The information on this section is being currently transferred from our legacy system to this repository. We thank you for your patience as the process will take us some time.
The following is the statement read by The IO Foundation on the occasion of Indo-Pacific Economic Framework (IPEF)'s Stakeholders Listening Session that took place in Kuala Lumpur, on the 19th October of 2023. The session was held at the Kuala Lumpur Convention Centre (KLCC).
My name is Jean F. Queralt and I am here representing my organization, The IO Foundation.
I wish to start my statement by thanking you for the opportunity to present our comments and concerns on the Indo-Pacific Economic Framework for Prosperity (IPEF).
The IO Foundation is a tech NGO operating globally although with a focus on the SEA region, very specially Malaysia as many of our members reside in the country.
TIOF’s advocacy is Data-Centric Digital Rights, which can be summarized in the work towards ensuring that technology does not do certain things by design.
We aspire to technology, especially in the domains of software and data, that provides protections to citizens in the same fashion as other properly regulated industries. That is, as occupants of this building, we do not care (nor should we) as to why it is not collapsing on us. In a similar way, citizens should not concern themselves as to whether their data is being extracted or improperly used.
In this address, The IO Foundation wishes to raise concerns upon provisions in Pillar I of the IPEF, Trade, and in particular to those referring to cross-border data flows and source code.
Please note that, as the time is limited, I will not be able to get into all the level of detail that I’d wish, and that we echo the concerns of my colleagues from previous statements, which have raised concerns about the same provisions that we will.
The first thing that disturbed us, although this is not a new circumstance by any means, is the lack of technical definition of the text. And by this I am referring to the technologies that will be involved in its implementation.
If IPEF is proposing to achieve “prosperous” data flows then it comes to reason that there should be the necessary mechanisms in place to realize this vision and enforce it.
When speaking about cross-border data exchange, we tend to project the image that it’s a magical potion that produces magical results. Nothing further from the truth.
The fact that data exchanges are considered under Pillar I is telling: it sends the message that data is “a good”. However, let’s not get confused: data IS NOT a good, or an IP or any of the other 11 available definitions across jurisdictions. Data is ourselves. I am my data. Saya Data Saya.
In that spirit, we need to start taking seriously what happens with our citizens' data and how it is used and potentially weaponized.
This is not yet possible as there is no technical way to achieve 2 things:
Attach a manifesto indicating clearly what can and cannot be done upon the exchanged data
Ensure objective remote attestation of the platforms that will make use of that data
This gets further exacerbated when considering concepts such as “ethical technology” or “ethical AI”. I keep asking, to a deafening silence “Whose Ethics?”.
What are the elements that IPEF is missing? A few:
A taxonomy of data use cases
A standardized definition for data manifestos (in reference to cross-border data flows)
A proven mechanism for remote attestations (in reference to source code concerns)
In other words, there is an urgent need to establish a methodology to run unit tests that show their compliance with the protections that are provided to our citizens.
This lack of technically sound approaches is precipitating the rise of more closed down networks, further fragmenting the Internet. We will soon witness, I fear, the creation of single point data exchange gateways, much like we have borders for people.
Furthermore, let it be pointed out that self-regulations imply the outsourcing of compliance verification from the government to its citizens, which requires frameworks and tools that are not currently available and are not considered in the IPEF.
In a period of time where we are observing an increasing neglect towards the technical community, I must emphasize the importance of their participation in policy making and Free Trade Agreements. They are not mere observers, they are the actual builders of the technology that fuels our international commerce and as such they need to be more involved in any negotiations that will shape their work.
To conclude, I wish to express that the IPEF could be a good opportunity to take steps towards technology that observes the principle of Rights by Design.
May we also raise our concerns towards the difficulty to manifest any meaningful feedback when negotiations are not open to the public and the texts are not made easily available.
Thank you.
This Policy Brief consolidates the proposed recommendations from The IO Foundation (TIOF), a Tech NGO advocating for Data-Centric Digital Rights, to incorporate technology as a cross-cutting issue in the upcoming National Action Plan on Business and Human Rights in Malaysia in its first iteration.
It is the result of 4 years of advocacy, research and engagement on BHR in the Tech sector in Malaysia and is unique in the sense that it is a document written from the perspective of technologists. Since its inception, TIOF has identified that the most significant gap in (Data-Centric) Digital Rights advocacy is the perspective from the builders and developers of these technologies — the technologists.
While it was the wish of The IO Foundation for this initial iteration of the NAP to develop a full thematic area on Technology, which has been the focus of TIOF’s efforts, we encourage the Malaysian government and working parties to, at least, incorporate Technology as a cross-cutting issue. That is, as a subject that can be identified in all considered thematic areas as the source of challenges that can be remediated through the UNGPs.
This Policy Brief builds on the work of policy documents and toolkits that have been developed before by various policy professionals. While the United Nations Guiding Principles on Business and Human Rights apply to all business sectors, this document focuses on the technology business in particular. Due to the niche scope of this topic within the Business and Human Rights space, it is perhaps easier to understand this brief as an effort for mainstreaming (Data-Centric) Digital Rights into all areas of public policy as part of the Information and Communications Technology sector’s duty of care for digital citizens.
The stakeholders for this Policy Brief are as follows:
| Category | Stakeholder | Definition |
|---|---|---|
| GOVERNANCE | Government | Any entity with the authority to govern a country or a state, or to provide public services to their constituents. |
| GOVERNANCE | Supranational organization | An entity that, while not governing a country, is recognized as authoritative in a certain domain. |
| BUILDERS | Tech companies | Private companies that provide hardware and/or software solutions for business applications. |
| BUILDERS | Technologists | A professional who is trained in building, deploying and maintaining technology. |
| USERS | Citizens | A legally recognized subject of a country or nation state. |
| USERS | Digital Twins | The digital representation of a citizen (not yet recognized as subjects of a country or nation state). |
| USERS | Civil Society | A community of citizens who gather around common interests or collective activity. |
Table 1.1 - List of stakeholders
Note
In the interest of brevity, this Policy Brief concentrates on providing Recommendations in a summarized way. Further implementation details can be provided once the NAP working group decides on which Recommendations to incorporate.
The UNGPs were endorsed by the United Nations Human Rights Council (HRC) in June 2011. It was a historic event in the adoption of human rights standards for private business actors, raising their responsibility and accountability alongside the government’s duty to protect the rights of citizens.
With businesses as a major driver for economic growth and infrastructure, the UNGPs became a necessary component to support national development agendas such as the digital transformation plans, that put citizens’ well-being first. When a nation endorses a global framework such as the UNGPs, they further anchor that commitment in the form of National Action Plans (NAPs). Though, unfortunately, not a legally binding instrument, it is essential in promoting possible frameworks that the private sector could consider in positioning themselves as businesses that care about holistic development.
Alongside the UNGPs, the United Nations also adopted the 2030 Agenda for Sustainable Development with a list of components that make up the Sustainable Development Goals (SDGs). This is done in recognition of the important role that the private sector plays in promoting and implementing sustainable development. While the SDGs have been more popular amongst businesses and organizations worldwide, the adoption of the UNGPs has been slower. The UNGPs have relied on national commitments to adopt and implement them. Those initiatives would later be adopted by the private sector, once the governments finalize and publish their NAPs.
The main areas of concern for the general end users of digital technologies often come back to privacy protection. There is a growing concern over how information is collected, stored, and used by owners of digital platforms. While existing legislative developments in this area provide the basic principles for data protection, there is much room for improvement to better protect users of digital technologies in Malaysia. When all is said and done, what we are working towards is making Digital Rights protection work easily and seamlessly for regular end users.
National action plans (NAPs) on business and human rights are policy documents in which a government articulates priorities and actions it will take to protect human rights from business-related activities. As of 1 June 2020, NAPs have been adopted in 24 states around the world. However, few of these NAPs currently address the specific impacts on human rights by the use of digital technologies in the public and private sector, even though the potential scope of these impacts is very wide. Governments and tech companies can play a positive role in enabling the exercise of human rights in the digitalization of their services, but they can also pose risks to them.
Evidently, technological innovation has spurred the need for new laws and regulations that would ensure accountability of technology use via legal instruments. Even though the Malaysian government has taken steps to enable digital transformation and promote digital adoption by passing laws and policies that were intended to protect all parties engaged in digital transactions, there is still ample space for improvements.
The advocacy of human rights protection in the digital space, popularly known as Digital Rights advocacy, is gaining momentum globally. By and large, Digital Rights organizations have focused on legislative measures to protect the rights of people using digital technologies, especially when interacting with other parties on the Internet. More legislations, regulations, and policies have emerged in recent years to give a reference to what rights people have that are to be protected by the issuing authorities, how to exercise those rights, and the provision of penalties for non-compliance.
The IO Foundation has, however, identified a major problem in this approach: in the case of civilian consumption technology, these legislations, regulations and policies are not issued alongside technical specifications for their implementation. This creates an inevitable loophole that prevents:
a standard implementation across technology products;
the verification of claims of compliance through standard methodologies;
technologists from creating products that protect Rights by design.
This is in stark contrast with any other adequately regulated product, where companies never need to compete at compliance level: their products need to meet those basic criteria before they can compete in the market of ideas through their value propositions.
This creates challenges in promoting and strengthening both Rights (Human and Digital) and vibrant digital economies that concentrate on innovative value propositions while respecting Rights.
The IO Foundation works towards resolving these problems by:
recognizing that data is only valuable when sufficiently contextualized and thus positing that one’s data is oneself (“I am my data”);
that technology has the capacity to preemptively eliminate harms (especially Digital Harms) and thus drastically reducing the need for remedy;
that, given a certain jurisdiction, the applicable protections given to its citizens should be transparently implemented in the technology they use (“Rights by design”).
Data being the core component that represents citizens (in the shape of models called Digital Twins), TIOF has approached this challenge from a Data-Centric Digital Rights perspective; that is, the attempt to enact the protection of Rights through a framework that allows
The UNGPs provide a suitable framework to combine Human Rights and Data-Centric Digital Rights when applied to the tech sector.
Note:
While currently not fully developed, the Framework provides a structured approach to protecting Rights and is used as guidance across this Policy Brief.
