This Policy Brief consolidates the proposed recommendations from The IO Foundation (TIOF), a Tech NGO advocating for Data-Centric Digital Rights, to incorporate technology as a cross-cutting issue in the upcoming National Action Plan on Business and Human Rights in Malaysia in its first iteration.
It is the result of 4 years of advocacy, research and engagement on BHR in the Tech sector in Malaysia and is unique in the sense that it is a document written from the perspective of technologists. Since its inception, TIOF has identified that the most significant gap in (Data-Centric) Digital Rights advocacy is the perspective from the builders and developers of these technologies — the technologists.
While it was the wish of The IO Foundation for this initial iteration of the NAP to develop a full thematic area on Technology, which has been the focus of TIOF’s efforts, we encourage the Malaysian government and working parties to, at least, incorporate Technology as a cross-cutting issue. That is, as a subject that can be identified in all considered thematic areas as the source of challenges that can be remediated through the UNGPs.
This Policy Brief builds on the work of policy documents and toolkits that have been developed before by various policy professionals. While the United Nation Guiding Principle on Business and Human Rights apply to all business sectors, this document focuses on the technology business in particular. Due to the niche scope of this topic within the Business and Human Rights space, it is perhaps easier to understand this brief as an effort for mainstreaming (Data-Centric) Digital Rights into all areas of public policy as part of the Information and Communications Technology sector’s duty of care for digital citizens.
The stakeholders for this Policy Brief are as follows:
Governance
Government: Any entity with the authority to govern a country or a state, or to provide public services to their constituents.
Supranational organization: An entity that, while not governing a country, is recognized as authoritative in a certain domain.
Builders
Tech companies: Private companies that provide hardware and/or software solutions for business applications.
Technologists: A professional who is trained in building, deploying and maintaining technology.
Users
Citizens: A legally recognized subject of a country or nation state.
Digital Twins: The digital representation of a citizen (not yet recognized as subjects of a country or nation state).
Civil Society: A community of citizens who gather around common interests or collective activity.
Table 1.1 - List of stakeholders
Note
In the interest of brevity, this Policy Brief concentrates on providing Recommendations in a summarized way. Further implementation details can be provided once the NAP working group decides which Recommendations to incorporate.
The UNGPs were endorsed by the United Nations Human Rights Council (HRC) in June 2011. It was a historic event in the extension of human rights standards to private business actors, raising their responsibility and accountability alongside the government’s duty to protect the rights of citizens.
With businesses as a major driver of economic growth and infrastructure, the UNGPs became a necessary component in supporting national development agendas, such as digital transformation plans, that put citizens’ well-being first. When a nation endorses a global framework such as the UNGPs, it further anchors that commitment in the form of National Action Plans (NAPs). Though, unfortunately, not a legally binding instrument, a NAP is essential in promoting frameworks that the private sector could consider in positioning themselves as businesses that care about holistic development.
Alongside the UNGPs, the United Nations also adopted the 2030 Agenda for Sustainable Development with a list of components that make up the Sustainable Development Goals (SDGs). This was done in recognition of the important role that the private sector plays in promoting and implementing sustainable development. While the SDGs have been more popular amongst businesses and organizations worldwide, the adoption of the UNGPs has been slower, as the UNGPs rely on national commitments to adopt and implement them. Those initiatives are later adopted by the private sector once governments finalize and publish their NAPs.
The main areas of concern for the general end users of digital technologies often come back to privacy protection. There is a growing concern over how information is collected, stored, and used by owners of digital platforms. While existing legislative developments in this area provide the basic principles for data protection, there is much room for improvement to better protect users of digital technologies in Malaysia. When all is said and done, what we are working towards is making Digital Rights protection work easily and seamlessly for regular end users.
National action plans (NAPs) on business and human rights are policy documents in which a government articulates priorities and actions it will take to protect human rights from business-related activities. As of 1 June 2020, NAPs have been adopted in 24 states around the world. However, few of these NAPs currently address the specific impacts on human rights by the use of digital technologies in the public and private sector, even though the potential scope of these impacts is very wide. Governments and tech companies can play a positive role in enabling the exercise of human rights in the digitalization of their services, but they can also pose risks to them.
Evidently, technological innovation has spurred the need for new laws and regulations that would ensure accountability of technology use via legal instruments. Even though the Malaysian government has taken steps to enable digital transformation and promote digital adoption by passing laws and policies that were intended to protect all parties engaged in digital transactions, there is still ample space for improvements.
The advocacy of human rights protection in the digital space, popularly known as Digital Rights advocacy, is gaining momentum globally. By and large, Digital Rights organizations have focused on legislative measures to protect the rights of people using digital technologies, especially when interacting with other parties on the Internet. More legislations, regulations, and policies have emerged in recent years to give a reference to what rights people have that are to be protected by the issuing authorities, how to exercise those rights, and the provision of penalties for non-compliance.
The IO Foundation has, however, identified a major problem in this approach: in the case of civilian consumption technology, these legislations, regulations and policies are not issued alongside technical specifications for their implementation. This creates an inevitable loophole that prevents:
a standard implementation across technology products;
the verification of claims of compliance through standard methodologies;
technologists from creating products that protect Rights by design.
This is in stark contrast with any other adequately regulated product where companies never need to compete at compliance level: their products need to meet that basic criteria before they can compete in the market of ideas through their value propositions.
This creates challenges in promoting and strengthening both Rights (Human and Digital) and vibrant digital economies that concentrate on innovative value propositions while respecting Rights.
