By Jotham Lim – 21 July 2021
Think about our current digital footprint — gigabytes of family photos, social media posts and sensitive documents uploaded from our phones, out of the country to the public cloud. A single cyberattack could wipe out decades worth of accumulated memories.
Surely, data privacy laws are on our side. Yet, an attempt at legal recourse will inevitably hit a wall — there is little we can do about data stored outside of Malaysia.
Our current data privacy laws are ill-equipped to handle these sorts of delicate situations due to a concept known as data sovereignty. It is the idea that data is subject to the laws of the country where it is physically stored. Away from Malaysian shores, we are effectively relying on blind trust in the self-policing of the firms that store the data and in international regulators.
Can our laws protect us?
Although there are overlapping jurisdictions, our data privacy is primarily determined by the Personal Data Protection Act 2010 (PDPA). In it, there are clauses stating that a data user shall not transfer any personal data outside of Malaysia except under certain conditions.
However, a 2018 academic paper released by Taylor’s University Malaysia points out that the PDPA only applies to personal data used in commercial transactions, and not to the protection of an individual’s personal data more generally.
This is unlike the legal perspective in the UK where citizens’ general right to privacy is viewed as a fundamental human right.
“When we use our smart devices and watches, we are sending this data to the cloud, but we do not know whether the data sits in Malaysia or somewhere else,” says Thillai Raj, senior technological adviser at Wise AI Sdn Bhd.
“This is a matter of some concern because the current PDPA policies only apply to commercial transactions and do not apply to personal data that is processed outside of Malaysia. So, when companies collect sensitive health data, such as your height and weight, the number of steps you took today, or even if you have diabetes, the data being stored on your fitness watch does not matter to the PDPA.”
Formerly the chief technology officer (CTO) of Mimos Bhd, Thillai highlights that our current PDPA laws require updates, saying that many other countries have evolved their versions of the PDPA over the years. Malaysia, on the other hand, only started a public consultation session early last year for policies that have remained unchanged for over a decade.
For reference, he points towards the General Data Protection Regulation (GDPR) as the gold standard. Although it was adopted by the European Union (EU) in 2016, it has far-reaching implications that extend even to Malaysian shores.
“For example, if a European citizen’s data is being kept on Malaysian shores and he demands that his data be removed, the company is obliged to do so,” says Thillai. “California issued the California Consumer Privacy Act (CCPA) in 2018, which contains similar regulations, but the fines are significantly smaller.”
When updating our current data privacy policies, the government must also open up channels for citizens to claim compensation in the event of a data compromise, says Farlina Said, an analyst with the Institute of Strategic and International Studies (ISIS) Malaysia.
“Citizens should have the right to go to the government and ask for protection because that is technically how things should work,” she adds. “But in this current environment, the individual has to personally inform the private company of the data breach and ask for compensation directly. With proper data sovereignty policies, the jurisdiction falls in the hands of the government, and it should be able to protect its citizens, which can be the case for keeping sensitive data on Malaysian shores.”
Farlina, who specialises in foreign policy and national security studies, describes our current state of data privacy laws as “unfolding”, acknowledging that we are still a developing nation in many regards. For years, our data practices in both the public and private sectors have been sufficient.
However, continuing in such a state will hamper our nation’s efforts in building a well-rounded digital economy.
“For us to achieve high-income nation status, our country’s trajectory points towards building a data-fuelled economy, encompassing artificial intelligence, cloud computing and so on. From a national security perspective, we need to have the capacity and the aptitude to protect our data and understand data governance,” she says.
“That is why current laws need to be reviewed for enforcement agencies, be it by policing authorities or related ministries, to be held responsible for protecting these systems in the first place. Conversations around data protection need to happen, before we can dive deeper into protecting individual user privacy and related matters.”
An issue of enforcement
On the other hand, there is the matter of enforcing the existing policies, says M Satya Riayatsyah Syafruddin, CEO of ACASIA Communications Sdn Bhd. He uses the example of oil and gas players that conduct maritime subsurface scanning. The data collected is highly sensitive, with an impact on national security. However, such data is exported out of the country to be processed because the technology for this is still not available in Malaysia.
“There needs to be ways for local authorities to identify companies that are placing data outside the borders of our country, which means employing the right experts that can trace how data is transferred from one enterprise to another. This is something we lack, and we currently do not have the capacity to do that,” says Satya.
“This applies to private companies as well. Business owners need to adopt the digital mindset and have clear visibility of where their data is kept while employing the right talents who are well versed in handling these types of sensitive data.”
He also highlights a distinct lack of commercially available data centres in Malaysia, prompting organisations from both the public and private sectors to rely on public cloud services to host and process large amounts of data.
Satya believes ACASIA will play an increasingly important role in enabling large organisations to adhere to data sovereignty policies moving forward. For example, if an international company were to enter Southeast Asia, it would need to approach a multitude of stakeholders to set up information and communications technology (ICT) infrastructure in each of the member states of Asean to fulfil their data localisation requirements.
ACASIA fills this gap by serving as a one-stop centre and a regional ICT solutions provider. This is enabled by its shareholder composition, which comprises several telecommunications providers in the Asean region, including Telekom Malaysia, Singapore Telecommunications Ltd and Indosat.
“Moving forward, I believe the Malaysian government is taking the right steps by providing conditional approvals to Big Tech companies and Telekom Malaysia to build hyperscale data centres. However, to establish a cohesive digital economy, we will need more local data centre players to come on board,” says Satya.
The inevitability of the issue
Malaysian organisations are now going through a transitionary period when it comes to data storage and governance. With many processes undergoing digitalisation, data and workloads are constantly being moved from on-premises servers to the cloud, and back to localised servers in the company — creating multi-generational data sprawl.
These exercises generate massive amounts of data and are not conducive to an organisation’s growth, says Sunil Mahale, Commvault’s vice-president and general manager for Hong Kong, Taiwan, South Korea and Asean.
“Further complicating matters, cloud data can be subjected to multiple laws depending on where it is hosted, how it is transmitted and by whom it is controlled,” he adds. Sunil explains that different legal obligations regarding privacy, data security and breach notifications may be applicable, depending on whether the data is “in-flight” or “at rest” — terms that distinguish data actively moving from one location to another from data that is stored.
Thus, he believes that organisations should be proactive rather than reactive when it comes to reinforcing data sovereignty policies, and not wholly rely on government agencies.
“At the core of data is personal information — the data trail created by every individual in their day-to-day life. The responsibility of keeping this information secure is an issue that has been complicated by the necessity of cross-border data sharing, especially as businesses accelerate their move to the cloud and software-as-a-service (SaaS) solutions to accommodate remote working environments,” says Sunil.
“There is no time like now for businesses to have a complete, updated overview of their data. Ideally, issues pertaining to data sovereignty should be dealt with at every stage of organisational growth and incorporated into data management strategies from the bottom up.”
This article also appeared in The Edge, 21 June 2021.