Malaysia is the most recent country to enact overarching data protection legislation as the much anticipated Malaysian Personal Data Protection Act (PDPA) finally came in to force on 15 November. Malaysia joins a host of other countries in the Asia-Pacific region, including Singapore, Japan and South Korea (to name just a few!) that have passed comprehensive data protection laws in recent times. But why the sudden proliferation?
The Reasons
Data protection laws are essential for countries to become trusted and reliable business hubs
Datuk Seri Dr Rais Yatim, the Minister of Information, Communication and Culture in Malaysia, stated in February 2012 that the data protection law in Malaysia will ‘speed up the development of electronic connection and transactions like e-commerce and e-business…[it will] help Malaysia to become a communication and electronic trade centre; an attractive location for investment in the multimedia and communications industry and an international trade partner which is able to offer personal data protection assurance according to international standards’.
I concur with the Minister. Countries that recognise the value of personal data and the importance of data privacy will not only be perceived as reputable but will enhance the competitiveness and strength of countries in this region as trusted and reliable business hubs since so many businesses are so dependent on the ability to transfer personal data around the world.
People care!
When Hong Kong’s Octopus Holdings (an e-payment provider) admitted to selling its customers’ personal information without their consent, for which it pocketed around US$5.7 million, there was political outrage. Edith Lai, a trainee solicitor at Speechly Bircham, who is from Hong Kong, explains that, at the time of the incident, ‘not a lot of people understood the importance of their privacy and the value attached to it’. The public’s main consternation arose from the fact that they had not realised that their data had a value and that that value had not come back to them. However, since the implementation of the Personal Data Privacy Ordinance (PDPO), which was triggered by the scandal, people in Hong Kong are now much more aware of their data privacy rights. The new law prohibits companies from using personal data for direct marketing purposes without the consent of individuals. Edith explains that ‘since the new law, people are being bombarded by consent statements so people now know their rights. People are now more likely to think again before they give away their personal data’.
The fight for cyber-security
According to a 2010 study by Symantec, 75% of Asia-Pacific enterprises experienced cyber-attacks in the preceding 12 months. The same report stated that the top three reported losses were theft of intellectual property, theft of customer credit card information or other financial information and theft of customer personally identifiable information. In addition, when the cost to businesses of dealing with a data breach is increasing year on year and the long-lasting reputational damage is incalculable, countries in this region must demonstrate to their international counterparts that data protection is taken seriously. The implementation of stringent data protection laws sends a clear message that businesses that send personal data to the region can be assured that it will be adequately protected.
What are the main features of the data protection laws in this region?
Most data protection laws that have been enacted in this region are based upon the fundamental principles of the European Data Protection Directive. However, as anyone who has ever co-ordinated a pan-European data protection project will know, similarity of data protection principles does not mean that it is possible to find ‘one-size-fits-all’ solutions when dealing with the data protection laws of 28 member states! The same applies in the Asia-Pacific region; as far as data protection is concerned, ‘the United States of Asia’ does not exist! Here are a few of the peculiarities that need to be considered when implementing data protection compliance in this region:
Hong Kong
Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) came into force on 1 April.
Under the PDPO, companies cannot use personal data in direct marketing campaigns without obtaining the express consent of the people being targeted. This will include asking new customers for their consent and going back to old customers to whom new products or services are being marketing and asking for their consent. This requirement is believed to be a direct result of the Octopus scandal.
Malaysia
The Malaysian Personal Data Protection Act (PDPA) was officially gazetted on 15 November; businesses now have a three-month sunrise period to comply.
A wide range of organisations will be required to register their data processing activities with the Malaysian data protection department and have until the end of the sunrise period, ie 14 February 2014, to do so.
It is also worth highlighting that if an organisation breaches the PDPA, individuals within the management of the business may be jointly and severally liable with the corporation for the non-compliance. Considering that organisations that are required to register with the Malaysian data protection department but which fail to do so could be fined up to 500,000 Malaysian Ringgit (almost £100,000) and/or have individuals imprisoned for up to three years, data protection should be a high agenda item for all businesses in Malaysia this quarter!
