Background

The AITI highlighted under its public consultation paper ('the Public Consultation Paper') that the PDPO was introduced to protect individuals' personal data, from private sector organisations that collect, use, disclose, or otherwise process such personal data for their purposes; and to facilitate cross-border flows of personal data, which will further the development of the digital economy in Brunei Darussalam (Part 1, Sections 1 and 2 of the Public Consultation Paper).

In particular, the AITI cited in its initial consultation paper that during the first waves of the COVID-19 pandemic, the handling of personal data from businesses and organisations had become irresponsible. Specifically, the AITI detailed that the security measures implemented were minimal to non-existent, noting that businesses had been able to leverage data collected from contact tracing for other purposes with any accountability or recourse for the individuals who were affected from such actions (Part 1, Section 2 of the Public Consultation Paper).

The PDPO

The PDPO aims to establish a comprehensive data protection regime that encompasses key definitions, scope of application, data protection principles, requirements for organisations, data subject rights, and investigatory as well as enforcement powers of the data protection authority. Although the wording of the PDPO has not been drafted and has not been made publicly available yet, the AITI sets out extracts from the legislature on what we can expect from the PDPO. Furthermore, AITI will act as the supervisory authority for enforcing and administrating all data protection regulations and laws (Part 1 and 2 of the Public Consultation Paper).

Definitions

According to the AITI under the PDPO, personal data will be defined as 'data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access to'. On the other hand, 'individual' means a natural person whether alive or deceased, with no differentiation between data that is true or false (Part 2, Section 3 of the Public Consultation Paper).

Notably, the PDPO applies to 'organisations', which is similarly to 'data controller' in most data protection regimes, while 'data intermediary' has a comparable meaning to 'data processor' (Part 2, Section 3 of the Public Consultation Paper).

Material scope

The material scope of the PDPO applies to all forms of personal data regardless of whether it is collected, processed, or stored through electronic or non-electronic means. Under the PDPO however, there is no distinction between types of personal data such as sensitive personal data, instead all obligations found under the PDPO apply to all types of data. However, the AITI noted that personal data with a more sensitive nature will require stricter standards of protection and safeguards, and that sector specific regulations may also apply (Part 2, Section 3.2 of the Public Consultation Paper).

Exceptions to the material scope of personal data include where personal data is used in a personal or domestic capacity, and where employees or individuals are acting in the capacity of their employment or appointment within an organisation – in this instance the organisation is still required to comply with the PDPO. Notably, business contact information, and deceased persons who have been deceased for over ten years also receive an exception to the PDPO. In addition to the abovementioned exclusions, the PDPO governs the processing of personal data in the private sector, with a specific exclusion for public agencies and bodies as the PDPO's main purpose is to provide consumers with recourse to the mishandling of their data by private organisations (Part 2, Section 3.4 of the Public Consultation Paper).

Moreover, in relation to the processing of the personal data of minors, the AITI confirmed that the PDPO will apply to the personal data of all individuals, including minors. For young children who are unable to give consent to organisations to collect, use, and disclose their personal data, organisations will need to obtain consent from the child's parent or legal guardian.

Territorial scope

The PDPO applies to all private sector organisations that collect, use, or disclose personal data in Brunei Darussalam, regardless of whether they are formed or recognised under Brunei law or whether they are resident, have an office, or a place of business within Brunei Darussalam. The AITI notes that under the envisioned territorial scope, organisations that are located overseas may still be subject to the PDPO as long as they collect, use, or disclose personal data in Brunei Darussalam (Part 2, Section 3.6 of the Public Consultation Paper).

Data protection obligations

Under the PDPO, the law establishes nine data protection obligations which provide legal bases, data subject rights, and data protection principles comparable to modern data protection regimes. Importantly, there are minor but notable differences and exceptions expected in PDPO. Below are the main obligations established under the PDPO and expected operation under the legislation (Part 2, Section 4 of the Public Consultation Paper):

The accountability obligation

The accountability obligation creates a requirement for organisations to appoint a data protection officer ('DPO') for handling compliance under the PDPO. The AITI clarified that the DPO may be a person within the organisation, or an outsourced third party service. A DPO does not need to be physically located within Brunei Darussalam, however they should be available to answer queries from data subjects who are resident in Brunei (Part 2, Section 4.5 of the Public Consultation Paper).

The consent obligation

The AITI notes that the manner in which consent may be given is not specifically prescribed; however, there are certain requirements in order to obtain valid consent (Part 2, Section 4.6 of the Public Consultation Paper).

