Many telcos’ so-called mobile content services (MCS) providers have been indiscriminately violating the Personal Data Protection Act 2010 (PDPA) by SMS-blasting unsolicited advertisements/promotions daily to millions of cellphone subscribers, for a fee, at the press of a button. Why is this possible?
If we examine closely the policy objectives of the Malaysian Communications and Multimedia Commission (MCMC), one of them is to “Regulate for the long-term benefit of the end user”. Such SMS blasting of unsolicited advertisements/promotions to cellphone subscribers should therefore not have happened, as it is not for the benefit of the cellphone subscribers. On the contrary, it is for the benefit of the MCS providers and the advertisers.
By right, MCMC does not need the enactment of the PDPA to stop the SMS blasting of unsolicited advertisements/promotions, etc. It has the power to regulate/restrict the SMS blasting of messages to only those cellphone subscribers who have a contract with the advertisers for some form of service.
It seems that the more the MCMC “regulates”, the more advertisements/promotions are sent out daily to our cellphones. WHY?
Perhaps the very learned chairman of MCMC, Yg Bhg Dato’ Mohamed Sharil Bin Mohamed Tarmizi, would see fit to break his elegant silence and clarify this serious matter.
Is MCMC taking the PDPA seriously and regulating the activities of mobile content service (MCS) providers? The answer is an obvious “NO”, because cellphone subscribers are receiving more unsolicited advertisements/promotions and other messages daily on their cellphones despite the existence of MCMC.
Let us examine the relevant sections of the PDPA in this posting in order to have a better understanding of its spirit. In the next posting, let us examine in greater detail how the mobile content services (MCS) providers and/or telcos have violated the provisions of the PDPA.
THE PRINCIPLES ENSHRINED UNDER THE PERSONAL DATA PROTECTION ACT 2010.
A data user who processes personal data must comply with the seven Personal Data Protection Principles set out in sections 6 to 12 of the PDPA, namely:
(a) General Principle;
(b) Notice and Choice Principle;
(c) Disclosure Principle;
(d) Security Principle;
(e) Retention Principle;
(f) Data Integrity Principle; and
(g) Access Principle.
Non-compliance by a data user with any of these principles is an offence under the Act.
Section 6 sets out the application of the General Principle to personal data and sensitive personal data.
Processing of personal data
The General Principle of the PDPA prohibits a data user from processing a data subject’s personal data except with the latter’s consent.
The General Principle is qualified by 6 exceptions in section 6(2), which permit personal data to be processed without the data subject’s consent, namely:
(i) for the performance of a contract to which the data subject is a party;
(ii) for the taking of steps at the data subject’s request with a view to entering into a contract;
(iii) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
(iv) to protect the vital interests of the data subject;
(v) for the administration of justice; or
(vi) for the exercise of any functions conferred on any person under any law.
Section 6(3) also sets out certain parameters for the processing of personal data and such data may not be processed unless:
(i) it is for a lawful purpose directly related to the activity of the data user;
(ii) it is necessary for or directly related to that purpose; and
(iii) the data is adequate but not excessive in relation to that purpose.
Processing of sensitive personal data
The processing of sensitive personal data must comply with the conditions specified in section 40 and is permitted in the following circumstances:
(i) with the explicit consent of the data subject; or
(ii) if the processing is necessary:
(a) for the performance of any right or obligation which is conferred or imposed by law on the data user in connection with employment;
(b) to protect the vital interests of the data subject or another person if consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the data subject’s consent;
(c) to protect the vital interests of another person in a case where consent by or on behalf of the data subject has been unreasonably withheld;
(d) for medical purposes and is undertaken by a healthcare professional or a person who owes a duty of confidentiality similar to that of a healthcare professional;
(e) for or in connection with any legal proceedings;
(f) for the purpose of obtaining legal advice;
(g) for the purposes of establishing, exercising or defending legal rights;
(h) for the administration of justice;
(i) for the exercise of any functions conferred on any person under any written law;
(j) for any purpose the Minister thinks fit; or
(iii) where the information contained in the personal data has already been made public through the data subject’s own deliberate actions.
Notice and Choice Principle
Section 7 requires a data user to inform a data subject by written notice of the following:
(i) that the personal data of the data subject is being processed and a description of the data;
(ii) the purposes for which personal data is being collected and further processed;
(iii) any information available to the data user as to the source of that personal data;
(iv) the data subject’s right to request access to and correction of the personal data and contact particulars of the data user in the event of any inquiries or complaints;
(v) the class of third parties to whom the data is or may be disclosed;
(vii) the choices and means offered to a data subject to limit the processing of personal data; and
(viii) whether it is obligatory or voluntary for the data subject to supply data, and in the event of the former, the consequences of the failure to do so.
The notice must be given by the data user in the national and English languages, and must be given as soon as practicable:
(i) when the data user first requests the data subject to provide his personal data;
(ii) when the data user first collects the personal data of the data subject; or
(iii) in any other case, before the data user uses it for a purpose other than the original purpose or before the data user discloses it to a third party.
The data subject must be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.
Section 41 exempts a data user from complying with the Notice and Choice Principle in relation to the subsequent collection of personal data from the same data subject which is carried out within 12 months from the first collection if it will result in a repetition by the data user of his obligations under the Notice and Choice Principle in respect of the first collection.
One would have thought that after the enactment of the PDPA, the SMS blasting of unsolicited advertisements/promotions, etc. would be a thing of the past. But it was not to be, because MCMC did not terminate the licenses of the MCS providers. What MCMC has done is just to limit the number of SMS blasts sent daily by MCS providers. This is not what the cellphone subscribers want! They want the SMS blasting of unsolicited advertisements/promotions, etc. to be stopped altogether, not reduced.
If this warning is not heeded by MCMC and the Ministry of Information, there will be serious repercussions in the future. Data of mobile phone subscribers will be up for sale or compromised in one way or another.