Personal Data Protection Act 2010

Advisable for management bodies of high-rise residences to abide by act

I was asked by The Star to comment on whether the Personal Data Protection Act 2010 (PDPA) binds management bodies of high-rises from disclosing details about residents who contracted Covid-19. I said-

Bar Council Intellectual Property Committee co-chairperson Foong Cheng Leong said it was unclear if management bodies were involved in the processing of personal data for commercial purposes.

“There are different views to this. Nevertheless, there is no blanket exemption for JMBs and MCs.

“In light of this uncertainty, it’s advisable for them to comply with the PDPA.

“In any event, disclosure of information of residents with Covid-19 is highly discouraged as it could breach the PDPA and even amount to an invasion of privacy,” he said.

There are views that a management body collecting monthly maintenance fees to service the building is engaged in a “commercial transaction” and that the PDPA therefore applies. The PDPA only applies to personal data in respect of a commercial transaction.

However, it is noted that the Strata Management Act 2013 empowers a management body to collect charges for the purpose of maintenance and management of the building. It is therefore arguable that they are merely exercising a legal duty and not conducting a “commercial transaction”.

Digital Edge: Techtalk: Rapid digitalisation — what happens to privacy?

I was asked by The Edge to comment about the current state of Malaysia’s own Personal Data Protection Act 2010.

Sonia Ong of Wong & Partners, Maneesh Chandra, chief technology officer of Firmus Sdn Bhd and Vernon Chua, CEO of enterprise data analytics start-up Innergia Labs Sdn Bhd are also featured in this article. The full article can be viewed at The Digital Edge’s website.

The PDPA explained

The PDPA, in a nutshell, is meant to legislate protection around the collection, storage and usage of personal data collected by the private sector, according to lawyer Foong Cheng Leong. The public sector and, generally speaking, contractors operating on behalf of the government are exempt from the provisions of the PDPA.

“The laws require that any personally identifiable data, collected in the course of commercial transactions, be stored safely, along with additional requirements to be transparent about its use to individuals who provided the data in the first place.”

One key issue, however, has to do with a lack of clarity on what constitutes a “commercial transaction”, Foong says. While personal data collected in the course of completing a contractual agreement — for example, swiping a credit card or signing up for a broadband service — is protected under the PDPA, it is not certain what else, if anything, constitutes a commercial transaction in Malaysia.

“It is unclear, for example, in the case of a company that might be required to collect personal data, for security purposes, from individuals they don’t have a direct contractual or commercial relationship with. Right now, there isn’t much additional guidance from the Data Protection Commission, the body enacted by the PDPA to oversee administration and enforcement of the law.”

While the PDPA is meant to regulate what businesses are allowed to do with personal data, the law confers certain rights on so-called “data subjects”. This is a term used to denote anyone who is able to be identified from the personal data collected.

An individual, for example, is conferred the right to revoke consent from the “data user” — this being the entity that collected the personal data in the first place.

Failure by the data user to respect this request could attract fines, jail terms or both.

Department of Personal Data Protection’s Advisory on the collection, processing and storage of personal data by business premises during the Conditional Movement Control Order period

The Department of Personal Data Protection has issued an advisory on the collection, processing and storage of personal data by business premises during the Conditional Movement Control Order period (“Advisory”).

According to the Advisory, businesses are only permitted to record minimal information – name, contact number, as well as dates and times of visit – for the purpose of contact tracing. The record can be kept manually or digitally. It cannot be used for other purposes such as marketing.

The information must be retained for six (6) months after the expiry of the Conditional Movement Control Order (to be announced by the Government of Malaysia). It must be destroyed or disposed of permanently thereafter.

Appendix A of the Advisory provides a sample notice for businesses to adopt in their data collection forms. The notice states that the collection of the details is required under the Prevention and Control of Infectious Diseases Act 1988. Although the Act does not specifically provide for the collection of personal data, s. 31 of the Act gives power to the Minister to make regulations. Reg. 13 of the Prevention and Control of Infectious Diseases (Measures within the Infected Local Areas) (No. 6) Regulations 2020 provides that an authorised officer may request any information relating to the prevention and control of infectious disease from any person or body of persons. The power to require the collection of personal data may also be derived from the implied powers under s. 40 of the Interpretation Act 1948 and 1967.

Any business that fails to comply with the Advisory and is found guilty under the Personal Data Protection Act 2010 may be subject to a fine of not more than RM300,000 or imprisonment of not more than two years, or both. However, it is noted that the Advisory itself has no force of law under the Personal Data Protection Act 2010.

Prior to the publication of the Advisory, I was asked by The Star to comment on the introduction of an advisory to regulate the processing of personal data by business premises.

In the article “Experts: Safeguards needed for contact tracing info”, I said-

Bar Council Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong said this included keeping the data secure, not disclosing it to third parties without consent, and using it only within the purpose for which the data was collected.

