All content in this area was uploaded by Chris Kwan on Dec 12, 2020
[2020] 1 LNS(A) cxxxi Legal Network Series 1
DATA PRIVACY FOR LAWYERS: AN INTRODUCTION
by
Chris KH Kwan*
1. Introduction
In Malaysia we have the well-known Personal Data Protection Act 2010
(PDPA), which came into force on 15 November 2013. The PDPA imposes
strict requirements on any person who collects or processes personal data
(data users) and grants individual rights to 'data subjects'. Enforced by the
Commissioner of the Department of Personal Data Protection (the
Commissioner), it is based on a set of data protection principles akin to that
found in the Data Protection Directive 95/46/EC of the European Union
(EU)[1] and, for this reason, the PDPA is often described as European-style
privacy law. An important limitation to the PDPA is that it does not apply to
the federal and state governments.[2] This exemption for state and federal
agencies is difficult to comprehend given collectively they hold every
conceivable data of all citizenry and foreigners. I am also minded that
PDPA does not apply where the processing of data happened outside of
Malaysia.[3] An interesting challenge is that electronic “data” which cannot
be identified or linked back to “personal data”, such as is usually found
in modelling for Machine Learning, is exempted under the PDPA as per Section
45(2)(c) of the PDPA.[4] There was some backroom talk of updating PDPA
when the PH Government was in power but it appeared everything fizzled
out since it fell from power in 2020 just before the start of the pandemic by
the resignation of the Prime Minister.
This paper seeks to understand where our PDPA stands today against ISO 27701
and vis-à-vis the European Union’s General Data Protection Regulation
(“GDPR”). For a start it will be useful to map out the rules and I find this website[5]
very helpful for beginners at https://dataprotectionmapping.z21.web.core.windows.net/#/dashboard
and since this is an open-source project you may wish to
look at their code at https://github.com/microsoft/data-protection-mapping-project.
Just to test this system I applied GDPR against the core of ISO 27701 as seen
below, the screenshot taken from the data protection mapping project shows
compliance with at least Sections 5, 6, 7, 8 to augment specific privacy control. It
is said that ISO 27701 being a management system, it defines processes for
continuous improvement on data protection, particularly important in a world
where technology does not stand still. This means as lawyers, we will need to
assess whether our legal framework is in line with “technology that doesn’t stand
still” and advise our clients accordingly in a world where data is new “oil” in a
world without boundaries to information.
Obviously to be able to use the above, one must also be familiar with the
rules such as ISO 27701 and GDPR and how these rules may map back to
our own PDPA (if any). To begin, PDPA has its own ‘standard’ as seen in
the Personal Data Protection Standards 2015, which came into force on 23
December 2015. In addition, there are also codes of practice for banking,
utilities, insurance, aviation and licensees under the Communications and
Multi-Media Act 1998[6] and the latest can be found here.[7] It was clearly a
framework ahead of its time without the data privacy issues created by
cookies, online tracking, cloud computing, the internet of things or big data
because any data that is collected and processed outside of Malaysia is
beyond PDPA. Therefore, for local companies using a third-party provider
for its computing and commercial needs based in Singapore or elsewhere,
then our PDPA will not be applicable even though they may be collecting
data from locals in Malaysia. Another issue is that the personal data must be
in the context of a commercial transaction but excludes any information that
is processed for the purpose of a credit reporting business carried on by a
credit reporting agency under the Credit Reporting Agencies Act 2010.[8]
This basically means, any data for social purposes will not be under PDPA.
This may explain why there is not much need for lawyers unless one has a
Client which wants to process commercial data in Malaysia (other than a
branch office) and has cross-border dealings.
2. Data Security
An increasingly important development in line with privacy is data security.
For example, in the GDPR at Article 33 we have “Notification of a personal
data breach to the supervisory authority”. It mandates “in the case of
personal data breach, the controller shall without undue delay…not later
than 72 hours after having become aware of it, notify…the supervisory
authority”. Unfortunately, Malaysia’s PDPA does not have any notification
requirements. However, the Commissioner established under PDPA[9] has
provided regulations that require data users to have a security policy and
this must comply with standards set by the Commissioner.[10] For example,
under para 4 under the Table titled “DATA SECURITY FOR PERSONAL
DATA PROCESSED ELECTRONICALLY” we have this # 11 which I
repeat below.
