Is Malaysia 5G ready?
Kok Eu Jin discusses the possible personal data protection issues surrounding the implementation of 5G in Malaysia.
The role of internet connectivity has become increasingly important in the wake of the COVID-19 pandemic which has witnessed the rise of remote working and learning arrangements as well as online businesses. As a result, there is an even greater demand for faster and more stable internet connectivity to enable tasks to be carried out virtually in an effective and seamless manner.
Parallel to such demands, the U.S. and China are currently leading the race to establish 5G telecommunications technology, at a time when the rest of the world is racing to find a cure for COVID-19. The relentless pursuit by these nations in rolling out the 5G technology is understandable given that 5G is expected to provide faster data download and upload speeds with significant reduction in latency, thereby enabling, among others, the rapid sharing of data within seconds.
Notwithstanding the undeniable advantages of 5G, there are concerns that 5G may facilitate the dissemination of an individual’s personal data to unauthorised parties at even greater speeds. These concerns are further compounded by the fact that IoT device providers may be tempted to compromise the security of IoT devices in the midst of sheer competition and cost-cutting measures.
In light of the imminent arrival of 5G at our shores, the Malaysian Communications and Multimedia Commission has set up a 5G taskforce to study the key issues pertaining to the implementation of 5G in Malaysia. Among the various structural and legal issues identified, the taskforce has regarded the protection of personal data as a critical area of assessment.
Personal Data Protection Safeguards in Malaysia
In Malaysia, the protection of personal data is governed by the Personal Data Protection Act 2010 (PDPA) which comprises of seven principles. The most relevant principle in the 5G context is the security principle given that the implementation of 5G will require collaboration from multiple parties such as network operators, cloud service providers and other third-party application developers.
Pursuant to the security principle, if personal data is processed by a third party service provider on behalf of a data user, the latter is required to procure sufficient guarantees from the former in respect of its technical and organisational security measures in governing the processing of personal data. Since the 5G ecosystem involves multiple parties, personal data could be routed in between the various parties thereby making it difficult to pinpoint which party has failed to apply adequate security measures during the processing of personal data.
In this regard, the Personal Data Protection Standard 2015 (PDP Standard) prescribes the following minimum security standards for personal data that is processed electronically:
- Data users should contract with third party data processors to ensure the safety of personal data from loss, misuse, modification, unauthorized access and disclosure.
- Periodically maintaining proper record of access to personal data and making such record available for submission when directed by the Personal Data Protection Commissioner.
- Safeguarding computer systems from malware threats to prevent attacks on personal data.
- Updating the back-up/recovery system and anti-virus to prevent personal data intrusion.
Since the minimum requirements under the PDPA and the PDP Standard are not meant to be exhaustive, the 5G task force has proposed the following measures in anticipation of 5G technology being implemented in Malaysia:
- Formulating a new Code of Practice to raise the minimum security standards.
- Adopting global standards such as the 3rd Generation Partnership Project (3GPP) Security Standard as a reference to ensure that the Malaysian ecosystem adheres to stipulated security features.
- Developing a Standardised Minimum Security Assessment Checklist to clearly define responsibilities and standards towards ensuring secured 5G networks.
In addition to the above recommendations, it would be prudent for commercial organisations in Malaysia to consider appointing a Personal Data Officer who is tasked with the responsibility of ensuring the organisation’s compliance with the PDPA and the PDP Standard.
Whilst we remain optimistic about the implementation of 5G in Malaysia and the advantages brought about by such technology, there is a need to balance the existing legislative safeguards with such technological advancement. The protection of personal data should not be neglected and must be taken seriously by the various stakeholders in order to instill trust and confidence in the public and to provide a safe environment for the use of the 5G technology.
Eu Jin is an Associate at Wong Jin Nee & Teo. His practice focuses on contentious IP matters and regularly advises clients on commercial and compliance matters including data protection issues.