personal data protection act 2010 to comply is to know l.
Skip this Video
Loading SlideShow in 5 Seconds..
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 59


  • Uploaded on

PERSONAL DATA PROTECTION ACT 2010 TO COMPLY IS TO KNOW. Professor Abu Bakar Munir Faculty of Law, University of Malaya & Associate Professor Siti Hajar Mohd Yasin Faculty of Law, Universiti Teknologi MARA SEMINAR KESEDARAN AKTA PERLINDUNGAN DATA PERIBADI

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'PERSONAL DATA PROTECTION ACT 2010 TO COMPLY IS TO KNOW' - topaz

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
personal data protection act 2010 to comply is to know


Professor Abu Bakar Munir

Faculty of Law, University of Malaya


Associate Professor SitiHajarMohdYasin

Faculty of Law, UniversitiTeknologi MARA


9 February 2012

Kuala Lumpur


Some of our books on ICT Law

In Print

Privacy and

Data Protection

Sweet & Maxwell


Internet Banking: Law and Practice

LexisNexis UK


Cyber Law: Policies and Challenges

Butterworths Asia


Information & Communication Technology Law

Legal & Regulatory Challenges

Thomson Reuters




read this book.

reality check
Reality Check
  • The efficiency of computer network has caused more and more personal data be stored in computers
  • The world has reaped the benefits of the fast flow information and personal data:
    • Ten years ago – gigabytes of data,
    • Five years ago – terabytes of data,
    • Today, petabytes of data, are being transferred and stored on daily basis.
  • Users globally send around 47 billion (non-spam) emails and submits 95 millions tweets
  • Each month users share about 30 billion pieces of contents on facebook
  • Personal data is the new oil of the Internet and the new currency of the digital world
  • Greater concerns about privacy invasion
types of privacy
Types of Privacy

The right to be left alone

Bodily privacy

Privacy of communications

Territorial privacy

Informational privacy

privacy as human rights
Privacy as Human Rights

Article 12 Universal Declaration on Human Rights 1948

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Some Other Instruments

Article 17, International Covenant on Civil and Political Rights 1966

Article 16, Conventions on the Rights of the Child 1989

Article 8, Convention for the Protection of Human Rights and Fundamental Freedoms 1950

Article 18, OIC Cairo Declaration on Human Rights in Islam 1990

Article 4.3, Declaration of Principles on Freedom of Expression in Africa 2002

Article 5, American Declaration of the Rights and Duties of Man

Informational Privacy

The rights of an individual to have control over his personal information

Informational Privacy = Personal Data Protection

why countries protect personal data
Why countries protect personal data?
  • International obligation
  • Competitiveness
  • Human right
  • International influence
why protect personal data
Why Protect Personal Data?

What Customers Say…

Nearly 90% of online consumers want the right to control how their personal information is used after it is collected

(Forrester Research 2003)

87 % of Americans are concern about the security of their information on the Internet

(Zogby International 2010)

61 % of adult Americans said that they were extremely concerned about the privacy of their personal information when buying online

(University of Southern California 2007)


Our research shows that 80% of our customer would walk away if we mishandled their information

(Royal Bank of Canada 2003)

Concerns about the use of personal information led 64% of respondents to decide not to purchase from a company

(Privacy and American 2005)

67% respondents decided not to register at a website or shop online because they found privacy policy to be too complicated or unclear

(Privacy and American 2005)

malaysian consumers say
Malaysian Consumers Say…..

