By Judith Delaney, Attorney and member of Agnes + Day’s Crisis Intelligence Team
As part of my contribution to the Agnes + Day team I have the opportunity to share with you developments around the world relating to protecting the privacy of all people when they either voluntarily or out of necessity, like purchasing an airline ticket, provide their personal and private information via digital platforms.
One of the countries I have been following has been Malaysia.
Malaysia’s Personal Data Protection Act
Malaysia’s Personal Data Protection Act 2010 (the “Act”) whose effective date had been postponed for several years. did go into effect on November 15, 2013.
The Act, along with other related regulations and orders, introduces a comprehensive data protection framework that imposes broad obligations on “data users” – generally the organization that receives and processes personal data in respect to commercial transactions. This framework is similar to the European Union’s Directives around the protection of an individual’s personal and private information. The Act also distinguishes between personal data and sensitive personal data, with more stringent requirements applying to the latter.
The Act requires users (organizations) of an individual’s personal data to comply with a number of principles:
1. The General Principle
An individual’s personal and private data cannot be processed without the consent of the individual.
2. The Notice and Choice Principle
The right of an individual to be informed about the purpose or purposes (hereinafter the “Purpose”) for the processing of his/her personal and private information. For example: The processing of an airline ticket
3. The Disclosure Principle
The prohibition for a commercial organization to disclose an individual’s personal and private information except in connection with the Purpose
4. The Security Principle
The obligation of an organization to take practical steps to protect an individual’s personal and private information from any loss, misuse modification, unauthorized or accidental access or disclosure, alteration or destruction.
5. The Retention Principle
The duty of an organization to not keep an individual’s data for longer than necessary to fulfill the Purpose.
6. The Data Integrity Principle
An organization’s duty to ensure that the data is accurate and up to date; and
7. The Access Principle
Meaning an individual’s right to have access to his/her data to correct that personal and private data if it is inaccurate, incomplete, misleading or not up to date.
Non-compliance with the Act may result in penalties to an organization ranging from financial to legal criminal liabilities, inclusive of incarceration.
Better understanding the crisis of flight MH370
Over a week ago one of Malaysia Airlines planes flight MH370 never made it to its destination – Beijing, China. The manner of its disappearance has been unprecedented.
As they tried to understand why someone with more than 200 souls on board would fly this plane hundreds of miles off course – an unthinkable crisis for any organization – their communication with the families and with the world was swift and transparent. All of this was aptly discussed in the article “A look at Malaysia Airlines’ Crisis Communications During the Crisis of Flight MH370” posted by Melissa Agnes on this website.
Yet, in this digital age, their handling of this unprecedented crisis has been criticized over and over again. The criticism ranges, such as the perception that the organization’s spokespersons were saying different things at different times as to why the organization was not entering the pilot’s and co-pilots homes or investigating their personal lives or those of the passengers through the personal and private data they had collected or such data other countries could have and so on.
This criticism for the most part seems to lack a very tried and true basic – which is – until one has taken the time to understand the makeup of an organization’s structure and any laws, such as the Act discussed here which places limitations on an organization to control or have the right to disclose certain information about an individual (or for that matter to enter his/her private residence without a court order or the individual’s direct permission) then perhaps the critics need to stay silent until they have those facts in hand.
So, here are some of those facts
Malaysia Airlines is legally known as Malaysian Airline System (MAS) (Malay: Sistem Penerbangan Malaysia) and is the flag carrier of Malaysia and a 5-star airline.
Following the Widespread Asset Unbundling (WAU) restructuring of Malaysia Airlines, the Malaysian Government investment arm and holding company, Khazanah Nasional’s subsidiary, Penerbangan Malaysia Berhad (which is Malaysia Airlines parent company) became the majority shareholder with a 52.0% stake. After Penerbangan Malaysia Berhad the second-largest shareholder is Khazanah Nasional, which holds 17.33% of the share (source: Wikipedia)
Malaysia Airlines CEO, Ahmad Jauhari Yahya, is the CEO of the “group” as the airline is known within the structure of its parent company. He is not the CEO of the parent company which is in fact the Malaysian Government.
The bottom line: Malaysia Airlines has been a state-run stock corporation since 1957.
Throw into the mix the Act, a law whose sole purpose is to fiercely protect the private and personal data collected, in this instance, by the airline on their customers and employees from public dissemination. A law with severe consequences for non-compliance.
Is the picture clearer now?
As Melissa has stated in response to a comment on her article: “Everybody is a spokesperson for your organization whether you want them to be or not.” The Malaysian government owns 52.4% of Malaysia Airlines. How much control would you conclude Malaysia Airlines CEO, Ahmad Jauhari Yahya has over what representatives of its major stockholder is going to say or not say?
In addition, as of yesterday, March 17, 2014
- The Malaysian Police are investigating the backgrounds of the pilots and crew
- The Homes of the two pilots have been searched
Because the process has been completed to move forward while remaining compliant with the Act.
We live in this digital world where we want and believe that we are entitled to instantaneous answers and are unhappy when they are not the answers we want or we lack the knowledge to understand why we get the answers we do.
We also tend to forget in our thirst for those answers that it can be at the expense of an individual’s right to choose to keep his/her personal and private information just that- personal and private.
All over the world people fight every day for their right to control how their personal and private information is used. The European Union has led the way. Malaysia has framed their Act similar to the European Union Directives and other countries are following with EU modeled privacy laws globally.
Malaysia Airlines continues to work within the authority they can control and the laws, inclusive of the Act, they have a duty to comply with.
So, when the horrific and unthinkable happens, know that it is important to walk in the shoes of those who must respond to the crisis and then judge them accordingly.
Disclaimer: The information contained in this post is provided only as general information and may or may not reflect the most current legal developments; accordingly, this information is not promised or guaranteed to be correct or complete and is not intended to create, or constitute formation of, an attorney-client relationship. The author expressly disclaims all liability in law or otherwise in respect to actions taken or not taken based on any or all the contents of this chapter or related information.
Judith Delaney is an attorney who specializes in global online privacy laws and issues and social media law. Judith helps organizations integrate new media strategies with business strategies to effectively manage risk associated with online compliance such as the HIPPA Omnibus Rule, global social media private and data protections and contract risk management.