Data Protection Act

The Experts below are selected from a list of 26973 Experts worldwide ranked by ideXlab platform

Graham Greenleaf - One of the best experts on this subject based on the ideXlab platform.

  • Thailand - Asia's strong new data protection law
    2019
    Co-Authors: Graham Greenleaf, Arthit Suriyawongkul
    Abstract:

    Thailand’s Personal Data Protection Act of 2019 may become one of the strongest data privacy laws in Asia. It is much stronger than the previous Bill, both in terms of its principles and its enforcement. However, the picture will not be complete until the many rules that can be made by its data protection authority (the PDPC), and any Royal Decrees granting exemptions, are developed. The main significance of the Thai law is that it is the first explicitly ‘GDPR-based’ law to yet be enacted in Asia, ahead of the GDPR-informed draft Bills in India and Indonesia. While not all of the innovations of the EU GDPR’s data protection principles are included in the PDPA, a substantial set are included. Following the Thai 2019 elections, the EU is again willing to re-commence negotiations on a free trade agreement (FTA) with Thailand and is its third-largest trading partner. For businesses operating in Thailand, this Act imposes serious obligations, but to assess their full extent they will need to obtain much further information which is not yet available. For data subjects the PDPA creates serious rights and remedies not previously available, and the Act overall is a major step forward. From the perspective of civil society, the complex administrative and enforcement structure of the Act raises difficulties in determining who could be held responsible for effective enforcement. The potential scope of exemptions is also of great concern. The enforcement mechanisms in the Act are all much stronger than in the previous Bill. Rights of appeal against administrative fines and other decisions of the PDPC or its expert Committees, and in criminal prosecutions, might benefit from some further clarity. All of these matters are examined in detail in this article.

  • Regulations with data export limitations bring Singapore's data privacy law into force
    Social Science Research Network, 2014
    Co-Authors: Graham Greenleaf
    Abstract:

    On 2 July 2014, the data protection provisions of Singapore’s Personal Data Protection Act 2012 (PDPA) came into force, following an 18 month transition period for companies to prepare for compliance. To complete the process, the Personal Data Protection Regulations 2014 (PDPR) were made on 15 May 2014. This article considers the most important aspects of the Regulations, which concern personal data exports. Singapore’s approach is very thorough and not easily classified – it is sui generis. The Act requires that data exports should only be to recipients bound by legally enforceable obligations comparable to those found in Singapore, and also includes some elements of extraterritoriality. Regulation 10 specifies that ‘legally enforceable obligations’ may include laws, contracts, binding corporate rules (BCRs) or ‘any other legally binding instrument’. It probably gives individual data subjects few opportunities to protect themselves against unprotected exports, unless an export becomes publicly notorious. However, it does impose obligations on companies which, if not observed, could result in PDPC enforcement action if something goes badly wrong. Other aspects of how the PDPA is being brought into force are also explained, including regulations concerning deceased persons, various draft Guidelines, and exemptions promulgated by the Monetary Authority of Singapore which illustrate a major weakness of the PDPA. They have a common feature that businesses involved with Singapore need to be aware of considerable regulatory detail or there are considerable risks involved.

  • Singapore's Personal Data Protection Act 2012 - scope and principles (with so many exemptions, it is only a 'known unknown')
    Social Science Research Network, 2013
    Co-Authors: Graham Greenleaf
    Abstract:

    Singapore’s legislature enacted the Personal Data Protection Act on 15 October 2012, making it the tenth jurisdiction in Asia to enact a data privacy law. It is the fourth data privacy law enacted in the ASEAN (Association of South East Asian Nations) region. This article explains the scope of Singapore’s Act, and its data privacy ‘General Rules’. Singapore’s Act now implements all of the OECD privacy guidelines (with very substantial exemptions and qualifications), and adds some extra protections. The complex provisions defining the scope of the Act, providing many exceptions, reveal some of its weaknesses as data protection. These exemptions make the scope of the Act a ‘known unknown’. Many aspects are quite balanced. While the Act exempts data intermediaries, it makes data controllers vicariously liable for their acts. Similarly, data exports may be allowed, but may also carry vicarious liability. The exceptions to the collection, use and disclosure principles are extremely extensive. The overall result appears to be a minimal version of a ‘normal’ data privacy law, but an Act that is more holes than cheese. The article will be followed in the next issue with an examination of the Act’s enforcement measures.

