Abubakar munir iisf2011



  1. DATA PROTECTION LAW IS COMING TO ASIA
     Professor Abu Bakar Munir, Faculty of Law, University of Malaya
     Adviser to the Malaysian Government (2007-2010)
     INDONESIA INFORMATION SECURITY FORUM 2011, 14 December 2011, Bandung, Indonesia
     #IISF2011
  2. THE WORLD’S GREATEST NEWSPAPER 1843-2011
  3. (image-only slide)
  4. Concept of Privacy
     Definition: Privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.
  5. Types of Privacy
     • The right to be left alone
     • Bodily privacy
     • Privacy of communications
     • Territorial privacy
     • Informational privacy
  6. Privacy as Human Rights
     Article 12, Universal Declaration on Human Rights 1948: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
     Some Other Instruments:
     • Article 17, International Covenant on Civil and Political Rights 1966
     • Article 16, Convention on the Rights of the Child 1989
     • Article 8, Convention for the Protection of Human Rights and Fundamental Freedoms 1950
     • Article 18, OIC Cairo Declaration on Human Rights in Islam 1990
     • Article 4.3, Declaration of Principles on Freedom of Expression in Africa 2002
     • Article 5, American Declaration of the Rights and Duties of Man
  7. Informational Privacy
     The right of an individual to have control over his personal information.
     Informational Privacy = Personal Data Protection
  8. Why do countries protect personal data?
     • International obligation
     • Competitiveness
     • Human right
     • International influence
  9. Why Protect Personal Data? What Customers Say…
     • Nearly 90% of online consumers want the right to control how their personal information is used after it is collected (Forrester Research 2003)
     • 87% of Americans are concerned about the security of their information on the Internet (Zogby International 2010)
     • 61% of adult Americans said that they were extremely concerned about the privacy of their personal information when buying online (University of Southern California 2007)
  10. Cont.
     • Our research shows that 80% of our customers would walk away if we mishandled their information (Royal Bank of Canada 2003)
     • Concerns about the use of personal information led 64% of respondents to decide not to purchase from a company (Privacy and American 2005)
     • 67% of respondents decided not to register at a website or shop online because they found the privacy policy to be too complicated or unclear (Privacy and American 2005)
  11. Malaysian Consumers Say…
     • 75.3% of respondents say that they were “somehow concerned” and “very concerned” about their personal privacy even when not online
     • 94.2% of respondents felt that their personal privacy might be threatened when using the Internet
     • 50.8% of non-Internet Banking customers have not migrated to the online services, mainly due to security, trust and privacy concerns (Muniruddeen Lallmahamood 2007/2008)
  12. Therefore…
     • Trust and risk are major determinants of purchasing and of intention to purchase
     • Trust is difficult to gain but easy to lose
     • Consumers are concerned about their privacy
     • Consumers are very concerned about privacy when transacting online
  13. GOOD PRIVACY, GOOD BUSINESS
     “Privacy is good for business” (Harriet Pearson, IBM Chief Privacy Officer)
  14. How? Potential Risks
     • Breaches of data protection law
     • Damage to the organization’s reputation and brand
     • Physical, psychological and economic harm to customers
     • Financial losses associated with deterioration in the quality and integrity of personal data due to customers’ distrust
     • Loss of market share or a drop in stock prices due to negative publicity; failure or delay in the implementation of a new product/service due to privacy concerns
  15. Benefits
     • More positive organizational image and a significant edge over the competition
     • Business development via expansion into jurisdictions requiring clear privacy standards
     • Enhanced data quality and integrity
     • Fostering better customer service and more strategic business decision making
     • Enhanced customer trust and loyalty
  16. (image-only slide)
  17. (image-only slide)
  18. International Instruments
     • OECD Guidelines 1980
