Thursday 23 December 2010

2010 - The Year of Data Protection and Privacy in Malaysia!

2010 is a year of hope for technology law in Malaysia.

I stand by the above statement for one chief reason: the Personal Data Protection (PDP) Act 2010 was gazetted in April 2010. As I write, the proposed Data Protection Commissioner's Office is still being planned; rumour has it that it may be in place by the first quarter of 2011. This development means a lot to Malaysia in many ways, and three points are submitted. First, the PDP Act enables everyone (individuals) and stakeholders to collect, handle, manage, process, retain, share and expunge data in a responsible and compliant manner. Second, the PDP Act has pushed Malaysia (indirectly) to recognise 'informational privacy' as a right, although the incentive and motivation of this Act govern commercial transactions only. Third, the PDP Act will also trigger possible amendments or revisions of the piecemeal legislation in Malaysian statutes that contains the word "privacy".

The PDP Act (although a very new law to Malaysians) is testimony to Malaysia readying itself to be on a par with others. In the Asia Pacific region, Malaysia is the second country, after Hong Kong, to have its own data protection and privacy legislation; other countries' legislation is based on sector-specific and code/voluntary approaches. As some may know, privacy and data protection laws around the world are generally motivated by the following: the European Data Protection Directive 95/46/EC, the US Safe Harbor approach, the OECD Guidelines, the APEC Privacy Principles, and industry and technology-driven approaches.

Besides the PDP Act, another interesting development has been the observations of Malaysian court judges on privacy protection. Two cases have touched on this, in general terms.

First, in Ultra Dimension Sdn Bhd v Kook Wei Kuan [2004] 5 CLJ 285, Justice Faiza Thamby Chik observed: "...English common law does not recognise the privacy rights; therefore invasion of privacy rights does not give right to a cause of action. Since English common law, pursuant to Section 3 of the Civil Law Act 1950, is applicable in Malaysia, privacy rights which is not recognised under English Law is accordingly not recognised under Malaysian Law..." However, in the interesting case of Dr Bernadine Malini Martin v MPH Magazine Sdn. Bhd. & Ors [2010] 1 LNS 694, Justice Hishamudin observed: "...it is unfortunate for the plaintiff, that the law of this country, as it stands presently, does not make an invasion of privacy as an actionable wrongdoing (it is actionable under the law of some other jurisdictions, for example, in the United States)..."

These observations are interesting in one respect: Malaysians are coming to recognise their privacy rights. In addition, during the third quarter of 2010, Malaysian national dailies carried headlines on the complaint of a mobile phone customer of a leading government-linked telecommunications company. The complainant claimed that the mobile service provider did not obtain her consent before sharing the confidential data retained in its database, thereby breaching certain aspects of her data confidentiality. Even after the case was brought to press, my research suggests that, to date, there has been no "hard push" by consumer groups or organisations to issue statements representing consumers' rights, let alone in privacy!

After the PDP Act was passed, many training sessions and workshops took place, mostly in Kuala Lumpur. Stakeholders and the public were very much concerned with how the Act would affect and apply to their daily lives and transactions. My observations from this eagerness are twofold. Firstly, practitioners, academics and consultants should collaborate to disseminate the basic principles first. That is, besides explaining or paraphrasing the sections of the PDP Act, it is fundamental to enlighten the public on what these terms mean: data, personal data, privacy, informational privacy, their application in daily life and their application in commercial transactions. Secondly, once the meanings and differences have been clearly conveyed, we must be able to explain selected cases clearly and coherently, case by case, from different perspectives. These observations, in my humble opinion, may take a long time to mature. Nonetheless, the practitioners, academics, consultants and researchers who are experts in this subject matter must collectively offer the appropriate theoretical foundation to the Malaysian public. I am calling for collective responsibility in disseminating a meaningful understanding of this subject (for the purpose of nation building).

From the business strategy perspective, the PDP Act will provide potential opportunities in terms of 'commoditisation'. Technology companies may task their Research & Development (R&D) teams to build systems that can be customised for existing and potential clients. In other words, such systems should now incorporate privacy impact assessment checklists and a privacy by design approach. Whatever perspective Malaysian stakeholders (whether from business or consultancy) come from, it is indispensable for them to understand the basics first, and only then move on to the next level of understanding (have they clearly understood what privacy and data protection are?).

And why do I claim 2010 is the year of data protection and privacy in Malaysia?

The answer lies in Malaysians' hands and minds. The Malaysian Legislature and Executive (the politicians) deserve a pat on the back. The abstract and outline of the law have been set out. Now we will witness implementation and enforcement (in anticipation), which will be the subsequent chapters of how the law grows, develops and matures.

RFID is still "hot"

After almost fifteen months of research, I have reached the preliminary conclusion that RFID is still a hot topic.

Much of the progress and development in RFID is driven by commercial and technological incentives. It is arguably a "commoditised technology". The world today, divided by economic bloc (the United States of America, the Euro zone and the emerging markets), has deployed RFID applications in many ways, mostly benefiting and yielding dividends to large companies and organisations that have the budget. Although a recession took place in 2010, and is still silently taking place (to date) in some continents, the prediction on the expansion of RFID deployment remains bullish.

Interestingly, the European Union is very active in mapping a possible roadmap for RFID and its growth by 2020. The East Asian technological leaders, South Korea, Taiwan and Japan, have by far been leading the game (in terms of deployment). China deployed RFID applications handsomely at the spectacular 2008 Olympic Games in Beijing (through RFID-enabled ticketing). It is predicted that London 2012 will make a similar move: not only deploying selected RFID applications, but also potentially extending the technological infrastructure capacity through cloud computing (the Cloud).

