Kok Eu Jin discusses the possible personal data protection issues surrounding the implementation of 5G in Malaysia.
The role of internet connectivity has become increasingly important in the wake of the COVID-19 pandemic which has witnessed the rise of remote working and learning arrangements as well as online businesses. As a result, there is an even greater demand for faster and more stable internet connectivity to enable tasks to be carried out virtually in an effective and seamless manner.
Parallel to such demands, the U.S. and China are currently leading the race to establish 5G telecommunications technology, at a time when the rest of the world is racing to find a cure for COVID-19. The relentless pursuit by these nations in rolling out the 5G technology is understandable given that 5G is expected to provide faster data download and upload speeds with significant reduction in latency, thereby enabling, among others, the rapid sharing of data within seconds.
Notwithstanding the undeniable advantages of 5G, there are concerns that 5G may facilitate the dissemination of an individual’s personal data to unauthorised parties at even greater speeds. These concerns are further compounded by the fact that IoT device providers may be tempted to compromise the security of IoT devices in the midst of sheer competition and cost-cutting measures.
In light of the imminent arrival of 5G at our shores, the Malaysian Communications and Multimedia Commission has set up a 5G taskforce to study the key issues pertaining to the implementation of 5G in Malaysia. Among the various structural and legal issues identified, the taskforce has regarded the protection of personal data as a critical area of assessment.
In Malaysia, the protection of personal data is governed by the Personal Data Protection Act 2010 (PDPA) which comprises of seven principles. The most relevant principle in the 5G context is the security principle given that the implementation of 5G will require collaboration from multiple parties such as network operators, cloud service providers and other third-party application developers.
Pursuant to the security principle, if personal data is processed by a third party service provider on behalf of a data user, the latter is required to procure sufficient guarantees from the former in respect of its technical and organisational security measures in governing the processing of personal data. Since the 5G ecosystem involves multiple parties, personal data could be routed in between the various parties thereby making it difficult to pinpoint which party has failed to apply adequate security measures during the processing of personal data.
In this regard, the Personal Data Protection Standard 2015 (PDP Standard) prescribes the following minimum security standards for personal data that is processed electronically:
Since the minimum requirements under the PDPA and the PDP Standard are not meant to be exhaustive, the 5G task force has proposed the following measures in anticipation of 5G technology being implemented in Malaysia:
In addition to the above recommendations, it would be prudent for commercial organisations in Malaysia to consider appointing a Personal Data Officer who is tasked with the responsibility of ensuring the organisation’s compliance with the PDPA and the PDP Standard.
Whilst we remain optimistic about the implementation of 5G in Malaysia and the advantages brought about by such technology, there is a need to balance the existing legislative safeguards with such technological advancement. The protection of personal data should not be neglected and must be taken seriously by the various stakeholders in order to instill trust and confidence in the public and to provide a safe environment for the use of the 5G technology.
Eu Jin is an Associate at Wong Jin Nee & Teo. His practice focuses on contentious IP matters and regularly advises clients on commercial and compliance matters including data protection issues.