September 26, 2009


Imagine this situation. Normally, when you book a flight ticket, you give personal data such as your National Registration Identity Card (NRIC) number, full name, address, and passport number to the airline company. All of this information is your private data. Suppose the airline company uses this personal data for another purpose without asking your permission. Is there any legal action that you can take against that company? Actually, it is very hard for you to take any legal action because in Malaysia there is no clear provision that governs this issue. Can you imagine what will happen to you if the personal data that you gave for one purpose has been used for something else without your permission, but you have no right to take legal action because no reference has been made to the existing law, nor has any examination been made to see whether any relevant legal protection may be afforded to protect the personal data of individuals?

Based on the article “Poor privacy protection in Malaysia, says Privacy International”, Malaysia scored miserably in the international ranking on privacy for 2007. In the International Privacy Ranking released on 28 December 2007, Malaysia shared the last spot with China and Russia and was categorised among the “endemic surveillance societies”. Malaysia’s poor record in privacy protection was said to be because of the absence of a right to privacy in the constitution and other laws. The Centre for Independent Journalism executive director Gayathry Venkiteswaran said there is generally very little appreciation for privacy and data protection in Malaysia, and individual information is easily available to the authorities and other parties. She also said that individual information is not protected and can be used by virtually anyone for any purpose, while the authorities keep public interest information such as development deals, concessionaire agreements and consultancy agreements secret under the Official Secrets Act.

To protect personal data, Malaysia prepared draft legislation in 1998, but it has yet to be tabled in Parliament. There are several reasons that make it necessary to have legislation to regulate this aspect. Among the reasons are (“Protection of Online Privacy & Its Impact on E-Commerce” by Hurriyah El Islamy):

1. The ability of technology to gather, retrieve, disseminate and manipulate personal data has given rise to concerns that the privacy of the individuals can be easily compromised and abused.

2. Security and privacy are often cited as some of the main reasons for the slow growth of electronic transactions.

3. The legislation may promote e-commerce in the country, as the availability of legal protection of personal data will encourage the consumers to transact online.

4. Having legislation is necessary for some countries to counter the effect of regulation that gives room for activities that may amount to privacy intrusion, such as unwarranted police wiretapping or corporate abuse of information.

5. There is a need to respond to legislative developments in other parts of the world in order to lift the data-sharing restriction imposed by several states’ legislation.

6. The last reason is one of the main concerns of many countries, regardless of each country’s preferred method of regulating the flow of information over the Internet.

Most countries have enacted statutes related to data protection in order to protect personal data against misuse by irresponsible parties. With a statute that governs personal data (i.e. a Data Protection Act), we have the right to take legal action if anything happens to our personal data. Besides that, the protection of personal data is also important to provide safeguards against abuse of provisions that permit the commission of acts that would otherwise amount to an invasion of data privacy. For example, section 79 of the Digital Signatures Act 1997 provides that a police officer conducting a search with or without warrant (in accordance with sections 77 and 79 respectively) shall be given access to computerised data whether stored in a computer or otherwise (s. 79(1)). Without a legal provision that protects personal data, these provisions and any other provisions of a similar nature can easily be abused. To prevent this from happening, we need a legal provision on this issue.

In conclusion, our personal data is not protected in Malaysia because there is no clear provision that governs it. Therefore, Parliament should pass the Bill of Personal Data Protection to ensure that our personal data will be protected.

September 13, 2009


Position of Data Privacy in Malaysia


Most countries around the world, such as the US and European countries, have their own laws governing data privacy. Third world countries, or in other words developing countries such as Malaysia, have eventually realized the importance of protecting personal data. The advancement of technology and the increasing number of cyber crime cases in Malaysia show that there is a need to enact a law on data privacy. An expert in cyber law and former dean at University Malaya, Prof Abu Bakar Munir, stated in his comment that ‘the recommendation to enact law relating to data privacy in Malaysia had been voiced since 10 years ago and, compared with other countries in Europe or even Asian countries, Malaysia had been left far behind regarding this issue’ - Bernama. Despite that, a bill on the protection of data privacy will be tabled in Parliament in October by the Minister of Communication and Culture, Datuk Seri Dr Rais Yatim.

Generally protect the data of the government whether it is state or federal government. A government servant must not reveal information or data to anyone not authorized by the government to have it. The specific scope of this Act covers and applies only to government servants and protects official information and data only. How about our personal data? It seems that the Act cannot be relied on if our personal information is exposed to irresponsible bodies, organizations or individuals.

