The road ahead for Malaysia’s Personal Data Protection Act 2010
Financier Worldwide Magazine, December 2021 Issue | Spotlight: Risk Management
The Personal Data Protection Act (PDPA) 2010 of Malaysia was enacted to regulate the processing of personal data in commercial transactions, coming into force on 15 November 2013.
In 2018, the minister of communications and multimedia highlighted the need for the PDPA to be updated periodically to ensure that the Act is aligned with new developments and international requirements on personal data protection, such as the European Union’s (EU’s) General Data Protection Regulation (GDPR).
In this regard, the personal data protection commissioner issued ‘Public Consultation Paper No. 01/2020’ to review the PDPA in early 2020. This was a response to the findings of the Personal Data Protection Department pursuant to a survey which identified gaps within the PDPA compared to personal data protection laws in other Association of Southeast Asian Nations (ASEAN) countries, Japan, South Korea and the EU.
The following is an overview of some of the more important proposals outlined by the commissioner in the Public Consultation Paper.
Proposed amendments under the Public Consultation Paper
Creating direct legal obligations for data processors to comply with the PDPA. The first proposed amendment considers extending the application of the PDPA to data processors, by imposing direct legal obligations on data processors to comply with the PDPA. It also considers introducing requirements on data processors to register with the commissioner to process personal data.
Presently, the PDPA does not impose direct legal obligations on data processors, with the compliance obligations under the PDPA being imposed solely on data controllers. This being the case, the data controller’s ability to recover any loss or damage from the data processor would largely depend on the strength of its contractual terms with the data processor. Imposing direct legal obligations on data processors to comply with the PDPA would therefore address this imbalance of obligations, which is one of the major issues faced by data controllers when negotiating contracts with data processors.
However, with regard to the proposal to require data processors to register with the commissioner, there are views that this proposal may not be viable due to the sheer number of organisations that act as data processors (which may result in the need for all companies and organisations to register with the commissioner).
If data processors are to be subject to registration requirements, the commissioner would need to establish clear criteria as to the categories of data processors that would be subject to registration requirements.
Data controllers to appoint a data protection officer. The commissioner proposes to make it obligatory for data controllers to appoint a dedicated data protection officer (DPO) for their organisation, and for the commissioner to introduce guidelines relating to such appointments.
If the requirement to appoint a DPO is introduced in Malaysia, it should ideally be limited to organisations that fulfil certain qualifying criteria, similar to the approach taken under the GDPR. This would be preferred to the imposition of a blanket requirement on all organisations to appoint a DPO, which would be overly burdensome on small businesses such as sole proprietors, or businesses which process minimal amounts of personal data.
Mandatory breach notification rules. The introduction of a data breach notification framework is another key proposal under the Public Consultation Paper. Presently, there are no mandatory data breach notification requirements under the PDPA (save for data controllers in certain regulated industries, where sector-specific laws may require notification to be made to the relevant governing authority).
The absence of data breach reporting requirements under the PDPA is worrisome, as it gives organisations discretion to choose not to notify the commissioner or affected data subjects of a data breach, thereby preventing data subjects from taking measures to protect themselves from the potential harm that may ensue.
Accordingly, a threshold-based reporting obligation for data breach incidents is to be welcomed, in order to promote greater accountability and trust between data controllers and data subjects.
Transfer of personal data to places outside Malaysia. The rules governing transfers of personal data to places outside Malaysia are provided under Section 129 of the PDPA. In this regard, section 129 provides that cross-border transfers of personal data are generally prohibited, unless the place has been ‘whitelisted’ by the minister of communications and multimedia, by way of an order published in the Federal Gazette. However, no such ‘whitelist’ has been issued and gazetted by the minister to date.
In the absence of a whitelist, organisations have sought to carry out cross-border transfers by way of fulfilling the conditions under section 129(3) of the PDPA. Section 129(3) of the PDPA identifies the relevant situations where personal data can be transferred outside of Malaysia, assuming the place has been included on the whitelist.
Recognising the need for clear provisions and conditions for cross-border transfers and the role of cross-border data transfers in facilitating e-commerce transactions as well as free trade agreements, the commissioner has proposed removing the ‘whitelist’ provisions from the PDPA and instead relying on an objective assessment of each transfer of personal data outside of Malaysia.
Data controllers to implement privacy by design. Privacy by design is a concept which requires companies to place privacy at the forefront of their system lifecycle, so that the protection of personal data forms an integral part of the overall business model.
