Date post: | 18-Dec-2015 |
Category: |
Documents |
Upload: | theodore-dickerson |
View: | 215 times |
Download: | 1 times |
PERSONAL DATA PROTECTION ACT 2010 TO COMPLY IS TO KNOW
Professor Abu Bakar MunirFaculty of Law, University of Malaya
&Associate Professor Siti Hajar Mohd Yasin Faculty of Law, Universiti Teknologi MARA
SEMINAR KESEDARAN AKTA PERLINDUNGAN DATA PERIBADI9 February 2012
Kuala Lumpur
1
Privacy and Data ProtectionSweet & Maxwell
(2002)
Internet Banking: Law and Practice
LexisNexis UK(2004)
Cyber Law: Policies and Challenges
Butterworths Asia(1999)
Some of our books on ICT Law
In Print
Information & Communication Technology Law
Legal & Regulatory Challenges
Thomson Reuters(2010)
2
Please read this book.
4
THE WORLD’S GREATEST NEWSPAPER 1843-2011
Reality Check
The efficiency of computer network has caused more and more personal data be stored in computers
The world has reaped the benefits of the fast flow information and personal data: Ten years ago – gigabytes of data, Five years ago – terabytes of data, Today, petabytes of data, are being transferred and stored on daily basis.
Users globally send around 47 billion (non-spam) emails and submits 95 millions tweets
Each month users share about 30 billion pieces of contents on facebook
Personal data is the new oil of the Internet and the new currency of the digital world
Greater concerns about privacy invasion
6
7
8
Types of Privacy
The right to be left alone Bodily privacy Privacy of communications Territorial privacy Informational privacy
Privacy as Human Rights
Article 12 Universal Declaration on Human Rights 1948
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Some Other Instruments
Article 17, International Covenant on Civil and Political Rights 1966 Article 16, Conventions on the Rights of the Child 1989 Article 8, Convention for the Protection of Human Rights and Fundamental
Freedoms 1950 Article 18, OIC Cairo Declaration on Human Rights in Islam 1990 Article 4.3, Declaration of Principles on Freedom of Expression in Africa
2002 Article 5, American Declaration of the Rights and Duties of Man
Informational Privacy
The rights of an individual to have control over his personal information
Informational Privacy = Personal Data Protection
Why countries protect personal data?
International obligation Competitiveness Human right International influence
12
Why Protect Personal Data? What Customers Say…
Nearly 90% of online consumers want the right to control how their personal information is used after it is collected
(Forrester Research 2003)
87 % of Americans are concern about the security of their information on the Internet
(Zogby International 2010)
61 % of adult Americans said that they were extremely concerned about the privacy of their personal information when buying online
(University of Southern California 2007)
Cont……..
Our research shows that 80% of our customer would walk away if we mishandled their information
(Royal Bank of Canada 2003)
Concerns about the use of personal information led 64% of respondents to decide not to purchase from a company
(Privacy and American 2005)
67% respondents decided not to register at a website or shop online because they found privacy policy to be too complicated or unclear
(Privacy and American 2005)
Malaysian Consumers Say…..
75.3% respondents say that they were “somehow concerned” and “very concerned” with their personal privacy even when not online
94.2 % respondents felt that their personal privacy might be threatened when using the Internet
50.8 % of non Internet Banking customers have not migrated to the online services mainly due to security, trust and privacy concerns
(Muniruddeen Lallmahamood 2007/2008)
Therefore….
Trust and risk are major determinants towards purchasing and of intention to purchase
Trust is difficult to gain but easy to lose Consumers are concern about their privacy Consumers are very concern about privacy
when transact online
16
GOOD PRIVACY, GOOD BUSINESS
“Privacy is good for business”
Harriet PearsonIBM Chief Privacy Officer
17
How?
