Review of Personal Data Protection Act 2010 (ACT 709)
Comments on Public Consultation Paper 01/2020
Review of Personal Data Protection Act 2010 (ACT 709)
This document is addressed to the Data Protection Commissioner of Jabatan Perlindungan Data Peribadi (JPDP), who has invited the public for a consultation on the current PDPA Review process (2020).
The IO Foundation (TIOF) is a global nonprofit advocating for data-centric Digital Rights, with a strong focus on the open infrastructures to observe them by design.
This document is a collection of comments on the Public Consultation Paper 01/2020 that we hope will be taken into consideration by the PDP Commissioner.
Ultimately, the objectives of PDPA would be to:
Provide ample, effective protections to Data Subjects.
Foster a sustainable economy that is vibrant and observant of Human Rights.
Comply with international standards in Data Protection, fostering protection for Malaysian citizens beyond its application coverage.
Enact provisions for policies and indicate the necessary technical standards to observe them by design, in a manner that is transparent for all parties involved (Data Subjects, Data Users and Data Processors alike).
The notes and comments here described aim at providing context to some of the Suggestions provided below.
While Data Subject, Data User and Data Processor are widely accepted and used terms, it is important to point out that “User” has a very different interpretation outside of Data Protection Laws (DPLs) and can thus easily create confusion and misinterpretation among those who should be protected by said regulation. DPLs expect citizens (commonly referred to as Users) to understand complex issues and make consequential decisions based on them. That being the case, the industry and regulators should adopt more user-friendly terminology.
While considering the protections sought by Data Protection Laws and their expected benefits, it is critical to understand the limitations that all involved stakeholders will face in their observance and enforcement.
One such limitation is the so-called Analog Hole, which essentially states that once information leaves the digital domain where it is stored, no further digital controls can be enforced.
For instance, no matter the protections and compliance an organization would follow, if any sensitive data is exposed via a screen, it can be memorized, copied on a piece of paper, typed on another digital device or simply photographed.
In other words, all that is needed to copy a DRM-protected song is a good set of speakers and a good microphone.
Data Protection Laws traditionally focus on a number of stakeholders (Data Subjects, Data Users in their different categories, Data Processors).
One stakeholder group that has traditionally been left aside, despite its direct implication in the proper use of technologies in societies, is programmers. At The IO Foundation we identify them as a critical actor in architecting and building the technologies that will deal with Data Subjects’ data.
Programmers are Data Subjects and work for/as Data Users and/or Data Processors. Their proper training during their academic period is crucial to ensure that they implement platforms that are observant of due protections by design.
While we tend to treat personal data as different from other Digital Assets (DA) from a legal perspective, the reality viewed from a usage-flow perspective is not so different.
For the most part, DAs are commercialized under licensing models instead of purchased like their physical counterparts. For instance, a movie purchased on an online digital entertainment platform (such as Google Play) won’t grant the user the same ownership over the product as its DVD counterpart. When observing the current DPL models worldwide, the rights provided to Data Subjects and the obligations mandated on Data Users and Data Processors are not much different than an equivalent licensing model.
In essence, if PDPA 2010 recognizes that a Data Subject may share data with a Data User while retaining control over it and defines provisions to ensure that requests of modification and/or deletion from the Data Subject are to be complied with by the Data User at all times, then the scenario can be understood as a model of licensing of a DA (Personal Data in this case) from the Data Subject to the Data User.
Realizing this licensing flow is relevant to understand the importance of the Ecosystem Sovereignty [C5].
It is noteworthy that DPLs worldwide concentrate too much on the regulatory aspects of the law and very little (if ever) on the actual technical implementation of the enacted provisions; Malaysia’s PDPA 2010 is no exception to this.
The lack of officially defined data schemas (which should be based on international open standards) or the lack of established standard methodologies for retaining data agency for Data Subjects (in the shape of official APIs packaged in a single SDK) has led to a situation where users cannot be sure that the specifics of their consent have been respected at all times. It is also impossible to create a standard methodology to ensure compliance as different vendors will undertake their own unique implementation. Such is the reality of policy documents being interpreted and translated by technologists. People working hand in hand cannot speak different languages.
