Your SlideShare is downloading. ×
  • Like
Abubakar munir iisf2011
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply


Published in Technology , News & Politics
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. DATA PROTECTION LAW IS COMING TO ASIA Professor Abu Bakar Munir Faculty of Law, University of Malaya Adviser to the Malaysian Government (2007-2010) INDONESIA INFORMATION SECURITY FORUM 2011 14 December 2011 Bandung, Indonesia #IISF2011 1
  • 3. #IISF2011 3
  • 4. Concept of PrivacyDefinitionPrivacy is our right to keep a domain around us,which includes all those things that are part of us,such as our body, home, thoughts, feelings,secrets and identity. The right to privacy gives usthe ability to choose which parts in this domaincan be accessed by others, and to control theextent, manner and timing of the use of thoseparts we choose to disclose. #IISF2011 4
  • 5. Types of Privacy  The right to be left alone  Bodily privacy  Privacy of communications  Territorial privacy  Informational privacy #IISF2011 5
  • 6. Privacy as Human RightsArticle 12 Universal Declaration on Human Rights 1948 No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.Some Other Instruments Article 17, International Covenant on Civil and Political Rights 1966 Article 16, Conventions on the Rights of the Child 1989 Article 8, Convention for the Protection of Human Rights and Fundamental Freedoms 1950 Article 18, OIC Cairo Declaration on Human Rights in Islam 1990 Article 4.3, Declaration of Principles on Freedom of Expression in Africa 2002 Article 5, American Declaration of the Rights and Duties of Man #IISF2011 6
  • 7. Informational Privacy The rights of an individual to have control over his personal information Informational Privacy = Personal Data Protection #IISF2011 7
  • 8. Why countries protect personal data?  International obligation  Competitiveness  Human right  International influence #IISF2011 8
  • 9. Why Protect Personal Data?What Customers Say… Nearly 90% of online consumers want the right to control how their personal information is used after it is collected (Forrester Research 2003) 87 % of Americans are concern about the security of their information on the Internet (Zogby International 2010) 61 % of adult Americans said that they were extremely concerned about the privacy of their personal information when buying online (University of Southern California 2007) #IISF2011 9
  • 10. Cont…….. Our research shows that 80% of our customer would walk away if we mishandled their information (Royal Bank of Canada 2003) Concerns about the use of personal information led 64% of respondents to decide not to purchase from a company (Privacy and American 2005) 67% respondents decided not to register at a website or shop online because they found privacy policy to be too complicated or unclear (Privacy and American 2005) #IISF2011 10
  • 11. Malaysian Consumers Say….. 75.3% respondents say that they were “somehow concerned” and “very concerned” with their personal privacy even when not online 94.2 % respondents felt that their personal privacy might be threatened when using the Internet 50.8 % of non Internet Banking customers have not migrated to the online services mainly due to security, trust and privacy concerns (Muniruddeen Lallmahamood 2007/2008) #IISF2011 11
  • 12. Therefore….  Trust and risk are major determinants towards purchasing and of intention to purchase  Trust is difficult to gain but easy to lose  Consumers are concern about their privacy  Consumers are very concern about privacy when transact online #IISF2011 12
  • 13. GOOD PRIVACY, GOOD BUSINESS“Privacy is good forbusiness”Harriet PearsonIBM Chief Privacy Officer #IISF2011 13
  • 14. How? Potential Risks  Breaches of data protection law  Damage to organization’s reputation and brand  Physical, psychological and economic harm to customers  Financial losses associated with deterioration in quality and integrity of personal data due to customers’ distrusts  Loss of market share or a drop in stock prizes due to negative publicity/ failure or delay in the implementation of new product / service due to privacy concern #IISF2011 14
