Data subject rights

Under the PDPO, four main data subject rights were proposed, namely: the right to withdraw consent; the right to access; the right to rectification; and the right to data portability. Following the public consultation paper, the AITI noted that support existed for the introduction of the right to be informed in addition to the rights already proposed. Nevertheless, the AITI highlighted in its feedback response paper that the notification obligation, discussed in Part one of this series, sets out sufficient requirements that addresses concerns that have been provided for the right to be informed (5.1.3 of the Feedback Response Paper).

Right to withdraw consent

An individual may withdraw their consent to the collection, use, or disclosure of their personal data when exercised with reasonable notice to an organisation. The withdrawal of consent will apply to both express consent and deemed consent (section 5.3.1 of the public consultation paper). Similar to Article 13(2)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), an organisation must inform the individual of the likely consequences for their withdrawal of consent (section 5.3.2 and 5.3.4 of the public consultation paper). Moreover, upon receipt of withdrawal, an organisation must cease the collection, use, or disclosure of such data. The AITI noted that organisations are permitted to retain personal data subject to the retention limitation obligation (section 5.2.6 of the feedback response paper). Furthermore, the AITI clarified that the option to 'unsubscribe' or 'opt out' may constitute as withdrawal of consent for the purposes of the right to withdraw consent (section 5.2.7 of the feedback response paper).

Right to access

An individual has the right to request from organisations the personal data that is in their possession or under their control, and has been or may have been used or disclosed within a year before the date of the request, subject to exceptions (section 5.4.1 of the public consultation paper). Moreover, the AITI noted that an organisation is required to provide individuals with access to their requested personal information which encompasses all personal data unless such data may be omitted on reasonable grounds. Reasonable grounds include, among other things: a threat to the safety, physical, or mental health of the individual; the cause of immediate or grave harm to the physical or mental health of the individual; or the reveal of personal data of another individual. Data may be excluded from the right of access if it falls under the exclusion clause of the PDPO, which include opinion data on the individual, data that is subject to legal privilege, and personal data that has been disclosed without consent for the purposes of an investigation, among other things (sections 5.4.1 to 5.4.7 of the public consultation paper and section 5.3.12 of the feedback response paper).

Where an organisation rejects or excludes information from the right of access, the individual must be informed of the rejection or the exclusion, and the organisation must keep a copy of the personal data for the prescribed period and ensure that the copy is complete and accurate in case the AITI or a responsible authority needs to review the rejection (sections 5.4.8 and 5.4.9 of the public consultation paper).

The AITI also noted that organisations may set up verification requirements for access requests and correspond with individuals to find out the purpose of their access request. In addition to the above, the AITI intends to clarify timeframes and the charging of fees associated with the exercise of this right (sections 5.3.11 and 5.3.12 of the feedback response paper).

Right to rectification

An individual may request an organisation correct an error or omission associated with their personal data, and such request must be actioned as soon as practicable. The right to rectification only extends to personal data that is in the organisation's possession or under its control. Correspondingly, organisations may reject such a request on reasonable grounds which are the same to the reasonable grounds established under the right of access (sections 5.5.1, 5.5.2, and 5.5.7 of the public consultation paper and section 5.4.1 of the feedback response paper).

Organisations must also send the request to correct an error or omission to any other organisation or third party that possesses the personal data of the individual. Where such a request is made to a third party, they must comply with the rectification request, unless exceptions apply (section 5.5.4 of the public consultation paper and seciton 5.4.2 of the feedback response paper).

Right to data portability

The final right that was envisioned is the right to data portability. The right to data portability is the porting of an individual's 'applicable data' to another organisation under certain circumstances unless an exception applies. When a data portability request is submitted, the organisation must transmit the applicable data to the organisation requested, in the prescribed manner, if certain conditions are satisfied, including that the data subject has an on-going relationship with the organisation receiving the request.

The PDPO sets out exceptions to the right to data portability, similar to the exceptions provided in regard to the right to access and rectification. Specifically, organisations must notify data subjects if they refuse to transmit such data within the prescribed time and manner, noting that where data is to be transmitted, the initial organisation making the transfer must preserve any data specified in the data portability request for a prescribed period of time, regardless if such data is transferred, and ensure that a copy of such data is complete and accurate.

