UMLR | University of Malaya Law Review

19/4/2020

Shielding Individual Peace In Modern Times: Debunking The Efficacy Of The PDPA (2010) In Protecting Data And Privacy Rights

The absence of a specific law to protect privacy indicates the urgent need for Parliament to amend the PDPA in order to ensure the effectiveness of privacy protection laws in this country.

I.          INTRODUCTION

The right to privacy is recognised as a fundamental right under Article 12 of the Universal Declaration of Human Rights (UDHR)[1] and Article 17 of the International Covenant on Civil and Political Rights (ICCPR).[2] Generally, privacy refers to the state of being free from public attention, violation or misuse.[3]  It represents an individual’s peace and tranquillity.

However, the legal concept of and rights to privacy have proven difficult to define despite many attempts. The Calcutt Committee[4] defines privacy as the right of an individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by the publication of information.[5] The Australian Law Reform Commission divided privacy into four interrelated concepts,[6] known as information privacy,[7] bodily privacy,[8] privacy of communications[9] and territorial privacy.[10] In retrospect, the earliest and most widely used description to define the right to privacy was ‘the right to be let alone’, coined by Justice Cooley in 1888.[11]

Although a widely accepted definition remains elusive, privacy is undeniably multi-dimensional. It comprises the right to be left alone, the right to exercise control over one’s personal information, and the right to protect one’s dignity and autonomy.[12]

II.        MALAYSIA’S POSITION ON PRIVACY PROTECTION

In 2019, University of Malaya (UM) appeared in the news because of a breach in its digital database following a controversial protest.[13] UM’s online payment portal (e-pay) was anonymously hacked, which resulted in nearly 24,000 personal data, including login IDs and passwords, being leaked online.[14] Although no data was compromised,[15] it serves as a warning call for all authorities to start taking action in protecting privacy because once data is breached, the consequences are complex and unending.

A.        Statutory Protection for Privacy

In Malaysia, several fundamental rights are expressly protected under Articles 5 to 13 of the Federal Constitution. However, none of them includes privacy as a fundamental right despite the recognition it was given in the UDHR and the ICCPR. Hence, due to the absence of an express provision, claims for the right to privacy have been made under related constitutional provisions, namely, the right to life or personal liberty pursuant to Article 5 of the Federal Constitution or the right to property under Article 13.[16]

The main legislation that governs the protection of privacy in Malaysia is the Personal Data Protection Act (PDPA)[17] which deals mainly with the processing of personal data in commercial transactions, as stated in the preamble. This shows that the PDPA only covers privacy protection relating to commercial transactions, excluding its application over any other types of privacy interests.

The word ‘privacy’ was also included in S.12 of the Child Act 2001[18] and S.509 of the Penal Code,[19] wherein ‘privacy’ relates to the state in which a person is secluded from the public's view.[20] In the context of data protection, ‘privacy’ can be found in S.4 of the Births and Deaths Registration Act 1957,[21] S.9 of the Communication and Multimedia (Licensing) Regulations 1998,[22] S.46A of the Law Reform (Marriage and Divorce) Act 1976[23] and S.107 of the Private Healthcare Facilities and Services Act 1998.[24] ‘Privacy’ in these provisions is used in connection with confidentiality and security of an individual’s information,[25] limited to the types of data under the purview of the respective legislations or regulations.[26] Other laws with implications for privacy include the Anti-Corruption Act 1997,[27] the Companies Act 2016,[28] and the Computer Crimes Act 1997.[29]

B.        Judicial Protection for Privacy

Written laws aside, the judiciary also plays a huge role in privacy protection — by interpreting the law with creativity. It was known that ‘invasion of privacy’ is not an actionable tort in Malaysia.[30] This principle is based on court decisions in Ultra Dimension Sdn Bhd v Kook Wei Kuan[31] and Dr. Bernadine Malini Martin v MPH Magazine Sdn Bhd & Ors.[32]

However, in 2010, the Federal Court in Sivarasa Rasiah v Badan Peguam Malaysia & Anor[33] attempted to take a leap when Justice Gopal Sri Ram held in obiter that the right to privacy is protected under Article 5(1). This right can also be validly restricted under the same article.[34] 

Parallel to that decision, the Court of Appeal in Maslinda bt Ishak v Mohd Tahir bin Osman & Ors[35] seems to have implicitly recognised the tort of privacy in Malaysia by allowing Maslinda’s claim and holding the respondents liable for violating privacy.[36] Subsequently, Lee Ewe Poh v Dr Lim Teik Man & Anor[37] became the first Malaysian case that recognised invasion of privacy as an actionable tort. The Court departed from English law by taking a different approach. It was held that the defendant, by taking pictures of the plaintiff’s private parts in a medical surgery without her consent, invaded the plaintiff’s privacy.[38] These decisions showed shifting approaches on the tort of privacy in Malaysia which are undoubtedly befitting in recognition of the right of privacy under Malaysian law. At this point, the Malaysian judiciary has extended privacy protection to a niche area — seemingly carved for women in relation to their modesty, decency, and dignity in the context of high moral value. Indeed, such development of the law is applaudable.