  • Taiwan revises its Data Protection Act
    Social Science Research Network, 2011
    Co-Authors: Graham Greenleaf
    Abstract:

    Taiwan’s Computer Processed Personal Data Protection Act of 1995 was pioneering data protection legislation in Asia, but had many inherent defects. It had limited coverage, dealing generally with the public sector but only eight specified private sector areas. There was no single oversight body, enforcement being left to the Ministries responsible for each industry sector. Evidence of the enforcement or effectiveness of the Act is lacking, but commentators were of the opinion that the Act is ineffective. The new Personal Data Protection Act enacted 26 May 2010 is in effect a new piece of legislation. It will not be brought into force until 2012 when the Enforcement Rules necessary for operation of some sections are expected to be prescribed by the Executive Yuan. The Act is comprehensive in relation to both public and private sectors, and thus much more extensive than the previous Act in relation to the private sector. The revised Act still has no single oversight body, and does not create a data protection authority. Enforcement is left to the Ministries responsible for each industry sector. The obligations imposed by the Act have been considerably expanded, particularly those in relation to notice, and to sensitive data. Data exports (‘international transmission’) by private organisations (‘non-public agencies’) may be restricted by ‘the central competent authority for the relevant industry’ (A 21), but this is not an automatic prohibition on exports. The Act has the first example of an enforceable requirement to notify data subjects (but not the relevant authority) of data breaches enacted in Asian data protection legislation, although the data breach notification provisions in the 2011 Korean legislation are the first to come into force. However, the Taiwanese provision does not apply to all ‘data breaches,’ only to those where the company or government agency has breached a provision of the Act. Contraventions of the Act, where damage is caused to another person, can be punished by imprisonment up to two years or substantial fines. Potentially more important are the extensive provisions for damages actions, and for class action litigation (where ‘the rights of multiple subjects are injured by the same causal facts’) by representative organisations which have objectives of protecting personal data. While not as innovative as Korea’s new law, this Act does bring Taiwan up to many aspects of international standards.

  • Macao's EU-influenced Personal Data Protection Act
    Social Science Research Network, 2008
    Co-Authors: Graham Greenleaf
    Abstract:

    Macao’s Personal Data Protection Act (2006) is the most recent data protection law in Asia, and potentially one of the strongest. The Act is very similar to Portugal’s legislation in most respects (though also said to be influenced by Hong Kong’s Ordinance). As a result it is closer to the EU privacy Directive of 1995 than any other data protection legislation in Asia. Macao’s position as a region of the PRC makes this doubly interesting. This article examines the history of the Act, the Office for Personal Data Protection (OPDP), the role of data protection principles and codes, the variety of enforcement measures, transfers outside Macao, and the notification/registration system.

Rebecca Wong

  • Assessing the status of medical information in the light of the UK Data Protection Act 1998
    Social Science Research Network, 2008
    Co-Authors: Rebecca Wong
    Abstract:

    This paper will consider the current privacy laws as applied to healthcare in the UK, taking into account the UK Data Protection Act 1998, which implements the European Data Protection Directive 95/46/EC. Whilst the data protection laws in the UK deal with the overall protection of an individual's personal information, there are certain issues that still need to be addressed by UK Courts including the subject of anonymous data; sensitive data; electronic patient records and genetic databases. To understand these issues, we will need to understand the context in which the UK data protection laws apply and the recent caselaw emerging from the UK courts and the European Court of Justice. Part II will consider the scope of the Data Protection Act 1998 followed by a discussion of genetic data. The discussion of anonymous and pseudonymous data is then considered before examining health records with final concluding remarks.