The bill is being introduced to protect personal data in Malaysia, but if the Act contains exceptions allowing certain organizations, bodies or even the government to use the data for some reasons, the Act will be an ineffective measure for its purpose. However, Datuk Seri Dr Rais Yatim stated that the Act will be applied only in the private sector and not to the government. In contrast, Prof Abu Bakar Munir suggested that the Act should be imposed strictly, without any exceptions, intervention or interests of others (political or personal interest). Because of this difference of opinion, critical discussion should be held, and the majority opinion of experts should be taken into consideration to make the Act more effective and relevant to implement. The question that needs to be answered is: to what extent is the Act sufficient to preserve and protect personal data?

For your information, besides the bill on protection of data privacy, the other bill that will be tabled is the Bill of Freedom of Information 2008. The purpose of the Act has become a constitutional issue and is highly debated by politicians and academicians in Malaysia. The bill was introduced by the opposition party, and the Chief Minister of Selangor stated that the bill will be tabled in the State Assembly (as an enactment) in November. Because of that, the opposition party suggested that the bill be tabled in Parliament (as an Act). Moreover, the bill is intended to uphold the freedom of speech under Article 10 of the Federal Constitution. The bill provides that anyone (private or public sector) can file an application to obtain the personal information of others with sufficient and reasonable reason. If the responsible body or organization refuses, it is subject to civil and criminal proceedings under Schedule 8 of the bill. Schedule 4 of the bill provides exceptions for those who refuse to give the information requested. The Bill of Freedom of Information 2008, which gives freedom to obtain information about a person, may conflict with the Bill of Protection of Data Privacy, which does not allow the exposure of anyone's information. Thus, Parliament should note these problems and discuss the issue further for the benefit of the public at large.

This bill is known as the DNA data bank. It has been criticised by many people. However, there is a need to implement this Act:

1. Improving the police’s solving rate further.
2. To mitigate CSI mistakes, which sometimes help criminals to escape.

In contrast:

1. As evidence in court, it has an impact on the judicial process. Police have a better title to decide a case.
2. It infringes the personal right to privacy.
3. The head of the DNA data bank has sole discretion to destroy a sample, which may lead to misuse, abuse and injustice where the data is conclusive evidence in court.


The implementation of the Act and the tabling of the Bills should be specific and should not be tied to any political or personal interest. The Act or Bills should be enacted solely for the benefit of the public. Thus, whether the Act or Bills are relevant depends on the current situation and the interest of the legislative body in legislating the law.

September 5, 2009


Each country has its own law on data privacy. The following list contains the data privacy laws of some countries and regions of the world:

United Kingdom: UK Data Protection Act 1998
The UK Data Protection Act 1998 provides comprehensive data protection in the United Kingdom.
European Union: European Union Data Protection Directive 1998
It deals with the protection of individuals with regard to the processing of personal data and with the free movement of such data. It is also the world's most comprehensive data protection legislation.
Canada: The Privacy Act-July 1983
Hong Kong: Personal Data Ordinance (The Ordinance)
Japan: Personal Information Protection Law (Act)
Basically, the purpose of the Act is to protect the rights and interests of individuals.
Netherlands: Personal Data Protection Act 2000
Brazil: privacy protection is currently governed by Article 5 of the 1988 Constitution, which generally states that all persons are equal before the law, Brazilians and foreigners residing in the country being ensured of inviolability of the right to life, to liberty, to equality, to security and property.

Data protection in the United States

The right to privacy is recognized in several international agreements, such as Article 12 of the Universal Declaration of Human Rights, which states that no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour or reputation. It also provides that everyone has the right to the protection of the law. In the United States, there is no comprehensive data protection legislation. The term privacy does not appear in the US Constitution. However, the US Supreme Court has ruled that the right to privacy arises from various amendments to the Constitution. The US Supreme Court first recognized the right to information privacy in the case of Whalen v. Roe. Since there is no comprehensive data protection legislation, a number of laws have been enacted based on court decisions and international agreements. The most important Acts to refer to are the Privacy Act of 1974 and the Computer Security Act of 1987. These two laws deal specifically with personal information held by the federal government and have no authority over the collection of personal information held by the private sector. The Privacy Act protects personal information in federal databases and also gives individuals some rights over the information contained in those databases. The basic principle in both Acts is to provide individuals with the right of access to information about themselves, and they require that personal information can be disclosed only with the individual's consent. Besides that, another law that provides for data privacy protection is the Computer Security Act of 1987. It deals with personal information in federal record systems and also protects the security of sensitive personal information in those systems.

