CYBER LAW ON E-COMMERCE
PERSONAL DATA PROTECTION STATUTES COMPARED

TABLE OF CONTENTS
1.0 INTRODUCTION
2.0 PERSONAL DATA PROTECTION ACT 2010
2.1 Application
2.2 Principles
2.2.1 General Principle
2.2.2 Notice & Choice Principle
2.2.3 Disclosure Principle
2.2.4 Security Principle
2.2.5 Retention Principle
2.2.6 Data Integrity Principle
2.2.7 Access Principle
2.3 Rights of Data Subject
2.4 Penalties
3.0 DATA PROTECTION ACT 1998
3.1 Application
3.2 Principles
3.2.1 Processed Fairly & Lawfully
3.2.2 Obtained only for One/More Specified & Lawful Purposes
3.2.3 Adequate, Relevant & Not Excessive
3.2.4 Accurate & Where Necessary, Kept Up to Date
3.2.5 Processed Data Not Kept for Longer Than is Necessary
3.2.6 Processed in Accordance with Rights of Data Subject
3.2.7 Taking Appropriate Measures Against Unauthorised/Unlawful Processing & Against Loss/Damage
3.2.8 Personal Data shall Not be Transferred to Countries outside of EEA without Adequate Level of Protection
3.3 Rights of Data Subject
3.4 Penalties
4.0 SIMILARITIES BETWEEN PDPA 2010 AND DPA 1998
5.0 EXAMPLE OF CASES
5.1 Malaysia
5.2 United Kingdom
6.0 REFERENCES
7.0 APPENDIX
1.0 INTRODUCTION
With the advancement and sophistication of today's technologies, privacy is no longer safe anywhere in the world. Worst of all, there is no law that is able to govern or defend data privacy or personal data in the Cyberworld. As a result, hackers and other perpetrators breach the privacy of victims, stealing valuable personal information without the victim's knowledge for various purposes, usually to commit fraud. With the rise of cybercrime and data fraud, protection of personal information and data becomes more crucial. Therefore, a statute named the Personal Data Protection Act 2010 (PDPA) was proposed in Malaysia; it seeks to regulate the processing of the personal data of individuals involved in commercial transactions. More importantly, it was drafted to protect any individual's personal data. The Act was gazetted in June 2010 but was not put into force until November 2013. On the other hand, other countries have had statutes protecting personal data for a long time. As such, the United Kingdom amended its act to safeguard such information in the interests of individuals. That act is called the Data Protection Act 1998 (DPA). It was first enacted in 1984 and was updated in 1998. Since the law of Malaysia is mainly based on the common law legal system, both acts might share similarities, which will be elaborated in the later sections.
2.0 PERSONAL DATA PROTECTION ACT 2010
The Malaysian PDPA 2010 has important details that should be noted and elaborated in this assignment. First of all, the PDPA applies only in certain scenarios, which must be fulfilled for personal data to be protected under it. Furthermore, the processing of personal data must comply with the seven principles of the PDPA 2010, which are the General Principle, Notice & Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle and Access Principle. Besides that, knowing the rights of the data subject is important as a means to protect the interests and confidentiality of the data subject. Lastly, failure to adhere to or comply with the Act leads to consequences and penalties, which will also be described here.
2.1 Application
The Act is only applicable to:
- anyone who processes, or has authorised the processing of, any personal data for any commercial transaction.
- anyone who is not established in Malaysia but uses equipment in Malaysia to process personal data otherwise than for purposes of transit through Malaysia.
However, there are certain exceptions where the Act does not apply, such as:
- Federal Government & State Governments for legal administrative purposes
- personal data that is processed outside of Malaysia unless data is to be further processed in Malaysia
2.2 Principles
2.2.1 General Principle
This principle disallows the data user from processing personal data unless the data subject has given consent to the data user to do so. Still, this principle is subject to certain exceptions, such as the performance of a contract to which the data subject is a party, protecting the vital interests of the data subject, the administration of justice and many more. Moreover, the principle also states that personal data may be processed only if it is processed for a lawful purpose directly related to an activity of the data user, the processing is necessary for that purpose, and the personal data is adequate but not excessive for the purpose.
2.2.2 Notice & Choice Principle
This principle requires the data user to notify the data subject in writing, this written notice forming the basis of the data subject's consent. The contents of the written notice would be:
- acknowledgement that the data subject's personal data is being processed
- description as well as purpose of that data will be provided to the data subject
- data subject's right to request access to and correction of the data, with contact details of the data user
- mention of third parties whom the data user has exposed the personal data to
- choices and means offered by data user to data subject to limit the personal data that is to be processed
- whether it is obligatory or voluntary for the data subject to supply the data
- consequences for the data subject should he/she fail to supply the data
The written notice sent to the data subject must be written in both English and Bahasa Malaysia. Furthermore, a clear and readily accessible means of making a choice must be provided to the data subject in both languages.