Technology in existing National Action Plans
The Malaysian NAP should make reference to technology inclusions in existing National Action Plans:
Japan. “In terms of the development of artificial intelligence (AI), a Council for Social Principles of Human-centric AI was established for the purpose of considering the basic principles for implementing and sharing AI in society in a better way under the AI Strategy Expert Meeting for Strength and Promotion of Innovation.”
Colombia. “The Ministry of Telecommunications [Mintic] will elaborate the “Guide on Human Rights and Business: A document on the application of human rights and business principles” for the specific context of the Information and Telecommunications Technologies (ICT) sector.”
Luxembourg. “1.15. Protection of human rights in business in the context of new information and communication technologies (ICT), including artificial intelligence (AI)”
This Policy Brief is produced through 2 approaches:
1) Cross-referencing the UNGPs against legislations that govern data and/or digital technologies in Malaysia:
TIOF conducted a policy review of three main pieces of legislation that govern data and/or digital technologies in Malaysia. The legislations are the Personal Data Protection Act (PDPA) 2010, the Communications and Multimedia Act (CMA) 1998, and the Technologists and Technicians Act (TTA) 2015. This part of the research looked specifically for Rights protections for citizens’ data, which we call Digital Twins, and analyzed the policies for possible gaps.
2) Applying the principles behind the DCDR Framework:
TIOF analyzed the existing plans for Malaysia’s digital development and identified a number of opportunities to ensure the protection of Rights for its citizens and their data through the UNGPs.
When compared to the principles outlined in the UNGP BHR, it was found that the PDPA does provide a minimum standard of protection for personal data processed in Malaysia. There are, however, critical areas of legislative improvement necessary to keep up with the technological advancements of our time.
The PDPA defines personal data as any information in respect of commercial transactions (Section 4), which:
is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; or
is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
is recorded as part of a relevant filing system or with the intention that it should be part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.
In other words, personal data is any information that could identify a person, who resides within or outside of Malaysia, for as long as the data of that person is being processed in Malaysia in a machine-readable format.
The person to whom the data belongs is called the “data subject”, while the person who is collecting, processing, and analyzing the data is called a “data user”. All this only applies to data used for commercial purposes, and does not apply to the Federal Government and State Governments as per Section 3 (1) of the Act. Furthermore, this law does not apply to personal data processed outside of Malaysia (Section 3[2]), leaving Malaysians dependent on the personal data protection laws of whichever countries their data resides in.
In line with TIOF’s DCDR Principle I of “I am My Data”, we will be referring to “data subjects” as “data owners” to provide a more accurate representation of the digital reality we live in. It is essential to convey the right ideas and concepts to the public for their increased awareness on the subject. The term “data subject” is not only inaccurate in representing the reality of how our (digital) data relates to our physical bodies, it also poses a big challenge to the proper legislative protection of our data.
In the PDPA, the rights protected of data owners are as follows:
| Item | Section |
|---|---|
| Right to correct personal data | 11; 34 |
| Right to withdraw consent to process personal data | 38 (1) |
| Right to be notified of how their data will be processed and used (under the Notice and Choice Principle) | 7 (1) |
| Right to choose how their data will be processed and used (under the Notice and Choice Principle) | 7 (1) |
| Right to non-disclosure of personal data without consent | 8 (1) |
| Right to be forgotten (under the Retention Principle) | 10 (1) |
| Right to access personal data | 12; 31 (1) |
Table 4.1 - Rights of PDPA data owners
As for data users, they are obliged by the law to adhere to the seven (7) data protection principles that outline what they can or cannot do with regards to the personal data that they have access to. However, there are exceptions to these principles whereby the data user may not be liable to a violation of the principles under circumstances described in the accompanying sub-sections. A summary of the principles, their descriptions, and caveats are outlined below:
| Principle | Section | Description | Caveat(s) |
|---|---|---|---|
| General | 6 | A data user is not allowed to process personal data about a data subject unless the data subject has given his consent to the processing of the personal data. | In sub-section (1)(a), the data user may proceed with processing the personal data of a data owner if the processing is necessary: 1) for the performance of the contract of which the data owner is a party; 2) for the taking of next steps with the data owner for a contract; 3) for the compliance with any legal obligations of which the data user is a subject; 4) to protect the interests of the data owner; 5) for the administration of justice; 6) for the exercise of any functions conferred on a person under the law. Under sub-section (3), a data user may process personal data of a data owner if the personal data is processed for a lawful purpose directly related to an activity of the data user. |
| Notice and Choice | 7 | A data user is obligated to inform a data owner via written notice when: 1) their data is being processed, 2) for what purposes, as well as 3) how the data is sourced. A data user is also obligated to inform the data owner of their right to access their personal data and to request a correction of their personal data if any errors are detected. The data owner should also be informed of any third parties employed by the data user to process the data, how they can control or limit access to their data, whether it is obligatory or voluntary for them to supply their data to the data user, and if it is obligatory to do so, inform the data owner of the consequences of failing to provide their data. | - |
| Disclosure | 8 | No personal data shall be disclosed for purposes other than the purposes stated at the time of collection, or a purpose directly related to the purposes stated at the time of collection, and to any third party unless informed to the data owner as required by Section 7. | A data user may cite Section 39 of the Act to activate exceptions to this principle, at which point personal data may be disclosed if: 1) the data owner has given their consent; 2) the disclosure is necessary for the purpose of detecting or preventing a crime, or by the court order; 3) the data user is acting in the reasonable belief that they had in law the right to disclose the personal data to another party; 4) the data user has reasonable belief that they would have had the consent of the data owner if the data owner had known the circumstances of the disclosure; and lastly 5) the disclosure was justified as a matter of public interest in circumstances determined by the Minister. |
| Security | 9 | A data user is obligated to take practical steps to protect personal data of data owners from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. | - |
| Retention | 10 | Personal data shall not be kept longer than it is necessary to fulfill the business purposes. Data users must take necessary steps to ensure personal information is deleted or permanently destroyed once the purposes have been served. | - |
| Data Integrity | 11 | Data users must ensure that all personal information is accurate and not misleading, as well as kept up-to-date. | - |
| Access | 12 | Data owners have the right to access their data and to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date. | Section 36 (1) allows data users to refuse the request to access and correct personal data if: 1) the data user is not supplied with necessary information for them to process the request; 2) the data user cannot ascertain the identity of the requestor for when the requestor claims to be a relevant person; 3) the data user is not convinced that the data needs to be corrected; 4) the data user is not satisfied that the data correction request is accurate, complete, not misleading, and up-to-date. |
Table 4.2 - PDPA’s data protection principles
Based on what we have seen in the PDPA, the loopholes that exist within the legislation put data owners at a disadvantage rather than an advantage. From a practical standpoint, this is primarily due to the fact that data owners are not recognised by law as the owners of their data, so their data is not recognized as part of them, and they merely exist as “subjects” of the data they rightfully own. As a result, the law views digital citizens as separate from the human beings, who are the source and rightful owners of the data extracted from them.
This point is important to note because without contextualizing data back to its source, data becomes meaningless, and quite utterly useless. There is no business value to be extracted from useless data, therefore the recognition of the source entity and digital entity relationship is crucial for States to provide adequate domestic policy space to meet the human rights obligations of businesses (UNGP 9).
Correcting the current paradigm on data is necessary for the correct implementation of data protection in digital spaces.
On more granular standpoints, exceptions to the rule, or caveats, within the PDPA pose risks to digital rights protection of technology users who are already legally disadvantaged for not being the rightful owners of their own data, apart from other disadvantages such as the costly nature of legal remedies. Some of the caveats are too dangerously broad to provide even the minimum protection, with clauses such as Section 39 (4) which allows data users to disclose personal information to a third party if it is within their “reasonable belief” that they “would have had the consent of the data owner if the data owner had known the circumstances of the disclosure”, which means citizens are expected to extend complete trust in the judgment of the data users to determine if we “would have consented” and if we “had known” about “the circumstances”. These types of ambiguous clauses cast a big shadow of doubt into the ability of the legislation to protect the data of citizens and ultimately on the State’s duty to protect (UNGP Pillar 1) citizens from businesses’ failure to respect (UNGP Pillar 2) our human right to privacy.
[PENDING]
[PENDING]
The Data-Centric Digital Rights Framework represents an attempt to model the protection of data through the use of standard definitions and methodologies.
While a full presentation and analysis of the DCDR Framework is out of the scope of this Policy Brief, the following are the main applicable considerations.
4.4.1.1 Pillar I: State Duty to Protect
DCDR Principle I: ‘I am My Data’ - Treat data as you'd want to be treated.
The traditional understanding of data as separate entities from their users is anchored in past perceptions and the use of legacy technologies.
The reality is much different: the data representing users (and of which they should have control of consent) is intimately and inextricably linked to them; it models them, creating an accurate representation that loses all value should that contextualization ever be severed.
4.4.1.2 Pillar II: Corporate Responsibility to Respect
DCDR Principle II: ‘Rights by Design’ - Leave no policy uncoded behind.
This DCDR Principle responds to the need for policies and tech to be designed and implemented as one: the former establishes what is to be respected and the latter ensures that the compliance is built in the infrastructure so that users are protected automatically and transparently.
4.4.1.3 Pillar III: Access to Remedy
DCDR Principle II: End Remedy - Adopt designs that minimize grievances.
This DCDR principle represents the embodiment of the proactive planning, architecture and implementation of all necessary mechanisms, both in policy and technology, to prevent grievances from ever happening during the use of a product or a service, in turn minimizing the need for legal actions. In other words, any protection that a citizen or their digital twins are entitled to under a specific jurisdiction should be transparently implemented inside the technology itself, by design.
Historically speaking, traditional Digital Rights advocacy has concentrated on the observance of Human Rights through the use of technology, as a medium; it has had very little interest in how the medium itself was built and operated technically.
Consider the following diagram:
Image 4.1 - Spaces and Entities
On the left, the Physical Space, are 2 (physical) entities, which for the purposes of this Policy Brief we can consider citizens, the government or a corporation.
On the right, the Digital Space, are represented the Digital Twins of the 2 entities.
In the case of citizens, this would be one of their numerous data representations, and in the case of governments and corporations the digital twin encompasses the digital platforms and services they provide.
