
A new regime: Malaysia’s Data Protection Act

On Nov. 15 last year (2013), Malaysia’s much anticipated Personal Data Protection Act (PDPA) took effect, almost one year after it was originally planned to be enacted and three years after it was finalised. The PDPA safeguards the personal data of individuals (data subjects) in respect of commercial transactions. Individuals or organisations that process personal data (data users) have three months to register under the Act and comply with its provisions. But three months may not be long enough for all affected parties to comply, and several companies have expressed concern about grey areas in the PDPA. The government is expected to release rules and regulations that will clarify how the law is to be implemented. While data users who do not comply with the PDPA by Feb. 15 will be subject to enforcement action, the PDPA commissioner has made it clear that the top priorities for now are education and the registration of data users.


Key components

“The introduction of the PDPA has filled a void because we have been waiting for this for some time, and because other jurisdictions around Malaysia already have their own data protection laws,” says Norhisham Bahrin, a partner at Azmi & Associates in Kuala Lumpur. “It is important to note that this act does not restrict the collection of data. Instead, it regulates how data users should deal with the personal data they collect,” says Bahrin.

Personal data refers to any information in respect of commercial transactions that relates to a data subject who is identifiable from that information, or from that information together with other information in the data user’s possession. Examples include an individual’s name, gender, date of birth, address and telephone number. Sensitive personal data, such as information about a person’s health, political opinions or religious beliefs, requires the explicit consent of the data subject. The PDPA generally prohibits the processing of personal data – defined in the Act to include the collection, recording, storing, use and dissemination of personal data – without the consent of the data subject. There are exceptions where the processing is necessary for legal obligations and for certain contractual purposes. The Act also sets out seven principles governing how data users must process personal data: the general, notice and choice, disclosure, security, retention, data integrity and access principles.

Businesses and individuals that fall under a list of 11 categories – which includes banks and financial institutions, and insurance, communications and utilities providers – are required to register as data users under the Act before Feb. 15, and have to pay an annual fee, says Tong Lai Ling, a partner at Raja, Darryl & Loh in Kuala Lumpur.

The Act also addresses the cross-border transfer of personal data. Section 129 of the PDPA prohibits the transfer of personal data outside Malaysia unless it is to a country on a list gazetted by the Minister on the recommendation of the commissioner, says Tong.
“The gazette does not have any recommended countries at the moment. However, I must caveat that to say as long as you get consent from the data subject, then one can still transfer data outside Malaysia,” says Tong.


Compliance concerns

The PDPA, which draws on the UK’s Data Protection Act 1998 and the EU’s Data Protection Directive 1995, has been warmly received, but some practitioners point out that the Act falls short in a few areas. “One main point is that the Act does not apply to the Malaysian government at the federal and state level, and therefore, they do not need to comply with the Act,” says Tong. “This is quite different from other jurisdictions like the UK, Hong Kong and Singapore, where the government is included under their data protection laws.”

For Khairul Fazli Abdul Kadir, a partner at Azmi & Associates in Kuala Lumpur, the omission of the government from the Act is no surprise. “The purpose of the PDPA is to protect the data subject, amongst others, from commercial exploitation of their personal data. When it comes to the government, it is pertinent for them to be allowed to use the personal data of the data subject to effectively perform their obligations. They are not using the personal data for commercial exploitation, but rather to perform the function of the government,” says Kadir.

Some data users, too, have expressed concern over certain provisions, especially the requirement to obtain explicit consent from data subjects, which they argue can be very difficult in practice. “Suppose you had obtained sensitive personal data from people you employed in the past, but they have since left the company. Now you have to get consent from ex-employees who may or may not still be at the address that they were at before. In the case of an insurance company, for example, it includes people who have not renewed their policy. They collect a lot of data in terms of the data subjects’ health, so the insurers have to obtain explicit consent,” says Tong.

Another challenge for data users is complying with the PDPA’s provisions before the Feb. 15 deadline. Non-compliance can result in fines of up to 500,000 ringgit ($150,000) and up to three years’ imprisonment, depending on the offence.

Lawyers and businesses alike have questioned whether the three-month window allows enough time to comply with the Act. “Given the number of companies that are dealing with a lot of data in their daily operations, I am not sure whether this three-month period is sufficient time for all these companies to comply,” says Kadir. However, it is highly likely that the PDPA commissioner and the Malaysian government are more concerned with the registration process right now than with clamping down on companies that fail to comply, says Kadir. “The primary focus of the Malaysian government at this stage is to make sure that the data users required under the PDPA register themselves with the PDPA commissioner first. Enforcement will come later,” he adds.


New guidelines imminent

While several data users have pointed to shortcomings in the Act, practitioners are quick to emphasise that the PDPA is new in Malaysia, and that rules and regulations will be introduced gradually to supplement its implementation. “Data users need quite a bit of clarity in certain areas, and I think that further clarifications will come by way of codes of practices and guidelines,” says Tong.

For his part, Bahrin of Azmi & Associates says that it is hard to gauge what the shortcomings of the PDPA are at this point, and that any weakness will only become clear once the Act is properly implemented. “Take the European Data Protection Directive for example, which was drafted in 1995. This piece of legislation had to be amended to accommodate the changes to keep up with the growth in internet technology, so any shortcomings in the Act will only be known and rectified as it progresses along. In Malaysia, the Act is very new, so we need at least one or two years to see where the holes are, and what kind of action needs to be taken to enhance the Act,” says Bahrin.


Implementation is key

In the meantime, the PDPA commissioner is holding educational briefings with those affected by the Act. While law firms are among the businesses required to register as data users, many are also actively involved in educating the market and their clients. “Since Nov. 15, a lot of legal firms, including ours, have received many queries from our clients, as well as requests to provide services to ensure that their operations are PDPA compliant,” says Azmi & Associates’ Kadir.

Raja, Darryl & Loh’s Tong says the firm has been giving educational briefings and advice on setting up compliance procedures for clients. “But in some areas of course, no one knows the answer because the Act is so new, so we can only rely on precedents in other jurisdictions like Hong Kong and the UK,” says Tong.

It is clear that companies will need to invest considerable time and resources to comply with the Act, and educational briefings, coupled with an open dialogue with the PDPA commissioner, will help businesses understand which procedures to follow. Ultimately, however, the PDPA’s success will hinge on how it is implemented and, in due course, how effectively it is enforced. “We are eager to see how the law will be implemented by the government,” says Kadir. “We are happy to have this Act in place, but we also hope that, at the end of the day, it will be enforced in such a way that the purpose of introducing this Act can be met.”

Bahrin agrees: “It all comes down to the implementation of the law. The government can introduce a law to help the market perform in a more efficient manner by regulating how data is protected. At the end of the day it comes down to the stakeholders to play their respective roles.” For businesses that process personal data, the role is clear: Register under the Act. Law firms too must register, but also bear the responsibility of advising clients and educating the market to ensure that data users are in full compliance with the PDPA. “Malaysia is abuzz with interest right now … the market is there for legal firms to grow and grasp,” says Bahrin.

The PDPA requires businesses and individuals under the following 11 classes to register as data users:
• Communications
• Banking and financial institutions
• Insurance
• Health
• Tourism and hospitality
• Transportation
• Education
• Direct selling
• Services (including legal, audit, accounting, engineering, architecture)
• Real estate
• Utilities

Data users in these categories have to register by Feb. 15 and pay an annual fee.
