Section 114a

PDPA: Businesses have responsibilities and burdens

I was invited to contribute a monthly column to Digital News Asia, which I named Bread & Kaya. The column will have legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

My first article “PDPA: Businesses have responsibilities and burdens” was published on 31 December 2012.



Dec 31, 2012

  • PDPA comes into force Jan 1, 2013, and companies have three months to comply
  • Many have waited, and now may not have enough time to put processes in place
  • Bread & Kaya by Foong Cheng Leong

    WELCOME to the inaugural Bread & Kaya column! The term is a Malaysianized version for bread-and-butter. This column aims to be your bread-and-kaya serving of legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

    You may have read some of my articles in The Star’s Putik Lada column or in LoyarBurok. If this is the first time you’re reading my articles, “Hello.”

    Without a doubt, 2013 will be an interesting year for businesses. Many new laws and regulations will be introduced, and the Personal Data Protection Act 2010 (PDPA) is one of them.

    It was reported that the PDPA would come into force on Jan 1, 2013. Businesses have three months from the date of enforcement to comply with the Act. Similarly, Singapore will have its own Personal Data Protection Act 2012 coming into force on Jan 2, 2013.

    Notwithstanding the reported enforcement date of Jan 1, 2013, there is no official government gazette confirming this as I write this column. Thus, the PDPA would still not be in force until such a government gazette is published.

    What is the PDPA?

    The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.

    A person who processes personal data is called a data user. Companies processing individual customers’ or employees’ personal data must comply with the PDPA.

    Under the PDPA, a data user, in processing personal data, must comply with the following principles:

    (1) General Principle;
    (2) Notice and Choice Principle;
    (3) Disclosure Principle;
    (4) Security Principle;
    (5) Retention Principle;
    (6) Data Integrity Principle; and
    (7) Access Principle.

    Failure to abide by any of the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two (2) years or to both (S. 5(2) PDPA).

    [RM1 = US$0.33]

    Under these principles, the collection and use of personal data must be consented to by the data subject and steps must be taken to ensure that the data is stored securely. The processing of personal data cannot be excessive in relation to the purpose or related purpose for which the personal data is collected.

    Adequate notice must be given to data subjects that their personal data will be processed and used, and of the purpose of the same. Such notice must be in writing and in the Malay and English languages. Personal data no longer in use has to be destroyed.

    Further, personal data cannot be transferred outside Malaysia unless such a place is specified by the Government, consented to by the data subject, or is necessary for the performance of a contract between the data user and the data subject.

    The PDPA only applies to personal data processed in relation to “commercial transactions.”

    What do you need to do?

    If you are processing employees’ or individual customers’ personal data, you are advised to, among others:

  • Assess how the PDPA affects your organization;
  • Prepare a privacy notice, in Malay and English, to be issued to potential and current employees or customers;
  • Prepare a Personal Data Policy to govern the processing and handling of personal data by employees;
  • Prepare a Retention Policy for employees’ or customers’ personal data and audit the personal data of previous employees or customers in order to dispose of personal data that is no longer in use;
  • Establish a data access procedure for employees or customers to access their personal data;
  • Ensure that the storage of employees’ and customers’ personal data is secure;
  • Ensure that personal data is only disclosed for the purpose for which the personal data is collected and not disclosed to unrelated parties;
  • Ensure that the relevant personnel such as Human Resource or customer relationship staff are adequately trained in data protection laws and practice;
  • Review data collection forms so that personal data is not collected excessively; and
  • Ensure that personal data are transferred overseas lawfully.

    Consent

    The word consent is not defined in the PDPA. However, in early December 2012, Deputy Minister of Information, Communications and Culture Datuk Joseph Salang announced that “whenever consent is required for data processing, it’ll have to be given expressly rather than impliedly or be assumed.”

    This would mean that there must be some sort of active communication between the parties. For example, if a company wishes to obtain more information about an individual, the former would need to get the individual’s express consent by contacting the individual.

    In this regard, all companies will need to ensure that all possible purposes for processing the personal data are set out before the collection of the data. Additional procedures may need to be established to ensure consent is captured.

    Express consent can be gained in a variety of ways — for example by filling in a form, ticking a box on a website, over the phone and face-to-face.

    Although express consent seems to give individuals added protection, this is not necessarily true. Malaysia’s restricted view on the definition of consent will have an impact on businesses and individuals. Additional cost will be incurred in establishing new procedures and practices such as new forms, storage, impact analysis and compliance exercises. Individuals may also be swamped with requests for consent from time to time, although the individual would ultimately consent.

    Companies will need to wait for individuals’ express consent before they can roll out new projects.

    To give an example on how the PDPA will affect business:

    Company X wishes to roll out a new security system to enter the office. The system utilizes the employees’ personal data as unique identifiers. In view of the express consent requirement, Company X will need to get the employees’ express consent to use employees’ personal data. If certain employees refuse to do so, such system cannot be fully utilized.

    In the event that a data subject disputes that express consent had been given, the data user will need to show that express consent had been given. Assuming that we adopt the implied consent regime, it is arguable that a data subject had impliedly consented to the processing of personal data if the data subject uses the data user’s services.

    However, with express consent, evidence must be provided and this may be difficult, especially in electronic transactions.

