1 / 59

PERSONAL DATA PROTECTION ACT 2010 TO COMPLY IS TO KNOW

PERSONAL DATA PROTECTION ACT 2010 TO COMPLY IS TO KNOW. Professor Abu Bakar Munir Faculty of Law, University of Malaya & Associate Professor Siti Hajar Mohd Yasin Faculty of Law, Universiti Teknologi MARA SEMINAR KESEDARAN AKTA PERLINDUNGAN DATA PERIBADI

aholmes
Download Presentation

PERSONAL DATA PROTECTION ACT 2010 TO COMPLY IS TO KNOW

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PERSONAL DATA PROTECTION ACT 2010 TO COMPLY IS TO KNOW Professor Abu Bakar Munir Faculty of Law, University of Malaya & Associate Professor SitiHajarMohdYasin Faculty of Law, UniversitiTeknologi MARA SEMINAR KESEDARAN AKTA PERLINDUNGAN DATA PERIBADI 9 February 2012 Kuala Lumpur

  2. Some of our books on ICT Law In Print Privacy and Data Protection Sweet & Maxwell (2002) Internet Banking: Law and Practice LexisNexis UK (2004) Cyber Law: Policies and Challenges Butterworths Asia (1999) Information & Communication Technology Law Legal & Regulatory Challenges Thomson Reuters (2010) 2

  3. Please read this book.

  4. THE WORLD’S GREATEST NEWSPAPER 1843-2011

  5. Reality Check • The efficiency of computer network has caused more and more personal data be stored in computers • The world has reaped the benefits of the fast flow information and personal data: • Ten years ago – gigabytes of data, • Five years ago – terabytes of data, • Today, petabytes of data, are being transferred and stored on daily basis. • Users globally send around 47 billion (non-spam) emails and submits 95 millions tweets • Each month users share about 30 billion pieces of contents on facebook • Personal data is the new oil of the Internet and the new currency of the digital world • Greater concerns about privacy invasion

  6. Types of Privacy The right to be left alone Bodily privacy Privacy of communications Territorial privacy Informational privacy

  7. Privacy as Human Rights Article 12 Universal Declaration on Human Rights 1948 No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. Some Other Instruments Article 17, International Covenant on Civil and Political Rights 1966 Article 16, Conventions on the Rights of the Child 1989 Article 8, Convention for the Protection of Human Rights and Fundamental Freedoms 1950 Article 18, OIC Cairo Declaration on Human Rights in Islam 1990 Article 4.3, Declaration of Principles on Freedom of Expression in Africa 2002 Article 5, American Declaration of the Rights and Duties of Man

  8. Informational Privacy The rights of an individual to have control over his personal information Informational Privacy = Personal Data Protection

  9. Why countries protect personal data? • International obligation • Competitiveness • Human right • International influence

  10. Why Protect Personal Data? What Customers Say… Nearly 90% of online consumers want the right to control how their personal information is used after it is collected (Forrester Research 2003) 87 % of Americans are concern about the security of their information on the Internet (Zogby International 2010) 61 % of adult Americans said that they were extremely concerned about the privacy of their personal information when buying online (University of Southern California 2007)

  11. Cont…….. Our research shows that 80% of our customer would walk away if we mishandled their information (Royal Bank of Canada 2003) Concerns about the use of personal information led 64% of respondents to decide not to purchase from a company (Privacy and American 2005) 67% respondents decided not to register at a website or shop online because they found privacy policy to be too complicated or unclear (Privacy and American 2005)

  12. Malaysian Consumers Say….. 75.3% respondents say that they were “somehow concerned” and “very concerned” with their personal privacy even when not online 94.2 % respondents felt that their personal privacy might be threatened when using the Internet 50.8 % of non Internet Banking customers have not migrated to the online services mainly due to security, trust and privacy concerns (Muniruddeen Lallmahamood 2007/2008)

  13. Therefore…. • Trust and risk are major determinants towards purchasing and of intention to purchase • Trust is difficult to gain but easy to lose • Consumers are concern about their privacy • Consumers are very concern about privacy when transact online

  14. GOOD PRIVACY, GOOD BUSINESS “Privacy is good for business” Harriet Pearson IBM Chief Privacy Officer

  15. How? Potential Risks • Breaches of data protection law • Damage to organization’s reputation and brand • Physical, psychological and economic harm to customers • Financial losses associated with deterioration in quality and integrity of personal data due to customers’ distrusts • Loss of market share or a drop in stock prizes due to negative publicity/ failure or delay in the implementation of new product / service due to privacy concern

  16. Benefits • More positive organizational image and significant edge over the competition • Business development via expansion into jurisdiction requiring clear privacy standard • Enhanced data quality and integrity • Fostering better customer service and more strategic business decision making • Enhanced customer trusts and loyalty

  17. (Reuters) - HSBC Holdings, Europe's biggest bank, was fined 3.2 million pounds on Wednesday for information security breaches, the biggest fine the country's financial regulator has ever imposed for data security lapses. (2007, 2008)

  18. Insurance giant Norwich Union has been fined £1.26 million by the Financial Services Authority (FSA) for security systems failures (2007)

