Neo Hwee Yong discusses the new data protection law in the European Union.
In recent years, the world has seen unprecedented privacy breaches as ever more information shifts, gradually but unavoidably, into cyberspace. In 2013, it was reported that Yahoo! had suffered a data breach that impacted three billion user accounts.
In 2017, Equifax, a major US credit rating agency, reported that it had suffered a data breach which leaked personal information, such as names, social security numbers, birth dates, addresses and driver's licence numbers, belonging to some 143 million consumers. On 1 March 2018, Equifax announced that further investigations disclosed that the data breach affected a further 2.4 million consumers, bringing the total number affected to almost 145.5 million.
Back home in Malaysia, it has recently been reported that major privacy breaches, which may have affected almost the entire population, resulted in the leak of personal information belonging to some 46.2 million mobile phone users, including mobile phone numbers, identification card numbers, home addresses and SIM card data. The gravity of such breaches cannot be overstated, particularly where the information leaked allows criminals to commit identity theft.
In the most recent controversy, it was reported in March 2018 that personal data belonging to approximately 50 million Facebook users, including likes by the users on the Facebook platform, were accessed and used without consent by Cambridge Analytica, a data analytics firm, for the purpose of building a powerful software programme to predict and influence choices at the ballot box.
In light of major privacy breaches over the years, the European Union ("EU") adopted the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") as the new EU data protection framework in April 2016. The GDPR is slated to apply from 25 May 2018 in place of Directive 95/46/EC (the Data Protection Directive). However, what would this mean for businesses in Malaysia?
WHAT DOES THE GDPR MEAN FOR BUSINESSES IN MALAYSIA?
Trade between Malaysia and the EU has grown steadily over the years, with reported figures of RM15.46 billion in trade, of which RM8.61 billion comprises exports from Malaysia to the EU. As such, it is imperative for Malaysian businesses, particularly those which trade with parties in the EU, to understand the impact of the implementation of the GDPR, given its wide extra-territorial scope.
The GDPR differs fundamentally from our Personal Data Protection Act 2010 ("PDPA") in that it applies to businesses and companies within and outside the EU which process personal data of data subjects who are in the EU, in the context of the offering of goods or services (free or otherwise) to such data subjects or the monitoring of their behaviour, as far as their behaviour takes place within the EU (Article 3(2) GDPR). In contrast, the PDPA only applies to personal data in respect of commercial transactions and does not apply to businesses and companies outside of Malaysia unless they use equipment in Malaysia for the processing of personal data otherwise than for purposes of transit through Malaysia. This significant and ambitious undertaking by the EU means that businesses undertaking any of the activities mentioned in Article 3(2) would be caught by the GDPR regardless of where they are located in the world, including Malaysia. Indeed, one of the rationales behind the adoption of the GDPR is to ensure that the greater control and protection given to EU citizens over how their personal data is processed cannot be defeated simply by transferring the personal data, or relocating the business, to a place outside of the EU.
In relation to what amounts to offering goods and services to data subjects in the EU, the GDPR clarifies in its recitals that it must be apparent that the relevant business or company envisages offering goods and services to data subjects in the EU. The recitals explain that the mere accessibility of the business website in the EU, or the use of a language generally used in the third country where the business is established, is insufficient on its own; however, certain factors may make it apparent that the business or company envisages offering goods or services to data subjects in the EU, e.g. the use of a language or a currency generally used in the EU with the possibility of ordering goods and services in that other language, or mentioning EU customers or users.
On the other hand, the monitoring of behaviour involves the tracking of the behaviour of data subjects on the Internet and the subsequent processing of such personal data for other purposes, such as profiling in order to make decisions regarding the data subject or to analyse or predict the data subject's personal preferences, behaviours and attitudes.
WHAT IF I'M ALREADY COMPLIANT WITH THE PDPA?
The GDPR contains a number of requirements which are not found in the PDPA, some of which are highlighted below. Where the GDPR applies, businesses and companies in Malaysia must therefore ensure compliance with these additional requirements.