The IO Foundation works towards resolving these problems by:
recognizing that data is only valuable when sufficiently contextualized, and thus positing that one’s data is oneself (“I am my data”);
recognizing that technology has the capacity to preemptively eliminate harms (especially Digital Harms), thus drastically reducing the need for remedy;
positing that, within a given jurisdiction, the applicable protections afforded to its citizens should be transparently implemented in the technology they use (“Rights by design”).
Data being the core component that represents citizens (in the shape of models called Digital Twins), TIOF has approached this challenge from a Data-Centric Digital Rights perspective; that is, the attempt to enact the protection of Rights through a framework that allows
The UNGPs provide a suitable framework to combine Human Rights and Data-Centric Digital Rights when applied to the tech sector.
Note:
While currently not fully developed, the Framework provides a structured approach to protecting Rights and is used as guidance across this Policy Brief.
Technology in existing National Action Plans
The Malaysian NAP should make reference to technology inclusions in existing National Action Plans:
Japan. “In terms of the development of artificial intelligence (AI), a Council for Social Principles of Human-centric AI was established for the purpose of considering the basic principles for implementing and sharing AI in society in a better way under the AI Strategy Expert Meeting for Strength and Promotion of Innovation.”
Colombia. “The Ministry of Telecommunications [Mintic] will elaborate the “Guide on Human Rights and Business: A document on the application of human rights and business principles” for the specific context of the Information and Telecommunications Technologies (ICT) sector.”
Luxembourg. “1.15. Protection of human rights in business in the context of new information and communication technologies (ICT), including artificial intelligence (AI)”
This Policy Brief is produced through 2 approaches:
1) Cross-referencing the UNGPs against legislations that govern data and/or digital technologies in Malaysia:
TIOF conducted a policy review of three main pieces of legislation that govern data and/or digital technologies in Malaysia: the Personal Data Protection Act (PDPA) 2010, the Communications and Multimedia Act (CMA) 1998, and the Technologists and Technicians Act (TTA) 2015. This part of the research specifically looked for Rights protection of citizens’ data (which we call Digital Twins) and analyzed the policies for possible gaps.
2) Applying the principles behind the DCDR Framework:
TIOF analyzed the existing plans for Malaysia’s digital development and identified a number of opportunities to ensure the protection of Rights for its citizens and their data through the UNGPs.
When compared to the principles outlined in the UNGPs on BHR, it was found that the PDPA does provide a minimum standard of protection for personal data processed in Malaysia. There are, however, critical areas of legislative improvement necessary to keep up with the technological advancements of our time.
The PDPA defines personal data as any information in respect of commercial transactions (Section 4), which:
is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; or
is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
is recorded as part of a relevant filing system or with the intention that it should be part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.
In other words, personal data is any information that could identify a person, residing within or outside of Malaysia, for as long as the data of that person is being processed in Malaysia in a machine-readable format.
The person to whom the data belongs is called the “data subject”, while the person who is collecting, processing, and analyzing the data is called a “data user”. All this only applies to data used for commercial purposes, and does not apply to the Federal Government and State Governments as per Section 3 (1) of the Act. Furthermore, this law does not apply to personal data processed outside of Malaysia (Section 3 (2)), leaving Malaysians dependent on the personal data protection laws of whichever countries their data resides in.
In line with TIOF’s DCDR Principle I of “I am My Data”, we will be referring to “data subjects” as “data owners” to provide a more accurate representation of the digital reality we live in. It is essential to convey the right ideas and concepts to the public for their increased awareness on the subject. The term “data subject” is not only inaccurate in representing how our (digital) data relates to our physical bodies; it also poses a big challenge to the proper legislative protection of our data.
In the PDPA, the rights protected for data owners are as follows (with the relevant Sections of the Act):
Right to correct personal data (Sections 11; 34)
Right to withdraw consent to process personal data (Section 38 (1))
Right to be notified of how their data will be processed and used, under the Notice and Choice Principle (Section 7 (1))
Right to choose how their data will be processed and used, under the Notice and Choice Principle (Section 7 (1))
Right to non-disclosure of personal data without consent (Section 8 (1))
Right to be forgotten, under the Retention Principle (Section 10 (1))
Right to access personal data (Sections 12; 31 (1))
Table 4.1 - Rights of PDPA data owners
As for data users, they are obliged by law to adhere to the seven (7) data protection principles that outline what they can or cannot do with regard to the personal data that they have access to. However, there are exceptions to these principles whereby the data user may not be liable for a violation of the principles under circumstances described in the accompanying sub-sections. A summary of the principles, their descriptions, and caveats is outlined below:

General (Section 6)
Description: A data user is not allowed to process personal data about a data subject unless the data subject has given his consent to the processing of the personal data.
Caveat(s): In sub-section (1)(a), the data user may proceed with processing the personal data of a data owner if the processing is necessary:
1) for the performance of a contract to which the data owner is a party;
2) for the taking of next steps with the data owner for a contract;
3) for compliance with any legal obligation to which the data user is subject;
4) to protect the interests of the data owner;
5) for the administration of justice;
6) for the exercise of any functions conferred on a person under the law.
Under sub-section (3), a data user may process personal data of a data owner if the personal data is processed for a lawful purpose directly related to an activity of the data user.

Notice and Choice (Section 7)
Description: A data user is obligated to inform a data owner via written notice:
1) that their data is being processed,
2) for what purposes, as well as
3) how the data is sourced.
A data user is also obligated to inform the data owner of their right to access their personal data and to request a correction of their personal data if any errors are detected. The data owner should also be informed of any third parties employed by the data user to process the data, how they can control or limit access to their data, whether it is obligatory or voluntary for them to supply their data to the data user, and, if it is obligatory to do so, the consequences of failing to provide their data.