All of these objects (the entities and their digital twins) interact with each other, potentially generating harms. The traditional Digital Rights approach provides no clarity as to how to define these harms in a way that can be expressed technically and therefore understood by technologists.
When attempting to structure how the UNGPs could protect both the Rights of citizens and their data, The IO Foundation analyzed the scenario in Image 4.1 by categorizing the interactions between the Physical and Digital spaces as source and receiver of a given Harm. Table 4.3 provides an easy representation of the possible combinations.
| SOURCE \ RECEIVER | PHYSICAL | DIGITAL |
|---|---|---|
| PHYSICAL | PHYSICALLY SOURCED, PHYSICALLY RECEIVED | PHYSICALLY SOURCED, DIGITALLY RECEIVED |
| DIGITAL | DIGITALLY SOURCED, PHYSICALLY RECEIVED | DIGITALLY SOURCED, DIGITALLY RECEIVED |
Table 4.3 - DCDR Harms Matrix
Following Table 4.3, it is now easier to understand and define Human Rights as the proactive attempt to avoid harms received by a physical entity.
Image 4.3 - Human Rights
In similar fashion we can define Data-Centric Digital Rights as the proactive attempt to avoid harms received by a digital twin (which is likely to translate into a Human Right at some point).
Image 4.3 - Data-Centric Digital Rights
Combining both concepts provides a general approach to observe and implement both Human Rights and Data-Centric Digital Rights through the implementation of the UNGPs on BHR in the Tech sector.
Image 4.3 - HR and DCDR delivered by BHR in Tech
In its current iteration, the Malaysian National Action Plan will be focusing on the following 3 thematic areas:
Governance
Labor
Environment
The following are the Recommendations made by The IO Foundation to protect the rights of citizens and of their data (which makes up their digital twins).
For ease of reference, Recommendations are coded as: NAPR.Number
Where:
NAPR = National Action Plan Recommendation
Number = Sequential number corresponding to that of the document section
Observing the impact of technology is core to implementing the UNGPs in Malaysia’s governance.
The following are some of the aspects in which technology influences governance:
The nature of data and its treatment
The lack of definition of Digital Harms
The lack of technical language to involve technologists
The following are Recommendations aimed at supporting the UNGPs in this thematic area.
5.1.2.1 Protection of citizens’ data
The protection of Malaysian citizens’ data is core to being able to protect their rights and implement the UNGPs. For as long as the nature of data is not properly understood and recognized by the government, it will not be possible to mitigate Harms (both physical and digital) inflicted on its citizens through the implementation of Rights.
[NAPR.5.1.2.1.1] Recognize the true nature of data.
Initiate a program to recognize the inextricable connection between citizens and their data in order to protect both. This recognition should propagate through existing and future regulations as well as shape the national digital infrastructure.
See also Further recommendations.
[NAPR.5.1.2.1.2] Protect citizen data on their devices.
Establish a national regulation covering the proper procedures to hand over devices for repair. Initiate programs to train shops that engage in repairs to follow a proper handling protocol that will protect citizens from data theft.
Consider implementing a grading system similar to the existing one in the Food Hygiene Regulations (FHR) 2009.
[NAPR.5.1.2.1.3] Research on DCDR.
Initiate a program to support the research of the components required to translate the existing regulations on technology into technical terms around the Data-Centric Digital Rights Framework.
[NAPR.5.1.2.1.4] Issue a DR SDK.
Initiate a program to implement the results of the DCDR research into a (Data-Centric) Digital Rights Software Development Kit (DR SDK) which is to be distributed for adoption by the Malaysian tech sector.
Aside from resolving the current problem of verification of claims of compliance, it would also provide a standard way to perform a Digital Rights Impact Assessment (DRIA).
[NAPR.5.1.2.1.5] Expand the National Data Agency.
Expand the capacities of JPDP so that it can oversee the maintenance, deployment and usage of the DR SDK.
[NAPR.5.1.2.1.6] Redefine the actors in data protection policies.
Actor: Data owners
Current definition: Third parties who collect, store, and use citizens’ data.
Redefinition based on digital realities: The primary owners of citizens’ data should be the citizens, not any third or external parties. The owners of data, especially data related to a human being, must be linked to their Source Entities. As such, citizens should and would be the only party able to control what happens to their data. See: “I am My Data” principle.

Actor: Data controllers
Current definition: Third parties who control the collection, storage, and usage of citizens' data. They control the flow of the use of the data.
Redefinition based on digital realities: See ‘Data owners’ above.

Actor: Data subjects
Current definition: The source of the data, i.e. the humans.
Redefinition based on digital realities: We should not have “data subjects”. The term “subject” carries implications of belonging: it indicates that someone belongs to a third or external party (e.g. a State or a corporation) which extracts people’s data via the use of technologies. As the source of our own data, we are the owners of our data. Our data, just like us, should not be a “subject” of someone or something else. Laws and policies must reflect the digital reality that citizens are not subject to their data, but are sole owners and controllers of their data.

Actor: Data users / processors
Current definition: Anyone with access to read, edit, copy, and delete data or perform any actions that change the state of data between at rest, in use, or in transit.
Redefinition based on digital realities: For processing highly sensitive data, requiring the processor to be a licensed technologist ([NAPR.5.2.2.3.1]) would increase the level of data security and make the protection of data a personal liability within a technologist’s profession.
5.1.2.2 Revisit Malaysia’s National Tech Infrastructure
Upscaling Malaysia’s digital infrastructure towards observing and implementing the UNGPs should also be encouraged. While Malaysia has its own Digital Economy Blueprint, the text fails to provide the necessary infrastructure to observe, let alone implement the UNGPs.
[NAPR.5.1.2.2.1] Establish Process-driven Governance.
Initiate a program through MAMPU to translate all government processes and existing regulations into BPMN.
[NAPR.5.1.2.2.2] Government digital services monitoring.
Provide a government-led monitor that makes it possible to observe the status of the government’s services (Websites, APIs, etc.).
[NAPR.5.1.2.2.3] Commit to a high SLA for the national digital infrastructure.
Recognizing the critical role that the national digital infrastructure plays for citizens, commit to a 97% SLA for the government’s online services.
This number represents 1 full natural day of downtime (per service) across a full natural year.
[NAPR.5.1.2.2.4] Protect Internet Namespaces.
Considering the emergence of alternative naming protocols, ensure through the Governmental Advisory Committee (GAC) at ICANN that the current namespace (DNS) is not threatened. Preserving a consistent user experience will minimize the likelihood of digital attacks on citizens.
[NAPR.5.1.2.2.5] Monitor Internationalized domain names (IDNs)
With the imminent deployment of IDNs by ICANN, it will be crucial to ensure it does not open the door to digital attacks on citizens.
[NAPR.5.1.2.2.6] Citizen network.
Initiate a program to assess how to complement Malaysia’s digital infrastructure through the use of its citizens’ devices. See Environment.
[NAPR.5.1.2.2.7] Enable and encourage citizens VPS.
Initiate a program to enable and encourage citizens to run their own VPS with their data.
[NAPR.5.1.2.2.8] Establish data embassies.
Initiate a program to establish territorial legitimacy over servers holding data of Malaysian citizens abroad.
[NAPR.5.1.2.2.9] Explore Digital Taxes in hardware for digital companies.
Initiate a program to explore the possibility to apply a digital tax that would compel tech companies hoping to transact with Malaysian citizens into supplying proportional infrastructure. Consider the possibility of GLCs as a starting point.
[NAPR.5.1.2.2.10] Explore an Open Source revival program.
Initiate a program to explore the possibility of compelling tech companies to release the source code of products should they go out of business and certain criteria of dependence have been reached.
5.1.2.3 Transparency and Accountability
Technology can enable the government to effectively increase its transparency and accountability in accordance with its National Anti-corruption Plan.
[NAPR.5.1.2.3.1] Upscale Open Data government efforts.
Consolidate the Open Data portals that the government is currently offering.
[NAPR.5.1.2.3.2] Improve ODIN score
Invest efforts in improving Malaysia’s current ODIN score.
[NAPR.5.1.2.3.3] Public registry of government databases.
Governance bodies should publish which databases they hold, provided these are not under the Secrets Act.
[NAPR.5.1.2.3.4] Publish Policies in machine-readable formats.
Establish a mechanism to publish policies in a machine-readable format so that they can be processed and referenced more efficiently.
[NAPR.5.1.2.3.5] Use of BPMN to define processes
Leverage [NAPR.5.1.2.2.1] to increase transparency and accountability in government processes.
[NAPR.5.1.2.3.6] Include technologists in tech consultations.
Increase the participation of the tech Civil Society (such as tech communities and tech NGOs) and industry representatives in policy making affecting the Malaysian tech sector.
[NAPR.5.1.2.3.7] Publishing of tech-related regulations
Ensure the publication and easy access of all tech-related regulations. At the time of writing, the National Data Sharing Policy (NDSP) has been announced yet the text is nowhere to be found. A similar situation happens with the upcoming revision of the PDPA of which the final draft, to our knowledge, hasn’t been circulated.
[NAPR.5.1.2.3.8] HRIAs & DRIAs
Conduct periodic Human Rights Impact Assessments (HRIAs) and (Data-Centric) Digital Rights Impact Assessments (DRIAs). The adoption of the DR SDK would enable a systematic monitoring of the impact of the UNGPs.
[NAPR.5.1.2.3.9] National registry of data breaches
Create a national registry of reported data breaches affecting Malaysian citizens, both domestically and internationally.
[NAPR.5.1.2.3.10] National Tech Ecosystem registry.
Create a national registry mapping the Malaysian tech ecosystem (from companies, associations, tech communities, IT Clubs, tech NGOs, etc.) that will include both registered and informal organizations. This registry would be used as a reference to implement [NAPR.5.1.2.3.6].
5.1.2.4 Educational pipeline
An effective implementation of the UNGPs in Malaysia will necessitate awareness and training for all involved stakeholders. This is particularly true of the government itself and of technologists, which The IO Foundation regards as the Next Generation of Rights Defenders.
[NAPR.5.1.2.4.1] Recognition of NextGen Rights Defenders.
[Pending]
[NAPR.5.1.2.4.2] Introduce UNGPs and related subjects.