     • Council of Europe Convention 1981
     • European Directive 1995
     • APEC Privacy Framework 2004
     • Madrid Resolution 2009
  19. OECD Guidelines 1980 (8 Principles)
     • Collection Limitation
     • Data Quality
     • Purpose Specification
     • Use Limitation
     • Security
     • Openness
     • Individual Participation
     • Accountability
  20. Council of Europe Convention 1981
     Personal data shall be:
     • obtained fairly and lawfully
     • stored for specified and legitimate purposes and not used in a way incompatible with those purposes
     • adequate, relevant and not excessive
     • accurate and, where necessary, kept up to date
     • preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored
  21. European Directive 1995
     Personal data must be:
     • processed fairly and lawfully
     • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
     • adequate, relevant and not excessive
     • accurate and, where necessary, kept up to date
  22. APEC Privacy Framework 2004 (9 Principles)
     • Preventing harm
     • Notice
     • Collection Limitation
     • Uses of personal information
     • Choice
     • Integrity
     • Security safeguards
     • Access and correction
     • Accountability
  23. Madrid Resolution 2009 (6 Principles)
     • Lawfulness and fairness
     • Purpose specification
     • Proportionality
     • Data quality
     • Openness
     • Accountability
  24. Innovative ideas on proactive measures to protect personal data:
     • Procedures to prevent and detect breaches
     • Appointment of data protection or privacy officers
     • Training, education and awareness programmes
     • Audit
     • Adaptation of information systems and/or technologies
     • Implementation of privacy impact assessment prior to implementing new systems or technologies
     • Adoption of codes of practice
     • Implementation of a response plan
     The Madrid Resolution has received support from Oracle, Walt Disney, Accenture, Microsoft, Google, Intel, Procter & Gamble, General Electric, IBM and Hewlett Packard.
  25. National Approaches
     • Comprehensive Legislation
     • Legislation + Self-Regulatory
     • Self-Regulatory
     • Doing Nothing
  26. Comprehensive Legislation
     • All EU countries, including the 10 new member states (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia)
     • Japan, Korea, New Zealand, Australia, Hong Kong, Macao, Taiwan, Philippines
     • Chile, Argentina, Brazil, Mexico
     • In the Middle East, only Israel
  27. Legislation + Self-Regulatory
     • USA – Privacy Act 1974 + 12 federal sectoral-based laws + State Laws + Safe Harbour
     Self-Regulatory
     • Singapore – Does not work; to have a data protection law by 2012
  28. Doing Nothing so far
     • Brunei
     • Vietnam
     • Laos
     • Cambodia
     • Many more
  29. (image-only slide)
  30. Our Part of the World: What’s Happening?
     • Macao enacted her Personal Data Protection Act in 2006
     • China has come out with several drafts of the law, the latest in 2007
     • India amended her Information Technology Act in December 2008. Some new provisions were added to protect privacy and personal data. In April 2011, the third draft of the Privacy Bill was issued.
     • Indonesia came out with an academic draft in 2009
     • Thailand has developed a draft Bill in 2010
     • Taiwan amended her old law and passed a more comprehensive Personal Data Protection Act in April 2010
     • Malaysia passed the Personal Data Protection Act in June 2010
     • Korea came out with a more comprehensive law in March 2011
     • The Philippines Congress has come out with the draft Act
     • Australia and Hong Kong are reviewing their Privacy Act and Privacy Ordinance respectively
     • Singapore is currently developing a law, expected to be ready by 2012. On 13 Sept 2011, a Consultation Paper was released
     • In April 2011, the EU Working Party decided that the New Zealand Privacy Act is adequate
  31. Korea, Malaysia and Taiwan compared
     Korea: Data Protection Act 2011
     • Data Protection Principles
     • Rights of Data Subjects
     • Organization to designate someone to take charge
     • Special entity to enforce the Act (Data Protection Commission/DPC)
     • Mandatory reporting of significant breach to DPC
