Sunday October 16, 2011
Personal data still open to abuse
By SHAHANAAZ HABIB
The Personal Data Protection Act (PDPA) offers some semblance of information privacy but it will not address other important aspects like non-commercial use of data or territorial or bodily privacy.
DATA protection law expert Prof Abu Bakar Munir waved a list that contained 600 names, identity card numbers, addresses, phone numbers of house owners, addresses of the property they own, the selling price, how much has already been paid, and details of the housing loans.
One of his students had bought the list from a developer and passed it to him.
“The selling and buying of data is still very rampant here,” he told a public forum on privacy and personal data protection organised by the Centre for Independent Journalism.
For a few ringgit more, data of those living in elite areas is also available.
You don't have to look very far either to get your hands on people's personal data. One local newspaper carries a blatant advertisement on data for sale in its classifieds almost daily.
The ad reads: “We have more than one million Malaysia updated e-mail & phone list to boost up your business. 10,000 e-mail list for RM200 & 1,000 phone list for RM200.” The ad carries the mobile numbers of a Mr Goh and a Mr Yap for those who are interested.
Two years ago, the going price for that 1,000 phone list in a similar ad was RM100.
And, says Sonya Liew, co-deputy chairperson of the Human Rights Committee of the Bar Council, if you pay a private investigating agency RM3,000 and give the full name of a person, the agency will be able to give you details of that person's bank accounts, including the types, numbers, and balance in the accounts “down to the last sen”, plus his home address!
Under the Personal Data Protection Act (PDPA), which was passed and gazetted last June, selling a customer's personal data or using it for commercial gain for a different purpose other than what it was collected for, without the person's consent, is an offence.
This makes direct marketing a clear violation under the Act if it is done without the person's consent.
Those convicted of committing the offence can be fined up to RM200,000 or jailed for up to two years or both.
Many should breathe a sigh of relief knowing that banks or companies would no longer be able to use their personal data to make unsolicited calls to sell insurance and other products and services.
But you have to be on the lookout for the fine print!
For example, a local bank here recently put up its client's charter stating that it fully complies with regulations of the PDPA.
But there is a catch, as it goes on to add: “We will not use your personal information for our own marketing purposes IF you inform us that you object to this practice.” That, in effect, puts the onus back on the customer.
These banks would state in fine print that a person's data can be used by that bank or its related companies to research, launch, promote or market existing or other banking and financial services and products of the bank, related companies or selected parties, while some others state that they can give the information to third party vendors, advertisers, affiliates or relevant third parties, he says.
And how many people read the fine print when opening an account?
“It's very unfair to customers. How can banks say that the customers' data is their property and they can use, transfer or pass on the data for whatever purpose to third parties? That is not right and not in line with the data protection law,” he stresses.
With the PDPA, when a person gets phone calls from people trying to sell him stuff, he can complain to the PDPA Commissioner stating that someone got hold of his data without his consent and it is causing him distress. It is then up to the Commissioner to investigate.
Unchecked abuse of data
But the problem right now is that a Commissioner has not been appointed yet, so the Act cannot be enforced and the sale and abuse of data continues unabated, unchecked and unpunished.
Prof Abu Bakar points out that the sale of data has serious ramifications.
“It's a breach of privacy of the individual. If someone managed to get hold of a data list, he can always contact the individuals in the list for whatever purpose.”
There are other limiting aspects of the PDPA, one of which is that it applies only to “commercial transactions”. This means that if a person's personal data such as intimate photos of himself, his marital status, home address, mobile number, etc., are disclosed, distributed and transferred for no commercial gain, he has no grounds under the PDPA to seek redress.
Prof Abu Bakar was instrumental in advising the government and helping them develop the PDPA. But even for him, the law falls short and he is “not quite satisfied” that the Act does not apply to non-commercial activities, that the Federal and state governments and their agencies are excluded, and that the yet-to-be appointed Commissioner would not be independent.
Under the Act, the Commissioner is answerable to the Information, Communication and Culture Minister.
“The problem with this is that the Commissioner may not be able to enforce the act effectively without fear or favour unlike in other countries. In other countries, the Commissioner is not accountable to the minister but is directly accountable to Parliament.”
According to Prof Abu Bakar, these Commissioners compile annual reports which are tabled in parliament and made available to the general public. Everyone can have access to the report, he says. “Basically, there is transparency.”
For Malaysia, he explains, under the PDPA, the Commissioner is not required to produce an annual report “but that doesn't mean it can't be done” and “ideally that should be the situation”.