Caveat(s): none

Disclosure (Section 8)
Description: No personal data shall be disclosed for purposes other than the purposes stated at the time of collection, or a purpose directly related to the purposes stated at the time of collection, nor to any third party, unless the data owner has been informed as required by Section 7.
Caveat(s): A data user may cite Section 39 of the Act to activate exceptions to this principle, at which point personal data may be disclosed if:
1) the data owner has given their consent;
2) the disclosure is necessary for the purpose of detecting or preventing a crime, or is required by court order;
3) the data user is acting in the reasonable belief that they had in law the right to disclose the personal data to another party;
4) the data user has a reasonable belief that they would have had the consent of the data owner if the data owner had known the circumstances of the disclosure; and lastly
5) the disclosure was justified as a matter of public interest in circumstances determined by the Minister.

Security (Section 9)
Description: A data user is obligated to take practical steps to protect personal data of data owners from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
Caveat(s): none

Retention (Section 10)
Description: Personal data shall not be kept longer than is necessary to fulfill the business purposes. Data users must take the necessary steps to ensure personal information is deleted or permanently destroyed once the purposes have been served.
Caveat(s): none

Data Integrity (Section 11)
Description: Data users must ensure that all personal information is accurate and not misleading, as well as kept up-to-date.

Access (Section 12)
Description: Data owners have the right to access their data and to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date.
Caveat(s): Section 36 (1) allows data users to refuse the request to access and correct personal data if:
1) the data user is not supplied with the information necessary for them to process the request;
2) the data user cannot ascertain the identity of the requestor when the requestor claims to be a relevant person;
3) the data user is not convinced that the data needs to be corrected;
4) the data user is not satisfied that the data correction request is accurate, complete, not misleading, and up-to-date.

Table 4.2 - PDPA’s data protection principles
Based on what we have seen in the PDPA, the loopholes that exist within the legislation put data owners at more of a disadvantage than the opposite. From a practical standpoint, this is primarily because data owners are not recognised by law as the owners of their data, so their data is not recognized as part of them, and they merely exist as “subjects” of the data they rightfully own. As a result, the law views digital citizens as separate from the human beings who are the source and rightful owners of the data extracted from them.
This point is important to note because without contextualizing data back to its source, data becomes meaningless, and quite utterly useless. There is no business value to be extracted from useless data, therefore the recognition of the source entity and digital entity relationship is crucial for States to provide adequate domestic policy space to meet the human rights obligations of businesses (UNGP 9).
Correcting the current paradigm on data is necessary for the correct implementation of data protection in digital spaces.
At a more granular level, exceptions to the rule, or caveats, within the PDPA pose risks to the digital rights protection of technology users who are already legally disadvantaged by not being the rightful owners of their own data, apart from other disadvantages such as the costly nature of legal remedies. Some of the caveats are too dangerously broad to provide even minimum protection. Section 39 (4), for instance, allows data users to disclose personal information to a third party if it is within their “reasonable belief” that they “would have had the consent of the data owner if the data owner had known the circumstances of the disclosure”. This means citizens are expected to extend complete trust to the judgment of data users to determine whether we “would have consented” and whether we “had known” about “the circumstances”. These types of ambiguous clauses cast a big shadow of doubt on the ability of the legislation to protect the data of citizens and, ultimately, on the State’s duty to protect (UNGP Pillar 1) citizens from businesses’ failure to respect (UNGP Pillar 2) our human right to privacy.
[PENDING]
[PENDING]
The Data-Centric Digital Rights Framework represents an attempt to model the protection of data through the use of standard definitions and methodologies.
While a full presentation and analysis of the DCDR Framework is out of the scope of this Policy Brief, the following are the main applicable considerations.
4.4.1.1 Pillar I: State Duty to Protect
DCDR Principle I: ‘I am My Data’ - Treat data as you'd want to be treated.
The traditional understanding of data as separate entities from their users is anchored in past perceptions and the use of legacy technologies.
The reality is much different: the data representing users (and of which they should have control of consent) is intimately and inextricably linked to them; it models them, creating an accurate representation that loses all value should that contextualization ever be severed.
4.4.1.2 Pillar II: Corporate Responsibility to Respect
DCDR Principle II: ‘Rights by Design’ - Leave no policy uncoded behind.
This DCDR Principle responds to the need for policies and tech to be designed and implemented as one: the former establishes what is to be respected and the latter ensures that the compliance is built in the infrastructure so that users are protected automatically and transparently.
4.4.1.3 Pillar III: Access to Remedy
DCDR Principle III: End Remedy - Adopt designs that minimize grievances.
This DCDR principle embodies the proactive planning, architecture and implementation of all necessary mechanisms, both in policy and technology, to prevent grievances from ever happening during the use of a product or a service, in turn minimizing the need for legal action. In other words, any protection a citizen or their digital twins are afforded under a specific jurisdiction should be transparently implemented inside the technology itself, by design.
Historically speaking, traditional Digital Rights advocacy has concentrated on the observance of Human Rights through the use of technology as a medium; it has had very little interest in how the medium itself was built and operated technically.
Consider the following diagram:
Image 4.1 - Spaces and Entities
On the left, the Physical Space, are 2 (physical) entities, which for the purposes of this Policy Brief we can consider citizens, the government or a corporation.
On the right, the Digital Space, are represented the Digital Twins of the 2 entities.
In the case of citizens, this would be one of their numerous data representations; in the case of governments and corporations, the digital twin encompasses the digital platforms and services they provide.