Much of the global progress in RFID is still segmented by continent. Several issues are still being discussed at the higher level (meaning policy, strategy and government). Three issues are of relevance: firstly, interoperability; secondly, standardisation; and thirdly, data protection and privacy. Of course, other contributing and pressing issues may add to the list. Nonetheless, by way of priority, the aforementioned issues are significant and demand urgent progress.

In the leading RFID Journal and in other RFID service providers' write-ups and marketing collateral, sophisticated RFID applications have been marketed to existing and potential customers. The features seem appealing, especially to the stakeholders that have benefited from these applications. These groups are tagged as the RFID proponents. By contrast, the RFID opponents seem rather quiet in demanding more awareness of this technology. Back in 2002-2006, the push by public policy and civil liberties groups in the US was powerful; now the voices are less heard. Maybe (arguendo) this is due to the other pressing issues that occupy the US today. Developments in the European Union (EU) are still largely at a high level. In reviewing the EU's efforts, minimal progress has taken place. The most recent is the Article 29 Data Protection Working Party's response to the Privacy Impact Assessment framework proposed by industry and stakeholders with regard to RFID. Although the responses seem to be a turning point for such progress, it is submitted that much needs to be done not only at the EU level, but also between and amongst the 27 Member States.

Across Asia, China, India, South Korea, Taiwan, Japan, Malaysia and Singapore have gradually deployed RFID and realised its importance. Of these countries, taking Malaysia as an example, the Malaysian Communications and Multimedia Commission (MCMC) has issued an RFID survey to stakeholders. On perusing the survey, it appears to aim at gauging only technical understanding and perceptions of RFID, and lacks the data protection and privacy aspect. Perhaps MCMC could issue another round of the survey that touches on stakeholders' perceptions of RFID, data protection and privacy.

As issues on RFID are still hot, I predict the following will emerge in 2011:

1) That the EU's RFID progress will move into aggressive mode once the review of the European Commission's Data Protection Directive has been completed. This means that once the revised Directive 95/46/EC is in place, the Article 29 Working Party and related Directives will treat RFID in a more serious tone, at a higher level;

2) That RFID standardisation and interoperability need active involvement not only at the EU level, but also from other international organisations such as the International Telecommunication Union (ITU). This prediction is based on the possibility that Mobile-RFID will boom and gradually penetrate the market (by 2020); and

3) That discussion of RFID from the perspectives of data protection and privacy is still important. Although RFID technical guidance, codes, regulations and best practices exist, the efforts need to be beefed up, especially as the cloud computing business booms. This means that data retained and kept on an RFID service provider's or a data controller's server may also be parked and retained in the Cloud. Hence, issues of data protection, privacy and contractual liability may also arise.

RFID is indeed still relevant and a "hot" topic, and promises more progress in 2011 and the years ahead!

Tuesday 14 December 2010

Call for public consultation: Strategy to strengthen EU Data Protection rules

On 4 November 2011, the European Commission issued its call for public consultation on its data protection rules. The call is retrievable HERE. The deadline for interested stakeholders to submit their views is 15 January 2011. I will submit my proposal (for consideration) individually and also as part of a collective proposal under the banner of the Data Protection & Open Society Project at Oxford's Centre for Socio-Legal Studies. On 2 December 2010, six researchers brainstormed to reach a consensus. Overall, the solicited views have been taken into account and the draft is expected to be ready by the end of December 2010 or early January 2011. Updates will follow when the time comes.

Visiting Researcher in Oxford

In 2011, I will be a visiting researcher at the esteemed Data Protection & Open Society Project (DPOS) at Oxford University's Centre for Socio-Legal Studies. My visit will run from 14 February 2011 to 4 April 2011. Further details on the DPOS are available HERE.

Forthcoming publication

I presented a paper on "Cursing the Cloud (or) Controlling the Cloud?". Briefly, this paper appraises the move by Microsoft in relation to the Cloud. In detail, it touches on the level of adequacy of data protection from the perspectives of the European Data Protection Directive 95/46/EC and Safe Harbor. It also extends the concern over adequacy to non-EEA countries, where the level of adequacy is still underdeveloped, immature and emerging. The paper also proffers a hypothetical model called the Cloud Compliant Strategy (CCS). The CCS aims to develop a theoretical base/framework that is usable in specific continents and market economies: particularly the US, the Euro zone and the emerging markets. Although the CCS is still at an embryonic stage, I endeavour to extend it in my next paper.

In the meantime, this paper has been published in Kierkegaard & Kierkegaard (eds), Private Law: Rights, Duties and Conflicts (2010), ISBN 978-87-991385-8-6, at pp 158-171. It will also be published in a forthcoming 2011 issue of the Computer Law & Security Review.

In the interest of knowledge sharing, my paper is retrievable HERE. Citation of this article is also appreciated (please let me know through my e-mail: n o r i s w a d i [at] g m a i l . c o m).

Also, for those keen to research the legal issues surrounding the Cloud, do visit this SITE. The project is undertaken by Queen Mary University of London (QMUL) and branded the QMUL Cloud Legal Project.

Monday 27 September 2010

Article 29 Data Protection Working Party on RFID (in response to the Industry's proposal)

The Article 29 Data Protection Working Party has issued its Opinion 5/2010 on the industry proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications. It is retrievable here.

Briefly, the Working Party does not endorse (technically, it rejected) the industry's proposed framework, mainly due to the absence of a CLEAR privacy and data protection approach in it. The Working Party also opined that a rigorous consultation phase with stakeholders is relevant to determining the viability of the proposed framework, which the industry proposal, in a way, failed to address. In particular, the issue of tag deactivation in the retail sector needs a much more coherent and clear explanation. Overall, the proposal failed to address the concerns on transparency of RFID usage ("information and transparency on RFID use") and the emphasis on "security and privacy by design".

