Thursday 23 December 2010

2010 - The Year of Data Protection and Privacy in Malaysia!

2010 is a year of hope for technology law in Malaysia.

I stand by the above statement for this chief reason: the Personal and Data Protection (PDP) Act 2010 was gazetted in April 2010. As I write, the proposed Data Protection Commissioner's Office is still being planned. Rumour has it that it may be in place by the first (1st) quarter of 2011. This development means a lot to Malaysia in many ways. Three points are submitted. First, the PDP Act enables everyone (individuals) and stakeholders to collect, handle, manage, process, retain, share and expunge data in a responsible and compliant manner. Second, the PDP has pushed Malaysia (indirectly) to recognise 'informational privacy' as a right - although the incentive and motivation of this Act concern commercial transactions only. Third, the PDP will also trigger possible amendments or revisions of piecemeal legislation that contains the word "privacy" in Malaysian statutes.

The PDP Act (although a very new law to Malaysians) is a testimony of Malaysia getting herself ready to be on par with others. In the Asia Pacific region, Malaysia is the second (2nd) country, after Hong Kong, to have her own data protection and privacy legislation. Other countries' legislation is based on sector-specific and code/voluntary approaches. As some may know, the world's privacy and data protection laws are generally motivated by these: the European Data Protection Directive 95/46/EC, the American Safe Harbor approach, the OECD Guidelines, the APEC Privacy Principles, and industrial and technological approaches.

Besides the PDP, interesting developments that have taken place are the observations of Malaysian court judges on privacy protection. There are two cases that touched (generally) on this.

First, in Ultra Dimension Sdn Bhd v Kook Wei Kuan [2004] 5 CLJ 285, Justice Faiza Thamby Chik observed: "...English common law does not recognise the privacy rights; therefore invasion of privacy rights does not give right to a cause of action. Since English common law, pursuant to Section 3 of the Civil Law Act 1950, is applicable in Malaysia, privacy rights which is not recognised under English Law is accordingly not recognised under Malaysian Law.." However, in an interesting case of Dr Bernadine Malini Martin v MPH Magazine Sdn. Bhd. & Ors [2010] 1 LNS 694, Justice Hishamudin observed: "...it is unfortunate for the plaintiff, that the law of this country, as it stands presently, does not make an invasion of privacy as an actionable wrongdoing (it is actionable under the law of some other jurisdictions, for example, in the United States)..." 

These observations seem to be interesting in one way, mainly that Malaysians are coming to recognise their privacy rights. Adding to this, there were headlines in Malaysian national dailies during the third (3rd) quarter of 2010, which highlighted the complaints of a mobile phone customer of a leading Government-linked telecommunications company. The complainant claimed that the mobile service provider did not secure her consent in sharing her confidential data that is retained in the database. Thus, it breaches certain aspects of her data confidentiality. When the case was brought to press, thus far, and to date, my research suggests that there's no "hard push" by, and from, consumer groups or organisations in issuing such statements representing consumers' rights. What more, in privacy!

After the PDP Act was passed, there were many training sessions and workshops that took place, mostly in Kuala Lumpur. Stakeholders and the public were very much concerned about how the Act would affect and be applied in their daily life and transactions. My observations from this eagerness are twofold. Firstly, practitioners, academics and consultants should collaborate to disseminate the basic principles first. This means that, besides explaining or paraphrasing the sections in the PDP Act, it is fundamental to enlighten the public on what these terms mean: data, personal data, privacy, informational privacy, the applications in daily life and the applications in commercial transactions. Secondly, after conveying the meanings and differences clearly, we must be able to explain selected cases clearly and coherently, on a case-by-case basis, from different perspectives. These observations, in my humble opinion, may take a longer time to mature. Nonetheless, the practitioners, academics, consultants and researchers who are experts in this subject matter must collectively offer the appropriate theoretical foundation to the Malaysian public. I am calling for a collective responsibility to disseminate a meaningful comprehension of this (for the purpose of nation building).

From the business strategy perspective, the PDP Act will provide potential opportunities in terms of 'commoditisation'. Technology companies may call on their Research & Development (R&D) teams to write a particular system that may be customised for their existing and potential clients. In other words, such systems should now have certain checklists on privacy impact assessment, and also a privacy by design approach. Whatever perspective of opportunity Malaysian stakeholders (whether from business or consultancy) come from, it is indispensable for them to understand the basics, and then move on to the next level of understanding (whether they have clearly understood what privacy and data protection are).

And why do I claim 2010 is the year of data protection and privacy in Malaysia?

The answer lies in Malaysians' hands and minds. The Malaysian Legislative and Executive (politicians) deserve a pat on the back. The abstract and outlines of the laws have been exposed. Now, we will witness the implementation and enforcement (in anticipation) - which will be the subsequent chapters of how the laws will grow, develop and mature.

RFID is still "hot"

After almost fifteen (15) months of research, I have reached a preliminary analysis that RFID is still a hot topic.

Much of the progress and development in RFID is surrounded by commercial and technological incentives. It is arguably a "commoditised technology". The world today, by way of economic segregation (the United States of America, the Euro zone and the emerging markets), has deployed RFID applications in many ways. Mostly, these have given benefits and yielded dividends to large companies and organisations which have the budget. Although recession took place in 2010 and is silently taking place (to date) in some continents, the prediction on the expansion of RFID applications' deployment remains bullish.