Processing personal data in ways that were not compliant with the PDPA could lead to a fine of not more than RM300,000 or jailtime of not more than two years, or both.

However, there is a lack of awareness on personal data protection among Malaysians, said Foong.

“I don’t think many people are fully aware of their rights as stated in the PDPA. The custodians who are collecting or holding people’s personal information also have to be aware of their responsibilities and liabilities,” he said.

Further, in the article “Advisory on protecting contact tracing information approved”, I said-

Experts welcomed the decision to introduce an advisory to help protect contact tracing info given by visitors to various establishments.

“It’s good to have a standard approach for businesses that process personal data. It also removes any uncertainty,” said Foong Cheng Leong, the Bar Council Information Technology and Cyber Laws Committee deputy chairman.

He hoped that the advisory would introduce standard operating procedures that are suitable for both small and medium enterprises (SMEs) and large businesses.

“It should not be too onerous on businesses, especially for small outfits with fewer employees,” he said, suggesting that the government encourage larger businesses like shopping malls to use a designated online platform to register visitors, as it could help to prevent the misuse of personal data.

“The data should only be maintained by a specific department with the sole purpose of aiding the Health Ministry with contact tracing.”

Don’t misuse private info in Covid-19 apps, Putrajaya urged

I was quoted by FreeMalaysiaToday regarding the collection of data by the Government from people using official mobile applications aimed at efforts to curb Covid-19. I said-

A lawyer specialising in privacy laws has urged the government to regulate the collection of data from people using official apps for mobile phones aimed at efforts to curb Covid-19.

Putrajaya should review existing laws on data collection, and should set out the steps taken to protect private information provided by users, says lawyer Foong Cheng Leong.

It was necessary to make sure that the information is used only to deal with infectious diseases “and not for other purposes like political campaigning or police investigations for other crimes,” he said.

Punishments should be set out for those who misuse the data, and there should be provisions to guarantee redress for those harmed by the abuse of the data.

Yesterday the health minister launched the MySejahtera app which allows users to perform health self-assessments, monitor their health and enables the health ministry to also monitor the user’s health.

Two other apps, to trace contacts of infected people, are also being developed separately.

Foong said public health and safety should take precedence during a pandemic. However, there was a need to review existing laws to regulate data collection.

“Any laws passed should take into account the rights of the data subject,” he said.

Public Consultation Paper No 01/2020 – Review of Personal Data Protection Act 2010 (Act 709) [14 – 28 February 2020]

The Personal Data Protection Commissioner issued the above consultation paper on 14 February 2020 to obtain feedback on the proposed amendments to the Personal Data Protection Act 2010.

Notably, the Commissioner intends to introduce a data breach notification requirement, a civil action against data users, a right for data users to make a first direct marketing call, and an exemption of business contact information from the Act.

I am very much interested in the amendment to include a right to initiate civil action against a data user. The introduction of the same would be a boost to data privacy litigation in Malaysia.

Currently, there is no remedy for an aggrieved data subject for non-compliance with the Personal Data Protection Act 2010 other than filing a complaint to the Commissioner. There is no provision similar to s. 13 of the United Kingdom Data Protection Act 1998 (now repealed by the United Kingdom Data Protection Act 2018), ss. 167 to 168 of the United Kingdom Data Protection Act 2018 and s. 32 of the Singapore Personal Data Protection Act 2010.

An aggrieved data subject can still pursue civil litigation under the common law. However, this would depend on the circumstances of the case. Invasion of privacy is one possible action, but the law is not settled on whether invasion of privacy is an actionable tort. The other possible action would be a breach of confidence. These two (2) torts share a similar basic requirement, i.e. that the information must be private or possess the necessary quality of confidence. Not all personal information has such elements, especially when the data subject has published it themselves, e.g. on their social media page. The proposed civil action under the Personal Data Protection Act 2010 will fill this gap, especially for matters concerning the misuse of personal data which is not, or is no longer, confidential or private.

The deadline to file a response to the consultation has been extended to 10 March 2020.

Malindo Air’s Data Breach

I was asked to comment on Malindo Air’s latest data breach incident by the South China Morning Post, The Malaysian Reserve and Global Data Review.

Malindo Air, a subsidiary of low-cost airline Lion Air, has suffered a massive data breach, resulting in the information of millions of passengers – including passport details, home addresses and phone numbers – being leaked onto data exchange forums last month.

In the South China Morning Post’s article titled “Malindo Air confirms data breach, exposing millions of passengers’ personal data”, it was reported-

Cyber law and technology lawyer Foong Cheng Leong said that companies in breach of Malaysia’s Personal Data Protection Act are not under any legal obligation to notify the authorities, the public, or the victim of the leak, although this lacuna is being reviewed.

“There is no data breach notification rule in Malaysia under this Act. However, there is of course a moral obligation on the part of the company to notify the subject and the public,” said Foong.