75.3% respondents say that they were “somehow concerned” and “very concerned” with their personal privacy even when not online

94.2 % respondents felt that their personal privacy might be threatened when using the Internet

50.8 % of non Internet Banking customers have not migrated to the online services mainly due to security, trust and privacy concerns

(Muniruddeen Lallmahamood 2007/2008)

  • Trust and risk are major determinants towards purchasing and of intention to purchase
  • Trust is difficult to gain but easy to lose
  • Consumers are concern about their privacy
  • Consumers are very concern about privacy when transact online
good privacy good business

“Privacy is good for business”

Harriet Pearson

IBM Chief Privacy Officer


Potential Risks

  • Breaches of data protection law
  • Damage to organization’s reputation and brand
  • Physical, psychological and economic harm to customers
  • Financial losses associated with deterioration in quality and integrity of personal data due to customers’ distrusts
  • Loss of market share or a drop in stock prizes due to negative publicity/ failure or delay in the implementation of new product / service due to privacy concern
  • More positive organizational image and significant edge over the competition
  • Business development via expansion into jurisdiction requiring clear privacy standard
  • Enhanced data quality and integrity
  • Fostering better customer service and more strategic business decision making
  • Enhanced customer trusts and loyalty
(Reuters) - HSBC Holdings, Europe's biggest bank, was fined 3.2 million pounds on Wednesday for information security breaches, the biggest fine the country's financial regulator has ever imposed for data security lapses. (2007, 2008)
Insurance giant Norwich Union has been fined £1.26 million by the Financial Services Authority (FSA) for security systems failures (2007)



For immediate release

Date: 13 November 2012




The Data Protection Commissioner's Office (DPCO) has found that the XYZ SDN.

BERHAD is in beach of the Personal Data Protection Act 2010 following an

investigation into the complaint of  ………………………………………………

………AB H………..


international instruments
International Instruments
  • OECD Guidelines 1980
  • Council of Europe Convention 1981
  • European Directive 1995
  • APEC Privacy Framework 2004
  • Madrid Resolution 2009
  • EU Proposed Directive (25 Jan 2012)
oecd guidelines 1980 8 principles
OECD Guidelines 1980 (8 Principles)
  • Collection limitation
  • Data Quality
  • Purpose Specification
  • Use Limitation
  • Security
  • Openness
  • Individual Participation
  • Accountability
council of europe convention 1981
Council of Europe Convention 1981

Personal Data shall be:

  • obtained fairly and lawfully
  • stored for specified and legitimate purposes and not used in a way incompatible with those purposes
  • adequate, relevant and not excessive
  • accurate and, where necessary kept up to date
  • preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored
european directive 1995
European Directive 1995

Personal data must be;

  • Processed fairly and lawfully
  • Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
  • adequate, relevant and not excessive
  • accurate and, where necessary kept up to date
apec privacy framework 2004 9 principles
APEC Privacy Framework 2004 (9 Principles)
  • Preventing harm
  • Notice
  • Collection Limitation
  • Uses of personal information
  • Choice
  • Integrity
  • Security safeguards
  • Access and correction
  • accountability
madrid resolution 2009 6 principles
Madrid Resolution 2009 (6 Principles)
  • Lawfulness and fairness
  • Purpose specification
  • Proportionality
  • Data quality
  • Openness
  • Accountability
eu proposed directive
EU Proposed Directive

On Data Protection with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the executions of criminal penalties, and the fee movement of such data.

  • Known as The Police and Criminal Justice Data Protection Directive
  • January 25, 2012, the European Commission released a proposed data protection regulation to replace the current EU Data Protection Directive (95/46/EC). The proposed regulation would drastically alter the data protection landscape for companies
national approaches
National Approaches
  • Comprehensive Legislation
  • Legislation + Self-Regulatory
  • Self–Regulatory
  • Doing Nothing

Comprehensive Legislation

  • All EU countries, including the 10 new member states (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia)
  • Japan, Korea, New Zealand, Australia, Hong Kong, Macao, Taiwan, Philippines, Singapore
  • Chile, Argentina, Brazil, Mexico, etc.
  • In Middle East, only Israel and Dubai Financial Centre

Legislation + Self-Regulatory

  • USA – Privacy Act 1974 + 12 federal sectoral based legislation + State Laws + Safe Harbour