  19. DATA PROTECTION COMMISSIONER’S OFFICE PressRelease For immediate release Date: 13 November 2012 2007 XYZ SDN. BERHAD ISIN BREACH OF THE PERSONAL DATA PROTECTION ACT 2010 The Data Protection Commissioner's Office (DPCO) has found that the XYZ SDN. BERHAD is in beach of the Personal Data Protection Act 2010 following an investigation into the complaint of  ……………………………………………… ………AB H……….. DATA PROTECTION COMMISSIONER

  20. International Instruments • OECD Guidelines 1980 • Council of Europe Convention 1981 • European Directive 1995 • APEC Privacy Framework 2004 • Madrid Resolution 2009 • EU Proposed Directive (25 Jan 2012)

  21. OECD Guidelines 1980 (8 Principles) • Collection limitation • Data Quality • Purpose Specification • Use Limitation • Security • Openness • Individual Participation • Accountability

  22. Council of Europe Convention 1981 Personal Data shall be: • obtained fairly and lawfully • stored for specified and legitimate purposes and not used in a way incompatible with those purposes • adequate, relevant and not excessive • accurate and, where necessary kept up to date • preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored

  23. European Directive 1995 Personal data must be; • Processed fairly and lawfully • Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes • adequate, relevant and not excessive • accurate and, where necessary kept up to date

  24. APEC Privacy Framework 2004 (9 Principles) • Preventing harm • Notice • Collection Limitation • Uses of personal information • Choice • Integrity • Security safeguards • Access and correction • accountability

  25. Madrid Resolution 2009 (6 Principles) • Lawfulness and fairness • Purpose specification • Proportionality • Data quality • Openness • Accountability

  26. EU Proposed Directive On Data Protection with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the executions of criminal penalties, and the fee movement of such data. • Known as The Police and Criminal Justice Data Protection Directive • January 25, 2012, the European Commission released a proposed data protection regulation to replace the current EU Data Protection Directive (95/46/EC). The proposed regulation would drastically alter the data protection landscape for companies

  27. National Approaches • Comprehensive Legislation • Legislation + Self-Regulatory • Self–Regulatory • Doing Nothing

  28. Comprehensive Legislation • All EU countries, including the 10 new member states (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia) • Japan, Korea, New Zealand, Australia, Hong Kong, Macao, Taiwan, Philippines, Singapore • Chile, Argentina, Brazil, Mexico, etc. • In Middle East, only Israel and Dubai Financial Centre

  29. Legislation + Self-Regulatory • USA – Privacy Act 1974 + 12 federal sectoral based legislation + State Laws + Safe Harbour Self-Regulatory • Singapore - Does not work – To have a data protection law by 2012

  30. Doing Nothing so far • Brunei • Vietnam • Laos • Cambodia • Many more

  31. Our Part of the World : What’s Happening ? • Macao enacted her Personal Data Protection Act in 2006 • China has came out with several drafts of the law, and the latest in 2007 • India amended her Information Technology Act in December 2008. Some new provisions are added to protect privacy and personal data. In April 2011, the third draft of the Privacy Bill was issued. • Indonesia came out with an academic draft in 2009 • Thailand has developed a draft Bill in 2010 • Taiwan amended her old law and passed a more comprehensive Personal Data Protection Act in April 2010 • Malaysia has passed the Personal Data Protection Act in June 2010 • Korea came out with a more comprehensive law in March 2011 • The Philippines Congress has came out with the draft Act • Australia and Hong Kong are reviewing their Privacy Act and Privacy Ordinance respectively • Singapore is currently developing a law and is expected to be ready by 2012. On 13 Sept 2011, a Consultation Paper was released • In April 2011, the EU Working Party decided that the New Zealand Privacy Act is adequate

  32. PDPA 2010: Applicability

  33. Exemptions

  34. Offences by a body corporate A director, chief executive officer, chief operating officer, manager, secretary; or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management - may be charged severally or jointly in the same proceeding with the body corporate; and If the body corporate is found to have committed the offence, he shall be deemed to have committed the offences unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves : - that the offences was committed without his knowledge, consent or connivance; and - that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence. (s.133)

  35. Abetment and Attempt to Commit Offence A person who abets the data user in the commission of any offence under this Act commits an offence, and shall, on conviction, be liable to the punishment provided for that offence.(s.132(1) A person who attempts to commit an offence punishable under this Act commits an offence and shall be liable to imprisonment not exceeding one half of the maximum term provided for that offence.

  36. Transfer of Data to Outside Malaysia What PDPA says… • Sect 129 No transfer unless to such places specified by the Minister • The Minister may specify if: a) there is a law substantially similar to PDPA, or b) there is a law that serves the same purpose as PDPA, or c) that place ensures an adequate level of protection equivalent to the protection afforded by PDPA

  37. Enforcement Mechanisms • Data Protection Commissioner • Advisory Committee • Appeal Tribunal • Codes of Practice • Enforcement Notice • Prosecution • Revocation of Registration

  38. Enough is Enough

  39. The Star Malaysia 18 Sept 2011

More Related