Personal Data Privacy in Malaysia: An Introduction
by Jason Yong Kok Yew ~ 28 November 2020
Contributed by Jason Yong Kok Yew (Email: yky@thomasphilip.com.my)
Do you remember that one episode of Black Mirror called ‘Shut Up and Dance’?
In it, hackers spied on users through their computer webcams, collected ‘personal’ data and then blackmailed them with it. We won’t spoil anything (though you absolutely should watch it), but the point is that in an increasingly online world, the concept of ‘personal data’ requires increasing safeguards.
How does Malaysia’s legal framework help to protect your personal data, if at all?
Malaysia’s General Approach to Data Privacy
The right to privacy is a fundamental right enshrined in Article 12 of the Universal Declaration of Human Rights (“UDHR”), which states:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Although Malaysia, as a member of the United Nations, has affirmed that it will promote the human rights concepts articulated under the UDHR, the right to privacy is not explicitly provided for in our Federal Constitution. Thankfully, the Federal Court in Sivarasa Rasiah v Badan Peguam Malaysia & Anor [2010] 3 CLJ 507 held that our right to personal liberty under Article 5(1) of the Federal Constitution also includes the right to privacy.
Enter the PDPA
In terms of the law, we have the Personal Data Protection Act 2010 (“PDPA”) which came into force on 15 November 2013. This is the main (read: only) legislation relating to data privacy in Malaysia, and is supported by the Personal Data Protection Regulations 2013 (“PDPR”) and the Personal Data Protection Standards 2015 (“PDPS”).
In general, the PDPA seeks to regulate any person who processes any ‘personal data’ in respect of ‘commercial transactions’.
To better explain how the framework of the PDPA, PDPR and PDPS works, we’re going to use an analogy. Let’s say Nook Inc. is a company incorporated and based in Malaysia, and Blathers is interested in a ‘deserted island getaway package’ that it is offering. Would the PDPA apply to this situation, and if yes, what are Nook Inc.’s obligations?
‘Personal Data’
Firstly, it is clear that some form of ‘personal data’ will have to be collected and processed by Nook Inc. For instance, Blathers’ name, NRIC, and passport details will have to be collected and recorded by Nook Inc. for administrative purposes. This would fall under the definition of ‘personal data’ under the PDPA, which covers information which is recorded and which relates directly or indirectly to an individual “who is identified or identifiable from that information or from that and other information in the possession of Nook Inc.”
What this rather long definition means is that Blathers’ information is considered ‘personal data’ if that information can be used to identify him, whether directly or indirectly. This includes the usual notions of what is considered ‘personal data’, such as Blathers’ name and NRIC. However, it also includes information like Blathers’ address, which on its own may be insufficient to identify him, but which may be combined with other information (such as his photograph) to identify him.
Sensitive Personal Data
There is a further categorisation of personal data called ‘sensitive personal data’, which includes information as to an individual’s physical or mental health or condition, her political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of any offence, or any other personal data determined by the Minister.
If Nook Inc. collects and processes Blathers’ sensitive personal data, then it is subject to more stringent safeguards. For instance, sensitive personal data should not be processed at all unless it is necessary (such as in connection with employment, to protect the vital interests of the data subject or another person, or for medical purposes).
A Commercial Transaction
It also seems clear that this ‘deserted island getaway package’ can be considered a ‘commercial transaction’, as Nook Inc. will be charging a fee as consideration for transporting Blathers to the deserted island and helping him get set up there. The PDPA defines a ‘commercial transaction’ as one which is:
“of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance…”
However, there is no exhaustive list, so it seems that we will have to rely on the Courts, via case law, to define the outer limits of what is considered a ‘commercial transaction’.
Further, the Personal Data Protection (Class of Data Users) Order 2013 (as amended by the Personal Data Protection (Class of Data Users) (Amendment) Order 2016) sets out certain classes of data users which are required to be registered with the Personal Data Protection Commission (“PDPC”). As Nook Inc. is in the ‘tourism and hospitalities’ industry, this further indicates that the ‘deserted island getaway package’ offered by it should fall under the ambit of the PDPA.
The other classes of data users which must be registered with the PDPC include communications, banking and financial institutions, insurance, health, transportation (airlines), education, direct selling, services (specific service providers only), real estate, utilities, pawnbrokers, and moneylenders.