Tuesday 24 August 2010

Cloud Security Summit

I have confirmed my attendance at the forthcoming Cloud Security Summit.

As part and parcel of my data protection and privacy research, this will be useful in the context of cloud computing. Currently, I am examining to what extent, and how, RFID (as the Internet of Things) may integrate within a cloud computing environment: whether it applies only in front-end, middleware or back-end applications. If such integration exists, how should a privacy impact assessment apply, and how is data protection controlled? Technology seems to be integrated from one end to the other; hence laws, regulations and policies (arguably) should be able to adapt to this too.

I hope to secure some insights towards such a "legal integration answer".

Keywords in my research:

Data, Privacy, RFID, Cloud Computing, Privacy Impact Assessment and Security.

Friday 13 August 2010

Cursing the Cloud (or) Controlling the Cloud?

In March 2010, I presented on "Cloud Computing Got Talent! - A Nemesis to Data Protection?". Further to the presentation, I have been developing substantial comments, feedback and detailed analysis from various stakeholders. To share these, I will be presenting Version 2, titled "Cursing the Cloud (or) Controlling the Cloud?". The abstract is readable here, and the paper is retrievable HERE. It will be presented at the forthcoming Fifth International Conference on Legal, Security and Privacy Issues in IT in Barcelona, Spain.

Monday 14 June 2010

Information Technology Law - The Law and Society by Andrew Murray (Selected Chapter Reviews)

I was at Hammicks Legal Bookshops in Lincoln's Inn with a Professor from Malaysia. My eyes zoomed onto a newly published book: "Information Technology Law: The Law and Society" (Oxford, 2010), by Andrew Murray.

Andrew Murray is a Reader in the Law Department of the London School of Economics and Political Science. He teaches, researches and supervises students at various levels (undergraduate and postgraduate research) in the areas of technology law, intellectual property, media law, policy and regulation.

The chief motivation for buying this book was his writing in PART VI, PRIVACY IN THE INFORMATION SOCIETY.

Before reading the latter religiously, I found that Andrew Murray's introductory work in PART I, INFORMATION AND SOCIETY, gives impeccable insight into the many taxonomies relating to bits, the network of networks, digitisation and society (information, convergence and the cross-border challenge of information law), with laws and regulations as the backbone. Whilst Andrew's style of writing is akin to storytelling, his analysis never fails to mesmerise, referencing much comparative literature, ranging from selected US state jurisdictions and in between, to interweaving it with socio-economic aspects, incentives and social science approaches.

This is the key difference between Andrew's book and the previous IT law books that preceded it, such as those by Professor Ian Lloyd, David Bainbridge, and Chris Reed and John Angel. Another key difference that distinguishes Andrew's writing is the incorporation of diagrams, highlights, examples, case studies and further reading lists, so that the look and feel departs from the typical black letter treatise! This gives in-depth clarity to readers who may not come from a legal background. What makes it more innovative is its guidance to the online resource centre, retrievable at:

http://www.oxfordtextbooks.co.uk/orc/murray

which also provides regular audio updates, web links, a flashcard glossary of key terms and a link to an IT law blog. This approach, in my speculative opinion, will become the trend and precedent for forthcoming legal publications. Welcome to Web 3.0!

Whilst PART I touches mainly on taxonomies and grounded theories, there is a slightly untouched area concerning the technology evolution of other leading jurisdictions that may be comparatively relevant, such as Germany, France and East Asia (Japan, Taiwan and South Korea). On the one hand, arguably, Andrew's analysis focuses largely on leading UK and US authors and perspectives, which carry invaluable anecdotes of theory and practice. On the other hand, arguably, a fair balance could also be given to the equally invaluable non-UK and non-US anecdotes of theory and practice. Such comparative balancing between the two may be worth mentioning. If the latter materialises, PART I would look beyond immaculate.

I skipped most of the substantive parts and spent three working days reading PART VI. Compared with the previous IT law authors, Andrew has enticed and enlightened me with constructive ideas and useful cross-referencing. The chapter on data protection is addressed precisely and clearly, without detailed paraphrasing of sections of the UK Data Protection Act 1998. The coverage and analysis of the history, progress and trails are explained with a pragmatic approach, instead of arguing and attempting to emphasise the pure legal reasoning of the Act. Chapter 19 on data and personal privacy, nevertheless, falls short in certain respects on which readers deserve to be educated, primarily in the RFID tracking section.

Arguendo (assuming) that Andrew's intention in illustrating the technology is naturally motivated by the preceding data protection chapter, I nevertheless opine, persuasively, that a brief technical illustration of what RFID consists of would have been useful. This, from my observation, would provide broader comprehension to a first-timer who needs to know what RFID is all about. The one impressive finding that may warrant further expansion of my research relates to Andrew's footnote 65 on page 514: CASAGRAS (read as: Coordination And Support Action for Global RFID-related Activities and Standardisation). That compels me to gauge and analyse to what extent the (present) British Government perceives and reacts to it.

Andrew has further written a section on data retention and identity, highlighting the Code of Practice on Location Services. He has also highlighted the types of data to be retained. Much of the analysis and cursory discussion in this section stems from a media law viewpoint, with convergence in mobile communications technology as a strong reference. The attempt is slightly brief and, arguably, as a reader and a doctoral researcher, I would ask more of this section. In mitigation, Andrew satisfied me with his conclusions, ending with:

"...The law cannot keep pace with technological development; it always lags some months or years behind. The internet of things is coming; we will become part of the network. What is not clear is whether this will give us greater or less freedom."