  • 15. Benefits More positive organizational image and significant edge over the competition Business development via expansion into jurisdiction requiring clear privacy standard Enhanced data quality and integrity Fostering better customer service and more strategic business decision making Enhanced customer trusts and loyalty #IISF2011 15
  • 16. #IISF2011 16
  • 17. #IISF2011 17
  • 18. International Instruments  OECD Guidelines 1980  Council of Europe Convention 1981  European Directive 1995  APEC Privacy Framework 2004  Madrid Resolution 2009 #IISF2011 18
  • 19. OECD Guidelines 1980 (8 Principles)  Collection limitation  Data Quality  Purpose Specification  Use Limitation  Security  Openness  Individual Participation  Accountability #IISF2011 19
  • 20. Council of Europe Convention 1981Personal Data shall be: obtained fairly and lawfully stored for specified and legitimate purposes and not used in a way incompatible with those purposes adequate, relevant and not excessive accurate and, where necessary kept up to date preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored #IISF2011 20
  • 21. European Directive 1995Personal data must be; Processed fairly and lawfully Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes adequate, relevant and not excessive accurate and, where necessary kept up to date #IISF2011 21
  • 22. APEC Privacy Framework 2004 (9 Principles)  Preventing harm  Notice  Collection Limitation  Uses of personal information  Choice  Integrity  Security safeguards  Access and correction  accountability #IISF2011 22
  • 23. Madrid Resolution 2009 (6 Principles)  Lawfulness and fairness  Purpose specification  Proportionality  Data quality  Openness  Accountability #IISF2011 23
  • 24. Innovative ideas on proactive measures to protectpersonal data: Procedures to prevent and detect breaches Appointment of data protection or privacy officers Training, education and awareness programmes Audit Adaptation of information systems and /or technologies Implementation of privacy impact assessment prior to implementing new systems or technologies Adoption of codes of practice Implementation of a response plan The Madrid Resolution has received support from Oracle, Walt Disney, Accenture, Microsoft, Google, Intel, Procter & Gamble, General Electric, IBM and Hewlett Packard #IISF2011 24
  • 25. National Approaches  Comprehensive Legislation  Legislation + Self-Regulatory  Self–Regulatory  Doing Nothing #IISF2011 25
  • 26. Comprehensive Legislation  All EU countries, including the 10 new member states (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia)  Japan, Korea, New Zealand, Australia, Hong Kong, Macao, Taiwan, Philippines  Chile, Argentina, Brazil, Mexico  In Middle East, only Israel #IISF2011 26
  • 27. Legislation + Self-Regulatory  USA – Privacy Act 1974 + 12 federal sectoral based legislation + State Laws + Safe HarbourSelf-Regulatory  Singapore - Does not work – To have a data protection law by 2012 #IISF2011 27
  • 28. Doing Nothing so far  Brunei  Vietnam  Laos  Cambodia  Many more #IISF2011 28
  • 29. #IISF2011 29
  • 30. Our Part of the World : What’s Happening ?• Macao enacted her Personal Data Protection Act in 2006• China has came out with several drafts of the law, and the latest in 2007• India amended her Information Technology Act in December 2008. Some new provisions are added to protect privacy and personal data. In April 2011, the third draft of the Privacy Bill was issued.• Indonesia came out with an academic draft in 2009• Thailand has developed a draft Bill in 2010• Taiwan amended her old law and passed a more comprehensive Personal Data Protection Act in April 2010• Malaysia has passed the Personal Data Protection Act in June 2010• Korea came out with a more comprehensive law in March 2011• The Philippines Congress has came out with the draft Act• Australia and Hong Kong are reviewing their Privacy Act and Privacy Ordinance respectively• Singapore is currently developing a law and is expected to be ready by 2012. On 13 Sept 2011, a Consultation Paper was released• In April 2011, the EU Working Party decided that the New Zealand Privacy Act is adequate #IISF2011 30