Personal data transfer through cloud computing service must comply
with the personal data protection principles in Malaysia, as well as
with personal data protection laws of other countries.
If we literally take this to mean as it says, then depending on where this
“cloud” is located, the law now requires one to comply with both Malaysian
and laws of that country. Assuming this is in Singapore, this would mean
Singapore law which also does not have any notification requirement for
data breaches and if this is in the European Union then GDPR would apply.
As an example, I look at AirAsia’s Privacy Statement[11] which reads as
follows:
As the reader can see, there seems to be some confusion as AirAsia
had stated that its servers are overseas but did not say where. I am
assuming this may be due to the transfer of data from unnamed
overseas locations for processing in Malaysia, therefore AirAsia
chooses to adhere to PDPA. It is also most likely the data is stored on
a cloud platform. We use https://hackertarget.com/whatweb-scan/
and we found this is located in Singapore by using another online tool
https://check-host.net/ip-info?host=airasia.com
Similarly, we also found www.malaysiaairlines.com which hosts its servers
- likely located in California, United States, which has very different
privacy and data protection regimes compared to Malaysia with its “biased
to data user” rights. The reason for ‘likely located’ is because it is using
Cloudflare, a popular CDN to mask its IP address.
3. Data Integrity
At para 7 of The Personal Data Protection Standards 2015 under table
“Descriptions” at # 4, it says:
As can be seen above, in most cases where the website provides a “profile”
account there is usually a slot for one to update one’s details, including
address and so on as seen here below in AirAsia.com.
At AirAsia’s Privacy Statement, we also find this part challenging.
When I pressed on the e-form there is no form.[12] However, according to
The Personal Data Protection Code of Practice for the Malaysia Aviation
Sector (circa 2017),[13] there is no requirement to offer this “form” for the
stated purpose as per Privacy Statement.
4. Data Portability
One of the most rigorous parts of the privacy management is transferring of
data to another location, say from one cloud to another. In Malaysia, as I
mentioned, under Rule 11 para. 4 of The Personal Data Protection Standards
2015 there is a need to comply with data protection laws of other countries.
This means our own law requires one to comply.
Under the GDPR, the general rule is that the transfer of personal data to
third countries is prohibited, unless one or more of the prescribed
compliance mechanisms, designed to ensure an adequate level of data
protection, is put in place.[14] It also attracts the highest fines (i.e. up to 20
million euros or 4% of the annual global turnover, whichever is greater).[15]
However, a number of third countries are deemed “adequate” but note that
this is reviewable every four years.[16] On 6 Oct 2015, the Court of Justice
of the European Union decided Case C-362/14 | Maximillian Schrems v.
Data Protection Commissioner, where the Court found the Safe Harbour
agreement (“Scheme”) between the European Union and the United States to
be invalid.[17] This was the case against Facebook Ireland, where its
headquarters was based, and the issue was prohibiting Facebook from further
transferring data from Ireland to the United States. The Court held the
Scheme between the European Commission and the United States to be
illegal as it allowed government to interfere with the protection, provided no legal
remedies for individuals to access data related to themselves or to erase or
amend it, and prevented national supervisory authorities (in this case
Ireland) from exercising their power.
