Financial Crime World

Here is the converted article in markdown format:

Data Protection Regime Takes Shape in Brunei Darussalam

In a move aimed at strengthening data protection laws in Brunei Darussalam, the Personal Data Protection Ordinance (PDPO) has been proposed to provide individuals with greater control over their personal data. The PDPO is expected to introduce several key rights and obligations for organisations handling personal data.

Rights and Obligations

Right to Access

Individuals will have the right to access their personal data held by an organisation, including requesting correction of any errors or omissions. Organisations must provide the requested information in a timely manner, unless exceptions apply.

Rectification and Erasure

Individuals will also have the right to request rectification of incorrect data or erasure of data that is no longer necessary for the purpose for which it was collected. Organisations must comply with such requests, unless exceptions apply.

Right to Data Portability

The PDPO proposes a right to data portability, allowing individuals to request their personal data be transferred to another organisation under certain circumstances. However, following public feedback, the Authority for Info-communications Technology and Industry of Brunei Darussalam (AITI) has decided to exclude this right from the PDPO, citing concerns over regulatory burden and clarity on the scope of “applicable data”.

Do Not Call Regime

Similarly, a Do Not Call (DNC) regime was initially proposed but later excluded due to concerns over high costs associated with its establishment and operation.

Enforcement Powers

The PDPO will grant responsible authorities, such as AITI, powers of investigation, imposition of penalties, directions, and an appeal mechanism for individuals. These powers include the ability to:

  • Conduct investigations
  • Require organisations to produce documents or information
  • Enter premises without a warrant
  • Imposition of fines and imprisonment

Fines and Penalties

The PDPO proposes fines not exceeding BND 10,000 (approximately €6,700) and/or imprisonment not exceeding 12 months for individuals who intentionally avoid access or correction requests. Organisations that contravene data protection provisions may face fines of up to 10% of their annual turnover in Brunei Darussalam.

Conclusion

The proposed PDPO aims to provide a comprehensive regime for data protection in Brunei Darussalam, introducing several key rights and obligations for organisations handling personal data. While some aspects have been excluded due to public feedback, the ordinance is expected to significantly strengthen data protection laws in the country. Further guidelines and advisories are anticipated before full enforcement of the PDPO.

Contact

Theo Stylianou Privacy Analyst [Email Address]