The Personal Data Protection Act 2010 (PDPA), which came into force on 15 November 2013, sets out a comprehensive cross-sectoral framework for the protection of personal data in relation to commercial transactions.
The PDPA was seen as a key enabler to strengthen consumer confidence in electronic commerce and business transactions given the rising number of cases of credit card fraud, identity theft and selling of personal data without customer consent. Before the PDPA, data protection obligations were spread out among certain sectoral secrecy and confidentiality obligations, while personal information was primarily protected as confidential information through contractual obligations or civil actions for breach of confidence.
The PDPA imposes strict requirements on any person who collects or processes personal data (data users) and grants individual rights to 'data subjects'. Enforced by the Commissioner of the Department of Personal Data Protection (the Commissioner), it is based on a set of data protection principles akin to those found in the Data Protection Directive 95/46/EC of the European Union (EU)2 and, for this reason, the PDPA is often described as European-style privacy law. An important limitation to the PDPA is that it does not apply to the federal and state governments.3
The processing of information by a credit reporting agency is also exempted from the PDPA. In the past, credit reporting agencies did not fall under the purview of any regulatory authority in Malaysia, drawing heavy criticism for inaccurate credit information reporting. The Credit Reporting Agencies Act 2010, which came into force on 15 January 2014, now provides for the registration of persons carrying on credit reporting businesses under the regulatory oversight of the Registrar Office of Credit Reporting Agencies, a division under the Ministry of Finance, which is charged with developing a regulated and structured credit information sharing industry.
The PDPA enumerates the security principle as one of its data protection principles. Under this principle, an organisation must ensure both technical and organisational security measures are well in place to safeguard the personally identifiable information that it processes. The ISO/IEC 27001 Information Security Management System (ISMS), an international standard, which deals with information technology systems risks such as hacker attacks, viruses, malware and data theft, is the leading standard for cyber risk management in Malaysia.
Sectoral regulators such as BNM and the Securities Commission Malaysia have also been actively tackling issues relating to cybersecurity in relation to their relevant sectors by issuing guidelines and setting standards for compliance (discussed in Section IX).
The intersection between privacy and cybersecurity also manifests in the extent of the tolerance for government surveillance activity: the PDPA does not constrain government access to personal data, as discussed in Section VI. The reasons given to justify broad government access and use include national security, law enforcement and the combating of terrorism.
II THE YEAR IN REVIEW
The most significant development that has affected and will continue to affect the legal landscape in Malaysia is the installation of a new federal government following the outcome of the Malaysian general elections held on 9 May 2018. The Minister of Communications and Multimedia (Mr Gobind Singh Deo) announced that the PDPA is currently being reviewed by the Ministry of Communications and Multimedia to streamline international requirements on personal data protection including key takeaways of the European Union's General Data Protection Regulation (GDPR).4
To date, the Commission's enforcement actions have focused on straightforward breaches, such as processing personal data without a certificate of registration. As at July 2019, at least five enforcement cases have resulted in conviction by the court. A majority of the convictions are for the offence of processing personal data without a certificate of registration.5
Several organisations in the following sectors have also received inspection visits from the Commissioner's office: utility, insurance, healthcare, banking, education, direct selling, tourism and hospitality, real estate and services (retail and wholesale). Section 101 of the PDPA gives the Commissioner power to inspect the personal data systems in corporations with a view to making recommendations on compliance. The organisation is given limited notice of the pending visit. If an organisation fails to make the necessary improvements post-inspection, this could lead to criminal enforcement action under the PDPA. An inspection visit from the Commissioner's staff will entail a detailed review of the following areas:
- personal data collection forms and privacy notice;
- internal standard operating procedures for personal data management within the organisation;
- person in charge of personal data management within the organisation and his or her awareness of the legal requirements; and
- compliance with the seven data protection principles in the PDPA.
Cybersecurity issues have also received significant media attention as Malaysian companies were not spared in the global ransomware attacks, such as the WannaCry cyberattack in 2017. Currently, Malaysia does not have a specific law addressing cybersecurity-related offences. Enforcement agencies, such as the National Cybersecurity Agency (NACSA), have to rely on existing legislation, such as the Communications and Multimedia Act 1998 (CMA), the Defamation Act 1957 and the Sedition Act 1948, to combat cyberthreats.6
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The PDPA is a comprehensive data protection legislation containing seven data protection principles, including the general principle establishing the legal requirements for processing personal data (e.g., with consent or in compliance with the legal requirements), notice (internal privacy notices for employees and external notices for consumers), choice, disclosure, data security, integrity and retention, and rights of access. Failure by an organisation to observe these principles is an offence.7 The Personal Data Protection Standards 2015, which came into force on 23 December 2015 (the Standards) are considered the 'minimum' standards to be observed by companies in their handling of personal data of customers and employees, and failure to implement them carries criminal sanctions.