The current landscape in digital services (especially in digital platforms) is one of total control by the Service Provider over the Digital Assets (DA) they offer to their users. For instance, any DA offered by Apple and acquired via iTunes (music, movie, etc.) will remain under their control over said DA’s full lifecycle. This implies that all control over DAs remains, at all times, with the Service Provider; Users are only given a certain margin of usage based on the licensing conditions. If a DA is removed from the catalog, it will automatically be removed from all devices where it is stored, transparently for all parties and without possible recourse from the User. This is possible because all the actions that can be performed on the DA take place inside the Service Provider’s ecosystem, effectively creating a sovereign digital space over which Users have very little voice or control.
To this date, governments worldwide have concentrated on issuing legislative tools to protect their citizens’ data; Malaysia did so with PDPA 2010.
What is yet to be addressed is the infrastructure, the national ecosystem, over which such DPLs should be observed, transparently for all stakeholders.
As mentioned in [C6], tech companies are already doing this, allowing them to have full control over their Digital Assets. It’s time for Malaysia to start considering a similar approach to protect its citizens’ data (effectively Digital Assets) in a much more proactive manner. This is, essentially, the missing piece to ensure the proactive observance of Data Subjects’ rights in a way that is conducive, minimizes the need for Remedy and still allows companies to build competitive services and products. At The IO Foundation we call this a National Framework on Digital Rights (NFDR). While the full conversation on the specifics and benefits of this implementation is beyond the scope of this document, it is relevant to comment that such an approach would require the close collaboration of the government, civil society and the corporate sector to ensure that state actors do not abuse this powerful tool.
The usual procedures undertaken to enforce privacy in data manipulation fall into some of the different (pseudo)anonymization techniques. Their effectiveness relies on minimizing the number of Data Points available for re-identification, and striking a balance with the ability for Data Subjects to retain agency over their data is extremely difficult.
Moreover, research has pointed out techniques of re-identification that are extremely effective even on current Privacy methodologies.
It is going to be critical for PDPA to establish a clear list of Data Points, at the very least for Sensitive Data. Other similar catalog listings need to be investigated for Data Users and Data Processors to indicate which ones they are using and for what purpose. In summary, clear schemas need to be approved based on available international open standards.
The traditional understanding of data as separate entities from their Data Subjects is anchored in past perceptions and the use of legacy technologies. The reality is much different: The data representing Data Subjects (and of which they have control of consent) is intimately and inextricably linked to them; it models them, creating an accurate representation that loses all value should that contextualization be severed.
In consequence, Data IS the Data Subject. This proposition has severe consequences as the same duties of care that apply by the Federal Constitution to citizens must apply to the data representing them. In this sense, the necessary infrastructures that the government of Malaysia sets in place to protect their citizens (Hospitals, Highways, the Judiciary,...) should also be extended to the management and protection of their data with a national cloud system based on open standards in the shape of an NFDR.
Initiatives such as the SDGs, UNGPs or Privacy by Design are set in place to define a clear international framework on Human Rights and the defense of their Privacy; together with the Federal Constitution, they collectively make up the Rights from which Malaysian citizens could and should benefit.
Data Protection Laws should foster not only policies that protect Data Subjects’ data, they should be accompanied by the necessary technical specifications (based on open standards) to implement them.
Rights by Design is the approach of Policies and Tech being designed around the Rights of citizens to observe them in their planning, architecture and implementation, transparently for all stakeholders.
The UN Guiding Principles on Business and Human Rights (BHR) are structured around 3 Pillars, namely:
Pillar I: The State duty to protect
Pillar II: The Corporate responsibility to respect
Pillar III: Access to Remedy
From a proactive perspective on the use of technology (and therefore data protection), the objective should always be to avoid the occurrence of grievances, in turn minimizing the need for any Remedy along the use of technological products and services.
End Remedy represents the embodiment of the proactive planning, architecture and implementation of all necessary mechanisms, both in policy and technology, to prevent grievances from ever happening during the use of a product or a service, in turn minimizing the need for legal actions. In the context of PDPA, it implies the design of policies that protect Data Subjects and the implementation of such provisions in a transparent, trustworthy and safe manner where legal remedies, while defined, are employed as a safety net.
