Your Data is My Data? – Data Protection in an ‘onlife’ era

INTRODUCTION

Since the turn of the millennium, personal data has been regarded as a commodity more valuable than our natural resources. One only has to do a quick web search to realise that organisations have the capacity (and do have a tendency) to misuse this resource. 

However, the same individuals who claim to be so protective of their own of valuable resources (data) do not blink an eye before consenting to their data being processed or used. This is becoming the norm whenever anyone uses their smartphone, popular online search tools and social media applications. 

Recently, there was an alleged data leak in our Election Commission database involving the personal details of 800,000 voters occurred. The leak was allegedly available for a measly sum of USD 2,000 on an online marketplace. 

Also there was also an incident of data leak containing information of a whopping 22.5 million Malaysians born between 1940 and 2004, purportedly stolen from the National Registration Department (NRD) in early 2022. 

So, the question you’re probably asking is “If data leaks and breaches are going to be more common over time, what should I do if I think I’m affected?”

The Personal Data Protection Act (PDPA) 2010

Other jurisdictions such as the UK appears to have recognised the special value of data from as early as 1983 through the enactment of the Data Protection Act 1984. However, this was repealed by the 1998 Act which came into force in 2000 and subsequently in 2018 by the Data Protection Act (DPA 2018).

In Malaysia, we have the Personal Data Protection Act 2010 (“PDPA 2010”) which was enacted to balance the rights of individuals who generate personally identifiable data, also known as data subjects and organisations who collect that data in respect of commercial transactions. The preamble of the PDPA 2010 sets out the spirit and intention of the act which is an Act to regulate the processing of personal data in commercial transactions as well as connected and incidental matters. 

Section 5(1) of the PDPA 2010 lays out 7 principles that data users must comply with when processing personal data and non-compliance with the principles equates to a breach of the PDPA. The principles are as follows:-

• General Principle – This prohibits the data user from processing a data subject’s personal data without their consent unless it is necessary.
• Notice and Choice Principle - The data user must notify the data subject through writing as to the purpose, extent, accuracy, and consequences of the personal data being processed. A data subject can request that the data is not used for the purposes of direct marketing. 
• Disclosure Principle - This principle prohibits the disclosure of personal data without the consent of the data subject except in limited circumstances.
• Security Principle - The PDPA imposes obligations on the data user to take reasonable steps to protect the personal data being processed from risks.
• Retention Principle - Under this Principle, data users are to ensure that the personal data is not to be retained longer than is necessary for the fulfilment of the purpose for which it is processed.
• Data Integrity Principle - The data user has an obligation to take reasonable steps to ensure that the data kept is accurate, complete, not misleading and updated.
• Access Principle - The PDPA gives the data subject the right to access his/her own personal data and to correct the personal data which is inaccurate, incomplete, misleading or outdated.

Potential Recourse under PDPA

Pursuant to Section 104 of the PDPA, individuals who think their personal data may have been processed in breach of any PDPA provision can lodge a complaint to the Personal Data Protection Commissioner. 

Following a complaint, the Commissioner will carry out an investigation to ascertain whether there has indeed been a data protection breach under the PDPA or alternatively, work with the Malaysian Communications and Multimedia Commission to see if the Malaysian Communications and Multimedia Commission Act 1998 applies instead. If the individual is dissatisfied with the Commissioner’s decision on the matter, that person can then a legal action to court by way of Judicial Review application to challenge the decision of the Commissioner.

As the PDPA 2010 is a relatively new piece of legislation, there have not been many cases on the effect and applicability of the act. However, there appears to be a push by our Courts towards safeguarding the rights of data subjects within reason.

In Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors [2021] MLJU 2847. Genting Malaysia brought a Judicial Review application against the Personal Data Protection Commissioner. the Deputy Commissioner, and the third and the Deputy Commissioner of the Revenue Department. The judicial review application was brought to challenge the decision of the Revenue Department for requesting for the  personal data such as names and IC numbers of Genting’s customers which would assist in increasing their tax base and reducing tax evasion.

The Revenue Department relied on Section 81 of the Income Tax Act 1967 and Section 39 of the PDPA 2010 to argue that such disclosure was warranted. The court held, inter alia, it is illegal for the Respondents that to interpret the PDPA without taking into account the fundamental liberties particularly the right to privacy under Article 5 of the Federal Constitution (the right to privacy). The Court further added that in situations where there is conflict between the two acts, the PDPA 2010 would prevail  it was more recent and was specifically enacted for the protection of personal data. 

The above case is a clear win for data subjects. However, there are instances where, the courts have sought to strike a balance by using their discretionary powers to refuse to order the protection under the application of the PDPA 2010. 

This can be seen in Kopitiam Asia Pacific Sdn Bhd v Modern Outlook Sdn Bhd & Ors [2019] 10 MLJ 243 where the plaintiff discovered that an article allegedly defaming him was being circulated on websites online. As the plaintiff took the view that he had insufficient information regarding the people responsible for posting the said defamatory articles, he filed a legal action against the administrators of the websites for asking for an order to disclose all relevant information to identify the responsible parties.

The Defendant objected to the pre-action discovery above on grounds that the information sought breached the PDPA. The High Court allowed the application as Section 39 of the PDPA 2010 empowered the courts to make orders directing the person in possession of such data to disclose it. 

It is clear from the case above that our Courts are keen on protecting data subjects as well as the controllers.  

Since our PDPA is based on a similar enactment in the UK (DPA 2018), it will be useful to look at the decisions of the UK Courts to see how they have developed the law in respect of personal data protection. 

The trend in the UK seems to be dialling down the rights of data subjects as seen in the Supreme Court case of Lloyd v Google LLC [2021] UKSC 50. Here, an action was taken by the data subject against Google for bypassing privacy settings on Apple’s iPhone Safari browser. The Court held that there had to be some actual damage suffered by the data subject and proof of this damage to sustain a legal action under the DPA 2018. Unlawful processing alone would not give rise to a claim under the DPA 2018. 

In Williams, Re Application for Judicial Review (2022) NIQB 12, a judicial review application was filed in Northern Ireland to challenge the validity of vaccine passports, application was denied. However, the court decided that since the appellant was unvaccinated, he cannot be considered as a data subject. It would be interesting to observe the approach taken by Malaysian courts if a similar action was taken with respect of MySejahtera. 

The Malaysian courts on the other hand are still rather open to safeguarding privacy and data protection rights enshrined in the PDPA. Hence, data subjects who feel their rights under the PDPA have been infringed are advised to take a proactive approach in making a complaint and/or taking the matter to court. 

Conclusion 

Society’s increasing reliance on technology especially after the Covid-19 pandemic paired with a poor understanding of what one’s rights as a data subject is a recipe for disaster. Examples of such disaster can be seen during the Cambridge Analytica episode where the data of millions were unwillingly shared that ended up influencing a presidential election. 

The silver lining is that the Malaysian government and Courts are committed to protecting the rights of data subjects. It is now imperative for the public to be more aware of their rights over their personal data to ensure that the same remains “personal”.