And I could not concur more.

By Noriswadi Ismail
MPhil/PhD Candidate
Institute of Computer and Communications Law
Centre for Commercial Law Studies
School of Law, Queen Mary, University of London

Think Privacy Toolkit for Employees

The UK Information Commissioner's Office has issued a toolkit on the above. It is very useful for organisations and companies initiating a privacy-friendly environment amongst their employees. The toolkit is considered best practice (though non-binding in legal effect), and carries the notion of a "soft law" approach.

Tuesday 25 May 2010

Forthcoming Workshop: Data Protection & Privacy Law

I will be conducting a workshop on 29 June 2010.

The details are downloadable HERE.

Friday 21 May 2010

Selected Issues on Data Protection & Privacy

During my three-week stint in Malaysia, I presented to four stakeholders, namely:

1) Ahmad Ibrahim Kulliyyah of Laws and Kulliyyah of ICT, International Islamic University Malaysia. Audience: Professors, Senior Academic Fellows and Lecturers. Constructive comments and feedback were gathered and are currently being incorporated into my research and chapter writing;

2) Malaysian Institute of Management. Audience: Managers, Lawyers and Directors. Constructive responses were received. The session was recorded and I am awaiting the DVD;

3) Azmi & Associates. Audience: Pupils-in-Chambers and Associates. Received constructive views on data protection and privacy strategies and management. The issue I am currently researching: what and where next after the Malaysian Personal Data Protection Bill comes into effect. Currently, I am comparing this with the analysis made by Professor Graham Greenleaf; and

4) Multimedia University Malaysia. Audience: the General Counsel of MMU, researchers and lecturers in Law and Business, and MBA students. Received excellent feedback, especially in relation to approaching data protection and privacy issues from a cultural paradigm angle, as well as from human rights and philosophical perspectives. Currently, I am writing the pointers for an article (to be published).

The slides of the above are retrievable HERE. (file: Kulliyyah of ICT Talk 300410)

Friday 9 April 2010

Malaysia leads ASEAN's data protection & privacy?

Thanks to my colleague Sonny Zulhuda of Multimedia University, Malaysia, for a comprehensive update on this long-awaited news.

The next array of anticipated issues will be implementation and enforcement. Oh, and also compliance cost and awareness. Much remains to be done. But well done, Malaysia! After twelve years of waiting.

So much so that Malaysia's colour on the above map should change to blue instead of red!

Tuesday 16 March 2010

Tuesday 9 March 2010

RFID Privacy Law in the US

Washington's HB1011 is, arguably, a precedent for some. The RFID Journal reports.

In the United States, Nevada, New York, New Hampshire and Virginia are following Washington's effort with similar motivation. Comparatively, the UK and EU RFID technical guidance issued via the Information Commissioner's Office and the Article 29 Working Party should take another look at some of the provisions in those States. Maybe the UK and EU could learn something from the US. Alternatively, looking to the Canadian approach may also lead to something insightful.

By and large, I personally anticipate that in a few years' time a review will take place in the UK and EU on this matter. The latter may also correspond with the latest ICO report on the "Privacy Dividend". It is not too late to recognise RFID as a dividend of the Internet of Things!

Image source: Google Images

Monday 8 March 2010

New release by ICO: The Privacy Dividend Report

I am pleased to share the recent release of the Information Commissioner's Office's Privacy Dividend Report. It will be interesting to note the findings. Hopefully, potential headway could be linked to commercial interests and technologists' motivation. Three observations come to mind. First, how can RFID fit into the setting of a balanced return or dividend (if any)? Second, is proactive privacy protection an indirect translation of a privacy code for technology? Third, will the business case remain sustainable should more sophisticated Privacy Enhancing Technologies (PETs) come into being? I will only be able to answer once I have analysed and substantiated these.

Image Source: ICO Website (Cover Report of The Privacy Dividend Report)

Wednesday 24 February 2010

RFID is not bad? But, the intention matters?

I read this article between the lines.

Several observations popped out. First, the writer's position on RFID deployment is linked to the political landscape of his home country. Second, the writer should perhaps understand the taxonomy of RFID applications in more depth. Third, the writer could perhaps also find out whether the nationals of his home country regard RFID as a threat or a bad innovation. I think, on this point, intention matters. Oh, and looking into his profile carefully, I sense that he is running for an important post in his home country. If elected, perhaps brainy technology, legal and public policy advisers should educate him on RFID and other related issues against the country's backdrop.

Image source: Google (illustration: an RFID Car Key)

Thursday 18 February 2010

Identity Theft Test - a gateway to profiling

I am so impressed with the online Identity Theft Self-Assessment Test devised by the Norwegian Data Inspectorate. Do attempt the test HERE. Identity theft can happen anywhere, whether online or offline. It is a gateway to profiling the authenticity of a person/user/pseudonym and of any party deemed to be operating under cover. Through the lens of an RFID environment, I am unsure whether the test would provide the necessary controls in view of Privacy Enhancing Technologies (PETs). Maybe it is a different element altogether. Nevertheless, it is best to recommend this test to consumers and customers of all industries (via their websites), especially service-based and consumer-based businesses. That would provide added value and useful diffusion and dissemination, so that the message reaches them well.

Thursday 11 February 2010

RFID in McDonald's (Japan)

This YouTube video shows how a customer can use Mobile-RFID in a McDonald's restaurant. What constitutes the capability? It consists of:

i) Mobile-RFID (some Japanese models have an RFID chip embedded inside the mobile phone);
ii) a subscription with the Internet service provider (via the line subscriber), Wi-Fi/3G/4G/5G enabled, in Japan only; and
iii) a reader (normally attached in front of the cashier).

