2010 - The Year of Data Protection and Privacy in Malaysia!

2010 is a year of technology laws' hope in Malaysia.

I remain with the above statement due to this chief reason: The Personal and Data Protection (PDP) Act 2010 was  gazetted on April 2010. As I write, the proposed Data Protection Commissioner's Office is still being planned. Rumours learned that it may be in place by the first (1st) quarter of 2011. This development means a lot to Malaysia in many ways. Three pointers of assertion are submitted. First, the PDP Act enables everyone (individuals) and stakeholders to collect, handle, manage, process, retain, share and expunge data in a responsible and compliant manner. Second, the PDP has pushed Malaysia (indirectly) to recognise 'informational privacy' as rights - although the incentive and motivation of this Act governs commercial transactions only. Third, the PDP will also trigger possible amendments or revisions of peacemeal legislations that contained the words "privacy" in Malaysian statutes.

The PDP Act (although, a very new law, to Malaysians) is a testimony of Malaysia in getting herself ready to be on board as par as others. In the Asia Pacific contours, Malaysia is the second (2nd) country, after Hong Kong having her own data protection and privacy legislation. Other countries' legislation are based on sectorial-specific and code/voluntary approaches. As some may have known, the global's privacy and data protection laws are generally motivated by these: The European Data Protection Directive 95/46/EC, American Safe Harbor approach, OECD Guidelines, APEC Privacy Principles, Industrial and technological approaches.

Besides the PDP, interesting developments that have taken place are the observations of Malaysian court judges on privacy protection. There are two cases that glanced through (generally) on this.

First, in Ultra Dimension Sdn Bhd v Kook Wei Kuan [2004] 5 CLJ 285, Justice Faiza Thamby Chik observed: "...English common law does not recognise the privacy rights; therefore invasion of privacy rights does not give right to a cause of action. Since English common law, pursuant to Section 3 of the Civil Law Act 1950, is applicable in Malaysia, privacy rights which is not recognised under English Law is accordingly not recognised under Malaysian Law.." However, in an interesting case of Dr Bernadine Malini Martin v MPH Magazine Sdn. Bhd. & Ors [2010] 1 LNS 694, Justice Hishamudin observed: "...it is unfortunate for the plaintiff, that the law of this country, as it stands presently, does not make an invasion of privacy as an actionable wrongdoing (it is actionable under the law of some other jurisdictions, for example, in the United States)..." 

These observations, seem to be interesting in one way; mainly that Malaysians are getting to recognising their privacy rights. Adding to this, there were headlines on Malaysian national dailies during the third (3rd) quarter of 2010, which highlighted the complaints of a mobile phone customer of a leading Government-linked telecommunications company. The complainant claimed that the mobile service provider did not secure her consent in sharing her confidential data that is retained in the database. Thus, it breaches certain aspects of her data confidentiality. When the case was brought to press, thus far, and to date, my research suggests that there's no "hard push" by, and from, consumer groups or organisations in issuing such statements representing consumer's rights. What more, in privacy!

After the PDP Act was passed, there were many trainings and workshops that took place mostly in Kuala Lumpur. Stakeholders and public were very much concerned how the Act would be affected and applied in their daily life and transactions. My observations from these eagerness are twofold. Firstly, practitioners, academics and consultants should collaborate to disseminate the basic principles first. Which means, besides explaining or paraphrasing the sections in the PDP Act, it's fundamentally focal to enlighten the public what these terminologies mean: data, personal data, privacy, informational privacy, the applications in daily life and the applications in commercial transactions. Secondly, after diffusing the meanings and differences in clarity, we must be able to explain clearly and coherently selected case by case basis from different perspectives. These observations, in my humble opinion, may take a longer time  to witness its maturity. Nonetheless, the practitioners, academics, consultants and researchers who are experts in this subject matter, must collectively offer the appropriate theoretical foundation to the Malaysian public. I am calling for a collective responsibility to disseminate a meaningful comprehension on this (for the purpose of nation building).

From the business strategy perspective, the PDP Act will provide potential opportunities in terms of 'commodotisation'. Technology companies may strategise to call their Research & Development (R&D) team to write a particular system that may be customised for their existing clients and potential clients. In other words, such systems now, should have certain checklists on privacy impact assessment. Also, privacy by design approach. Whatever perspectives of opportunities that Malaysian stakeholders (whether from business or consultancy) come from, it is indispensable for them to understand the basics. Then, move on to the next level of understanding (whether they have clearly understood what privacy and data protection is?).

And why I claim 2010 is the year of data protection and privacy in Malaysia?

The answer lies onto Malaysians' hands and minds. The Malaysians' Legislative and Executives (politicians) deserve a pat. The abstract and outlines of the laws have been exposed. Now, we will witness the implementation and enforcement (in anticipation) - which will be the subsequent chapters of how the laws will grow, develop and mature.