Right to privacy

1
At the time of the Declaration of Human Rights, the right to privacy originally covered
invasions of private property, intrusions in one's home and attacks on one's reputation, but the
United Nations was unable to predict the sweeping changes in social and technological
conditions in the 20th and 21st centuries. There are only two lines in 2Article 12 of the 1948
Universal Declaration of Human Rights that summarize the right to privacy: "No one shall be
subjected to arbitrary interference with his privacy, family, home or correspondence, nor to
attacks upon his honour and reputation. Everyone has the right to the protection of the law
against such interference or attacks.” (United Nations). There are seemingly endless virtual
platforms for people to communicate today, so adapting this right to modern times is
essential.Modern media platforms have given the phrase "attacks upon his honour and
reputation" a whole new meaning. A person's "honour" or "character" is protected by the law,
although that right looks different in an age when many news stories and social media posts
attack a person's reputation. Legal consequences can be determined and enforced depending on
the nature of these "attacks." Business owners and lawyers alike frequently use 3Oxford Law
Dictionary for more modern definitions of privacy.

4
Companies often have Corporate Responsibility programs that focus on philanthropy and social
issues. In today's world, companies are pledging to reduce their carbon footprints and save
endangered species. However, citizens are products whose information is purchased, sold, and
acquired without their consent. A website's privacy policies deserve more attention than just two
linked words at the bottom of its home page in light of recent events.

1 “The Right to Privacy” (HRBA PortalNovember 15, 2022) <https://hrbaportal.org/privacy/> accessed November
30, 2022

2 Morgan L, “Why Privacy Is a Corporate Responsibility Issue” (InformationWeekFebruary 23, 2018)

<https://www.informationweek.com/big-data/big-data-analytics/why-privacy-is-a-corporate-responsibility-issue/a/d-
id/282728> accessed November 30, 2022

3 Chia Yan Ping J, “Malaysia - Data Protection Overview” (DataGuidanceOctober 18, 2022)
<https://www.dataguidance.com/notes/malaysia-data-protection-overview> accessed November 30, 2022

4 Newlake Development Sdn Bhd v Zenith Delight Sdn Bhd & Ors (No 2) ( 7 CLJ 88)
Malaysian data protection laws are primarily governed by the 5Personal Data Protection Act
2010 (PDPA) and subsidiary legislation. According to the PDPA, data users are required to
comply with certain obligations and data subjects are granted certain rights with respect to their
personal information.

The regulation of personal data prior to 2010 was largely the domain of industry-specific
legislation. Banks and finance,healthcare, and telecommunications industries, among others,
have industry-specific data protection laws. Malaysian Parliament passed the PDPA in May 2010
and it received Royal Assent in June 2010. A three-month grace period ended on 14 February
2014 following the entry into force of the PDPA on 15 November 2013.

6
The PDPA, along with five subsidiary pieces of legislation, came into force on 15 November
2013. Personal Data Protection Act addresses issues such as appointing the PDPA
Commissioner, registering users, and imposing fees on users. To facilitate the enforcement of the
PDPA, this subsidiary legislation was also passed simultaneously. The subsidiary legislation that
has been passed to date include: the Personal Data Protection Regulations 2013 ('the 2013
Regulations'); the Personal Data Protection (Class of Data Users) Order 2013 ('the Order'); the
Personal Data Protection (Registration of Data User) Regulations 2013 ('the Registration
Regulation'). There is also subsidiary legislation pertaining to the appointment of the
Commissioner.

Section 45 of the PDPA was applied in the majority of reported cases. For example, in 7Newlake
Development Sdn Bhd v Zenith Delight Sdn Bhd & Ors (No 2)[2021] 7 CLJ 88, it was held that
the PDPA cannot be used as a shield to prevent such documents from being produced at trial if a
court rules that the documents in question are relevant and admissible. The High Court ruled in
December 2021 that under the PDPA, the Director-General of the Inland Revenue Board of
Malaysia is not permitted to make blanket requests for personal data, given the protections data

5 Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors (MLJU 2847)

6 “Universal Declaration of Human Rights” (United Nations) <https://www.un.org/en/about-us/universal-

declaration-of-human-rights> accessed November 30, 2022

7 Law J, Oxford Dictionary of Law

subjects receive under the Act. 8(Genting Malaysia Berhad v Personal Data Protection
Commissioner & Ors [2021] MLJU 2847). It is important that such requests for data are made in
accordance with the law, and the request must satisfy the test of necessity, namely that the
"interference with the rights of data subjects must be proportionate to the reality as well as to the
potential gravity of the public interest involved", and "a specific instance as contemplated by the
statute must be provided and not sweeping and inconsistencies in the reasons given."
Considering that it is the first formal challenge to law enforcement authorities' ability to request
information about individuals, this is a significant case.

9
On matter of the operation of right to privacy, there are Data Protection Principles in the PDP
Act 2010 and its relation to employment. General principle: Consent of the employee is the
fundamental element. Neither the employee nor management may disclose any personal
information about him or her without the employee's consent. Does the term 'consent' refer to
'express consent', or can it also encompass 'constructive consent'? A debatable issue arises from
this distinction. Employees are argued to have consented if informed of the disclosure and do not
object.

Notice and choice principle: Data subject must be notified if the employer or management
processes the employee's personal data. It is possible for data subjects to limit the extent to which
their data will be processed by being informed. However, written notice is advisable for evidence
purposes, even though some argue it is not necessary. In some cases, however, a written notice is
required before 'sensitive data' is disclosed.

Disclosure principle: Employees cannot disclose data to third parties other than for their original
purpose without their consent. This principle does not concern consent from the employee,
which is covered under general principles; it concerns the purpose of the disclosure. Information
shall not be disclosed beyond the original purpose or for multiple purposes, unless the employee
has given his consent to the disclosure of his data for more than the original purpose.

Security principle: During data processing, management must ensure that data is not lost,
misused, modified, destroyed or accessed accidentally. Employee data are secured by this
8 Personal Data Protection Act 2010 (PDPA)
9 Hassan KH [2012] Personal data protection in employment: New legal challenges for Malaysia
requirement. With almost all aspects of management taking place electronically in the era of
ICT, data is susceptible to cyber-attacks and viruses. It is therefore necessary for management to
ensure the highest level of data protection for employees.

Retention principle: Employers must consider how long they want to keep the data. The retention
of data should not exceed the requirement. Under the 10Employment Act 1955, employers must
retain employee data for as long as the employment contract lasts (this is a legal requirement).
Employees' personal data cannot be kept by their employer after they retire or otherwise end
their employment.

Integrity principle: Keeping personal data accurate, complete, current, and not misleading is
essential. Employers receive input that determines the accuracy of the data. An employee will
not be distressed or damaged by incorrect data when they receive it. Errors must, however, be
corrected by employers as soon as possible.

Access principle: Access to and correction of personal data must be available to the data subject.
Employment law has never been approached in this way before. It is common practice not to
allow employees access to their personal files. By virtue of this access principle, under the PDP
Act, employees will now be able to access their personal files and information within them. In
instances of electronically savvy management, where employee data are kept in electronic files
and access is strictly controlled by secret passwords, it would be interesting to observe how this
principle is implemented.

As part of its daily administration, management must adhere to all of the above principles. In
order to make the Act easier to reference and apply, a manual or guideline could be prepared
regarding the above duties.

10 Employment Act 1955