Data Secrecy, PDPA and Cyber Vigilantism
“Those who create information (in any form) is doomed to safeguard it, until it has been completely destroyed” – Suresh Ramasamy (2005)
There was a buzz on social media about how the female gender in Singapore had compiled a list of persons who are not suitable for dating for various reasons. This became viral and spilled over in Malaysia, where someone started a similar list. Within hours, it was reported that over 200 entries were made into that similar list. In normal days, I would observe the trend to see where it went. I have no clue what data is captured there, so instead of making assumptions I decided to make parallel to the situation. A good friend had posted a message, saying men should do better, and that he wanted to have a daughter, but now thinking twice about it due to the current situation. I didn’t realize how impactful that message was, to the point my overthinking brain started writing this article mentally without me even pondering.
This article is written from an objective lens, analyzing the whole situation from a data, privacy, and activism context. It isn’t about what’s right and what’s not, but to give a perspective into the issue and understand further by making parallels into how data affects our daily lives, even without us knowing about it.
To help me describe this, I have created a fictitious story (no resemblance to the living unless if your name is 2 characters and 3 numbers) from a simple country called Kandaqstan (Hi Jahabar! As you can see, I am missing Penang food!).
This story revolves around the car dealership and its buyers. These are the characters in the story. Look out, loads of pun ahead!
CD007 – Well meaning car dealer
SA001 – Sales Agent
CB004 – Clueless car buyer
CB008 – Car buyer, brother to the owner of CD003
CD005 – A car dealer
CD003 – Another car dealer
CD007 has been an established car dealer. Sales has been brisk, but due to the pandemic (haha, I had to throw this in) sales has dropped. CD007 noticed that while traffic into the centers have reduced, there are people still coming in to test drive the cars. However, CD007 began to notice that there are people who repeatedly test drive, but do not buy the car. This frustrates CD007 and they decide to do something.
CD007 came up with an idea. Why not compile a list of customers who does repeated test drive without buying or even making a booking. This list is shared amongst the car dealers. In a way, this helps the car dealers to identify if the customer who came in had a “track record” of not buying the car. So, CD007 started this list and it became a hit as other car dealers began to use it and contribute. Soon, this list grew and had a lot of comments and even customer ratings (you have some irate customers, some that asks a lot, etc etc).
CB004 is a new car buyer. Poor sod, can’t differentiate between a nut and a wheel. He’s worked his way through the corporate ladder and had saved up a lot of money to eventually treat himself to a nice car. Naturally, being careful about every single penny he earned, he wanted to get the best deal at the same time use the opportunity to learn. His colleagues told him that the best way to know a car is to test drive it.
CD007 was very close to his house and was somewhat his preferred car brand. So CB004 would visit the showroom, asks questions. CB004 would also request for test drive. Every time a new model or facelift comes up, CB004 would line up patiently and get his turn. This was observed by CD007 and decided to put CB004 in this list.
Soon after, CB004 realized the cold treatment he’s receiving from CD007. He wasn’t sure what he did wrong, he thought that’s what everyone did. So CB004 went to another car dealer, CD005. To his surprise, no one entertained him after getting his details. Puzzled, CB004 decided to take a break and thought maybe he was going through a rough spell. But the urgency of getting the car was increasing and he was close to deciding.
Similar situation happened to CB008. Having a family member in the dealership business, CB008 was much more pedantic compared to CB004. He could smell through bullshit miles away, and unfortunately Sales Agent are prone to that syndrome. CD005 decided that they will have none of it and put CB008 into the list.
CB008 was receiving the same lackluster treatment, decided to check with CD003. CD003 discovered that his brother CB008 has been put on to the list and decided to protest. CD007 was in a predicament, do you remove it or do you leave the entry? CB008 had no avenue to argue his case as the list is only limited to Car Dealers. This went on for a while.
Not happy with the situation CB008 decided to start his own list. This list would have rating and how car dealers behave and treat their customers. This news reached our friend CB004 who start subscribing to the list and actively contributing to the entries. Eventually customers started using the list and boycotted dealers the same way dealers were boycotting customers. The industry became a hostile ground, some dealer decided to stay out of the fight and decided to give each customer equal access. Those earned better sales, and CB004 & CB008 eventually bought their cars.
So lets analyse the situation.
Once this data is created (referring to the list), we know have a list custodian (aka the owner). We have contributors (who may or may not be attributed for the entry) and consumers who use this data. Note that there will be personal information in the list, so as to correctly identify who the person is on the name. Name may be synonymous (like mine is too common), so other identifiers will be included to ensure that the person is identified correctly.
