In the past year, two more countries in Asia—Malaysia and Taiwan—have adopted comprehensive national privacy laws that regulate the collection, use and disclosure of personal information. These new privacy laws differ considerably from those in the United States. U.S. laws typically focus on addressing misuse of information and seek to protect individuals from particular harms. These two laws, instead, are omnibus laws that extend protections to all personal information and focus not only on the use of information but also on the collection and disclosure of personal information. With the addition of these two new international laws, there are now almost 80 countries with comprehensive privacy laws in effect, many of which have their own unique regulatory requirements. The addition of each new foreign law poses greater compliance challenges for global organizations. This article provides an overview of the requirements contained in the data privacy laws recently adopted in Malaysia and Taiwan.


MALAYSIA


Overview


The Personal Data Protection Act 2010 was given Royal Assent and published in the Gazette on June 1, 2010; however, the act will only come into operation on a date determined by the minister of information, communication and culture. No date has been set, but the Personal Data Protection Commission is expected to be set up by the end of 2010 or beginning of 2011. Implementing regulations will then need to be issued. Once the act enters into force, private sector organizations will have three months to comply.


This act establishes comprehensive rules for the processing of any personal data “by private sector entities in respect of commercial transactions.” Commercial transactions are defined as “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2009.” One key question for organizations is whether this act will apply to the processing of employee data. Until the Malaysian Act enters into force and guidance is issued by the regulatory authority, this question will remain unanswered.


The act will apply to all other data processing by private sector entities that are established in Malaysia or, if not established in Malaysia, use equipment in Malaysia for processing personal information. The act does not apply to Malaysia’s federal and state governments.


Definition of Personal Information


Personal information includes any information with respect to commercial transactions that relates “directly or indirectly” to a data subject, who is “identified or identifiable from that information or from that and other information in the possession of” the data user (data controller). This includes sensitive personal information, which is defined as personal information relating to the physical or mental health or condition of a data subject or his or her “political opinions, religious beliefs or other beliefs of a similar nature.”


Notice


A data controller must provide data subjects with a written notice that advises them that their personal information is being processed and provides them with a description of that information, the purposes for which it is being processed, the class of third parties to whom their personal information may be disclosed and the source of the personal information. In addition, the notice must explain the data subject’s access and correction rights, the way to contact the data controller with any inquiries or complaints, the choices and means the data controller offers for limiting the processing of the data subject’s personal information, whether it is obligatory or voluntary for the data subject to provide the information and the consequences if the data subject refuses to provide the personal information.


Notice should be given as soon as “practicable” by the data controller, which could mean when the data subject is first asked to provide the information or when the data controller first collects the personal information. The notice must be given, however, before the data controller uses the personal information for a purpose other than the purpose for which the personal information was collected or before the data controller discloses the personal information to a third party.


Consent


Subject to limited exceptions, explicit consent is required to process sensitive information; consent (a term the act does not define) is required for non-sensitive information. A data subject may withdraw consent by providing the data controller with a written notice stating the objection to the processing of personal information. In addition, a data subject may, at any time by written notice, require data controllers to cease or to not begin processing personal information for direct marketing purposes.


The exceptions for the processing of sensitive data contained in the Malaysian act are similar to those found in many European laws. For example, consent is not required where processing is necessary to protect vital interests, obtain legal advice, administer justice, or provide medical care. In addition, consent to process sensitive data is not required in order “to exercise or perform any right or obligation permitted or required by law in connection with employment.” This latter exception suggests, despite the previously discussed ambiguity about whether the processing of employee data falls within the scope of the act, that employee data may in fact be covered; however, until the authorities issue guidance, the full scope of the law remains unclear.


Finally, consent to process non-sensitive personal information is not required if the information has been made public as a result of steps deliberately taken by the data subject.


Data Security


The data controller must take “practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.” A variety of factors such as the nature of the personal information and the harm that could result from such a misuse of the personal information should be taken into account when adopting security measures. Where personal information is to be processed by a data processor, the data controller must ensure that the data processor provides sufficient guarantees regarding the security measures it will take and must supervise compliance with those security measures.


Data Integrity


The data controller must take reasonable steps to ensure that the personal information is accurate, complete, not misleading and up-to-date for the purposes—including any directly related purpose—for which the data was collected and further processed.


Data Retention


The data controller must ensure that all personal information is destroyed or permanently deleted if it is no longer required for the purpose for which it was collected.