Singapore
Singapore enacted the Personal Data Protection Act 2012 (No. 26 of 2012) on 15 October 2012.
The law takes effect in three phases: (i) provisions relating to the formation of the Personal Data Protection Commission came into force on 2 January 2013; (ii) provisions relating to the National Do-Not-Call Registry (‘DNC Registry’) will come into force in early 2014; and (iii) the main data protection provisions will come into force in mid-2014. Organisations will be given a transitional 18 months to comply with the PDPA, before the data protection provisions enter into force (projected mid-2014).
The DNC Registry, expected to be ready for public registration by early 2014, will allow individuals to register their phone numbers enabling them to opt-out of receiving unsolicited telemarketing calls, SMS and fax messages from all organisations in Singapore. It essentially prohibits organisations from sending messages to those individuals via such means. Organisations ignoring the rules will face financial penalties of up to SGD1 million (nearly £500,000) for non-compliance.
South Korea
South Korea’s Personal Information Protection Act (PIPA) became effective as of 30 September 2011.
This law is described as the ‘strictest’ data protection law in the world!!
Data breach notification to data subjects is mandatory and almost all organisations in South Korea are required to appoint a Data Protection Officer.
Organisations in South Korea are prohibited under the PIPA from denying an individual access to a certain service because of the individual’s refusal to provide legally unnecessary information. Businesses cannot therefore decline to provide an individual with a service if they refuse to provide more than the minimum data allowed to be collected. In practice this means that if, for example, an individual wished to sign up for a newsletter, the organisation could not require the individual to provide more personal information than his or her e-mail address if the individual did not want to provide it.
Japan
Japan’s Act on the Protection of Personal Information (APPI) came into force on 1 April 2005.
Under the APPI, explicit consent (ie opt-in) is required for all disclosures of personal data to third parties, even when the third party is affiliated in some way with the data controller.
The use of express consent mechanisms should therefore be used whenever data is collected as a rule of thumb and it must be ensured that it is crystal clear to data subjects that their personal data may be disclosed to a third party, even if that third party is intra-group.
Will these laws really be enforced?
The extent of enforcement activity of data protection authorities varies greatly across the EU; whilst some vigorously fine, others suffer from a severe lack of resources meaning that it can be very difficult to sanction non-compliant organisations.
I asked Noriswadi Ismail, who is head of the Data Protection Academy Advisory Board in Malaysia, how the Malaysian data protection department will actively enforce the law:
‘The Malaysian Personal Data Protection Department (PDPP) has beefed up its enforcement team by recruiting more than 40 enforcement officers. This indicates a positive and welcoming enforcement message to the marketplace. Thus far, the PDPP has a staff strength of almost 100 officials.
Although the sunrise period of 3 months has been officially gazetted (from 15 November 2013 to 14 February 2014), the PDPP will arguably face three main teething enforcement challenges. First, greater clarity on the Regulations/Guidelines and guidance that are still absent for the marketplace to comply; Second, absence of practical illustrations relating to concepts in the Personal Data Protection Act (PDPA) 2010; and Third, the enforcement approach (whether it shall be by way of naming and shaming or selective enforcement).
Nonetheless, 14 February 2014 onwards will be an intriguing test bed for the PDPP and the marketplace’.
Going forward, it will be interesting to observe how enforcement is carried out in this region, especially in countries like Malaysia where there is less public awareness of data privacy issues than in other parts of the Asia-Pacific region, such as Hong Kong.
My prediction? As organisations start to comply with the new laws, individuals will incidentally become more aware of their rights – leading to increased complaints to the authorities when rights are not protected, and subsequently increased investigations and enforcement actions by the authorities. Only time will tell.
Janine Regan is a data protection lawyer at Speechly Bircham.