While the Government gets set to enforce the Personal Data Protection Act, all involved should comply with the provisions of the Act now instead of adopting a wait and see' attitude.
SINGAPORE recently had the first reading of its Personal Data Protection Act in Parliament. Many in the republic were buoyed by the development, confident that the passing of the bill “should be just around the corner”.
Surprisingly, Singapore lags behind Malaysia in this matter; Malaysia is the first country in the South-East Asian region to draft such a bill way back in 2000. Our Personal Data Protection Act (PDPA) was gazetted in 2010 after gestating through several public consultations and revisions.
However, now that the “sunrise period” before the law takes effect for the Information, Communications and Culture Ministry to train personnel and put procedures in place is fast fading, many are asking when our law will be enforced. Especially since it appears that the Ministry has just missed the “deadline”.
In February, Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim had announced that the Act would be enforced by the middle of this year.
We are now in the second half of the year and there has been no news of the impending implementation of the PDPA. When contacted, all that ministry sources would say is that enforcement details would be announced as early as next month.
Universiti Malaya's data protection law expert Prof Abu Bakar Munir says it is imperative that the Act is enforced soon as all our personal information is fast flowing out there, making its security a big concern.
“With petabytes of data transferred and stored on a daily basis, personal data is the new oil of the Internet and the new currency of the digital world. That is why people are concerned about privacy, especially when they transact online,” he said at a recent media forum on the PDPA's enforcement hosted by security firm Symantec.
Due to the growth of the social media network and mobile devices, users around the world send around 47 billion (non-spam) email and 95 million tweets daily. Each month, users share about 30 billion pieces of contents on Facebook.
Crucially, he stresses, people need an avenue to seek redress for violations of their personal data and privacy.
Although it has been highlighted numerous times, the selling and buying of data is still very rampant in Malaysia. Advertisements and email spam publicising the sale of email and phone lists are still widespread while many people are still being targeted through telemarketing calls and unsolicited messages or email.
Underlining the urgency for the enforcement of the PDPA, Symantec Malaysia systems engineering director Nigel Tan highlights that on average 1.1 million identities were exposed per breach globally in 2011.
The Symantec Internet Security Threat Report for the year showed that an approximate total of 232 million identities were exposed globally.
Tan also cites a survey they conducted with Ponemon Institute a leading research centre dedicated to privacy, data protection and information security policy in 2010 which showed that 88% of companies in the United States experienced data loss. The average cost of a breach is US$7.2mil (RM22mil).
Although the research was only conducted in the US, it should be treated as a warning to other countries as data breach is a threat everywhere in the world.
Subhendu Sahu, Symantec's director for Government and Public Sector (Asia South Region), concurs with Tan on the growing need for personal data protection.
The threat landscape is evolving rapidly, he argues.
“For one, hackers have moved from pure hacktivism to causing real damage to national infrastructure, so it has become extremely important for government and companies that deal with nationally important data to have significantly stronger security safeguards.”
However, when it comes to the enforcement of the PDPA, timing is not important he says.
“What is more important is that data protection is viewed as a serious issue.”
Having a policy is the first important step. Around 50% to 60% of all countries are in some stage of implementing data privacy legislation and framework, he notes.
In the region, Malaysia is the closest to fully implementing some semblance of legislation on personal data protection.
Admittedly, data protection is viewed as a serious issue in Malaysia.
Under the Act, personal data breach is a crime it is categorised under 13 criminal offences with penalties ranging from a maximum jail term of one year, a RM200,000 fine or both, to a maximum jail term of three years, a RM500,000 fine or both.
Prof Abu Bakar reveals that the decision to treat the offence for non-compliance to the act as criminal instead of civil was made based on the “local context”.
“For the Act to be able to be enforced effectively, taking into account the track record of the country, the penalties had to be criminal.
“In this part of the world, without criminal penalties, it will be difficult to enforce the PDPA,” he says.
Some of the offences detailed in the Act are processing of personal data after consent has been withdrawn, selling and offering to sell personal data and abetment to commit any of the offences.
However, for the Act to be enforced, the government would have to establish a Personal Data Protection Commission and appoint a commissioner.
A Personal Data Protection Department has been set up, and while it is taking on the responsibility of processing all matters concerning data protection in the country, including dealing with public grouses, its scope of powers is unclear.
The PDPA states for the enforcement mechanisms and power to be granted to the commissioner, Prof Abu Bakar points out, which includes the right to enter premises and seize equipment without a warrant for the purposes of investigation into offences, the power to arrest and recommend for prosecution.
Conceding that time is needed to ensure that the selection of the Commissioner and the finalisation of the rules and regulations of the Act are done properly, Prof Abu Bakar moots one solution, which is to “upgrade” the existing department into a commission.
He nonetheless stresses that while the onus is on the Government to get the PDPA ball rolling, it is also crucial that companies comply with the Act now instead of adopting a “wait and see” attitude.
“Once the enforcement date is announced, companies will only have three months to comply with the Act and that is too short a time.”
This includes implementing policies and supporting processes as well as revamping systems and applications to meet the requirements of the Act.
Among the main things that companies will have to do when the Act is enforced is to register with the commission to get the “licence” to collect and process data. Another is to get the consent of the “owners” of the personal information they have amassed.
This will no doubt cause a headache for organisations like financial services and telecommunication companies, which have collected and maintained a high volume of customer's personal data.
“Some organisations collect data too early online or have privacy policies which are too brief or not prominently located.”
Tan echoes Abu Bakar's observation of companies' lack of readiness in complying with the PDPA upon its enforcement.
“Based on my personal observations, I would put the percentage of companies doing so at less than 50%,” he says, noting that those that already are, have been working on compliance as early as two years ago when the Act was first gazetted.
Subhendu advises companies to constantly review their security policies, bring in external experts to vet internal processes, and set incident response and recovery practices.
Ultimately, Malaysia needs to take the next step enforcing the PDPA soon, as the digital technology has grown beyond expectations.
Subhendu makes a case in point: countries with more mature data protection and privacy legislation are reviewing their own laws to address new “problems” created by new digital developments.
One is the “right to be forgotten” law that is being deliberated in the European Commission that would allow people to demand their personal data, which organisations hold on them, be deleted as long as there is no legitimate ground for such organisations to hold such data.
“The inclusion of the right to be forgotten' is reflective of the rapid rise of social media. The speed and expansion of digital technology has gone beyond what legal frameworks had originally foreseen,” says Subhendu.
At the end of the day, however, it is all about respect and common sense, Prof Abu Bakar opines, anchoring the massive task at hand into perspective.
“Data protection is not rocket science. But there is a lot to do and time is running out.”
Next: Understand the law, protect your personal data.
Related Stories: Laws to act against data breach Woes mount as data protection enforcement sits idle