Note: Instilling this approach in the relevant stakeholders, namely in this case programmers (be it as Data Users or Data Processors), is a critical step to ensure that End Remedy becomes an integral part of the process.
It is observed that the regulation keeps focusing only on Policy and not on the technologies to implement its provisions.
Public consumption software (and by extension the manipulation of Data Subjects’ data) appears to be one of the few (if not the only) industries lacking checks and balances and proper certification schemes.
Recommendations
We encourage the PDP Commissioner
to recognize the critical importance of the implementing technologies for PDPA;
to recognize the need for a public, government-led infrastructure to store Malaysian citizens’ data;
to recognize the need for a government-led certification, based on open technical standards, for the transparent and automated observance of data processing operations mandated by PDPA;
to provide an open framework to interface with all Malaysian Data Subjects according to the provisions from PDPA;
to work with all stakeholders, in particular programmers and civil society, to develop the necessary procedures for the governance and maintenance of all of the above.
The text indicates that prior consultations have been had with a number of stakeholders, not explicitly mentioning civil society organizations (CSOs). It is important to emphasize that CSOs play a crucial role in ensuring that regulations are in accordance with international standards, both in the policy and tech perspectives.
Recommendations
We encourage the PDP Commissioner
to proactively involve identified CSOs in the following PDPA revisions, as well as related activities, inviting them for comments during the initial stages.
The text also indicates “taking into consideration the emerging issues” yet doesn’t include the list of said “emerging issues”, which would have been a productive indicator of the matters the PDP Commissioner wishes to focus on. Stakeholders could go deeper into these issues, benefitting the overall conversation and providing the Commissioner with richer feedback. Moreover, the consultation itself focuses on improvement suggestions without revealing how the new proposed provisions will be formulated.
Recommendations
We encourage the PDP Commissioner
to list the emerging issues observed and the data supporting them for proper evaluation and consideration;
to share the proposed new version of the PDPA text to ensure that its language accurately reflects the Rights and Duties intended. In the interest of transparency, it would therefore be laudable to open a consultation for the revision of the final draft.
1) Data processor to have a direct obligation under Act 709
General comments on the suggestion
This provision was certainly needed from the onset. Data Users and Data Processors must be bound by the same obligations and observe the same Rights towards their Data Subjects.
Comments and recommendations on the Points to be considered
TIOF definitely supports a direct obligation for Data Processors, under the same terms as Data Users.
The text indicates “appointed” yet doesn’t seem to involve the appointers themselves (Federal Government and State Governments), which it should, as they are effectively Data Users by virtue of providing the data to the Data Processors.
TIOF definitely supports such appointed Data Processors to also be under the same direct obligation as any data processing needs to be protected under the same terms.
Possible conflicts of interest may however arise depending on the nature of the information processed, which needs to be addressed by the PDP Commissioner in accordance with prevailing law.
Further comments and recommendations
The doubt remains as to which functions “appointed” Data Processors would serve, as PDPA, in its current form, is only focused on commercial transactions.
We encourage the PDP Commissioner
to clarify under which circumstances and for which services and transactions these Data Processors would be appointed. Clarifications on the appointment procedures would also be of great help.
2) The right to data portability
General comments on the suggestion
It is important to understand that the “Data Portability” conversation tends to be extremely skewed. Typically, service providers only refer to extracted data (data obtained from Data Subjects as well as produced by them - such as social media posts). There is however a much more critical set of Data Points typically left behind: derived data, information learned from the Data Subject as a result of the processing of their extracted data. Derived data should also be accessible to the Data Users as it represents an integral part of them [P1].
Comments and recommendations on the Points to be considered
Following the above, it is critical to consider the following aspects:
Which data will be considered under this provision?
Which data format will be used for this portability?
How to ensure full compatibility and full portability of all data (extracted and derived) if a common standard is not put in place for all parties?
Will portability in this suggestion consider cross border transfers? That being the case, which protection mechanisms will be considered, especially when the destination may be under a less protective DPL (if it has any at all)?
Further comments and recommendations
The questions posed above reinforce the need to look at data protection from a more holistic approach (policy + tech).
