‘Govt must also be held accountable’
Personal data protection law should apply to all parties, say legal experts
PETALING JAYA: With the rising number of cases involving leaks of personal data held by the government, it is time to extend the scope of the Personal Data Protection Act 2010 (PDPA), say legal experts.
As such, the PDPA must be amended soon because it does not apply to the Federal Government when it comes to data privacy, said Deepak Pillai, a technology, multimedia, telecommunications and data protection partner from Christopher & Lee Ong.
“The PDPA should also apply to any party that collects personal data, whether for commercial, governmental or charitable purposes, but amending the law is only part of the solution.
“In other jurisdictions, for example in the European Union, Hong Kong, South Korea and Australia, their governments are subject to personal data protection laws as well.
“In fact, they are directly liable to individuals who suffer a loss due to a breach of their personal data, but this is not the case in Malaysia,” he said.
Pillai also said Malaysia lacked a cybersecurity law which would impose minimum requirements on Critical National Information Infrastructure (CNII).
This law, he added, would make it mandatory for designated CNII sectors such as government, technology, banking, health and transportation to comply with minimum IT security standards.
“This cybersecurity law will require designated CNII parties to report data breaches to the appropriate regulator. There also needs to be a mandatory data breach reporting regime covering all parties collecting personal data, including the government,” he said.
While the Personal Data Protection Commissioner has suggested this amendment be introduced only for commercial organisations, Pillai said this and other proposed amendments to the PDPA formulated in early 2020 had yet to be passed in Parliament.
“I urge the government to accelerate the process of amending the PDPA as there seems to be a worrying increase in the number of data breaches occurring in Malaysia,” he said.
Pillai added that there was much to be done from a legislative perspective.
“Without the law being in place and relevant parties such as the government being subjected to it, change will not occur at the rate it needs to,” he said.
Gan, Lee & Tan (GLT Law) partner Yeow Jie Han said it was also important to note that violation of the PDPA is punishable by way of fines, which are ultimately paid to the Federal Government, and/or imprisonment.
“Thus, a victim of a data breach or data leak will have to rely on the tort of negligence in order to obtain any form of compensation from the breaching party, regardless of whether it is the Federal or state governments or a private entity.
“This is significant as the requirements to establish negligence under tort are generally more onerous because there are more legal tests and considerations to take into account compared with establishing a breach of provisions under the PDPA.
“Therefore, the amendments required for better protection of the rakyat (the people) are not merely as straightforward as removing Section 3(1) of the PDPA,” he said.
Section 3(1) of the PDPA states that the PDPA “shall not apply to the Federal Government and State Governments”.
Yeow suggested that, in order to instil a higher standard of accountability in the government and in private entities entrusted with handling voluminous personal data, legislators should consider allowing victims to recover damages from a breaching party solely on the basis of that party’s contravention of the PDPA.
This is the position taken under the General Data Protection Regulation (GDPR), which applies to all members of the European Union and the European Economic Area, he said.
Article 82 of the GDPR gives an individual the right to claim compensation from a data controller, a term that specifically includes public authorities, agencies and other bodies that determine the purposes and means of the processing of personal data, if damage is suffered as a result of a breach of data protection law.
This covers both material damage, such as losing money, and non-material damage, such as emotional distress, said Yeow.
“A similar position was also taken by the United States, where a district court in 2019 overturned a lower court’s decision in a case involving a breach of sensitive personal information of more than 21 million people.
“It was decided that a federal agency is not entitled to immunity for breaches under the United States Privacy Act of 1974,” said Yeow.
On Wednesday, Home Minister Datuk Seri Hamzah Zainudin denied that the alleged data leak of 22.5 million Malaysians came from the National Registration Department (NRD), after investigations found that the data being sold had been compiled by sellers from other sources.
In 2017, the website Lowyat.net revealed that a massive data breach had caused data of more than 46 million local mobile subscribers to be leaked on the dark web. The information included mobile numbers, unique phone serial numbers and home addresses.
Personal information from many Malaysian public-sector and commercial websites has also been stolen.
In September last year, in another potential data breach involving the NRD, a database containing the records of close to four million Malaysian citizens was put on sale on an online forum. The data was obtained from the NRD and the Inland Revenue Board through the Myidentity API.
The most recent data leak was reported by local tech portal Amanz: a 160GB database was being sold for US$10,000 (RM43,950) on the dark web. The seller claimed the new data set was an expanded version of the database he had sold last September, which only went up to 1998.