The commissioner has proposed that all data controllers utilise privacy by design when developing any new system. According to the proposal, privacy by design would operate as a preventive measure by reducing the likelihood of data breaches from the outset.
It has not been specified whether this requirement would be introduced as a mandatory requirement (such as in the GDPR) or a good practice requirement (such as in Singapore and the US). It is noted that a mandatory privacy by design requirement would have a substantial impact on data controllers, as it would take them several years to implement this concept in their systems and also result in increased operating costs.
Application of the PDPA to data controllers outside Malaysia that monitor Malaysian data subjects. The PDPA in its present form applies only to processing activities carried out within Malaysia. As such, companies outside of Malaysia that process the personal data of Malaysians are not subject to the PDPA.
The commissioner proposes to extend the application of the PDPA to data controllers outside of Malaysia, that monitor and carry out profiling activities of data subjects in Malaysia.
The concept of extraterritorial application for data protection laws is not new, being first introduced in the GDPR and adopted in the data privacy laws of other countries such as India’s Personal Data Protection Bill 2019 and the California Consumer Privacy Act. However, if this proposal is implemented, the commissioner would need to consider how to overcome the practical difficulties of enforcing the PDPA against data controllers outside Malaysia (e.g., the need to enter into interworking arrangements with the authorities in foreign jurisdictions).
Processing of personal data in cloud computing. The commissioner proposes to issue guidelines on the processing of personal data by way of cloud computing services.
Globally, cloud services are increasingly utilised for the processing and storage of personal data due to their flexibility, efficiency and cost-effectiveness. Based on the definition of ‘processing’ under the PDPA (which includes holding and storing personal data), cloud service providers (CSPs) would certainly be considered data processors. Under the GDPR, CSPs are considered data processors, and global cloud computing providers such as Oracle and ServiceNow have incorporated data processor obligations in their contracts to ensure GDPR compliance.
Given that CSPs have the capacity to host huge amounts of personal data, the commissioner is of the view that it is imperative that the PDPA includes provisions which clarify the responsibilities of CSPs, and the responsibilities of organisations using cloud services to process data.
Conclusion
The passing of the GDPR has acted as an impetus for many jurisdictions to similarly amend their data protection laws, in order to ensure alignment with global data protection standards. In this regard, the review of the PDPA is timely to ensure that Malaysia has an in-depth privacy law that is relevant and keeps pace with changing times.
The proposed amendments in the Public Consultation Paper are important to strengthen personal data protection standards in Malaysia. If implemented, the amendments will have a significant impact on the operations of data controllers and their interactions with data subjects. Some of these amendments will unavoidably impose additional compliance obligations on data controllers and may very likely increase operational and compliance costs.
Other than the Public Consultation Paper, the Malaysia Digital Economy Blueprint, which was issued by the government in February 2021, further identifies the need to strengthen data protection and related regulatory frameworks in order to ensure holistic protection of personal data and an individual’s privacy. The Blueprint also identifies the need to strengthen cross-border data transfer mechanisms to facilitate seamless and secure cross-border data flows. According to the Blueprint, the Malaysian government aims to complete the review of the PDPA by 2025.
In addition to the Blueprint, ASEAN endorsed the model contractual clauses (MCCs) for cross-border data flows in January 2021. While the MCCs are not mandatory in nature, they are intended to cover the principal obligations imposed on data controllers as well as reduce the costs of negotiation and compliance which are often the bane of small and medium enterprises. In line with this, the commissioner has indicated that for now the MCCs are being targeted at small and medium enterprises.
The timeline for the above proposals to become law remains uncertain. The amendments proposed by the Public Consultation Paper were initially intended to be tabled in 2021 and have been provided to the attorney general’s chambers for the necessary legislative drafting. However, with the issuance of the Blueprint, where the target to amend the PDPA is now stated to be 2025, it remains to be seen if any amendments to the PDPA will be introduced in the near term.
Deepak Pillai is a partner and Michelle Wu is a legal associate at Christopher & Lee Ong. Mr Pillai can be contacted on +60 3 2275 2675 or by email: deepak.pillai@christopherleeong.com. Ms Wu can be contacted on +60 (3) 2273 1919 or by email: michelle.wu@christopherleeong.com.
© Financier Worldwide
By Deepak Pillai and Michelle Wu, Christopher & Lee Ong