We encourage the PDP Commissioner
to establish a complete definition (schemas) of Data Points for compliance, based on open standards to be used as reference for Data Users and Data Processors;
to mandate the compliance of Data Users and Data Processors to register their data points and operations accordingly;
to promote the implementation of a national cloud system to store and protect all data from its national citizens;
to include a provision of an SDK to implement and observe these requirements in the easiest way for all parties as a service of the national cloud;
to mandate all data portability to be compliant with the resulting National Framework on Digital Rights.
3) Data user to appoint a Data Protection Officer
General comments on the suggestion
The language employed in this suggestion seems to imply that it would only be applicable to Data Users, exempting Data Processors, while the same duties and obligations should apply to both.
On the other hand, cost will be an issue for smaller organizations as it has been observed in many other jurisdictions, effectively creating a disadvantage for startups that won’t be able to compete with well-funded, fully established Data Users.
We encourage the PDP Commissioner
to clarify why this provision would only apply to Data Users and not to Data Processors.
Comments and recommendations on the Points to be considered
We fully support the existence of a Data Protection Officer from a conceptual point of view although implemented differently (see below).
Concerning the elements to be considered:
“Size” gives a very dangerous impression that “smaller companies” could be neither accountable nor liable, creating a discriminatory situation and putting Data Subjects under very real threats of misuse of their data.
It would also create a potential scenario of “Partition to avoid responsibility” where bigger companies with resources could adopt a strategy of creating smaller subsidiaries to fall outside the requirement to appoint a DPO.
“Type of Data” (based on the Data Point schema) should also be an element of consideration.
Further comments and recommendations
TIOF believes that the most effective solution would be for JPDP to act as a national DPO. This would be by means of a dedicated department/commission regulating Data Point definitions as well as a national cloud infrastructure and the necessary SDK for Data Users and Data Processors to be compliant with PDPA. Such an entity's governance should be properly designed to ensure the observance and compliance of technical standards, Human Rights standards and business needs.
This approach would provide a much more efficient and automated way to comply with PDPA, protecting Data Subjects while allowing companies to focus on developing new and better services. A national cloud would effectively outsource these problems by leveling the playing field and de-risking companies. In turn, it would foster competition in a thriving startup ecosystem and better compliance with PDPA.
4) Data user to report data breach incident to the Commissioner
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
In general, data breaches should be notified to both the PDP Commissioner and also the affected Data Subjects. It is hardly acceptable that citizens, who are ultimately the most affected by the breach, wouldn’t be informed on the spot so that they can take measures to protect themselves against the leaked information. This is extremely relevant in data points such as passwords, private keys and other means of identification that can be used for digital impersonation.
It is important to consider that “Remedy” is a last resort solution. Instead, and this is especially true in technology, a proactive mindset is to be instilled in all parties.
From regulations to implementation, all involved parties should strive towards the “End Remedy” Principle to ensure that automatic compliance minimizes the need for Remedy.
Further comments and recommendations
The issuance of “a guideline on the mechanism of data breach incident reporting” should only serve as a guideline. Data Users and Data Processors should be provided with automated facilities for such reporting, a situation that is already considered in certain DPLs such as EU-GDPR for specific scenarios.
It is however important to understand that it is rare for the information exposed by any data breach to not be comprised of critical data, even more so when considering the I am my data principle [P1] and the existing methodologies to re-identify Data Subjects, placing their privacy at risk.
While there is an understanding about the reputation implications of a Data User or Data Processor in the event of a data breach, this should not be used as an argument to avoid the same level of transparency and accountability that is expected for financial transactions.
5) Clarity in the consent of data subject
General comments on the suggestion
This suggestion revolves around the concept of consent, which is very disputed in many circles; especially when it is discussed in association with the concept of Ownership.
TIOF defends the position that Data Subjects do own their data, following the I am my data principle [P1]. On the controversy that allowing data ownership leads to allowing the merchandising of personal data, we propose that this need not be the case and that effective legal and technical measures can and should be set in place for this control.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
What is the position of Malaysia in terms of data ownership?
How can consent be given if the Data Subject is not the legal owner of the data?
What stops Data Users or Data Processors from appropriating data from Data Subjects if they are not the legal owners?
The text also fails to mention one key element of consent: the understanding from the Data Subject of what said consent will entail. The average Data Subject has never read PDPA, which is still a vague concept even for many Data Users and Data Processors.