All of these objects (the entities and their digital twins) interact with each other, potentially generating harms. The traditional Digital Rights approach provides no clarity as to how to define these harms in a way that can be expressed technically and therefore understood by technologists.
When attempting to structure how the UNGPs could protect both the Rights of citizens and their data, The IO Foundation analyzed the scenario in Image 4.1 by categorizing the interactions between the Physical and Digital spaces as source and receiver of a given Harm. Table 4.3 provides an easy representation of the possible combinations.
                         RECEIVER
                         PHYSICAL                  DIGITAL
SOURCE   PHYSICAL        Physically sourced,       Physically sourced,
                         physically received       digitally received
         DIGITAL         Digitally sourced,        Digitally sourced,
                         physically received       digitally received
Table 4.3 - DCDR Harms Matrix
Following Table 4.3, it is now easier to understand and define Human Rights as the proactive attempt to avoid harms received by a physical entity.
Image 4.3 - Human Rights
In similar fashion we can define Data-Centric Digital Rights as the proactive attempt to avoid harms received by a digital twin (which is likely to translate into a Human Right at some point).
Image 4.3 - Data-Centric Digital Rights
Combining both concepts provides a general approach to observe and implement both Human Rights and Data-Centric Digital Rights through the implementation of the UNGPs on BHR in the Tech sector.
Image 4.3 - HR and DCDR delivered by BHR in Tech
In its current iteration, the Malaysian National Action Plan will be focusing on the following 3 thematic areas:
Governance
Labor
Environment
The following are the Recommendations made by The IO Foundation to protect the rights of citizens and of their data (which constitutes their digital twins).
For ease of reference, Recommendations are coded as: NAPR.Number
Where:
NAPR = National Action Plan Recommendation
Number = Sequential number corresponding to that of the document section
Observing the impact of technology is core to implementing the UNGPs in Malaysia’s governance.
The following are some of the aspects in which technology influences governance:
The nature of data and its treatment
The lack of definition of Digital Harms
The lack of technical language to involve technologists
The following are Recommendations aimed at supporting the UNGPs in this thematic area.
5.1.2.1 Protection of citizens data
The protection of Malaysian citizens’ data is core to being able to protect their rights and implement the UNGPs. For as long as the nature of data is not properly understood and recognized by the government, it will not be possible to mitigate Harms (both physical and digital) inflicted on its citizens through the implementation of Rights.
[NAPR.5.1.2.1.1] Recognize the true nature of data.
Initiate a program to recognize the inextricable connection between citizens and their data in order to protect both. This recognition should propagate through existing and future regulations as well as shape the national digital infrastructure.
See also Further recommendations.
[NAPR.5.1.2.1.2] Protect citizen data on their devices.
Establish a national regulation covering the proper procedures for handing over devices for repair. Initiate programs to train shops that engage in repairs to follow a proper handling protocol that will protect citizens from data theft.
Consider implementing a grading system similar to the existing one in the Food Hygiene Regulations (FHR) 2009.
[NAPR.5.1.2.1.3] Research on DCDR.
Initiate a program to support the research of the components required to translate the existing regulations on technology into technical terms around the Data-Centric Digital Rights Framework.
[NAPR.5.1.2.1.4] Issue a DR SDK.
Initiate a program to implement the results of the DCDR research into a (Data-Centric) Digital Rights Software Development Kit (DR SDK) which is to be distributed for adoption by the Malaysian tech sector.
Aside from resolving the current problem of verifying claims of compliance, it would also provide a standard way to perform a Digital Rights Impact Assessment (DRIA).
[NAPR.5.1.2.1.5] Expand the National Data Agency.
Expand the capacities of JPDP so that it can oversee the maintenance, deployment and usage of the DR SDK.
[NAPR.5.1.2.1.6] Redefine the actors in data protection policies.

Data owners
Current definition: Third parties who collect, store, and use citizens’ data.
Redefinition based on digital realities: The primary owners of citizens’ data should be the citizens, not any third or external parties. The owners of data, especially data related to a human being, must be linked to their Source Entities. As such, citizens should and would be the only party able to control what happens to their data. See: “I am My Data” principle.

Data controllers
Current definition: Third parties who control the collection, storage, and usage of citizens' data. They control the flow of the use of the data.
Redefinition based on digital realities: See ‘Data owners’ above.

Data subjects
Current definition: The source of the data, i.e. the humans.
Redefinition based on digital realities: We should not have “data subjects”. The term “subject” implies that someone belongs to a third or external party, e.g. a State or corporation, which extracts people’s data via the use of technologies. As the source of our own data, we are the owners of our data. Our data, just like us, should not be a “subject” of someone or something else. Laws and policies must reflect the digital reality that citizens are not subject to their data, but are the sole owners and controllers of their data.

Data users / processors
Current definition: Anyone with access to read, edit, copy, and delete data or perform any actions that change the state of data between at rest, in use, or in transit.
Redefinition based on digital realities: For processing highly sensitive data, requiring the processor to be a licensed technologist ([NAPR.5.2.2.3.1]) would increase the level of data security, and makes the protection of data a personal liability of a technologist’s profession.
5.1.2.2 Revisit Malaysia’s National Tech Infrastructure
Upscaling Malaysia’s digital infrastructure towards observing and implementing the UNGPs should also be encouraged. While Malaysia has its own Digital Economy Blueprint, the text fails to provide the necessary infrastructure to observe, let alone implement the UNGPs.
[NAPR.5.1.2.2.1] Establish Process-driven Governance.
Initiate a program through MAMPU to translate all government’s processes and existing regulations into BPMN.
[NAPR.5.1.2.2.2] Government digital services monitoring.