Data protection in Europe

In Europe, there are two national policies that deal with data privacy protection. The related laws are the Council of Europe's Convention on Data Protection and the Europe Data Directive. European privacy law covers privacy protection for both the public and private sectors. The Convention recognizes the right to privacy as one of the fundamental human rights. The Council was concerned with the processing of personal data, and in the late 1960s a survey was conducted with regard to human rights. The survey concluded that the existing law did not provide adequate protection for individuals. Due to those concerns, many efforts have been made to solve the problem and give individuals better protection.

Meanwhile, the EU Data Directive was adopted in October 1995. It specifically acknowledges the individual's right to privacy.
The EU Data Privacy sets standards for the treatment of personal data collected from individuals and for individuals' rights to access, notification and correction.

In conclusion, Malaysia does not have comprehensive data protection as other countries do. If we compare with the law of data protection in the US, when US citizens deal with government bodies, their data privacy is protected. However, when someone deals with individuals or businesses, there are no clear provisions regarding data protection. The situation is different in the United Kingdom, which has sufficient data protection because it has the UK Data Protection Act 1998 (Article: Information Privacy in Malaysia: A Legal Perspective [2005] 1 MLJ xxv).


Case 1

Durant v Financial Services Authority [2003] EWCA Civ 1746

This case is about the claimant, or appellant, Mr Michael John Durant, who sought disclosure of information that he claimed to be his personal data under section 7 of the Data Protection Act 1998. When Mr Durant claimed his personal data, the Financial Services Authority responded but refused to give further information when the claimant sought further disclosure.

The appeal therefore gives the public an opportunity to learn the proper interpretation of certain provisions of the Act and so to understand an individual's right to disclosure of his personal data held by others. Mr Durant claimed disclosure because he had lost litigation against Barclays Bank PLC and thus sought disclosure of various records in connection with the dispute.

The judge held that the information sought by Mr Durant was not 'personal data' within the meaning of the Act and thus dismissed the appeal. For further reading, click here.

Case 2

Criminal Proceedings v Lindqvist (Case C101/01) [2004] All ER (EC) 561

This case is about the defendant, who set up a homepage on the internet. She set up internet pages at home on her personal computer to allow parishioners to obtain information they might need. The pages contained information about the applicant and her 18 colleagues in the parish, including their:
  • full names
  • some first names
  • jobs
  • hobbies
  • family circumstances
  • telephone numbers
She also stated that one colleague had injured her foot and was on half time on medical grounds. She did not obtain consent to disclose all this information.

The public prosecutor brought a prosecution against the defendant, charging her under the Swedish Law on Personal Data on the ground that she had possessed personal data without giving notification.

It was held that all her actions fell within the definition of Article 3(1) of European Parliament and Council Directive 95/96. Besides, such processing of personal data is not covered by any of the exceptions in Article 3(2) of the Directive. There was no transfer of data to a third country, nor any conflict with the general principle of freedom of expression or other freedoms. Order accordingly.

For further reading, click here.

Case 3

Murray v Big Picture [2008] 2 FLR 599

This case is about invasion of personal privacy. The child's mother was a world famous author, namely the author of the Harry Potter books, which she wrote under the name of JK Rowling. The parents had taken the necessary steps to secure and maintain their privacy, and their child was never exposed to the public. When the child was one year old, a photographer took a picture of the child and his parents in a public place. The photo was sold to a national organization and, as a result, was published in a magazine. The child issued proceedings against the photography agency, seeking an injunction to prevent the photo from being publicized without his consent. The child also asked for damages on the ground of infringement of his right to privacy under Art 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms 1950 and also for the misuse of private information.
The Court of Appeal, in allowing the appeal, held that the child has his own right to privacy, and the respondent was held liable for the infringement of that right. For further reading, please click here.

