Privacy and Personal Data Essay Example
  • Pages: 9 (2463 words)
  • Published: May 1, 2018
  • Type: Essay

Networks and services, which provide a secure environment, are fundamental to consumer confidence. This confidence rests on the premise that the privacy of communication is protected. At its basic core, this means respect for fundamental human rights of individuals in society.

What is ‘privacy’ then? Is it the right to be merely ‘left alone’? Legal definitions of the concept are imprecise but it is clear that ‘everyone has the right to respect for his private and family life, his home and his correspondence’, though this is usually limited by exceptions in the public interest of security. In this scenario, privacy will include relevant information that is generated in respect of individuals and the way such information is used.

In this sense, the information or data that is generated is as much an integral feature of the protection of individual human rights as is the right of individuals not to be physically harmed in an unjust manner. In the context of communication networks and services, data protection to safeguard the privacy or human rights of individuals is developing rapidly across many countries but at different levels and areas of protection. In this article, we will analyse the regime under the Malaysian Communications and Multimedia Commission Act 1998 (‘CMA’).

The Coming Constructs of Privacy and Personal Data Protection?

At the outset, it must be mentioned that the concept of privacy is not a fundamental human right under the Malaysian Constitution. However, its importance has been recognised both in a general sense and in the field of telecommunications. The Sector Ministry is presently engaged in drafting a new piece of legislation on personal data protection, which seeks to regulate the collection, possession, processing and use of personal data by any person or organisation to provide protection to an individual’s personal data and to safeguard the privacy of individuals. The objective, amongst others, is to provide ‘adequate security and privacy in handling personal information and create confidence among consumers and users of both networked and non-networked industries’. This, therefore, envisages a more general legislation. It should be pointed out that a draft Personal Data Protection Bill (‘draft Bill’) was introduced in 2000, but subsequently withdrawn for further consultation and the same is expected to be reintroduced soon.

This Draft Bill envisaged the formation of a commissioner for personal data protection and a tribunal, who would be answerable to the Minister. The definition of ‘personal data’ is wide and includes the kind of data that is recorded and which can be processed either via automatic means or otherwise and which relates directly or indirectly to a living individual who is or is not identified, either from that information or partly from other information, which also includes opinions of third parties about the concerned individual and any indication of the intentions of the data user (controller) in respect of the individual.

There are nine data protection principles which relate to the manner of collection of personal data, the purpose of the collection, its use, disclosure requirements, accuracy, duration, access and correction possibilities, security of personal data and ascertainment of data users’ (controller) policies and information to be provided to a data subject. Azmi observed that the wide provisions in the exemption provisions lend credence to the view that privacy protection is a matter of ‘balance’ rather than any underlying notion of human rights.

The author further argues that the draft bill essentially deals with procedural usage of data instead of fostering a balance between privacy and surveillance issues as such and concludes that there are substantial amounts of exemption provisions, with minimal limitations in preventing or limiting data collection. While enhanced privacy rights will be provided, such as ‘to prevent such information from being misused by unscrupulous parties’, this will likely be balanced against competing public/private rights and exemptions rights, especially for national and public security interests.[10] Whatever the arguments, it is believed that the arrival of general data protection legislation is imminent.

Privacy and Personal Data Protection under the CMA

Under the CMA regime, specific provisions are provided for network and service providers to protect communications. Interception of communication without lawful authority, including divulging, using or attempts to do the same are prohibited. For service providers, this includes ‘observing or random monitoring’ except where such interception, disclosure or use are within the normal course of an activity incidental to the rendering of facilities or services, or to the protection of the rights or property of the service provider.

However, the Sector Minister can authorise licensee(s) to implement capabilities ‘to allow authorised interception of communications’. The more specific provisions for protection of consumer information are found in the General Consumer Code of Practice (‘the Consumer Code’) and in compliance with requirements in standard licence conditions of every licensee. The Consumer Code provides guiding principles that service providers could adopt in collecting and maintaining data/information on consumers for tracking practices.