Provide a government-led monitor that allows citizens to observe the status of the government’s services (websites, APIs, etc.).
[NAPR.5.1.2.2.3] Commit to a high SLA for the national digital infrastructure.
Recognizing the critical role that the national digital infrastructure plays for citizens, commit to a 97% SLA for the government’s online services.
This number represents 1 full natural day of downtime (per service) across a full natural year.
[NAPR.5.1.2.2.4] Protect Internet Namespaces.
Considering the emergence of alternative naming protocols, ensure through the Governmental Advisory Committee (GAC) at ICANN that the current namespace (DNS) is not threatened. Preserving a consistent user experience will minimize the likelihood of digital attacks on citizens.
[NAPR.5.1.2.2.5] Monitor Internationalized domain names (IDNs)
With the imminent deployment of IDNs by ICANN, it will be crucial to ensure it does not open the doors for digital attacks on citizens.
[NAPR.5.1.2.2.6] Citizen network.
Initiate a program to assess how to complement Malaysia’s digital infrastructure through the use of its citizens’ devices. See Environment.
[NAPR.5.1.2.2.7] Enable and encourage citizens VPS.
Initiate a program to enable and encourage citizens to run their own VPS with their data.
[NAPR.5.1.2.2.8] Establish data embassies.
Initiate a program to establish territorial legitimacy over servers holding data of Malaysian citizens abroad.
[NAPR.5.1.2.2.9] Explore Digital Taxes in hardware for digital companies.
Initiate a program to explore the possibility to apply a digital tax that would compel tech companies hoping to transact with Malaysian citizens into supplying proportional infrastructure. Consider the possibility of GLCs as a starting point.
[NAPR.5.1.2.2.10] Explore an Open Source revival program.
Initiate a program to explore the possibility of compelling tech companies to release the source code of their products should they go out of business and certain criteria of dependence have been reached.
5.1.2.3 Transparency and Accountability
Technology can enable the government to effectively increase its transparency and accountability in accordance with its National Anti-corruption Plan.
[NAPR.5.1.2.3.1] Upscale Open Data government efforts.
Consolidate the Open Data portals that the government is currently offering.
[NAPR.5.1.2.3.2] Improve ODIN score
Invest efforts in improving Malaysia’s current ODIN score.
[NAPR.5.1.2.3.3] Public registry of government databases.
Governance bodies should publish which databases they hold, provided these are not covered by the Secrets Act.
[NAPR.5.1.2.3.4] Publish Policies in machine-readable formats.
Establish a mechanism to publish policies in a machine-readable format so that they can be processed and referenced more efficiently.
[NAPR.5.1.2.3.5] Use of BPMN to define processes
Leverage [NAPR.5.1.2.2.1] to increase transparency and accountability in government processes.
[NAPR.5.1.2.3.6] Include technologists in tech consultations.
Increase the participation of the tech Civil Society (such as tech communities and tech NGOs) and industry representatives in policy making affecting the Malaysian tech sector.
[NAPR.5.1.2.3.7] Publishing of tech-related regulations
Ensure the publication of, and easy access to, all tech-related regulations. At the time of writing, the National Data Sharing Policy (NDSP) has been announced, yet its text is nowhere to be found. A similar situation applies to the upcoming revision of the PDPA, the final draft of which, to our knowledge, hasn’t been circulated.
[NAPR.5.1.2.3.8] HRIAs & DRIAs
Conduct periodic Human Rights Impact Assessments (HRIAs) and (Data-Centric) Digital Rights Impact Assessments (DRIAs). The adoption of the DR SDK would enable a systematic monitoring of the impact of the UNGPs.
[NAPR.5.1.2.3.9] National registry of data breaches
Create a national registry of reported data breaches affecting Malaysian citizens, both domestically and internationally.
[NAPR.5.1.2.3.10] National Tech Ecosystem registry.
Create a national registry mapping the Malaysian tech ecosystem (from companies, associations, tech communities, IT Clubs, tech NGOs, etc.) that will include both registered and informal organizations. This registry would be used as a reference to implement [NAPR.5.1.2.3.6].
5.1.2.4 Educational pipeline
An effective implementation of the UNGPs in Malaysia will necessitate awareness and training for all involved stakeholders. This is particularly true of the government itself and of technologists, whom The IO Foundation regards as the Next Generation of Rights Defenders.
[NAPR.5.1.2.4.1] Recognition of NextGen Rights Defenders.
[Pending]
[NAPR.5.1.2.4.2] Introduce UNGPs and related subjects.
Produce and implement programs to incorporate Human Rights, (Data-Centric) Digital Rights and the UNGPs into the tech educational pipeline.
[NAPR.5.1.2.4.3] Include Digital Literacy and UNGPs in all government agencies.
Produce and implement programs to incorporate Digital Literacy, Human Rights, (Data-Centric) Digital Rights and the UNGPs in all government agencies.
This will be crucial not only for the adoption of the UNGPs moving forward but also for the work to be done on future iterations of the NAP.
5.1.2.5 Amendments to existing tech regulation
Certain existing regulations may require small amendments to ensure they support the implementation of the UNGPs.
[NAPR.5.1.2.5.1] In general, however, The IO Foundation recommends ensuring that, moving forward, tech-related legislation incorporates the UNGPs.
PDPA
Aside from the comments submitted during the Public Consultation on PDPA invited by the Data Protection Commissioner in 2020, The IO Foundation proposes the following recommendations (without the knowledge of the provisions in the upcoming PDPA version):
[NAPR.5.1.2.5.2] Codify the ‘I am My Data’ principle into law.