In Lew Cher Phow @ Lew Cha Paw & Ors v Phua Yong Yong & Anor,[39] the High Court followed Maslinda Ishak and Lee Ewe Poh and expanded the application of privacy law. The court struck down the position in Ultra Dimension, and declared that the right to privacy is so fundamental that it should be protected. This signals judicial progress in Malaysia for privacy rights.

Unfortunately, in Mohamad Izaham bin Mohamed Yatim v Norina Binti Zainol Abidin,[40] it was held that the learned judge in Lee Ewe Poh’s case had erred by relying on the decision of Maslinda Ishak because the issue of invasion of privacy was never challenged in that case. Additionally, the court struck down the plaintiff’s case and held that invasion of privacy is not an actionable tort in our country.

It is noteworthy that Malaysia participated in the ‘Panel Discussion on the Right to Privacy’, in 2014, which was jointly held by the Human Rights Council and the Office of the High Commissioner for Human Rights.[41] There, Malaysia affirmed its commitment to safeguard privacy rights. However, some of the subsequent events raised doubts on Malaysia’s commitment, which seems to render the aforementioned affirmation superficial.

The first significant incident was recorded in 2015 when a video of a female singer uttering ‘syahadah’ during her conversion ceremony was made available on the internet without her consent.[42] It was promised by the appointed official that although the entire proceeding would be recorded, it would be kept confidential and not be shared with the public. Still, the video was put on social media despite her wish to keep her change of faith private and confidential.

In January 2016, the then Inspector-General of Police, Tan Sri Khalid Abu Bakar suggested that WhatsApp should be subjected to government surveillance in the name of public order and public security. This was criticised by Janarthani Arumugam, the president of EMPOWER, as an intrusion of privacy.[43]

Thirdly, in February 2017, the Federal Territories Islamic Affairs Department (JAWI) raided the room of a Muslim couple on suspicions of khalwat. However, the suspicions were untrue because the couple was legally married. The husband then claimed that his wife was not decently dressed when the male officer broke into their room. The couple initiated a legal action against JAWI for wrongful arrest and invasion of privacy, but later dropped the lawsuit as they could no longer bear the legal costs.[44]

The law of privacy in Malaysia is primarily grounded in common law, for which the judicial protection is certainly not guaranteed, unless the case relates specifically to women’s modesty and dignity. Till this day, the position of the right to privacy in the Federal Constitution remains stagnant. A wider legal interpretation of the protection of privacy is necessary, and should not be merely restricted to violations of confidentiality and morality.

In light of the deficiency in our legal system, this article will probe into other jurisdictions to better identify the gaps for privacy protection in Malaysia.

III.       PRIVACY PROTECTION IN OTHER JURISDICTIONS

A comparison of the domestic law with other jurisdictions is crucial to better identify the gaps for privacy protection in Malaysia.

A.        European Union

Statistics provided by Comparitech on privacy protection and the state of surveillance in 47 countries indicate that the best countries in privacy protection are mostly European countries — a stark contrast with Malaysia which ranked the fifth-worst.[45]

The main reason behind this is the existence of the two most important courts in Europe which deal with issues of fundamental rights. The courts are the European Court of Human Rights, which adopted the European Convention on Human Rights (ECHR), and the European Court of Justice (CJEU), which was set up by the European Union. The ECHR expressly protects privacy[46] and freedom of expression,[47] highlighting that both have equal importance and weightage.

Furthermore, the protection of privacy is explicitly stipulated in the European legislation. Comparatively, the right to privacy in Malaysia is still underdeveloped as we have no self-standing laws on privacy except for the PDPA, which has a limited scope of application that only covers commercial transactions. In practice, there is no recourse under the PDPA if, hypothetically, someone decides to spy on another by gazing into the person’s bedroom through binoculars since it is not considered an intrusion of commercial information. In addition, the right to privacy is not recognised constitutionally[48] and Malaysia failed to acknowledge that the right to privacy is as important as the freedom of expression.[49]

Another reason why the European countries topped the chart is that they view data privacy as being of the utmost importance. This is reflected in their adoption of the General Data Protection Regulation (GDPR) back in May 2018[50] to protect data privacy of individuals in the European Union and European Economic Area. The GDPR supersedes the 20-year-old Data Protection Directive. It established stringent rules on data harvesting and data management, as well as incorporated hefty penalties for violators of data.

The main difference between the GDPR and the Malaysian PDPA is that the GDPR applies extraterritorially to cover personal data in businesses and companies within and outside the EU.[51] This allows EU citizens to transfer or relocate their businesses outside of the EU while securing their personal data. In contrast, the PDPA is inapplicable outside of Malaysia.[52] This leaves Malaysia unprepared for future large-scale data breaches in an essentially borderless cyber realm.

Furthermore, the GDPR newly introduced the ‘right to be forgotten’ under Article 17,[53] which allows data subjects to request the removal of their personal information from the service providers’ or data processors’ websites.[54] This right is enunciated in the landmark case of Google Spain SL,[55] where the court held that newspaper reports are protected under freedom of expression but Google’s links to them are not, because Google is considered a ‘data processor’. Any company carrying out ‘data processing’ will have to remove information that is ‘outdated, wrong or irrelevant’.[56] The legal recognition of the right to be forgotten clearly indicates that such a right is crucial when dealing with an individual’s information, privacy and dignity online.

In Malaysia, the responsibility lies with the data user to take all reasonable steps to ensure all personal data is permanently deleted or destroyed when the purpose for which it was to be processed had lapsed or become invalid.[57]

Regardless of the development of the law, it is to be noted that the territorial scope of the ‘right to be forgotten’ remained unclear even after the lapse of five years post Google Spain’s case.[58] The uncertainty on this matter was finally resolved recently in Google Inc v CNIL[59] on 24 September 2019, where the CJEU held that there is no obligation under EU law for Google to apply the European right to be forgotten globally.[60] In other words, this right only applies within the borders of the EU.

Interestingly, the same court in the case of Eva Glawischnig-Piesczek v Facebook Ireland Limited[61] held that Facebook can be ordered to remove illegal content worldwide. This case concerns an Austrian politician who requested Facebook to remove certain defamatory and illegal comments against her which were posted online. She successfully sought an injunction for Facebook to remove the comments globally. This case has extended the territorial scope of the right to be forgotten whereby social platforms can be made to comply with the requests in taking down unwanted comments globally.[62] The authors partially disagree with this decision as it gives European courts the power to take down online content globally, which would undermine the long-standing principle of state sovereignty.

Regardless of the opinions and debates revolving around the issue, it is indisputable that the development in privacy protection in European countries is many steps ahead in comparison with Malaysia’s standing — in which, domestically, the direction towards privacy protection is rather vague. Data, being the currency in the 21st century, have become more personal and intrusive. The government should strengthen existing data privacy laws and draw inspiration from approaches taken by European countries to narrow the gap of privacy protection in Malaysia.

B.        United Kingdom

The right to privacy in the United Kingdom (UK) is recognised both as a statutory right and a common law right.  

The European Convention on Human Rights (ECHR) has been incorporated into the Human Rights Act 1998.[63] This has greatly shifted the landscape of privacy law in the United Kingdom. For instance, S.6 of the Act states that the courts have no power to overrule statutes that contravene rights in the Convention. Article 8(1) of the ECHR provides that a person is entitled to the right to respect for his private and family life, home, and correspondence.

In Malaysia, not only does the right to privacy not fall within the purview of the Malaysian Federal Constitution, but Malaysia also did not ratify any of the international conventions providing for the right to privacy as a form of basic human rights. In Merdeka University Berhad v Government of Malaysia,[64] the court held that the UDHR is merely a statement of principles which are not part of domestic law — devoid of any obligatory character. This was further affirmed by the Federal Court in Mohamad Ezam Mohd Nor & Ors v Ketua Polis Negara, propounding that UDHR has no binding effect in Malaysia.[65]

According to Tun Arifin Zakaria, human rights are essentially a notion of Western ideology,[66] which may not always match with Malaysian values. His Lordship seemed to have relied on Malaysia’s multi-religious makeup and complex legal tradition — Islamic and civil systems — as the reason to limit the scope of human rights law as something foreign and imperialistic. However, even when viewing the right to privacy from an Islamic perspective, this right is actually consistent with Islamic values. From a constitutional perspective, the highest legal authority in the context of Islamic law is the Qur’an. In Chapter 24, verses 27-30 of the Qur’an,[67] it is stated that everyone is under an obligation to respect the privacy of another. This rebuts the suggestion that human rights are ‘Western norms’ and therefore it can be safely concluded that the right to privacy fits with Malaysia’s multi-religious context.

Due to the absence of the right to privacy on par with international standards in the Malaysian Constitution, the right to privacy has no legal force in Malaysia. This is different from the UK, where international conventions were ratified to provide for the right to privacy as a form of basic human rights[68] that conforms to international standards. This shows a clear gap between Malaysia and the UK in embracing the right to privacy.

However, as a matter of common law right, the English common law in retrospect did not recognise the intrusion of privacy as a cause of action.[69] The court inadequately protected privacy under recognised torts instead of recognising the tort of privacy as a self-standing tort.

The enforcement of the Human Rights Act 1998 allowed courts to recognise an action of the breach of confidence as far as private information is concerned. Regrettably, it was incapable of remedying the breach of privacy because the action can only be taken when confidential information has been made available, in breach of a relationship of confidentiality.[70] Breach of confidence could protect a confidential relationship, but offers no comprehensive protection for private information.

Fortunately, the court in Douglas v Hello! Ltd[71] fixed the loophole. The court acknowledged the right to privacy and expanded the application of the breach of confidence doctrine. It was no longer a requirement to establish a relationship of confidence to make a claim under breach of privacy.

The Human Rights Act 1998 further led the House of Lords in Campbell v MGN Ltd [72] to accept that breach of confidence is appropriate in terms of protecting privacy. In Campbell, the defendant newspaper published a report on Campbell, a celebrity model, as an ex-drug addict seeking treatment at Narcotics Anonymous. The report was coupled with certain details of the treatment and a photograph of her outside Narcotics Anonymous. The judges held that her details and health condition were private and confidential, and the disclosure of such information would be highly offensive. Besides, the Court confirmed that an action for the tort of breach of confidence is capable of extensively protecting privacy, even in the absence of a confidential relationship. Campbell created a new privacy tort and established a new cause of action in English Law, which is known as the tort of ‘misuse of private information’ to ensure effective protection of private information.[73]

In contrast, the tort of invasion of privacy in Malaysia is still not a well-recognised cause of action.[74] The existing law of torts in Malaysia is insufficient to cover all instances of privacy invasion, as privacy suits cannot be primarily based on invasion of privacy per se, but must rely on other forms of established laws of torts to prove injury. Hence, we can observe the huge gap between both countries in terms of privacy protection. While the UK has recognised the new tort of privacy, the judicial attitude in Malaysia is still highly inconsistent. Needless to say, the development of privacy law in Malaysia has been a slow and sloppy one.

C.        Australia

The Australian Constitution and the state constitutions are silent on the right to privacy. They do not contain provisions relating to the protection of privacy, and an entrenched bill of rights is absent at the federal level.[75] The position is somewhat similar to Malaysia.

Before 1988, there was no general legal right to privacy in Australia, as confirmed by the High Court in Victoria Park Racing v Taylor.[76] This position changed when the Australian Law Reform Commission came up with a report[77] to acknowledge the dangers of privacy intrusion due to usage of new technologies, which could result in instances such as the misuse of surveillance and information technology.[78] This report was so comprehensive in providing an effective framework for the protection of privacy[79] that it induced the enactment of the Privacy Act in 1988.[80] The Act was amended in 2001 and is now applicable to private sector organisations and business entities, including individuals, corporate bodies and partnerships, unincorporated associations and trusts. It seeks to govern the way business entities and the federal government handle personal information. Its Malaysian counterpart would be the PDPA but unfortunately the PDPA does not provide privacy protection for individuals whose personal information has been breached.

The Australian Privacy Act sets out 13 privacy principles (APPs)[81] as a written code of practice which all entities and industries are obliged to comply with. Coincidentally, the Malaysian PDPA also propounds several principles to be accorded by data subjects. However, the PDPA lacks coverage for data protection in comparison with the Australian Privacy Act, as the PDPA only sets out 7 principles in Part II of the Act.[82] Principles like transborder data flow and the collection of sensitive information are not covered under the PDPA.

Whilst there is no absolute right to privacy or clearly recognised tort of invasion of privacy in Australia, the door to the development of such a cause of action at common law has been left open by the judiciary.[83] This can be seen in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd.[84] The Australian High Court discussed extensively whether the court should grant an injunction to restrain the broadcasting corporation from airing footage that exposes the respondent’s meat production process. The respondent argued that the footage involving the disposal of animal carcasses was taken privately without its permission, therefore airing it would amount to a breach of its privacy.[85] Although the court did not rule out the recognition of the tort of privacy, Justice Callinan suggested that the Court was receptive to arguments that a right to privacy for natural persons could be recognised in future.[86] This statement itself has gradually infused a certain sense of reformation to privacy law by the judiciary.

Subsequently, in Grosse v Purvis,[87] the court took a bold step in allowing the plaintiff to rely on the actionable right to privacy.[88] The Court laid down 4 elements as the cause of action for invasion of privacy:[89]

  1. a willed act by the defendant;
  2. which intrudes upon the privacy or seclusion of the plaintiff;
  3. in a manner which would be considered highly offensive to a reasonable person of ordinary sensibilities; and
  4. which causes the plaintiff detriment in the form of mental psychological or emotional harm or distress or which prevents or hinders the plaintiff from doing an act which she is lawfully entitled to do.

The Court, after reviewing ABC v Lenah,[90] held that the common law right to privacy should be enforced in Australia.[91] Later, in 2007, the tort of invasion of privacy emerged when it was held in Jane Doe v Australian Broadcasting Corporation[92] that the publication of information relating to sexual assault constitutes a breach of confidence and the publication of the plaintiff’s personal information equates to an invasion of privacy.

Aligning the Australian position with the Malaysian position, Australia’s privacy protection is certainly a few steps ahead in terms of judicial protection. The Australian judiciary had the opportunities to participate in reforming its privacy protection law, whereas the current developments in favour of privacy protection in Malaysian courts are still fragile and embryonic.[93] This raises the need for a statutory cause of action to build on the common law trend.

Malaysia needs its own legislative protection on matters pertaining to privacy. Introduction of the Bill will be the first legislative attempt in Malaysia to protect a general right to privacy. If successful, it can fill the gaps in Malaysian law, focusing on the protection of personal privacy as opposed to only focusing on the protection of specific personal data provided under the PDPA.

IV. REFORMING THE PERSONAL DATA PROTECTION ACT (PDPA) 2010 TO ACHIEVE EXTENSIVE DATA PRIVACY PROTECTION IN MALAYSIA


The PDPA was passed in 2010 to protect against the inappropriate use of personal data collected for commercial purposes.[94] It was long overdue and much anticipated to curb unfair and unethical practices concerning personal data. Despite the passing of the PDPA, in 2017, a massive data breach which leaked customer data of more than 46 million mobile subscribers in Malaysia to an online community forum demonstrated severe gaps in data management and protection.[95] In reality, the PDPA has both strong points and drawbacks in protecting data privacy.

Some of the deficiencies of the PDPA have been mentioned earlier.[96] The PDPA has no provision that specifically addresses the issue of online privacy and is inapplicable if the personal data is processed outside Malaysia. As many new developments were seen after the PDPA was legislated, it is crucial to amend the existing law to ensure its relevancy with current developments.[97] Moreover, the government should consider introducing other protection laws and analyse approaches taken by other countries, such as the European Union’s adoption of the General Data Protection Regulation (GDPR) which was discussed in the previous paragraphs.

Former Minister of Communications and Multimedia, Gobind Singh Deo, stated that the PDPA is being reviewed by the Personal Data Protection Department (JPDP) to ensure that it applies to those receiving leaked information, along with data leakers and cross-border hackers’ activities via cooperation with ASEAN countries.[98] This review undertakes to address the leakage of personal data in the country, in line with international best practices, current digital technology and e-commerce developments.[99] However, due to the recent political turmoil and sudden change of government, the status of the review is very much uncertain.

In discussing the reformation of the PDPA, the following limitations should also be highlighted. As aforementioned, the PDPA applies only to persons who process, control or authorise the processing of personal data in respect of commercial transactions.[100] This precludes non-commercial affairs even though the information communicated in such transactions has an equal need for protection.[101] The personal data protection principles have no effect on personal data processed by an individual for personal, family, household affairs and recreational purposes such as photographs of family members for personal keeping, or information about household collections.[102] Similarly, the processing of personal data for journalistic, literary and artistic purposes is exempted from the principles if the publication is of public interest.[103]

Second, the PDPA does not bind the Federal Government and State Governments.[104] Although it was contended that this exemption provides space and the right for the government to use individual’s basic personal data for lawful administrative purposes, the government is still the biggest collector and holder of data and personal information — making the PDPA less significant as it excludes parties that deal with the most personal data.[105]

In addition, the Personal Data Protection Commissioner who administers and enforces the PDPA is responsible to the Minister.[106] The Minister can give the Commissioner general directions consistent with the provisions of the PDPA. This signifies that the Commissioner is not independent, thus fails to satisfy the EU adequacy requirement test which provides that there must be an independent supervisory authority to enforce the law. This may affect the transfer of personal data though it may still take place provided that the originating party takes additional measures to ensure that data is adequately protected. Ideally, the Commissioner should be answerable directly to Parliament to gain more independence in exercising his function under the Act, but this suggestion was refuted on the basis that such position distorts the established doctrine of separation of powers adopted by the Malaysian Constitution.[107]

Fourth, although the PDPA has created several criminal offences for non-compliance with the provisions of the Act, it does not give the data subject the right to enforce protected rights directly in the court.[108] In ensuring the availability of adequate protection, the PDPA should include provisions for redress and compensation in cases of breach of privacy.

Despite the issues highlighted above, the PDPA has arguably filled the long-standing gap in protecting an individual’s private data.[109] Data users must observe all data protection principles when processing and handling personal data, as any contravention of the principles results in an offence.[110] For instance, the PDPA prohibits a data user from processing any personal data unless the data subject has given consent.[111]

In fact, sensitive personal data of a data subject shall not be processed except in accordance with several conditions. The conditions are listed under S.40 of the PDPA. Now, in light of the current pandemic faced globally, relevant personal data can be collected, used and disclosed without consent of the data subject in order to carry out contact tracing for COVID-19 cases. So how does the PDPA come into play? Here, the PDPA provides that data users such as companies or organisations that have collected or retained personal data of a data subject must ensure that the personal data collected to carry out contact tracing by relevant authorities is not used for other purposes in the absence of explicit consent given by the data subject[112] or valid authorisation under the law.[113]

Overall, it can be concluded that the PDPA does protect data privacy in Malaysia. However, as highlighted earlier, some amendments should be made to ensure greater efficiency in providing better and more extensive data privacy protection in this country.

V.        CONCLUSION

The Malaysian government is urged to place emphasis on reforming the law on privacy by enacting legislation for privacy law, as privacy is considered a pre-requisite to the meaningful exercise of freedom of expression — particularly online in the present circumstances. Without privacy, individuals lack the space to think, speak, and develop their voice.

At the same time, one person’s right to freedom of expression may impinge on someone else’s right to privacy and vice versa. This tension is further exacerbated by digital technologies. Whilst digital technologies have been central to facilitating freedom of expression and the sharing of information, they have also greatly increased the opportunity for violations of privacy on a scale previously unimaginable.

Written by Chin Wei Song, Illianie Mohd Taib, Jenn Lee Jing Xuan, Farah Nabilah, Haw Qian Xing and Nurliyana Fatihah, third-year students of the University of Malaya.

Edited by Celin Khoo Roong Teng.

Disclaimer: The opinions expressed in this article are those of the author and do not necessarily reflect the views of the University of Malaya Law Review, and the institution it is affiliated with.

Footnotes:

[1] Universal Declaration of Human Rights, Art 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

[2] International Covenant on Civil and Political Rights, Art 17 (1): No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation; Art 17 (2): Everyone has the right to the protection of the law against such interference or attacks.

[3] Duryana binti Mohamed. (2016). The Privacy Right and Right to be Forgotten: the Malaysian Perspectives. Indian Journal of Science and Technology, 9(1). Retrieved from <http://www.indjst.org/index.php/indjst/Art/view/106854/77717>. Site accessed on 19 December 2019.

[4] Calcutt Committee was formed in April 1989 in response to the widespread concern by the press on the invasion of privacy, much of which was expressed in the debates in two private Members’ Bills in the House of Parliament.

[5] Calcutt Committee. (1989). Report of the Committee on Privacy and Related Matters. Retrieved from <https://heinonline.org/HOL/LandingPage?handle=hein.journals/ilp15&div=31&id=&page=>. Site accessed on 19 Dec 2019.

[6] Australian Law Reform Commission. (2008). For Your Information: Australian Privacy Law and Practice, 1(108). Retrieved from <https://www.alrc.gov.au/wp-content/uploads/2019/08/108_vol1.pdf>. Site accessed on 19 Dec 2019.

[7] Includes personal credit information, medical and government records. Also known as ‘data protection’.

[8] Invasive procedures against physical selves such as genetic tests, drug testing and cavity searches.

[9] Covers the security and privacy of mail, telephones, e-mail and other forms of communication.

[10] Territorial privacy limits intrusion into the domestic and other environments like workplace or public space. This includes searches, video surveillance and ID checks.

[11] Warren, S., & Brandeis, L. (1890). The Right to Privacy. Harvard Law Review, 4(5).

[12] Buang, S. (2015, Sept 3). Public Officials and Private Space. New Straits Times. Retrieved from <https://www.nst.com.my/news/2015/09/public-officials-and-private-space>. Site accessed on 21 Dec 2019.

[13] Yeoh, A., Chin, C., & Poon, E. (2019, Oct 8). Universiti Malaya E-Pay portal is down after being defaced. The Star. Retrieved from <https://www.thestar.com.my/tech/tech-news/2019/10/18/universiti-malaya-e-pay-portal-is-down-after-being-defaced>. Site accessed on 23 Dec 2019.

[14] Malaysiakini. (2019). UM Saga: Staff personal data, login IDs, passwords leaked online. Malaysiakini. Retrieved from <https://www.malaysiakini.com/news/496510>. Site accessed on 23 Dec 2019.

[15] Yeoh, A., & Chin, C. (2019, Oct 18). Universiti Malaya: No data compromised in e-Pay portal hack. The Star. Retrieved from <https://www.thestar.com.my/tech/tech-news/2019/10/18/universiti-malaya-no-data-compromised-in-e-pay-portal-hack>. Site accessed on 23 Dec 2019.

[16] Hurriyah El Islamy. (2005). Information Privacy in Malaysia: A Legal Perspective, [2005] 1 MLJ xxv. 

[17] Personal Data Protection Act 2010 (Act 709).

[18] Child Act 2001 (Act 611).

[19] Penal Code (Act 574).

[20] See footnote 16.

[21] Births and Deaths Registration Act 1957 (Act 299).

[22] Communications and Multimedia Act 1998 (Act 588).

[23] Law Reform (Marriage and Divorce) Act 1976 (Act 164).

[24] Private Healthcare Facilities and Services Act 1998 (Act 586).

[25] See footnote 16.

[26] See footnote 16.

[27] Anti-Corruption Act 1997 (Act 575).

[28] Companies Act 2016 (Act 777).

[29] Computer Crimes Act 1997 (Act 563).

[30] See footnote 1.

[31] [2004] 5 CLJ 285.

[32] [2010] 7 CLJ 525.

[33] [2010] 2 MLJ 333.

[34] Public Prosecutor v Azmi bin Sharom [2015] 6 MLJ 751, at para 37-40.

[35] [2009] 6 MLJ 826.

[36] [2010] 2 MLJ 333, at para 6.

[37] [2011] 1 MLJ 835.

[38] [2009] 6 MLJ 826, at para 8.

[39] [2011] MLJU 1195.

[40] [2015] 7 CLJ 805.

[41] Geneva. (2014, Sept). Statement by Malaysia: Panel on the right to privacy in the digital age. Statement presented at the 27th Regular Session of the Human Rights Council. Retrieved from <https://www.kln.gov.my/web/che_geneva/news-from_mission/blogs/4426509_33_redirect=http%3A%2F%2Fwww.kln.gov.my%2Fweb%2Fche_geneva%2Fnews_from_mission%3Fp_p_id%3D33%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn_1%26p_p_col_pos%3D1%26p_p_col_count%3D2%26p_r_p_564233524_tag%3Dchile>. Site accessed on 18 Dec 2019.

[42] See footnote 10.

[43] Arumugam, J. (2016, Jan 12). Group questions policing of WhatsApp, claims invasion of privacy. MalayMail. Retrieved from <https://www.malaymail.com/news/malaysia/2016/01/12/group-questions-policing-of-whatsapp-claims-invasion-of-privacy/1039459>. Site accessed on 18 Dec 2019.

[44] Ashraf, K. (2017, Feb 17). Couple take Jawi to court over khalwat arrest. FreeMalaysiaToday. Retrieved from <https://www.freemalaysiatoday.com/category/nation/2017/02/17/couple-take-jawi-to-court-over-khalwat-arrest/>. Site accessed on 18 Dec 2019.

[45] Bischoff, P. (2019). Surveillance States: Which countries best protect privacy of their citizens? Comparitech. Retrieved from <https://www.comparitech.com/blog/vpn-privacy/surveillance-states/>. Site accessed on 10 Nov 2019.

[46] European Convention on Human Rights, Art 8; Charter of Fundamental Rights of the European Union, Art 7.

[47] European Convention on Human Rights, Art 10; Charter of Fundamental Rights of the European Union, Art 11.

[48] Zuryati Mohamed Yusoff. (2014). Protection of Privacy in Malaysia: A law for the future, Victoria University of Wellington, 2. Retrieved from <https://pdfs.semanticscholar.org/dae5/f0bdb4238cc4215f2f9faa3747af51acf919.pdf>

[49] See footnote 57, 84.

[50] Lenaerts, K., & Gutiérrez-Fons, J. A. (2014). The Place of the Charter in the EU Constitutional Edifice. In Peers et al. (eds.). The EU Charter of Fundamental Rights. A Commentary. p.1600-1637. Oxford: Hart Publishing. Retrieved from <https://doi.org/10.5771/9783845259055-1600>. Site accessed on 8th November 2019.

[51] European Union General Data Protection Regulation 2016/679, Art 3 (2).

[52] See footnote 19, S.3 (2).

[53] See footnote 60, Art 17.

[54] Arthur, C. (2014, Jun 27). Google removing ‘right to be forgotten’ search links in Europe. The Guardian. Retrieved from <http://www.theguardian.com/technology/2014/jun/26/google-removing-right-tobe-forgotten-links>. Site accessed on 11 Nov 2019.

[55] Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González [2014] ECR I-000.

[56] See footnote 63.

[57] See footnote 19, S.10 (2).

[58] Samonte, M. (2019). Google v CNIL, Case C-507/17: The Territorial Scope of the Right to be Forgotten Under EU Law. Retrieved from <https://europeanlawblog.eu/2019/10/29/google-v-cnil-case-c-507-17-the-territorial-scope-of-the-right-to-be-forgotten-under-eu-law/>. Site accessed on 11 Nov 2019.

[59] Google Inc v Commission nationale de l’informatique et des libertés (CNIL) C-507/17.

[60] See footnote 68, 64.

[61] Eva Glawischnig-Piesczek v Facebook Ireland Limited C-18/18.

[62] Brogi, A., & Maroni, M. (2019). Eva Glawischnig-Piesczek v Facebook Ireland Limited: a new layer of neutrality. Retrieved from <https://cmpf.eui.eu/eva-glawischnig-piesczek-v-facebook-ireland-limited-a-new-layer-of-neutrality/>. Site accessed on 10 Nov 2019.

[63] Human Rights Act 1998 (c. 42) (United Kingdom).

[64] [1981] 2 MLJ 356, at para 367.

[65] [2002] 4 MLJ 449, at para 513.

[66] Ida, L. (2016, Jan 8). CJ says can’t judge Malaysian court decisions by ‘Western’ rights standards. MalayMail. Retrieved from <https://www.malaymail.com/news/malaysia/2016/01/08/cj-says-cant-judge-malaysian-court-decisions-by-western-rights-standards/1036753>. Site accessed on 17 Nov 2019.

[67] Al-Qur’an Chapter 24, Verse 27-30: “O ye who believe! Enter not houses other than your own, until ye have asked permission and saluted those in them: that is best for you, in order that ye may heed (what is seemly). If ye find none in the house, enter not until permission is given to you: if ye are asked to go back, go back: that makes for greater purity for yourselves: and Allah knows well all that ye do. It is no fault on your part to enter houses not used for living in, which serve some (other) use for you: And Allah has knowledge of what ye reveal and what ye conceal. Say to the believing men that they should lower their gaze and guard their modesty: that will make for greater purity for them: And Allah is well acquainted with all that they do.” See Abdullah Yusuf Ali. (1988). The Holy Quran – Text, Translation and Commentary: Parts I to IXX (3rd Ed.) Sh. Muhammad Ashraf Publishers.

