DATA PROTECTION LAW IS COMING TO ASIA
Professor Abu Bakar Munir
Faculty of Law, University of Malaya
Adviser to the Malaysian Government
(2007-2010)
INDONESIA INFORMATION SECURITY FORUM 2011
14 December 2011
Bandung, Indonesia
1 #IISF2011
THE WORLD’S GREATEST NEWSPAPER 1843-2011
Concept of Privacy
Definition
Privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.
Types of Privacy
The right to be left alone
Bodily privacy
Privacy of communications
Territorial privacy
Informational privacy
Privacy as Human Rights
Article 12, Universal Declaration of Human Rights 1948:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Some Other Instruments
Article 17, International Covenant on Civil and Political Rights 1966
Article 16, Convention on the Rights of the Child 1989
Article 8, Convention for the Protection of Human Rights and Fundamental Freedoms 1950
Article 18, OIC Cairo Declaration on Human Rights in Islam 1990
Article 4.3, Declaration of Principles on Freedom of Expression in Africa 2002
Article 5, American Declaration of the Rights and Duties of Man
Informational Privacy
The right of an individual to have control over his personal information
Informational Privacy = Personal Data Protection
Why do countries protect personal data?
International obligation
Competitiveness
Human right
International influence
Why Protect Personal Data?
What Customers Say…
Nearly 90% of online consumers want the right to control how their personal information is used after it is collected
(Forrester Research 2003)
87% of Americans are concerned about the security of their information on the Internet
(Zogby International 2010)
61% of adult Americans said that they were extremely concerned about the privacy of their personal information when buying online
(University of Southern California 2007)
Cont.
Our research shows that 80% of our customers would walk away if we mishandled their information
(Royal Bank of Canada 2003)
Concerns about the use of personal information led 64% of respondents to decide not to purchase from a company
(Privacy and American 2005)
67% of respondents decided not to register at a website or shop online because they found the privacy policy to be too complicated or unclear
(Privacy and American 2005)
Malaysian Consumers Say…
75.3% of respondents said that they were “somewhat concerned” or “very concerned” about their personal privacy even when not online
94.2% of respondents felt that their personal privacy might be threatened when using the Internet
50.8% of non-Internet Banking customers have not migrated to the online services, mainly due to security, trust and privacy concerns
(Muniruddeen Lallmahamood 2007/2008)
Therefore…
Trust and risk are major determinants of purchasing and of intention to purchase
Trust is difficult to gain but easy to lose
Consumers are concerned about their privacy
Consumers are very concerned about privacy when transacting online
GOOD PRIVACY, GOOD BUSINESS
“Privacy is good for business”
Harriet Pearson
IBM Chief Privacy Officer
How?
Potential Risks
Breaches of data protection law
Damage to organization’s reputation and brand
Physical, psychological and economic harm to customers
Financial losses associated with deterioration in the quality and integrity of personal data due to customers’ distrust
Loss of market share or a drop in stock prices due to negative publicity; failure or delay in the implementation of a new product or service due to privacy concerns
Benefits
More positive organizational image and significant edge over the competition
Business development via expansion into jurisdictions requiring clear privacy standards
Enhanced data quality and integrity
Fostering better customer service and more strategic business decision-making
Enhanced customer trust and loyalty
International Instruments
OECD Guidelines 1980
Council of Europe Convention 1981
European Directive 1995
APEC Privacy Framework 2004
Madrid Resolution 2009
OECD Guidelines 1980 (8 Principles)
Collection limitation
Data Quality
Purpose Specification
Use Limitation
Security
Openness
Individual Participation
Accountability
Council of Europe Convention 1981
Personal Data shall be:
obtained fairly and lawfully
stored for specified and legitimate purposes and not used in a way incompatible with those purposes
adequate, relevant and not excessive
accurate and, where necessary, kept up to date
preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored
European Directive 1995
Personal data must be:
Processed fairly and lawfully
Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
adequate, relevant and not excessive
accurate and, where necessary, kept up to date
APEC Privacy Framework 2004 (9 Principles)
Preventing harm
Notice
Collection Limitation
Uses of personal information
Choice
Integrity
Security safeguards
Access and correction
Accountability
Madrid Resolution 2009 (6 Principles)
Lawfulness and fairness
Purpose specification
Proportionality
Data quality
Openness
Accountability
Innovative ideas on proactive measures to protect personal data:
Procedures to prevent and detect breaches
Appointment of data protection or privacy officers
Training, education and awareness programmes
Audit
Adaptation of information systems and /or technologies
Implementation of privacy impact assessment prior to implementing new systems or technologies
Adoption of codes of practice
Implementation of a response plan
The Madrid Resolution has received support from Oracle, Walt Disney, Accenture, Microsoft, Google, Intel, Procter & Gamble, General Electric, IBM and Hewlett Packard
National Approaches
Comprehensive Legislation
Legislation + Self-Regulatory
Self–Regulatory
Doing Nothing
Comprehensive Legislation
All EU countries, including the 10 new member states (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia)
Japan, Korea, New Zealand, Australia, Hong Kong, Macao, Taiwan, Philippines
Chile, Argentina, Brazil, Mexico
In the Middle East, only Israel
Legislation + Self-Regulatory
USA – Privacy Act 1974 + 12 sector-based federal laws + State Laws + Safe Harbour
Self-Regulatory
Singapore – Does not work – To have a data protection law by 2012
Doing Nothing so far
Brunei
Vietnam
Laos
Cambodia
Many more
Our Part of the World: What’s Happening?