Interestingly, the European Union is very active in mapping a possible roadmap for RFID and its growth by 2020. The East Asian technological leaders - South Korea, Taiwan and Japan - have, by far, been leading the game (in terms of deployment). China handsomely deployed her RFID applications in the most spectacular Olympic Games of 2008 in Beijing (through RFID-enabled ticket applications). It is predicted that London 2012 will make a similar move: not only deploying selected RFID applications, but also potentially extending the technological infrastructure capacity through cloud computing (the Cloud).

Much of the global progress in RFID is still segmented by continent. Several issues are still being discussed at the higher level (meaning: policy, strategy and government). Three (3) issues are of relevance: firstly, interoperability; secondly, standardisation; and thirdly, data protection and privacy. Of course, there are other contributing and pressing issues that may add to the list. Nonetheless, by way of priority, the aforementioned issues are of significance and demand urgent progress.

In the leading RFID Journal and other RFID service providers' write-ups and marketing collateral, sophisticated RFID applications have been marketed to existing and potential customers. The features seem to be appealing, especially to the stakeholders that have benefited from the applications. These groups are simply tagged as RFID proponents. On the contrary, RFID opponents seem to be quite quiet in demanding more awareness of this technology. Back in 2002-2006, the push by public policy and civil liberties groups in the US was so powerful. Now, the voices are heard less. Maybe (arguendo), this is due to the other pressing issues that preoccupy the US today. The developments in the European Union (EU) are largely still at a higher level. In review of the EU's efforts, there is minimal progress taking place. The recent one is the Article 29 Data Protection Working Party in relation to the Privacy Impact Assessment's response by the industries and stakeholders with regards to RFID. Although the responses seem to be a turning point for such progress, it is submitted that much needs to be done not only at the EU level, but also between and amongst the 27 Member States.

Across Asia, China, India, South Korea, Taiwan, Japan, Malaysia and Singapore have gradually deployed RFID and realised its importance. Out of these countries, taking Malaysia as an example, the Malaysian Communications and Multimedia Commission (MCMC) has issued an RFID survey to the stakeholders. Upon perusing the survey, it appears that it aims to gauge only the technical understanding and perceptions of RFID, but lacks the data protection and privacy aspect. Perhaps MCMC would be able to issue another round of survey that touches on the stakeholders' perceptions of RFID, data protection and privacy.

As issues on RFID are still hot, I predict these will emerge in 2011:

1) That the EU's RFID progress will become more aggressive once the review of the European Commission's Data Protection Directive has been completed. This means, once the revised European Directive 95/46/EC takes place, the Article 29 Working Party and related Directives will take RFID to a more serious tone/level;

2) That RFID standardisation and interoperability need active involvement not only from the EU level, but also from other international organisations such as the International Telecommunications Union (ITU). This prediction is based on the possibility that Mobile-RFID will boom and penetrate the market with gradual growth (by 2020); and

3) That the discussion of RFID from the perspectives of data protection and privacy is still important. Although there are RFID technical guidance, codes, regulations and best practices, the efforts need to be beefed up, especially when the boom of cloud computing business takes place. This means data that are retained and kept in the RFID Service Provider's or a Data Controller's server may also be parked and retained in the Cloud. Hence, issues of data protection, privacy and contractual liabilities may also arise.


RFID is indeed still relevant and a "hot" topic, and promises more progress in 2011 and the years ahead!


Tuesday 14 December 2010

Call for public consultation: Strategy to strengthen EU Data Protection rules

On 4 November 2011, the European Commission issued its call for public consultation in relation to its data protection rules. The call is retrievable HERE. The deadline for interested stakeholders to submit their views is 15 January 2011. I will submit my proposal (for consideration) individually and also as a collective proposal under the banner of the Data Protection & Open Society Project's Oxford Centre for Socio-Legal Studies. On 2 December 2010, a total of 6 researchers brainstormed to reach a certain consensus. Overall, the solicited views have been taken into account and the draft is expected to be ready by the end of December 2010 or early January 2011. Updates will follow when the time comes.

Visiting Researcher in Oxford

For the forthcoming 2011, I will be a visiting researcher in the esteemed Data Protection & Open Society Project (DPOS), at Oxford University's Centre for Socio-Legal Studies. My visiting research status will be from 14 February 2011 - 4 April 2011. Further details on the DPOS are reachable HERE.

Forthcoming publication

I presented a paper on: "Cursing the Cloud (or) Controlling the Cloud". Briefly, this paper (generally) appraises the move by Microsoft in relation to the Cloud. In detail, it touches on the level of adequacy of data protection from the perspectives of the European Data Protection Directive 95/46/EC and Safe Harbor. It also extends the concern of adequacy to non-EEA countries (where the level of adequacy is still underdeveloped, immature and emerging). This paper also proffers a potential hypothetical model called the Cloud Compliant Strategy (CCS). The CCS aims to develop a theoretical base / framework that is usable for specific continents and market economies: particularly, the US, the Europe Zone and the emerging markets. Although the CCS is still at its embryonic stage, I endeavour to extend this in my next paper.

In the meantime, this paper has been published in: Kierkegaard & Kierkegaard (eds), Private Law: Rights, Duties and Conflicts (2010) ISBN: 978-87-991385-8-6 at pp 158-171. This paper will also be published in the Computer Law & Security Review's forthcoming 2011 publication.

In the interest of knowledge sharing, my paper is retrievable HERE. Any potential citation of this article is also appreciated (by letting me know through my e-mail: n o r i s w a d i [at] g m a i l . c o m).

Also, for those who are keen to research related legal issues surrounding the Cloud, do visit this SITE. This project is undertaken by Queen Mary University of London (QMUL), branded as: QMUL Cloud Legal Project.