Unfortunately in Malaysia these data breaches happen often, but if nobody knows about it nothing happens. During past breaches, there were some investigations but no prosecutions and no repercussions.

In The Malaysian Reserve’s article titled “Experts call for tougher law on data breach as Malindo Air becomes latest victim”, I said-

“There should be a data breach notification law. Data subjects have the right to know that their information has been compromised and take steps to secure the data,” Bar Council’s information technology and cyber laws committee deputy chairman Foong Cheng Leong told The Malaysian Reserve in an earlier report.

He added that the Personal Data Protection Commissioner had introduced a consultative paper to propose the mandatory disclosure, but the progress has been muted so far.

Currently, parties suffering from a data leak in Malaysia are not obliged to notify the authorities or the victims.

“In Europe, under the general data protection regulation, any companies including foreign firms with an office and/or serve the European region are required to lodge a report of any data breach within 72 hours.

“Organisations face the risk of a fine up to 4% of global revenue in the event of a data breach,” Foong said.

Lastly, in Global Data Review’s article titled “Lion Air Group data breach affects more than 30 million customers”, it was reported-

Foong Cheng Leong, a partner at Foong Cheng Leong & Co in Kuala Lumpur, said Malindo Air may have fallen foul of the country’s Personal Data Protection Act. This can attract criminal sanctions: a fine up to 300,000 ringgit (€65,000) and prison sentences of up to two years.

In spite of this, Leong said enforcement may not be forthcoming. He said that the government has yet to make a prosecution under the law for a data breach in spite of “numerous high-profile data breaches” in Malaysia since the law came into force.

….

Leong said Malindo Air might be liable under other data protection laws in the region. “However, it is not known if the data protection authorities will take or have the power to take any action against Malindo Air”, he said.

Leong said that the issue has drawn attention to the absence of notification requirements in Malaysia’s data protection law.

Pay just RM150 for details of 200,000 people, RM350 for 10 million

I was interviewed by Free Malaysia Today on the issue of the unlawful sale of personal data in Malaysia which is an offence under the Personal Data Protection Act 2010 (PDPA), in particular, s. 130 of the PDPA.

A lawyer told FMT that the sale of personal data is not surprising.

Foong Cheng Leong, who chairs the Kuala Lumpur Bar’s information technology committee, said while the sale of data is common, it is no longer done as openly as before due to PDPA which came into force in 2013.

But he said enforcement has been poor.

Despite media reports on data breaches such as the leakage of millions of mobile phone numbers two years ago, no action has been taken, Foong said.

In 2017, mobile phone numbers, identification card numbers, home addresses, IMEI and SIM card data of 46.2 million customers of at least 12 Malaysian mobile phone operators were leaked online.

“We do not know why there has been no prosecution. Perhaps due to the difficulty of conducting a data leakage investigation, data may be held by numerous data processors and rogue employees may have accessed them without permission,” said Foong.

E-hailing firms must protect data

I was interviewed by The Star and Free Malaysia Today on an e-hailing firm’s new user requirement to submit “selfie” for verification purposes.

In The Star’s article titled “E-hailing firms must protect data”, it was reported-

Weak enforcement of the Personal Data Protection Act (PDPA) has made it vital for e-commerce firms and e-hailing providers to protect such information, according to the Bar Council.

Its Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong said there had not been much news on the enforcement of the Act.

“There were cases of companies being fined, but high-profile cases such as the data breach involving telecommunications companies two years ago have yet to be resolved,” he said.

Welcoming the requirement of selfie verification on e-hailing passengers as an effective mechanism to protect the drivers, he said those concerned with data privacy breaches could not do much if they wanted to use the service.

Foong’s comments were in light of the concerns over data privacy following a law introduced by the Transport Ministry in July last year, requiring passengers to submit their identity credentials upon registration with any e-hailing platform.

While in Free Malaysia Today’s article titled “Password better than selfie for Grab driver safety, says consumer group”, it was reported-

Foong Cheng Leong, a lawyer, says the requirement does not run afoul of the Personal Data Protection Act 2010 as it involved obtaining the user’s consent.

“The use of Grab or any ride-hailing service is optional. Those who do not wish to submit their picture may opt not to use the service.”

In addition to the above, I would like to add that the submission of a “selfie” can be a concern if there is a high risk that the data will be misused. The selfie can be paired with other data for profiling purposes. Such data can be used for surveillance, for matching against other datasets, and so on.

Perhaps such providers should announce, in detail, how personal data is protected, where exactly it will be stored, what measures are taken to ensure the data is safe, and report whenever there is a data leakage or a third-party request. Most data users publish such information in their privacy policy. However, most data users publish only very general information and the bare minimum required by the Notice & Choice Principle under the Personal Data Protection Act 2010.

Since the requirement is mandatory for e-hailing users, the only choice available to users now is not to use such e-hailing services unless there is a change in policy. Users should consider filing a complaint to the Personal Data Protection Commissioner or the Transport Ministry over the new rules.
