
Privacy Law and Policy Reporter


Berthold, Mark --- "Malaysia's proposed privacy law in its Asean context" [2002] PrivLawPRpr 53; (2002) 9(7) Privacy Law and Policy Reporter 130

Malaysia’s proposed privacy law in its Asean context

Mark Berthold

Abu Bakar Munir and Siti Hajar Mohd Yasin

Privacy and Data Protection: A Comparative Analysis with Special Reference to the Malaysian Proposed Law

Sweet & Maxwell Asia 2002

The data privacy laws of the Asia-Pacific region comprise a motley crew. Few provide for the seamless application of data protection (aka ‘fair information’) principles across all sectors. A jurisdiction which appears to be on the verge of joining the small group that does is the subject of this new book. The authors are, respectively, an Associate Professor of Law at the University of Malaysia, and a Senior Lecturer at the Universiti Teknologi of Malaysia.

The first thing worth knowing about a privacy law is why it was enacted. Motives are usually mixed, but truly the sins of the government are visited on its legislative offspring. The proposed Malaysian Bill does not identify any specific concerns precipitating the legislation, such as government initiatives regarding data matching (as in New Zealand) or ID cards (although, like Hong Kong, ID cards are compulsory for all Malaysian residents). Nor was there the positive catalyst of the enactment of a bill of rights (as in Hong Kong[1]). Rather, Malaysia is evidently yet another country concerned about the trade consequences of not legislating. Fortunately the draft legislation appears to represent a generally conscientious attempt to provide genuine protection. Perhaps it is relevant that the Ministry of Energy, Communications and Multimedia has announced that the legislation will form part of the ‘National Electronic Commerce Master Plan’ and is envisaged to be a ‘world class, leading edge cyber-law’.

As its title indicates, this book does not claim to be a detailed guide to the proposed legislation. Indeed the Bill does not even feature in the appendices, which instead provide the OECD Guidelines, the EU Directive on privacy, and the 1998 UK Data Protection Act. As the authors explain in their preface, although the proposed data protection law ‘gave impetus’ to their writing the book, their goal has been to examine the overarching issues and trends in privacy and data protection. The authors expressly disclaim any intention to provide a comprehensive account of the Bill, but choose rather ‘to highlight the perceived problem areas’.

The first half of the book provides a valuable overview of developments in data privacy. The authors survey a number of important international instruments and reports. The sources are varied but usually very recent. They are generally described with comparatively little commentary.[2] Much of this part of the book serves a function not dissimilar to that of the Electronic Privacy Information Centre (EPIC) annual source book.[3] Separate chapters are devoted to online privacy, unsolicited commercial email, privacy in the telecommunications sector, and self-regulation. A recurrent theme is the EU-US divide and the Safe Harbor accord that attempts to bridge it. Recent legislation in the UK and the US is examined, including a survey of developments in those two countries following September 11. Of particular interest will be the chapter on trans-border data flows, and some of the issues it raises are pursued below.

Where the authors do venture their own views, they are of interest. For example, they endorse the normative approach adopted by the EU Directive which requires that data processing is only permissible if falling within a specified ground legitimating it. This contrasts with the approach countenanced by the OECD Guidelines where data users are free to nominate data purposes even if these are inherently inimical to privacy. The Bill adopts this more stringent approach regarding the processing of ‘sensitive’ data (itself an EU concept) but not otherwise. Even so, this is stricter than any other law in the region.

It is unusual to publish a book on proposed legislation, but the Bill’s protracted drafting process gives this title a perhaps unexpected opportunity to positively influence the final shape of the legislation. The Personal Data Protection Bill was introduced on 21 February 2000 and according to the Privacy International/EPIC country report[4] it was expected to pass in March 2002 — three months before this book went to the printer. However, increasing requests for exemptions had complicated the drafting process.[5] Baker & McKenzie opine that the Bill ‘is in the final stages of drafting and will likely be introduced into Parliament next year’.[6]

Although the Bill is not included as an appendix, the book’s summary sufficiently indicates that the Hong Kong Personal Data (Privacy) Ordinance 1995 and UK Data Protection Acts (1984 and 1998) have provided the dominant influences. The privacy principles are framed in terms which are virtually identical to those of the Ordinance, although the Bill has pared off several of these for separate mention, perhaps for presentational purposes.

A thorough account of a jurisdiction’s protections cannot restrict itself to its data privacy law. This is recognised by art 25 of the EU Directive which provides that the ‘adequacy’ of the level of protection afforded by a country ‘shall be assessed in the light of all the circumstances surrounding a data transfer operation [including] the rules of law, both general and sectoral, in force in the third country in question’.

