On 4 October 2018, Malaysia’s Communications and Multimedia Minister Mr. Gobind Singh Deo announced that Malaysia will review the Personal Data Protection (PDP) Act 2010 (PDPA) as Malaysia “needs to be on par with global legislation on data protection”. The Minister hinted that the updated PDPA “could be modelled after the European Union’s (EU) General Data Protection Regulation (GDPR)” and added that the Ministry is looking to work with other ASEAN countries to develop a framework on data protection.
Expand the Scope of PDPA
Whilst the move to update PDP laws is welcomed, amendments to the PDPA should address current limitations. It is recommended to expand the scope and applicability of the PDPA e.g.:
- expanding the definition of “personal data” to include non-commercial transactions as such information has an equal need of protection;
- extending the applicability of the PDPA to the Federal and State Governments, as the PDPA in its current form applies to neither;
- subjecting credit reporting agencies to the PDPA in addition to the Credit Reporting Agencies Act 2010; and
- expanding the territorial scope of the PDPA to apply to controllers and processors of personal data in Malaysia (regardless of whether processing takes place locally or abroad) and to foreign controllers or processors who process personal data of Malaysians; and
- making the PDP Commissioner answerable directly to Parliament, thereby becoming an independent supervisory authority from the government to enforce the PDPA.
Introducing new elements to PDPA
To have an effective data protection regime, new elements should be added to the PDPA e.g.:
- mandating the appointment of data protection officers (DPOs) for controllers and processors whose core activities consist of regular processing and monitoring of data subjects;
- setting up and regulating professional certification, training & examination of DPOs;
- giving data subjects the right to enforce protected rights directly in the courts and to pursue civil redress and compensation in cases of breach of privacy, as no such rights exist in the current PDPA; and
- establishing a Do-Not-Call Registry, as Singapore has done, since Malaysians continue to receive a large volume of spam messages on a daily basis.
Reinforcing data subject rights, amongst others, to include the following:
- breach notification: data subjects to have a right to be notified of any data breach;
- right to access: data subjects to have the right to obtain confirmation from the data controller whether their personal data is being processed, where and for what purpose; and
- right to be forgotten: data subjects to have the right to be forgotten if consent is withdrawn or if the processing of personal data is no longer relevant to the original purpose.
Enforcement of PDPA
On the enforcement of PDPA, the Ministry and the Commissioner should work towards a robust enforcement of PDPA provisions, especially on the following matters:
- ensuring the classes of data users under PDP (Class of Data Users) Order 2013 are duly registered with the Commissioner;
- gazetting the whitelist of countries to which personal data can be transferred; and
- taking stricter enforcement actions against controllers and processors in cases of breach of privacy.
PDP framework beyond Malaysia
Enhancing the PDPA and establishing the right legal infrastructure for PDP are key to Malaysia’s preparation for Industry 4.0 and the digital economy. It will also enable Malaysia to play a leading role in ASEAN’s implementation of ICT Masterplan 2020.
Malaysia can contribute to ASEAN’s development on PDP by moving beyond the 2016 ASEAN Framework on PDP by recognising the right to privacy which is found in Article 21 of ASEAN’s 2012 Human Rights Declaration.
On the APEC front, Malaysia should consider participating in the APEC Cross-Border Privacy Rules System (which focuses on cross-border data transfers) to boost e-commerce growth. It is worth noting that on 7 March 2018, Singapore became the sixth participant in this system, joining Canada, Japan, Korea, Mexico and the United States of America.
As for the EU, Malaysia should engage the EU to recognize each other’s data protection systems as being “equivalent”. Having an EU adequacy decision will enable personal data to flow from the European Economic Area (i.e. the EU Member States, Norway, Liechtenstein and Iceland) to Malaysia without being subject to any further safeguards or authorizations. On this front, on 17 July 2018, the EU and Japan agreed to recognize each other’s data protection systems as “equivalent”, and both parties will adopt reciprocal adequacy decisions.
From amendments to the PDPA to policy-level changes, new minister Gobind Singh Deo has his work cut out for him and the Ministry. Whatever changes are made to the PDPA, it is hoped that such changes will be on par with international standards.