Personal data, such as customer databases, has become so valuable that it is now being traded as a commodity.
The European Consumer Commissioner described personal data as the new oil of the Internet and the new currency of the digital world. The Economist said that personal data is becoming a new type of raw material that is on par with capital and labour.
It was reported that a list of 1,000 entries containing names, phone numbers, types of credit cards owned and even places of work can be bought for a mere RM100, while a list containing the personal data of Datuks and Tan Sris can be bought for RM4 for each individual.
How many of you are tired of receiving spam emails and unsolicited cold calls from banks, property agents and insurance agents who try to sell you more insurance products or properties, or offer you more credit cards or personal loans?
This has escalated to a stage where even politicians were sending out SMSes and emails begging for votes during the recent 13th General Election.
Have you always wondered how or where these people get hold of your personal data? Do you wish to have a say in how your personal data is handled?
The solution is finally here.
Very soon, we will have legal protection against those unwanted activities. The Personal Data Protection Department of Malaysia (“PDPD”) has intimated that the Personal Data Protection Act 2010 (“PDPA”), which was passed in June 2010, will come into force in the next 1-2 months.
The advancement of technology, the growing problems of misuse of personal data and the lack of comprehensive data protection law were amongst the reasons that pushed the Malaysian Government to finally enact and pass the PDPA.
The objective of the PDPA is to regulate the processing of personal data in commercial transactions and to safeguard the rights and interests of individuals.
What this means is that anyone who processes personal data in commercial transactions, be it online or offline, must comply with the PDPA once it comes into force. The consequences for breaching the PDPA are severe. Aside from the negative publicity, penalties for non-compliance with the PDPA include fines for companies and/or fines and imprisonment for directors and officers of the company.
Application of the PDPA
The PDPA applies to anyone who processes personal data (“data user”) of an individual (“data subject”) in commercial transactions. Essentially, a data user must comply with the seven (7) personal data protection principles, which form the backbone of the PDPA, as well as other relevant provisions of the PDPA. Non-compliance with any of the principles is an offence.
An overview of the principles is set out as follows:
- General principle – a data user must only process personal data with the consent of a data subject and for a lawful purpose, and the personal data collected must not be excessive or beyond what is required for the purpose for which it was collected;
- Notice and choice principle – a data user must inform the data subject that his personal data is being processed and provide a description of the personal data, the purpose of collection and the choice for him to decide whether he wants to provide his data;
- Disclosure principle – a data user must only disclose personal data for purposes, or to a third party, to which the data subject has consented;
- Security principle – a data user must take practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure;
- Retention principle – a data user must not retain personal data longer than is necessary to fulfil the purpose for which it was collected;
- Data integrity principle – a data user must take reasonable steps to ensure that all personal data is accurate, complete, not misleading and kept up to date; and
- Access principle – a data user must allow a data subject to have access to his own personal data and to correct it if it is inaccurate, incomplete, misleading or outdated.
The PDPA also confers a number of rights on a data subject, as set out below:
- a data subject is entitled to be informed by a data user whether his personal data is being processed by or on behalf of the data user;
- a data subject is entitled to correct his personal data if it is inaccurate, incomplete, misleading or outdated;
- a data subject is entitled to withdraw his consent to the processing of personal data;
- a data subject is entitled to request the data user to cease or not begin the processing of his personal data on the grounds that the processing of that personal data is causing or is likely to cause substantial damage or substantial distress to him or to another, and that the damage or distress is or would be unwarranted; and
- a data subject is entitled to request the data user to cease or not begin processing his personal data for purposes of direct marketing.
Compliance with the PDPA
As the PDPA will come into force very soon, data users must understand the PDPA and its legal and commercial implications for their businesses. They should begin reviewing their policies, processes, contractual rights and obligations, as well as standard forms and notices which relate to the processing of personal data, in order to ensure that they are in compliance with the PDPA.
It is no longer “business as usual”. If companies do not have any data protection policies yet, they must put in place sound policies that are consistent with the provisions of the PDPA, and make sure that the policies are actually implemented. There is no “one-size-fits-all” policy, and each policy will need to be drafted according to the specific nature and operations of the business.
The PDPA has far-reaching commercial implications and severe penalties in the event of non-compliance. However, one should note that the intent of the PDPA is not to inhibit business or to stifle the legitimate use of personal data; rather, it is meant to grow business by giving consumers confidence that their personal data will be protected and processed in good hands.
Malaysia has come a long way to finally pass and implement the PDPA after a wait of more than a decade. The Government has indicated that the PDPA will help Malaysia to become a communication and electronic trade centre, an attractive location for investment in the multimedia and communications industry, and an international trade partner which is able to offer personal data protection assurance.
At the end of the day, privacy matters. Good privacy conduct means good business, and for data subjects like you and me, the PDPA is indeed a welcome piece of law that would afford greater privacy protection to all.