
Defining the Right to Privacy

Our constitution recognises the right to privacy under Article 5 of the Federal Constitution, according to the Federal Court in Sivarasa Rasiah v. Badan Peguam Malaysia & Anor. Article 5(1) of the Constitution provides that "No person shall be deprived of his life or personal liberty save in accordance with law." According to Gopal Sri Ram FCJ (as he then was) in the Sivarasa case, the right to personal liberty includes the right to privacy.

The right to privacy is, in essence, the right to be left alone and to live the private aspects of one's life without being subjected to unwarranted or undesired publicity or public disclosure. It is also the right of individuals to seclude themselves, or information about themselves, and thereby to reveal themselves selectively.

Law in Malaysia (PDPA 2010)


The Personal Data Protection Act 2010 (Act 709) is one of the cyber laws recommended as part of the implementation of the Multimedia Super Corridor (MSC). It gives effect to the tenth national policy objective of the Communications and Multimedia Act 1998, namely to ensure information security and network reliability and integrity. The main objective of the Act is to regulate the processing of personal data by data users in commercial transactions and thereby to protect the personal data, and the interests, of data subjects.
Section 4 of the PDPA distinguishes two categories of data: personal data and sensitive personal data. Personal data means any information in respect of commercial transactions that is processed wholly or partly by automatic means, or is recorded as part of a relevant filing system, and that relates directly or indirectly to a data subject who is identified or identifiable from that information. Sensitive personal data means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her political opinions, religious beliefs or other beliefs of a similar nature. The commission or alleged commission by the individual of any offence is also sensitive personal data, as is any other personal data the Minister may determine.
All data users who process personal data in commercial transactions must comply with the seven Personal Data Protection Principles set out in the Personal Data Protection Act 2010, namely:

1. General Principle (Section 6)
2. Notice and Choice Principle (Section 7)
3. Disclosure Principle (Section 8)
4. Security Principle (Section 9)
5. Retention Principle (Section 10)
6. Data Integrity Principle (Section 11)
7. Access Principle (Section 12)

Conventions and regulations relating to the right to privacy and personal data protection.

1) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

Firstly, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as Convention 108. The convention was opened for signature on 28 January 1981 in Strasbourg, France. Its main goal is to protect individuals against any abuses which may accompany the collection and processing of personal data.

In addition to providing guarantees in relation to the collection and processing of personal data, it outlaws the processing of "sensitive" data, such as a person's race, politics, health, religion or sexual life, in the absence of proper legal safeguards. The Convention also enshrines the individual's right to know that information is stored on him or her and, if necessary, to have it corrected. Restrictions on the rights laid down in the Convention are only possible when overriding interests are at stake. The Convention also imposes some restrictions on transborder flows of personal data to States whose legal regulation does not provide equivalent protection.

2) Asia Pacific Economic Cooperation (APEC)

The Asia-Pacific Economic Cooperation (APEC) is a regional economic forum established in 1989 to leverage the growing interdependence of the Asia-Pacific. Its aim is to create greater prosperity for the people of the region by promoting balanced, inclusive, sustainable, innovative and secure growth and by accelerating regional economic integration.

The APEC Cross-border Privacy Enforcement Arrangement (CPEA) aims to:

● facilitate information sharing among Privacy Enforcement Authorities (PE Authorities) in APEC economies
● provide mechanisms to promote effective cross-border cooperation between authorities in the enforcement of privacy law, including joint investigations or enforcement actions
● encourage information sharing and cooperation on privacy investigation and enforcement with PE Authorities outside APEC

3) EU General Data Protection Regulation (GDPR) 2018


The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation took effect after a two-year transition period and, being a regulation rather than a directive, did not require any implementing legislation to be passed by national governments. The GDPR came into force on 25 May 2018. It is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The regulation consists of 11 chapters with 99 articles.

The GDPR aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It protects individuals in the EU from privacy violations and data breaches in today's data-driven world. By setting a common data protection standard, it strengthens the EU internal market, benefiting both citizens and businesses. The GDPR gives individuals in the EU more control over their own personal data, improving their security both online and offline.

Laws in Other Countries


1) United Kingdom
The Data Protection Act 2018 controls how personal information is used by organisations, businesses or the government. The Data Protection Act 2018 (DPA 2018) is the UK's implementation of the EU General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called the data protection principles. They must make sure the information is used fairly, lawfully and transparently, and only for specified, explicit purposes. There is also stronger legal protection for more sensitive information, such as a person's race, religious beliefs, ethnic background, political opinions, genetics, health, and sex life or sexual orientation.

2) The United States Of America


In the United States, data privacy is not as highly legislated at the federal level as in most of the other countries on this list. As with many issues, the federal government leaves a lot of the details up to each state. Laws also differ depending on the industry, which results in a confusing patchwork of rules and regulations for US website owners to navigate. The FTC (Federal Trade Commission) enforces business privacy practices. It does not require privacy policies per se, but it does prohibit unfair or deceptive practices, which includes failing to honour a published privacy policy.

The United States follows what is referred to as a 'sectoral' approach to data protection legislation. Under this approach, data protection and privacy rely on a combination of legislation, regulation and self-regulation rather than on comprehensive government regulation alone. Consequently, the US has not yet developed a single, federal data protection law.

Some federal laws that touch on data privacy include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which deals with health-related information, and the Children's Online Privacy Protection Act (COPPA), which applies to websites that collect data from children under the age of 13. Some states have more stringent laws than others, such as the California Online Privacy Protection Act (CalOPPA), which was the first law in the United States to specifically require websites to post a privacy policy.

3) Australia
Australia regulates data privacy and protection through a mix of federal, state and territory laws. The Privacy Act 1988 (Cth) (Privacy Act) and its Australian Privacy Principles (APPs) apply to private sector entities with an annual turnover of at least AU$3 million, and to all Commonwealth Government and Australian Capital Territory Government agencies.

Legal cases related to the issue.


1) Sir Cliff Richard v The British Broadcasting Corporation & The Chief Constable of South Yorkshire Police.
In 2014, and unbeknownst to him, Sir Cliff Richard became the subject of a police investigation in relation to an allegation of a historical sexual offence. Upon learning that the British Broadcasting Corporation (BBC) knew the confidential details of the investigation, South Yorkshire Police (SYP) decided to cooperate with the BBC; at a meeting they confirmed the details and then disclosed further details of an intended search of Sir Cliff's premises.

Very little warning was given, and Sir Cliff (who was in Portugal) did not find out about the criminal allegation until just before the broadcast, and did not know it had been made public until friends contacted him about the news broadcasts they had seen. The claimant alleged that both the BBC and SYP had violated his rights in privacy and under the Data Protection Act 1998 (DPA 1998). He claimed substantial damages because his life and finances had been radically affected by what happened.

Mann J found that this was a serious infringement of Sir Cliff's privacy rights, in terms of what was disclosed, the manner of disclosure and the effect on Sir Cliff. The claimant was awarded general damages of £190,000 and aggravated damages of £20,000. He held that the BBC and SYP were jointly responsible for £185,000 of these damages, with their shares of responsibility being 65% and 35% respectively. Mann J also found that the broadcasts had caused the claimant to incur certain financial losses and expenses.

2) K Indhira Raja A/L Kalandasamy v Khas Cergas Sdn Bhd.

The dispute was referred to the Industrial Court. On 3 May 2017, the company, Khas Cergas Sdn Bhd, which owns Victoria International College in Jalan Ipoh, was charged with processing the personal data of the college's former maintenance technician, A. Marimuthu, 39, without a certificate of registration issued by the Personal Data Protection Commissioner. This contravenes section 16(1) of the PDPA, which requires certain classes of data users to be registered and to hold a valid certificate of registration issued by the Personal Data Protection Department.

The company became the first data user to be charged for an alleged breach of the PDPA. This marked the commencement of the enforcement phase of the PDPA by the Personal Data Protection Department and the Personal Data Protection Commissioner, Puan Khalidah binti Mohd Darus. The court held that the company was liable and ordered it to pay RM 280,000 in damages to the claimant.

3) YAHOO!

In September 2016, the once dominant Internet giant announced that it had been the victim of what was then the biggest data breach in history: an attack in late 2014 that compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. A second, separate breach dating from August 2013 was disclosed in December 2016 and initially believed to have affected over 1 billion user accounts; in October 2017 Yahoo! affirmed that all 3 billion of its user accounts had been affected. Together the two breaches are the largest discovered in the history of the Internet. The material taken included names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords.

Under the General Data Protection Regulation (GDPR), which came into force after these incidents, a company must notify the regulator of a breach within 72 hours of becoming aware of it; Yahoo!'s delays of two years or more between the breaches and their disclosure would fall far short of that standard. In 2018 Yahoo! agreed to pay US$50 million in damages to settle a US class action brought over the breaches.

Challenges

1) The Growth of Data is Exponential

Data is growing faster than ever. By one widely cited estimate, more than 1.7 megabytes of new data is created every second for every person on earth. Organisations must keep up with protecting not only their customers' personal information but also sensitive personal information. The Breach Level Index, a public tracking site for data breaches, reports that more than 9.1 billion data records have been lost or stolen since 2013. Data has grown exponentially over the last decade, yet poor security practices continue to put organisations at risk of a data breach.

2) Human Error Creates a Level of Complexity

Common everyday human errors can significantly affect data privacy and protection. Many security analysts regard human error as the biggest challenge in data privacy and security. Ill-informed and unaware employees may use weak passwords, mistakenly delete data, fall for phishing scams, hold privileged account access they do not need, and browse websites outside the acceptable use policy.

3) Inadequacy of Current Law

Notably, the PDPA 2010 only protects against the inappropriate use of personal data for commercial purposes. Even so, 2017 saw a massive data breach in which the records of more than 46 million Malaysian mobile subscribers were leaked and offered for sale on an online community forum.

Besides, it is worth noting that the PDPA has no provisions that specifically address online privacy, which covers data such as geolocation and cookies, for example. Making matters worse, the PDPA 2010 does not apply to personal data processed outside Malaysia unless that data is intended to be further processed in Malaysia. As things stand, with rapid technological advancement and an essentially borderless cyber realm, Malaysia is unprepared to deal with data privacy matters and is in danger of future data breaches on even larger scales.

Recommendations.
Firstly, companies should encrypt personal data whenever it is moved or sent outside their secure network. Unencrypted personal data is far more likely to be stolen or misdirected, whereas encrypted data can only be read by those who hold the decryption key, that is, by authenticated users or pre-verified devices.
Secondly, addressed to the government: legislation should be introduced that requires breaches involving unencrypted personal data to be investigated, and that requires personal data in transit to be protected by encryption.
Thirdly, addressed to data subjects: they should enable two-step verification, which adds another layer of protection at a time when so many devices and services are signed into with the same username and password. Longer passwords are also part of this extra security measure, making accounts more difficult to compromise.
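The two-step verification recommended above usually takes the form of a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app and checked by the service. The following is an added example, not code from the original essay or from any of the organisations it discusses. It assumes the usual parameters of a 30-second time step, 6 digits, HMAC-SHA1 and a tolerance of one step either side for clock skew; the shared secret "12345678901234567890" is the published RFC 4226/6238 test secret, used here only as constructed sample input.

```python
"""RFC 6238 TOTP as a second authentication factor (added example).

Assumptions (not from the original text): 30-second time step, 6 digits,
HMAC-SHA1, a +/-1 step tolerance window, and the RFC 4226/6238 test secret
b"12345678901234567890" as the constructed sample shared secret.
"""
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # time step shared by the server and the authenticator app
DIGITS = 6          # code length shown to the user
WINDOW = 1          # accept codes from one step before/after (clock skew)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, window: int = WINDOW) -> bool:
    """Check a user-submitted code against the current step and its neighbours.

    hmac.compare_digest avoids a timing side channel on the comparison. A real
    deployment would additionally rate-limit attempts and refuse to accept the
    same code twice within its validity window (replay protection).
    """
    if len(submitted) != DIGITS or any(ch not in "0123456789" for ch in submitted):
        return False
    counter = unix_time // step
    accepted = False
    for c in range(counter - window, counter + window + 1):
        # Evaluate every candidate so loop timing does not reveal which step matched.
        accepted |= hmac.compare_digest(hotp(secret, c), submitted)
    return accepted


def new_shared_secret(nbytes: int = 20) -> bytes:
    """Generate the per-user secret that is enrolled into the authenticator app."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC test secret, never use in production
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code)
    print("accepted now:", verify_totp(demo_secret, code, now))
    print("accepted two minutes later:", verify_totp(demo_secret, code, now + 120))
```

The second factor only helps if the secret is generated with a cryptographic random source (secrets.token_bytes above), stored encrypted on the server, and never transmitted again after enrolment; a stolen secret lets an attacker mint valid codes indefinitely.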

Conclusion
The increasing use of information technology and the internet ensures that data protection remains one of the most important and relevant areas of law, and one that needs to be improved continually. The internet is all about the transfer of information: it is used not only to disseminate information but also to collect it. Organisations must look now at how they collect, store and use personal data and ask themselves whether they comply with the Act. Most breaches are due to inadequate security measures. Following the recommendations above will therefore help internet users better understand what is required to protect against unauthorised intrusions and to minimise the risk of becoming a victim of a privacy breach.