Right to erasure
Article 17 of the GDPR provides data subjects, in certain circumstances, with the right to require data users to erase personal data concerning him or her without undue delay (the "right to be forgotten"), e.g. where the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed. Where the personal data has been made public by the data user, the GDPR further imposes upon the data user an obligation to take reasonable steps to inform other data users which are processing the personal data of such request for erasure.
Right to data portability
Article 20 of the GDPR grants data subjects, in certain circumstances, the right to receive from the data user personal data concerning him or her in a structured, commonly used and machine-readable format, and the right to transmit that data to another data user without hindrance. This also includes the right to have the personal data transmitted directly from one data user to another, where this is technically feasible.
Data breach notification
There is currently no data breach notification requirement under the PDPA. The GDPR, however, places an obligation on the data user to notify the supervisory authority (i.e. the independent public authority responsible for monitoring the application of the GDPR within each Member State) and the relevant data subject of the personal data breach.
Under Article 33, data users are required to notify the supervisory authority of any personal data breach (including the nature of the breach and its likely consequences) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Article 34 requires data users to communicate to the relevant data subject, without undue delay, any personal data breach which is likely to result in a high risk to the rights and freedoms of natural persons, unless one of the prescribed exemptions applies, e.g. where doing so would involve disproportionate effort.
Data protection impact assessment
The GDPR also introduces the requirement to carry out a data protection impact assessment ("DPIA") where processing is likely to result in a high risk to the rights and freedoms of natural persons by virtue of its nature, scope, context and purposes (e.g. processing involving the use of new technologies). The purpose of the assessment is to ascertain the impact of the envisaged processing operations on the protection of personal data. Article 35 provides that a DPIA is required in particular in the following circumstances:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing and which produces legal effects concerning the natural person or similarly affects such person in a significant way;
- Large-scale processing of special categories of personal data, biometric data, or criminal or security records for the purpose of making decisions regarding the data subject; or
- Systematic monitoring of a publicly accessible area on a large scale.
Data Protection Officer
Article 37 of the GDPR requires data users and data processors to designate a Data Protection Officer ("DPO") in certain circumstances, e.g. where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity), or where the core activities involve processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Designation of representative in the EU
Article 27 requires data users and data processors who are not established in the EU but are caught under Article 3(2) of the GDPR to designate in writing a representative in the EU, unless (i) the processing is occasional, does not include processing on a large scale of special categories of data or personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons; or (ii) the data user or data processor is a public authority or body. One of the main purposes of such a representative is to act on behalf of the data user or data processor as a point of contact with any supervisory authority on any matter relating to the GDPR.
Under the PDPA, direct obligations are only placed on data users and not data processors, although in certain circumstances the former is required to contractually bind the latter to ensure compliance with the PDPA.
Unlike the PDPA, the GDPR imposes direct obligations on data processors. These obligations include the obligation to: (i) obtain specific or general written authorisation of the data user prior to engaging another processor; (ii) process personal data only on instructions from the data user; (iii) designate, in certain circumstances, a representative established in the EU (if the data processor is not established in the EU); (iv) designate a DPO in certain circumstances; and (v) inform the data user of any personal data breach without undue delay after becoming aware of the same.
WHAT HAPPENS IF I DON'T COMPLY?
The GDPR prescribes hefty fines for non-compliance, scaled according to the provisions breached. Article 83 permits the relevant supervisory authority to impose a fine of up to EUR10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for breach of certain provisions such as the requirement to carry out a DPIA.
A fine of up to EUR20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed for breach of certain provisions such as the basic principles for processing, including the conditions for consent.
HOW LONG DO I HAVE TO COMPLY?
The two-year grace period following the adoption of the GDPR will expire on 25 May 2018. Businesses and companies must ensure compliance with the GDPR by that date.
The PDPA has been in force for less than five years, and many businesses and companies in Malaysia are still struggling to ensure compliance with it.
The implementation of the GDPR means that businesses and companies in Malaysia which are required to comply with the GDPR will have to conduct internal assessments in order to ensure compliance by 25 May 2018, or risk the imposition of fines and penalties. However, the extent to which the supervisory authorities are willing to enforce this new data protection framework against data users and data processors established outside of the EU remains to be seen.
Originally published by Legal Insights - A Skrine Newsletter, April 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.