Produce and implement programs to incorporate Human Rights, (Data-Centric) Digital Rights and the UNGPs into the tech educational pipeline.
[NAPR.5.1.2.4.3] Include Digital Literacy and UNGPs in all government agencies.
Produce and implement programs to incorporate Digital Literacy, Human Rights, (Data-Centric) Digital Rights and the UNGPs in all government agencies.
This will be crucial moving forward, not only for the adoption of the UNGPs but also for the work to be done on future iterations of the NAP.
5.1.2.5 Amendments to existing tech regulation
Certain existing regulations may require small amendments to ensure they support the implementation of the UNGPs.
[NAPR.5.1.2.5.1] In general, however, The IO Foundation recommends ensuring that, moving forward, tech-related legislation incorporates the UNGPs.
PDPA
Aside from the comments submitted during the Public Consultation on PDPA invited by the Data Protection Commissioner in 2020, The IO Foundation proposes the following recommendations (without the knowledge of the provisions in the upcoming PDPA version):
[NAPR.5.1.2.5.2] Codify the ‘I am My Data’ principle into law.
Citizens' data should be recognised as part of themselves so that any constitutional laws in the jurisdiction cover citizens’ data as much as they cover their physical bodies. When the data of citizens is recognised as part of themselves, existing legal frameworks that protect citizens’ human rights can be automatically applied to their digital twins, ensuring the protection of citizens’ digital rights. For PDPA to effectively protect Malaysian citizens and uphold their Rights, it is crucial that the true nature of data is legally recognized.
[NAPR.5.1.2.5.3] Cross-border protections.
Secure bilateral mechanisms to ensure that, in the event of an inevitable cross-border transfer of Malaysian citizens’ data, the recipient jurisdiction’s legislation provides at least the same protections that PDPA confers.
[NAPR.5.1.2.5.4] Include data managed by the government.
Section 3 (1) of the PDPA remains one of the biggest challenges to comprehensive data protection in Malaysia. It also brings confusion to public citizens when government bodies cite their commitment to the PDPA without actually being legally liable to adhere to it. This situation could have detrimental consequences to the citizens’ ability to trust the government with the protection of their data. Malaysian lawmakers have to amend this section of the PDPA to remove the non-application of the act to Federal and State government bodies.
[NAPR.5.1.2.5.5] Expand the definition of “personal information”.
The definition of ‘personal information’ should not only cover full names, phone numbers, national identification numbers, location data, etc.; it should also include information inferred from the personal information collected in the service of surveillance and profiling purposes, which could potentially be abused. In other words, personal information is not just objective information that platforms know about us, but also what their systems and/or algorithms learn about us from different data sources that are, knowingly or unknowingly, linked together.
Malaysia Digital Economy Blueprint
[PENDING]
Observing the impact of technology is core to implementing the UNGPs in Malaysia’s labor sector.
The following are some of the aspects in which technology influences labor:
The protection of labor relations
The protection of laborers’ digital twins
The following are Recommendations aimed at supporting the UNGPs in this thematic area.
5.2.2.1 Algorithm transparency & contracts
[NAPR.5.2.2.1.1] Transparent Gig-economy algorithms
Establish mechanisms to ensure that workers are not taken advantage of and that their Rights are observed and implemented.
Establish the necessary mechanisms to
[NAPR.5.2.2.1.2] articulate contracts via BPMN
This would make it easy to reduce potential abuses of the worker as well as corruption.
[NAPR.5.2.2.2.1] enable the codification of contracts via SmartContracts or similar technology.
This would immensely reduce the need for remedy and serve as proof of contractual status, which also serves to combat corruption.
5.2.2.3 Legal Liability
[NAPR.5.2.2.3.1] Establish a professional association of developers.
Initiate the mechanisms to study and eventually implement the Malaysian professional association of developers.
Despite the rejection of the Computing Professionals Bill of 2011, the crucial role that technology plays in the proper implementation of the UNGPs demands reconsidering the need for such a regulatory body. Such organizations exist for architects, lawyers or healthcare practitioners. The need is obvious in those cases only because people can intimately relate to the Harms these professions can cause. While this is a complex subject, implementing [NAPR.5.1.2.1.3] and [NAPR.5.1.2.1.4] would largely help in making this association possible.
5.2.2.4 Amendments to existing labor regulation
Contract Act
[NAPR.5.2.2.4.1] Modernize contracts and their structure
In addition to [NAPR.5.2.2.1.2] and [NAPR.5.2.2.2.1], implement the necessary mechanisms to define contracts that are
schema-driven
provide visual cues such as Consent Commons does for Data Protection Laws
This would allow enforcing the minimum information legally expected while severely reducing abuses of workers and facilitating statistical analysis.
[NAPR.5.2.2.4.2] BYOD and workers
Make provisions so that companies implementing a Bring Your Own Device (BYOD) policy need to compensate the worker in a manner similar to when workers use their own vehicles and get paid by mileage.
Technology needs to be considered for its impact on implementing the UNGPs in Malaysia’s environment.
The following are some of the aspects in which technology influences the environment:
The impact on minerals’ extraction
The impact on technology recycling
The protection of the environment’s digital twins
The following are Recommendations aimed at supporting the UNGPs in this thematic area.
5.3.2.1 Recycling of devices
[NAPR.5.2.2.4.2] Establish a
CSM could be tasked to detach members or provide the service of wipeout and ensure that no malware/spyware is installed in the device.
Repair Mode >> Protocols for full lifecycle
Google, Apple, FAIR Phone, Local Malaysian brands
>> MCMC
Would serve as the basis for a nation-wide DLT that is supported by its citizens as a national duty.
This could have further ramifications in the area of Labor as the citizen would be generating labor for the government.
5.3.2.2 Amendments to existing environmental regulation
None.
The following are a series of recommendations that, beyond the current National Action Plan, can support the implementation of the UNGPs in the tech sector in Malaysia.
For ease of reference, Recommendations are coded as: OTHR.Number
Where:
OTHR = National Action Plan Recommendation
Number = Sequential number corresponding to that of the document section
Efforts to showcase the commitment of Malaysia towards the UNGPs, especially in the emerging sector of technology, would be favorable to Malaysia’s international image.
[OTHR.6.1.1.1] Include (Data-Centric) Digital Rights in subsequent UPRs.
This mention would include Malaysia’s commitment to protect citizens’ rights and those of their data as well as an evaluation of the status of the NAP, in particular in the Tech sector.
[OTHR.6.1.2.1] Encourage the presence of Malaysian technologists in the international scene.
The presence of Malaysian technologists in international fora (authoritative organizations, events, etc.) is not on par with the quality of its professionals.
Through initiatives such as TIOF’s TechUp, the Malaysian government should invest efforts in supporting its technologists to actively participate in relevant fora and lead the way in the implementation of the UNGPs in the tech sector.
A number of relevant considerations are to be studied if Malaysia wishes to prepare itself for its digital future and safeguard its sovereignty through protecting its citizens’ data.
[OTHR.6.2.1.1] Expand the Constitution to adopt protections over citizens’ data.
Initiate the mechanisms, possibly on the grounds of Article 5.1 Right to Life, to evaluate the feasibility and implications of recognizing the intrinsic link between citizens and their data so that protections upon the latter may be applied more clearly.
[OTHR.6.2.1.2] Establish Connectivity as a Constitutional Right.
Initiate the mechanisms, possibly on the grounds of Article 9.1 Prohibition of banishment and freedom of movement, to evaluate the feasibility and implications of recognizing the implications of not ensuring Connectivity to all citizens in Malaysia’s digital territory.
[OTHR.6.3.1] Accelerate/Update legislation enabling the easy creation of NGOs.
A vibrant Tech NGO/CS ecosystem would support Malaysia in its commitment to uphold the UNGPs in the tech sector, creating a differentiated value proposition compared to SEA and globally. This would translate into a positive impact in the implementation of Pillar III by ensuring that there are enough organizations that can support citizens when needed.
[OTHR.6.4.1] Establish a permanent Technology Committee for the NAP.
Creating a Technology Committee composed of representatives of the Tech sector to take part in the next iterations would provide the necessary support to evaluate the changes, challenges and solutions for the UNGPs in the Tech sector in Malaysia.
This Policy Brief attempts to bring attention to the protections that the Malaysian government can deliver to its citizens and their digital twins through the upcoming National Action Plan on Business and Human Rights, especially by focusing on its application in the tech sector.
By including technology as a cross-cutting issue in this current NAP cycle and focusing on implementing technological solutions, Malaysia can lead the way both in the SEA region and globally to become an example to follow in how governments can protect the rights of their citizens and of their data.
The IO Foundation wishes to emphatically request the Malaysian government and the organizations involved in this NAP process to include technology as a cross-cutting issue and to incorporate as many recommendations herein described as possible.
The IO Foundation remains at their disposal for any further consultation and to support the implementation of the recommendations.
The following is a list of governance bodies and related agencies that are referenced in this policy brief. A brief summary of their mandate or function is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that a relevant body is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
Ministry of Communications and Multimedia (K-KOMM / ex KKMM)
Related agencies
Department of Personal Data Protection (JPDP)
The main responsibility of this Department is to enforce and regulate PDPA in Malaysia. PDPA focuses on the processing of personal data in commercial transactions and the avoidance of misuse of personal data.
MCMC
The Malaysian Communications and Multimedia Commission (MCMC) is a regulatory body whose key role is the regulation of the communications and multimedia industry based on the powers provided for in the Malaysian Communications and Multimedia Commission Act 1998, the Communications and Multimedia Act 1998, and the Strategic Trade Act 2010.
Related agencies
CyberSecurity Malaysia (CSM)
National Cyber Security Agency (NACSA)
National lead agency for cyber security matters, focused on securing and strengthening Malaysia's resilience in facing the threats of cyber attacks, by coordinating and consolidating the nation's best experts and resources in the field of cyber security. It develops and implements national-level cyber security policies and strategies, protecting Critical National Information Infrastructures (CNII).
Malaysia Digital Economy Corporation (MDEC)
MDEC was established in 1996 as the lead agency to implement the MSC Malaysia initiative. Today, it is an agency under the Ministry of Communications and Multimedia Malaysia (KKMM) with a close to 25-year track-record of successfully leading the ICT and digital economy growth in Malaysia.