Citizens’ data should be recognised as part of themselves so that any constitutional laws in the jurisdiction cover citizens’ data as much as they cover their physical bodies. When the data of citizens is recognised as part of themselves, existing legal frameworks that protect citizens’ human rights can be automatically applied to their digital twins, ensuring the protection of citizens’ digital rights. For the PDPA to effectively protect Malaysian citizens and uphold their Rights, it is crucial that the true nature of data is legally recognized.
[NAPR.5.1.2.5.3] Cross-border protections.
Secure bilateral mechanisms to ensure that, in the event of an unavoidable cross-border transfer of Malaysian citizens’ data, the recipient jurisdiction’s legislation affords at least the same protections that the PDPA confers.
[NAPR.5.1.2.5.4] Include data managed by the government.
Section 3 (1) of the PDPA remains one of the biggest challenges to comprehensive data protection in Malaysia. It also brings confusion to public citizens when government bodies cite their commitment to the PDPA without actually being legally liable to adhere to it. This situation could have detrimental consequences to the citizens’ ability to trust the government with the protection of their data. Malaysian lawmakers have to amend this section of the PDPA to remove the non-application of the act to Federal and State government bodies.
[NAPR.5.1.2.5.5] Expand the definition of “personal information”.
The definition of ‘personal information’ should not only cover full names, phone numbers, national identification numbers, location data, etc.; it should also include information inferred from the personal information collected for surveillance and profiling purposes, which could potentially be abused. In other words, personal information is not just the objective information that platforms know about us, but also what their systems and/or algorithms learn about us from different data sources that are, knowingly or unknowingly, linked together.
Malaysia Digital Economy Blueprint
[PENDING]
Observing the impact of technology is core to implementing the UNGPs in Malaysia’s labor sector.
The following are some of the aspects in which technology influences labor:
The protection of labor relations
The protection of laborers’ digital twins
The following are Recommendations aimed at supporting the UNGPs in this thematic area.
5.2.2.1 Algorithm transparency & contracts
[NAPR.5.2.2.1.1] Transparent Gig-economy algorithms
Establish mechanisms to ensure that workers are not taken advantage of and that their Rights are observed and implemented.
Establish the necessary mechanisms to:
[NAPR.5.2.2.1.2] articulate contracts via BPMN.
This would make it easier to reduce potential abuses towards the worker as well as corruption.
[NAPR.5.2.2.2.1] enable the codification of contracts via SmartContracts or similar technology.
This would immensely reduce the need for remedy and serve as proof of contractual status, which also serves to combat corruption.
5.2.2.3 Legal Liability
[NAPR.5.2.2.3.1] Establish a professional association of developers.
Initiate the mechanisms to study and eventually implement a Malaysian professional association of developers.
Despite the rejection of the Computing Professionals Bill of 2011, the crucial role that technology plays in the proper implementation of the UNGPs demands that the need for such a regulatory body be reconsidered. Such organizations exist for architects, lawyers and healthcare practitioners. The need is obvious in those cases only because people can intimately relate to the Harms those professionals can cause. While this is a complex subject, implementing [NAPR.5.1.2.1.3] and [NAPR.5.1.2.1.4] would go a long way towards making this association possible.
5.2.2.4 Amendments to existing labor regulation
Contract Act
[NAPR.5.2.2.4.1] Modernize contracts and their structure
In addition to [NAPR.5.2.2.1.2] and [NAPR.5.2.2.2.1], implement the necessary mechanisms to define contracts that:
are schema-driven
provide visual cues, as Consent Commons does for Data Protection Laws
This would allow enforcing the minimum information legally expected while severely reducing abuses against workers and facilitating statistical analysis.
[NAPR.5.2.2.4.2] BYOD and workers
Make provisions so that companies implementing a Bring Your Own Device (BYOD) policy need to compensate the worker in a similar manner to when employees use their own vehicles and get paid by mileage.
The impact of technology on implementing the UNGPs in Malaysia’s environment sector needs to be considered.
The following are some of the aspects in which technology influences the environment:
The impact on mineral extraction
The impact on technology recycling
The protection of the environment’s digital twins
The following are Recommendations aimed at supporting the UNGPs in this thematic area.
5.3.2.1 Recycling of devices
[NAPR.5.2.2.4.2] Establish a
CSM could be tasked to second members or provide a device wipe service and ensure that no malware/spyware is installed on the device.
Repair Mode >> Protocols for the full lifecycle
Google, Apple, FAIR Phone, local Malaysian brands
>> MCMC
Would serve as the basis for a nation-wide DLT that is supported by its citizens as a national duty.
This could have further ramifications in the area of Labor as the citizen would be generating labor for the government.
5.3.2.2 Amendments to existing environmental regulation
None.
The following are a series of recommendations that, beyond the current National Action Plan, can support the implementation of the UNGPs in the tech sector in Malaysia.
For ease of reference, Recommendations are coded as: OTHR.Number
Where:
OTHR = National Action Plan Recommendation
Number = Sequential number corresponding to that of the document section
Efforts to showcase the commitment of Malaysia towards the UNGPs, especially in the emerging sector of technology, would be favorable to Malaysia’s international image.
[OTHR.6.1.1.1] Include (Data-Centric) Digital Rights in subsequent UPRs.
This mention would include Malaysia’s commitment to protect citizens’ rights and those of their data, as well as an evaluation of the status of the NAP, in particular in the Tech sector.
[OTHR.6.1.2.1] Encourage the presence of Malaysian technologists in the international scene.
The presence of Malaysian technologists in international fora (authoritative organizations, events, etc.) is not on par with the quality of its professionals.