And the customer will get his/her order without queuing during the peak hours!

Pondering: What are the data protection and privacy issues that could be anticipated here?

Image source: Google Images.

Wednesday 10 February 2010

South Korea & RFID

I have been keeping in touch with South Korea's RFID progress for the past five months of my research. Today, by accident, I stumbled upon the translated version of the Articles/Provisions of the RFID Privacy Protection Guideline (Republic of Korea). It is interesting to note that the guideline's coverage is quite concise. Dissecting the Articles, I wonder whether it achieves adequate protection in the terms of Directive 95/46/EC. In the interim, it may not reach the adequacy level of protection, arguendo, taking into account the detailed compliance checklist analysis under the Directive.

(Image source: Google Images) - A marketing campaign (integrating RFID capability) via credit card at a petrol station somewhere in Korea.

Friday 5 February 2010

Mobile-RFID Cloud Computing in East Asia

This blog aptly mentions the mobile cloud computing environment that will be tested and trialled in South Korea by 2014. In my research, I have also looked into Mobile-RFID and Near Field Communication (NFC), known as a pairing technology. The Mobile-RFID environment is quite new in certain countries, but Japan and South Korea are already on track. Now South Korea, and maybe Japan too, are looking into the possibility of extending it to cloud computing. I anticipate that should such a plan take place, security and data privacy issues will become more sophisticated. On one hand, these countries are very advanced (compared to others). On the other hand, in my humble opinion, the EU and US need to collectively agree on reform within their state or federal legislation and on how to respond to South Korea's and Japan's progress. Might a trilateral US-Europe-Asia data protection initiative be a good start? So much so that public policy lobbying is much needed.

In the meantime, I am sharing an image (imported from Google Images, copyright Gartner) on what is holding cloud computing back. Maybe another point that should be stressed in that image is data privacy, security and retention, or, put in a trendy way, information governance on the cloud!

Thursday 4 February 2010

Cloud Computing and RFID - Data privacy at stake?

In the midst of refining my research, I stumbled upon this interesting write-up that gives a general narrative of cloud computing. Most of the issues discussed were data privacy and security, with less on liability. The regime discussed was largely focused on the United States. Several other interesting discussions have also taken place. One of them, lately, is Microsoft's proposal for potential legislative reform on cloud computing. The proposal seems intuitive, yet needs added substance, especially on how third countries and other continents/regimes respond to the reform. It would be very interesting to witness the legal impact where a service provider based in the US is engaged by a company in a South East Asian country, and neither country has reached adequate data protection under the EU data protection standard (Directive 95/46/EC). Correspondingly, the company manages RFID deployment for its client/customer (which is a governmental agency). Questions: how do cloud computing liabilities respond? How do the data protection laws apply? And where are the lines of technical compliance, information security and risk drawn between these? It needs some brainstorming and rethinking.

Maybe, as a start. Johnathan Zittrain of Harvard Law School's article on: "Lost In The Cloud" is a recommended casual reading.

Image source: Google. Copyright belongs to the owner. The illustration is for informational purposes only.

Thursday 28 January 2010

MGDC 2010 - A Brief Retrospective

Last week (20-21 January 2010), I had the privilege to present a paper, "Malaysian Data Protection Bill; Some Useful Headways from the United Kingdom (UK) and the European Union (EU)", at the Malaysia-Glasgow Doctoral Colloquium. My 20-minute presentation was scheduled in parallel session 4 of the Social Science Stream.

My presentation slides are viewable HERE.

It was the inaugural colloquium, jointly hosted by the Glasgow-based universities: the University of Strathclyde, the University of Glasgow and Glasgow Caledonian University. The colloquium was sponsored by the Ministry of Higher Education and by some benefactors and sponsors of the universities. Overall, it was well managed, albeit the first time such a Malaysian postgraduate research colloquium had taken place in Scotland. Congratulations to the organisers and to all who were involved with this colloquium directly and indirectly.

During the presentation, I shared:-

1. The current position of the Data Protection Bill in Malaysia, which is expected to undergo its third (3rd) reading in Parliament.

2. The executive summary of my research and its link with my PhD research on RFID, data protection and privacy in the UK and EU.

3. Literature review and research methodology (content analysis, data analysis and observations).

4. Research limitations.

5. Substantive issues under the Malaysian Bill: governance, binding corporate rules, enforcement, application of the Bill to the commercial and private sectors only (not the State and the Government), dissemination, diffusion, and the standard of adequate protection.

6. Cross-references to the issues and challenges posed in the UK and EU, responding to the potential issues under item 5 above.

7. A way forward for Malaysia.

8. What's next in my research.

The above are the substantive pointers that I presented. I managed to complete the presentation within the allotted time and then called for questions and discussion. It was a real eye-opener to witness an interactive audience very much interested in sharing their insights and opinions on data protection and privacy. The reviewer (panel) provided useful comments too. I was asked four (4) questions, but I have selected the two (2) leading questions (not verbatim; proof-edited by myself) that capture the next stage of my research, as follows:-

Question 1: Should there be an extension of data protection and privacy to the perspective of psychology and the professionals in that area? (The questioner is an expert from one of the local universities in Malaysia.)

Answer: Yes. However, the notion of data protection and privacy is not yet embedded as a culture in Malaysia generally. Some professions, such as lawyers and doctors, have been abiding by confidentiality obligations in relation to their clients. Yet, at times, there is a tendency to share information and pry into a client's privacy with someone trusted in a relationship (such as a spouse, family or siblings). The intrusion happens indirectly, without the speaker realising that the more one talks about one's work, the more one's client's privacy is intruded upon. For the time being, it is best to propose a code of conduct or code of ethics that may self-regulate the professions whilst awaiting the Bill's transformation into law. If such codes exist, not only for the aforementioned professions but for all, a harmonised application should be adopted by looking at the spirit and motivation of the Data Protection Bill.

