In Malaysia, the Personal Data Protection Act 2010 (PDPA) is a law that governs the management of personal data. The enactment aims to secure individuals’ privacy and ensure that personal data is collected, used, and disclosed in a lawful and transparent manner.
The PDPA applies to all organizations that collect, use, or disclose personal data in Malaysia. This includes businesses, government agencies, and non-profit organizations.
What does PDPA 2010 include?
The PDPA sets out seven principles that organizations must follow when collecting, using, and disclosing personal data. These principles are:
- Lawfulness: Personal data must be collected, used, and disclosed in accordance with the law.
- Fairness and transparency: Individuals must be informed about the collection, use, and disclosure of their personal data.
- Purpose limitation: Personal data must only be collected for specific, lawful, and explicitly stated purposes.
- Data minimization: Only the personal data that is necessary for the purpose for which it is being collected must be collected.
- Accuracy: Personal data must be accurate and up-to-date.
- Storage limitation: Personal data must be kept for no longer than is necessary for the purpose for which it is being collected.
- Integrity and confidentiality: Personal data must be protected against unauthorized access, use, disclosure, alteration, or destruction.
- Accountability: Organizations must be accountable for the personal data that they collect, use, and disclose.
The PDPA gives individuals certain rights with respect to their personal data. These rights include:
- The right to access their personal data.
- The right to correct their personal data.
- The right to object to the processing of their personal data.
- The right to be forgotten.
The PDPA is enforced by the Malaysian Communications and Multimedia Commission (MCMC). The MCMC can take enforcement action against organizations that breach the PDPA, such as issuing a warning, imposing a fine, or suspending or revoking the organization’s license.
Examples of how the PDPA applies to business operations:
- A business that collects personal data from its customers must obtain their consent before doing so.
- A company that uses personal data for marketing purposes must give its customers the opportunity to opt out of receiving marketing communications.
- Businesses must safeguard personal data stored with them against unauthorized access, use, or disclosure.
- A company that suffers a data breach must notify the affected individuals and the MCMC within 72 hours of becoming aware of the breach.
Is PDPA 2010 Effective?
The PDPA 2010 has been deemed outdated and ineffective since its implementation on 15th November 2013. The limitations raised include:
- It does not apply to all organizations. The PDPA only applies to organizations that collect, use, or disclose personal data in commercial transactions. This means that the PDPA does not apply to organizations that collect, use, or disclose personal data for non-commercial purposes, such as government agencies and non-profit organizations.
- It does not cover all types of personal data. It only covers personal data that is processed in electronic form. Data collected by other means, such as on paper forms, is not covered by the PDPA. This falls short of the standard expected by companies with a high-level information security policy.
- It provides no criminal penalties. Only civil penalties apply for non-compliance, so organizations whose PDPA violations relate to cybercrime activity such as financial fraud cannot be prosecuted under it.
- It is difficult to enforce. The PDPA is limited to Malaysians’ data stored within Malaysia; as more and more companies move to the cloud, data stored abroad makes overseas enforcement difficult.
- The definition of “personal data” is not clearly specified. This can make it difficult for organizations to determine whether the data they collect is subject to the PDPA’s regulation.
- It does not provide clear guidance on how organizations should comply with the PDPA. The PDPA provides only general principles on how to protect personal data; it is left to each organization’s own understanding to devise a method of complying with the PDPA, which can lead to uncertainty and confusion among organizations.
Two recent data breaches were highlighted by Assoc. Prof Dr Selvakumar Manickam from Universiti Sains Malaysia. One involved the sale of data belonging to 22.5 million Malaysians obtained from the National Registration Department’s MyIdentity API. The other involved 802,259 Malaysians’ data obtained from the Election Commission website. He has suggested that the current PDPA 2010 is outdated and inadequate to protect Malaysians’ privacy. (source: https://www.thesundaily.my/home/pdpa-outdated-and-toothless-say-experts-XE9336473)
Both cases turned out to be outside the PDPA’s jurisdiction because they occurred in government systems and did not involve a commercial transaction.
Latest Development of PDPA 2010
Recognizing these limitations, the Minister of Communications and Digital, Fahmi Fadzil, has recently announced to the press that amendments to the PDPA are underway. The proposed amendments include:
- Increased penalties: The maximum fine for non-compliance with the PDPA would be increased from RM500,000 to 10% of the organization’s annual turnover, whichever is higher.
- Mandatory notification of data breaches: Organizations would be required to notify the PDPC of any data breaches within 72 hours of becoming aware of the breach.
- New obligations for data processors: Data processors, which are organizations that process personal data on behalf of other organizations, would be subject to the same obligations as data controllers.
- New rights for individuals: Individuals would have new rights, such as the right to be informed about the processing of their personal data and the right to object to the processing of their personal data for direct marketing purposes.
While this seems to be an improvement on the PDPA 2010, it is still unclear whether all the loopholes and limitations are addressed in the amendment. Several questions remain unanswered at this stage, for example:
- Are CyberSecurity Malaysia (CSM), the National Cyber Security Agency (NACSA), or any cybersecurity experts involved in the development of the new PDPA?
- Do the definitions of data processor and data controller also include entities such as government agencies and not-for-profit organizations?
- Instead of increasing the penalty, is there a plan to improve enforcement powers?
- Have a clear definition and guidelines been developed for organizations to comply with?
- Does the PDPA also regulate overseas entities that collect Malaysians’ data?
With rising awareness of the importance of personal privacy, a mature and comprehensive PDPA helps Malaysian companies stay competitive both locally and globally. Periodic review and amendment of the current act is therefore always necessary.