Thursday 28 January 2010

MGDC 2010 - A Brief Retrospective

Last week (20-21 January 2010), I had the privilege to present a paper on "Malaysian Data Protection Bill; Some Useful Headways from the United Kingdom (UK) and the European Union (EU)" at the Malaysia-Glasgow Doctoral Colloquium. My 20-minute presentation was scheduled at the Social Science Stream parallel session 4.

My presentation slides are viewable HERE.

It was the inaugural colloquium, jointly hosted by the Glasgow-based Universities: University of Strathclyde, University of Glasgow and Glasgow Caledonian University. The colloquium was sponsored by the Ministry of Higher Education, some benefactors and sponsors of the Universities. Overall, it was a well-managed one, albeit the first time such a Malaysian postgraduate research colloquium took place in Scotland. Congratulations to the resources and all who were involved with this colloquium directly and indirectly.

During the presentation, I have shared:-

1. The current Data Protection Bill's position in Malaysia - that it will potentially undergo a third (3rd) reading in the Parliament.

2. The Executive Summary of my research and the link with my PhD research in RFID, data protection and privacy in the UK and EU.

3. Literature Review and Research Methodology (content analysis, data analysis and observations)

4. Research Limitation.

5. Substantial issues under the Malaysian Bill: Governance, Corporate Binding Rules, Enforcement, Application of the Bill only to commercial and private sectors - not the State and the Government, Dissemination, Diffusion and Standard of adequacy protection.

6. Cross references to issues and challenges posed by the UK and EU by responding to the potential issues under item number 5 above.

7. A way forward for Malaysia.

8. What's next in my research.

The above are related substantial pointers that I presented. In the interest of time, I managed to complete the presentation and called for more questions and discussions. It was exceedingly an eye opener to have witnessed interactive members of the audience that were very much interested to share their insights and opinions on data protection and privacy. The reviewer (panel) had provided useful comments too. I was asked four (4) questions. But, I have selected two (2) leading questions (not verbatim, but proof edited by myself) that captured my next stage of research, as follows:-

Question 1: Whether there should be an extension of data protection and privacy from the perspective of psychology and the professionals in this area? (The questioner is an expert from one of the local universities in Malaysia.)

Answer: Yes. However, the notion of data protection and privacy was not yet embedded as a culture, generally, in Malaysia. However, some professions, like lawyers and doctors, have been abiding by the confidentiality clauses in relation to the client's confidentiality. However, at times, there is a tendency for one to share the information, prying into a client's privacy, with someone that they trust in a relationship (like their spouses, families or siblings). The intrusion and prying indirectly happened without knowing the condition that the more one speaks and talks about their work, the more his or her client's privacy is intruded upon. However, for the time being, it is also best to propose a code of conduct or code of ethics that may self-regulate any professions whilst awaiting the Bill's translation to be transformed into a Law, retrospectively. If there are such codes, not only for the aforementioned professionals, but for all, a harmonised application should be adopted by looking into the spirit and motivation of the data protection bill.

Question 2: What do you think about the current MyKad ID, wondering whether are there any data protection and privacy issues that may potentially arise?

Answer: MyKad ID has been developed through and by different service providers and platforms. Thus, there are several and selected deployed technologies embedded. However, the issue that may arise is what the security risks of the respective parties would be when it comes to issues of data protection and privacy breach. Take an example of four (4) different companies, having deployed four (4) different platforms, in a MyKad deployment. The important notion is whether all companies are able to share the collective risks in the event there shall be a security and data breach. In the absence of data protection legislation, I may argue that the technology and controls prevail (like encryption and other security technology methods and standards). However, should the Data Protection Bill be a reality, the respective parties should make a compliance checklist in accommodating the data protection and privacy priorities. So much so, in this context, the technical liabilities of data protection and privacy apply.

Besides the two (2) questions above, the Reviewer has commented on my research methodology and proposed a feasible alternative as to ensure the research should be mapped for a PhD research as opposed to a Post Doctoral research. A similar sentiment was also mooted by a PhD colleague (also a Presenter) from Warwick Institute of Education. His insightful comments, observations and views motivated me to revisit and relook at my research coherently and pragmatically. A mouthful thanks for the inspiration.

