Amend law before introducing Padu


On New Year’s Eve, Prime Minister Anwar Ibrahim made a call for constructive discourse.

Throughout the past year, the prime minister had repeatedly said criticism of the government was welcome as long as it avoided any form of racial provocation and any attempt to disturb public order.

Criticism of the prime minister or the leadership should be required. Critics should not feel anxious and be fearful. 

On that note, Economy Minister Rafizi Ramli should see the logic of Lawyers for Liberty’s (LFL) call for the government to postpone the Padu implementation until the Personal Data Protection Act (PDPA) 2010 is amended. 

LFL said that the rolling out of Padu, the government’s newly-launched central database hub, risked exposing sensitive information but gave the public no legal redress to seek damages if their personal data were leaked or stolen.

The group added that government agencies are protected from legal action if data from Padu were leaked or stolen based on a provision under section 3(1) of the Personal Data Protection Act 2010 (PDPA), which is the case. 

Section 3(1) of the Personal Data Protection Act 2010 (Act 709) (PDPA) exempts the Federal and State governments from its application.

Legal scholars Sidi Mohamed Sidi Ahmed and Sonny Zulhuda wrote in 2019: “Non-applicability of the [PDPA] to data processed by governmental bodies (section 3 of PDPA) is [an] issue that could lessen the efficiency and capability of PDPA to adequately coexist with waves of new technology such as IoT.”

The IoT, or internet of things, an emerging technology of the 21st century, is the basic idea which “revolves around connecting things and objects (persons, animals, cars, trees, etc.) to the internet and enabling them to communicate and then process (generate, receive, send, etc.) data about themselves and the environment surrounding them”.

While the IoT, like Padu, brings countless benefits and provides timely data and information about places and objects, it has disadvantages especially in terms of privacy and security of data. Particularly, the IoT “might challenge personal data protection law and misgive its ability to effectively stand in the rapid successive technology waves”.

Hence, it is of concern that the biggest data users – the federal and state governments – are exempted from the application of the PDPA, which “could have far-reaching on data protection”.

The scholars argued that for the sake of personal data protection, the PDPA should be extended to include personal data processed by the government while providing for necessary exemption as the case is with the General Data Protection Regulation (GDPR) of the European Union (Regulation 2016/679).

The GDPR is an EU law for how organisations and companies must use personal data in an integrity-friendly way. Each organisation that processes personal data (which is every organisation with employees and customers) must ensure that personal data it uses fulfil the requirements of the GDPR.

Article 3(1) of GDPR states that the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, without exempting the government. “Controller” and “processor” include public authority (article 4).

Article 9(1) prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

However, the prohibition does not apply to “special categories” of personal data as listed in article 2(a-j), such as employment and social security and social protection in so far as authorised by the law of EU or its member states providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

Accordingly, the scholars recommend that Malaysia follow the EU law and extend the scope of PDPA to cover personal data processed by the federal and state governments. – January 2, 2024. 

* Hafiz Hassan reads The Malaysian Insight.