Through initiatives such as TIOF’s TechUp, the Malaysian government should invest efforts in supporting its technologists to actively participate in relevant fora and lead the way in the implementation of the UNGPs in the tech sector.
A number of relevant considerations are to be studied if Malaysia wishes to prepare itself for its digital future and safeguard its sovereignty through protecting its citizens’ data.
[OTHR.6.2.1.1] Expand the Constitution to adopt protections over citizens’ data.
Initiate the mechanisms, possibly on the grounds of Article 5.1 Right to Life, to evaluate the feasibility and implications of recognizing the intrinsic link between citizens and their data, so that protections over the latter may apply more clearly.
[OTHR.6.2.1.2] Establish Connectivity as a Constitutional Right.
Initiate the mechanisms, possibly on the grounds of Article 9.1 Prohibition of banishment and freedom of movement, to evaluate the feasibility and implications of recognizing the implications of not ensuring Connectivity to all citizens in Malaysia’s digital territory.
[OTHR.6.3.1] Accelerate/Update legislation enabling the easy creation of NGOs.
A vibrant Tech NGO/CS ecosystem would support Malaysia in its commitment to uphold the UNGPs in the tech sector, creating a differentiated value proposition compared to SEA and globally. This would translate into a positive impact in the implementation of Pillar III by ensuring that there are enough organizations that can support citizens when needed.
[OTHR.6.4.1] Establish a permanent Technology Committee for the NAP.
Creating a Technology Committee composed of representatives of the Tech sector, to take part in the next iterations, would provide the necessary support to evaluate the changes, challenges and solutions for the UNGPs in the Tech sector in Malaysia.
This Policy Brief attempts to bring attention to the protections that the Malaysian government can deliver to its citizens and their digital twins through the upcoming National Action Plan on Business and Human Rights, especially by focusing on its application in the tech sector.
By including technology as a cross-cutting issue in this current NAP cycle and focusing on implementing technological solutions, Malaysia can lead the way both in the SEA region and globally to become an example to follow in how governments can protect the rights of their citizens and of their data.
The IO Foundation wishes to emphatically request the Malaysian government and the organizations involved in this NAP process to include technology as a cross-cutting issue and to incorporate as many recommendations herein described as possible.
The IO Foundation remains at their disposal for any further consultation and to support the implementation of the recommendations.
The following is a list of governance bodies and related agencies that are referenced in this policy brief. A brief summary of their mandate or function is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that a relevant body is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
Ministry of Communications and Multimedia (K-KOMM / ex KKMM)
Related agencies
Department of Personal Data Protection (JPDP)
The main responsibility of this Department is to enforce and regulate PDPA in Malaysia. PDPA focuses on the processing of personal data in commercial transactions and the avoidance of misuse of personal data.
MCMC
The Malaysian Communications and Multimedia Commission (MCMC) is a regulatory body whose key role is the regulation of the communications and multimedia industry based on the powers provided for in the Malaysian Communications and Multimedia Commission Act 1998, the Communications and Multimedia Act 1998, and the Strategic Trade Act 2010.
Related agencies
CyberSecurity Malaysia (CSM)
National Cyber Security Agency (NACSA)
National lead agency for cyber security matters, focused on securing and strengthening Malaysia's resilience in facing the threats of cyber attacks, by coordinating and consolidating the nation's best experts and resources in the field of cyber security. It develops and implements national-level cyber security policies and strategies, protecting Critical National Information Infrastructures (CNII).
Malaysia Digital Economy Corporation (MDEC)
MDEC was established in 1996 as the lead agency to implement the MSC Malaysia initiative. Today, it is an agency under the Ministry of Communications and Multimedia Malaysia (KKMM) with a close to 25-year track-record of successfully leading the ICT and digital economy growth in Malaysia.
Malaysian Administrative Modernisation and Management Planning Unit (MAMPU)
MAMPU is responsible for modernizing and reforming the public sector.
Malaysia Board of Technologists (MBOT)
Malaysia Board of Technologists (MBOT) is a professional body that gives Professional Recognition to Technologists and Technicians in related technology and technical fields. Based on Act 768, MBOT expands its function vertically and horizontally: it looks at technology-based professions that cut across disciplines, from conceptual design to a realized technology, and covers from Technicians (MQF Level 3 to Advanced Diploma Level) up to Technologists (Bachelor’s Degree level and above). As a whole, these professionals (Technologists and Technicians) have integrated roles from concept to reality.
PIKOM
Ministry of Labour
Malaysian Technical Standards Forum Bhd (MTSFB)
MRANTI
(Note: MaGIC and MIMOS were consolidated inside MRANTI)
Malaysia Open Data Portal
MyGDX
The following is a list of applicable legislation in the context of Malaysia that relate to this Policy Brief and its recommendations. A brief summary of their content is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that an applicable legislation is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
Federal Constitution
https://www.jac.gov.my/spk/images/stories/10_akta/perlembagaan_persekutuan/federal_constitution.pdf
An Act to regulate the processing of personal data in commercial transactions and to provide for matters connected with data collection, storage, processing, and transfer. This Act came into effect on 10 June 2010 with its most problematic component being the exclusion of government entities from accountability to this act.
An Act providing for the establishment of a national Board of Technologists. It states the functions, powers, and other operational clauses of the Board. One of the functions outlined is “to determine and regulate the conduct and ethics of the technologist and technical profession” (Section 5(e)). This Act came into effect on 4 June 2015.