Malaysian Administrative Modernisation and Management Planning Unit (MAMPU)
MAMPU is responsible for modernizing and reforming the public sector.
Malaysia Board of Technologists (MBOT)
Malaysia Board of Technologists (MBOT) is a professional body that gives Professional Recognition to Technologists and Technicians in related technology and technical fields. Based on Act 768, MBOT expands its function vertically and horizontally whereby MBOT looks at technology-based profession that cuts across discipline based from conceptual design to a realized technology and covers from Technicians (with MQF Level 3 to Advanced Diploma Level) up to Technologists (Bachelor’s Degree level and above). As a whole, these professionals (Technologists and Technicians) have integrated roles from concept to reality.
PIKOM
Ministry of Labour
Malaysian Technical Standards Forum Bhd (MTSFB)
MRANTI
(Note: MaGIC and MIMOS were consolidated inside MRANTI)
Malaysia Open Data Portal
MyGDX
The following is a list of applicable legislation in the context of Malaysia that relate to this Policy Brief and its recommendations. A brief summary of their content is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that an applicable legislation is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
Federal Constitution
https://www.jac.gov.my/spk/images/stories/10_akta/perlembagaan_persekutuan/federal_constitution.pdf
An Act to regulate the processing of personal data in commercial transactions and to provide for matters connected with data collection, storage, processing, and transfer. This Act came into effect on 10 June 2010 with its most problematic component being the exclusion of government entities from accountability to this act.
An Act that publishes the establishment of a national Board of Technologists. It states the functions, powers, and other operational clauses of the Board. One of the functions outlined is the function “to determine and regulate the conduct and ethics of the technologist and technical profession” (Section 5(e)). This Act came into effect on 4 June 2015.
An Act to provide for and to regulate the converging communications and multimedia industries, and for incidental matters. The Communications and Multimedia Act 1998 which came into effect on the 1st of April 1999, provides a regulatory framework to cater for the convergence of the telecommunications, broadcasting and computing industries, with the objective of, among others, making Malaysia a major global center and hub for communications and multimedia information and content services. The Malaysian Communications and Multimedia Commission was appointed on the 1st November 1998 as the sole regulator of the new regulatory regime.
This is an Act to provide for the establishment of the Malaysian Communications and Multimedia Commission with powers to supervise and regulate the communications and multimedia activities in Malaysia, and to enforce the communications and multimedia laws of Malaysia, and for related matters. With its enactment on 15 October 1998, the commission came into existence. Commissioners are appointed by the Minister of Communications.
An Act to make provision for, and to regulate the use of, digital signatures and to provide for matters connected therewith.
The Digital Signature Act 1997, enforced on the 1st of October 1998, is an enabling law that allows for the development of, amongst others, e-commerce by providing an avenue for secure on-line transactions through the use of digital signatures. The Act provides a framework for the licensing and regulation of Certification Authorities, and gives legal recognition to digital signatures.
An Act to provide for the regulation and control of the practice of telemedicine; and for matters connected therewith. The Telemedicine Act 1997 is intended to provide a framework to enable licensed medical practitioners to practice medicine using audio, visual and data communications. To date, the Telemedicine Act has yet to be enforced.
The Computer Crimes Act 1997, effective as of the 1st of June 2000, created several offenses relating to the misuse of computers. Among others, it deals with unauthorized access to computer material, unauthorized access with intent to commit other offenses and unauthorized modification of computer contents. It also makes provisions to facilitate investigations for the enforcement of the Act.
An Act to provide for legal recognition of electronic messages in commercial transactions, the use of the electronic messages to fulfill legal requirements and to enable and facilitate commercial transactions through the use of electronic means and other matters connected therewith.
Amended from the original act in 1987, the Copyright Act. The Copyright (Amendment) Act 1997, which amended the Copyright Act 1987, came into force on the 1st of April 1999, to make unauthorized transmission of copyright works over the Internet an infringement of copyright. It is also an infringement of copyright to circumvent any effective technological measures aimed at restricting access to copyright works. These provisions are aimed at ensuring adequate protection of intellectual property rights for companies involved in content creation in the ICT and multimedia environment.
An Act to provide for legal recognition of electronic messages in dealings between the Government and the public, the use of electronic messages to fulfill legal requirements and to enable and facilitate the dealings through the use of electronic means and other matters connected therewith.
National Language Act
Source: NACSA
The following is a list of applicable regulations in the context of Malaysia that relate to this Policy Brief and its recommendations. A brief summary of their content is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that an applicable regulation is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
This regulation outlines the offenses in the PDPA (2010) that can be compounded and how to issue the compounds.
This regulation outlines the registration mechanism of data users from citation and commencement, interpretation, application, validity, renewal, change, replacement, display, and certified copy of the certificate.
This regulation outlines the objectives, targets, and obligations for universal service provisions (USPs) of national communications equipment.
This regulation outlines the standard conditions for individual and class licenses for communications service providers.
This regulation outlines the technical standards for universal service provisions (USPs), the certifications of communications equipment, as well as the suspension or cancellation, recall, and disposal of certified equipment.
The following is a list of National Plans in the context of Malaysia that relate to this Policy Brief and its recommendations. A brief summary of their content is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that an applicable National Plan is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
Malaysia Digital Economy Blueprint
National Data Sharing Policy (NDSP)
At the time of writing, the documentation related to the NDSP is not publicly available.
The following is a list of additional resources of interest, both national and international, that relate to this Policy Brief and its recommendations. A brief summary of their content or function is also included in order to understand better their relevance to the recommendations herein submitted.
Note: Should you note that a relevant resource is missing from this list, kindly reach out to The IO Foundation so we can analyze it and accordingly add it to this Policy Brief.
[1] BHEUU’s National Action Plan On Business And Human Rights
BHEUU’s mandate and strategy to develop Malaysia’s National Action Plan.
[2] United Nations Guiding Principles on Business and Human Rights
[3] Universal Declaration of Human Rights
Human Rights Impact Assessment
Data-Centric Digital Rights Framework
A framework for technologists composed of Principles, Taxonomies and other technical tools enabling them in their role as NextGen Rights Defenders.
TIOF's PDPA Comments 2020 submission
Data Protection and Digital Rights - Are Malaysians Concerned?
A global comparison of NAPs by the Danish Institute of Human Rights
Data Protection Laws of the world
A global comparison of Data Protection Laws by DLA Piper
ASEAN Digital Masterplan 2025
Business Process Model and Notation
https://www.bpmn.org/
Open Data Inventory (ODIN)
https://odin.opendatawatch.com/
Federal Legislation Portal
https://lom.agc.gov.my/
This brief was produced by The IO Foundation, with the inestimable support and contributions of (in alphabetical order):
Organizations
The IO Foundation
Global Partners Digital
Global Network Initiative
Malaysian Public Policy Competition team (by ICMS)
Individuals (in alphabetical order)
Helio Cola
Nunudzai Mrewa
Team Anonymous (MPPC 2022)
Wee Seng Chung
Tee Suk Huei
Tan Yan Ling
Team Bits & Bytes (MPPC 2022)
Kwong Tung Nan
Dhevasree
Mohd Luqmanul Hakim bin Malik
Wong Kar Ling
This document can be easily accessed with the following URL:
The IO Foundation encourages readers to freely share this document using the URL indicated above. Please keep in mind the licensing as described in the Licensing section.
The following document is released under The IO Foundation’s Productions License for Text in accordance with its Intellectual Property policy.
Website: https://TheIOFoundation.org
Know about our stance on Big Tech: Hey Big Tech! declaration
Review of Personal Data Protection Act 2010 (ACT 709)
Comments on Public Consultation Paper 01/2020
Review of Personal Data Protection Act 2010 (ACT 709)
This document is addressed to the Data Protection Commissioner of Jabatan Perlindungan Data Peribadi (JPDP), who has invited the public for a consultation on the current PDPA Review process (2020).
The IO Foundation (TIOF), is a global nonprofit advocating for data-centric Digital Rights, with a strong focus on the open infrastructures to observe them by design.
This document is a collection of comments over the document
that we hope will be taken into consideration by the PDP Commissioner.
Ultimately, the objectives of PDPA would be to:
Provide ample, effective protections to Data Subjects.
Foster a sustainable economy that is vibrant and observant of Human Rights.
Comply with international standards in Data Protection, fostering protection for Malaysian citizens beyond its application coverage.
Enact provisions for policies as well as indicate the necessary technical standards to observe them by design and this in a transparent manner for all parties involved (Data Subjects, Data Users and Data Processors alike).
The notes and comments here described aim at providing context to some of the Suggestions provided below.
While Data Subject, Data User and Data Processor are widely accepted and used terms, it is important to point out that “User” has a very different interpretation outside of Data Protection Laws (DPLs) and can thus easily create confusion and misinterpretation among those who should be protected by said regulation. DPLs expect citizens (commonly referred to as Users) to understand complex issues and make consequential decisions based on them. That being the case, the industry and regulators should adopt more user-friendly terminology.
While considering the protections sought by Data Protection Laws and their expected benefits, it is critical to understand the limitations that all involved stakeholders will face in their observance and enforcement.
One such limitation is the so-called Analog Hole, which essentially states that once information leaves the digital domain where it’s stored, no further digital controls can be enforced.
For instance, no matter the protections and compliance an organization would follow, if any sensitive data is exposed via a screen, it can be memorized, copied on a piece of paper, typed on another digital device or simply photographed.
In other words, all that is needed to copy a DRM-protected song is a good set of speakers and a good microphone.
Data Protection Laws traditionally focus on a number of stakeholders (Data Subjects, Data Users in their different categories, Data Processors).
One group of stakeholders that has traditionally been left aside, despite their direct implication in the proper use of technologies in societies, are programmers. At The IO Foundation we identify them as a critical actor in architecting and building the technologies that will deal with Data Subjects’ data.
Programmers are Data Subjects and work for/as Data Users and/or Data Processors. Their proper training during their academic period is crucial to ensure that they implement platforms that are observant of due protections by design.
While we tend to treat personal data as different from other Digital Assets (DA) from a legal perspective, the reality viewed from a usage-flow perspective is not so different.