The PDPA also sets up a co-regulatory model that emphasises the development of enforceable industrial codes of practice for personal data protection against the backdrop of the legal requirements of the government. Codes of Practice that have been approved and registered by the Commissioner include the Personal Data Protection Code of Practice for the:
- utilities sector (electricity);8
- insurance/takaful industry;9
- banking and financial sector;10
- licensees under the Communications and Multimedia Act 1998;11 and
- the Malaysian aviation sector.12
A code of practice for legal practitioners is also expected to be introduced.
As the Codes set sector-specific prescriptions, it is likely that these will set the expected standards for the specific sector, over and above the Standards. Non-compliance with the codes will also carry penal consequences.13
Three conditions must be fulfilled for any data to be considered as 'personal data' within the ambit of the PDPA.14
First, the data must be in respect of commercial transactions. 'Commercial transactions' is defined under the PDPA as transactions of a commercial nature, whether contractual or not, and includes any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.15 There is some ambiguity as to whether an activity must have a profit motivation to be considered a commercial transaction.
Second, the information must be processed or recorded (electronically) or recorded as part of a filing system.
Third, the information must relate directly or indirectly to a data subject who is identifiable from the information or other information in the possession of the data user. A central issue for the application of the PDPA is the extent to which information can be linked to a particular person. If data elements used to identify the individual are removed, the remaining data becomes non-personal information, and the PDPA will not apply.16
Sensitive personal data
Sensitive personal data is defined as any personal data consisting of information as to:
- the physical or mental health or condition of a data subject;
- his or her political opinions;
- his or her religious beliefs or other beliefs of a similar nature;
- the commission or alleged commission by him or her of any offence; or
- any other personal data as the minister responsible for personal data protection (currently the Minister of Communications and Multimedia) may determine.17
Sensitive personal data may only be processed with the explicit consent of the data subject and in the limited circumstances set out in the PDPA.18
Application of the PDPA
The PDPA applies to any person who processes or has control over the processing of any personal data in respect of commercial transactions.
'Processing' has been defined widely under the PDPA to cover activities that are normally carried out on personal data, including collecting, recording or storing personal data, or carrying out various operations such as organising, adapting, altering, retrieving, using, disclosing and disseminating the data. The prevailing view with respect to social media companies that have established a presence in Malaysia (for example through opening a branch office in Malaysia), is that they will be regarded as a data user and be subject to the PDPA for any data which they process in Malaysia (such as the personal data of their employees). Data processed wholly outside of Malaysia may not fall within the purview of the PDPA. There appears to be some doubt about the application of the PDPA to social media companies where it concerns data of users of social media if the interpretation taken is that this data is not being processed by the branch office in Malaysia or that no equipment in Malaysia is being used to process the data, except for the purpose of transit through Malaysia.19
A further point to note is that the PDPA only regulates personal data in the context of commercial transactions. As such, there is also some ambiguity as to whether a nominal user of social media (i.e., for recreational and social use) would enjoy the protection offered by the PDPA.
Most of the obligations under the PDPA apply to a 'data user' (i.e., 'a person who either alone or jointly in common with other persons processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor').
A 'data processor' who processes personal data solely on behalf of a data user is not bound directly by the provisions of the PDPA.
ii General obligations for data users
The Personal Data Protection (Class of Data Users) Order 2013 lists 11 categories of data users who have to be registered with the Commissioner. The categories are:
- banking and finance;
- hospitality and tourism;
- real estate and property development;
- direct selling;
- services (e.g., legal, accountancy, business consultancy, engineering, architecture, employment agencies, retail and wholesale); and
A data user may not process personal data unless it is for a lawful purpose directly related to the activity of the data user, the processing is necessary or directly related to the purpose, and the personal data are adequate and not excessive in relation to that purpose.