Which evaluations have been made to measure the level of understanding of Data Subjects upon consent?
Are there any capacity building and awareness campaigns envisioned in the months after the enactment of the new PDPA?
Finally, the text mentions “sensitive personal data”, which to this date remains a non-comprehensive list of Data Points. This creates a lot of uncertainty and enables all sorts of potential grievances, which is something to avoid following the End Remedy principle [P3].
Comments and recommendations on the Points to be considered
PDPA (and all other Data Protection Laws) operates from the perspective that Data Subjects must understand its provisions, and this is seldom, if ever, the case. It is also one of the few (if not the only?) laws that expects to be fully understood so that daily decisions on data, in this case consent, are well informed.
Taking a few other examples, very few citizens are informed of the Food and Hygiene regulations yet assume that proper checks and balances are done to ensure their food is safe for consumption. Similarly, very few citizens are aware of the technical requirements of highways; their usage requires, in turn, for citizens to pass an examination. Data protection laws expect the former without considering the latter.
Assuming that data is a subject matter that will attract citizens into reading, understanding and learning PDPA is not a realistic expectation.
Instead, other measures should be implemented such as a national cloud ecosystem [C7] to ensure PDPA observance.
Default consent: Data Subjects don’t care about and/or understand the concept of consent. This provision would open the flood gates to data abuse. To illustrate one equivalent situation, one does not “default consent” to let a stranger enter their house; instead, access is granted on a case-by-case basis. The same must apply for consent over one’s data.
We encourage the PDP Commissioner
to establish an official Data Points schema, based on open standards;
to work towards a national infrastructure cloud and its related National Framework on Digital Rights;
to not create a single provision that could, in any way, allow for default Consent;
to investigate the necessary mechanisms to establish the mandatory protections with the collaboration of other governmental institutions to make it illegal to sell (only to license) personal data;
to foster, even make mandatory, the translation of ToUs and Data & Privacy policies into more user-friendly systems such as Consent Commons.
Further comments and recommendations
Producing visual aids for ToUs is a good first step towards awareness. One step beyond would be to categorize such elements (for instance 3rd Party sharing) and turn them into personal settings that devices should implement by law. This would allow users to filter, in a more user-friendly manner, the services Data Subjects are provided in their digital interactions.
We encourage the PDP Commissioner
to conduct research on codification for ToUs (and others) from a programmatic point of view;
to implement a platform (SDK) that will allow digital services to categorize themselves;
to promote among OS developers to incorporate these categorizations as OS-level settings.
6) Transfer of personal data to places outside Malaysia
General comments on the suggestion
The text makes some concerning assumptions. Should a Data Subject’s data really be a commodity considered in FTAs? It is relevant to mention that the I am my Data principle [P1] effectively turns “Data transfers” into a situation akin to “Data Trafficking”.
The text also fails to explain the reasons as to why the Whitelist has not been implemented so far. These are necessary to properly evaluate the question posed.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
What is the position of the PDP Commissioner on whether personal data is a trading commodity or something much more intimate and personal that requires special care and protection [P1]?
Which FTAs are related, in one way or another, to PDPA?
What are the reasons for the Whitelist never happening?
Comments and recommendations on the Points to be considered
There is no reason why keeping the Whitelist provision is a bad idea. It’s better to have it there, in case it is needed in the future.
On the other hand, since PDPA has no extraterritorial scope, transferring data outside of Malaysia’s jurisdiction is incredibly dangerous.
We encourage the PDP Commissioner
to keep the Whitelist provision in the new PDPA revision;
to establish restrictions on the transfer of data to territories with a lesser degree of protection for Data Subjects.
Further comments and recommendations
None.
7) Data User to implement privacy by design
General comments on the suggestion
The suggestion only mentions Data Users while Data Processors are just as important.
On the subject of Privacy by Design (PbD), a number of doubts arise, especially on the scope and the actual implementation of such solutions. This is especially relevant when considering re-identification strategies.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
PbD is to be considered for which states?
Which technical open standards are to be encouraged/adopted by the PDP Commissioner?
What are the provisions to enforce PbD in transit (Infrastructure providers)?
Since FTAs and cross border transfers are being considered, how can Malaysia enforce an equivalent PbD protection once the data leaves the country?