How do we construe that data is to be ‘fairly and lawfully collected and processed’ or that it is ‘processed for a limited purpose’ in the circumstances? It is submitted that, within the framework of the Code, these criteria are satisfied when the notice of information policies and disclosure of the uses of information are made by the service provider concerned after obtaining the consent of the individual. Further, as argued by Munir et al, the fact that notice has to be provided of the type of information collected and its use (per r 2 above) and the requirement of ‘limited processing’ suggest that only information specified in the notice is to be processed, unless consent is obtained. This ‘limited purpose’ should also conform to the practice that the collection of data by the service provider was ‘adequate, relevant and not excessive’. The fact that data collected should be ‘accurate’ should comply with the rule that provides for a mechanism to correct inaccuracies defined by reference to the reliability of the sources of information, the particular collection method and reasonable access to the data subject concerned to enable correction.

The requirement of conservation of data must be read in conjunction with the limited purpose of such collection by the service provider and should be deleted once the purpose is accomplished, provided that the data subject’s consent was given in the first place.[8] In respect of the requirement that data is to be processed in accordance with the data subject’s rights, it is to be noted that the provision of consent is not expressed as to whether a data subject is given the possibility of agreeing or rejecting but more in the sense of the choice given as to how the identifiable collected information can be used. In this formulation, a ‘data subject’s rights’ are more apparent than real.

The provision for secure information collection merely informs that the service provider should take appropriate measures to assure reliability and a commitment to protection of information to prevent loss, misuse or alteration. There is considerable ambiguity in the principle of ‘prior approval from the consumer’ in respect of any information transferred to any third party as the consent appears to be expressed only as a matter of choice as to the use of the data and not an ability to exercise positive acceptance or refusal. Further, even the requirement that the service provider should assure similar security requirements to data transferred to third parties lacks any legal force as the provisions of the Consumer Code only apply to licensee(s) under the CMA and non-licensees who are members of the Consumer Forum. Hence any transfer of data to those apart from the above will not likely be protected. It is to be noted that there is no exemption provision in respect of consumer information in the Consumer Code itself, reflecting perhaps a consumer-centric approach in its provisions.

The question that arises is how can this framework be enforced? Under the mechanism established in the CMA, once a particular Code is registered with the regulator, it becomes effective. Though compliance by service providers with the Code provides a defence against any prosecution, action or proceeding, whether in court or otherwise in respect of a matter covered by the Consumer Code, compliance is however not mandatory.[21] Notwithstanding the above, compliance with data protection can be effected by the following three methods. The regulator can direct compliance with a registered code, essentially by enforcing the licence conditions.

Standard licence conditions contain provisions that seek compliance, inter alia, with voluntary industry codes, of which the said Consumer Code is one.[22] Non-compliance with such a direction will constitute an offence, liable on conviction to a fine not exceeding RM300,000 or imprisonment for a term not exceeding three years or to both. However, notwithstanding this and without prejudice to any other remedy or sanction, a civil penalty can be imposed by the regulator, for non-compliance via a fine not exceeding RM200,000.

Compliance can also be enforced when a service provider (ie only network service or application service providers) fails, refuses or neglects to deal reasonably with consumers or to adequately address consumer complaints. According to Munir et al, this provision provides the ‘teeth’ necessary under the Code to ensure compliance, as non-compliance with rules concerning the protection of consumer information would amount to not ‘dealing reasonably with consumers’. However, it is contended that enforcement under this provision would be less effective in respect of protection of consumer information, compared to a direction issued by the regulator discussed above, as the latter goes to the licence and attracts a higher monetary penalty. Further, this provision is limited to only network service and application service providers, leaving out network facility providers and content application service providers.

The other enforcement is dispute resolution via the Consumer Code itself. In the nature of a breach of personal data, it would be highly unattractive to first, attempt to settle the dispute with the service provider concerned as is promoted in the Consumer Code process. A quite lengthy process is involved, in that, where on failure to settle with the service provider concerned, the matter is taken to the Consumer Forum and only on this failure to resolve, is the matter brought before the regulator. Though the complaints handling process should be free of charge, a ‘reasonable charge’ is incurred to retrieve ‘extensive or archival’ (more than one year old) records.

