Developing and Implementing Data Protection Law: Malaysia and Beyond
Professor Abu Bakar Munir
Faculty of Law, University of Malaya, Malaysia
K&K Advocates - Expert Panel Discussion on Data Protection
Jakarta, 28 March

Some of my Books & Latest Works on ICT & Data Protection Law
Cyber Law: Policies and Challenges, Butterworths Asia (1999)
Privacy and Data Protection, Sweet & Maxwell (2002)
Internet Banking: Law and Practice, LexisNexis UK (2004)
Information & Communication Technology Law: Legal & Regulatory Challenges, Thomson Reuters (2010)

Cont.
Protection in Malaysia, Sweet & Maxwell (2010)
Data Protection Law In Singapore, Singapore Academy of Law (2014)
Data Protection Law in Asia, Sweet & Maxwell (2014); Second Edition (April )

Recent speaking engagements (invitations)
Securing the digital economy - Trust, Privacy and Transparency, New Delhi, India, 21-22 February
Data Protection Regulation in Asia: A Comparative Analysis, NUS, Singapore, 9 February
Invited Guest Lecture, Bangor Law, University of Bangor, United Kingdom, 25 January
Asia - Europe Dialogue on Growing the Digital Economy, Washington, D.C., 6-7 November 2017
International Conference on Law and Governance in Global Context (LGGC), University of Indonesia, Jakarta, 1-2 November 2017
Seminar on Big Data: Dealing with the New Oil in the Digital Economy, University of Atmajaya, Jakarta, 31 October 2017
International Institute of Communications Annual Conference, Brussels, 10-12 October 2017
UN Conference, Asian Perspectives for Privacy as a Global Human Right, University of Hong Kong, 29-30 September 2017
39th International Conference of Data Protection and Privacy Commissioners (ICDPPC), Shangri-La Hong Kong, 28-29 September 2017
Asian Privacy Scholars Network International Conference, University of Hong Kong, 27 September 2017
International Seminar on Academic Network on Competition Policy, Building Knowledge Hub and Regional Expertise Towards the Harmonisation of Competition Policy in East Asian Region, Bali, 6 September 2017

Research & Consultancy
Developed the National Human Rights Action Plan for Malaysia (RM 3.3 million)
Legal and Regulatory Aspects of Blockchain Technology (QRC International, RM 300,000)
Cross-Border Data Transfer (ABLI Singapore)
Data Protection Law in Asia (2nd Edition, Thomson Reuters Hong Kong)
Developing the Data Breach Notification Rules and Guidelines for the Department of Protection, Malaysia

Data Protection Law: WHY?
Human Right
Consumer protection
To make countries more competitive (outsourcing centre, big data hub, smart nation, etc.)
International business
Consumer demand

International/Regional Instruments
OECD Guidelines 1980
Council of Europe Convention 1985
APEC Privacy Framework 1995
EU Data Protection Directive 2004
EU General Data Protection Regulation (May )

Hong Kong

Some Recent Developments in Asia
EU Adequacy Ruling on Japan Expected
Singapore joins APEC CBPR, March
South Korea in the Pipeline for Adequacy Decision
Indonesia's New Regulation on Personal Data Protection
Strengthening the data protection ecosystem in Singapore through the work of PDPC
Malaysia publishes draft "White List" for personal data exports

India's Supreme Court Recognises The Right to Privacy
Principal Petitioner: Justice KS Puttaswamy
547-page judgement

Asian Laws: A comparative overview
Malaysia 2010; Taiwan 2010; Singapore 2012; Philippines Data Privacy Act 2012; Japan Personal Information 2003; Hong Kong (Privacy) Ordinance 1995; Korea Personal Information 2011; Indonesia Draft law; Thailand Draft law
Data Protection Principles: ??
Rights of Data Subjects: ??
Special enforcement entity: X ??
Exemption to public agency: X X X X X ??