  • Assessing the status of medical information in the light of the UK Data Protection Act 1998
    Web Journal of Current Legal Issues, 2008
    Co-Authors: Rebecca Wong
    Abstract:

    This article will consider the current privacy laws as applied to healthcare in the UK, taking into account the UK Data Protection Act 1998, which implements the European Data Protection Directive 95/46/EC (hereinafter “DPD”). Whilst the data protection laws in the UK deal with the overall protection of an individual’s personal information, there are certain issues that still need to be addressed by UK Courts including the subject of anonymous data; sensitive data; electronic patient records and genetic databases. To understand these issues, we will need to understand the context in which the UK data protection laws apply and the recent caselaw emerging from the UK courts and the European Court of Justice. Part 2 will consider the scope of the Data Protection Act 1998 followed by a discussion of “genetic data”. The discussion of “anonymous” and “pseudonymous” data is then considered before examining health records with final concluding remarks.

Chetan Gupta

  • Indian Personal Data Protection Act, 2018: draft bill and its history, compared to EU GDPR and California privacy law
    2018
    Co-Authors: Lothar Determann, Chetan Gupta
    Abstract:

    2018 is a big year for data privacy and data processing regulation. On July 27, 2018, India published a draft bill for a new, comprehensive data protection law to "be called the Personal Data Protection Act, 2018," only a few weeks after the European Union General Data Protection Regulation (GDPR) took effect on May 25, 2018 and California enacted the California Consumer Privacy Act of 2018 at the end of June. Brazil already followed with a new General Data Protection Law (Law No. 13,709/2018) only a few weeks later, on August 14, 2018. With the new law, the Indian government responds to a mandate from the Indian Supreme Court, which had directed the government of India in August 2017 to enact comprehensive data protection legislation. Before the Personal Data Protection Act becomes effective in India, there is no omnibus data protection regulation as in Europe, nor are there detailed sectoral privacy laws as in the United States. The new Indian Personal Data Protection Act adopts and further develops many existing principles of EU-style data processing regulation and some aspects of U.S.-style data privacy laws. Global companies can, and should try to, address the requirements of the new Indian Data Protection Law, the GDPR, the California Consumer Privacy Act and other privacy regimes simultaneously and holistically, in the interest of efficiency. But, it is also clear that companies cannot just expand the coverage of their GDPR-focused compliance measures to India without addressing the nuances of the new Indian Personal Data Protection Act, and the many differences compared to other jurisdictions' data processing regulations and data privacy laws. It is noteworthy that India is not maintaining its status quo, pursuing lighter regulation, or following the U.S. approach of sectoral, harm-specific protections for individual privacy, in which the Silicon Valley rose to world leadership in information technologies and the broader U.S. technology sector flourished. Instead, India is leaning heavily towards the European model of restrictive data processing regulation. This shift could well affect India's globally leading information technology sector. In our article, we review the history and political context of the draft bill, summarize its key provisions, and compare them to the EU GDPR and the California Consumer Privacy Act.

  • India's Personal Data Protection Act, 2018: comparison with the General Data Protection Regulation and the California Consumer Privacy Act of 2018
    Social Science Research Network, 2018
    Co-Authors: Lothar Determann, Chetan Gupta
    Abstract:

