JANUARY 6 ― On New Year’s Eve, Prime Minister Datuk Seri Anwar Ibrahim said that constructive discourse should be promoted rather than criticised excessively.
Throughout the past year, the prime minister had said repeatedly that criticisms of the government were welcomed as long as they avoided any form of racial provocation and any attempt to disturb public order.
Apart from racial provocation and attempts at disturbing public order, criticism of the prime minister or the leadership should be required. Critics should not feel anxious and be fearful.
On that note, Economy Minister Rafizi Ramli should not “bristle” with Lawyers for Liberty (LFL) for the latter’s criticism of Padu.
LFL said that the rolling out of Padu, the government's newly-launched central database hub, risked exposing sensitive information but gave the public no legal redress to seek damages if their personal data were leaked or stolen.
The group added that government agencies are protected from legal action if data from Padu is leaked or stolen based on a provision under section 3(1) of the Personal Data Protection Act 2010 (PDPA), which is the case.
Section 3(1) of the Personal Data Protection Act 2010 (Act 709) (PDPA exempts the Federal and State governments from its application.
Legal scholars Sidi Mohamed Sidi Ahmed and Sonny Zulhuda wrote in 2019:
“Non-applicability of the [PDPA] to data processed by governmental bodies (section 3 of PDPA) is [an] issue that could lessen the efficiency and capability of PDPA to adequately coexist with waves of new technology such as IoT.”
IoT is Internet of Things, an emerging technology of the 21st century, the basic idea of which “revolves around connecting things and objects (persons, animals, cars, trees, etc.) to the Internet and enabling them to communicate and then process (generate, receive, send, etc.) data about themselves and the environment surrounding them.”
While the IoT, like Padu, brings countless benefits and provides timely data and information about places and objects, it has disadvantages especially in terms of privacy and security of data. Particularly, the IoT “might challenge personal data protection law and misgive its ability to effectively stand in the rapid successive technology waves.”
Hence, it is of concern that the biggest data users ― the federal and state governments ― are exempted from the application of the PDPA, which “could have far-reaching on data protection”.
The scholars argued that for the sake of personal data protection, the PDPA should be extended to include personal data processed by the government while providing for necessary exemption as the case is with the General Data Protection Regulation (GDPR) of the European Union (EU) (Regulation 2016/679).
The GDPR is an EU law with mandatory rules for how organisations and companies must use personal data in an integrity friendly way. Each organization that processes personal data (which is every organisation with employees and customers) must ensure that the personal data it uses fulfils the requirements of the GDPR.
Article 3(1) of GDPR states that the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, without exempting the government. “Controller” and “processor” include public authority ― Article 4 GDPR.
Article 9(1) prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
However, the prohibition does not apply to “special categories” of personal data as listed in Article 2(a) ― (j), such as employment and social security and social protection in so far as authorised by the law of EU or its member states providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Accordingly, the scholars recommend that Malaysia follow the EU law and extend the scope of PDPA to cover personal data processed by the federal and state governments.
What says the minister?
* This is the personal opinion of the writer or publication and does not necessarily represent the views of Malay Mail.