Malaysia 2010; Taiwan 2010; Singapore 2012; Philippines Data Protection Act 2012; Japan Personal Information 2003; Hong Kong (Privacy) Ordinance 1995; Korea Personal Information 2011; Indonesia Draft law; Thailand Draft law
Mandatory data breach notification to the Data Subject: X X X X (encouraged) ??
Mandatory reporting to the Authority: X X X X X (encouraged) ??
Differentiate personal data & sensitive data: X ??
Mediation to resolve dispute: X X X X X ??
Organisation must designate someone to take charge (DPO): X X X X (encouraged) ??
Registration: X X X X X X ??
Civil and criminal remedies: X ??
Data Protection Impact Assessment: X X X X X X ??
Financial penalty by Regulator: X X X X X ??

Enforcement in Malaysia and Singapore

Malaysia - Subsidiary Legislations
Determination of the effective date of enforcement
Appointment of commissioner
Protection of personal data (data user group)
Rules of personal data protection
Regulations protection of personal data (user registration data)
Rules of personal data protection (fees)
Personal data protection standard
Rules on compounding of offences

Code of Practice
PDP Code of Practice for the Banking and Financial Sector
PDP Code of Practice for the Utility Sector (Electricity)
PDP Code for the Insurance and Takaful Industry
PDP Code for Licensees under the CMA 1998 (Telcos and Multimedia Companies)

[Chart: Complaints received, 2014 to 2016; data labels 280, 162, 153]

[Chart: Complaints in 2016 by sector: Communication, Education, Financial Sector, Direct Marketing, Insurance, Services, Health, Real Estate, Utility]

No. / Sector / Offences / Penalty
1. Tourism (Hotel)
   Offence 1: Section 16(4), Processing personal data without authorisation of the Commissioner
   Penalty: Fine of RM 10,000.00 @ 8 Months Imprisonment
   Offence 2: Section 5(2), Processing personal data without consent of data subject
   Penalty: Fine of RM 10,000.00 @ 8 Months Imprisonment
2. Education (IPTS)
   Offence 1: Section 16(4), Processing personal data without authorisation of the Commissioner
   Penalty: Fine of RM 10,000.00 or 3 Months Imprisonment
3. Services (Employment Agency)
   Offence 1: Section 16(4), Processing personal data without authorisation of the Commissioner
   Penalty: Fine of RM 10,000.00

Singapore

Advisory Guidelines
Advisory Guidelines on Key Concepts in the (revised on 27 July 2017)
Advisory Guidelines on the for Selected Topics (revised on 28 March 2017)
Advisory Guidelines on the Do Not Call Provisions (revised on 27 July 2017)
Advisory Guidelines on Requiring Consent for Marketing Purposes (published on 8 May 2015)
Advisory Guidelines on Enforcement of Data Protection Provisions (published 21 April 2016)
Advisory Guidelines on Application of PDPA to Election Activities (published 8 August 2017)

Sector Specific Guidelines
Advisory Guidelines for the Telecommunication Sector (published on 16 May 2014)
Advisory Guidelines for the Real Estate Agency Sector (published on 16 May 2014)
Advisory Guidelines for the Education Sector (published on 11 Sep 2014)
Advisory Guidelines for the Healthcare Sector (updated on 28 March 2017)

Industry led guidelines
LIA Code of Practice for Life Insurers on the Singapore Protection Act (published on 1 Apr 2015)
LIA Code of Conduct for Tied Agents of Life Insurers on the Singapore Personal Data (published on 1 Apr 2015)

Other Guides
Guide to Notification (published on 11 Sep 2014)
Guide to Securing in Electronic Medium (updated on 20 January 2017)
Guide to Managing Data Breaches (published on 8 May 2015)
Guide on Building Websites for SMEs (updated on 20 January 2017)
Guide to Disposal of on Physical Medium (updated on 20 January 2017)
Guide to Preventing Accidental Disclosure When Processing and Sending (published 20 January 2017)
Guide to Data Sharing (revised on 1 February )
Guide to Developing a Data Protection Management Programme (published on 1 November 2017)
Guide to Data Protection Impact Assessments (published on 1 November 2017)
Guide to Basic Data Anonymisation Techniques (published on 25 January )

Enforcement
[Chart: Complaints Received, 2015 to 2017; data labels 3300, 3100, 2200]

abmunir@um.edu.my Office: +60379676526 Mobile: +60122185242