There are also three (3) questions that were posed by some of the presenters in relation to the retrospective effect of the Malaysian Data Protection Bill towards the banking industries. A presenter of Durham asked me the latter. I aptly responded that banking industries should be able to anticipate the compliance costs as to make themselves compliant and relevant. Road shows, awareness and diffusion are the key towards that. Issues of governance, resource, implementation and enforcement should also be prioritised.

A different presenter of Durham asked me about Radio Frequency Identification Technology (RFID) by inferring to the United States' recent surveillance limbo. I briefly responded that when it comes to surveillance issues, there are mixed responses, especially when it comes to RFID. It used to be a military technology. Now, it is a commercialised technology. Yet, the world (one day) will witness the ambient intelligence (Ai) communications that are surrounded by objects and things communicable via RFID chips. It may be harmful and pry into one's privacy if there are no controls. It may also be useful for our daily lives' activities. It may depend on how one looks at a particular RFID technology. It goes back to purpose. He, then, passed the remark: "...we are living in an Orwellian world" - during the introductory part of his presentation, by relating to my presentation topic earlier. I might partly agree.

A presenter of Glasgow Caledonian asked how RFID technology works and about the interrelationship within an RFID environment. Within my knowledge, reading and exposure, I shared with her the generic illustration on the RFID tag categories - active and passive. It depends upon the frequency usage of the tags, database management and notification to the stakeholders/consumers (I have cited the examples of some leading retailers in the UK that have deployed RFID). I hope my brief technological explanation to her was succinctly clear.

After one (1) week of analysing my paper, I have made some improvements to my current works (research and writing). This paper shall be submitted to the Malaysian Government and stakeholders by June 2010. For a long term strategy and plan, I will cite this paper in one of the PhD chapters (under the Data Protection and Privacy Chapter).

Thank you very much indeed for the experience, networking, discussions and opportunities. I look forward to attending my next paper presentation in BILETA 2010, to be held at the University of Vienna.

Respectfully reported.

Noriswadi Ismail
MPhil/PhD Candidate
Institute of Computer and Communications Law
Centre for Commercial Law Studies
School of Law, Queen Mary, University of London

Happy Data Privacy Day!


I am taking this opportunity to wish a very Happy Data Privacy Day. 28 January every year is the designated date for such a must-to-celebrate Data Privacy Day not only in the United States, but also in some parts of the world - Canada, Australia and some European Union countries too. Stakeholders representing the corporate organisations, universities, Information Commissioners' Office, Privacy Commissioners and all have joined this celebration with its collective mission in data protection and privacy. Detailed history of its birth, the reports of 2008 and 2009 are respectively readable here. In a related development, I have just discovered a Privacy Project website that focuses its discussions, research and consultations in the area of data protection privacy as well. It will be quite fascinating to gauge the progress of these efforts, not only at the United States' level, but also, at the global level.

Security, At What Cost - A study by RAND

Thanks to Dr. Ian Brown for posting this quantitative research / study by RAND on the above. I will map it based on the lens of RFID in my research.

RFID SEC 2010 Asia

Singapore Management University will be hosting the RFID SEC 2010 in February 2010. Do peek at the details.

Monday 25 January 2010

Technology Predictions for 2010 - GPS and RFID

These predictions are interesting. We will see and await the next eleven (11) months of translation - whether they hit, or otherwise.

Cloud-based RFID; A privacy crawler?

It is always about the cost factor for companies. But, it may be partly due to technology trend as well. In Australia, the proposition to design a cloud-based RFID was mooted. I am unsure whether the idea has been translated into a proof of concept. If it has, it may be a privacy crawler, especially, at this point of time - where people around the world have been advocating on cloud computing's chief issues: security, data protection and privacy.