    2018 is a big year for data privacy and data processing regulation. On July 27, 2018, India published a draft bill for a new, comprehensive data protection law to "be called the Personal Data Protection Act, 2018," only a few weeks after the European Union General Data Protection Regulation (GDPR) took effect on May 25, 2018 and California enacted the California Consumer Privacy Act of 2018 at the end of June. Brazil already followed with a new General Data Protection Law (Law No. 13,709/2018) only a few weeks later, on August 14, 2018. With the new law, the Indian government responds to a mandate from the Indian Supreme Court, which had directed the government of India in August 2017 to enact comprehensive data protection legislation. Before the Personal Data Protection Act becomes effective in India, there is no omnibus data protection regulation as in Europe, nor are there detailed sectoral privacy laws as in the United States. The new Indian Personal Data Protection Act adopts and further develops many existing principles of EU-style data processing regulation and some aspects of U.S.-style data privacy laws. Global companies can, and should try to, address the requirements of the new Indian Data Protection Law, the GDPR, the California Consumer Privacy Act and other privacy regimes simultaneously and holistically, in the interest of efficiency. But, it is also clear that companies cannot just expand the coverage of their GDPR-focused compliance measures to India without addressing the nuances of the new Indian Personal Data Protection Act, and the many differences compared to other jurisdictions' data processing regulations and data privacy laws. It is noteworthy that India is not maintaining its status quo, pursuing lighter regulation, or following the U.S. approach of sectoral, harm-specific protections for individual privacy, in which the Silicon Valley rose to world leadership in information technologies and the broader U.S. technology sector flourished. Instead, India is leaning heavily towards the European model of restrictive data processing regulation. This shift could well affect India's globally leading information technology sector. In our article, we review the history and political context of the draft bill, summarize its key provisions, and compare them to the EU GDPR and the California Consumer Privacy Act.

Phil Boyd

  • Health research and the Data Protection Act 1998
    Journal of Health Services Research & Policy, 2003
    Co-Authors: Phil Boyd
    Abstract:

    The 1998 Data Protection Act in the UK largely restates existing good practice: individuals have a right to know what data are held about them and why; and those processing data have a duty to proceed with fairness and transparency, maintain high data quality and keep data secure. Some health researchers have criticised the Act, seeing it as a legal minefield, unnecessary bureaucracy and interference from the European Union. This is largely based on misconceptions. Recent guidance from the Information Commissioner aims to assist researchers by advising how legal requirements can be met through anonymisation of data, attention to data-processing methods and fair collection of data. The Act provides a clear framework of rights and responsibilities that should be embraced with enthusiasm rather than with the reluctance of a person forced to carry out a meaningless chore.

  • The requirements of the Data Protection Act 1998 for the processing of medical data
    Journal of Medical Ethics, 2003
    Co-Authors: Phil Boyd
    Abstract:

    The Data Protection Act 1998 presents a number of significant challenges to data controllers in the health sector. To assist data controllers in understanding their obligations under the Act, the Information Commissioner has published guidance, The Use and Disclosure of Health Data, which is reproduced here. The guidance deals, among other things, with the steps that must be taken to obtain patient data fairly, the implied requirements of the Act to use anonymised or pseudonymised data where possible, an exemption applicable principally to records based research, the right of patients to object to the processing of their data, and the interface of the Act and the common law duty of confidence.

Hui Na Chua

  • Personal Data Protection Act Enforcement with PETs Adoption: An Exploratory Study on Employees’ Working Process Change
    IT Convergence and Security 2017, 2017
    Co-Authors: May Fen Gan, Hui Na Chua, Siew Fan Wong
    Abstract:

    It is often that personal data were being misused by organizations for their own benefits. To tackle this issue, different countries had introduced and enforced personal data protection regulations. With the enforcement, organizations in the relevant countries need to comply with the law enforcement to protect personal data as their legal responsibility. Privacy Enhancing Technologies (PETs) act as a form of technology that protects individual privacy data in organizations. The purpose of this research is to discover the impact of personal data protection Act enforcement with PETs adoption on organization employees’ working experience and performance through the study of their working process change. This research adopts a qualitative single case study on one of the telecommunication companies in Malaysia. The targeted participants are employees who come from different work nature, i.e., use personal data, process personal data or set up systems to protect personal data. The finding of this research will enable organizations to have better understanding in future PETs adoption and provide insights on the measures to be taken to comply with personal data protection. This paper presents our preliminary results based on semi-structured interviews with 8 participants from different groups of work nature.