For the most part, DAs are commercialized under licensing models instead of purchased like their physical counterparts. For instance, a movie purchased on any online digital entertainment platform (such as Google Play) won’t grant the user the same ownership over the product as its DVD counterpart. When observing the current DPL models worldwide, the rights provided to Data Subjects and the obligations mandated on Data Users and Data Processors are not much different from those of an equivalent licensing model.
In essence, if PDPA 2010 recognizes that a Data Subject may share data with a Data User while retaining control over it and defines provisions to ensure that requests of modification and/or deletion from the Data Subject are to be complied with by the Data User at all times, then the scenario can be understood as a model of licensing of a DA (Personal Data in this case) from the Data Subject to the Data User.
Realizing this licensing flow is relevant to understand the importance of the Ecosystem Sovereignty [C5].
It is noteworthy that DPLs worldwide concentrate too much on the regulatory aspects of the law and very little (if ever) on the actual technical implementation of the enacted provisions; Malaysia’s PDPA 2010 is no exception to this.
The lack of officially defined data schemas (which should be based on international open standards) or the lack of established standard methodologies for retaining data agency for Data Subjects (in the shape of official APIs packaged in a single SDK) has led to a situation where users cannot be sure that the specifics of their consent have been respected at all times. It is also impossible to create a standard methodology to ensure compliance as different vendors will undertake their own unique implementation. Such is the reality of policy documents being interpreted and translated by technologists. People working hand in hand cannot speak different languages.
The current landscape in digital services (very specially in digital platforms) is one of total control by the Service Provider over the Digital Assets (DA) they offer to their users. For instance, any DA offered by Apple and acquired via iTunes (music, movie, etc.) will remain under their control over said DA’s full lifecycle. This implies that all control over DAs remains, at all times, under the Service Provider; Users are only given a certain margin of usage based on the licensing conditions. If a DA is removed from the catalog, it will automatically be removed from all devices where it is stored, transparently for all parties and without possible recourse from the User. This is possible because all the actions that can be performed on the DA are to be had inside the Service Providers’ ecosystem, effectively creating a sovereign digital space over which Users have very little voice or control.
To this date, governments worldwide have concentrated on issuing legislative tools to protect their citizens’ data; Malaysia did so with PDPA 2010.
What is yet to be addressed is the infrastructure, the national ecosystem, over which such DPLs should be observed, transparently for all stakeholders.
As mentioned in [C6], tech companies are already doing this, allowing them to have full control on their Digital Assets. It’s time for Malaysia to start considering a similar approach to effectively protect its citizens’ data (effectively Digital Assets) in a much more proactive approach. This is, essentially, the missing piece to ensure the proactive observance of Data Subjects’ rights in a way that is conducive, minimizes the need for Remedy and still allows companies to build competitive services and products. At The IO Foundation we call this a National Framework on Digital Rights (NFDR). While the full conversation on the specifics and benefits of this implementation is beyond the scope of this document, it is relevant to comment that such an approach would require the close collaboration of the government, civil society and corporate to ensure that state actors do not abuse this powerful tool.
The usual procedures undertaken to enforce privacy in data manipulation fall into some of the different (pseudo) anonymization techniques. Their effectiveness relies on minimizing the number of Data Points available for re-identification, and striking a balance with the ability for Data Subjects to retain agency over their data is extremely difficult.
Moreover, research has pointed out techniques of re-identification that are extremely effective even on current Privacy methodologies.
It is going to be critical for PDPA to establish a clear list of Data Points, for instance for Sensitive Data, at the very least. Other similar catalog listings need to be investigated for Data Users and Data Processors to indicate which ones they are using and for what purpose. In summary, clear schemas need to be approved based on available international open standards.
The traditional understanding of data as separate entities from their Data Subjects is anchored in past perceptions and the use of legacy technologies. The reality is much different: The data representing Data Subjects (and of which they have control of consent) is intimately and inextricably linked to them; it models them, creating an accurate representation that loses all value should that contextualization be severed.
In consequence, Data IS the Data Subject. This proposition has severe consequences as the same duties of care that apply by the Federal Constitution to citizens must apply to the data representing them. In this sense, the necessary infrastructures that the government of Malaysia sets in place to protect their citizens (Hospitals, Highways, the Judiciary, ...) should also be extended to the management and protection of their data with a national cloud system based on open standards in the shape of an NFDR.
Initiatives such as the SDGs, UNGPs or Privacy by Design are set in place to define a clear international framework on Human Rights and the defense of their Privacy; together with the Federal Constitution, they collectively constitute the Rights from which Malaysian citizens could and should benefit.
Data Protection Laws should foster not only policies that protect Data Subjects’ data, they should be accompanied by the necessary technical specifications (based on open standards) to implement them.
Rights by Design is the approach of Policies and Tech being designed around the Rights of citizens to observe them in their planning, architecture and implementation, transparently for all stakeholders.
The UN Guiding Principles on Business and Human Rights (BHR) are structured around 3 Pillars, namely:
Pillar I: The State duty to protect
Pillar II: The Corporate responsibility to respect
Pillar III: Access to Remedy
From a proactive perspective on the use of technology (and therefore data protection), the objective should always be to avoid the occurrence of grievances, in turn minimizing the need for any Remedy along the use of technological products and services.
End Remedy represents the embodiment of the proactive planning, architecture and implementation of all necessary mechanisms, both in policy and technology, to prevent grievances from ever happening during the use of a product or a service, in turn minimizing the need for legal actions. In the context of PDPA, it implies the design of policies that protect Data Subjects and the implementation of such provisions in a transparent, trustworthy and safe manner where legal remedies, while defined, are employed as a safety net.
Note: Instilling this approach in the relevant stakeholders, namely in this case programmers (be it as Data Users or Data Processors), is a critical step to ensure that End Remedy becomes an integral part of the process.
It is observed that the regulation keeps focusing only on Policy and not on the technologies to implement its provisions.
Public consumption software (and by extension the manipulation of Data Subjects’ data) appears to be one of the few (if not the only) industries lacking checks and balances and proper certification schemes.
Recommendations
We encourage the PDP Commissioner
to recognize the critical importance of the implementing technologies for PDPA;
to recognize the need for a public, government-led infrastructure to store Malaysian citizens’ data;
to recognize the need for a government-led certification, based on open technical standards, for the transparent and automated observance of data processing operations mandated by PDPA;
to provide an open framework to interface with all Malaysian Data Subjects according to the provisions from PDPA;
to work with all stakeholders, in particular programmers and civil society, to develop the necessary procedures for the governance and maintenance of all of the above.
The text indicates that prior consultations have been had with a number of stakeholders, not explicitly mentioning civil society organizations (CSOs). It is important to emphasize that CSOs play a crucial role in ensuring that regulations are in accordance with international standards, both in the policy and tech perspectives.
Recommendations
We encourage the PDP Commissioner
to proactively involve identified CSOs in subsequent PDPA revisions, as well as related activities, inviting them for comments during the initial stages.
The text also indicates “taking into consideration the emerging issues” yet doesn’t include the list of said “emerging issues”, which would have been a productive indicator of the matters the PDP Commissioner wishes to focus on. Stakeholders could delve deeper into these issues, benefitting the overall conversation and providing the Commissioner with richer feedback. Moreover, the consultation itself focuses on improvement suggestions without revealing how the new proposed provisions will be formulated.
Recommendations
We encourage the PDP Commissioner
to list the emerging issues observed and the data supporting them for proper evaluation and consideration;
to share the proposed new version of the PDPA text so as to ensure that its language accurately reflects the Rights and Duties intended. In the interest of transparency, it would therefore be laudable to open a consultation for the revision of the final draft.
1) Data processor to have a direct obligation under Act 709
General comments on the suggestion
This provision was certainly needed from the onset. Data Users and Data Processors must be bound by the same obligations and observe the same Rights towards their Data Subjects.
Comments and recommendations on the Points to be considered
TIOF definitely supports a direct obligation for Data Processors, under the same terms as Data Users.
The text indicates “appointed” yet doesn’t seem to imply the appointers themselves (Federal Government and State Governments), which they should as they are effectively Data Users by virtue of providing the data to the Data Processors.
TIOF definitely supports such appointed Data Processors to also be under the same direct obligation as any data processing needs to be protected under the same terms.
Possible conflicts of interest may however arise depending on the nature of the information processed, which needs to be addressed by the PDP Commissioner in accordance with prevailing law.
Further comments and recommendations
The doubt remains as to which functions “appointed” Data Processors would serve, as PDPA, in its current form, is only focused on commercial transactions.
We encourage the PDP Commissioner
to clarify under which circumstances and for which services and transactions these Data Processors would be appointed. Clarifications on the appointment procedures would also be of great help.
2) The right to data portability
General comments on the suggestion
It is important to understand that the “Data Portability” conversation tends to be extremely skewed. Typically, service providers only refer to extracted data (data obtained from Data Subjects as well as produced by them - such as social media posts). There is however a much more critical set of Data Points typically left behind: derived data, information learned from the Data Subject as a result of the processing of their extracted data. Derived data should also be accessible to the Data Users as it represents an integral part of them [P1].
Comments and recommendations on the Points to be considered
Following the above, it is critical to consider the following aspects:
Which data will be considered under this provision?
Which data format will be used for this portability?
How to ensure full compatibility and full portability of all data (extracted and derived) if a common standard is not put in place for all parties?
Will portability in this suggestion consider cross border transfers? That being the case, which protection mechanisms will be considered, especially when the destination may be under a less protective DPL (if it has one at all)?
Further comments and recommendations
The questions posed above reinforce the need to look at data protection from a more holistic approach (policy + tech).
We encourage the PDP Commissioner
to establish a complete definition (schemas) of Data Points for compliance, based on open standards to be used as reference for Data Users and Data Processors;
to mandate the compliance of Data Users and Data Processors to register their data points and operations accordingly;
to promote the implementation of a national cloud system to store and protect all data from its national citizens;
to include a provision of an SDK to implement and observe these requirements in the easiest way for all parties as a service of the national cloud;
to mandate all data portability to be compliant with the resulting National Framework on Digital Rights.
3) Data user to appoint a Data Protection Officer
General comments on the suggestion
The language employed in this suggestion seems to imply that it would only be applicable to Data Users, exempting Data Processors, while the same duties and obligations should apply to both.