Access and Correction Rights


Subject to certain exceptions, data subjects must be given access to their personal information held by a data controller and be able to correct that personal information where inaccurate, incomplete, misleading or not up-to-date. Access requests are to be made in writing, and a fee may be charged for such requests. The data controller must keep and maintain a record of such requests; the personal data protection commissioner may determine the manner and form in which the record is to be maintained.


Data Transfers Outside of Malaysia


A data controller may not transfer any personal information to a place outside Malaysia unless the jurisdiction is listed in a notification issued by the minister of information and published in the Gazette, or an exception applies. The approved jurisdictions must have in place laws that are substantially similar to the Malaysian act or must ensure an adequate level of protection that is at least equivalent to the level of protection afforded by the Malaysian act.


Alternatively, transfers to places outside Malaysia may occur if one of the listed exceptions applies. Some of these exceptions are similar to those found in European laws, such as where the data subject has consented to the transfer; the transfer is necessary to carry out a contract between the data controller and the data subject; the transfer is necessary to conclude or carry out a contract between the data controller and a third party at the request of the data subject; or the transfer is in the interests of the data subject.


Transfers outside of Malaysia will be permitted in cases where the data controller “has taken all reasonable precautions and exercised all due diligence to ensure the data will not, in that place, be processed in any manner which, if that place is Malaysia, would be a contravention of this act.” Further guidance from the regulatory authority is needed, however, to clarify what measures will satisfy the conditions set forth in this exception.


Database Registration Requirements


While the Malaysian act establishes detailed registration requirements, it does not specify to whom such obligations would apply; rather, it gives the relevant minister the authority to designate a class of data controllers that will be required to register under the act. Consequently, until the regulatory authority is established, it remains unclear which types of organizations, if any, will be subject to registration obligations.


Penalties


Violations of the Malaysian act, such as unlawful processing of sensitive personal information, transfers to jurisdictions not approved by the minister or failure to honor a request to cease processing, can result in up to two years of imprisonment, a fine up to 200,000 ringgit or both. Unlawful collection, disclosure or sale of data is punishable by imprisonment up to three years, a fine up to 500,000 ringgit or both.




TAIWAN


Overview

In 1995, Taiwan adopted a Computer Processed Personal Data Protection Act (the CPPDPA). That law covered data in specific sectors such as financial, telecommunication and insurance and only covered computerized data. In April 2010, Taiwan amended that law with the Personal Data Protection Act (the PDPA). The PDPA now provides protection to personal data across all public and private entities and across all sectors.


The PDPA will only become effective when the Executive Yuan, the central government administrative authority, issues an official order that specifies its effective date. According to government authorities, the PDPA should become effective by November 2011.


Definition of Personal Information


The PDPA has expanded the CPPDPA definition of personal information to include not only computer-processed personal information but also personal information in any data format. Personal information now includes any information that refers to a “natural person’s name, date of birth, national unified ID card number, passport number, characteristics, fingerprint, marital status, family, education, occupation, medical history, medical treatment, genetic information, sex life, health examination, prior criminal records, contact information, financial status and social activities as well as other data which can be used directly or indirectly to identify” this natural person.


Collection Limitations


Unlike the CPPDPA, which does not forbid the collection or use of any specific kind of personal information, the PDPA prohibits anyone from collecting, processing or using sensitive personal information except in very narrow circumstances. Sensitive personal information is defined as medical treatment, genetic information, sex life, health examination, and prior criminal records. In particular, sensitive personal information may only be processed when explicitly required by law; necessary to carry out a statutory obligation, and only provided appropriate security measures are in place; made public by the data subject or through other legal methods; or carried out by a government agency or academic research institute for medical purposes, crime prevention, research or statistical purposes. The PDPA authorizes the central competent authorities and the Ministry of Justice to develop regulations regarding the processing of sensitive information.


The collection limitations on non-sensitive information remain largely the same as under the existing law. In particular, non-sensitive personal information may be collected and processed only for a specific purpose, when, for example, the information is explicitly required by law; the private sector organization is engaged in a contractual or quasi-contractual relationship with the data subject; the written consent of the data subject has been obtained; or the personal information has been made public by the data subject or through other legal methods. In addition, personal information may be used for a different purpose but only when, for example, the information is expressly required by law; use is necessary to avoid danger to the life, body, freedom or property of the data subject or to prevent serious damage to the rights and interests of others; or the written consent of the data subject has been obtained.