  • Unveiling the coverage patterns of newspapers on the Personal Data Protection Act
    Government Information Quarterly, 2017
    Co-Authors: Hui Na Chua, Siew Fan Wong, Younghoon Chang, Christian Fernando Libaquesaenz
    Abstract:

    Internet-enabled technology has significantly increased the amount of personal data that are being collected, used, processed and even transferred to third party organizations. To protect the privacy of data owners and the security of these data, the Malaysian government has enforced the Personal Data Protection Act (PDPA) in 2013. Several studies found that Malaysians have low awareness of the PDPA. Prior literature also shows that the framing of news stories by the media has significant influence on public awareness and perception toward a covered topic. In this paper, we investigated how the Malaysian newspapers frame the PDPA news. We extracted a total of 793 news articles between January 1st 2010 and July 31st 2015 from ten local English newspapers. The results show that newspapers in general have not given the PDPA enough attention considering its potential impact on data privacy and security. Nonetheless, newspapers do publish significantly higher number of PDPA articles after the enforcement period compared to before the enforcement period. The newspapers also mostly position the PDPA news in the Technology section. The results also show that more PDPA news originated from foreign sources compared to local sources or the government. Our findings provide insights into the coverage patterns of local newspapers and the insufficient level of prominence given to the PDPA. The findings have implications for both the government and the newspapers as a media.

  • Compliance to personal data protection principles
    Telematics and Informatics, 2017
    Co-Authors: Hui Na Chua, Siew Fan Wong, Anthony Herbland, Younghoon Chang
    Abstract:

    We examined how organizations' privacy policy meet the compliance requirement. We found privately-owned organizations have higher compliance level. Sectors with more personal sensitive data have significantly higher compliance score. Government sectors have the lowest compliance score and highest readability score. Foreign and local sectors demonstrate statistically significant comparable compliance scores. This study examines how organizations in Malaysia frame their privacy policy notice to comply with the Personal Data Protection Act (PDPA, 2010) and if these organizations differ in their level of compliance and the readability of their privacy notices. We collected the online privacy policies of 306 organizations from 12 sectors to assess their readability and compliance with PDPA requirements. The results show that private-owned organizations have higher compliance level compared to public-owned organizations. Sectors that hold more personal sensitive data obtain higher compliance scores. Non-governmental organizations demonstrate higher compliance level compared to government-owned organizations. Despite differences in the compliance scores, most organizations fail to meet the requirements of the PDPA. Our study also reveals that readability has a negative correlation with the compliance score because simple and shorter version of the privacy policies often lack detailed information. Our findings provide valuable insights into organizations' privacy policy compliance across different sectors in Malaysia. Specifically, the Malaysian authority should implement more effective mechanisms to enforce the compliance of the PDPA. Organizations should also take corrective actions to improve the compliance scores of their online privacy policies.

  • Using text analytics to discover online newspapers' role in disseminating government policy: a Malaysian PDPA context
    International Conference on Distributed Computing Systems Workshops, 2016
    Co-Authors: Hui Na Chua
    Abstract:

    As there are many cases on data misused, Malaysia government has enforced Personal Data Protection Act (PDPA) to regulate the processing of personal data in commercial transactions. However, it is found that many individuals have little knowledge on what is PDPA. According to literature, newspaper is the primary source for public knowledge on justice/legal affair. However, previous survey shows that 16% of Malaysian individuals gained PDPA knowledge through newspaper. Each aspect in the newspaper such as news category, news source, headline, frequency of relevant news and time gap between each relevant news being published plays a major role in affecting individual knowledge acquisition. This paper presents the discovery of the PDPA publication trend from online news portal and identify the attributes of current newspaper framing that affects the dissemination of news. In our studies, a total of 830 Malaysia English news from 29 different web portals has been collected. Descriptive analysis has been performed in each news aspects. The findings of this research project show that most online news are not focused on PDPA. Moreover, the framing, agenda setting and priming of the news indicates that personal data protection information had not been disseminating effectively.