On the other hand, cost will be an issue for smaller organizations as it has been observed in many other jurisdictions, effectively creating a disadvantage for startups that won’t be able to compete with well-funded, fully established Data Users.
We encourage the PDP Commissioner
to clarify why this provision would only apply to Data Users and not to Data Processors.
Comments and recommendations on the Points to be considered
We fully support the existence of a Data Protection Officer from a conceptual point of view although implemented differently (see below).
Concerning the elements to be considered:
“Size” gives a very dangerous impression that “smaller companies” could be neither accountable nor liable, creating a discriminatory situation and putting Data Subjects under very real threats of misuse of their data.
It would also create a potential scenario of “Partition to avoid responsibility” where bigger companies with resources could adopt a strategy to create smaller subsidiaries to fall out of the requirements to appoint a DPO.
“Type of Data” (based on the Data Point schema) should also be an element of consideration.
Further comments and recommendations
TIOF believes that the most effective solution would be for JPDP to act as a national DPO. This would be by means of a dedicated department/commission regulating Data Point definitions as well as a national cloud infrastructure and the necessary SDK for Data Users and Data Processors to be compliant with PDPA. Such an entity's governance should be properly designed to ensure the observance and compliance of technical standards, Human Rights standards and business needs.
This approach would provide a much more efficient and automated way to comply with PDPA, protecting Data Subjects while allowing companies to focus on developing new and better services. A national cloud would effectively outsource these problems by leveling the playing field and de-risking companies. In turn, it would foster competition in a thriving startup ecosystem and better compliance with PDPA.
4) Data user to report data breach incident to the Commissioner
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
In general, data breaches should be notified to both the PDP Commissioner and also the affected Data Subjects. It is hardly acceptable that citizens, who are ultimately the most affected by the breach, wouldn’t be informed on the spot so that they can take measures to protect themselves against the leaked information. This is extremely relevant in data points such as passwords, private keys and other means of identification that can be used for digital impersonation.
It is important to consider that “Remedy” is a last resort solution. Instead, and this is especially true in technology, a proactive mindset is to be instilled in all parties.
From regulations to implementation, all involved parties should strive towards the “End Remedy” Principle to ensure automatic compliance minimizes the need for Remedy.
Further comments and recommendations
The issuance of “a guideline on the mechanism of data breach incident reporting” should only serve as a guideline. Data Users and Data Processors should be provided with automated facilities for such reporting, a situation that is already considered in certain DPLs such as EU-GDPR for specific scenarios.
It is however important to understand that it is rare for the information exposed by any data breach to not be comprised of critical data, even more so when considering the I am my data principle [P1] and the existing methodologies to re-identify Data Subjects, placing the privacy at risk.
While there is an understanding about the reputation implications of a Data User or Data Processor in the event of a data breach, this should not be used as an argument to avoid the same level of transparency and accountability that is expected for financial transactions.
5) Clarity in the consent of data subject
General comments on the suggestion
This suggestion revolves around the concept of consent, which is very disputed in many circles; especially when it is discussed in association with the concept of Ownership.
TIOF defends the position that Data Subjects do own their data, following the I am my data principle [P1]. On the controversy that allowing data ownership leads to allowing the merchandising of personal data, we propose that this need not be the case and that effective legal and technical measures can and should be set in place for this control.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
What is the position of Malaysia in terms of data ownership?
How can consent be given if the Data Subject is not the legal owner of the data?
What stops Data Users or Data Processors from appropriating data from Data Subjects if they are not the legal owners?
The text also fails to mention one key element of consent: the understanding by the Data Subject of what said consent will entail. The average Data Subject has never read PDPA, which is still a vague concept even for many Data Users and Data Processors.
Which evaluations have been made to measure the level of understanding of Data Subjects upon consent?
Are there any capacity building and awareness campaigns envisioned in the months after the enactment of the new PDPA?
Finally, the text mentions “sensitive personal data”, which to this date remains a non-comprehensive list of Data Points. This creates a lot of uncertainty and enables all sorts of potential grievances, which is something to avoid following the End Remedy principle [P3].
Comments and recommendations on the Points to be considered
PDPA (and all other Data Protection Laws) operates from the perspective that Data Subjects must understand its provisions, and this is seldom the case. It is also one of the few (if not the only?) laws that expects to be fully understood so that daily decisions on data, in this case consent, are well informed.
Taking a few other examples, very few citizens are informed of the Food and Hygiene regulations yet assume that proper checks and balances are done to ensure their food is safe for consumption. Similarly, very few citizens are aware of the technical requirements of highways; their usage requires, in turn, for citizens to pass an examination. Data protection laws expect the former without considering the latter.
Assuming that data is a subject matter that will attract citizens into reading, understanding and learning PDPA is not a realistic expectation.
Instead, other measures should be implemented such as a national cloud ecosystem [C7] to ensure PDPA observance.
Default consent: Data Subjects don’t care about and/or understand the concept of consent. This provision would open the flood gates to data abuse. To illustrate one equivalent situation, one does not “default consent” to let a stranger enter their house; instead, access is granted on a case-by-case basis. The same must apply for consent over one’s data.
We encourage the PDP Commissioner
to establish an official Data Points schema, based on open standards;
to work towards a national infrastructure cloud and its related National Framework on Digital Rights;
to not create a single provision that could, in any way, allow for default Consent;
to investigate the necessary mechanisms to establish the mandatory protections with the collaboration of other governmental institutions to make it illegal to sell (only to license) personal data;
to foster, even make mandatory, the translation of ToUs and Data & Privacy policies into more user-friendly systems such as Consent Commons.
Further comments and recommendations
Producing visual aids for ToUs is a first good step towards awareness. One step beyond would be to categorize such elements (for instance 3rd Party sharing) and turn them into personal settings that devices should implement by law. This would allow users to filter, in a more user-friendly manner, the services Data Subjects are provided in their digital interactions.
We encourage the PDP Commissioner
to conduct research on codification for ToUs (and others) from a programmatic point of view;
to implement a platform (SDK) that will allow digital services to categorize themselves;
to promote among OS developers to incorporate these categorizations as OS-level settings.
6) Transfer of personal data to places outside Malaysia
General comments on the suggestion
The text makes some concerning assumptions. Should a Data Subject’s data really be a commodity considered in FTAs? It is relevant to mention that the I am my Data principle [P1] effectively turns “Data transfers” into a situation akin to “Data Trafficking”.
The text also fails to explain the reasons as to why the Whitelist has not been implemented so far. These are necessary to properly evaluate the question posed.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
What is the position of the PDP Commissioner on whether personal data is a trading commodity or something much more intimate and personal that requires special care and protection [P1]?
Which FTAs are related, in one way or another, to PDPA?
What are the reasons for the Whitelist never happening?
Comments and recommendations on the Points to be considered
There is no reason why keeping the Whitelist provision is a bad idea. It’s better to have it there, in case it is needed in the future.
On the other hand, since PDPA has no extraterritorial scope, transferring data outside of Malaysia’s jurisdiction is incredibly dangerous.
We encourage the PDP Commissioner
to keep the Whitelist provision in the new PDPA revision;
to establish restrictions on the transfer of data to territories with a lesser degree of protection for Data Subjects.
Further comments and recommendations
None.
7) Data User to implement privacy by design
General comments on the suggestion
The suggestion only mentions Data Users while Data Processors are just as important.
On the subject of Privacy by Design (PbD), a number of doubts arise, especially on the scope and the actual implementation of such solutions. This is especially relevant when considering re-identification strategies.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
PbD is to be considered for which states?
Which technical open standards are to be encouraged/adopted by the PDP Commissioner?
What are the provisions to enforce PbD in transit (Infrastructure providers)?
Since FTAs and cross border transfers are being considered, how can Malaysia enforce an equivalent PbD protection once the data leaves the country?
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
to mandate PbD to not only Data Users but also Data Processors;
to research and implement a national infrastructure based on open standards;
to restrict cross border transfers should the jurisdiction at destination offer less protections and guarantees to the Data Subjects;
to actively collaborate with other states and jurisdictions to foster interoperability between national infrastructures so that the same level of protection is ensured in cross border transfers.
Further comments and recommendations
Privacy by Design is a concept oriented at protecting Data Subjects from a number of harms, essentially rooted in the collection of Rights applying to them. From a data-centric perspective, the same applies: Data has Digital Rights as it is an intimate representation of its Data Subject [P1].
It is however not possible to make an actual definition of Digital Rights without first establishing a clear definition of Digital Harms. There is currently no worldwide consensus on this subject.
Finally, it is relevant to point out that while PbD is a method to observe and protect Digital Rights, it is superseded when the subject of data protection is considered as a whole: all provisions and all technical implementations should be guided by the set of Rights that Data Subjects are entitled to, not only the Right to Privacy.
We encourage the PDP Commissioner
to conduct research on Digital Harms;
to consider future revisions of PDPA around the concept of Rights by Design.
8) Data User to establish Do Not Call Registry
General comments on the suggestion
When considering a DNCR, especially if Privacy by Design is desired, it must be stressed that Privacy is not only about protecting the data; it also implies not using that data to establish an unwarranted contact.
It is equally relevant to mention that the stress effect on citizens/users must always be considered, as an excess of stimuli tends to create burn-out effects that translate into relaxed (oftentimes to the point of neglect) decisions.
In layman's terms, default Opt-in is the equivalent of having a parade of salespersons right by the user's doormat.
The text also mentions "the right of an individual", without providing more context. A more precise definition would greatly help the conversation as the phrasing raises legitimate concerns on the mentioned “balance”. There is in fact no balance to be found: Rights are to be protected and observed at all times, no exceptions.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
Does the PDP Commissioner have any data on research done over the impact of default Opt-in on citizens (ranging from costs (spam) to emotional impact)?
What are the Rights of an individual considered by the PDP Commissioner?
Are there any definitions of those Rights that establish exceptions of any kind for business reasons?
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
to enforce non-mandatory Opt-in in PDPA and instead enforce mandatory Opt-out and voluntary Opt-in;
to promote among OS developers to incorporate Opt-out as OS-level settings.
Further comments and recommendations
None.
