The Hon. Arkam Ilyas

¶ 01 Hon. Presiding Member, today we debate the Second Reading of the Personal Data Protection (Amendment) Bill. This should have come years ago. We are happy to bring it swiftly with several amendments under our Government, yet saddened it took so long. The world is far ahead with AI and IT; as we step into a digital era and digital renaissance, this is a vital law. While protecting personal data, it provides a legal framework and infrastructure for operators and data processors to function effectively.

¶ 02 We must balance data protection with enabling the digital renaissance and support for relevant institutions. Personal data can be highly sensitive; its landing in the wrong hands risks life and limb, can bankrupt companies, and threaten national security. Yet we lacked a proper regulatory regime. Advanced nations treat privacy as highly sensitive. Consider the US — the Facebook–Cambridge Analytica scandal saw personal data of around 70 million users shared without consent, resulting in a US$5 billion penalty. Another US case in 2017 involved a group leaking names, Social Security numbers, dates of birth, addresses, and licence numbers of many individuals, leading to penalties around US$700 million. British Airways also suffered a breach affecting over 500,000 individuals. Such risks could arise here. We must be prepared with law and enforcement.

¶ 03 When the Act was first presented in 2022, timelines were set for operationalization. But after enactment, prior governments failed to provide necessary facilities to state institutions and to ensure data processors had adequate skilled human resources, stalling progress. We recognized this and, through this Amendment, provide grace periods — especially for public bodies and some private entities — to comply.

¶ 04 Another key feature is redress against automated or AI-driven decisions. Often interviews, loan applications, and other processes are now automated. If a person suffers an unfair decision, this law provides a means to challenge it.

¶ 05 We also relax the prior mandatory requirement for every public institution to appoint a Data Protection Officer, while expanding the powers of the Data Protection Authority, keeping the law adaptive and up to date. With breaches like at Cargills Bank and issues at the Department of Pensions, this Act provides the legal basis for action.

¶ 06 Importantly, we affirm the right to know how one’s data has been shared. Some in the Opposition asked whether the Bill ensures that; it does. For instance, when we are busy — driving, at work, or in meetings — we may get marketing calls. We do not know who gave them our number. Under this Act, we can find out who provided our personal data. We gain a legal entitlement to trace the source and to notify entities not to share our data without consent; those entities are legally bound to comply, or the forthcoming Authority can act.

¶ 07 With increasing foreign investors and tourists, this law applies to both domestic and foreign persons; it will protect their data too.

¶ 08 Coupled with this, we need the Cyber Security Act. As we expect large-scale digital economic activity, cyber security becomes essential. Alongside this data protection law, a comprehensive cyber security framework is necessary.

¶ 09 Privacy is not merely hiding things; it is about controlling who has access. We are introducing a framework to prevent the uncontrolled dissemination of people’s and institutions’ data and to ensure it reaches only proper hands. Privacy is not just a right; it is a responsibility — and as a Government, we are bound to uphold it.

¶ 10 Thank you.