Be that as it may, once a data subject explicitly consents to the transfer, then
a data controller may transfer personal data outside the EU.[18] This clearly
seems to be a god-sent solution as most users would click “yes” on any
online agreement without reading simply to complete the transaction. The
requirement is that consent must be “freely given”. The data controller has
to ensure that the data subject is aware of the fact that, and the extent to
which, consent is given.[19] Recital 43 states that consent is not valid if there
is a clear imbalance between the data subject and the controller. There is
also a presumption that the consent is not free “if the performance of a
contract, including the provision of a service, is dependent on the consent
despite such consent not being necessary for such performance.” [20] In the
positive sense, where an e-commerce website from China such as
AliExpress is collecting data from Clients based in the EU, it is necessary to
transfer the Client’s personal data from the EU to China to process the
order, ship products and supply services etc. In such cases, the data transfer
to China can be justified on the basis of contractual necessity. Another
situation is where one is travelling to Australia and passport details are
required to be checked against the destination country‘s blacklist. This is
because it is common for the destination country to hold the airlines
responsible for the cost of sending back an unwelcome visitor. In this
situation even though there is no connection with the provision of a ticket to
destination, it is needed at the point of sale. However, note that airlines
usually give notice that the purchaser is to be responsible for his or her own
visa arrangements. Airlines are not known to provide the data subject
information about what data will be transferred, to whom and where the data
will be transferred. Furthermore, such consent can be withdrawn.[21]
In summary, we can say that under the GDPR, Article 12 offers transparent
information, communication and modalities for the exercise of rights of the
data subject. It refers to “shall not refuse to act on the request…unless the
controller demonstrates that it is not in a position to identify the data
subject” and to “provide information on action taken…within one month of
receipt of the request...may be extended by two further months” whereby “if
the controller does not take action…inform the data subject without delay
and at the latest within one month” by giving “reasons for not taking
action”.
5. Comparing between GDPR with California Consumer Privacy Act
2018 (CCPA)
In addition to the GDPR, there is also the CCPA. The one distinguishable
feature is the “Right to Opt out of Sale” (1798.120). With some exceptions,
businesses cannot sell user’s personal information after receiving this opt-out
request. There is a waiting period of at least 12 months before the provider
can ask the user to opt back into the sale of their personal information. In
the event of a breach there is a statutory right to sue (1798.150). At the time
of writing, there is opposition in California. Californians will be able to vote
on the California Privacy Rights Act this fall 2020 as Proposition 24 to
replace the CCPA which is deemed by tech companies to be the strongest
privacy law ever in the US. To privacy advocates, the right to know what
data businesses are collecting about them, to opt out of the sale of that data,
and to make businesses delete the data they’ve already gathered are
“theoretical”. First, while CCPA specifies that users have the right to opt
out of the “sale” of their data, tech companies argue that many transfers of
user information that seem to raise privacy concerns aren’t sales at all,
because no one is paying for data to constitute a “sale”. Second, the CCPA
has an exception for “service providers” who need user data to perform a
“business purpose.” Companies like Facebook and Google have seized on
that language, arguing that they provide the service of microtargeted
advertising. Taken together, the two provisions essentially exempt targeted
advertising from privacy law.[22] Proposition 24 aims to close these two
issues.[23] On the other hand, one common complaint is that Proposition 24
allows what is pejoratively known as “pay for privacy”: businesses can
charge users more if they opt out of sharing their information (already
allowed under the CCPA). Given the undercurrent, it will be sufficient for
this introduction to benchmark across GDPR, CCPA and our PDPA so that
we can appreciate how far our privacy laws have come as compared to
CCPA and GDPR since 2010 (enforceable since 2013).
| Consumer Rights under GDPR | Consumer Rights under CCPA | Consumer Rights under PDPA/Personal Data Protection Standards 2015 (“PDPS 2015”) and the Personal Data Protection Code of Practice (“PDPCP”) |
| --- | --- | --- |
