New Straits Times

MALAYSIA HAS LONG WAY TO GO

Existing data privacy laws are not specific enough to provide protection

- The writer is a researcher at the Institute of Strategic and International Studies (ISIS) Malaysia

THE promise of the Internet — as an accelerator of education, knowledge and growth — is being deliberately exploited by certain quarters through the inappropriate use of data.

An explosive exposé last March revealed that political consulting firm Cambridge Analytica (CA) had harvested personal data from about 50 million Facebook users for micro-targeting political campaigns.

This event, among many others, has led governments to debate the premise of the Internet itself, and whether it is flawed.

Finding themselves in the United States Congressional hearing “firing line” are Facebook superstar Mark Zuckerberg and Google CEO Sundar Pichai.

Across the North Atlantic, the United Kingdom’s Parliamentary Committee has also inquired into CA’s allegedly dubious operations, with a similar process occurring closer to home in Singapore, specifically by the Parliamentary Select Committee on Deliberate Online Falsehoods.

This raises an important question: should governments develop and devise national information privacy laws?

In Malaysia, the Personal Data Protection Act (PDPA) 2010 is meant to be the vanguard of protection for information collected about an individual.

Notably, the PDPA 2010 only protects against the inappropriate use of personal data for commercial purposes.

Even then, 2017 saw a massive data breach that exposed the customer data of more than 46 million mobile subscribers in Malaysia on an online community forum.

This highlights that despite the PDPA 2010, severe gaps in data management and protection remain.

Besides, it is worth noting that the PDPA has no provisions that specifically address the issue of online privacy, which includes data such as geolocation and cookies.

Making matters worse is that the PDPA 2010 is inapplicable if the personal data is processed outside Malaysia.

Relevantly, as things stand with technological advancements and an essentially borderless cyber realm, Malaysia is unprepared to deal with data privacy matters and is in danger of future data breaches happening on larger scales.

Since data is the currency of the 21st century, and with the mainstreaming of the Internet of Things (IoT), which will make data even more personal (and intrusive), it should be the government’s priority to strengthen existing data privacy laws.

The government should also consider introducing other protection laws, drawing inspiration from the approaches taken by other countries on the matter.

For example, Europe considers data privacy a top priority, leading to the European Union’s adoption of the General Data Protection Regulation (GDPR) in May 2018. The GDPR, which supersedes the 20-year-old Data Protection Directive, establishes more stringent rules than before, governs how companies harvest and manage data, and imposes hefty penalties on violators.

In the US, regulations pertaining to the Internet are often pro-business and loosely regulated. The primary legislation for this is the Communications Decency Act 1996, which lays out provisions on the liability of online platforms, among other things. This legislation essentially absolves tech companies of any liability regarding the conduct of third parties on user data.

Meanwhile, governments in Canada and Australia have specific laws for online individual privacy protection with their Digital Privacy Act and Privacy Act 1988 respectively.

On the other end of the spectrum is the cyber landscape in China. Case in point is China’s “Great Firewall” — the Chinese government’s efforts to assert data-sovereignty.

This is in part an attempt to ensure that the data remains within Chinese borders at all times, giving Beijing jurisdiction over the use and regulation of these data. Furthermore, under China’s 2017 Cybersecurity Law, authorities have enshrined their jurisdiction to access data without due process.

Notwithstanding the “Great Firewall”, which restricts access to foreign websites and platforms, there remain ways to bypass these restrictions, including the use of Virtual Private Networks (VPNs) and proxies, among others.

Despite the rigid legal framework governing the Internet in China, it has not hindered the Chinese technology industry’s ability to spur and ultimately create local competition to match Silicon Valley. The burgeoning tech industry is also in line with China’s aim of becoming a world leader in key technological industries through its “Made in China 2025” plan.

Yet, robust technological dependency in China also means that they too are vulnerable to data leakages. For instance, the Financial Times reported that a survey by the China Consumer Association showed 85 per cent of respondents have had their data leaked, phone numbers solicited illegally, or bank account information compromised.

To address these compounding issues, the Chinese government is in the early stages of devising data management regulations. These include consent for data collection, data usage and sharing, and user-requested deletion of information they consider personal, through their data protection system known as the Personal Information Security Specification.

It is quite obvious that the PDPA 2010 lags behind similar data protection and regulation initiatives elsewhere. Moving forward, the Department of Personal Data Protection (DPDP) should at the very least devise specific guidelines on handling data breach incidents. This is to mitigate the negative consequences of a data breach for individuals and organisations, be they public or private.

Recently, Communications and Multimedia Minister Gobind Singh Deo stated that the government is committed to a review of its data protection laws by mid-2019 to prevent data breaches from happening. This renewed commitment is timely to fill the gaps with regard to data privacy and protection.

Such measures are needed not just to protect individual freedom and rights, but also for national security.

This is especially so given how data around the world has been manipulated, influencing even local politics and illicit financial flows.

The ability to harvest personal data irresponsibly, either by individuals or organisations, may trigger the government to introduce more holistic data regulations.

While more measures can be considered, the matter has to be approached delicately without compromising public interests.


REUTERS PIC: The government should consider other data protection and privacy regulations in addition to existing laws.