    In such a case, Section 114A of the Evidence Act 1950 may be helpful to data users as it puts a presumption of publication by a person if his or her name appears on a particular content. The affected individual will need to prove that he did give express consent. This may be costly, highly bureaucratic and time consuming.

    Closing

    The PDPA is supposed to bring an end to unsolicited communication, but it will cause drastic changes to Malaysian businesses.

    Much valuable commercial data will be lost due to the PDPA. It is noted that many Malaysian industries had taken the wait-and-see approach. This is alarming considering that three months to comply with the PDPA will probably not be enough.

    The Personal Data Protection Department recently issued Malaysian Personal Data Protection Department’s Public Consultation No. 2/2012 entitled “Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees” which sets out the class of data users that is required to register with the Commission.

    The release of such consultation paper is commendable. I hope that the Commission or the Personal Data Protection Department will issue more of these consultation papers and guidelines on the interpretation of the PDPA.

    Grave repercussions for internet users

    Published on LoyarBurok on 24 April 2012.

    Dissecting the presumption of fact relating to publication in the controversial new Bill.

    The Evidence (Amendment) (No. 2) Bill 2012 was one of the bills rushed and passed by the Parliament recently. Minister in the Prime Minister’s Department, Datuk Seri Mohamed Nazri Aziz, when winding up the Evidence (Amendment) Bill 2012, said the use of pseudonyms or anonymity by any party to commit cyber crimes had made it difficult for action to be taken against them. Hence, the Evidence Act 1950 must be amended to address the issue of Internet anonymity.

    The amendments introduced s. 114A into the Evidence Act 1950 to provide for the presumption of fact in publication in order to facilitate the identification and proving of the identity of an anonymous person involved in publication through the internet. In simple words, s. 114A introduces 3 circumstances where an Internet user is deemed to be a publisher of content unless proven otherwise by him or her.

    Although it is stated that the amendment is to cover anonymous persons on the internet, the effect of the amendment is quite wide. You see, we, especially social media network users, generally do not use our real names on the Internet. We use nicknames and pseudonyms. Our home addresses do not appear on our account. We sometimes use fictional characters or even digitalized images of ourselves as our profile picture. All these are done to protect our own privacy. So, if none of my personal details appear on my account, does this mean I am anonymous? If someone’s identity cannot be directly ascertained from his account, I would think that he would be anonymous.

    The new s. 114A(1) states that “A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host, administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”. In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content. So, for example, if someone creates a blog with your name, you are deemed to have published the articles there unless you prove otherwise. If you have a blog and someone posts a comment, you are deemed to have published it. If you have a Facebook page and a user posts something on your wall, you are deemed to have published it!

    Subsection (2) provides a graver consequence. If a posting originates from your account with a network service provider, you are deemed to be the publisher unless the contrary is proved. In simple terms, if a posting originates from your TM Unifi account, you are deemed to be the publisher. In the following scenarios, you are deemed to be the publisher unless you prove the contrary:

    (1) You have a home network with a few house mates sharing one internet account. You are deemed to be the publisher even though one of your house mates posts something offensive online.
    (2) You have a wireless network at home but you did not secure your network. You are deemed to be the publisher even though someone “piggybacks” on your network to post something offensive.
    (3) You have a party at home and allow your friends to access your PC or wireless network. You are deemed to be the publisher even though it was a friend who posted something offensive.
    (4) Someone uses your phone or tablet to post something offensive. You are deemed to be the publisher.

    As for subsection (3), you are presumed to have published content if you have custody or control of any computer from which the publication originates. Here, you are deemed to be the publisher so long as your computer was the device that had posted the content. So if someone “tweetjacks” you or naughtily updates your Facebook with something offensive, you are deemed to be the publisher unless you prove otherwise.

    Admittedly, the amendments certainly save a lot of the investigator’s time. It is very difficult to trace someone on the Internet. It will make prosecution for, among others, defamation, offences under the Communications and Multimedia Act 1998 and Computer Crimes Act 1997, and election offences much easier. But it is not impossible to trace someone. There are many cases where perpetrators are caught and charged.

    I do not see the logic to deem someone to be a publisher. If an investigator is unable to trace the anonymous internet user, then why should the innocent Internet user take the rap? The onus of proof should always be on the prosecuting side. In the English case of Applause Store Productions Limited & Anor v Grant Raphael [2008] EWHC 1781 (QB), the claimants were awarded £22,000 in damages against Raphael, an old school friend, who had created a false personal profile of the claimants on Facebook. The claimants convinced the Court that Raphael was the person who created the fake profile even though he claimed that he had a party at his house and someone in that party created the account.

    In summary, the new amendments force an innocent party to show that he is not the publisher. Victims of stolen identity or hacking would have a lot more problems to fix. Since computers can be easily manipulated and identity theft is quite rampant, it is dangerous to put the onus on internet users. An internet user will need to give an alibi that it wasn’t him. He needs to prove that he had no access to the computer at the time of publication and he needs to call witnesses to support his alibi.

    Clearly, it is against our very fundamental principle of “innocent until proven guilty”. With the general election looming, I fear this amendment will be used oppressively. Fortunately, the amendment is not in force yet. I strongly hope that the government will relook into this amendment.

     