| Right to be informed (Art 13, 14 and recital 60-62) & Right to data portability (Art 20 recital 68) | Right to know data collected and portability (1798.100) | Under PDPCP which is industry specific see the requirements differ from industries. (see details in table below) Under PDPS 2015, for “Cloud” at Rule 11 under para 4, it says “Personal data transfer through cloud computing service must comply with the personal data protection principles in Malaysia, as well as with personal data protection laws of other countries.” Technically this only affects citizens of the other countries and not locals. The responsibility may also fall on the Cloud provider.[24] |
| Right to erasure (Art 17, 19 and recital 65 & 66) | Right to delete posted data (1798.105) | |
| Right of access by data subject (Art 15, recital 63, 64) | Right to be informed & Right to know category of sources (1798.110) | |
| Right to object (Art 21 recital 69 & 70) & Right to withdraw consent (Art 7, recital 32, 33, 41, 43) & Right to restriction of processing (Art 18, 19, recital 67) | Right to say no to sale & right to opt in before sale of data for children (1798.120) | |
| NA | Right to non-discrimination (1798.125) | |
| Right to compensation and liability (Art 82) | Right to sue for breaches (1798.150) | |
| NA | Right to know business purposes (1798.115) | Is processed for a lawful purpose directly related to an activity of the data user (Section 6(3)(a) of PDPA) |
Differences between different selected industries in Malaysia.[25]

| Communication Sector at page 37[26] (dated 23.11.2017) | Transportation Sector (Aviation) at page 46 (dated 21.11.2017)[27] | Banking And Financial Sector at page 48 (dated 19.1.2017)[28] | Electricity Provider at page 34-44 (dated 21.1.2020)[29] |
| --- | --- | --- | --- |
| NA | NA | NA | Data Access Request |
| NA | NA | NA | Data Correction Request |
| Right of Access to Personal Data (Section 30 of the PDPA) | NA | YES | YES |
| Right to Correct Personal Data (Section 34 of the PDPA.) | NA | YES | YES |
| Right to Prevent Processing Likely to Cause Damage or Distress (Section 42 of the PDPA) | YES | YES | YES |
| Right to Withdraw Consent (Section 38 of the PDPA) | YES | YES | YES |
| Right to Prevent Processing for Purposes of Direct Marketing (Section 43 of the PDPA) | YES | YES | YES |
6. Why do we bother with the above?
The answer is that there are fines. For example, Australian law introduced
a mandatory data breach notification regime that came into
effect on 22 February 2018. From that date, businesses that fail to notify
their customers about an eligible data breach could be liable for civil
penalty orders from the Privacy Commissioner of up to $2.1 million for
organizations, and up to $420,000 for individuals. Similarly, in the
European Union, the GDPR raises particular concerns including its wide
extra-territorial scope of application and the staggering administrative fines
in case of violation.[30] Unlike Malaysia which looks at where the data is
processed, in so far as the European Union is concerned, it does not matter
as to establishment, instead, it focuses on the offering of goods and services
targeting EU residents.[31] For all the external jurisdictional reasons above,
it is best to be cautious by complying or at least attempting to comply.
While in most cases we are looking at fines by the respective authorities,
there is now a class action suit filed against EasyJet under Art 82 of the
GDPR for its data breach in January 2020 by hackers who managed to steal
not only personal data but also financial data. In this case, even though
EasyJet notified UK's Information Commissioner's Office in time, customers
were not informed until four months later. The suit has a potential liability
of £18 billion, or up to £2,000 per impacted customer.[32] The law firm
representing the claimants, PGMBM, emphasized, "In particular, the
exposure of details of individuals' personal travel patterns may pose security
risks to individuals and is a gross invasion of privacy."[33] What is
interesting and should be taken note of is that according to Verizon Data
Breach Investigation Report for 2020 (circa May 2020), it shows a common
factor in data breaches, and that is the misconfiguration of cloud-based
repositories and buckets which stood out.[34] The Report also highlighted
and I quote, “External actors were behind 70% of the breaches and
organized crime in 55%. 30% involved internal actors.” and “86% of
breaches were financially motivated”. It is clear that had it not been for
storing financial information (from cards with static numbers) at least the
majority of the breaches would not have happened.
In Malaysia under the PDPA at Section 133(a), it provides that where an
offence is committed by a body corporate, its director, chief executive
officer, chief operating officer, manager, secretary or other similar officer,
the entity or person may be deemed to have committed the offence unless it,
he or she can establish that there was no knowledge of the contravention,
and that it, he or she has exercised all reasonable precautions and due
diligence to prevent the commission of the offence.[35] It is noteworthy to
remind the reader that under the PDPA at Section 134, any prosecution must
first obtain consent from the Public Prosecutor which shows in practice that
the Personal Data Protection Commissioner (‘Commissioner’) is merely a
“paper tiger”.