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
to mandate PbD to not only Data Users but also Data Processors;
to research and implement a national infrastructure based on open standards;
to restrict cross border transfers should the jurisdiction at destination offer less protections and guarantees to the Data Subjects;
to actively collaborate with other states and jurisdictions to foster interoperability between national infrastructures so that the same level of protection is ensured in cross border transfers.
Further comments and recommendations
Privacy by Design is a concept oriented at protecting Data Subjects from a number of harms, essentially rooted in the collection of Rights applying to them. From a data-centric perspective, the same applies: Data has Digital Rights as it is an intimate representation of its Data Subject [P1].
It is however not possible to make an actual definition of Digital Rights without first establishing a clear definition of Digital Harms. There is currently no worldwide consensus on this subject.
Finally, it is relevant to point out that while PbD is a method to observe and protect Digital Rights, it is superseded by considering the subject of data protection as a whole: all provisions and all technical implementations should be guided by the set of Rights that Data Subjects are entitled to, not only the Right to Privacy.
We encourage the PDP Commissioner
to conduct research on Digital Harms;
to consider future revisions of PDPA around the concept of Rights by Design.
8) Data User to establish Do Not Call Registry
General comments on the suggestion
When considering a DNCR, especially if Privacy by Design is desired, it must be stressed that Privacy is not only about protecting the data; it also implies not using that data to establish an unwarranted contact.
It is equally relevant to mention that the stress effect on citizens/users is always to be considered, as an excess of stimuli tends to create burn-out effects that translate into relaxed (oftentimes to the point of neglect) decisions.
In layman's terms, default Opt-in is the equivalent of having a parade of salespersons right by the user's doormat.
The text also mentions "the right of an individual", without providing more context. A more precise definition would greatly help the conversation as the phrasing raises legitimate concerns on the mentioned “balance”. There is in fact no balance to be found: Rights are to be protected and observed at all times, no exceptions.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
Does the PDP Commissioner have any data on research done on the impact of default Opt-in on citizens (ranging from costs (spam) to emotional impact)?
What are the Rights of an individual considered by the PDP Commissioner?
Are there any definitions of those Rights that establish exceptions of any kind for business reasons?
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
to enforce non-mandatory Opt-in in PDPA and instead enforce mandatory Opt-out and voluntary Opt-in;
to promote among OS developers to incorporate Opt-out as OS-level settings.
Further comments and recommendations
None.
9) Right of Data Subjects to know the third party to which their data has been or may be disclosed to
General comments on the suggestion
Again, the text is operating from the assumption that Data Subjects are not only aware of PDPA but moreover understand it in its entirety. This is truly not the case, let alone analyzing the consequences of their decisions of such sharing. This requires a level of analysis that is typically beyond the average consumer.
Comments and recommendations on the Points to be considered
There is a clear need to implement a standard registry, a unified log, of all 3rd parties that may have been granted access to a Data Subject's data as a consequence of their consent with a specific Data User. These 3rd parties are in turn to be considered Data Users as well. This should also automatically extend to the Data Processors employed by the 3rd parties.
In turn, any 3rd party should disclose which other 3rd parties are equally given access and so on, with special mention of 3rd parties that may export data outside of the coverage of PDPA and to legislations with lesser protection.
All these parties are to be considered equally accountable under the provisions of PDPA.
The enormous issues and enforcement complications this model implies are reduced by moving to a national cloud, with vendors coming to the country for operations.
Regardless, any such 3rd party sharing should be clearly specified to the Data Subject. Methods such as Consent Commons are encouraged.
We encourage the PDP Commissioner
to consider all the lifecycle of data manipulation and processing that a set of data may undergo;
to ensure that all Data Users and Data Processors involved in such lifecycle are bound by PDPA;
to observe different models of data sharing that would facilitate a much more efficient system to observe PDPA from a technical perspective, such as the PPC model.
Further comments and recommendations
Ideally, Data Subjects should be fully informed about the full cycle of usage of their data (from acquisition to disposal, along with all sharing episodes and processing of it) while retaining their agency at all times. The sheer amount of data this represents is much too vast to expect that any Data Subject will be able to exercise their rights properly.
