
LETTER | Calls to amend PDPA have been made before


LETTER | On New Year’s Eve, Prime Minister Anwar Ibrahim said that constructive discourse should be promoted rather than criticised excessively.

Throughout the past year, the prime minister had said repeatedly that criticisms of the government were welcomed as long as they avoided any form of racial provocation and any attempt to disturb public order.

Apart from racial provocation and attempts at disturbing public order, criticism of the prime minister or the leadership should be required. Critics should not feel anxious and fearful.

On that note, Economy Minister Rafizi Ramli should welcome and see the logic of Lawyers for Liberty’s (LFL) call for the government to postpone Padu implementation until the Personal Data Protection Act (PDPA) 2010 is amended.

LFL said that the rolling out of Padu, the government’s newly launched central database hub, risked exposing sensitive information but gave the public no legal redress to seek damages if their personal data were leaked or stolen.

The group added that government agencies are protected from legal action if data from Padu is leaked or stolen based on a provision under section 3(1) of the Personal Data Protection Act 2010 (PDPA), which is the case.

Section 3(1) of the Personal Data Protection Act 2010 (Act 709) (PDPA) exempts the Federal and State governments from its application.

Legal scholars Sidi Mohamed Sidi Ahmed and Sonny Zulhuda wrote in 2019:

“Non-applicability of the [PDPA] to data processed by governmental bodies (Section 3 of PDPA) is [an] issue that could lessen the efficiency and capability of PDPA to adequately coexist with waves of new technology such as internet of things.”

The internet of things is an emerging technology of the 21st century, the basic idea of which “revolves around connecting things and objects (persons, animals, cars, trees, etc) to the internet and enabling them to communicate and then process (generate, receive, send, etc) data about themselves and the environment surrounding them.” (Sidi Mohamed and Sonny Zulhuda, ‘Data Protection Challenges in the Internet of Things Era: An Assessment of Protection by PDPA 2010’, (2019) IJGC 1)

While the internet of things, like Padu, brings countless benefits and provides timely data and information about places and objects, it has disadvantages, especially in terms of privacy and security of data.

Particularly, the internet of things “might challenge personal data protection law and misgive its ability to effectively stand in the rapid successive technology waves.”

Hence, it is of concern that the biggest data users - the federal and state governments - are exempted from the application of the PDPA, which “could have far-reaching [effect] on data protection”.

The scholars argued that, for the sake of personal data protection, the PDPA should be extended to include personal data processed by the government while providing for necessary exemptions, as is the case with the General Data Protection Regulation (GDPR) of the European Union (EU) (Regulation 2016/679).

The GDPR is an EU law with mandatory rules for how organisations and companies must use personal data in an integrity-friendly way. Each organisation that processes personal data (which is every organisation with employees and customers) must ensure that the personal data it uses fulfils the requirements of the GDPR.

Article 3(1) of GDPR states that the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, without exempting the government. “Controller” and “processor” include public authority - Article 4 GDPR.

Article 9(1) prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

However, the prohibition does not apply to “special categories” of personal data as listed in Article 2(a) - (j), such as employment and social security and social protection in so far as authorised by the law of EU or its member states providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

Accordingly, the scholars recommend that Malaysia follow the EU law and extend the scope of PDPA to cover personal data processed by the federal and state governments.

Calls to amend the PDPA have been made before. If previous governments have not acted on the calls, a reformist government should.


The views expressed here are those of the author/contributor and do not necessarily represent the views of Malaysiakini.