Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020
DFDL’s William Greenlee sets out the data protection regulatory framework in Malaysia and its recent developments.
During these daunting days of widespread economic disruption and global pandemic, many governments are striving to strike a balance between promoting a vibrant local business environment, ensuring adequate cyber-security, and protecting people’s personal data. This article sets out the data protection regulatory framework in Malaysia and its recent developments.
Overview of the regulatory framework
The Malaysia Personal Data Protection Act 2010 (“Malaysia PDPA”) is the principal legislation regulating personal data in Malaysia. Subject to prescribed exceptions, the Malaysia PDPA applies to any person who processes, has control over, or authorises the processing of any personal data in respect of commercial transactions.[1] Any information processed for credit reporting activities is carved out and separately regulated under the Malaysian Credit Reporting Agencies Act 2010.
Categories of Protected Data
The Malaysia PDPA regulates two categories of data.
- Personal data is information which relates directly or indirectly to an individual who is identifiable from that information, or from that information together with other information in the data user’s possession. For personal data (not including sensitive personal data), explicit consent is not required, provided that the consent obtained from the individual can be recorded and maintained by the data user.
- Sensitive personal data is regulated more closely and is currently limited to personal data relating to a data subject’s health, political views, religious beliefs, criminal record, or alleged commission of any offence. The processing of sensitive personal data requires data subjects’ explicit consent.
The Malaysia PDPA regulates the processing of personal data by requiring a data user to comply with seven principles (“Processing Principles”).
- General Principle: Unless any exceptions under the Malaysia PDPA apply, a data user cannot process personal data without obtaining the subjects’ consent.
- Notice and Choice Principle: The Malaysia PDPA prescribes eight mandatory matters of which the data user must inform a data subject by written notice. Such a notice must be given in English and the local language.
- Disclosure Principle: A data user must limit disclosure of the personal data to the purpose of which the data subject was informed at the time of collection and to which the data subject consented.
- Security Principle: Practical steps must be taken by a data user to safeguard the personal data from any loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction.
- Retention Principle: A data user must not retain personal data for longer than is necessary to fulfil the purpose for which it was collected.
- Data Integrity Principle: A data user must take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date.
- Access Principle: The data subject has the right to access his or her personal data and to correct such data held by the data user where it is inaccurate, incomplete, misleading, or not updated.
Failure to adhere to any of the Processing Principles is an offence under the Malaysia PDPA, and can result in fines of approximately US$24,000 to US$120,000 and a term of imprisonment of up to three years.
Transfer of personal data outside Malaysia is prohibited unless the transfer is made to a jurisdiction approved by the Minister[2] or where any of the specific exceptions prescribed under the Malaysia PDPA applies. The Commissioner published a consultation paper in 2017 seeking the public’s feedback on a draft whitelist of countries to which personal data may be transferred from Malaysia without having to rely on the exceptions. As of June 2020, the whitelist had yet to be approved.
The Processing Principles are akin to those in the 1995 EU Data Protection Directive. The regulator’s focus in the nascent years of the Malaysia PDPA has been on fostering awareness among businesses. The shift to enforcement action has only recently begun. The Commissioner has been conducting inspections in the form of “audits” at business premises to assess levels of compliance.
A consultation paper (“Paper”) was published in February 2020 to seek the public’s feedback on possible amendments to the Malaysia PDPA.[3] The Paper took the laws of various jurisdictions into consideration, including the Philippines, Singapore, Japan, and the EU.
Considering the fast-paced development of technology in recent years, the review of this legislation is a commendable effort. The proposals in the Paper, if passed, will completely change how businesses in Malaysia handle data, as they envisage a data protection standard that is much higher than the country’s current regime.
- [1] Personal Data Protection Act 2010, § 2.
- [2] Personal Data Protection Act 2010, § 129.
- [3] The Public Consultation Paper No. 01/2010 can be accessed on the official portal of the Department of Personal Data Protection at: https://www.pdp.gov.my/jpdpv2/assets/2020/02/Public-Consultation-Paper-on-Review-of-Act-709_V4.pdf.