We encourage the PDP Commissioner
to promote the implementation of a national cloud system to store and protect all data from its national citizens;
to include a provision of an SDK to implement and observe these requirements in the easiest way for all parties as a service of the national cloud.
10) Civil litigation against Data User
General comments on the suggestion
While provisions for civil litigation, as well as any other legal protections awarded to Data Subjects, are laudable, the reality is that very few Data Subjects will have the means (financial and in time) to prosecute grievances. This is further exacerbated if the data breach notification provision applies only towards the PDP Commissioner, as Data Subjects will potentially be unaware of the grievance itself.
This has always been an identified problem that has created neglect by Data Subjects in their will to defend their Rights. Instead, a more proactive approach is needed to minimize the need for litigation in the first place, following the End Remedy principle [P3].
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
to enable provisions for civil litigation to be available as a last resort;
to promote End Remedy [P3] among the sector to enable a more transparent observance of PDPA (and thus the protection of Data Subjects and their data);
to undertake active capacity building to instill End Remedy [P3] in the current programmer community;
to take measures to instill End Remedy [P3] in academia to prepare next generations of programmers.
Further comments and recommendations
None.
11) Address Privacy issues arising from data collection endpoints
General comments on the suggestion
Judging by the text, it is to be understood that collection endpoints refer to IoT devices (possibly among others). It is important to mention that, despite marketing efforts from manufacturers, the usage of data collection endpoints (IoT) is profiling, as their business model is not based on selling the devices but on having access to the data produced and selling it to 3rd parties. In this regard, data breaches are only one side of the problem, as data-sharing-by-design is an actual architectural decision. One that harms Data Subjects.
Most of these devices are manufactured abroad and, by design, send data outside of Malaysia’s jurisdiction.
A distinction must also be made for the case of an IoT device purchased by a Data Subject that may be extracting data from other Data Subjects without their knowledge and/or consent.
Moreover, we must remember that protecting data in transit is just as crucial.
It is interesting to note that the text seems to be a recognition of the I Am My Data [P1.
A part of the text is not clear and, by virtue of a possible misinterpretation, could suggest that business interests are above people’s rights.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
Is the PDP Commissioner implying that business interests are above people and their rights?
What are the protections that the PDP Commissioner envisions to protect Data Subjects exposed to th
How can PDPA be enforced on such devices with such behaviors by design?
Comments and recommendations on the Points to be considered
The same protections have been mentioned in past suggestions for this problem.
We encourage the PDP Commissioner
to establish an official Data Points schema, based on open standards;
to work towards a national infrastructure cloud and its related National Framework on Digital Rights;
to implement provisions to avoid automatic data extraction via IoT devices;
to study, with other government bodies, the design and implementation of local IoT devices.
Further comments and recommendations
Reflecting on data collection endpoints easily shows how vulnerable our data is to non-consensual, 3rd party extraction.
This has hardly anything to do with FTAs and reinforces the argument that Malaysia should have its own national ecosystem, which we emphatically request of the PDP Commissioner.
12) The application of Act 709 to the Federal Government and State Governments
General comments on the suggestion
This will be a necessary step if Malaysia wishes to comply with international standards of protection. It is also a mandatory requirement of international treaties such as C108+.
Moreover, if Malaysia wishes that its Data Subjects' data is stored and processed in a compliant way (under the provisions of PDPA and with the protection of principles such as PbD), how could it possibly gain foreign respect and trust if PDPA does not provide the same levels of protection? This imbalance could lead certain countries not to allow the transfer of their sovereign data to Malaysian Data Users and Data Processors. Instead, a much more conducive scenario would be an increasing alignment among equally protective regions/territories where data flows would be protected by the same Rights and Duties.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
Does the PDP Commissioner envision Malaysia as a signatory of C108+?
Comments and recommendations on the Points to be considered
Making all potential Data Users and Data Processors accountable and ensuring that they make legal use of the Data Subjects' data should be a priority of all DPLs.
We encourage the PDP Commissioner
To enable the necessary provisions to make PDPA applicable to Government and State Governments.
Further comments and recommendations
None.
13) The exchange of personal data for Data Users with an entity located outside of Malaysia
General comments on the suggestion
In the text, the word "exchange" creates the impression that personal data is considered a commodity, which is a very worrying idea.