The data subject must also consent to the processing of the personal data unless the processing is necessary for specific exempted purposes.22
The PDPA does not define 'consent'; nor does it prescribe any formalities in terms of the consent. However, the Personal Data Protection Regulations 2013 (the Regulations) provide that the data user must keep a record of consents from data subjects. The Regulations further provide that the Commissioner or an inspection officer may require production of the record of consents. It places the burden of proof for consent squarely on the data user.
Helpfully, the Personal Data Protection Code of Practice for the Utilities Sector (Electricity) provides examples of consent, whether express or implied, that must be recorded or maintained by the data user. These examples include:
- signatures, or a clickable box indicating consent;
- deemed consent;
- verbal consent; and
- consent by conduct or performance.
Consent is deemed given by way of conduct or performance if the data subject does not object to the processing; the data subject voluntarily discloses its personal data; or the data subject proceeds to use the services of the data user.
Verbal consent should be recorded digitally or via a written confirmation that consent was given.
Regarding explicit consent, the Personal Data Protection Code of Practice for the Utilities Sector (Electricity) provides the following examples: where the data subject provides his or her identification card to be photocopied or scanned; where the data subject voluntarily provides the sensitive personal data; and verbal statements that have been recorded or maintained.
Data users are obliged to notify individuals of their purposes for the collection, use and disclosure of personal data on or before such collection, use or disclosure. For example, where a data user intends to use personal information collected for a different purpose, such as marketing communications, the data user must provide the affected individuals with the choice to disagree with the purpose before doing so.
Data users shall not disclose personal data for any purpose other than that for which the data was disclosed at the time of collection, or for a purpose directly related to it; or to any party other than a third party of the class notified by the data user without a data subject's consent.23
Personal data should not be kept longer than necessary. Retention policies must take into account any relevant requirements imposed by applicable legislation. However, the Standards appear to impose organisational requirements that may be challenging for organisations to comply with. Personal data collection forms are required to be destroyed within a period of 14 days, unless the forms can be said to have some 'legal value' in connection with the commercial transaction. It is unlikely that this time frame would be feasible for most organisations.
A record of destruction should be properly kept and be made available when requested by the Commissioner.
iii Data subjects' rights
A data subject has various rights to his or her personal data kept by data users. These are:
- the right of access to personal data;24
- the right to correct personal data;25
- the right to withdraw consent;26
- the right to prevent processing likely to cause damage or distress;27 and
- the right to prevent processing for purposes of direct marketing.28
Under the PDPA, the data subject can make a written complaint to the Commissioner about an act, practice or request:
- specified in the complaint;
- engaged in by the data user specified in the complaint;
- that relates to personal data of which the individual is the data subject; and
- that may be in contravention of the PDPA including any codes of practice.29
Upon receiving a complaint, the Commissioner may choose to conduct an investigation in relation to the relevant data user to ascertain whether the act, practice or request specified in the complaint contravenes the PDPA.30 In the event that the complainant withdraws the complaint, the Commissioner may carry out or continue an investigation where the Commissioner is of the opinion that it is in the public interest to do so.31 The enforcement powers of the Commissioner are further discussed in Section VII below.
iv Technological innovation
In general, the regulatory framework has not developed specific rules (outside the application of the seven principles in the PDPA) to deal with data privacy issues created by cookies, online tracking, cloud computing, the internet of things or big data.
Government efforts appear to be focused on positioning the country appropriately to benefit from these innovations. For example, the Ministry of Science, Technology and Innovation has unveiled the National Internet of Things Strategic Roadmap (the Roadmap) where a centralised regulatory and certification body will be established to address privacy, security, quality and standardisation concerns.
v Specific regulatory areas
There are special confidentiality rules that apply to data in specific sectors, such as the banking and financial institutions sectors, the healthcare sector as well as the telecommunications and multimedia sectors. However, these rules do not cover all aspects of data protection in the comprehensive manner of the PDPA, which tracks the information life cycle from its collection and use through to its storage, destruction or disclosure.
The PDPA does not contain specific protection for minors (below the age of 18). Section 4 of the PDPA states that for minors, the guardian or person who has parental responsibility for the minor shall be entitled to give consent on behalf of the minor.
A banker's duty of secrecy in Malaysia is statutory as is clearly provided under Section 133(1) of the Financial Services Act 2013 (FSA). The duty is not absolute.32 Section 153 of the FSA provides the legal basis for BNM to share a document or information on financial institutions with an overseas supervisory authority.33
The Guidelines on Data Management and MIS34 Framework issued by BNM sets out high-level guiding principles on sound data management and MIS practices that should be followed by financial institutions. It is noteworthy that boards of directors and senior management are specifically entrusted with the duty to put in place a corporate culture that reinforces the importance of data integrity.
