1 April 2014, J. Shamesh

Personal data protection in Malaysia

The long wait is finally over. The Personal Data Protection Act (PDPA) in Malaysia, which was introduced in 2010, came into force on November 15, 2013, and data users were given until February 15 this year to notify the PDP commissioner of the details of any personal data they hold. The act is Malaysia’s first specific legislation relating to personal data and reflects a commitment made by the government to put in place a suitable and enforceable legal framework to protect the interests of consumers and the public at large.

The PDPA was enacted to regulate the processing of personal data in commercial transactions. A commercial transaction is any transaction of a commercial nature, whether or not it is contractual. However, companies or corporations registered under the Credit Reporting Agencies Act 2010 are excluded from the PDPA.

Protection of privacy has been a global concern due to the rapid growth of information and communications technology.

US president Barack Obama, in his election campaign, said:

“The open information platforms of the 21st century can also tempt institutions to violate the privacy of citizens. Dramatic increases in computing power, decreases in storage costs and huge flows of information that characterise the digital age bring enormous benefits, but also create risk of abuse. We need sensible safeguards that protect privacy in this dynamic new world.”

The PDPA requires companies and corporations that handle consumers’ personal data in commercial transactions, known as data users, to notify the data subjects and obtain their agreement to the collection and processing of the information; existing data users were given three months from the enforcement date to do so. The Personal Data Protection Regulations 2013 require the data user to obtain consent from a data subject for the processing of personal data, and the burden of proving that such consent was given lies with the data user.

The most important feature of the act is its consent requirement. A data user, defined as a person who, either alone or jointly or in common with others, processes any personal data or has control over or authorises the processing of any personal data (a data processor acting on a data user’s behalf is not itself a data user), must obtain consent from the data subject before using the personal data for commercial purposes.


The PDPA describes seven broad principles:

• The general principle: the data user must process data only with the consent of the data subject;

• The notice and choice principle: the data user must inform the data subject that his or her personal data is being processed, for what purposes, and that he or she has the right to request access to the data and to have it corrected;

• The disclosure principle: closely tied to consent and reasonableness. Personal data may be disclosed only for the purpose for which it was collected (or a directly related purpose) and only to the parties the data subject was told about at the time of collection;

• The security principle: the data user must take practical steps to protect personal data from loss, misuse, modification, and unauthorised or accidental access, disclosure, alteration or destruction. In deciding what is practical, the data user must consider the nature of the data and the harm that a breach would cause, where the data is stored, the security measures built into the equipment that holds it, the reliability of the personnel who have access to it, and the security of any transfer of the data;

• The retention principle: personal data must not be kept longer than is necessary to fulfil the purpose for which it was processed, and the data user must take reasonable steps to destroy or permanently delete it once that purpose has been served;

• The data integrity principle: the data user must take reasonable steps to ensure that the personal data it holds is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it was collected; and

• The access principle: allows the data subject to request access to his or her personal data from the data user, and to have incorrect personal data corrected. The data user may refuse such a request, but must give the data subject written reasons for the refusal within 21 days.

A data user who contravenes any one of these principles, and is found to have committed an offence, faces a fine of up to MYR300,000 ($92,000) or imprisonment for a term of up to two years, or both.

It is my view that the security principle is the most important of the seven, because the risk of a security breach is unpredictable and can materialise at any time.

The PDPA does not have an explicit data breach notification clause but, in the event of a breach, the data subject can ensure the data user addresses it and mitigates it through an appraisal of the seven data protection principles.

Personal data cannot be transferred to a place outside Malaysia unless such a place has been specified by the relevant minister. However, there are circumstances in which personal data can be transferred, for example for the performance of a contract between the data subject and the data user or for the purpose of legal proceedings.

The PDPA also makes registration compulsory for data users in 11 specified classes of business, ranging from communications to transportation (airlines in particular), education, direct selling, and professional services such as legal, audit, accountancy, engineering and architecture.

An individual or relevant person may make a complaint in writing to the commissioner about an act, practice or request. Upon receiving a complaint under Section 104 of the PDPA, the commissioner can carry out an investigation of the relevant data user to ascertain whether the act, practice or request specified in the complaint contravenes the provisions of the PDPA. Corporate liability is up to MYR500,000 ($153,000) or imprisonment for up to three years, or both.

The PDPA is good legislation for the protection of personal data in Malaysia, although there is room for improvement, especially in the relationship between employer and employee and in the context of closed circuit TV surveillance.

J. Shamesh holds a law degree from the University of London and is a certified arbitrator. He was admitted to the Malaysian bar more than a decade ago and his practice has a corporate and litigation flavour, specialising in areas including IP and carriage by air and sea.
