate the online market place industry. I am told that consultation was held with the industry and I understand that some industry players had taken steps to lobby against the amendment.

In April 2012, its minister Datuk Seri Ismail Sabri Yaakob announced that the amendment would ensure that electronic transactions could be done in a safer and secured environment.

The law came about in the form of the Consumer Protection (Electronic Trade Transactions) Regulations 2012 (“Regulation“), a regulation under the Consumer Protection Act 1999.

The Regulation will be in force on July 1, 2013. Under this Regulation, an online marketplace operator is required to, among others, provide their full details, terms of conditions of sale, rectification of errors and maintenance of records.

The new law applies to two (2) types of persons namely:

– A person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace (“Online Business Owner“). “Online marketplace” means a website where goods or services are marketed by third parties for the purpose of trade. This may include your typical blog shops and sellers with accounts with eBay, Lelong and Mudah online stores.

– A person who provides an online marketplace (“Online Marketplace Operator“). This may include group buying website operators such as GroupOn, auction and listing websites such as eBay, Lelong and Mudah, and online shopping websites where third party products are sold, such as Zalora.

Online business owners

Under the Regulation, Online Business Owners shall disclose the following information on the website where the business is conducted, failing which an offence is committed:

  1. The name of the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace, or the name of the business, or the name of the company.
  2. The registration number of the business or company, if applicable.
  3. The e-mail address and telephone number, or address of the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace.
  4. A description of the main characteristics of the goods or services.
  5. The full price of the goods or services including transportation costs, taxes and any other costs.
  6. The method of payment.
  7. The terms and conditions.
  8. The estimated time of delivery of the goods or services to the buyer.

Any person who discloses or provides the above information that he knows or has reason to believe is false or misleading, commits an offence.

Online Business Owners shall also:

  • provide the appropriate means to enable the buyer to rectify any errors prior to the confirmation of the order made by the buyer; and
  • acknowledge receipt of the order to the buyer without undue delay.

The order and the acknowledgement of receipt shall be deemed to have been received by the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace and the buyer, respectively, when the person and the buyer are able to access to such order and the acknowledgement of receipt.

The Online Marketplace Operator shall take reasonable steps to keep and maintain a record of the names, telephone numbers and the address of the person who supplies goods or services in the online marketplace, for a period of two years, failing which an offence is committed.

In addition to the terms and conditions, Online Business Owners and Online Marketplace Operators must comply with the Notice and Choice Principle provided by the Personal Data Protection Act 2010 by inserting a privacy notice, in the National and English languages, on their website before the collection of any personal data.

Extra costs for businesses

Although this law seeks to protect consumers from unscrupulous traders, the introduction of this new law increases the startup costs and cost of operation of an e-commerce business.

Engaging lawyers to draft terms and conditions for e-commerce businesses can be expensive. But it is something any e-commerce business should invest in to protect themselves and their users.

The new law doesn’t specify in detail how the terms and conditions should be. Therefore, one can have a very simple set of terms and conditions.

Alternatively, one may opt to adopt the terms and conditions of other e-commerce businesses provided that one is well versed in drafting and amending agreements. But one should take note that every set of terms and conditions is customized for specific businesses.

It would be ideal if we have affordable online services to draft terms and conditions and privacy policies for SMEs (small and medium enterprises) like SnapTerms, which allows start-up companies the opportunity to customize their website’s terms and conditions without having to pay the fees typically associated with having the documents drafted by a lawyer.

But one must bear in mind that SnapTerms is a service provided by people who are well versed in the laws of their country and perhaps not Malaysia.

To digress a little, e-commerce businesses should also protect their intellectual property such as their trademarks, copyright and patents. These rights are registerable and one can protect these rights in Malaysia by filing them with the Intellectual Property Corporation of Malaysia or MyIPO.

Other than that, it is pertinent to protect your brand from being taken in well-known social media websites like Facebook and Twitter. You can use Knowem to check for the use of your brand, product, personal name or username instantly on over 550 popular and emerging social media websites.

Closing

The introduction of laws to track and record Internet transactions is nothing new. Last year, Section 114A of the Evidence Act 1950 and Cyber Centre and Cyber Cafe (Federal Territory of Kuala Lumpur) Rules 2012 were introduced to track and record such transactions.

These laws will not be the last. I foresee that many more such laws will be introduced in the near future.

Download:
Consumer Protection (Electronic Trade Transactions) Regulations 2012

Podcast: Resource Centre: The Personal Data Protection Act 2010

I was interviewed by Freda Liu of BFM Radio on the topic of Personal Data Protection Act 2010 (“PDPA”) on 15 January 2013.


The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.
PDPA came into force January 1, 2013.

PDPA: Businesses have responsibilities and burdens

I was invited to contribute to a monthly column in Digital News Asia, which I named Bread & Kaya. The column will carry legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

My first article “PDPA: Businesses have responsibilities and burdens” was published on 31 December 2012.