Case 4

Douglas and others v Hello Limited and others [2003] EMLR 585

This case involved a Hollywood celebrity, Catherine Zeta Jones, and her husband Michael Douglas. On their wedding day on 18 November 2000, they had sold the exclusive right to publish all the wedding photos to OK! magazine only. The dispute kicked off when a photographer not from OK! magazine entered the Douglases' wedding and sold his unauthorised photographs of the wedding to Hello! magazine. The claimants commenced these proceedings by applying for an injunction to prevent publication of the unauthorised photographs in Hello! magazine. The Douglases also sought damages from Hello! for breach of privacy, while OK! magazine sought compensation for the loss of its exclusive right to publish.
The Court of Appeal held that in this case the protected information was the photographs of the Douglases' wedding. Applying the test propounded by the House of Lords in Campbell v MGN, the court found that photographs of the wedding fell within the protection of the law of confidentiality as extended to cover private or personal information.

For further reading, click here.

September 3, 2009


1. The Council of Europe (CE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data;

2. The Organization for Economic Cooperation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data;

3. European Union’s Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data (Data Protection Directive);

Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data

Date of release: 28th January 1981.
Organizer: Council of Europe.
Objective: Article 1

“Object and Purpose”

“The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").”

This convention also provides that those who want to become members must abide by its requirements, namely ensuring that their national legislation contains these basic principles in respect of the personal data of every individual on their territory. However, having that as the requirement for being a member state of the convention resulted in a few problems, which are:

a. if the party of origin offers a higher level of protection of the personal data than the receiving party;

b. if the transfer of data is to a third state not party to the convention.

In 1992 the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data elaborated a Model Contract, which is used extensively by private operators to facilitate transborder flows of data between states which do not ensure equivalent protection of data.

In order to adapt the general principles set out in the convention to the specific requirements of various sectors of activity in society, a number of recommendations dealing with the following subjects have been adopted by the Council of Europe:

(a) medical databanks (1981);
(b) scientific and other statistical research (1983);
(c) direct marketing (1985); social security (1986);
(d) police records (1987);
(e) employment data (1989);
(f) financial payments and related transactions (1990);
(g) communication of data to third persons by public institutions (1991);
(h) protection of personal data in the field of telecommunications, in particular telephone services (1995);
(i) the protection of medical and genetic data (1997);
(j) the protection of personal data collected and processed for statistical purposes (1997) and for the protection of privacy on the Internet (1999).

September 2, 2009


Article 8 of the European Convention on Human Rights states that personal data is protected from being exploited by others.


Convention for Protection of Human Rights and Fundamental Freedoms of the Council of Europe, Rome, 04 November 1950 (also called the "European Convention on Human Rights" and "ECHR")

Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders, Chapter 3, art. 102-118;

Convention No. 108 of the Council of Europe of January 28, 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data;

Recommendation No. R (87) 15 of the Council of Europe Committee of Ministers, dated September 17th 1987, regulating the use of personal data in the police sector;

Directive 95/46/EC of the European Parliament and of the Council, of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

Regulation 1987/2006 of 20 December 2006 on the establishment, operation and use of the second generation Schengen information system; and

Council Decision 2007/533 of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System.

Quoted from:

September 1, 2009


Up till October 15, 2009, data privacy issues in Malaysia are still not fully governed by any specific law, as compared to other countries. There have been many attempts by legislators to pass a law governing data protection. However, the only one that has been passed so far is the DNA Identification Act 2009. Malaysia is still waiting for the Bill of Data Protection to be passed so that citizens will be protected from their data being misused and disclosed freely by others.


January 28 each year has been declared an international holiday since it was designated ‘Data Privacy Day’. The date was chosen to commemorate the date on which the Council of Europe (CE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data was opened for signature for the first time in 1981. House Resolution HR 31, passed by the United States House of Representatives on January 26, 2009 by a vote of 402-0, declared that ‘National Data Privacy Day’ shall be held on January 28 each year. It was later followed by the Senate, which passed Senate Resolution 25, also recognizing January 28, 2009 as National Data Privacy Day.

Data Privacy Day will be celebrated by the United States, Canada and 27 other European countries. The main purpose of declaring January 28 as Data Privacy Day is to promote awareness and education among teens across the United States. That day also serves the importance of furthering international collaboration and cooperation on privacy issues.

The celebration of Data Privacy Day in the United States has involved privacy professionals, corporations, government officials and representatives, academics, and students across the country. The 2009 celebration of Data Privacy Day took place across the United States, Canada and Europe. That day has offered many opportunities to the world to learn more about data privacy and to take action to protect personal information. It holds many events like academic conferences on topics including national security and data transfers, social networking and information security