An Act to provide for and to regulate the converging communications and multimedia industries, and for incidental matters. The Communications and Multimedia Act 1998 which came into effect on the 1st of April 1999, provides a regulatory framework to cater for the convergence of the telecommunications, broadcasting and computing industries, with the objective of, among others, making Malaysia a major global center and hub for communications and multimedia information and content services. The Malaysian Communications and Multimedia Commission was appointed on the 1st November 1998 as the sole regulator of the new regulatory regime.
This is an Act to provide for the establishment of the Malaysian Communications and Multimedia Commission with powers to supervise and regulate the communications and multimedia activities in Malaysia, and to enforce the communications and multimedia laws of Malaysia, and for related matters. With its enactment on 15 October 1998, the commission came into existence. Commissioners are appointed by the Minister of Communications.
An Act to make provision for, and to regulate the use of, digital signatures and to provide for matters connected therewith.
The Digital Signature Act 1997, enforced on the 1st of October 1998, is an enabling law that allows for the development of, amongst others, e-commerce by providing an avenue for secure on-line transactions through the use of digital signatures. The Act provides a framework for the licensing and regulation of Certification Authorities, and gives legal recognition to digital signatures.
An Act to provide for the regulation and control of the practice of telemedicine; and for matters connected therewith. The Telemedicine Act 1997 is intended to provide a framework to enable licensed medical practitioners to practice medicine using audio, visual and data communications. To date, the Telemedicine Act has yet to be enforced.
The Computer Crimes Act 1997, effective as of the 1st of June 2000, created several offenses relating to the misuse of computers. Among others, it deals with unauthorized access to computer material, unauthorized access with intent to commit other offenses and unauthorized modification of computer contents. It also makes provisions to facilitate investigations for the enforcement of the Act.
An Act to provide for legal recognition of electronic messages in commercial transactions, the use of the electronic messages to fulfill legal requirements and to enable and facilitate commercial transactions through the use of electronic means and other matters connected therewith.
The Copyright (Amendment) Act 1997, which amended the Copyright Act 1987, came into force on the 1st of April 1999 to make unauthorized transmission of copyright works over the Internet an infringement of copyright. It is also an infringement of copyright to circumvent any effective technological measures aimed at restricting access to copyright works. These provisions are aimed at ensuring adequate protection of intellectual property rights for companies involved in content creation in the ICT and multimedia environment.
An Act to provide for legal recognition of electronic messages in dealings between the Government and the public, the use of electronic messages to fulfill legal requirements and to enable and facilitate the dealings through the use of electronic means and other matters connected therewith.
National Language Act
Source: NACSA
The following is a list of applicable regulations in the context of Malaysia that relate to this Policy Brief and its recommendations. A brief summary of their content is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that an applicable regulation is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
This regulation outlines the offenses in the PDPA (2010) that can be compounded and how to issue the compounds.
This regulation outlines the registration mechanism of data users from citation and commencement, interpretation, application, validity, renewal, change, replacement, display, and certified copy of the certificate.
This regulation outlines the objectives, targets, and obligations for universal service provisions (USPs) of national communications equipment.
This regulation outlines the standard conditions for individual and class licenses for communications service providers.
This regulation outlines the technical standards for universal service provisions (USPs), the certifications of communications equipment, as well as the suspension or cancellation, recall, and disposal of certified equipment.
The following is a list of National Plans in the context of Malaysia that relate to this Policy Brief and its recommendations. A brief summary of their content is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that an applicable National Plan is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
Malaysia Digital Economy Blueprint
National Data Sharing Policy (NDSP)
At the time of writing, the documentation related to the NDSP is not publicly available.
The following is a list of additional resources of interest, both national and international, that relate to this Policy Brief and its recommendations. A brief summary of their content or function is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that a relevant resource is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
[1] BHEUU’s National Action Plan On Business And Human Rights
BHEUU’s mandate and strategy to develop Malaysia’s National Action Plan.
[2] United Nations Guiding Principles on Business and Human Rights
[3] Universal Declaration of Human Rights
Human Rights Impact Assessment
Data-Centric Digital Rights Framework
A framework for technologists composed of Principles, Taxonomies and other technical tools enabling them in their role as NextGen Rights Defenders.
TIOF's PDPA Comments 2020 submission
Data Protection and Digital Rights - Are Malaysians Concerned?
A global comparison of NAPs by the Danish Institute of Human Rights
Data Protection Laws of the world
A global comparison of Data Protection Laws by DLA Piper
ASEAN Digital Masterplan 2025
Business Process Model and Notation
https://www.bpmn.org/
Open Data Inventory (ODIN)
https://odin.opendatawatch.com/
Federal Legislation Portal
https://lom.agc.gov.my/
This brief was produced by The IO Foundation, with the inestimable support and contributions of (in alphabetical order):
Organizations
The IO Foundation
Global Partners Digital
Global Network Initiative
Malaysian Public Policy Competition team (by ICMS)
Individuals (in alphabetical order)
Helio Cola
Nunudzai Mrewa
Team Anonymous (MPPC 2022)
Wee Seng Chung
Tee Suk Huei
Tan Yan Ling
Team Bits & Bytes (MPPC 2022)
Kwong Tung Nan
Dhevasree
Mohd Luqmanul Hakim bin Malik
Wong Kar Ling
This document can be easily accessed with the following URL:
Alternatively, you can scan the QR Code.
The IO Foundation encourages readers to freely share this document using the URL indicated above. Please keep in mind the licensing as described in the Licensing section.
The following document is released under The IO Foundation’s Productions License for Text in accordance with its Intellectual Property policy.
Email: [email protected]
Website: https://TheIOFoundation.org
Follow us on our Social Media channels:
LinkedIn - Twitter - Facebook - Instagram - YouTube
Know about our stance on Big Tech: Hey Big Tech! declaration