Dec 31, 2012

  • PDPA comes into force Jan 1, 2013, and companies have three months to comply
  • Many have waited, and now may not have enough time to put processes in place
  • Bread & Kaya by Foong Cheng Leong

    WELCOME to the inaugural Bread & Kaya column! The term is a Malaysianized version for bread-and-butter. This column aims to be your bread-and-kaya serving of legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

    You may have read some of my articles in The Star’s Putik Lada column or in LoyarBurok. If this is the first time you’re reading my articles, “Hello.”

    Without a doubt, 2013 will be an interesting year for businesses. Many new laws and regulations will be introduced, and the Personal Data Protection Act 2010 (PDPA) is one of them.

    It was reported that the PDPA would come into force on Jan 1, 2013. Businesses have three months from the date of enforcement to comply with the Act. Similarly, Singapore will have its own Personal Data Protection Act 2012 coming into force on Jan 2, 2013.

    Notwithstanding the reported enforcement date of Jan 1, 2013, there is no official government gazette confirming this as I write this column. Thus, the PDPA would still not be in force until such a government gazette is published.

    What is the PDPA?

    The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.

    A person who processes personal data is called a data user. Companies processing individual customers or employees’ personal data must comply with the PDPA.

    Under the PDPA, a data user, in processing personal data, must comply with the following principles:

    (1) General Principle;
    (2) Notice and Choice Principle;
    (3) Disclosure Principle;
    (4) Security Principle;
    (5) Retention Principle;
    (6) Data Integrity Principle; and
    (7) Access Principle.

    Failure to abide by any of the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two (2) years or to both (S. 5(2) PDPA).

    [RM1 = US$0.33]

    Under these principles, the collection and use of personal data must be consented to by the data subject and steps must be taken to ensure that the data is stored securely. The processing of personal data cannot be excessive in relation to the purpose or related purpose of which the personal data is collected.

    Adequate notice must be given to data subjects that their personal data will be processed, used, and the purpose of the same. Such notice must be in writing and in the Malay and English languages. Personal data no longer in use has to be destroyed.

    Further, personal data cannot be transferred outside Malaysia unless such a place is specified by the Government, consented to by the data subject, or is necessary for the performance of a contract between the data user and the data subject.

    The PDPA only applies to personal data processed in relation to “commercial transactions.”

    What do you need to do?

    If you are processing employees’ or individual customers’ personal data, you are advised to, among others:-

  • Assess how the PDPA affects your organization;
  • Prepare a privacy notice, in Malay and English, to be issued to potential and current employees or customers;
  • Prepare a Personal Data Policy to govern the processing and handling of personal data by employees;
  • Prepare a Retention Policy for employees or customers’ personal data and audit the personal data of previous employees or customers in order to dispose personal data that are no longer in use;
  • Establish a data access procedure for employees or customers to access their personal data;
  • Ensure that the storage of the employees and customers’ personal data is secure;
  • Ensure that personal data is only disclosed for the purpose in which the personal data is collected and not disclosed to unrelated parties;
  • Ensure that the relevant personnel such as Human Resource or customer relationship staff are adequately trained in data protection laws and practice;
  • Review data collection forms so that personal data is not collected excessively; and
  • Ensure that personal data are transferred overseas lawfully.
    Consent

    The word consent is not defined in the PDPA. However, in early December 2012, Deputy Minister of Information, Communications and Culture Datuk Joseph Salang announced that “whenever consent is required for data processing, it’ll have to be given expressly rather than impliedly or be assumed.”

    This would mean that there must be some sort of active communication between the parties. For example, if a company wishes to obtain more information about an individual, the former would need to get the individuals’ express consent by contacting the individual.

    In this regard, all companies will need to ensure that all possible purposes for processing the personal data are set out before the collection of the data. Additional procedures may need to be established to ensure consent is captured.

    Express consent can be gained in a variety of ways — for example by filling in a form, ticking a box on a website, over the phone and face-to-face.

    Although express consent seems to give individuals added protection, this is not necessarily true. Malaysia’s restricted view on the definition of consent will have an impact on businesses and individuals. Additional cost will be incurred in establishing new procedures and practices such as new forms, storage, impact analysis and compliance exercises. Individuals may also be swamped with requests for consent from time to time, although the individual would ultimately consent.

    Companies will need to wait for individuals’ express consent before they can roll out new projects.

    To give an example on how the PDPA will affect business:

    Company X wishes to roll out a new security system to enter the office. The system utilizes the employees’ personal data as unique identifiers. In view of the express consent requirement, Company X will need to get the employees’ express consent to use employees’ personal data. If certain employees refuse to do so, such system cannot be fully utilized.

    In the event that a data subject disputes that express consent had been given, the data user will need to show that express consent had been given. Assuming that we adopt the implied consent regime, it is arguable that a data subject had implied consent to processing of personal data if the data subject uses the data user’s services.

    However, with express consent, evidence must be provided and this may be difficult, especially in electronic transactions.

    In such a case, Section 114A of the Evidence Act 1950 may be helpful to data users, as it raises a presumption that a person whose name appears on a particular content published it. The affected individual would then need to prove that he did not give express consent. This may be costly, highly bureaucratic and time consuming.

