Neo Hwee Yong discusses the new data protection law in the European Union.
In recent years, the world has seen unprecedented privacy breaches as the global population sees the gradual but unavoidable shift of information into cyberspace. In 2013, it was reported that Yahoo! had suffered a data breach that impacted three billion user accounts.
In 2017, Equifax, a major US credit rating agency, reported that it had suffered a data breach which leaked personal information, such as names, social security numbers, birth dates, addresses and driver's licence numbers, belonging to some 143 million consumers. On 1 March 2018, Equifax announced that further investigations disclosed that the data breach affected a further 2.4 million consumers, bringing the total number affected to almost 145.5 million.
Back home in Malaysia, it has recently been reported that major privacy breaches which may have affected almost the entire population resulted in personal information, such as mobile phone numbers, identification card numbers, home addresses and SIM card data, belonging to some 46.2 million mobile phone users being leaked. The gravity of such breaches cannot be overstated, particularly where the information leaked allows criminals to commit identity theft.
In the most recent controversy, it was reported in March 2018 that personal data belonging to approximately 50 million Facebook users, including likes by the users on the Facebook platform, were accessed and used without consent by Cambridge Analytica, a data analytics firm, for the purpose of building a powerful software programme to predict and influence choices at the ballot box.
In light of major privacy breaches over the years, the European Union (“EU”) adopted the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) as the new EU data protection framework in April 2016. The GDPR is slated to come into force on 25 May 2018 in place of Directive 95/46/EC (General Data Protection Regulation). However, what would this mean for businesses in Malaysia?
WHAT DOES THE GDPR MEAN FOR BUSINESSES IN MALAYSIA?
Trade between Malaysia and EU has grown steadily over the years with reported figures of RM15.46 billion in trade, of which RM8.61 billion comprises exports from Malaysia to the EU. As such, it is imperative for Malaysian businesses, particularly those which trade with parties in the EU, to understand the impact of the implementation of the GDPR due to its wide extra-territorial scope.
The GDPR differs fundamentally from our Personal Data Protection Act 2010 (“PDPA”) as it applies to businesses and companies within and outside the EU which process personal data of data subjects who are in the EU in the context of offering goods or services (free or otherwise) to such data subjects or the monitoring of their behaviour, as far as their behaviour takes place within the EU (Article 3(2) GDPR). In contrast, the PDPA only applies to personal data in respect of commercial transactions and does not apply to businesses and companies outside of Malaysia unless they use equipment in Malaysia for the processing of personal data otherwise than for purposes of transit through Malaysia. This significant and ambitious undertaking by the EU means that businesses undertaking any of the activities mentioned in Article 3(2) would be caught by the GDPR, regardless of where they are located in the world, including Malaysia. Indeed, one of the rationales behind the adoption of the GDPR is to ensure that the greater control and protection given to EU citizens over how their personal data is processed will not be defeated simply by transferring the personal data or relocating the business to a place outside of the EU.
In relation to what amounts to offering goods and services to data subjects in the EU, the GDPR clarifies in its recitals that it must be apparent that the relevant business or company envisages offering goods and services to data subjects in the EU. The recitals explain that while it is insufficient to consider only the mere accessibility of the business website in the EU or the use of a language generally used in the third country where the business is established, certain factors may make it apparent that the business or company envisages offering goods or services to data subjects in the EU, e.g. the use of a language or a currency generally used in the EU with the possibility of ordering goods and services in that other language, or mentioning EU customers or users.
On the other hand, monitoring of behaviours involves the tracking of the behaviour of data subjects on the Internet and the subsequent processing of such personal data for other purposes, such as profiling in order to make decisions regarding the data subject or to analyse or predict the data subject’s personal preferences, behaviours and attitudes.
WHAT IF I’M ALREADY COMPLIANT WITH THE PDPA?
The GDPR contains a number of requirements which are not found in the PDPA, some of which are highlighted below. Therefore, where the GDPR applies, businesses and companies in Malaysia must ensure compliance with the same.
Right to erasure
Article 17 of the GDPR provides data subjects, in certain circumstances, with the right to require data users to erase personal data concerning him or her without undue delay (the right to be forgotten), e.g. where the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed. Where the personal data has been made public by the data user, the GDPR further imposes upon the data user an obligation to take reasonable steps to inform other data users which are processing the personal data of such a request for erasure.
Right to data portability
Article 20 of the GDPR grants data subjects in certain circumstances the right to receive from the data user personal data concerning him or her in a structured, commonly used and machine-readable format, and the right to transmit those data to another data user without hindrance. This also includes the right to have the personal data transmitted directly from one data user to another, where it is technically feasible.
Data breach notification
There is currently no data breach notification requirement under the PDPA. The GDPR, however, places an obligation on the data user to notify the supervisory authority (i.e. the independent public authority responsible for monitoring the application of the GDPR within each Member State) and the relevant data subject of the personal data breach.
Under Article 33, data users are required to notify the supervisory authority of any personal data breach (including the nature of the breach and the likely consequences thereof) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Article 34 requires data users to communicate to the relevant data subject, without undue delay, any personal data breach which is likely to result in a high risk to the rights and freedoms of natural persons, unless the prescribed exemptions apply e.g. it would involve disproportionate effort.
Data protection impact assessment
The GDPR also introduces the requirement to carry out a data protection impact assessment (“DPIA”) where processing is likely to result in a high risk to the rights and freedoms of natural persons by virtue of its nature, scope, context and purposes (e.g. processing involving the use of new technologies). The purpose of the assessment is to ascertain the impact of the envisaged processing operations on the protection of personal data. Article 35 emphasises that a DPIA should be required in the following circumstances: