DATA
PROTECTION
Cyber Law &
Islamic
Ethics
CICT3523
TRANSBORDER DATA FLOW(TBDF)
TBDF
is defined as all kinds of
electronic transmission of personal
information across political and
boundaries for processing or storing
in computer files.
It concerns the transfer of personal
information across sovereign
geographic boundaries.
WHY TBDF IS IMPORTANT?
 Because
of its significance to economic
growth and international trade
 Arises from 4 basic principles:
a)
b)
c)
d)
The vital importance of the efficient exchange
of information in the development and growth
of modern international trade and production.
The right of business to communicate freely
within and outside its corporate structure.
The right of business to access and utilize
national and international communication
facilities on a fair, competitive and nondiscriminatory basis.
The necessity of recognizing the world-wide
interdependence of modern business
communication.
WHY TBDF IS IMPORTANT?
Because
of this, many parties
recommend the government to strike
an appropriate balance in privacy
and data protection legislation.
Government in doing so, should
recognize the world-wide
dependence of modern business on
transborder flows and not legislate in
such a way as to restrict these flow.
DEFINITION OF DATA
This
term is only used to refer to the
transfer of personal information;
that is information relating to
individuals rather than information
relating to companies or
governments.
For example, information relating to
travel, or credit and health, as well
as information about criminal
convictions.
DEFINITION OF DATA
Personal
data has been defined in
the convention and OECD
guidelines as;

‘any information relating to an
identified or identifiable individual.’
The
above definition is extremely
broad; it can include a number of
data of varying kinds (social security,
bank accounts, etc) and all kinds of
commercial activity.
INTERNATIONAL INSTRUMENTS
 There
are three different international
instruments governing the issue of
transborder data flow and privacy
protection:
a)
b)
c)
Organization for Economic
Cooperation and Development
Guidelines (OECD).
Council of Europe Convention For the
Protection of Individuals with regards
to Automatic Processing of Personal
data. (Convention).
European Community Directive on the
Protection of Individuals (Directive).
OECD PRIVACY GUIDELINES
 The
guidelines seem to be a free data flow
regulation rather than a data protection.
 Useful for establishing legal means to protect
privacy on the electronic highway.
 A member country should refrain from restricting
transborder flows of personal data between itself
and another member country except where the
latter does not yet observe these guidelines.
 Member countries should avoid developing laws,
policies and practices in the name of the protection
of privacy which would create obstacles to
transborder flows of personal data that would
exceed requirements for such protection
EIGHT BASIC PRINCIPLES
1. The collection limitation principle requires that
information must only be obtained through lawful
means and with the knowledge or consent of the
data subjects.
2. The data quality principle provides that only
information relevant for the purpose of the
collection be required by the collector of the data
and such data must be up-to-date, accurate and
complete.
3. The purpose specification principle states that the
purpose or purposes for which the data is
gathered must be disclosed to the data subject at
the time it is collected and that such data shall
only be used for that purpose or purposes.
EIGHT BASIC PRINCIPLES
4. The use limitation principle requires that
information not be disclosed to a third party by
the person who has collected it without the
consent of the data subject unless it is
demanded by law.
5. The information must be protected by the
collector who must take reasonable precautions
to guard against loss, destruction, and
unauthorized use, access, modification or
disclosure of it.
6. The data subjects ought to be able to readily
determine the whereabouts, the use and
purpose of personal data relating to them.
EIGHT BASIC PRINCIPLES
7. A data subject can obtain confirmation
from the data collector that information is
held by it, obtain details of this information
within a reasonable time. Data subjects
should also be given reasons where access
to data is denied. He also can rectify
inaccurate information and where
necessary erased it.
8. The data collector ought to be
accountable for complying with the above
principles.
OECD PRIVACY GUIDELINES
However,
these guidelines do not
form part of a binding legal
document and accordingly may not
be enforced.
Many countries have put all these
guidelines into their legislation.
E.g, Australia, New Zealand, Hong
Kong, Singapore and many other
countries
THE CONVENTION
The
Council of European Convention
for the Protection of Individuals with
regard to Automatic Processing of
Personal Data was promulgated
because data protection has been
seen as a question of human rights.
The fundamental idea is to protect
privacy rather than to prevent
transborder data barriers.
THE CONVENTION
Unlike
the OECD guidelines, these
provisions form part of binding legal
document to European countries and
can be enforced.
However, it only applies to
automated processing of personal
information so that the transfer of
information in manual form is not be
caught.
EUROPEAN UNION DIRECTIVE
The
directive initiatives was based on
two reasons;
1.
2.
The possibility that different levels of
data protection laws could cause
obstacles for border crossing data
transfers.
The rights and freedoms of persons
with regard to the processing of
personal data.
EUROPEAN UNION DIRECTIVE
 It
requires EU Member States to ensure
that individuals have certain rights and
the standards are set for data quality
such as how to process the data fairly
and lawfully.
 The Directive regulates structured
collections of manual data as well as
data held in computerized form.
 The Directive only permits data to be
held relating to the individuals with their
consent.
EUROPEAN UNION DIRECTIVE
 The
Directive also covers judicial
remedies and penalties.
 It
requires Member States to establish
standard appropriate sanctions and
remedies for breach of domestic data
protection legislation.
 The
Member States are required to
transpose the Directive’s principles into
their national legislation within a time
limit of three years (1998).
 By now all Member States have done so.
THE UK DATA PROTECTION ACT 1998
The
purpose of DPA is to regulate the
use of automatically processed
information relating to the individuals
and the provisions of services relating
to the individuals (data subjects).
Regulation is carried out by placing
obligations on those who record and
use personal data (data users) and
computer bureau providing services
to data users.
THE PRINCIPLES OF DATA PROTECTION

The principles are derived
from the 8 principles of OECD
guidelines, directive and
convention.
RIGHTS OF DATA SUBJECT
1.
2.
3.
The right to be informed by any data
user whenever the data held by him
includes personal data of which that
individual is the data subject (upon
written request).
The right to have a copy of the
information consisting of any such
personal data held by him.
The right to prevent processing likely
to cause damage and distress.
RIGHTS OF DATA SUBJECT
4.
5.
6.
The right to claim compensation for
inaccuracy of the data held by the
data users.
The rights to claim compensation for
loss or unauthorized disclosure of data
by data users including if the data
users breach the Data Protection Act.
The rights to have inaccurate data
rectified, blocked, erased or
destroyed.
ENFORCEMENT OF
DATA PROTECTION ACT
If
there be a breach, 3 actions
may be taken;
a)
b)
c)
Action being taken by a
registrar
Subject to criminal proceeding
Data subjects can claim
compensation
A. THE ACTION BY THE REGISTRAR
 If
any complaints made by data subjects,
registrar should investigate.
 If any breach happened, registrar will issue;
1. Enforcement notice - asking to make
rectification of inaccurate data
2. De-registration notice - to remove a
user entry on the register
3. Transfer prohibition - prohibit the transfer
if the recipient state do not provide
equivalent protection.
B. CRIMINAL OFFENCES
1)
2)
3)
4)
5)
6)
7)
Holds personal data of any description other than that
specified in the register entry.
Uses any such data other than for purposes described in
the register entry.
Discloses personal data to a person not described in the
register entry.
Transfers directly or indirectly personal data to an
overseas countries other than those described in the
register entry.
Obtains personal data from a source not described in
the register entry.
Disobeying a registrar’s notice.
Not register a data – strict liability offence meaning that
even though the person does not know it needs
registration, he still liable.
C. CLAIM COMPENSATION
Data subjects can claim
compensation in the event
that data is inaccurate or is
subjected to an
unauthorized disclosure.
MALAYSIAN POSITION


There is no specific provision on the
right to privacy in the Constitution of
Malaysia.
The Personal Data Protection Act
2010 was drafted in 1998 in light of
the OECD Guidelines and similar
laws in the EU, Hong Kong and New
Zealand and has been passed by
the Parliament in May 2010.
PERSONAL DATA PROTECTION ACT 2010
NON APPLICATION
 Federal & States Governments.
 Non-commercial Transactions.
 Personal, Family & Household Affairs.
 Data Processed Outside Malaysia.
 Credit Reference Agencies.
Data Protection Principles
General Principle - Personal Data
cannot be processed without the
consent of data subject.
Exemptions:
 for
the performance of a contract to
which the data subject is a party.
 at the request of the data subject with a
view to entering into a contract.
 to protect the vital interest of the data
subject.
Notice and Choice Principle
A
data user shall inform the data
subject that;
the
personal data of the data
subject is being processed and
provide a description of the
personal data.
the purposes of the collection.
the right of the data subject to
request access.
Disclosure Principle
 No
personal data shall, without the
consent of the data subject, be disclosed
for other purposes.
Retention Principle
 Personal
data processed for any purpose
shall not be kept longer than is necessary
for the fulfillment of that purpose.
Data Integrity Principle
 User
shall take reasonable steps to ensure
that the personal data is accurate,
complete, not misleading and kept up-todate.
Access Principle
A
data subject shall be given access to his
personal data and shall be able to correct
that personal data if it is inaccurate,
incomplete, misleading or not up-to-date.
Security Principle
A
data user shall take practical steps to
protect the personal data from any loss,
misuse, modification, unauthorized or
accidental access or disclosure, alteration
or destruction.
Some Criminal Offences
 Contravene
any of the Data Protection
Principles.
 Failure to comply with the requirements of
the Data Protection Commissioner in
relation to the right to prevent processing
that cause damage or distress.
 Failure to comply with the requirements of
the Data Protection Commissioner in
relation to the right to prevent processing
for direct marketing purposes.
Some Criminal Offences
 Transfer
of data to places outside
Malaysia whenever there is no law in force
to protect the personal data or there is no
adequate level of protection.
 Collect, disclose or procures the disclosure
of personal data without the consent of
data user.
 Failure to comply with the enforcement
notice.
If a body corporate commits an offence,
any person who at the time of the
commission of the offence was a
director,
chief
executive
officer,
manager, secretary, etc, may be
charged severally or jointly in the same
proceeding. If the body corporate is
found to have committed the offence,
the officers are deemed to have
committed the offence personally.
OTHER LAWS



In the area of security of
networks and information
placed in them, two laws have
direct bearing:
Computer Crimes Act 1997.
Communications and Multimedia
Act 1998 (CMA).
COMPUTER CRIMES ACT 1997
Not specifically mentioned
about the protection of data
but it may be to protect the
owner’s privacy.
 Hacking and disclose the
password without authorization
are among crimes under this
Act.

The Communications
and Multimedia Act 1998


On security of networks and
communications through them.
The offences relating to privacy are:
a)
b)
c)
The use of any device with the intention of
obtaining without authority, information on the
contents, sender or addressee of any
communication.
The possession or creation of a system to gain
fraudulent access to network facilities or
services
Unlawful interception of any communications;
disclosure or use of such intercepted
communication.
ISLAMIC
PERSPECTIVE ON DATA PROTECTION
Al-Qur‟an
4: 148
“Allah does not like the public
mention of evil except by one who
has been wronged. And ever is Allah
Hearing and Knowing”.
ISLAMIC
PERSPECTIVE ON DATA PROTECTION
Al-Qur‟an
4: 114
“No good is there in much of their
private conversation, except for
those who enjoin charity or that
which is right or conciliation between
people. And whoever does that
seeking means to the approval of
Allah - then We are going to give
him a great reward”.
Islamic Principles on privacy protection



Every man and woman have some
information for which they have the right
and obligation to keep it secret.
The extent of secrecy changes according
to the nature of the observer, the time of
observation, and the amount of
information observed.
Some of the secret can be joint secrets
and all the parties have the obligation to
keep it secret.
Islamic Principles on privacy protection


Some of the secret can be shared
(Disclosed to someone else) but the
nature of the observer is conditional and
then the one who receives it has the
obligation to keep it secret.
It is undesirable to investigate the secrets
of someone else.