Question 2: What do you think about the current MyKad ID? Are there any data protection and privacy issues that may potentially arise?

Answer: The MyKad ID has been developed through and by different service providers and platforms, so several selected technologies are embedded in it. The issue that may arise is what the security risks of the respective parties would be when it comes to a data protection and privacy breach. Take the example of four (4) different companies having deployed four (4) different platforms in a MyKad deployment. The important question is whether all the companies are able to share the collective risk in the event of a security or data breach. In the absence of data protection legislation, I would argue that technology and controls prevail (such as encryption and other security methods and standards). However, should the Data Protection Bill become a reality, the respective parties should prepare a compliance checklist accommodating the data protection and privacy priorities. In this context, the technical liabilities of data protection and privacy apply.

Besides the two (2) questions above, the reviewer commented on my research methodology and proposed a feasible alternative to ensure the research is mapped as PhD research rather than post-doctoral research. A similar sentiment was raised by a PhD colleague (also a presenter) from the Warwick Institute of Education. His insightful comments, observations and views motivated me to revisit my research in a more coherent and pragmatic way. Many thanks for the inspiration.

There were also three (3) questions posed by some of the presenters in relation to the retrospective effect of the Malaysian Data Protection Bill on the banking industry; a presenter from Durham asked me the latter. I responded that the banking industry should anticipate the compliance costs needed to make itself compliant and relevant. Road shows, awareness and diffusion are the key to that, and issues of governance, resources, implementation and enforcement should also be prioritised.

A different presenter from Durham asked me about Radio Frequency Identification (RFID) technology, referring to the recent surveillance controversy in the United States. I briefly responded that when it comes to surveillance issues there are mixed responses, especially with RFID. It used to be a military technology; now it is a commercialised one. Yet one day the world will witness ambient intelligence: communications among the objects and things that surround us via RFID chips. It may be harmful and pry into one's privacy if there are no controls; it may also be useful for our daily activities. It depends on how one looks at a particular RFID technology, and it goes back to purpose. He then passed the remark "...we are living in an Orwellian world" during the introductory part of his own presentation, relating it to my presentation topic earlier. I might partly agree.

A presenter from Glasgow Caledonian asked how RFID technology works and about the interrelationships within an RFID environment. Within my knowledge, reading and exposure, I shared with her the generic illustration of the RFID tag categories, active and passive, the frequencies the tags operate on, database management, and notification to stakeholders/consumers (I cited the examples of some leading retailers in the UK that have deployed RFID). I hope my brief technological explanation was succinctly clear to her.

After one (1) week of analysing my paper, I have made some improvements to my current work (research and writing). This paper shall be submitted to the Malaysian Government and stakeholders by June 2010. As a long-term strategy, I will cite this paper in one of my PhD chapters (the Data Protection and Privacy chapter).

Thank you very much indeed for the experience, networking, discussions and opportunities. I look forward to presenting my next paper at BILETA 2010, to be held at the University of Vienna.

Respectfully reported.

Noriswadi Ismail
MPhil/PhD Candidate
Institute of Computer and Communications Law
Centre for Commercial Law Studies
School of Law, Queen Mary, University of London

Happy Data Privacy Day!

I am taking this opportunity to wish everyone a very Happy Data Privacy Day. 28 January every year is the designated date for this must-celebrate day, not only in the United States but also in other parts of the world: Canada, Australia and some European Union countries. Stakeholders representing corporate organisations, universities, the Information Commissioner's Office, Privacy Commissioners and others have joined this celebration with its collective mission in data protection and privacy. A detailed history of its birth and the reports for 2008 and 2009 are readable here. In a related development, I have just discovered a Privacy Project website that focuses its discussions, research and consultations on data protection and privacy as well. It will be fascinating to gauge the progress of these efforts, not only at the United States level but globally.

Security, At What Cost - A study by RAND

Thanks to Dr Ian Brown for posting this quantitative study by RAND on the above. I will map it through the lens of RFID in my research.

RFID SEC 2010 Asia

Singapore Management University will be hosting RFID SEC 2010 Asia in February 2010. Do peek at the details.

Monday 25 January 2010

Technology Predictions for 2010 - GPS and RFID

These predictions are interesting. We will see, over the next eleven (11) months, whether they hit or otherwise.

Cloud-based RFID; A privacy crawler?

It is always about the cost factor for companies, but it may partly be a technology trend as well. In Australia, the proposition to design a cloud-based RFID system has been mooted. I am unsure whether the idea has been translated into a proof of concept. If it has, it may be a privacy crawler, especially at this point in time, when people around the world have been raising cloud computing's chief issues: security, data protection and privacy.

Thursday 14 January 2010

RFID interoperability within healthcare

This American healthcare solutions commentator views that RFID deployment will be linked to other predicted areas of technology growth. It is very interesting to look at the top ten (10) predicted healthcare IT trends:-

  • Electronic Medical Records (EMRs) will gain momentum
  • Personal Health Records (PHRs) earn legitimacy
  • Cost containment is paramount
  • Alternative care delivery models emerge
  • War waged on Medicare fraud
  • Increased focus on outbreak preparedness
  • Patient safety initiatives intensify
  • Healthcare professionals in short supply
  • Storage and business continuity concerns abound
  • Physician groups join healthcare systems



As clichéd as it sounds, predictions may or may not hit. If one is to bring RFID within one of these predictions, stakeholders should also consider a privacy impact assessment and the respective informational privacy responses.