     • Data breach notification (to the Data Subject)
     • Mediation to resolve disputes
     • Differentiates personal data & sensitive data
     • PIAs are encouraged
     Malaysia: Personal Data Protection Act 2010
     • Data Protection Principles
     • Rights of Data Subjects
     • Special entity to enforce the Act (Data Protection Commissioner)
     • No mandatory data breach notification
     • Differentiates personal data & sensitive data
     • Does not apply to Federal and States Governments
     Taiwan: Personal Data Protection Act 2010
     • Data Protection Principles
     • Rights of Data Subjects
     • Mandatory data breach notification (to the Data Subject)
     • Enforcement by Ministries responsible for each industry sector
  32. Malaysian PDPA: An Overview
     Non-Application (the Act does not apply to):
     • Federal & States Govts
     • Credit Reference Agencies
     • Non-Commercial Transactions
     • Personal, Family, Household Affairs
     • Data Processed Outside Malaysia
  33. DATA PROTECTION PRINCIPLES
     • General Principle
     • Notice and Choice Principle
     • Disclosure Principle
     • Security Principle
     • Retention Principle
     • Data Integrity Principle
     • Access Principle
  34. Exemptions
     Partial:
     • Crime Prevention/Detection
     • Offenders Apprehension/Prosecution
     • Tax/Duty Assessment/Collection
     • Physical/Mental Health
     • Statistics/Research
     • Court Order/Judgment
     • Regulatory Functions
     • Journalistic/Literary/Artistic
     Total:
     • Personal
     • Family
     • Household
     • Recreational
  35. RIGHTS OF DATA SUBJECTS
     • Right to be Informed
     • Right to Access
     • Right to Correct
     • Right to Withdraw Consent
     • Right to Prevent Processing Likely to Cause Distress
     • Right to Prevent Processing for Direct Marketing Purposes
  36. Offences and Penalties
     No. | Section | Offence | Penalty
     1 | S. 16(4) | Processing without a certificate of registration | Fine <RM500,000.00 / Imprisonment < 3 years / Both
     2 | S. 18(5) | Processing after registration is revoked | Fine <RM500,000.00 / Imprisonment < 3 years / Both
     3 | S. 5 | Contravening Data Protection Principles | Fine <RM500,000.00 / Imprisonment < 2 years / Both
     4 | S. 29 | Non-Compliance with Code of Practice | Fine <RM100,000.00 / Imprisonment < 1 year / Both
     5 | S. 37(4) | Failure to Inform the Refusal to Comply with the Data Correction Request | Fine <RM100,000.00 / Imprisonment < 1 year / Both
     6 | S. 38(4) | Processing after consent has been withdrawn | Fine <RM100,000.00 / Imprisonment < 1 year / Both
     7 | S. 40(3) | Processing of Sensitive Data | Fine <RM200,000.00 / Imprisonment < 2 years / Both
     8 | S. 42(6) | Failure to Comply with the Commissioner’s Requirement (Processing likely to cause damage or distress) | Fine <RM200,000.00 / Imprisonment < 2 years / Both
     9 | S. 43(4) | Failure to Comply with the Commissioner’s Requirement (Direct Marketing) | Fine <RM200,000.00 / Imprisonment < 2 years / Both
     10 | S. 129(5) | Transfer of Data to Places Outside Malaysia without any law or adequate protection | Fine <RM300,000.00 / Imprisonment < 2 years / Both
     11 | S. 130(3) | Collects, discloses or procures to disclose data without consent of Data User | Fine <RM500,000.00 / Imprisonment < 3 years / Both
     12 | S. 130(4) and (5) | Selling or offering to sell | Fine <RM500,000.00 / Imprisonment < 3 years / Both
     13 | S. 131(1) and (2) | Abetment and Attempt to commit any of the offences | Half of the maximum term provided for that offence
  37. Enforcement Mechanisms
     • Data Protection Commissioner
     • Advisory Committee
     • Appeal Tribunal
     • Codes of Practice
     • Enforcement Notice
     • Prosecution
     • Revocation of Registration
  38. May I recommend you read this!
  39. My other books on ICT Law
     • Cyber Law: Policies and Challenges, Butterworths Asia (1999)
     • Privacy and Data Protection, Sweet & Maxwell (2002)
     • Internet Banking: Law and Practice, LexisNexis UK (2004)
     • In Print: Information & Communication Technology Law: Legal & Regulatory Challenges, Thomson Reuters (2010)
  40. abmunir@um.edu.my
     http://profabm.blogspot.com
     +60122185242