An examination of privacy laws and the recently passed Personal Data Protection Bill by the Dewan Rakyat in Parliament and its application, enforcement, and implications for Malaysia.

Continued from Part 1

I am glad that Malaysia is making a leap forward to enact the Personal Data Protection Act. However, in my opinion, there are several grey areas that need to be scrutinised. My points of scrutiny towards the Act are:

1) Under Section 3 (1), the Act shall not apply to the Federal Government and State Governments. This means that privatised bodies are still bound by the Bill. One major point of concern is that the Government – Federal and State – are the biggest collectors of personal data. As such, the data protection law must bind them to prevent abuse.

2) In effect, if the Bill is passed in its current form, the result will be that there will be 2 different standards for data protection in Malaysia. This means there will be one standard based on the Bill for private companies and another standard for the Government and government bodies, which will diffuse the strength of the Personal Data Protection Act. E.g., if a private company processed information and this company was in the business of dealing with the Government, the risk is that whilst the personal data stored by the company in question adhered to the Bill, what would happen to the same data in the event it was transferred to the Government? This would enable any 3rd party to circumvent the effectiveness of the Act by simply accessing the personal data when it is sent to the Government or the Government body in question. As such, the Bill would be rendered a toothless tiger.

3) What are the standards for monitoring the Malaysian Government’s method of Data Protection? Will it be the self-regulatory method, a.k.a. the safe harbour method? (I think it's even lower than that, or non-existent.) A legal paper I have read seems to suggest that the self-regulatory method has not been very effective, the reason being that the effectiveness of the self-regulatory method depends entirely on the cooperation of the participants. Hence, if they have a set of self-regulatory rules and do naught, then the end result is nil.

4) Adequacy of the Bill. Will the Bill provide adequate data protection in accordance with the OECD guidelines and the standard adopted by the EU and other nations such as Australia, New Zealand and Japan, to name a few? It is obvious that the Bill is not adequate. The Bill has its merits, but it still has many flaws, as stated next. The Act does not adopt all the 7 core principles as I have mentioned above. A reference to Sections 5, 6, 7, 8, 9, 10, 11 and 12 of the Act shows that Principles 1 and 7 are lacking from the Bill.

5) From a Human Rights perspective, the Act imposes penalties such as heavy fines and imprisonment that are even stricter than the UK Data Protection Act 1998 and the Hong Kong Data Protection Act. My view is that imprisonment should not be imposed; instead, Directors and shareholders should be made to pay fines personally if the company is found guilty. That way a person’s liberty will not be taken.

Is your personal data safe?

6) Right to privacy is not recognised in Malaysia. One important issue that may have been missed out by the Drafters of the Bill is the fact that the right to privacy is not recognised by any statute in Malaysia. As such, there is no real recourse for an individual whose privacy has been exposed or made public. It is thus imperative that the Bill be amended to include some form of compensation/relief and remedy to those whose rights have been infringed. There must first be recognition of the right to privacy and then laws created to strengthen that right and give remedies to those in need.

7) The Act has no civil remedies for individuals who may want to sue. As mentioned earlier, the Act imposes severe fines and sentences for companies and individuals who do not obey the Act, but an individual whose personal data has been exchanged or used has no personal recourse against the persons involved. The Bill should consider allowing some form of private prosecution for individuals whose rights have been infringed. The Commissioner has powers to conduct prosecution, but in reality, with the amount of infringements and investigations that are foreseen, it would take months if not years for a successful prosecution to be brought to Court. This would actually cause more harm than good, as individuals whose rights have been violated will be denied the fruits of justice.

8) Section 47 of the Bill creates the existence of a Commissioner. The Commissioner’s office must be an independent one; he cannot be attached to the executive arm, in this case the Ministry, but should be made accountable to Parliament. Independence is a fundamental aspect here as the Commissioner holds a very important position. This position, in my view, is similar to that of a fiduciary position and as such greater accountability is needed.

9) Section 70 – the Personal Data Protection Advisory Committee. The existence of the Advisory Committee is not necessary – it will merely be a waste of taxpayers' money and burden the Rakyat. The Committee serves no real purpose as its advice can be rejected and is not compulsory for the Commissioner to heed.

10) Section 83 – the Appeal Tribunal. I disagree with the creation of an appeal tribunal. All disputes should be brought to court. The purpose of having an appeal tribunal is to decide on appeals by dissatisfied individuals against rulings made by the Commissioner. Any dissatisfied individual who is unhappy with the Commissioner’s ruling should be able to take his case straight to court by way of Judicial Review, because the Tribunal would only lengthen the process by which disputes can be resolved.

It is high time for the Personal Data Protection Act to be passed, and this law will give some recognition to the right of privacy, in this case, personal privacy. However, the Bill in its current form will be severely lacking and may not be deemed to be of an acceptable and adequate level of compliance with that of other countries.

Malaysia, our homeland, is now at the start of a new era with the impact of globalisation and the emergence of a new market, and we do need the Personal Data Protection Act 2009. The standard of this Act leaves much to be desired. Only time will be able to show us the effectiveness of this new high-impact legislation. We are certainly progressing, but is this the right direction?