The Medical Act 1971 is silent on the duty of confidentiality. The Confidentiality Guidelines issued by the Malaysian Medical Council in October 2011 after the PDPA was enacted are the most comprehensive articulation of the confidentiality obligation of health professionals.
Multimedia and telecommunications
The General Consumer Code of Practice (GCC), developed by the Communications and Multimedia Consumer Forum of Malaysia, sets out a number of consumer protection principles, one of which is the protection of consumers' personal information (quite similar in scope to the seven PDPA principles) for the telecommunications and multimedia sectors. The GCC binds all licensed service providers under the CMA and all non-licensed service providers who are members of the Consumer Forum.35
The PDPA prescribes direct sellers as one of the 11 classes of data users that must register with the Personal Data Protection Department.
The PDPA also gives consumers the right to request in writing that the direct seller stop or not begin processing their personal data. Failure to cease using personal data for direct marketing purposes after a data subject has objected could make the offender liable for a fine of up to 200,000 ringgit, imprisonment for up to two years, or both.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Section 129(1) of the PDPA states that a company may only transfer personal data out of Malaysia if the country is specified by the Minister of Communications and Multimedia Malaysia and this is then published in the Gazette. The Commissioner had issued a Public Consultation Paper36 entitled Personal Data Protection (Transfer of Personal Data to Places Outside Malaysia) Order 2017 (the Proposed Order 2017), which seeks feedback from the public on the Commissioner's draft whitelist of countries to which the personal data originating in Malaysia may be freely transferred without having to rely on exemptions provided by Section 129(3) of the PDPA. The places identified in the Proposed Order 2017 are as follows: European Economic Area member countries, the United Kingdom, the United States, Canada, Switzerland, New Zealand, Argentina, Uruguay, Andorra, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, Australia, Japan, Korea, China, Hong Kong, Taiwan, Singapore, the Philippines and Dubai International Financial Centre.
As at July 2019, the Proposed Order 2017 has yet to be gazetted. Until it comes into effect, to transfer data outside the country, organisations will have to rely on the exemptions set out in Section 129(3) PDPA, which include:
- where the data subject has consented to the transfer;
- where the transfer is necessary for the performance of a contract between the data subject and the data user;
- where the transfer is necessary to protect the vital interests of the data subject; and
- where the data user has 'taken all reasonable precautions and exercised all due diligence' to ensure that the personal data will not be processed in the recipient country in a way that would be a contravention of the PDPA.
Unlike EU law, Malaysian law does not require transfer contracts to be made for the benefit of third parties. Malaysia also has a doctrine of privity of contract that prevents enforcement of third-party benefits by data subjects.
V COMPANY POLICIES AND PRACTICES
Organisations are under the obligation to implement policies and enforce certain practices to ensure their compliance with the PDPA.
i Data protection officers
The requirements for a data protection officer are not mandated under the law. However, the Commissioner's Proposal Paper (No. 2/2014), Guidelines on Compliance with Personal Data Protection 2010, makes a clear proposal for every organisation to establish responsibility for protection of personal data at the highest level and to designate an officer for this responsibility. The officer's primary responsibility will be to ensure that all policies, procedures, systems and operations are aligned with the PDPA. There is, however, no requirement for a senior management position such as a chief privacy officer.
In addition, the proposed Guidelines appear to place the responsibility for protection of personal data at the highest level, which would appear to suggest that privacy should be a board level issue.
ii Online privacy policies
iii Internal privacy policies for employees' rights and responsibilities
The notice and choice principle requires an employer to inform the employee of the nature of the information collected; whether the information will be shared with a third party; and that he or she has the right to access the information collected.
iv Data subject opt-in, opt-out, access, deletion and portability rights
In addition to the need for consent, the Public Consultation Paper (No. 1/2014) titled the Guide to Dealing with Direct Marketing under the Personal Data Protection Act (PDPA) 2010 provides that an individual must be given the right to refuse the use of personal data for direct marketing. In the case of direct marketing by electronic means, an opt-out right must be made available on every subsequent marketing message. The right of portability is not available under the PDPA.
v Requirement for data privacy due diligence and oversight over third parties
The Standards require data users, in discharging the security principle, to bind third parties contractually to ensure the safety of personal data from misuse, loss, modification, unauthorised access and disclosure. Some organisations do take the additional step of reserving audit rights over third parties processing personal data on their behalf, but this is not currently mandated.
vi Written information security plan
The Regulations require that data users develop and implement a security policy for their companies. This security policy must comply with standards established by the Commissioner from time to time.37 Some of the more prescriptive standards for implementation are the standards stipulating that the transfer of personal data through removable media devices (e.g., USB thumb drives) and cloud computing services (e.g., Dropbox and Google Drive) is no longer permitted, unless authorised in writing by the 'top management' of the company.
