Malaysia to enforce data protection law

KUALA LUMPUR--Some eight years after it was first mooted, Malaysia's Personal Data Protection Bill will finally be tabled in parliament later this month and is expected to be in force early-2010.

According to Information Communication and Culture Deputy Minister II Heng Seai Kie, the proposed law aims to regulate the collection, processing, storage as well as exploitation of people's personal data.

Heng said the bill shows the government's concern about the importance of global business and trade, while at the same time giving emphasis to the protection of consumers and the public at large.

The bill will be tabled when Parliament sits again starting Oct. 19, she said.

First drafted in 2001, the Personal Data Protection Bill was later circulated to various parties for feedback. However, it was never tabled in parliament after meeting resistance from various parties.

Asked why it took eight years for the revised bill to be tabled, Heng told reporters at the sidelines of the National Conference on Personal Data Protection Law conference here this week: "We had to do a survey to get feedback from stakeholders and interested parties, including government agencies, non-governmental organizations and the corporate sector."

Under the proposed act, offenders will face fines as well as jail sentences, she said. A personal data protection commission will also be established to enforce provisions outlined in the act.

During her keynote address at conference, Heng noted that when personal data falls into irresponsible hands, the misuse of personal data will create losses ranging from financial to legal liabilities, to commercial and public embarrassment.

"In the past decade, we have been reading horrifying stories about people losing their money due to credit card abuses, or companies losing their reputation due to infringement of customer privacy, businesses ruined by data fraud, government agencies concerned by personal data leakages, and national e-government readiness undermined by data privacy concerns.

Necessary for global trade
"All these incidents are a small tip of the iceberg that threatens the integrity of Malaysia as an emerging knowledge economy," she said. "The current trend of global trade would give Malaysia no chance to backtrack, as personal data protection law is now a trade prerequisite recognized by international communities.In fact, adequate regulation on personal data is now a prerequisite by many countries for initiating or continuing bilateral trade."

For example, she explained, Article 25 in the European Union's Data Protection Directive 1995 outlines that "the transfer to a third-party country, of personal data which are undergoing processing or are intended for processing after transfer, may take place only if… the third-party country in question ensures an adequate level of protection".

Heng said: "It is this adequacy requirement that has forced years of negotiation and contention between Brussels and Washington before safe harbor principles were finally agreed. This adequacy requirement will affect the trade in this region as the countries that constitute the Asia-Pacific Economic Cooperation (APEC) have also recognized the importance of this legal development."

According to Professor Abu Bakar Munir at the University of Malaya's Faculty of Law, countries in the region that have implemented comprehensive data protection legislation include Japan, Korea, Taiwan, Thailand, the Philippines, New Zealand and Australia. In the Middle East, only Israel has similar bills while Indonesia and China are in the process of drafting such legislation, said Abu Bakar, who was also a speaker at the conference.

He said EU nations, Chile, Argentina and Brazil were the other countries with comprehensive data protection legislation in place. In the United States, data protection is governed by the Privacy Act 1974 and 12 federal sectoral-based legislations and individual state laws, and the safe harbor provision, he noted.

Singapore, he added, was among the countries that have adopted a self-regulatory approach to personal data protection. However, the Singapore government has since acknowledged this approach is not effective and is contemplating plans for a comprehensive data protection law, said Abu Bakar. The professor was asked by the Malaysian government to assist in the drafting of the revised bill.

In the absence of a data protection act, he said various parties in Malaysia including developers, local and foreign banks had been selling their customers' personal information or allowed the data to be used by third parties.

"Currently, it is not illegal because we don't have personal data protection legislation, but [the banks] should be observing international best practices that prohibit such practices," he noted. "Hopefully, this new law will put a stop to all such practices."

According to Abu Bakar, the revised bill contains provisions for a data protection commissioner who will have investigative powers and responsibility for enforcing it.

He said the proposed act would allow individuals to take civil action to seek redress if they feel their personal data have been compromised.

Lee Min Keong is a freelance IT writer based in Malaysia.