7. Where to begin?
For those who are interested and aim to make this into a fulfilling career,
and assuming one is already conversant with the rules such as GDPR, I find
completing a Privacy Impact Assessment is a good starting point as it
checks whether one is familiar with the processes and so on. This website
by CNIL[36] at https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment
includes software to assist in this
task. Other well-known privacy management systems include OneTrust,
which shows how integrated both law and privacy systems are. I have also
used a free service by osano.com and I provide a link to their free report for
Malaysiaairlines.com.[37] There will be demand for legal skills given the
decision of the EU Court of Justice (‘EUCJ’) striking out the EU-US
Privacy Shield agreement in July 2020.[38] Accordingly, the EUCJ reasoned
data protection requirements must be interpreted to require that data
transferred outside of the EEA be afforded a level of protection “essentially
equivalent” to that guaranteed within the EU by the GDPR. Legal
experience is needed to evaluate the level of protection afforded to
transferred data in the light of both the contractual clauses agreed to by the
data exporter and the data recipient and, “as regards any access by the
public authorities of that third country [such as the U.S.] to the data
transferred, the relevant aspects of the legal system of that third country.”[39]
The fact that the authorities of the non-Member State country to which data is
transferred are not bound by the clauses is not enough to invalidate the Standard
Contractual Clauses or “SCCs”. Notably, however, this SCC’s validity
depended, according to the EUCJ, on whether effective mechanisms are in
compliance with the requirements of EU law and ensuring that data transfer
is stopped in the event of a breach of the clauses. The SCCs themselves
offer this protection and are still valid. This is also the second time in five
years that a “safe harbor” program between the EU and U.S. has been found
inadequate by the EUCJ. From this latest set-back, the data user or data
controller (as defined in GDPR)[40] will need to demonstrate compliance
with the Standard Contractual Clauses,[41] or SCC, to ensure privacy-related
data is treated lawfully. A sample contract applying SCC can be seen
following this link.[42] It is important to note that the terms cannot be
amended or modified[43] and in the event the data exporter has disappeared
or ceased to exist in law or has become insolvent, the data importer
(residing outside of the EU) must agree to defend any claims of damages by
the data subject.[44] In addition, Vendors offering data processing will have
to provide timelines for SCC compliance on behalf of the data users. The
privacy revolution is still ongoing, and this is merely the beginning of a
chapter in a longer story.
8. Conclusion
Back in Malaysia, there is much to be done too. As M/s Shanthi Kandiah
had stated in her article published Oct 2019 “The Privacy, Data Protection
and Cybersecurity Law Review - Edition 6”, Malaysia’s PDPA was not
designed for data privacy issues created by cookies,[45] online tracking,
cloud computing, the internet of things or big data which is at the forefront
of the data revolution. However, she also pointed out that Government
efforts appeared to be focused on positioning the country appropriately to
benefit from these innovations. For example, she cited, the Ministry of
Science, Technology and Innovation has unveiled the National Internet of
Things Strategic Roadmap (the Roadmap) where a centralised regulatory
and certification body will be established to address privacy, security,
quality and standardisation concerns.[46]
Since then, I noted that around February 2020, the Personal Data Protection
Commissioner had issued a public consultation paper (No 01/2020) to
review the PDPA within a 2 week timeframe.[47] The Commissioner had
proposed the need to keep-up with business requirements (such as the rights
of portability) and apportioned responsibilities (such as to the data
processor). The Commissioner’s proposal disapproved a white-list of
countries (for transfer of data outside of Malaysia), however, he wanted
notification of data breach to be made compulsory. In Malaysia where robot
calls are common, the Commissioner had included the need for the Data
user to establish a Do Not Call Registry but this may not assist because the
data is already in circulation and the culprits are outside of Malaysia,
making prosecution impossible. The Commissioner is considering an
extension of the right of a data subject to know specifically one’s personal
data has been disclosed to which third party. Further, the Commissioner also
recommended the data subject should have rights to pursue civil litigation
against a data user by citing various laws in Singapore [s. 32(1)], North
Korea [Art. 57], Macau [Art. 14] and EU-GDPR [Art. 82]. The
Commissioner seems to be conservative when it comes to applying the
PDPA to the State/Federal governments citing a huge study is needed first
but is mindful that statutory bodies are not exempted at this time and
guidelines will be provided for these bodies. The Commissioner is also
considering extending the PDPA to non-commercial activities citing leads in
Philippines, Japan, North Korea and EU. It is also interesting to note that
the Commissioner is looking into enforcement against data users outside
Malaysia who monitor and do profiling of a Malaysian data subject. This
would be awkward because profiling and monitoring of Malaysian data
subjects are mainly done on behalf of the Malaysian government (say the
allegation whereby Cambridge Analytica was involved in Kedah[48]). Non-controversial
proposals by the Commissioner include the obligation of a
data user to appoint a Data Protection Officer “DPO” and to issue a
guideline on the mechanism of having a DPO. So far at the time of writing,
there is no outcome or decisions since this public consultation ended on
28.2.2020.