Even when permitted, each transfer of personal data via such a removable media device must be recorded. Additionally, data users are required to record access to personal data, and to make the records available to the Commissioner upon request.
vii Incident response plan
Data breach management and incident response plans have not been mandated by the Commissioner.
VI DISCOVERY AND DISCLOSURE
The data protection provisions under the PDPA do not affect any rights and obligations under other laws. There is a clear exemption for disclosure of personal data for a purpose other than the purpose for which data was collected where the disclosure is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations.
In this regard, Malaysian legislation (including the PDPA) tends to provide authorities with extensive powers of search and seizure, including powers to search without a warrant. This power arises where the delay in obtaining a search warrant is reasonably likely to adversely affect investigation, or where evidence runs the risk of being tampered with, removed or destroyed.
Section 263(2) of the CMA is particularly noteworthy. Internet service providers as licensees under the CMA must comply with the Malaysian Communications and Multimedia Commission (MCMC) or any other authorities that make a written request for their assistance in preventing an offence or the attempt of any crime listed under Malaysian law.
Section 263(2) is broad enough to permit authorities to gain access to telecommunications information such as contact information and content of communications.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
The Commissioner has been entrusted with certain powers under the PDPA to enforce the PDPA. The Commissioner has been conferred powers to carry out inspections and investigations on data users, whether or not these are initiated by any complaints received from the public. The powers of the Commissioner include:
- conducting inspections on data users' personal data systems;
- publishing reports that set out any recommendations arising from the inspections; and
- serving enforcement notices on data users for a breach of any of the provisions of the PDPA, and directing data users to take (or refrain from taking) specified steps to ensure that they comply with the PDPA.
The Commissioner's authorised public officers also have various powers of enforcement under the PDPA, including:
- conducting investigations on the commission of any offence under the PDPA;
- conducting searches and seizure of data users' computerised data, documents, equipment, systems and properties, with or without a warrant;
- requiring the production of computers, books, accounts, computerised data or other documents kept by data users; and
- arresting without warrant any person who the authorised public officer reasonably believes has committed or is attempting to commit an offence under the PDPA.
It is worth highlighting a provision that is now commonplace in Malaysian legislation (including the PDPA) that provides that where an offence is committed by a body corporate, its director, chief executive officer, chief operating officer, manager, secretary or other similar officer, the entity or person may be deemed to have committed the offence unless it, he or she can establish that there was no knowledge of the contravention, and that it, he or she has exercised all reasonable precautions and due diligence to prevent the commission of the offence.38
ii Recent enforcement cases
In early 2018, an online employment agency was convicted and fined 10,000 ringgit for processing personal data without a certificate of registration. This is the second case involving an employment agency in the services sector that has led to a conviction.39
iii Private litigation
The PDPA does not provide for a statutory civil right of action for breach of any of the provisions of the PDPA. An aggrieved individual can nevertheless still pursue a civil action under common law or tort against a data user who has misused the individual's personal data.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
The PDPA applies to all activities relating to the collection, use and disclosure of personal data in Malaysia. As such, it will also apply to foreign entities processing such data in Malaysia regardless of whether they have an actual physical presence in Malaysia. The PDPA does not apply to personal data that is processed outside Malaysia, unless the data is intended to be further processed in Malaysia.
IX CYBERSECURITY AND DATA BREACHES
Statistics from Cybersecurity Malaysia (MyCERT Incident Statistics) indicate that in 2018 there were a total of 10,699 reports on cyber-related incidents.40 Statistics from January to May 2019 indicate that there have been over 3,743 reports on cyber-related incidents.41 This figure does not include those cases that go unreported almost daily, as there is no requirement to report breaches to the authorities or to customers. However, in August 2018, a Public Consultation Paper (No. 1/2018) titled the Implementation of Data Breach Notification (the DBN Consultation Paper) was issued. The DBN Consultation Paper suggests that data users are required to, among other things, notify the Commissioner within 72 hours of becoming aware of the data breach, provide details of the data breach, provide details on actions taken to contain the breach and state whether the organisation's staff have received training on data protection in the last 24 months.