RFID Cluster in Songdo Korea

In an ambitious move, Songdo, a city in Korea, will be an RFID-enabled city, the Korea IT Times reports. In the absence of primary English-language literature on this, I am unsure whether Korea has strong data protection or privacy laws (if any), or whether the country has a guideline, code or any piecemeal legislation related to informational privacy. It would be very interesting to find out. Having said that, I anticipate that Korea will need to address informational privacy issues vis-à-vis RFID from various viewpoints. I wonder whether the Songdo RFID development is taking a gradual and progressive approach.

Friday 8 January 2010

RFID & NFC pair for digital money's evolution?

What sparks the move towards having digital money in place? I came across varying contexts and views after reading this. One of the contributing factors, amongst others, is the evolution of Near Field Communication (NFC). In my RFID research and reading, I have come across how NFC has been developed as a standard for technology applications.

Thus, pre-empting and anticipating the NFC hype, many technology companies lobbied to get engaged with its development globally. In South Korea and Japan, NFC applications in mobile phones have been in place since as early as 2002 (trial stage). Today, some locations are deployed with NFC-enabled readers, of course with the integration of an RFID chip. Concurrently, my research and reading suggest that the pairing of these technologies, NFC and RFID, will transform consumer convenience almost to perfection. My own thoughts affirm this. As the commentator suggested, by 2020 one shall gradually witness the usage of cash reaching the stage of extinction. It is interesting to see how possible the prediction of a cashless consumer shall be. Today we use debit cards and credit cards. PayPal, on the other hand, seems to lead the cashless environment as an intermediary convincingly accepted by its customers and users online (secure, fast and cashless).

Now, what the future holds for digital money or digital cash is a significant question that policy makers should anticipate from various viewpoints: technology, legal, regulatory, business and social. I predict that there should be a public consultation or white paper on technology coupling (such as NFC and RFID) that links to the aforementioned viewpoints. Such a viewpoint should be brainstormed, at least in skeletal form, without further ado.


Thursday 7 January 2010

Germany leads with the world's first RFID ID card (by 2010)

I am very interested in the potential acceptance by stakeholders once the RFID ID card has been issued. "The Local", Germany's news in English, reports.

My three (3) chief predictions:-

i) Mixed acceptance: it may be seen as partly harmful and partly acceptable by certain segments. However, awareness of and notification on how RFID works should be diffused; it is the primary role of the Data Protection Commissioner to do so;

ii) Controlled surveillance: potential cases of terrorism will be inhibited and minimised in that sense. Border control shall be beefed up and the percentage of illegal immigration cases may plummet;

iii) Periodic updates: it may be best for the Data Protection Commissioner, through higher-level representation, to voluntarily update the Article 29 Working Party and the RFID consultative group on the status of post-implementation. This may provide useful guidance and a case study on the effectiveness of implementation and how well Germany manages its stakeholders' perception.

Wednesday 6 January 2010

The EU Data Protection Review - What's Next?

I have read, religiously and between the lines, "The Review of EU Data Protection Law", both the technical report and the summary report.

Many anticipatory questions emerged as I was reading it. Nevertheless, I think it best to put the crux of the concerns in my proposed written paper at a later stage (or, hopefully, a publication by the end of 2010). My impression after reading these reports is partly mixed. The positive and ambitious part was the timeframe taken by the commissioned consultants in addressing the interviewees' responses, which, I think, may give me ideas on who to approach in my research. The uncertain part is the effectiveness of the post-report follow-up on the recommendations that have been put forward. Most, or largely all, are practicable, insightful and constructive. I duly hope that the EU Member States will adopt at least some of them, or at least a minimum implementation.

Congratulations to the consultants for the thorough work, in-depth analysis, research, study and recommendations.

Note: In a related development, the work on The Future of Privacy was released in December 2009. Special thanks to Hunton & Williams for disseminating it via their blog.

Tuesday 5 January 2010

RFID for the London Olympics 2012?

Suddenly, the Olympics came to mind. Beijing 2008 was a huge success in many ways, including the RFID infrastructure deployed during the Games, mainly for security and surveillance. I personally think London 2012 may emulate Beijing's success if painstaking caution is exercised. Despite the mixed views on its potential deployment and the privacy concerns, I anticipate that the Information Commissioner's Office will respond.

My predictions for the London Olympics 2012 surrounding RFID, data protection and privacy are:-

i) Tapping the RFID investment: the ruling Government shall invest considerably in security and surveillance. RFID and other biometric technologies will be introduced gradually;

ii) Road show on RFID: the Information Commissioner's Office shall play an active role in public notification and awareness. If possible, the public should be well informed through guidance on the RFID devices that will be deployed for the London Olympics;

iii) Post-Olympics 2012 report on RFID deployment: such a report will instil stakeholders' confidence that this technology has advantages for the British public and the world.

Monday 4 January 2010

Accepted Abstracts in Quarter 1 of 2010

Happy New Year and welcome to the new decade of 2010!

For the past month, I have been busy with writing, reading and researching. The results are tremendously engaging: new facts, new discoveries and new arguments. For the first (1st) quarter of 2010, I will be presenting two (2) papers:-


Conference 1: Malaysia Glasgow Doctoral Colloquium

Paper 1:-

Malaysia’s Data Protection Bill; Some Useful Headway From The United Kingdom (UK) And European Union (EU)

Noriswadi Ismail
MPhil/PhD Candidate
The Institute of Computer and Communications Law
The Centre for Commercial Law Studies
School of Law, Queen Mary, University of London

Abstract

In the near future, a Data Protection Act will enter Malaysia’s legal regime. It is anticipated that there will be compliance costs to be accommodated by stakeholders. This paper anticipates the substantive concerns on which Malaysia should learn from the UK and EU. Selected case studies shall be appraised.