As for the exclusion of the Federal and state governments from the Act, he believes Malaysia is the only country with a data protection act that excludes the public sector.
Some would argue that people should trust their government and the public sector not to sell or misuse their data.
“But can we trust the Government in this respect because they are the biggest collectors of data?
“Ideally, the act should cover everybody be it government or private entities,” Prof Abu Bakar insists.
The exclusion also raises interesting questions for the general public.
For example, if the police install CCTVs around Selangor and Kuala Lumpur to prevent snatch thefts and crimes and collect data from the CCTV for that purpose, what is to stop them from sharing this data with other state agencies like the Federal Territory Islamic Affairs Department and the Selangor Islamic Religious Department which could use the data to nab Muslim couples for vice, khalwat or other so-called immoral activities?
Being government agencies, the police and local religious authorities are not bound by the PDPA.
“I beg you not to blame me. I objected to this. I told the Government there should be no exemption and that the act should apply to federal, state governments, their agencies as well as charitable organisations,” Prof Abu Bakar told the public forum.
A discrepancy that is bound to crop up is the sharing of data between government departments and the private sector.
“We would have a situation where one party (private sector) will be governed by the Act and the other (public sector) that is not,” says Prof Abu Bakar.
He points out that some countries like Canada have a separate regime and regulations for the private and public sectors.
“It is acceptable to have a separate regime for private and public sectors which is on par with each other. But having a law that applies only to the private sector is not ideal and not in line with international norms.”
There are also serious implications when it comes to international trade, investments and agreements with other countries including the European Union, which is very particular about data protection.
The EU requires all its member states to have adequate Data Protection Laws. For trade with non-member countries, these countries must show they have adequate Data Protection Laws before the transfer of personal data is allowed. Prof Abu Bakar is thus concerned that the PDPA might not meet EU standards.
He believes the EU approaches the data adequacy requirement from two points: procedural and substantive.
“For the procedural, the enforcement authority must be independent. But for ours, the Commissioner which is the enforcement authority is accountable to the minister, so we may fail on that ground.
“We may also fail when it comes to the substance because of the exemption given to federal and state governments and that the Act doesn't apply to non-commercial activities,” he says, adding that these are his personal views.
He says there are two solutions to the problem.
One is to extend the scope of the law to cover the federal and state governments and agencies and the second is to have separate rules and regulations for the Government which is on par with the PDPA.
With the PDPA, there is a certain amount of protection for information privacy but when it comes to other aspects of privacy such as territorial privacy or bodily privacy, protection is sorely lacking.
The Bar Council's Liew says the right to privacy is not expressly stated in the Federal Constitution and even judges themselves differ in opinion as to whether people have privacy protection.
“There is no specific legislation in the country that allows us to sue, for example, if our privacy is infringed in private areas like the bedroom or in our house,” she explains.
“If an individual comes with a video camera and starts to shoot me while I am in my toilet, and I find out but he's not a data collector and is not doing it for a business, I can't really sue him. There is no specific penal code to act on it.”
Similarly, if a voyeur films you in a public toilet or changing room and puts the video up on the Internet, even if you find out who he is, there is no direct act to deal with it.
And what if a neighbour puts a CCTV camera in front of his house but it also records who is going in and out of your house?
Citing the Lew Cher Phow case in Johor Baru, Liew says the court ruled that there is no such thing as privacy in Malaysia and that the CCTV camera was allowed.
Last year, Selangor Mentri Besar Tan Sri Khalid Ibrahim discovered a CCTV camera planted in his office. He would not be able to seek redress under the PDPA even if he knew who put the camera there unless he is able to show that the person made money or there was some commercial benefit in doing it.
As for bodily privacy, Liew stresses that the DNA Identification Act impinges on that.
“If I am suspected of stealing a toothpick, the police now have a right to swab my saliva for DNA.”
She says that while Malaysia now has fixed rights for information, there is a need to look at fixed rights for territorial and bodily privacy especially when government agencies are excluded from the Act.
The case of Mazlinda Ishak, a GRO who was detained during a raid on a club in 2003, is a case in point. She needed to ease herself but was refused permission by the authorities and told to urinate in the truck.
When her friends used a shawl to shield her while she eased herself, a Rela officer rushed in, pulled the shawl away and took photos of her.
This is a clear case of invasion of privacy. Although she went to court and won damages for the wrongdoing, there is no specific act to seek redress.
“We really need the Privacy Act to tie up loose ends,” says Liew.
For Prof Abu Bakar, with the PDPA at least one aspect of privacy, that is informational privacy, is covered.
“Having something is better than nothing,” he says.