Notice


Subject to certain exceptions, notice must be provided to data subjects when personal information is collected from them and must include information such as the name of the entity that is collecting the information, the purposes of collection and use, the type of information to be collected and the duration of use of the information. Data subjects must also be informed of their access and correction rights. If personal information is not collected directly from the data subject, notice must be provided to the data subject prior to processing or using, and the data subject must be advised about the source of the personal information being collected.


Consent


Where consent is to be obtained, it must be in writing and only after the requisite notice has been provided. If personal information is to be used for a different purpose than described in the notice, and consent will be used as the legal basis for this new use, then a separate written consent must be obtained from the data subjects after they have been expressly informed about the different purpose and the effect their consent or refusal will have on their rights and interests.


Data Security


Private sector organizations that hold personal information are required to adopt appropriate security measures to prevent information from being stolen, altered without authorization, destroyed, eliminated or divulged. The competent authority responsible for regulating a specific industry may require organizations subject to its oversight to develop data security maintenance plans or data disposal procedures.


Data Integrity


Private sector organizations must maintain the accuracy of the personal information, supplementing or correcting the information on their own initiative or upon request from the data subject.


Data Retention


When the purpose of collection has been fulfilled or the period in which the personal information may be used has expired, the private sector organization must delete or discontinue processing the information, or it must delete the information when requested to do so by the data subject, unless the processing or use is necessary to perform a business operation or a written consent of the data subject has been obtained.


Access and Correction Rights


Subject to a number of exceptions, a data owner whose personal information has been processed has the right to access, review, receive duplicates of, cancel the collection, processing or utilization of, and delete the personal data. These rights cannot be waived in advance or limited by an agreement. The PDPA requires that access requests be acted on within 15-30 days. Correction requests must be acted upon within 30-60 days. Organizations may, at their own discretion, charge a fee to cover the costs associated with responding to such requests.


Data Transfers Outside of Taiwan


There are no explicit cross-border restrictions contained in the amended law; however, the PDPA does give government agencies the authority to restrict international transfers in the industries they regulate, under certain conditions, such as when the transfer involves a major national interest; there are special provisions in an international treaty or agreement restricting the transfer; the receiving country does not yet have proper laws and regulations to protect personal data, so that the data owner’s rights and interests may be damaged; or personal data are indirectly transmitted to a third country to evade this act.


Database Registration Requirements


Under the CPPDPA, organizations had the obligation to file a registration and obtain a license. The PDPA abolishes the CPPDPA’s previous registration requirements, and there are no obligations to file registration with any authority.


Breach Notification

In the event that the data controller has violated provisions of the PDPA, causing personal data to be stolen, divulged or altered without authorization, or infringed upon in any way, the data controller must notify the data subject after an investigation has been completed.


Penalties


The PDPA significantly strengthens the penalties that can be imposed on organizations that violate the law. For example, organizations that profit from the collection, processing, or use of personal data can be fined up to NT$1 million—compared to NT$40,000 under the CPPDPA—or face a term of imprisonment of up to five years versus two years under the CPPDPA. Depending on the gravity of the violation, damages of NT$500-2,000 may also be claimed per violation of the PDPA even if the actual damage cannot be proven. In addition, class action suits will be permitted.




IMPLICATIONS


The new laws in Malaysia and Taiwan significantly change the privacy landscape in these countries. Organizations should carefully examine their existing data privacy practices and procedures to ensure they comply with these new laws. Failure to comply with these laws can result in significant civil and criminal penalties.


For many organizations, it will mean that in these countries, they will have to issue privacy notices, obtain consent to process, use and transfer personal information, establish mechanisms for individuals to exercise their access and correction rights and ensure that their data security and retention policies and practices conform to the laws’ requirements. In addition, organizations in Taiwan will now have an obligation to notify individuals in the event of a data security breach.


Moreover, in both countries, organizations may be subject to specific cross-border limitations, which will further complicate their efforts to transfer and share data within their global organizations. Consequently, they may have to establish new legal mechanisms to enable such transfers to continue. Organizations also need to examine their data collection practices, particularly in Taiwan, to ensure that their practices comply with the collection limitations set forth in the law.


Organizations should assess their data privacy practices and procedures in Malaysia and Taiwan and begin to formulate compliance plans, bearing in mind, however, that it will be difficult to finalize compliance efforts until these laws become fully effective and implementing regulations and regulatory guidance are issued by the authorities.