Summary

On 8 October 2009, a series of online and hard-copy highlights surrounded data protection concerns, issues and the need for enforcement in Malaysia. Some authors, experts and critics have rightfully opined that it is about time for Malaysia to be vigorous on this subject. Whilst the feedback is very much a triangulation, this paper anticipates further what and how Malaysia should continue to learn from the UK and EU on these concerns. From the country’s perspective, Malaysia is not far behind her Association of South East Asian Nations (ASEAN) counterparts in giving birth to data protection legislation. Whilst some ASEAN member states’ legal regimes are sector-specific, self-regulatory via other existing legislation, or follow prevalent soft-law approaches, Malaysia has to anticipate a series of fundamental issues once the Data Protection Bill is in force.

Appropriately, data protection and privacy involve actors and stakeholders. Their participation in daily activities, commerce, trade and communications is engaging, be it virtual, physical or in our real lives. Extensive virtual navigation in the Web 2.0 sphere has triggered concerns for our lives today and has chilling effects in all countries; Malaysia is no exception. Potential strategies must be pre-empted for Malaysia once the Bill is gazetted legislation. This paper cursorily analyses selected cases and progressive experiences from the UK and EU within different eras (from the 1990s to 2000 and to date), being the decades of data protection’s maturity in the UK and EU. These cases and experiences are indispensable for Malaysia’s roadmap. The author has opted not to paraphrase the draft Bill or any of the UK and EU instruments. Instead, pragmatic analysis, rationales and reasons will be presented to support the assertion that Malaysia should learn from these jurisdictions and regimes.

Arguably, there are three main terms of reference for this paper. First, as Malaysia is very new to this piece of legislation, a thorough overview should be offered to disseminate potential data protection issues to stakeholders and to gauge a clear apprehension of its interrelationship with the various actors and stakeholders. In this paper, actors and stakeholders refer to any individuals, and the roles may apply interchangeably. Second, as Malaysia’s government has its own preferred approaches to focusing on and retaining governmental data via other existing legislation, the author shall appraise broadly the UK Freedom of Information Act 2000, which, in a way, relates and cross-refers to certain intersections with data protection concerns. Third, as Malaysia has targeted 6% annual Gross Domestic Product (GDP) growth by 2020, it is undeniably paramount that the growth contributions are derived from domestic and international trade and investment. Because of the latter, the exchange of data, data retention, security and trans-border data flows will be aggressive, or maybe uncontrollable, if due care and diligence in data protection are not adopted seriously. Thus, it needs painstaking attention by actors and stakeholders in dealing with the different data protection approaches, principles and enforcement with and amongst Malaysia’s trading partners. All of these references shall be discussed via the UK and EU actors’ and stakeholders’ experiences.




Conclusion

This paper concludes by proposing a data protection strategy roadmap to Malaysian actors and stakeholders. It is hoped that the future Data Protection Commissioner, or equivalent Privacy Commissioner, will consider the rationales of such an adoption for Malaysia in a localised context and setting. In the second part of the conclusion, the author suggests regional and international collaboration, networks and diffusion relating to data protection in regional and international fora.

Keywords: Data Protection. Privacy. Malaysia. United Kingdom. European Union.




References

Books

Chris Reed (ed), Reed and Angel: Computer Law (5th rev edn, OUP, Oxford 2003) 417-453.
Ian J Lloyd, Information Technology Law (OUP, Oxford 2008) 3-180.
Ian Walden, Computer Crimes and Digital Investigations (OUP, Oxford 2007).
Rosemary Jay and Angus Hamilton, Data Protection Law and Practice (Sweet & Maxwell 1999).
Ruth Boardman and Richard Morgan, Data Protection Strategy (1st edn, Sweet & Maxwell 2003).

Websites

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, accessed 9 November 2009.
Review of EU Data Protection Directive: Summary <http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive_summary.pdf> accessed 9 November 2009.




Conference 2: BILETA 2010

Paper:-

Mobile Radio Frequency Identification Technology (Mobile-RFID); where is privacy?

By Noriswadi Ismail
MPhil/PhD Candidate
The Institute of Computer and Communications Law
The Centre for Commercial Law Studies
School of Law, Queen Mary, University of London

Abstract

i2010 is aimed at the European Information Society for growth and employment, and priorities for a new European information society strategy (2010-2015) will follow. These ambitious aims are part and parcel of the vision of digitising Europe over the next 5 years. One of the significant growth areas in this sphere is Mobile Commerce (M-Commerce) together with Radio Frequency Identification Technology (RFID). M-Commerce has been deployed widely by mobile operators in their present business models. In the United Kingdom (UK) and Europe, stakeholders and consumers have had a mixed bag of responses on its effectiveness, quality of service, functionality and liabilities. As M-Commerce evolves, RFID has been put into trials within the M-Commerce environment. The main motivation is purely convenience for stakeholders and consumers, which tops the priority list. Nevertheless, there are two main concerns surrounding these trials and deployments. First, they may spark the issue of data surveillance in a greater context. Second, they may raise the issue of privacy in a broader context. This paper narrates the potential challenges that mobile operators shall face based on these concerns, with carefully substantiated reasons. At a generic level, this paper also touches on documented Mobile-RFID trials in selected East Asian countries as a cross-border, comparative analysis. At a specific level, it appraises Mobile-RFID trials and developments and proposes potential considerations within the ambit of the data protection and privacy concerns in Mobile-RFID that are prevalent in the existing consultative member states of the European Union.