  • 31. Korea Malaysia Taiwan Data Protection Act Personal Data Personal Data 2011 Protection Act 2010 Protection Act 2010• Data Protection • Data Protection • Data Protection Principles Principles Principles• Rights of Data Subjects • Rights of Data • Rights of Data• Organization to Subjects Subjects designate someone to take charge • Special entity to • Mandatory data• Special entity to enforce enforce the Act (Data Breach Notification the Act (Data Protection Protection (to the Data Subject) Commission/DPC) Commissioner) • Enforcement by• Mandatory reporting of • No mandatory data Ministries responsible significant breach to DPC breach notification. for each industry• Data breach notification • Differentiate personal sector (to the Data Subject) data & sensitive data.• Mediation to resolve • Does not apply to dispute. Federal and States• Differentiate personal Goverments data & sensitive data• PIAs are encouraged #IISF2011 31
  • 32. Malaysian PDPA : An Overview Federal & States Govts Credit Non- Reference Commercial Agencies Transactions Non- Application Data Personal, Processed Family, Outside Household Malaysia Affairs #IISF2011 32
  • 33. General Principle Notice and Access Choice Principle Principle DATA PROTECTION Data PRINCIPLES DisclosureIntegrity PrinciplePrinciple Retention Security Principle Principle #IISF2011 33
  • 34. Exemptions • Crime Prevention/Detection • Offenders Apprehension/Prosecution • Tax/Duty Assessment/Collection Partial • Physical/Mental Health • Statistics/Research • Court Order/Judgment • Regulatory Functions • Journalistic/Literary/Artistic • Personal • Family Total • Household • Recreational #IISF2011 34
  • 35. Right to be Informed Right to PreventProcessing for Right to Direct Access Marketing Purposes RIGHTS OF DATA SUBJECTS Right to Prevent Right to Processing Correct Likely toCause Distress Right to Withdraw Consent #IISF2011 35
  • 36. No. Section Offences Penalty 1 Fine <RM500,000.00/ S. 16(4) Processing without a certificate of registration Imprisonment < 3 years/ Both 2 Fine <RM500,000.00/ S 18(5) Processing after registration is revoked Imprisonment < 3 years/Both 3 Fine <RM500,000.00/ S.5 Contravening Data Protection Principles Imprisonment < 2 years/Both 4 Fine <RM100,000.00/ S. 29 Non-Compliance with Code of Practice Imprisonment < 1 year/Both 5 Failure to Inform the Refusal to Comply with the Data Fine <RM100,000.00/ S. 37(4) Correction Request Imprisonment < 1 year/Both 6 Fine <RM100,000.00/ S. 38(4) Processing after consent been withdrawn Imprisonment < 1 year/Both 7 Fine <RM200,000.00/ S.40(3) Processing of Sensitive Data Imprisonment < 2 years/Both8. Failure to Comply with the Commissioner’s Fine <RM200,000.00/ S.42(6) Requirement Imprisonment < 2 years/Both (Processing likely to cause damage or distress) 9 Failure to Comply with the Commissioner’s Fine <RM200,000.00/ S. 43(4) Requirement Imprisonment < 2 years/Both (Direct Marketing)10. Transfer of Data to Places Outside Malaysia without Fine <RM300,000.00/ S. 129(5) any law or adequate protection Imprisonment < 2 years/Both11 Collects, disclose or procure to disclose data without Fine <RM500,000.00/ S. 130(3) consent of Data User Imprisonment < 3 years/Both12 Fine <RM500,000.00/ S. 130(4) and (5) Selling or offer to sell Imprisonment < 3 years/Both13 #IISF2011 36 Half of the maximum term provided for S. 131(1) and (2) Abetment and Attempt to commit any of the offences that offence
  • 37. Enforcement Mechanisms  Data Protection Commissioner  Advisory Committee  Appeal Tribunal  Codes of Practice  Enforcement Notice  Prosecution  Revocation of Registration #IISF2011 37
  • 38. May Irecommend you toread this! #IISF2011 38
  • 39. My other books on ICT Law In Print Cyber Law: Privacy and Internet Banking: Information & Policies and Data Protection Law and Practice Communication Challenges Sweet & Maxwell LexisNexis UK Technology LawButterworths Asia (2002) (2004) Legal & Regulatory (1999) Challenges Thomson Reuters (2010) #IISF2011 39
  • 40. +60122185242 #IISF2011 40