Further, the requirement for confidentiality of proceedings, limited compensation provision and the sanctions available, (ie either a caution or warning notice) are all unattractive for a data subject to pursue information breaches under the Consumer Code. Finally, the absence of benchmarks, guidelines on the various rules, interpretations on the provisions and enhanced redress mechanism for consumer data protection allow opportunities for perfunctory compliance, which considerably weakens such protection within the Consumer Code. In the circumstances, empirical evidence gathered by Munir et al further confirms weaknesses in complying with consumer data protection by the service provider.

The authors found, inter alia, that a number of sites did not have privacy statements or information notices and that some others had brief statements that were misleading or unclear. Specifically in respect of communication providers, privacy policies are inconsistent with the rules set forth in the Consumer Code. In this respect, monitoring by the regulator also revealed non-compliance with data protection principles and the requirements of confidentiality. Hence, in this analysis, consumer data protection in the communications sector is insufficiently comprehensive and lacks compliance. However, consumer awareness is also urgently needed to complement efforts by the regulator.

Perhaps the urgency of the matter would be brought to the fore when the main provision of a Personal Data Protection Bill is enacted. It is likely that when that happens, data protection in the communications sector would be further enhanced.

Evaluation

Even while there is considerable debate and anxiety about privacy and data retention, empirical evidence shows a considerable lack of compliance and public awareness of the rights to privacy, either in the general sense or more specifically in the communications sector. Even in countries where privacy and data protection laws are quite established, calls are constantly made for enhanced information and privacy notices by establishments to facilitate compliance and to improve citizens’ awareness of data protection rights. In the United Kingdom, for example, the Information Commissioner has called on businesses to adopt clear and simple methods of explaining data protection rights to consumers and to avoid gobbledegook. Further, a survey report noted that respondents, inter alia, often had little knowledge of what happened to their personal information, misunderstood the scope of data protection and paid scant attention to information notifications.

Similarly in the CMA regime, greater enforcement and public awareness of consumer privacy and personal data protection are crucial to enable the achievement of the objects of the CMA as well as to safeguard the rights of users. While there are advocates who argue that markets and technology should be the sole arbiter of privacy laws that are proactive, the current state of compliance and the low level of awareness of consumers as to their rights, can lead to possible abuses, leading to shrinkage of the private sphere. However, there are also calls for longer periods and other measures for retention of data in respect of combating terrorism and/or criminal activities.

This suggests that a regulated ‘balance’ is the best way forward. While in part these measures could be considered necessary in the circumstances, the key to the balance is still to do the least damage to freedom and respect for human rights and to the greatest possible extent, individuals should directly be in control of their privacy choices.

  1. See International Research on Privacy for Electronic Government, March 2003 at http://joi.ito.com/joiwiki/PrivacyReport.
  2. Council of Europe — per art 8 of the Convention for the Protection of Fundamental Human Rights and Fundamental Freedoms at http://conventions.coe.int/treaty/en/Treaties/Html/005.htm.
  3. See Ida Madieha Azmi, E-Commerce and Privacy Issues: An Analysis of the Personal Data Protection Bill, CTLR 2002, 8(8) at pp 206–212.
  4. However, the ‘right to privacy’ in its normative meaning has been discussed and taken cognisance of in a report on video surveillance in public spaces, 2008 at p 30.
  5. It is to be noted that an ‘opt-out’ scheme was contemplated for direct marketing. See Ida Madieha Azmi, E-Commerce and Privacy Issues: An Analysis of the Personal Data Protection Bill, CTLR 2002, 8(8) at pp 206–212.
  6. [10] See Ida Madieha Azmi, E-Commerce and Privacy Issues: An Analysis of the Personal Data Protection Bill, CTLR 2002, 8(8) at pp 206–212. [11] Section 234 of the CMA.
  7. Section 265 of the CMA. The definition of ‘intercept’ means the aural or other acquisitions of the contents of any communications by the use of any equipment while ‘authorised interception’ means permitted interception by the licensee of network facilities services or application service, per s 6 of the CMA.