2.2.3 Disclosure Principle
With the acknowledgement of the data subject, the personal data can be revealed only to the parties, and for the purposes, that the data subject has consented to. The exceptions under which disclosure may be made are:
- with intention to prevent or detect a crime
- data user has the right in law to disclose the personal data to other people
- disclosure is in public interest which is decided by the Minister
2.2.4 Security Principle
Precautions and necessary steps are to be taken by the data user to protect the data from any loss, misuse, modification, unauthorised access, disclosure or destruction when the data user processes the data. The data user has to take into consideration:
- where the data is stored
- the harm that would result from a failure of protection
- security measures taken to secure the equipment where the data is stored
- ensuring that personnel having access to the data are trustworthy and reliable
- steps taken to ensure the safety of transfer of personal data
2.2.5 Retention Principle
Under this principle, personal data processed for any purpose is not allowed to be kept longer than is necessary for the fulfilment of that purpose. The data user is responsible for taking measures to ensure that the data is permanently deleted once it is no longer required.
2.2.6 Data Integrity Principle
The data user is required to verify and ensure that the data maintains its integrity, that is, that the data is still intact, up to date and has not been altered. This way, data disclosed to third parties remains consistent, avoiding any further confusion. Not only that, it also becomes an obligation for the data user to obtain updates from the data subject on a regular basis to maintain data integrity.
2.2.7 Access Principle
Under this principle, the data subject has the right to access his/her own personal data held by the data user. In the event that the personal data is wrong or inaccurate, the data subject is able to have the data corrected. However, the Act provides certain exceptions under which the data user may refuse the right of access, such as where an element of confidentiality is involved.
2.3 Rights of Data Subject
As personal data belongs to the data subject, the data subject is entitled to several rights over the data.
- Rights to access personal data
The data user needs to inform the data subject whether the data is being processed. A requestor (can be the data subject) may write to the data user to make a data access request upon payment of a fee. From there, a copy of the personal data can be sent to the requestor.
- Right to correct personal data
In the event that the requestor considers that the copy of data supplied to the requestor is inaccurate, not up-to-date or incomplete, the requestor may make a data correction request to the data user to make the necessary correction to the personal data.
- Right to withdrawal of consent
A data subject has the right to withdraw his consent to the processing of his personal data. This is done by giving written notice to the data user of the withdrawal, whereupon the data user shall cease the processing upon receiving the notice.
- Right to prevent processing likely to cause damage or distress
Where processing of the personal data belonging to the data subject is likely to cause damage or distress to the data subject or to another person, or damage that would be unwarranted, the data subject can give written notice to the data user requiring the processing of the personal data to stop. However, this right does not apply in the situations listed as exemptions under the General Principle, such as the performance of a contract to which the data subject is a party.
- Right to prevent processing for purpose of direct marketing
If the personal data is processed for the purpose of direct marketing, the data subject has the right to require the data user to halt the processing. Where the data subject is dissatisfied with the data user's failure to comply with the written notice, an application can be submitted to the Commissioner requiring the data user to comply with the notice.
2.4 Penalties
There are several punishments or liabilities that are enforced for certain offences. Each offence carries a different severity of liability and/or punishment.
- Failure to comply with PDPA 2010 Principles
The data user is liable to a fine that does not exceed RM300,000 and/or imprisonment for a term of not more than 2 years.
- Failure of a data user processing personal data without certificate of registration
Fine of not more than RM500,000 and/or imprisonment for a term of not more than 3 years.
- Data user continues to process personal data after registration revoked
Fine of not more than RM500,000 and/or imprisonment for a term of not more than 3 years.
- Failure of data user to comply with code of practice
Fine of not more than RM100,000 and/or imprisonment for a term of not more than 1 year.
- Refusal to comply with the Commissioner's requirement to cease processing of personal data that is likely to cause damage or distress
Fine of not more than RM200,000 and/or imprisonment for a term of not more than 2 years.
3.0 DATA PROTECTION ACT 1998
The Data Protection Act 1998 covers not only personal data but 'data' in general, as compared to the PDPA 2010, which legislates personal data alone. Even so, since the DPA 1998 came first, before the PDPA 2010 was even drafted, the DPA 1998 had sufficient provisions to protect the personal data of the people of the United Kingdom (UK). The PDPA 2010 involves only the data subject and the data user/processor; this is different for the DPA 1998, which involves a data controller, a data processor and a data subject. A data controller is someone who decides on the purposes for which the data is to be processed, whereas the data processor is an individual who processes the data on behalf of the data controller.
3.1 Application
The Act applies to a data controller in two scenarios:
- only if he is established in the UK and the data are processed there
- established outside of the UK and any European Economic Area (EEA) state but uses equipment in the UK for processing. A UK representative must be nominated in this case for the purposes of this Act.