In particular, the PDPO establishes that consent may be express or implied, therefore under the PDPO organisations may establish that deemed consent – which derives from implied consent ­– exists. The following may be used to establish deemed consent namely where (Part 2, Section 4.6.4 of the Public Consultation Paper):

• without giving express consent, the data subject has voluntarily provided their personal data, and that it would be reasonable for them to voluntarily provide the personal data;
• the collection of data is necessary for the conclusion of a contract; and
• an organisation notifies an individual of a new purposes of use for their data, and they have not objected to it after a reasonable opt out period of time.

The purpose limitation obligation

Purpose limitation under the PDPO provides that an organisation may collect, use, or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances (Part 2, Section 4.7 of the Public Consultation Paper).

The notification obligation

The notification obligation establishes a requirement to notify the data subject of the purposes for the collection, use, or disclosure of their personal data, and any other purpose that has not been notified to the individual prior to the use or disclosure. The AITI clarified that for consent to be considered valid, one of its requirements will be for the data subject to be notified of the purposes for which their personal data will be collected, used, and/or disclosed on or prior to the individual providing their consent (Part 2, Section 4.8 of the Public Consultation Paper).

The accuracy obligation

Under the accuracy obligation, organisations must make reasonable efforts to ensure that personal data collected is accurate and complete, if they are likely to use such personal data to make a decision that affects the individual concerned or disclose such personal data to another organisation. The AITI noted that it will publish supplementary guidelines on what constitutes 'reasonable efforts' for the purposes of the accuracy obligation. However where personal data is provided to an organisation by third parties, or an organisation has reasons to suspect that the personal data may be incorrect or outdated, the organisation should consider what other reasonable steps it needs to take to ensure accuracy of the data (Part 2, Section 4.10 of the Public Consultation Paper).

The protection obligation

The protection obligation establishes that an organisation must establish measures to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal, or other risks, and any loss of any type of stored personal data. The AITI notes that it will provide further guidance on what type of security, organisational, or technical measures are recommended to comply with the protection obligation (Part 2, Section 4.11 of the Public Consultation Paper).

The retention limitation obligation

The retention limitation establishes that personal data should be removed or deleted where it no longer serves the purpose for which it was collected. With further guidance on this obligation to come, the AITI noted that legal requirements that require the retention of personal data found in other legislation would not be a contravention of the PDPO (Part 2, Section 4.12 of the Public Consultation Paper).

The transfers limitation obligation

The transfer limitation obligation establishes that personal data may not be transferred to a country or territory outside of Brunei Darussalam, except where requirements prescribed by the PDPO ensure that the personal data will be accorded a standard of protection that is comparable to that under the PDPO. Moreover, specific requirements on cross-border transfer mechanisms will be introduced by the AITI in additional guidance (Part 2, Section 4.13 of the Public Consultation Paper).

The data breach notification obligation

The data breach notification ('DBN') obligation established under the PDPO will require organisation to notify the AITI without undue delay no later than three calendar days after a breach, whether the data breach will or is likely to result in significant harm to individuals who are affected, or if the breach is likely to be of a significant scale. The AITI clarifies that the 'significant harm' threshold attempts to ensure that only data breaches where there is a significant risk of harm are notified to the authorities and clarifies 'material harm' to individuals is not a necessity for the threshold to be met. Both 'significant harm' and 'significant scale' will be further clarified in guidelines by the AITI. Finally, for the DBN, an organisation should consider in the event of a breach the remedial actions that can be taken to rectify and prevent reoccurrence (Part 2, Section 4.14 of the Public Consultation Paper).

Conclusion

Importantly, the PDPO establishes exceptions for data intermediaries, such as where a data processor contract is in place, data intermediaries may be exempt from complying with obligations relating to the protection, retention, or transfer of personal data, or the notification of a data breach to a public authority.

In addition, it must be noted that the AITI emphasises it intends to issue advisory guidelines and other resources which will assist organisations in complying with the PDPO once the law is introduced. The enactment of the PDPO is aimed for the mid-2022, with a two-year grace period for organisations and data intermediaries to achieve compliance.

Part two of this series will provide further information on data subject rights under the PDPO, and enforcement powers including sanctions and orders that may be made by the supervisory authority or remedial actions that are given to consumers against organisations that violate their rights. Furthermore, the Insight will have a look at the Do Not Call regime under the PDPO.

Theo Stylianou Privacy Analyst
[email protected]