Friday January 11, 2013
Of fresh starts and privacy
PUTIK LADA By THARISHNI ARUMUGAM
The Personal Data Protection Act has come into force but there are many issues that still need to be sorted out.
I HAVE a confession. Writing this article is part of my resolution for myself. As a young lawyer who spends 70% of her waking hours working, it seems that I would have to learn how to make time to pursue the things that I think make me more of a whole person – and writing is one of those things that I need to make time for.
It’s a conundrum that most young lawyers face, especially if they’ve recently transitioned from a hippie uni-student to a full-time lawyer.
I will not call this a new year resolution because the song-and-dance of such a resolution has a pretty predictable routine to it.
First, there’s the Excitement stage: full of hope with a hint of adrenaline. Fuelled by holiday season feel-good machinations, this is the “Can we do it? Yes we can!” stage, where optimism is at its brightest, enthusiasm levels are off the charts, and logic at its lowest.
The next stage is the Trying stage.
Yes, this is where the effort to sustain the resolution has hit home, and you’re starting to wonder – is this worth it? But you stick on anyway, because your motivation now is to not be called a quitter.
You don’t want to quit because you’ve quit before, every single year, and this year’s going to be different.
You bargain and you haggle with an audience of one, cutting down and giving yourself discounts because of an invisible bidder.
The last stage is Defeat. As the autumn leaves fall, or in Malaysia, as the monsoon season begins, it gets colder and work gets more hectic due to the impending end-of-the-year holidays. You break down. You’re too busy. Too stressed. The equilibrium that your life exists on is hanging by a thread and you curse the heavens and cave in to temptation.
So there you go. The Dance. The Legal Profession has seen many of these dances, and we’re in danger of repeating the same old steps again.
In 2010, the Personal Data Protection Act (PDPA) was finally gazetted. When the announcement of the gazettement was made, the Government took the lead and started the first steps of the Dance, and we danced to the beat.
Practitioners delighted in the fact that we would now be able to join the global data protection community.
We were basking in the Excitement. The territory was unknown, but that was precisely what made it attractive. The PDPA was supposed to herald a new age of privacy for Malaysia, one that promised to do justice to data subjects (individuals who are identified by the data), by giving them their rights to have their data processed only when their consent has been sought, or when there is a clear necessity for the processing.
Under the PDPA, data subjects should also be protected from illegal processing – so no more calls and messages from telcos, clubs and massage parlours (unless, of course, you want them).
If the personal data of an individual is processed in a commercial transaction, that individual would, under the PDPA, have the right to limit how the data is processed, and to object to any sharing of their personal data with any unauthorised third parties.
Two years and a lot of questions later, the PDPA was in danger of being forgotten. This was because the PDPA was supposed to come into force a year later, but the date of enforcement kept being pushed back, as many were in favour of giving the practitioners, and the Executive, more time to get prepared for compliance.
We were all still convinced that this is indeed A Good Thing.
We were now at the Trying stage. We tried our very best to believe that the PDPA would soon come into force, that the necessary guidelines to interpret the rather broad and often vague provisions of the PDPA would soon be released by the powers that be.
Before we gave up and held up white flags signalling our Defeat, however, there has been a ray of light. The Government has announced that the PDPA will come into force on Jan 1, 2013. Yes, like a blushing superstitious bride, the Government has chosen a rather symbolic date to herald a new beginning. Or rather, the second coming, of an earlier promised new beginning. However, this time around, one is sceptical. These are exciting times, and yet caution must be exercised. Guidelines, which have been promised, have yet to be released.
A PDPA Commissioner has yet to be elected. There is no list of countries that have been gazetted pursuant to s.129 of the PDPA, which means that data cannot be transferred overseas unless certain conditions are met.
It seems almost like announcing that a house has been built and you can move in tomorrow – yet there is no running water or electricity in the house. Habitable, but just barely so; and in need of some light, metaphorically speaking.
For compliance to happen, a lot more needs to be done for the PDPA’s implementation to be carried out with minimal confusion and fuss.
What is somewhat worrying is the fact that under s.145, organisations that collect and process data for their own usage in commercial transactions (known as “data users”) will have three months to comply with all seven principles under the PDPA for data that they have gathered prior to Jan 1, 2013.
Three months is a relatively short period of time for a company to figure out what it needs to do to comply, and to run the entire gamut of executing a compliance programme.
Privacy notices would have to be drafted and served to the relevant data users, consent sought for the processing, and retention, security and access policies would have to be drafted as well… the list goes on.
A data user must also keep in mind that if a complaint is made to the PDPA Commissioner and the data user’s practices are found to not be PDPA-compliant, the data user will have to pay a hefty fine, of up to RM300,000, and/or face jail time.
And yes, liability may be personal. Under the PDPA, the individuals in charge may be held liable.
But we have hope that the enthusiasm and the initiatives by the Government will not burn out any time soon. That the dance really doesn’t end at the Defeat stage, and this New Year’s promises of a personal data-friendly Malaysia are more than just a New Year’s resolution.
> The writer is a young lawyer. Putik Lada, or pepper buds in Malay, captures the spirit and intention of this column – a platform for young lawyers to articulate their views and aspirations about the law, justice and a civil society. For more information about the young lawyers, visit www.malaysianbar.org.my.