Besides that, an individual is considered as being established in the UK in any of the following cases:
- resident of the UK
- a body incorporated under any part of the law of the UK
- a partnership/association that is formed under any part of the law of UK
- an office/branch/agency in UK and any EEA state
- performing practice in UK and any EEA state
3.2 Principles
3.2.1 Processed Fairly & Lawfully
The first principle specifies that the processing of data must be done fairly and lawfully.
3.2.2 Obtained only for One/More Specified & Lawful Purposes
Every data that is collected and processed must have its purpose and its reasons which should be stated in a notice by the data controller to the data subject. With that, the data can only be processed for that stated purpose and no other. The Commissioner is also to be notified by the data controller regarding the purpose of the data processing.
3.2.3 Adequate, Relevant & Not Excessive
The information collected should be just enough: no more than necessary and no less. As an example, filling in a membership card application form only requires full name, race, address, phone number and identification number. Other sensitive personal information that was not asked for, such as birth certificate number, religion and others, is not required.
3.2.4 Accurate & Where Necessary, Kept Up to Date
This principle requires that data be accurate at all times and be updated where necessary. Information obtained and recorded by the data controller from the data subject is regarded as accurate where the data controller has taken reasonable steps to ensure its accuracy. The data subject may notify the data controller that the data is inaccurate, with the data in hand as proof of the inaccuracy.
3.2.5 Processed Data Not Kept for Longer Than is Necessary
Once the data has served its purpose, it must be disposed of, as it is no longer required. In conjunction with the third principle, such data would be deemed excessive, as it no longer serves any purpose.
3.2.6 Processed in Accordance with Rights of Data Subject
Any processing of data conducted by the data controller has to have regard to the rights of the data subject, such as the right to access personal data, the right to prevent automated decisions in the processing of personal data, the right to prevent the processing of personal data for the purposes of direct marketing, and others. There is also a timescale: responses to subject access requests have to be made within 40 days of receipt of the request.
3.2.7 Taking Appropriate Measures Against Unauthorised/Unlawful Processing & Against Loss/Damage
The data controller must be aware of the harm that might result from unauthorised or unlawful processing of the data, or from its loss or damage. Therefore, it is important to uphold security so that data is not disclosed or altered in any way. Since the data may be accessed by employees of the data controller, he has to make sure that those employees are reliable and trustworthy with respect to the confidentiality of the data. Besides that, the data controller has to choose a reliable data processor so that the data is safe. The data processor then has to carry out the processing under a contract with the data controller and act only on the instructions of the data controller.
3.2.8 Personal Data shall Not be Transferred to Countries outside of EEA without Adequate Protection
As the Act is legislated in the UK, protection of the data extends throughout the EEA. Once data is transferred outside of the EEA, its protection is no longer guaranteed and it may be abused for various purposes while not protected under this Act. The data subject should therefore be consulted and give consent beforehand to any transfer of the data outside of the EEA and UK.
3.3 Rights of Data Subject
- Right of Access to Personal Data
The data subject has the right to access personal data that is stored by the data controller. Therefore, the data controller should supply the personal data of the data subject, the purpose of the data and the parties to whom the data controller has disclosed it. There is a small fee of £10 for supplying the information to the data subject. A request in writing must be made to the data controller by the data subject in order to be supplied with the required information.
- Rights of Correction of Personal Data
Should there be any inaccuracy in the personal data held by the data controller, the data subject is entitled to require the data controller to correct the mistakes in the data.
- Rights to Prevent Processing likely to Cause Damage/Distress
The data subject is entitled to give written notice to the data controller to end the processing of the personal data for a specified purpose, for reasons such as the likelihood of the processing causing damage or distress to the data subject or to other parties.
- Rights to Prevent Processing for Purposes of Direct Marketing
Processing of personal data for direct marketing can be stopped by the data subject. Likewise, a written notice needs to be sent to the data controller to cease the processing of the personal data. If the data controller fails to comply, the court can order him to take such steps as are needed to comply with the notice, if the court is satisfied and thinks fit.
- Rights to Prevent Automatic Decisions
The data subject can require the data controller to ensure that decisions taken by or on behalf of the data controller, which significantly affect the data subject, are not based solely on automated processing of the personal data. The data controller then has to give written notice to the data subject specifying the steps he intends to take to comply with the data subject's requirement.
- Rights to Complain to Information Commissioner
If an issue between the data subject and the data controller cannot be resolved, the data subject can ask the Information Commissioner to review the use of the personal data belonging to the data subject. The Information Commissioner has the power to enforce the DPA and to penalise the data controller for any offence that the data controller has committed.
- Rights of Compensation
In the event that the data subject has suffered damage or distress, the data subject has the right to use the law to obtain compensation for damage caused by inaccuracy, disclosure or loss of the data.
4.0 SIMILARITIES BETWEEN PDPA 2010 AND DPA 1998
5.0 EXAMPLE OF CASES