The Personal Data Protection Principles
Now that we’ve established that Nook Inc. is subject to the PDPA, we turn to the obligations it must comply with. The PDPA sets out 7 personal data protection principles which Nook Inc. must comply with when processing Blathers’ personal data:
General Principle
Nook Inc. cannot process Blathers’ personal data unless Blathers has given consent. However, this does not apply under any one of the conditions exempted under the PDPA, e.g. where the processing is necessary for the performance of a contract to which Blathers is a party, to protect Blathers’ ‘vital interests’, or for the administration of justice.
Notice & Choice Principle
Nook Inc. must inform Blathers by written notice about how Nook Inc. will process his personal data. Section 7 of the PDPA lists out specific types of information which must be included in the written notice, for example:
- The fact that Blathers’ personal data is being processed;
- A description of the data collected and the purpose(s) for which it is to be collected;
- Blathers’ right to request access and to correct his personal data; and
- The class of third parties to whom Blathers’ personal data may be disclosed.
This notice must be in both Bahasa Malaysia (BM) and English, and Blathers must be provided with a clear and readily accessible means to exercise his choice.
Disclosure Principle
Nook Inc. cannot disclose Blathers’ personal data beyond the scope to which Blathers has already consented. If Nook Inc. wants to disclose Blathers’ personal data further (e.g. by disclosing Blathers’ personal data to Dodol Airlines while arranging for Blathers’ flight to the deserted island), then fresh consent will have to be obtained.
Security Principle
Nook Inc. must take ‘practical steps’ to protect Blathers’ personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction by deploying the necessary security measures to protect personal data. The specific guidelines on the measures to be taken are set out in further detail in the PDPS.
Retention Principle
Nook Inc. shall not keep Blathers’ personal data for longer than is necessary for the fulfilment of its purpose. It shall be Nook Inc.’s duty to ensure that all of Blathers’ personal data is destroyed or permanently deleted if it is no longer required for the purposes for which it was to be processed.
Data Integrity Principle
Nook Inc. must also take ‘reasonable steps’ to ensure that personal data in its possession is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it was collected.
Access Principle
Nook Inc. must also ensure that Blathers has the right to access his personal data and is able to correct his personal data where it is inaccurate, incomplete, misleading or not up to date.
If Nook Inc. fails to observe these principles, Nook Inc. will be liable on conviction to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years, or both.
Enforcement
If Nook Inc. has breached the PDPA in any way, then Blathers can make a complaint to the PDPC. The PDPC will then investigate the matter and, if it deems necessary, refer the matter for prosecution. Unlike the Companies Commission of Malaysia, which is the governing authority of Malaysian companies, the PDPC does not appear to have any right to impose fines: s. 134 of the PDPA provides that no prosecution for an offence under the PDPA shall be instituted except by or with the written consent of the Public Prosecutor.
Any person who is aggrieved by the Commissioner’s decision can appeal to the Appeal Tribunal. Examples of appealable decisions include decisions relating to the registration of a data user, the refusal of the Commissioner to carry out or continue an investigation initiated by a complaint, and the failure of a data user to comply with a data access request or data correction request.
Limitations of the PDPA
Although Malaysia was one of the first countries in the Southeast Asia region to have a data privacy protection law in place, there remains a significant lack of enforcement of the PDPA.
In October 2017, Malaysia faced one of the country’s largest telco data leaks, in which the personal data of 46 million mobile phone accounts was compromised. A study carried out in October 2019 by the British tech company Comparitech also ranked Malaysia the 5th worst out of 47 countries, with a rating of 2.64 out of 5 points, in terms of data protection.
More than 6 years after the PDPA came into force, the need for a more comprehensive and adequate data privacy law is becoming more apparent, as the PDPA has several limitations:
- It has a limited scope of applicability: the PDPA does not protect personal data beyond that processed for the purposes of a ‘commercial transaction’.
- It grants a blanket exemption to the Government: the PDPA does not apply to the State and Federal Governments, which are probably the biggest data processors in the country.
- It does not cover data processed outside of Malaysia: unlike the General Data Protection Regulation (“GDPR”) in the European Union (EU), which applies extraterritorially to cover personal data located within and outside the EU, the PDPA does not apply outside of Malaysia. This is a loophole, considering that larger-scale data breaches often involve cross-border elements.