[68] Holmes, D. (2016). United Nations Treaties Ratified by the UK. Scottish Government: Riaghaltas na h-Alba. Retrieved from <https://www.gov.scot/publications/united-nations-treaties-ratified-by-the-uk/>. Site accessed on 13 Nov 2019.

[69] Giliker, P. (2015). A Common Law Tort of Privacy? The Challenges of Developing a Human Rights Tort. Singapore Academy of Law Journal, 27, 764. Retrieved from <https://research-information.bris.ac.uk/files/55674339/A_Common_Law_Tort_of_Privacy_final_.pdf>. Site accessed on 17 Dec 2019.

[70] See footnote 80.

[71] [2002] 2 WLR 992.

[72] [2004] UKHL 22.

[73] Campbell v MGN Ltd [2004] UKHL 22, 205.

[74] Ultra-Dimension v Kook Wei Kuan [2001] MLJU 751; Dr Bernadine v MPH Magazines Sdn Bhd [2006] 2 CLJ 1117; Lew Cher Phow @ Lew Cha Paw & Ors v Phua Yong Yong & Anor [2011] MLJU 1195.

[75] European Commission Directorate-General Justice, Freedom and Security, Comparative Study. (2010). Comparative study on Different Approaches to New Privacy Challenges, in particular in the Light of Technological Developments.  Retrieved from <https://op.europa.eu/en/publication-detail/-/publication/9c7a02b9-ecba-405e-8d93-a1a8989f128b>. Site accessed on 24 Dec 2019.

[76] [1937] HCA 45; (1937) 58 CLR 479.

[77] See footnote 4.

[78] Australian Law Reform Commission. (1983). Australia: Australia Government Publishing Service 1983. ALRC Report 22. Retrieved from <https://www.alrc.gov.au/publication/privacy-alrc-report-22/>. Site accessed on 16 Nov 2019.

[79] Australian Law Reform Commission. (2008). For Your Information: Australian Privacy Law and Practice (ALRC Report 108). Retrieved from <https://www.alrc.gov.au/publication/for-your-information-australian-privacy-law-and-practice-alrc-report-108/>. Site accessed on 14 Nov 2019.

[80] Privacy Act 1988 (No. 119) (Australia).

[81] See footnote 91, Schedule 3.

[82] See footnote 19, Part II, Division 1.

[83] Australian Law Reform Commission. (2007). Australian Law Reform Commission Discussion paper 72: Review of Australian Privacy Law (DP72). Retrieved from <https://www.alrc.gov.au/publication/review-of-australian-privacy-law-dp-72/>. Site accessed on 16 Nov 2019.

[84] [2001] HCA 63; (2001) 208 CLR 199 HC.

[85] See footnote 95, at para 5.

[86] See footnote 95, 335.

[87] [2003] QDC 151.

[88] Wang, H. (2011). Protecting Privacy in China: A Research on China’s Privacy Standard and the Possibility of Establishing the Right to Privacy and the Information Privacy Protection Legislation in Modern China. London, England: Springer.

[89] Telford, R. (2003). Grosse v Purvis: Its place in the common law of privacy. Privacy Law and Policy Reporter. Retrieved from <http://www.austlii.edu.au/au/journals/PLPR/2003/36.html#Footnote41>. Site accessed on 16 Nov 2019.

[90] See footnote 95.

[91] See footnote 100.

[92] [2007] VCC 281 HC.

[93] See footnote 57.

[94] Naufal Fauzi. (2019, Feb 12). Data privacy laws: Malaysia has a long way to go. New Straits Times. Retrieved from <https://www.nst.com.my/opinion/columnists/2019/02/459321/data-privacy-laws-malaysia-has-long-way-go>. Site accessed on 20 Dec 2019.  

[95] See footnote 107. 

[96] See footnote 107. 

[97] See footnote 107. 

[98] Bernama. (2019). Personal Data Protection Act review to include cross-border hacking activities – Gobind. The Edge Markets. Retrieved from <https://www.theedgemarkets.com/Art/personal-data-protection-act-review-include-crossborder-hacking-activities-%E2%80%94-gobind>. Site accessed on 20 Dec 2019.

[99] See footnote 104.

[100] See footnote 19,  S.2.

[101] See footnote 57.

[102] See footnote 19, S.45(1).

[103] See footnote 57.

[104] See footnote 19, S.3.

[105] See footnote 57.

[106] See footnote 19, S.59.

[107] See footnote 57.

[108] See footnote 57.

[109] See footnote 57.

[110] See footnote 19, S.5.

[111] See footnote 19, S.6. 

[112] See footnote 19, S.40 (1)(a).

[113] See footnote 19, S.40 (1)(b).