Thursday 14 January 2010

RFID interoperability within healthcare

This American healthcare solutions' commentator views that RFID will be linking its deployment to other predicted technology growth. It's very interesting to look into the top ten (10) predictions of the healthcare IT trends:-


  • Electronic Medical Records (EMRs) will gain momentum
  • Personal Health Records (PHRs) earn legitimacy
  • Cost containment is paramount
  • Alternative care delivery models emerge
  • War waged on Medicare fraud
  • Increased focus on outbreak preparedness
  • Patient safety initiatives intensify
  • Healthcare professionals in short supply
  • Storage and business continuity concerns abound
  • Physician groups join healthcare systems

As cliché as it sounds, predictions may hit and may not hit. If one is to bring RFID within one of these predictions, stakeholders should also consider the privacy impact assessment and its respective informational privacy responses.




    RFID Cluster in Songdo Korea

    In an ambitious move and plan, Songdo, a city in Korea, will be an enabled-RFID-city. The Korea IT Times reports. In the absence of such primary English literature on RFID, I am unsure whether Korea has strong data protection / privacy laws (if any). Or, whether the country has a guideline, code or any piecemeal legislation that is related to informational privacy. It would be very much interesting to gauge certain discovery on this matter. Having said that, I anticipate and predict that Korea needs to address informational privacy issues vis-à-vis RFID from various spectrum and viewpoints. Wondering whether the Songdo RFID development is taking a gradual and progressive phase.

    Friday 8 January 2010

    RFID & NFC pairs for Digital Monies' evolution?

    What sparks the move on having digital monies in place? I have reached into varying contexts and views after reading this. One of the contributing factors, amongst others, is also due to the evolution of Near Field Communications (known as NFC). In my RFID research and reading, I have come across how NFC has been developed as a standard for technology applications.

    Thus, whilst pre-empting and anticipating the NFC hype, many technology companies lobbied to get engaged with its development globally. In South Korea and Japan, NFC applications within mobile phones have taken place as early as 2002 (trial stage). Today, some locations are deployed with readers that are read-enabled with NFC, and of course, with the integration of RFID chip. Concurrently, my research and reading have ideally outlined that the pairing of such technology - NFC and RFID will transform consumers and users' convenience almost to perfection. My thought hit and affirmed it. As the commentator suggested, by 2020, one shall gradually witness the usage of cash to reach the stage of extinction. It's interesting to see how possible the prediction of a cashless consumer shall be. Today, we have been using Debit cards and Credit cards. PayPal, on the other hand, seems to lead the cashless environment intermediary convincingly acceptable by its customers and users via online (secured, fast and cashless).

    Now, what the future lies on digital monies or digital cash is a significant question that policy makers should anticipate from various viewpoints - technology, legal, regulations, business and social. I may predict that there should be a public consultation or white paper on technology coupling (alike of NFC and RFID) that links towards various aforementioned viewpoints. The call for such a viewpoint should be brainstormed skeletally without further ado.


    Thursday 7 January 2010

    Germany leads the world's first RFID ID card (by 2010)

    I am so interested in the potential acceptance by stakeholders once the RFID ID card would have been issued. "The Local" Germany News In English reports.

    My three (3) chief predictions:-

    i) Invidious acceptance: It may be partly harmful and may be partly okayed by certain segments. However, awareness and notification on how RFID works should be diffused. It's the primary role of the Data Protection Commissioner to do so;

    ii) Controlled surveillance: potential cases on terrorism will be inhibited and minimised in that sense. Border control shall be beefed up and the percentage of illegal immigrant cases may plummet;


    iii) Periodic updates: Maybe, it's best for the Data Protection Commissioner through their higher level representation to be able to voluntarily update the status of post implementation to the Article 29 Working Party and the RFID consultative group. This may provide useful guidance and case study on the effectiveness of implementation and how well Germany manages their stakeholders' perception.

    Wednesday 6 January 2010

    The EU Data Protection Review - What's Next?

    I have read, religiously, and between the lines on "The Review of EU Data Protection Law" - both the technical report and the summary report.

    There are flows of anticipating questions that emerged, as I was reading it. Nevertheless, I think, it's best to put the crux of the concerns at a later stage in my proposed written paper (or hopefully, a publication, by end of 2010). My impression after reading these reports is partly mixed. The positive and ambitious part was the timeframe taken by the commissioned Consultants in addressing the interviewees' responses, which I think, may lead to certain ideas - on who's who to approach in my research. The uncertain part is the effectiveness of post-report or review pursuant to the recommendations that have been put forward. Most, or largely, are all practicable and insightfully constructive. I duly hope the national EU Member States have adopted, at least, some of it or at least, the minimum implementation.