The book does not place the Bill in a constitutional setting, although the Privacy International/EPIC report notes that the Malaysian Constitution does not specifically recognise a right to privacy. In this respect Malaysia resembles Australia and New Zealand rather than the UK[7] or Hong Kong. But unlike all these other jurisdictions, Malaysia has not ratified the International Covenant of Civil and Political Rights.[8] This is relevant because of the legal principle that the terms of human rights treaties ratified by a country be taken into account in the interpretation of domestic legislation.[9]

Malaysia would have scores of enactments touching on the processing of specific classes of personal records. Combing through these is a time consuming exercise. What is vital is an account of the relationship of the data privacy law with these other provisions. Is it left to the general rules of statutory interpretation? If so, well and good.[10] Or is there lurking a legislative sleight of hand that subjugates the privacy principles to existing legislation oblivious to their requirements?[11] The answer does not emerge here.

The common law is also relevant. The principles of online contracting have significant potential in conferring legal protection on website visitors. The duty of confidence effectively underscores the finality principle constraining the disclosure of personal information for purposes unrelated to their original collection. Indeed in the case of the Australian Privacy Act 1988 (as amended by the Privacy Amendment (Private Sector) 2000 Act), the duty of confidence continues to provide protection to employment records which the legislation intentionally omitted.

This title does not traverse these areas. It treats data privacy legislation as the sole denizen of the regulatory landscape. The next edition could usefully address these matters, to better place the enactment in context.

Fortunately the authors’ focus on data privacy legislation has not resulted in an occasional byproduct of this approach, namely a deconstructive approach to the very terms of the legislation. On the contrary, they demonstrate a salutary commitment to a purposeful approach to the interpretation of key terms. In particular they take issue (rightly in the reviewer’s opinion) with the majority decision in Eastweek[12] regarding the threshold issue of the ambit of ‘personal data’. Their valuable analysis of the statutory definitions identifies several instances where tinkering with the Ordinance’s definitions may create problems. A potentially major shortcoming they identify is limiting the Privacy Commissioner’s power to issue an enforcement notice[13] to contraventions of the privacy principles, as opposed to any requirement of the law (as in Hong Kong). Another lacuna identified by the authors relates to the regime regulating data matching, which as presently proposed will not bind government departments — its main practitioners!

Of most direct relevance to organisations seeking compliance advice is an explanation of the privacy principles. This is restricted to one chapter. It cannot be said that even here the plaintive presence of the beleaguered data subject really asserts herself. This is despite the authors emphasising a point sometimes overlooked, namely that although ‘principles’ they have the full force of law.[14] Exploring their ambit, however, requires providing examples culled from the case law and the more plentiful case notes of Privacy Commissioners. The authors have the obvious difficulty that the jurisdiction is necessarily still devoid of these. Some reference, however, is made to UK rulings. While these are relevant the more obvious source would be Hong Kong. It is hoped that when established the Office of the Malaysian Privacy Commissioner will avail itself of this increasingly comprehensive corpus of rulings.

An Asean model?

The extent to which the Bill has drawn on the Hong Kong Ordinance may suggest the early stages of what may emerge as an Asean model of data privacy. Nor will it necessarily remain solely a matter of legal drafting. The Asean conference that has just concluded promises to be the beginning of a China/Asean free trade zone of 1.8 billion people. The lessons learnt from the EU therefore become directly relevant: there a detailed treaty on data privacy[15] nonetheless gave rise to sufficiently disparate national laws that a Directive was deemed necessary to harmonise them. As a result member states such as the UK have had to amend their legislation. There is no regional counterpart to the EU Directive or even the earlier Convention. In the absence of a treaty, the solution would be for countries legislating to follow the terms of a law in the region which seamlessly applies the data privacy principles to all data users. While the reviewer is not a completely impartial judge, it is suggested that the Ordinance is a sound choice for emulation. It is based on five years’ research and, importantly, a comprehensive public consultation process. It also factors in key elements of the EU Directive.

‘Adequacy’ and onward transfer controls

Which raises the inevitable question: will the Bill (or other regional legislation) be deemed adequate by the EU? The Bill contains a provision (largely replicating s 33 of the HK Ordinance) restricting data transfers ‘out of’ the jurisdiction. But, as the authors perceptively ask, is Malaysia prepared to enforce this provision in respect of its trading partners, ‘particularly in countries where there is no data protection legislation or adequate protection’?

The book’s analysis of s 33 appears to assume that the provision has been brought into force. This is not the case, apparently for the very reasons suggested by the authors.[16] At least this avoids the hypocrisy of legislation that is only for show.

Does it follow, therefore, that if a jurisdiction does not restrict onward transfers it will be deemed not ‘adequate’ by the EU? Not necessarily. It is submitted it depends on the other provisions contained in the law. Of particular relevance are the terms of the principle restricting personal data being used for purposes other than those for which they were collected. The key here is the definition of the ‘consent’ required of the data subject to sanction such use. Like Hong Kong, but unlike the Australian or New Zealand privacy legislation, Malaysia requires express consent. The book also refers to a ‘registration scheme’ but no details are given. Hong Kong enables the Privacy Commissioner to specify a class of data users to notify him or her of their data processing practices, including whether they transfer personal data out of the jurisdiction. Certainly a notification requirement equips the Privacy Commissioner to subject to additional scrutiny data users with links outside the jurisdiction. Another consideration is whether the legislation (like Hong Kong’s, but apparently not the Malaysian Bill) entitles those out of the jurisdiction to make access requests and to lodge complaints for investigation by the Commissioner.