Let’s look at data quality. It is a collaborative list, which means all contributors can add entry to the list. There may be some set parameters or selection on why the person is added to the list, those reasons that aren’t there may just be another selection of existing option just to put the person or dealer on that list. Who ensures that the data is accurate? How do you prevent mistaken identity (we have seen in the past loan sharks attacking innocent victims just because the previous tenant had owned money and the property is now splashed with red paint). How do you prevent personal vendetta from getting into the way of (ab)using the list?
Data management – how long does a person/dealer stay on that list? Is there an expiry term like a Statutes of Limitation? Or is it a permanent list? How do you resolve conflict? Who decided (or becomes God of the list) to say who stays and who leaves the list? Since the list is relied by many, getting on and off the list has consequences to both individual and dealer. In the case of CB004, he wanted to get a car, and had to go to a dealer who wasn’t using the list to complete the sales.
Now, the slightly bigger fish – Privacy.
This section is written based on Malaysia’s implementation of PDPA, citing its principles to explain the context.
If an organization retains a personal information, the organization is now duty bound to inform how that data is used. In this case, since the list was kept secret within the industry, no one informed anyone about their personal details being stored in this list. This is a violation of General Principle of PDPA.
Is this necessary for the car dealership? No. Dealers can still do business even without access to the list. Hence it is not mandatory nor exempted under PDPA. Is it necessary to protect the vital interest of the data subject? Obviously is counterproductive to the customers nor the dealers.
Did the customer or the dealer receive a notice about the list? No. Notice and Choice Principle failed. Does the data subject has the right to review and correct the information? Obviously No. Is the list disclosed to anyone else? E.g. other industries? Maybe. No one knows for sure as sales agent who has access may leave the industry but still have access to the list and use it for his/her/their new job. Is it obligatory or voluntary for data subject to provide the data? No, because the data was entered without the data subject’s knowledge. Was the data provided by the data subject used for other than intended purpose? In this case, a customer provides information for test drive purpose, however now used for the list. It’s a No as well.
No data shall be disclosed without the consent of the data subject. In this case, data is actively being disclosed to consumers of the list without the knowledge of the data subject.
What are the security measures taken to safeguard the list? Well its just a list in Google determined by CD007 on who has access. CD007 gets a call from a fellow distributor and adds the email address into the access list. Is it sufficient? Maybe. Is there rigor in access management, I doubt that.
Earlier question – how long is the data retained? Perpetual, since the list was started. Does not meet Retention policy.
Does CD007 take every step to ensure that the data entered is accurate? No, CD007 relies on those keying into the database to ensure that the data is secure.
Is the data subject given access to the data and allow the data to be corrected? No. It’s a private list. Fails Access Principle.
Suresh, all this is fine and well, for this situation which involves dealers and buyers are commercial transaction. But the original topic talks about personal, which is not covered by PDPA.
You are absolutely right. PDPA does not cover data used for personal use. However, remember I didn’t end the story, but said intermission? Let me continue the story.
CB004 thinking about his financial commitments worry his current job may not be sufficient for him to take up this new car, even though he can cover his monthly bill. CB004 decides to apply for a job at a local motoring news outlet as IT Supervisor hoping to get a bump in his salary. The HR staff, whose an ex Sales Agent, SA001 does his due diligence on all staffs. Since he was formerly a Sales Agent, he has access into this private list. Looking at the entry of CB004, he decided to put a footnote to the hiring manager saying that this person’s attitude is not welcomed. CB004 was unsuccessful in his job application, and knowing the Malaysian HR process was simply ghosted without any further details.
I’m going to stop the story here.
While the list is private, its used can never be limited. Anyone having access could use the list for any reasons, beyond what it was intended. Hence, what set out to be a simple well meaning effort may eclipse into a bigger beast.
The actual whale – Defamation
A defamatory statement is a statement that:
- Tends to lower a person in the estimation of right thinking members of society generally;
- Causes a person to be shunned or avoided or to expose him to hatred, contempt or ridicule; or
- Conveys an imputation on a person disparaging or injurious to his office, profession, calling, trade or business.
There are two methods of interpreting the words in an allegedly defamatory statement:
- By their natural and ordinary meaning; or
- By innuendo.
Based on this, it is sufficient to say that it meets the test where the list can be defamatory. This applies both sides, to the buyer and the dealer as well.
Is there a solution on this? No. Cyber vigilantism may look all good and well, there are real world issues, from the beginning from the matter of data, privacy and legal in this manner. Does it solve a problem or exacerbate it? You be the judge.
To my friend, fret not. Have your daughter, raise her in every right way as a responsible father that you are. We are always thrown challenges in life; we usually swim it through even though we think that we’re drowning. Every generation has its own unique challenges and gives you a different battle scars, but it is a journey, not a destination. Hope this gives you comfort.