The National Cybersecurity Policy is Malaysia's integrated cybersecurity implementation strategy to ensure the critical national information infrastructure (CNII) is protected to a level that is commensurate with the risks faced. Cutting across government machineries, the implementation has drawn in various ministries and agencies to work together to create a CNII that is secure, resilient and self-reliant. Implementation of this scheme has involved certification of CNIIs by Cybersecurity Malaysia to be ISMS-compliant. Other initiatives include Cyber999 Help Centre, which is a service operated by the Malaysian Computer Emergency Response Team (MyCERT) for internet users to report or escalate computer security incidents.
On 18 July 2019, the BNM issued the policy document on Risk Management in Technology (RMiT policy document) that sets out its requirements with regard to financial institutions' technology risk management framework and practices proportionate to the size and complexity of the financial institutions. The RMiT policy document sets out the board and senior management responsibilities, the responsibilities of the chief information security officer, the requirement for financial institutions to establish a robust framework for managing technology projects, the requirement to conduct due diligence on third-party service providers, the requirement to conduct risk assessment prior to conducting cloud services, and to provide adequate and regular technology and cybersecurity awareness training.
The Securities Commission Malaysia has also issued its Guidelines on Management of Cyber Risk,42 which sets out a framework to address cybersecurity resilience for capital market participants' management of cybersecurity risks.
i Cyber laws
In contrast to the comprehensive approach of the PDPA, Malaysia's cyberlaws are scattered across various pieces of legislation. Presently, the key provisions of Malaysia's cyberlaws are as follows.
Offences under the CMA include:
- the offence of the use of network facilities or network services by a person to transmit any communication that is deemed to be offensive and that could cause annoyance to another person;43
- the offence of using an apparatus or device without authority;44
- the offence of improper use of network facilities or network services – such as annoying, abusive, threatening, harassing or obscene communications – emails (spamming), SMS or MMS website content publishing;45
- the offence of interception and disclosure of communications;46 and
- the offence of damage to network facilities.47
Other cyberoffences include:
- cyberpornography and exploitation of children;48
- online sedition and internet defamation;49
- misuse of computers;50
- prostitution and other illegal cybersexual activities; and
ii Laws to facilitate prosecutions of internet-based offences
A noteworthy development in Malaysian law was the introduction of Section 114A into the Evidence Act 1950, which came into force on 31 July 2012. Under the new Section 114A, an internet user is deemed to be the publisher of content if it originates from his or her website, registered network or data-processing device, unless he or she proves the contrary.
iii Laws to promote tracking transactions conducted on the internet
Examples of laws that provide for tracking and recording transactions conducted on the internet include the Cyber Centre and Cyber Cafe (Federal Territory of Kuala Lumpur) Rules 2012 and the Consumer Protection (Electronic Trade Transactions) Regulations 2012. The former requires any person operating a cybercafé or cybercentre to maintain a customer entry record and a record of computer usage for each computer, whereas the latter requires online business owners and operators to provide their full details and terms and conditions of sale, to rectify errors and to maintain records.
We expect to see more enforcement actions by the Commissioner in the coming year, particularly given the focus of the Minister of the MCMC on enforcement of data breaches. Having said that, we expect to see the Commission continue to pursue its 'audit' type regulation (as opposed to prosecution) via inspection visits and enforcement notices as a means of instilling awareness among data users on their data protection obligations.
Recent incidents such as the MOMO challenge hoax, ransomware, banking account leaks and other data breaches were reported and received wide media coverage in Malaysia. The Chief Executive Officer of Cybersecurity Malaysia stated that cybersecurity is currently perceived as a cost rather than an investment for businesses. He further stated that with the increased use of technology, cybersecurity should be a default feature in all businesses regardless of their size and not an afterthought.52 It is understood that the Personal Data Protection Commission is still seeing low levels of awareness in relation to the PDPA, particularly among smaller enterprises. We expect to see more businesses improving their data protection framework and measures to safeguard the interests of the data subjects as well as their own.