The main consideration is which jurisdictions the data may be transferred to. Allowing just about any transfer to a territory with a DPL with poor protective provisions would render Malaysia's PDPA virtually unenforceable. Furthermore, should this be possible, we must consider the scenario in which companies with enough resources could create entities in such territories to bypass any effective protection derived from PDPA.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
Does the PDP Commissioner consider data as a commodity?
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
to consider provisions that restrict the cross-border transfer of data protected by PDPA to territories and/or jurisdictions with a lesser level of protection.
Further comments and recommendations
Again, this conversation makes the case that a national ecosystem would be an overall much better and more protective approach.
14) Exemption of business contact information from compliance with Act 709
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
This suggestion makes sense and should, in fact, be extended to all publicly available contact information. For instance, the contact data from a University Department is typically available through their website so that its members can be reached easily.
There must be a recognition of the several roles a citizen plays, which are represented by different data personas, each in turn having its own contact channels. Public information, while protected against abuse, should still be protected by PDPA, yet treated differently with regard to liability.
We encourage the PDP Commissioner
To still consider this data under PDPA;
To create a provision mentioning the exceptional nature of such public data and treat it differently.
Further comments and recommendations
None.
15) Disclosure of personal data to government regulatory agency
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
16) Class of Data User based on business activity
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
This classification should be part of the parameters offered in the Digital Rights SDK settings mentioned in previous suggestions.
17) Voluntary registration
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
18) The application of Act 709 to non-commercial activity
General comments on the suggestion
The text doesn’t describe the list of non-commercial transactions that are to be considered. This would be necessary for a more informed conversation.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
What are the non-commercial transactions the PDP Commissioner would like to consider?
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
19) The application of Act 709 to Data Users outside of Malaysia which monitor Malaysian Data Subjects
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
20) Data Users to provide a clear mechanism on the way to unsubscribe from online services
General comments on the suggestion
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
What is the definition of “online” in the views of the PDP Commissioner?
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
To not consider only “online” channels but rather ANY communication channel (SMS, printed, automated voice calls, etc.).
Further comments and recommendations
None
21) Data Users are allowed to make first direct marketing call
General comments on the suggestion
This suggestion seems, overall, impossible to enforce. Users won't be protected from abuse, which is the main aim of PDPA. Experience so far shows that forced, poorly communicated Opt-in will be the norm. Moreover, it is already too common a practice to condition the provision of services or sales on Opt-in.
Any Opt-in should be logged properly.
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
To not allow for this provision to be enacted.
To ensure that any Opt-in is properly logged by all Data Users.
Further comments and recommendations
None.
22) The processing of personal data in cloud computing
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
The current PDPA revision is a step forward in strengthening Malaysia’s PDPA.
It is hoped that further efforts will make it more compliant with international standards, ideally to the extent of enabling Malaysia to subscribe to international treaties such as Convention 108+ from the European Council.
The IO Foundation would also like to stress the importance of rethinking some of the inherited concepts on data that we have been dragging along for so many decades and that are a hindrance to a safe, transparent and trustworthy protection of Data Subjects.
It is going to become increasingly critical to establish strict Data Points schemas for compliance, to recognize the intimate (and non-severable) connection between Data Subjects and their data, to create a national cloud infrastructure to protect that data and to provide all stakeholders with tools to use it safely.
These are subjects that will spark a lot of conversation in the years to come and we invite the PDP Commissioner to be part of them.
Personal Data Protection Act, Malaysia
www.agc.gov.my/agcportal/index.php?r=portal2/lom2&id=2225
Analog Hole
https://en.wikipedia.org/wiki/Analog_hole
RFC 8280 - Research into Human Rights Protocol Considerations
https://trac.tools.ietf.org/html/rfc8280
The Contract for the Web
https://contractfortheweb.org/
Me2B Alliance
The Data Transfer Project (DTP)
https://en.wikipedia.org/wiki/Data_Transfer_Project
https://datatransferproject.dev/
Estimating the success of re-identifications in incomplete datasets using generative models
https://www.nature.com/articles/s41467-019-10933-3
Consent Commons
Solid
https://solid.inrupt.com/
DataSwift
https://dataswift.io/
Jean F. Queralt - Founder & CEO, The IO Foundation