9) Right of Data Subjects to know the third party to which their data has been or may be disclosed to
General comments on the suggestion
Again, the text is operating from the assumption that Data Subjects are not only aware of PDPA but moreover understand it in its entirety. This is truly not the case, let alone analyzing the consequences of their decisions of such sharing. This requires a level of analysis that is typically beyond the average consumer.
Comments and recommendations on the Points to be considered
There is a clear need to implement a standard registry, a unified log, of all 3rd parties that may have been granted access to a Data Subject’s data as a consequence of their consent with a specific Data User. These 3rd parties are in turn to be considered Data Users as well. This should also automatically extend to the Data Processors employed by the 3rd parties.
In turn, any 3rd party should disclose which other 3rd Parties are equally given access and so on; special mention to 3rd parties that may export data outside of the coverage of PDPA and to legislations with lesser protection.
All these parties are to be considered equally accountable under the provisions of PDPA.
The enormous issues and enforcement complications this model implies are reduced by moving into a national cloud and vendors coming over to the country for operations.
Regardless, any such 3rd party sharings should be clearly specified to the Data Subject. Methods such as Consent Commons are encouraged.
We encourage the PDP Commissioner
to consider all the lifecycle of data manipulation and processing that a set of data may undergo;
to ensure that all Data Users and Data Processors involved in such lifecycle are bound by PDPA;
to observe different models of data sharing that would facilitate a much more efficient system to observe PDPA from a technical perspective, such as the PPC model.
Further comments and recommendations
Ideally, Data Subjects should be fully informed about the full cycle of usage of their data (from acquisition to disposal of their data, along to all sharing episodes and processing of it) while retaining their agency at all times. The sheer amount of data this represents is much too vast to expect that any Data Subject will be able to exercise their rights properly.
We encourage the PDP Commissioner
to promote the implementation of a national cloud system to store and protect all data from its national citizens;
to include a provision of an SDK to implement and observe these requirements in the easiest way for all parties as a service of the national cloud.
10) Civil litigation against Data User
General comments on the suggestion
While provisions for civil litigation, as well as any other legal protections awarded to Data Subjects, are laudable, the reality is that very few Data Subjects will have the means (financial and in time) to prosecute grievances. This is further exacerbated if the provision of data breach notification only applies towards the PDP Commissioner, as Data Subjects will potentially be unaware of the grievance itself.
This has always been an identified problem, one that has led Data Subjects to neglect defending their Rights. Instead, a more proactive approach is needed to minimize the need for litigation in the first place, following the End Remedy principle [P3].
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
to enable provisions for civil litigation to be available as a last resort;
to promote End Remedy [P3] among the sector to enable a more transparent observance of PDPA (and thus the protection of Data Subjects and their data);
to undertake active capacity building to instill End Remedy [P3] in the current community of programmers;
to take measures to instill End Remedy [P3] in academia to prepare next generations of programmers.
Further comments and recommendations
None.
11) Address Privacy issues arising from data collection endpoints
General comments on the suggestion
Judging by the text, it is to be understood that collection endpoints refer to IoT devices (possibly among others). It is important to mention that, despite marketing efforts from manufacturers, the usage of data collection endpoints (IoT) is profiling, as their business model is not based on selling the devices but on having access to the data produced and selling it to 3rd parties. In this regard, data breaches are only one side of the problem, as data-sharing-by-design is an actual architectural decision. One that harms Data Subjects.
Most of these devices are manufactured abroad and, by design, send data outside of Malaysia’s jurisdiction.
There is also a distinction to be made when an IoT device purchased by one Data Subject may be extracting data from other Data Subjects without their knowledge and/or consent.
Moreover, we must remember that protecting data in transit is just as crucial.
It is interesting to note that the text seems to be a recognition of the I Am My Data [P1].
A part of the text is not clear and, by virtue of a possible misinterpretation, could suggest that business interests are above people’s rights.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
Is the PDP Commissioner implying that business interests are above people and their rights?
What are the protections that the PDP Commissioner envisions to protect Data Subjects exposed to th
How can PDPA be enforced on such devices with such behaviors by design?
Comments and recommendations on the Points to be considered
The same protections have been mentioned in past suggestions for this problem.
We encourage the PDP Commissioner
to establish an official Data Points schema, based on open standards;
to work towards a national infrastructure cloud and its related National Framework on Digital Rights;
to implement provisions to avoid automatic data extraction via IoT devices;
to study, with other government bodies, the design and implementation of local IoT devices.
Further comments and recommendations
Reflecting on data collection endpoints easily shows how vulnerable our data is to non-consensual, 3rd party extraction.
This has hardly anything to do with FTAs and reinforces the argument that Malaysia should have its own national ecosystem, which we emphatically request of the PDP Commissioner.
12) The application of Act 709 to the Federal Government and State Governments
General comments on the suggestion
This will be a necessary step if Malaysia wishes to comply with international standards of protection. It is also a mandatory requirement of international treaties such as C108+.
Moreover, if Malaysia wishes that its Data Subjects' data is stored and processed in a compliant way (under the provisions of PDPA and with the protection of principles such as PbD), how could it possibly gain foreign respect and trust if PDPA does not provide the same levels of protection? This imbalance could cause certain countries to not allow the transfer of their sovereign data to Malaysian Data Users and Data Processors. Instead, a much more conducive scenario would be an increasing alignment among equally protective regions/territories where data flows would be protected by the same Rights and Duties.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
Does the PDP Commissioner envision Malaysia as a signatory of C108+?
Comments and recommendations on the Points to be considered
Making all potential Data Users and Data Processors accountable and ensuring that they make legal use of the Data Subjects’ data should be a priority of all DPLs.
We encourage the PDP Commissioner
To enable the necessary provisions to make PDPA applicable to Government and State Governments.
Further comments and recommendations
None.
13) The exchange of personal data for Data Users with an entity located outside of Malaysia
General comments on the suggestion
In the text, the word "exchange" creates the impression that personal data is considered a commodity, which is a very worrying idea.
The main consideration to be had is which jurisdictions the data may be transferred to. Allowing just about any transfer to a territory with a DPL with poor protective provisions would render the Malaysian PDPA virtually unenforceable. Furthermore, should this be possible, we must consider the scenario in which companies with enough resources could create entities in such territories to bypass any effective protection derived from PDPA.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
Does the PDP Commissioner consider data as a commodity?
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
to consider provisions that restrict the cross border transference of data protected by PDPA to territories and/or jurisdictions with a lesser level of protection.
Further comments and recommendations
Again, this conversation makes it clear that a national ecosystem would be an overall much better and more protective approach.
14) Exemption of business contact information from compliance with Act 709
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
This suggestion makes sense and should, in fact, be extended to all publicly available contact information. For instance, the contact data from a University Department is typically available through their website so that its members can be reached easily.
There must be a recognition of the several roles a citizen plays, which is represented by different data personas, in turn having their own contact channels. Public information, while protected against abuse, should still be protected by PDPA yet treated in its liability differently.
We encourage the PDP Commissioner
To still consider this data under PDPA;
To create a provision mentioning the exceptional nature of such public data and treat it differently.
Further comments and recommendations
None.
15) Disclosure of personal data to government regulatory agency
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
16) Class of Data User based on business activity
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
This classification should be part of the parameters offered in the Digital Rights SDK settings mentioned in previous suggestions.
17) Voluntary registration
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
18) The application of Act 709 to non-commercial activity
General comments on the suggestion
The text doesn’t describe the list of non-commercial transactions that are to be considered. This would be necessary for a more informed conversation.
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
What are the non-commercial transactions the PDP Commissioner would like to consider?
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
19) The application of Act 709 to Data Users outside of Malaysia which monitor Malaysian Data Subjects
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
20) Data Users to provide a clear mechanism on the way to unsubscribe from online services
General comments on the suggestion
In this context, we would like to request the PDP Commissioner to reflect and share its views on the following:
What is the definition of “online” in the views of the PDP Commissioner?
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
To not consider only “online” channels but rather ANY communication channel (SMS, printed, automated voice calls, etc.).
Further comments and recommendations
None.
21) Data Users are allowed to make first direct marketing call
General comments on the suggestion
This suggestion seems, overall, impossible to enforce. Users won't be protected from abuse, which is the main aim of PDPA. Experience so far shows that forced, poorly communicated opt-in will be the norm. Moreover, it is already too common a practice to make the provision of services or sales conditional on Opt-in.
Any Opt-in should be logged properly.
Comments and recommendations on the Points to be considered
We encourage the PDP Commissioner
To not allow for this provision to be enacted.
To ensure that any Opt-in is properly logged by all Data Users.
Further comments and recommendations
None.
22) The processing of personal data in cloud computing
General comments on the suggestion
None.
Comments and recommendations on the Points to be considered
None.
Further comments and recommendations
None.
The current PDPA revision is a step forward in strengthening Malaysia’s PDPA.
We hope for further efforts to make it more compliant with international standards, hopefully to the extent of enabling Malaysia to subscribe to international treaties such as Convention 108+ from the European Council.
The IO Foundation would also want to stress the importance of rethinking some of the inherited concepts on data that we have kept dragging along for so many decades and that are a hindrance to a safe, transparent and trustworthy protection of Data Subjects.
It is going to become increasingly critical to establish strict Data Points schemas for compliance, to recognize the intimate (and non-severable) connection between Data Subjects and their data, to create a national cloud infrastructure to protect that data and to provide all stakeholders with tools to be able to use it safely.
These are subjects that will spark a lot of conversation in the years to come and we invite the PDP Commissioner to be part of them.
Personal Data Protection Act, Malaysia
www.agc.gov.my/agcportal/index.php?r=portal2/lom2&id=2225
Analog Hole
https://en.wikipedia.org/wiki/Analog_hole
RFC 8280 - Research into Human Rights Protocol Considerations
https://trac.tools.ietf.org/html/rfc8280
The Contract for the Web
https://contractfortheweb.org/
Me2B Alliance
The Data Transfer Project (DTP)
https://en.wikipedia.org/wiki/Data_Transfer_Project
https://datatransferproject.dev/
Estimating the success of re-identifications in incomplete datasets using generative models
https://www.nature.com/articles/s41467-019-10933-3
Consent Commons
Solid
https://solid.inrupt.com/
DataSwift
https://dataswift.io/
Jean F. Queralt - Founder & CEO, The IO Foundation