    Congratulations to the Consultants for the thorough works, in depth analysis, research, study and recommendations.

    Note: In a related development, the work on The Future Of Privacy was released in December 2009. Special thanks to Hunton & Williams for the dissemination via their blog.

    Tuesday 5 January 2010

    RFID for London Olympics 2012?

    Suddenly, Olympics came into mind. Beijing 2008 was a huge success, in many ways. It also includes the deployed RFID infrastructure during the Olympics. Main reasons were largely on security and surveillance. I personally think London 2012 may emulate Beijing's success if painstaking caution is put in place. Despite the mixed views on its potential deployment and privacy concerns, I anticipate, there shall be some reactions by the Information Commissioner's Office to respond.

    My predictions for London Olympics 2012 surrounding RFID, data protection and privacy are:-

    i) Tapping the RFID investment: The ruling Government shall invest considerably large on security and surveillance. RFID and other biometrics technology will take place gradually;

    ii) Road show on RFID: The Information Commissioner's Office shall play active roles for public notification and awareness. If possible, guidance on related RFID devices that will be deployed for London Olympics should be well-informed.

    iii) Post Olympics 2012 report on RFID deployment: By having this report, it will instill stakeholders' confidence that this technology has advantages for the British public and the world.

    Monday 4 January 2010

    Accepted Abstracts in Quarter 1 of 2010

    Happy New Year and welcome to the new decade of 2010!


    For the past one month, I have been busy with writing, reading and researching. The results of which, are tremendously engaging. New facts. New discoveries. And new arguments. For the first (1st) quarter of 2010, I will be presenting two (2) papers:-


    Conference 1: Malaysia Glasgow Doctoral Colloquium

    Paper 1:-

    Malaysia’s Data Protection Bill; Some Useful Headway From The United Kingdom (UK) And European Union (EU)

    Noriswadi Ismail
    MPhil/PhD Candidate
    The Institute of Computer and Communications Law
    The Centre for Commercial Law Studies
    School of Law, Queen Mary, University of London

    Abstract

    In the near future, the Data Protection Act will take place in Malaysia’s legal regime. It is anticipated that there shall be potential compliance costs to be accommodated by the stakeholders. This paper anticipates substantive concerns that Malaysia should learn from the UK and EU. Selected case studies shall be appraised.


    Summary


    On 8 October 2009, there was a series of online and hardcopy highlights that surrounded data protection concerns, issues and the need for enforcements in Malaysia. Some authors, experts and critiques have rightfully opined that it is about time for Malaysia to be vigorous on this subject matter. Whilst the feedbacks are very much a triangulation, this paper shall anticipate further what and how Malaysia should endlessly learn from the UK and EU on these similar concerns. From the country’s perspective, Malaysia is not far behind her other Association of South East Asian Nations (ASEAN) counterparts in giving birth to a data protection legislation. Whilst some ASEAN member states' legal regimes are sector-specific based, self-regulatory via other existing legislations and prevalent soft-law approaches, Malaysia has to anticipate a series of fundamental issues once the Data Protection Bill is in force.


    Appropriately, data protection and privacy involves its actors and stakeholders. Their participation in daily activities, commerce, trade and communications are engaging – be it virtual, physical and in our real lives. Extensive virtual navigation via Web 2.0 sphere has triggered concerns to our lives today and leads to such chilling effects to all countries. Malaysia is not an exception to this effect. Potential strategies must be pre-empted for Malaysia once the Bill will be a gazetted legislation. This paper shall cursorily analyse selected cases and progressive experiences from the UK and EU within different periods of era (from 1990s to 2000 and to date), being the decade of data protection’s maturity in the UK and EU. These cases and experiences are indispensable for Malaysia’s roadmap. The author has personally opted for not paraphrasing the draft Bill or any of the UK and EU Directives. Instead, pragmatic analysis, rationales and reasons will be enlightened to support such assertions and views to support as to why Malaysia should learn from these jurisdictions and regimes.