I should also take note that the second reason why the EUCJ struck out the
EU-US Privacy Shield agreement was that the EUCJ found that “the
requirements of US national security, public interest and law enforcement
have primacy, thus condoning interference with the fundamental rights of
persons whose data are transferred to [the US].”[49] EUCJ reasoned that the
requirements of the GDPR must be read in light of the provisions of the EU
Charter of Fundamental Rights[50] guaranteeing respect for privacy and
family life, protection of personal data, and the right to effective judicial
protection which appears to be contrary to the views of the US on
authorities’ access to data or for that matter, even Malaysia, where we do
not even appreciate[51] such Charter nor say Art 2, “No one shall be
condemned to the death penalty, or executed.” nor Art 8, “Protection of
personal data” as Malaysia has excluded State and Federal Authorities from
compliance.
The renewed interest shown by the Commissioner is a reflection of the
necessity to keep up appearances with “international” requirements.
Regardless of whether it is a Malaysian company or otherwise, its obligation
could technically fall within the purview of Singapore, US or EU law
because data is sourced and stored from multiple jurisdictions and the nature
of online businesses. It is no secret that the international trend decidedly
tilts toward expanding data protection laws towards the framework
employed by the GDPR particularly for protecting data subjects, including
minors. This is clearly sought by the Commissioner in its Consultation
Paper No 1/2020 subject to heightened fear of data security breaches in the
Cloud. This actually provides further business opportunities for vendor-organizations
that process information by complying with the most stringent
standards of omnibus privacy laws such as in the SCC. This will open doors
to flexibility across different legal landscapes and put them in good
standing. Even in the short term, striving to comply with GDPR-SCC would
give credence to our local franchisees to stand together with other brands
promoting e-commerce activities.
*Advocate & Solicitor.
Endnotes:
[1] The EU Data Protection Directive 95/46/EC has now been replaced with the EU
General Data Protection Regulation, which came into force on 25 May 2018.
[2] Section 3(1) of PDPA.
[3] Section 3(2) of PDPA.
[4] “(c) processed for preparing statistics or carrying out research shall be exempted
from the General Principle, Notice and Choice Principle, Disclosure Principle and
Access Principle and other related provisions of this Act, provided that such
personal data is not processed for any other purpose and that the resulting statistics
or the results of the research are not made available in a form which identifies
the data subject;”
[5] https://dataprotectionmapping.z21.web.core.windows.net/#/dashboard.
[6] https://www.pdp.gov.my/jpdpv2/assets/2019/09/WhatYouNeedToKnow.pdf.
[7] https://www.pdp.gov.my/jpdpv2/tata_amalan/?lang=en.
[8] Section 4 of PDPA under definition of personal data.
[9] Section 47 of the PDPA.
[10] The Personal Data Protection Standards 2015 and also referred to as the Personal Data
Protection Regulations 2013 (The latest copy https://www.pdp.gov.my/jpdpv2/assets/2019/09/LatestStandard.pdf).
[11] https://www.airasia.com/aa/about-us/en/gb/privacy-statement.html#storage.
[12] Accessed on 10.9.2020. There was no form and forwarded to https://support.airasia.com/s/?language=en_GB.
[13] https://www.pdp.gov.my/jpdpv2/tata_amalan/the-personal-data-protection-code-of-practice-for-the-malaysia-aviation-sector/?lang=en.
[14] Art 44 of the GDPR.
[15] Art 83(5)(c) of the GDPR.
[16] Article 45(4) of the GDPR.
[17] https://www.europeansources.info/record/judgment-in-case-c-362-14-maximillian-schrems-v-data-protection-commissioner/.
[18] Article 49(1)(a) of the GDPR.