Potential Risks Breaches of data protection law Damage to organization’s reputation and brand Physical, psychological and economic harm to
customers Financial losses associated with deterioration in
quality and integrity of personal data due to customers’ distrusts
Loss of market share or a drop in stock prizes due to negative publicity/ failure or delay in the implementation of new product / service due to privacy concern
18
Benefits
More positive organizational image and significant edge over the competition
Business development via expansion into jurisdiction requiring clear privacy standard
Enhanced data quality and integrity Fostering better customer service and more
strategic business decision making Enhanced customer trusts and loyalty
19
20
21
(Reuters) - HSBC Holdings, Europe's biggest bank, was fined 3.2 million pounds on Wednesday for information security breaches, the biggest fine the country's financial regulator has ever imposed for data security lapses. (2007, 2008)
22
Insurance giant Norwich Union has been fined £1.26 million by the Financial Services Authority (FSA) for security
systems failures (2007)
23
24
DATA PROTECTION COMMISSIONER’S OFFICE
Press Release For immediate release Date: 13 November 2012
2007 XYZ SDN. BERHAD IS IN BREACH OF THE PERSONAL DATA
PROTECTION ACT 2010
The Data Protection Commissioner's Office (DPCO) has found that the XYZ SDN. BERHAD is in beach of the Personal Data Protection Act 2010 following an
investigation into the complaint of ………………………………………………
………AB H……….. DATA PROTECTION COMMISSIONER
International Instruments
OECD Guidelines 1980 Council of Europe Convention 1981 European Directive 1995 APEC Privacy Framework 2004 Madrid Resolution 2009 EU Proposed Directive (25 Jan 2012)
25
OECD Guidelines 1980 (8 Principles)
Collection limitation Data Quality Purpose Specification Use Limitation Security Openness Individual Participation Accountability
26
Council of Europe Convention 1981
Personal Data shall be:
obtained fairly and lawfully stored for specified and legitimate purposes and not
used in a way incompatible with those purposes adequate, relevant and not excessive accurate and, where necessary kept up to date preserved in a form which permits identification of the
data subjects for no longer than is required for the purpose for which those data are stored
27
European Directive 1995
Personal data must be;
Processed fairly and lawfully Collected for specified, explicit and legitimate purposes
and not further processed in a way incompatible with those purposes
adequate, relevant and not excessive accurate and, where necessary kept up to date
28
APEC Privacy Framework 2004 (9 Principles)
Preventing harm Notice Collection Limitation Uses of personal information Choice Integrity Security safeguards Access and correction accountability
29
Madrid Resolution 2009 (6 Principles)
Lawfulness and fairness Purpose specification Proportionality Data quality Openness Accountability
30
EU Proposed Directive
On Data Protection with regard to the processing of personal data by competent authorities for the
purposes of prevention, investigation, detection or prosecution of criminal offences or the executions of criminal penalties, and the fee movement of such data.
Known as The Police and Criminal Justice Data Protection Directive
January 25, 2012, the European Commission released a proposed data protection regulation to replace the current EU Data Protection Directive (95/46/EC). The proposed regulation would drastically alter the data protection landscape for companies
31
32
National Approaches
Comprehensive Legislation Legislation + Self-Regulatory Self–Regulatory Doing Nothing
Comprehensive Legislation
All EU countries, including the 10 new member states (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia)
Japan, Korea, New Zealand, Australia, Hong Kong, Macao, Taiwan, Philippines, Singapore
Chile, Argentina, Brazil, Mexico, etc. In Middle East, only Israel and Dubai Financial
Centre
33
Legislation + Self-Regulatory USA – Privacy Act 1974 + 12 federal
sectoral based legislation + State Laws + Safe Harbour
Self-Regulatory Singapore - Does not work – To have a
data protection law by 2012
34
35
Doing Nothing so far
Brunei Vietnam Laos Cambodia Many more
36
Our Part of the World : What’s Happening ?
• Macao enacted her Personal Data Protection Act in 2006
• China has came out with several drafts of the law, and the latest in 2007
• India amended her Information Technology Act in December 2008. Some new provisions are added to protect privacy and personal data. In April 2011, the third draft of the Privacy Bill was issued.
• Indonesia came out with an academic draft in 2009
• Thailand has developed a draft Bill in 2010
• Taiwan amended her old law and passed a more comprehensive Personal Data Protection Act in April 2010
• Malaysia has passed the Personal Data Protection Act in June 2010
• Korea came out with a more comprehensive law in March 2011
• The Philippines Congress has came out with the draft Act
• Australia and Hong Kong are reviewing their Privacy Act and Privacy Ordinance respectively
• Singapore is currently developing a law and is expected to be ready by 2012. On 13 Sept 2011, a Consultation Paper was released
• In April 2011, the EU Working Party decided that the New Zealand Privacy Act is adequate
38
Korea Data Protection Act
2011• Data Protection
Principles• Rights of Data Subjects• Organization to
designate someone to take charge
• Special entity to enforce the Act (Data Protection Commission/DPC)
• Mandatory reporting of significant breach to DPC
• Data breach notification (to the Data Subject)
• Mediation to resolve dispute.
• Differentiate personal data & sensitive data
• PIAs are encouraged
Malaysia Personal Data
Protection Act 2010
• Data Protection Principles
• Rights of Data Subjects
• Special entity to enforce the Act (Data Protection Commissioner)
• No mandatory data breach notification.
• Differentiate personal data & sensitive data.