This is not the place to pursue this emerging issue of whether a data privacy law may meet EU concerns other than by enacting a provision restricting onward transfers. The book’s chapter on transborder data flows addresses many of the issues. It examines the EC Working Party’s decision on standard contractual provisions.[17] The authors also describe how the UK Data Protection Commissioner declined to endorse specific contractual standards. This reflected her concern about their enforceability arising from lack of privity of contract.[18] Nor is it possible here to examine the (potentially significant) resource implications arising for jurisdictions such as Hong Kong that enact privacy laws that accommodate those outside its borders to lodge access requests and invoke the Privacy Commissioner’s investigatory powers.

This is a stimulating and carefully researched book that will provide valuable assistance to all who wish to keep abreast of the latest developments in privacy law. It does not claim to be a compliance manual and its publication prior to the finalisation of the Malaysian Bill is not conducive to it serving this role. Also, although this is not the book’s stated intention, it highlights the need for a body to co-ordinate the development of data privacy laws in the Asia-Pacific region. Only in this way may the transborder dataflow conundrum be systematically addressed. It is not just a question of being ‘on side’ with Europe, but of facilitating transfers between regional states that do not compromise the privacy of their own citizens. That, after all, is the basis of the EU restrictions in the first place.

(Disclaimer of potential conflict of interest: as an author in the general field of Asia-Pacific privacy laws, readers may consider that I have a potential interest in publications in this field and take this into account in considering my remarks. I have of course attempted to be as objective as possible.)

Mark Berthold (markiwinz@ is the co-author (with Raymond Wacks) of Hong Kong Data Privacy Law: Territorial Regulation in a Borderless World, to be published by Sweet & Maxwell Asia in January 2003.

[1] Bill of Rights Ordinance 1991.

[2] An editorial point is that the text does not always make apparent when text (mainly from international instruments) is being quoted.

[3] Rotenberg M (ed) The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments Washington DC Electronic Privacy Information Centre 2001.

[4] <>.

[5] This is disconcerting, because the Bill appears to adopt all the exemptions contained in the Hong Kong Personal Data (Privacy) Ordinance, and this provides a comprehensive account.

[6] <>.

[7] With the enactment of the Human Rights Act 1998.

[8] <>.

[9] R v Home Secretary, ex parte Brind [1991] 1 AC 696 (HL), 747 per Lord Bridge of Harwich; Minister for Immigration & Ethnic Affairs v Teoh (1995) 183 CLR 27. This principle may prove decisive in interpreting key provisions of the Australian legislation, such as s 6D(4)(c) which provides that from 21 December 2002 the Act will apply to organisations that disclose personal information ‘for a benefit, service or advantage’.

[10] Where a subsequent statute is inconsistent with any earlier statute, the former prevails. However, the court will strive to avoid a finding of inconsistency and consequent repeal, there being ‘a general presumption that the legislature intended that both provisions should operate and that, to the extent that they would otherwise overlap, one should be read as subject to the other’: Saraswati v R [1991] HCA 21; (1991) 100 ALR 193, at 204 per Gaudron J.

[11] An example is s 7 of the New Zealand Privacy Act. The NZ Privacy Commissioner does not question the deference of the privacy principles to other legislation then in force in his Necessary and Desirable: Privacy Act 1993 Review 1998 p 6.

[12] Eastweek Publisher v Privacy Commissioner for Personal Data [2000] HKCA 137.

[13] Itself an important mechanism to effect compliance, as opposed to the Australian Act’s placing the onus on successful complainants taking court proceedings to enforce the Commissioner’s ruling.

[14] Admittedly determining the precise standards may be complicated by the issue of ‘best practice’ principles by Privacy Commissioners, but this goes to content, not their legally binding nature.

[15] The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981).

[16] See Shamdasani S ‘Gap in privacy law defended’ South China Morning Post, 4 September 2002 where concern was expressed about the impact on Hong Kong’s biggest trading partners, namely the People’s Republic of China, the US and Japan — none of which have a comprehensive privacy law. The ultimate decision on the fate of s 33 will be that of the Executive.

[17] Opinion No 1/2001 adopted by the Article 29 Working Party on 26 January 2001 on the level of protection provided under the standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC reprinted in Rotenberg M (ed) The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments Washington DC Electronic Privacy Information Centre 2001 p 445 available at <>.

[18] ‘Privity of contract’ is the principle of English law whereby only parties to the contract may enforce it, notwithstanding that it intends to benefit third parties (namely data subjects in the present context).