In the feedback response paper, however, the AITI stated that, following the feedback it had received during the public consultation, it would exclude the right to data portability from the PDPO and monitor the introduction of such right in future amendments. The AITI highlighted that organisations raised concerns about the regulatory burden likely to be placed on them, and the lack of clarity concerning the scope of 'applicable data' that may be transmitted under this right (sections 5.5.1 to 5.5.3 of the feedback response paper).

Do not call regime

Similar to the right to data portability, in the initial public consultation paper, a DNC regime was envisioned under the PDPO but later excluded in the feedback response paper (section 8.1 of the feedback response paper). In particular, the DNC regime was intended to establish a registry to protect individual consumers by allowing them to register if they do not wish to receive telemarketing messages via phone call, text message (i.e. SMS, MMS, or any electronic communications sent using a telephone number, e.g. WhatsApp, Telegram), or fax, free of charge (sections 8.1 and 8.2 of the public consultation Paper). Under the DNC regime, organisations would have been required to check the registry prior to undertaking direct marketing activities, make available the company contact information, and establish further requirements on clear and unambiguous consent for the sending of such messages (sections 8.5 to 8.8 of the public consultation paper).

The AITI noted that from the public consultation, organisations detailed that high costs would be associated with the establishment, operation, and compliance with a DNC regime and registry, noting that the existing consent requirements established under the PDPO already addressed the issues that such a regime and registry would attempt to address (sections 8.1.2 to 8.1.4 of the feedback response paper).

Enforcement of the PDPO

The PDPO would provide responsible authorities, such as the AITI, with regulatory and enforcement powers to adequately enforce the PDPO. Such powers include powers of investigation, imposition of penalties and directions, as well as the introduction of an appeal mechanism for individuals and a right to private action.

The responsible authority may, following a complaint or with its own motion, conduct an investigation to determine whether an organisation or person is in compliance with the PDPO. Such investigatory powers include, among other things (section 6.2 of the public consultation paper):

• requiring an organisation, by written notice, to produce any specified documents or information;
• by giving at least two working days' advance notice of intended entry, entering into an organisations' premises without a warrant; and
• obtaining a search warrant to enter an organisation's premises and taking possession of, or removing, any document.

The imposition of fines envisaged under the PDPO establish that an offence may be liable to a fine not exceeding BND 10,000 (approx. €6,700) and/or imprisonment not exceeding 12 months for individuals, or a fine not exceeding BND 100,000 (approx. €67,000) in any other case (section 6.3.1 of the public consultation paper) where:

• an organisation or person who with intent avoids an access or correction request disposes of, alters, falsifies, conceals, or destroys a record containing personal data or other information;
• obstructs or hinders the responsible authority or an authorised officer in the exercise of their powers or performance of their duties under the PDPO; or
• knowingly or recklessly makes a false statement to the responsible authority, or knowingly misleads or attempts to mislead the responsible authority.

In the case of neglect or refusal to comply with an order made by the responsible authority, or without reasonable excuse neglect or refusal to provide any information or produce any document specified in a written notice, a person may be guilty of an offence, punishable by a fine of up to BND 10,000 (approx. €67,000) and/or, imprisonment of up to 12 months (section 6.3.2 of the public consultation paper).

In addition, in the feedback response paper, the AITI noted that where an organisation has intentionally or negligently contravened the data protection provisions of the PDPO, the responsible authority may issue a fine of 10% of the annual turnover of the organisation in Brunei Darussalam, and in any other case a fine of BND 1 million (approx. €670,000) (whichever is higher) where the contravention is committed by an organisation whose annual turnover in Brunei Darussalam exceeds BND 10 million (approx. €6,700,000) (sections 4.2 and 6.3.1 of the feedback response paper).

Conclusion

The public consultation paper and the feedback response paper have set out a comprehensive and strict regime for data protection within Brunei Darussalam. Previously Brunei Darussalam had minimal requirements and consideration in this field.

Several rights and obligations proposed mirror those that exist in other jurisdictions, although notable differences exist. Brunei Darussalam and the AITI have noted that further guidelines and advisories will be established prior to the full enforcement of the PDPO, therefore we expect to see more regulatory action within coming months in this jurisdiction.

Theo Stylianou Privacy Analyst
[email protected]