In light of the GDPR, the Minister stated that while there is no timeframe for the review of the PDPA, the review exercise is still ongoing and it is hoped that a new framework will be formulated or that a proposed amendment will be brought to Parliament. The data breach notification requirement proposed in the DBN Consultation Paper is expected to be implemented by imposing conditions on the certificate of registration issued to the data users by the Commissioner. As such, this applies to the 13 classes of data users as specified in Section III.ii above. A blanket requirement to report every breach could be excessively onerous. A threshold such as 'a real risk of serious harm' should accompany such a requirement (which would most certainly cover identity theft). Alternatively, and instead of a mandatory requirement, Parliament may wish to consider explicitly recognising breach notification as a mitigation point in enforcement proceedings. This would not just address considerations on fairness to the consumer, but provide organisations with the incentive to advise consumers of breaches, as well as the flexibility to evaluate their position.
1 Shanthi Kandiah is a partner at SK Chambers.
2 The EU Data Protection Directive 95/46/EC has now been replaced with the EU General Data Protection Regulation, which came into force on 25 May 2018.
3 There is some ambiguity about which public entities fall within this definition. It does not appear that agencies and statutory bodies established under Acts of Parliament or state enactments to perform specific public functions, such as Bank Negara Malaysia (BNM), the Employees Provident Fund, the Securities Commission Malaysia and the Companies Commission of Malaysia, fall within the scope of this exemption.
4 Mr Gobind Singh Deo, from 'Gobind: Personal data protection law to be updated soon' dated 18 March 2019, New Straits Times (https://www.nst.com.my/news/government-public-policy/2019/03/470358/gobind-personal-data-protection-law-be-updated-soon).
5 Section 16(4) of the PDPA.
6 See Section IX.i.
7 Section 5(2) of the PDPA.
8 With effect from 23 June 2016.
9 With effect from 23 December 2016.
10 With effect from 19 January 2017.
11 With effect from 23 November 2017.
12 With effect from 21 November 2017.
13 Section 29 of the PDPA.
14 Section 2 of the PDPA.
15 Section 2 of the PDPA.
16 See also Section 45(2)(c) of the PDPA.
17 Section 2 of the PDPA.
18 Section 40(1) of the PDPA.
19 Section 2(2) of the PDPA.
20 Personal Data Protection (Class of Data Users) (Amendment) Order 2016, which came into effect on 16 December 2016.
21 Section 16(4) of the PDPA.
22 Section 6(2) of the PDPA.
23 If a data user is found guilty of disclosing personal data without the consent of the data subject, he or she may be liable to a 300,000-ringgit fine or two years' imprisonment, or both.
24 Section 30 of the PDPA.
25 Section 34 of the PDPA.
26 Section 38 of the PDPA.
27 Section 42 of the PDPA.
28 Section 43 of the PDPA.
29 Section 104 of the PDPA.
30 Section 105(1) of the PDPA.
31 Section 107 of the PDPA.
32 Schedule 11 of the FSA sets out a list of permitted disclosures.
33 See also Section 165 of the Islamic Financial Services Act 2013.
34 Management Information System.
35 The Malaysian Communications and Multimedia Content Code also sets out privacy-related restrictions.
36 (PCP) No. 1/2017.
37 The Personal Data Protection Standards 2015.
38 Section 133(1) of the PDPA.
42 With effect from 31 October 2016.
43 Section 233(1)(a) of the CMA.
44 Section 231 of the CMA.
45 Section 233 of the CMA.
46 Section 234 of the CMA.
47 Section 235 of the CMA.
48 Sections 292, 293 and 294 of the Penal Code, Section 5 of the Film Censorship Act 2002 and Section 31 of the Child Act 2001.
49 Sections 3 and 4 of the Sedition Act 1948, Section 211 (prohibition on provision of offensive content) and Section 233 (improper use of network facilities or network service) of the CMA.
50 Section 3 (unauthorised access to computer materials), Section 4 (unauthorised access with intent to commit or facilitate commission of further offence), Section 5 (unauthorised modification of contents of any computer) and Section 6 (wrongful communications) of the Computer Crimes Act 1997.
51 The Penal Code contains provisions that deal with terrorism that may apply to cyberterrorism, such as Chapter VIA Sections 130B–130T (incorporated into the Penal Code on 6 March 2007).
52 Datuk Dr Amiruddin Abdul Wahab, from 'Cybersecurity should be the default feature in all businesses' dated 12 May 2019, New Straits Times (https://www.nst.com.my/business/2019/05/487760/cybersecurity-should-be-default-feature-all-businesses).