• Macao enacted her Personal Data Protection Act in 2006
• China has come out with several drafts of the law, the latest in 2007
• India amended her Information Technology Act in December 2008. Some new provisions were added to protect privacy and personal data. In April 2011, the third draft of the Privacy Bill was issued.
• Indonesia came out with an academic draft in 2009
• Thailand developed a draft Bill in 2010
• Taiwan amended her old law and passed a more comprehensive Personal Data Protection Act in April 2010
• Malaysia passed the Personal Data Protection Act in June 2010
• Korea came out with a more comprehensive law in March 2011
• The Philippines Congress has come out with a draft Act
• Australia and Hong Kong are reviewing their Privacy Act and Privacy Ordinance respectively
• Singapore is currently developing a law, expected to be ready by 2012. On 13 Sept 2011, a Consultation Paper was released
• In April 2011, the EU Working Party decided that the New Zealand Privacy Act is adequate
Korea
Data Protection Act 2011
• Data Protection Principles
• Rights of Data Subjects
• Organization to designate someone to take charge
• Special entity to enforce the Act (Data Protection Commission/DPC)
• Mandatory reporting of significant breach to DPC
• Data breach notification (to the Data Subject)
• Mediation to resolve disputes
• Differentiate personal data & sensitive data
• PIAs are encouraged
Malaysia
Personal Data Protection Act 2010
• Data Protection Principles
• Rights of Data Subjects
• Special entity to enforce the Act (Data Protection Commissioner)
• No mandatory data breach notification
• Differentiates personal data & sensitive data
• Does not apply to Federal and State Governments
Taiwan
Personal Data Protection Act 2010
• Data Protection Principles
• Rights of Data Subjects
• Mandatory data Breach Notification (to the Data Subject)
• Enforcement by Ministries responsible for each industry sector
Malaysian PDPA: An Overview
Non-Application
Federal & State Govts
Non-Commercial Transactions
Personal, Family, Household Affairs
Data Processed Outside Malaysia
Credit Reference Agencies
DATA PROTECTION PRINCIPLES
General Principle
Notice and Choice Principle
Disclosure Principle
Security Principle
Retention Principle
Data Integrity Principle
Access Principle
Exemptions
Partial:
• Crime Prevention/Detection
• Offenders Apprehension/Prosecution
• Tax/Duty Assessment/Collection
• Physical/Mental Health
• Statistics/Research
• Court Order/Judgment
• Regulatory Functions
• Journalistic/Literary/Artistic
Total:
• Personal
• Family
• Household
• Recreational
RIGHTS OF DATA SUBJECTS
Right to be Informed
Right to Access
Right to Correct
Right to Withdraw Consent
Right to Prevent Processing Likely to Cause Distress
Right to Prevent Processing for Direct Marketing Purposes
OFFENCES AND PENALTIES
No. | Section | Offence | Penalty
1 | S. 16(4) | Processing without a certificate of registration | Fine < RM500,000.00 / Imprisonment < 3 years / Both
2 | S. 18(5) | Processing after registration is revoked | Fine < RM500,000.00 / Imprisonment < 3 years / Both
3 | S. 5 | Contravening Data Protection Principles | Fine < RM500,000.00 / Imprisonment < 2 years / Both
4 | S. 29 | Non-compliance with Code of Practice | Fine < RM100,000.00 / Imprisonment < 1 year / Both
5 | S. 37(4) | Failure to inform of the refusal to comply with the data correction request | Fine < RM100,000.00 / Imprisonment < 1 year / Both
6 | S. 38(4) | Processing after consent has been withdrawn | Fine < RM100,000.00 / Imprisonment < 1 year / Both
7 | S. 40(3) | Processing of sensitive data | Fine < RM200,000.00 / Imprisonment < 2 years / Both
8 | S. 42(6) | Failure to comply with the Commissioner’s requirement (processing likely to cause damage or distress) | Fine < RM200,000.00 / Imprisonment < 2 years / Both
9 | S. 43(4) | Failure to comply with the Commissioner’s requirement (direct marketing) | Fine < RM200,000.00 / Imprisonment < 2 years / Both
10 | S. 129(5) | Transfer of data to places outside Malaysia without any law or adequate protection | Fine < RM300,000.00 / Imprisonment < 2 years / Both
11 | S. 130(3) | Collecting, disclosing or procuring the disclosure of data without consent of the Data User | Fine < RM500,000.00 / Imprisonment < 3 years / Both
12 | S. 130(4) and (5) | Selling or offering to sell | Fine < RM500,000.00 / Imprisonment < 3 years / Both
13 | S. 131(1) and (2) | Abetment of and attempt to commit any of the offences | Half of the maximum term provided for that offence
Enforcement Mechanisms
Data Protection Commissioner
Advisory Committee
Appeal Tribunal
Codes of Practice
Enforcement Notice
Prosecution
Revocation of Registration
May I recommend you to read this!
Privacy and Data Protection, Sweet & Maxwell (2002)
Internet Banking: Law and Practice, LexisNexis UK (2004)
Cyber Law: Policies and Challenges, Butterworths Asia (1999)
My other books on ICT Law
In Print
Information & Communication Technology Law: Legal & Regulatory Challenges, Thomson Reuters (2010)