    Closing

    The PDPA is supposed to bring an end to unsolicited communication, but it will cause drastic changes to Malaysian businesses.

    Much valuable commercial data will be lost due to the PDPA. It is noted that many Malaysian industries had taken the wait-and-see approach. This is alarming considering that three months to comply with the PDPA will probably be not enough.

    The Personal Data Protection Department recently issued Malaysian Personal Data Protection Department’s Public Consultation No. 2/2012 entitled “Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees”, which sets out the classes of data users that are required to register with the Commissioner. [Click here to download].

    The release of such consultation paper is commendable. I hope that the Commission or the Personal Data Protection Department will issue more of these consultation papers and guidelines on the interpretation of the PDPA.

    Malaysia Personal Data Protection Act to come into force Jan 1

    The Star Newspaper reported that the Malaysian Personal Data Protection Act 2010 will be in force on 1 January 2013.

    However, at the time of publication of this blogpost, the date of enforcement has not been gazetted in the Government Gazette.

    It’s alarming that the Deputy Minister has taken the view that consent to process personal data must be express and cannot be implied or assumed. It is certainly impractical to obtain express consent for all sorts of commercial transactions. For example, when someone visits an eCommerce website and transacts on the website, the website owner must obtain express consent for each item of personal data collected from the user. This may be some form of pop up or option for the user to click before he can proceed further. Imagine this popup and option appearing every time new data is collected. Some data are collected in the background in order for the website to work. It’s disruptive to both the owner and the user.

    Another example is when data is passed to a service provider of the data user for the former to provide services to the data subject. Assuming express consent is required, the service provider will need to approach the data subject for consent. The data subject will have a lot of calls asking for consent!

    I hope that the Commissioner will take a different approach ie by recognising implied consent.

    End to data abuse

    I was quoted in The Sun Daily regarding the weaknesses of the Personal Data Protection Act 2010 (PDPA). Note that The Sun Daily also reported that the PDPA will be in force come 1 January 2013.

    End to data abuse
    Posted on 23 October 2012 – 05:24am
    Pauline Wong
    newsdesk@thesundaily.com

    PETALING JAYA (Oct 23, 2012): Come Jan 1, you will be able to put an end to pesky telemarketers and report such harassment to the authorities.

    This is because the Personal Data Protection (PDP) Act which criminalises unauthorised use of your personal data will finally be enforced after a two-year delay.

    Information, Communications and Culture Minister Datuk Seri Rais Yatim told theSun recently that enforcement of the Act was held up due to a delay in the recruitment of personnel for the newly-formed Personal Data Department.

    The department, which comes under his ministry, will oversee and be responsible for the enforcement of the Act.

    “The department will be operational from Jan 1,” Rais said in an SMS reply to queries from theSun as to the enforcement of the Act which had been gazetted in June 2010.

    The law stipulates how personal data – phone numbers, identity card numbers, addresses and even DNA – is used and stored by any organisation.

    It defines “personal data” as any information processed in respect of commercial transactions that relates directly or indirectly to a “data subject” (the consumer), including any sensitive personal data.

    Data users – including banks, telecommunications providers and even employers – must comply with seven principles.

    Failure to do so will make the data user liable to a fine of up to RM300,000, up to two years’ jail, or both, upon conviction.

    Once in force, the Act makes it a criminal offence for data users to reveal your phone number (for example) to third-party telemarketers, unless you had consented and were notified of their intention to do so.

    The right to put an end to direct marketing is also provided for under the Act as a consumer may, by notice in writing, tell the data user to stop processing personal data for direct marketing.

    He or she may also at any time withdraw any consent previously given to the data user.

    However, legal experts point out that many aspects of the Act remain vague – which they say does not bode well for the wide-ranging impact of the Act.

    Lawyer Adlin Abdul Majid, who heads the PDP compliance team at law firm Lee Hishammuddin Allen and Gledhill, said the Act is in need of more thorough guidelines before implementation.

    “The Act was drafted in a very general manner. For example, even the definition of ‘commercial transaction’ is not specific.

    “If someone goes to a small boutique and makes a purchase with a credit card, does this hold the boutique responsible for your data, and will it have to serve you a notice?” she said.

    She added that in interpreting the law, employers are also considered data users.

    “This could mean that even a small or medium enterprise (SME) with a few employees would have to adhere to the Act and conduct a privacy impact assessment to ensure full compliance, but that can be very costly for SMEs,” she said.

    Adlin said the government needs to draft very detailed guidelines in enforcing the PDP, or it would lead to a lot of confusion.

    KL Bar IT Committee co-chairman Foong Cheng Leong said the Act does not address several key problems, especially when it comes to storing a person’s personal data.

    “With the digitalisation of records, the internet, and ‘cloud’ computing, the question is how does a data user deal with soft copies of personal information?” he asked.

    He added that it is also not practical for data users to give written notice when data is collected over the phone, or captured via closed-circuit television (CCTV).

    Foong urged the authorities to draw up specific guidelines to address these issues.