    Arguably, there are three main terms of reference that are substantiated towards this paper. First, as Malaysia is very new to this piece of legislation, a thorough overview should be inferred to disseminating potential data protection issues to the stakeholders. This is to gauge a clear apprehension on its inter-relationship with various actors and stakeholders. In this paper, the actors and stakeholders are referred to any individuals and the roles may interchangeably apply. Second, as Malaysia’s government has its own preferred approaches to focusing and retaining its governmental data via other existing legislation, the author shall appraise the broad analysis of the UK Freedom of Information Act 2000, that, in a way, relates and cross refers to certain intersection of data protection concerns. Third, as Malaysia has targeted 6% of annual Gross Domestic Product (GDP) by 2020, it is undeniably paramount that the growth contribution factors are derived from domestic and international trades and investments. Due to the latter, the exchanges of data, data retention, security and trans border data flows will be aggressive or maybe uncontrollable – if due care and diligence of data protection is not adopted seriously. Thus, it needs special painstaking attention by the actors and stakeholders in dealing with different data protection approaches, principles and enforcements with and amongst Malaysia’s trading partners. All of these references shall be discussed via the UK and EU’s actors and stakeholders’ experiences.




    Conclusion




    This paper shall be concluded via proposing a data protection strategy roadmap to Malaysian actors and stakeholders. It is hoped that the future Data Protection Commissioner or the equivalent Privacy Commissioner will be able to consider the rationales of such an adoption for Malaysia in a localised context and setting. In the second part of the conclusion, the author shall suggest proposed regional and international collaboration, networks and diffusion that relate to data protection at the regional and international foray.




    Keywords: Data Protection. Privacy. Malaysia. United Kingdom. European Union.




    References

    Books

    Chris Reed (ed), Reed and Angel: Computer Law (5th rev OUP, Oxford 2003) 417-453.
    Ian J. Lloyd, Information Technology Law (OUP, Oxford 2008) 3-180.
    Ian Walden, Computer Crimes and Digital Investigations (OUP, Oxford 2007).
    Rosemary Jay and Angus Hamilton, Data Protection Law and Practice (Sweet & Maxwell, 1999).
    Ruth Boardman and Richard Morgan, Data Protection Strategy (Sweet & Maxwell, 1st Edition, 2003).

    Websites

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data accessed 9 November 2009.
    Review of EU Data Protection Directive: Summary <http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive_summary.pdf> accessed 9 November 2009.




    Conference 2: BILETA 2010

    Paper:-

    Mobile Radio Frequency Identification Technology (Mobile-RFID); where is privacy?

    By Noriswadi Ismail
    MPhil/PhD Candidate
    The Institute of Computer and Communications Law
    The Centre for Commercial Law Studies
    School of Law, Queen Mary, University of London

    Abstract

    i2010 is aimed towards the European Information Society for growth and employment. There shall also be priorities for new strategy for European information society (2010-2015). These ambitious aims are part and parcel of the digitalizing Europe vision for the next 5 years. One of the significant growths in this sphere is Mobile Commerce (M-Commerce) and Radio Frequency Identification Technology (RFID). Mobile Commerce or technically termed as M-Commerce has been deployed widely by mobile operators in their present business models. In the United Kingdom (UK) and Europe, stakeholders and consumers have had a mixed bag of responses on its effectiveness, quality of service, functionalities and liabilities. As M-Commerce evolves, Radio Frequency Identification Technology (RFID) has been put into trials within the M-Commerce environment. The main motivation is purely on convenience to the stakeholders and consumers – as the top priority list. Nevertheless, there are two main concerns surrounding these trials and deployment. First, it may spark the issue of data surveillance in a greater context. And second, it may question the issue of privacy in a broader context. This paper shall narrate potential challenges that shall be faced by mobile operators based on these concerns. Careful substantiated reasons are also outlined. At a generic level, this paper shall also touch on documented trials on Mobile-RFID in selected East Asian Countries as cross border and comparative analysis. At a specific level, it shall appraise the Mobile-RFID trials and developments and propose potential considerations within the ambit of data protection and privacy concerns in Mobile-RFID that are prevalent to the existing consultative member states of the European Union.