As the e-commerce market expands rapidly across the globe, including in Malaysia, the risk of personal data breaches has become extremely high. Malaysians have, in recent years, fallen victim to various personal data breaches, which resulted in the personal data of many of them being stolen and sold on the dark web. Whilst Malaysia has its own Personal Data Protection Act 2010 (“PDPA”), the PDPA in its current form is often criticised for being outdated and ineffective in addressing current data protection concerns.
In order to address these data protection concerns and to bring the PDPA in line with global data protection standards such as the General Data Protection Regulation (“GDPR”) adopted in the European Union, the Malaysian government has announced its intention to amend the PDPA. While there have been various delays, the Minister of Communications and Digital (“Minister”) announced earlier this year that the draft bill is expected to be presented in Parliament before the end of the year.
The key proposed amendments to the PDPA are as follows:
Under the current PDPA, there is no obligation for data users to appoint a data protection officer (“DPO”). A DPO in an organisation is usually responsible for the organisation's personal data protection matters, such as overseeing data protection strategy and implementation to ensure compliance with the PDPA. The Department of Personal Data Protection (“PDP”) has proposed to make the appointment of a DPO mandatory for all data users. There are currently no guidelines on the appointment of the DPO, but the PDP is expected to issue such guidelines in due course. In the meantime, other jurisdictions such as Singapore have already made it mandatory for organisations to designate at least one individual in the organisation as the DPO to oversee data protection responsibilities and ensure compliance.
The PDPA does not require data users to notify the PDP of any data breach incident. Currently, data breach notifications to the PDP are made voluntarily by data users. However, the PDP has now proposed to implement a mandatory data breach notification mechanism whereby data users are required to notify the PDP within 72 hours of a data breach incident. It is unclear at this juncture whether any other criteria apply to the data breach notification. Various jurisdictions have already imposed a mandatory data breach notification requirement, including the European Union, New Zealand, the United States and China.
A data processor means a person, company or other party which processes personal data on behalf of a data user. The PDPA currently does not impose direct obligations on data processors to comply with the PDPA. The proposed amendments aim to extend the application of the security principle under Section 9 of the PDPA to data processors, and not only to data users. This essentially means that data processors will have the responsibility to take practical steps to protect personal data from any theft, loss, unauthorised usage, misuse or accidental access. This change is prompted mainly by the many reported data breaches that have involved data processors. Therefore, the objective of extending the application of the security principle to data processors is to ensure that data processors take the protection of personal data seriously.
Data portability is a concept that provides individuals with the right to obtain and reuse their personal data for other purposes across different services. It is the right of data subjects to gain access to their data in a structured, machine-readable format which can be transferred from one data user to another in order to obtain services. The introduction of this proposed amendment will grant data subjects the right to data portability under the PDPA.
Section 129 of the PDPA provides that a data user shall not transfer any personal data of a data subject to a place outside Malaysia unless that place is specified or “whitelisted” by the Minister in the Federal Gazette. The whitelist appears to set a barrier for data users wishing to transfer personal data to places outside Malaysia. The proposed amendment seeks to restructure Section 129 and remove the issuance of the whitelist relating to the transfer of personal data outside Malaysia. The PDP has indicated that the whitelist regime will instead be replaced with a blacklist regime, whereby data users will be allowed to transfer personal data abroad except to countries which have been blacklisted by the Minister.
At this juncture, the Minister and the PDP have yet to confirm whether there will be any addition, removal or alteration to the proposed amendments in the draft bill. Therefore, it is uncertain whether the proposed amendments highlighted herein will be tabled in Parliament and included in the amended PDPA. However, the Minister has stated that the fines or penalties imposed on data users found to be misusing personal data are disappointing and no longer fit current times, and has expressed his intention to increase the maximum fines and penalties. Further, the Minister has also proposed to elevate the PDP to a statutory body and increase its enforcement powers, to ensure that it has enough resources and authority to regulate and combat data breaches.
Considering that the draft bill is still under review, there is a chance that we may see additions to the above proposed amendments to the PDPA soon. These proposed amendments are broadly in line with data privacy laws across the world and are therefore hoped to bring a fresh change that facilitates and enforces the much-needed protection of personal data in Malaysia moving forward. Businesses and organisations should anticipate developments in the data protection regulatory framework and be well prepared to take the necessary steps to ensure compliance with such changes.
Kathreena is an associate at Wong Jin Nee & Teo. Her practice predominantly focuses on brand protection and enforcement, franchise advisory and registration, as well as regulatory compliance work.