[19] Recital 42 at https://gdpr-info.eu/recitals/no-42/.
[20] Recital 43 at https://gdpr-info.eu/recitals/no-43/.
[21] Article 7(3) of the GDPR.
[22] https://www.wired.com/story/california-prop-24-fight-over-privacy-future/.
[23] https://www.latimes.com/opinion/story/2020-09-15/yes-on-proposition-24.
[24] Most of the obligations under the PDPA apply to a 'data user' (i.e., 'a person who
either alone or jointly in common with other persons processes any personal data or has
control over or authorises the processing of any personal data, but does not include a
data processor'). A Cloud service is perhaps identifiable to 'data processor' who
processes personal data solely on behalf of a data user and therefore is not bound
directly by the provisions of the PDPA.
[25] https://www.pdp.gov.my/jpdpv2/tata_amalan/?lang=en.
[26] https://www.pdp.gov.my/jpdpv2/assets/2019/09/Communications-Sector-PDPA-COP.pdf.
[27] https://www.pdp.gov.my/jpdpv2/tata_amalan/the-personal-data-protection-code-of-practice-for-the-malaysia-aviation-sector/?lang=en.
[28] https://www.pdp.gov.my/jpdpv2/tata_amalan/personal-data-protection-code-of-practice-for-the-banking-and-financial-sector/?lang=en.
[29] https://www.pdp.gov.my/jpdpv2/tata_amalan/tataamalan-perlindungan-data-peribadi-untuk-sektor-elektrik-versi-2-0-bahasa-inggeris/?lang=en.
[30] Up to 20 million euros or 4% of total worldwide annual turnover, whichever amount
is higher. See Article 83 of the GDPR.
[31] Art 3(1) & 3 (2) of GDPR.
[32] https://www.zdnet.com/article/easyjet-faces-18-billion-class-action-lawsuit-over-data-breach/.
[33] Ibid.
[34] https://www.zdnet.com/article/verizons-data-breach-report-highlights-how-unsecured-cloud-storage-opens-door-to-attacks/.
[35] Section 133(1) & (2) of the PDPA. Note that under Section 134, it says that “No
prosecution for an offence under this Act shall be instituted except by or with the
written consent of the Public Prosecutor”.
[36] CNIL also prosecuted Google and levied a fine of 50 million euro for failing to (1) comply with
the transparency and notice requirements of the GDPR, and (2) obtain valid consent from users.
Source: https://www.huntonprivacyblog.com/2020/06/23/french-highest-administrative-court-upholds-50-million-euro-fine-against-google-for-alleged-gdpr-violations/.
[37] https://cdn.osano.com/hubfs/visitor_files/audits/c17520cc0dece3c47a364f4dceb2a450d81365af-6672218854e3e8b10e76244c8ab69742bb932a2c.pdf
(or permanent site at https://1drv.ms/b/s!AoCP5PALDZGQqiP_FgFPsg3XRznw).
[38] https://www.velaw.com/insights/the-eu-us-privacy-shield-is-down-cjeu-decides-schrems-ii/.
[39] https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.
[40] A data controller is a key decision-maker. They have the overall say and control
over the reason and purposes behind data collection and over the means and method of
data processing.
[41] https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[42] https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
[43] Ibid at Clause 10.
[44] Ibid at Clause 6.
[45] There are regulations for cookies - for example see https://gdpr.eu/cookies/ and fortunately
a technical solution as well, say, in https://github.com/osano/cookieconsent.
[46] https://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-review-edition-6/1210063/malaysia.
[47] https://www.pdp.gov.my/jpdpv2/assets/2020/02/Public-Consultation-Paper-on-Review-of-Act-709_V4.pdf.
[48] https://www.nst.com.my/news/politics/2018/03/348423/kedah-bn-denies-engaging-services-cambridge-analytica.
[49] Last page in https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.
[50] https://ec.europa.eu/info/aid-development-cooperation-fundamental-rights/your-rights-eu/eu-charter-fundamental-rights_en.
[51] Currently, death penalties are carried out in Malaysia through eleven offences under
the Penal Code and Firearms (Increased Penalties) Act, 1971 which carry the mandatory
death penalty.