• Does not apply to Federal and States Governments
TaiwanPersonal Data
Protection Act 2010
• Data Protection Principles
• Rights of Data Subjects
• Mandatory data Breach Notification (to the Data Subject)
• Enforcement by Ministries responsible for each industry sector
PDPA 2010: Applicability
Non-Applicatio
n
Federal & States Govts
Non-Commercial Transactions
Personal, Family,
Household Affairs
Data Processed
Outside Malaysia
Credit Reference Agencies
39
DATA PROTECTION PRINCIPLES
General Principle
Notice and Choice
Principle
Disclosure Principle
Security Principle
Retention Principle
Data Integrity Principle
Access Principle
40
Exemptions
• Crime Prevention/Detection• Offenders Apprehension/Prosecution• Tax/Duty Assessment/Collection• Physical/Mental Health• Statistics/Research• Court Order/Judgment• Regulatory Functions• Journalistic/Literary/Artistic
Partial
• Personal• Family• Household• RecreationalTotal
41
PurposesGeneralPrinciple
Notice &ChoicePrinciple
DisclosurePrinciple
Security Principle
Retention Principle
Data IntegrityPrinciple
Access Principle
Crime Prevention/Detection
x x x x
OffendersApprehension/Prosecution
x x x x
Tax/dutyAssessment/Collection
x x x x
Physical/Mental Health
x
Statistics/Research
x x x x
Court Order/Judgment
x x x x
Regulatory Functions
x x x x
Journalistic/Literary/Artistic
x x x x x x42
43
RIGHTS OF DATA
SUBJECTS
Right to be Informed
Right to Access
Right to Correct
Right to Withdraw Consent
Right to Prevent
Processing Likely to
Cause Distress
Right to Prevent
Processing for Direct
Marketing Purposes
No. Section Offences Penalty
1S. 16(4) Processing without a certificate of registration
Fine <RM500,000.00/Imprisonment < 3 years/ Both
2S 18(5) Processing after registration is revoked
Fine <RM500,000.00/Imprisonment < 3 years/Both
3S.5 Contravening Data Protection Principles
Fine <RM500,000.00/Imprisonment < 2 years/Both
4S. 29 Non-Compliance with Code of Practice
Fine <RM100,000.00/Imprisonment < 1 year/Both
5S. 37(4)
Failure to Inform the Refusal to Comply with the Data Correction Request
Fine <RM100,000.00/Imprisonment < 1 year/Both
6S. 38(4) Processing after consent been withdrawn
Fine <RM100,000.00/Imprisonment < 1 year/Both
7S.40(3) Processing of Sensitive Data
Fine <RM200,000.00/Imprisonment < 2 years/Both
8.S.42(6)
Failure to Comply with the Commissioner’s Requirement
(Processing likely to cause damage or distress)
Fine <RM200,000.00/Imprisonment < 2 years/Both
9S. 43(4)
Failure to Comply with the Commissioner’s Requirement
(Direct Marketing)
Fine <RM200,000.00/Imprisonment < 2 years/Both
10.S. 129(5)
Transfer of Data to Places Outside Malaysia without any law or adequate protection
Fine <RM300,000.00/Imprisonment < 2 years/Both
11S. 130(3)
Collects, disclose or procure to disclose data without consent of Data User
Fine <RM500,000.00/Imprisonment < 3 years/Both
12S. 130(4) and (5) Selling or offer to sell
Fine <RM500,000.00/Imprisonment < 3 years/Both
13S. 131(1) and (2) Abetment and Attempt to commit any of the offences
Half of the maximum term provided for that offence
Offences by a body corporate
A director, chief executive officer, chief operating officer, manager, secretary; or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management - may be charged severally or jointly in the same proceeding with the body corporate; and
If the body corporate is found to have committed the offence, he shall be deemed to have committed the offences unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves :
- that the offences was committed without his knowledge, consent or connivance; and
- that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence. (s.133)
45
Abetment and Attempt to Commit Offence
A person who abets the data user in the commission of any offence under this Act commits an offence, and shall, on conviction, be liable to the punishment provided for that offence.(s.132(1)
A person who attempts to commit an offence punishable under this Act commits an offence and shall be liable to imprisonment not exceeding one half of the maximum term provided for that offence.
46
Transfer of Data to Outside Malaysia
What PDPA says…
Sect 129No transfer unless to such places specified by the Minister
The Minister may specify if:a) there is a law substantially similar to PDPA, orb) there is a law that serves the same purpose as PDPA, orc) that place ensures an adequate level of protection
equivalent to the protection afforded by PDPA
48
Enforcement Mechanisms
Data Protection Commissioner Advisory Committee Appeal Tribunal Codes of Practice Enforcement Notice Prosecution Revocation of Registration
49
Enough is Enough
50
The Star Malaysia 18 Sept 2011
51
Telco A
“Personal information held by Telco A may include your name, date of birth, current address, telephone/mobile phone number, email address, credit cards details, occupation, user ID or password… as well as certain details about your personal interest.”
“Telco A complies with and is registered under the data protection law in Malaysia and…”
Bank A
“Any information sent to Bank A Bhd through the use of this site will be deemed not to be confidential and be deemed to remain the property of Bank A Bhd who shall be free to use, copy, publish, reproduce, distribute and/or transmit all such information at Bank A Bhd’s absolute discretion for any purpose and…”
52
Bank C
“Bank C Group may also use your personal information to market Bank C Group’s products, and services to you based on your interest and…”
“Our use of your information may also extend to other purposes… which may at our sole discretion be made available to our third party vendors, advertisers, affiliates or relevant third parties”
53
Bank Z“… the Bank does not warrant the security of any
information transmitted by the Customer using the Bank’s Internet Banking Services. Accordingly, the Customer hereby accepts the risk that any information transmitted or received using the Bank’s Internet Banking Services may be accessed by unauthorised third parties and the Customer agrees not to hold the Bank liable for any such unauthorised access or any loss or damage suffered as a result thereof.”
54
The STAR headline 03 May 200955
56
57
58