Two developments in the Asia-Pacific (APAC) region relating to the protection of personal data are worth noting. Malaysia passed the Personal Data Protection Act (2009) in April, and the Asia-Pacific Economic Cooperation created the Cross-Border Privacy Enforcement Arrangement in July.


Briefly, the highlights of the Malaysian legislation are as follows.


1) The act is only applicable to commercial transactions and excludes the government itself at both federal and state levels under s.3 (1). One would have thought that the very idea of protecting the privacy of personal data should include the government, as governments as entities usually collect and process large amounts of data. The exclusion is a blanket one. By implication, noncommercial transactions such as data processed by charities and religious bodies are also excluded. This is another anomaly as these bodies do hold substantial quantities of personal data, although they are submitted voluntarily in most cases by the data subjects.


2) Persons or organizations processing personal data need to follow and comply with the following general principles in their handling processes under s.5 (1). They include a General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle and the Access Principle. These are more akin to EU-style principles than the current OECD or APEC data protection principles. Contravention of these principles may attract a fine of not more than RM $300,000 (USD 96,000, approximately), two years of imprisonment or both.


3) Section 47 provides for the appointment of a personal data protection commissioner reporting to the minister for a fixed term of three years. However, the appointment may be revoked by the minister at any time with reason/s under s.54 (1). There is no provision for the commissioner to report annually to the parliament, unlike similar commissioners in other APEC countries with similar data protection regimes. Some may argue that such a reporting structure may undermine the independence of the commissioner. Setting commercial organizations aside, the government itself is excluded from the application of the act, which by itself may reduce any potential scope for bias or conflict with regard to the government’s potential breach of the legislation. It is also worth noting that section 106 (3)(4) provides for a complainant to appeal against the commissioner’s decision not to investigate an alleged breach of the act to the Appeal Tribunal as empowered under s.93 (f). In a similar vein, section 108 (6) provides that a person served with an enforcement notice by the commissioner may appeal to the Appeal Tribunal against the notice served.


4) Lastly, section 129 prohibits the transfer of personal data to a third country without similar legal protection. The commissioner is empowered to draw up a “white list” of permitted countries. Interestingly, some of the potential countries that are affected under this scheme may be Malaysia’s major trading partners. There is, as usual, a list of exceptions under s.129, which is, itself, based on the broad principle that the exceptions are for the benefit of the data subject.

APEC creates cross-border enforcement regime


A second development on protection of personal data was put in place by a large swath of member economies of APEC (Asia-Pacific Economic Cooperation). On July 16, 2010, APEC’s Cross-Border Privacy Enforcement Arrangement (CPEA) was created to facilitate information sharing and cooperation between authorities responsible for data and consumer protection in the APEC region. Accordingly, this scheme will help to encourage trust amongst member nations and, therefore, further promote and facilitate electronic commerce. In addition, CPEA will also help to facilitate similar areas of concern with non-APEC counterparts.


Under this arrangement, countries with data privacy enforcement agencies (PEA) in APEC are able to assist each other in enforcement-related actions such as helping each other collect evidence, share information and transfer complaints to another jurisdiction on data protection issues.


A group of volunteer APEC member economies developed the CPEA framework. They include Australia, Canada, Hong Kong, China, Japan, New Zealand, the Philippines, Chinese Taipei and the United States.


This framework raises two interesting questions worth noting:


a) How would CPEA handle a situation where a multinational headquartered in a non-CPEA member country breaches the privacy regulations in a CPEA member country? How will the non-CPEA country react, for example, in a request for information as part of the investigation process against that multinational? Should it voluntarily provide the information to the CPEA member-requestor? Or, should it require that member to process the request through a formal legal channel?


b) With this framework in place, will this scheme then encourage APEC member economies that do not have data privacy protection regimes to develop such legal infrastructures, bearing in mind the membership of CPEA includes some of the largest trading economies in Asia-Pacific, if not globally?


The success of CPEA may well be a key catalyst in accelerating the development of data privacy regimes in APEC as a whole in the foreseeable future.