  • Singapore - Does not work – To have a data protection law by 2012
doing nothing so far
Doing Nothing so far
  • Brunei
  • Vietnam
  • Laos
  • Cambodia
  • Many more
our part of the world what s happening
Our Part of the World : What’s Happening ?
  • Macao enacted her Personal Data Protection Act in 2006
  • China has came out with several drafts of the law, and the latest in 2007
  • India amended her Information Technology Act in December 2008. Some new provisions are added to protect privacy and personal data. In April 2011, the third draft of the Privacy Bill was issued.
  • Indonesia came out with an academic draft in 2009
  • Thailand has developed a draft Bill in 2010
  • Taiwan amended her old law and passed a more comprehensive Personal Data Protection Act in April 2010
  • Malaysia has passed the Personal Data Protection Act in June 2010
  • Korea came out with a more comprehensive law in March 2011
  • The Philippines Congress has came out with the draft Act
  • Australia and Hong Kong are reviewing their Privacy Act and Privacy Ordinance respectively
  • Singapore is currently developing a law and is expected to be ready by 2012. On 13 Sept 2011, a Consultation Paper was released
  • In April 2011, the EU Working Party decided that the New Zealand Privacy Act is adequate
offences by a body corporate
Offences by a body corporate

A director, chief executive officer, chief operating officer, manager, secretary; or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management - may be charged severally or jointly in the same proceeding with the body corporate; and

If the body corporate is found to have committed the offence, he shall be deemed to have committed the offences unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves :

- that the offences was committed without his knowledge, consent or connivance; and

- that he had taken all reasonable precautions

and exercised due diligence to prevent

the commission of the offence. (s.133)

abetment and attempt to commit offence
Abetment and Attempt to Commit Offence

A person who abets the data user in the commission of any offence under this Act commits an offence, and shall, on conviction, be liable to the punishment provided for that offence.(s.132(1)

A person who attempts to commit an offence punishable under this Act commits an offence and shall be liable to imprisonment not exceeding one half of the maximum term provided for that offence.

transfer of data to outside malaysia
Transfer of Data to Outside Malaysia

What PDPA says…

  • Sect 129

No transfer unless to such places specified by the Minister

  • The Minister may specify if:

a) there is a law substantially similar to PDPA, or

b) there is a law that serves the same purpose as PDPA, or

c) that place ensures an adequate level of protection

equivalent to the protection afforded by PDPA

enforcement mechanisms
Enforcement Mechanisms
  • Data Protection Commissioner
  • Advisory Committee
  • Appeal Tribunal
  • Codes of Practice
  • Enforcement Notice
  • Prosecution
  • Revocation of Registration

Telco A

  • “Personal information held by Telco A may include your name, date of birth, current address, telephone/mobile phone number, email address, credit cards details, occupation, user ID or password… as well as certain details about your personal interest.”
  • “Telco A complies with and is registered under the data protection law in Malaysia and…”

Bank A

“Any information sent to Bank A Bhd through the use of this site will be deemed not to be confidential and be deemed to remain the property of Bank A Bhd who shall be free to use, copy, publish, reproduce, distribute and/or transmit all such information at Bank A Bhd’s absolute discretion for any purpose and…”


Bank C

“Bank C Group may also use your personal information to market Bank C Group’s products, and services to you based on your interest and…”

“Our use of your information may also extend to other purposes… which may at our sole discretion be made available to our third party vendors, advertisers, affiliates or relevant third parties”


Bank Z

“… the Bank does not warrant the security of any information transmitted by the Customer using the Bank’s Internet Banking Services. Accordingly, the Customer hereby accepts the risk that any information transmitted or received using the Bank’s Internet Banking Services may be accessed by unauthorised third parties and the Customer agrees not to hold the Bank liable for any such unauthorised access or any loss or damage suffered as a result thereof.”

abmunir@um edu my http profabm blogspot com 60122185242 sitihajar425@salam uitm edu my 60123455537