The General Data Protection Regulation: How is it Applicable to Businesses in Malaysia?


Background to GDPR

The European Union (“EU”) General Data Protection Regulation (“GDPR”) became applicable on 25 May 2018 and replaced the Data Protection Directive 95/46/EC (“1995 Directive”). Among its objectives, the GDPR seeks to ensure an equivalent level of protection for natural persons throughout the EU while allowing the free flow of personal data within it. This is especially necessary in light of the data protection issues brought about by technological developments and the sheer ease with which data can be transferred online.


Who needs to comply?

The GDPR has a wider territorial scope than its predecessor, the 1995 Directive. It applies to processing carried out in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU. It also applies to a controller or processor not established in the EU that processes the personal data of data subjects who are in the EU, where the processing activities relate to:

  1. the offering of goods or services to data subjects in the EU, irrespective of whether payment is required of the data subjects; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the EU.[1]

This means that a business, regardless of where it is incorporated or located, would have to comply with the GDPR so long as it processes the personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behaviour in the EU. While Malaysia has its own data protection legislation in the form of the Personal Data Protection Act 2010 (“PDPA”), the wide territorial scope of the GDPR imposes further obligations on local businesses that are caught by it. The GDPR is widely viewed as the gold standard of data protection, and some of its provisions have no counterpart in the PDPA.


Selected key points of the GDPR versus existing provisions in the PDPA

  • Breach notification

Under the GDPR, the data controller must notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.[2] Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the affected data subjects without undue delay.[3] There is no similar provision under the PDPA.

  • Right to erasure (‘right to be forgotten’)

The GDPR allows a data subject to request that the controller erase personal data concerning him/her, and the controller is obliged to do so where one of the requisite grounds applies. The PDPA has no identical provision, but Section 38 does provide that a data subject may withdraw his/her consent to the processing of personal data, whereupon the data user must cease processing it. Since “processing” is defined under the PDPA as “collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data”, it would be reasonable to interpret this to mean that the data user must erase the personal data once it no longer has consent to process it, as continued holding or storage would itself be processing.

  • Data portability

There are two parts to this right under the GDPR: (1) the data subject’s right to receive the personal data concerning him/her in a structured, commonly used and machine-readable format; and (2) the right to have such data transmitted from one controller to another controller.[4] The PDPA does give a data subject the right to access personal data collected about him/her, but it does not stipulate the format in which the personal data must be provided. There is, however, no similar provision when it comes to having the data transmitted to another controller.

  • Designation of representative in the Union

A controller or processor that is not established in the EU but processes the personal data of data subjects in the EU must designate in writing a representative in the EU.[5] This requirement does not apply to (a) processing which is occasional, does not include large-scale processing of special categories of data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons; or (b) processing by a public authority or body. There is no such requirement under the PDPA.


Effect of Non-Compliance

Depending on the type of infringement, a company can be fined up to 20 million Euros or up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher; a lower tier of up to 10 million Euros or 2% of turnover applies to less serious infringements.[6]


Conclusion

The extraterritorial nature of the GDPR has brought more confusion than ever to Malaysian businesses that are only just getting used to compliance with the PDPA. One may argue that enforcing the GDPR against a Malaysian business that breaches its provisions would be difficult in practice, and how this plays out remains to be seen. Enforcement aside, there are cogent reasons for Malaysian businesses to comply with the GDPR, particularly if they expect to deal with the personal data of data subjects in the EU. Given the severe financial penalties involved, foreign companies are likely to err on the side of caution and require the Malaysian businesses they work with to comply with the GDPR as a condition of doing business. It is thus highly recommended that Malaysian businesses familiarise themselves with this development in the law.

[1] Article 3 of the GDPR

[2] Article 33 of the GDPR

[3] Article 34 of the GDPR

[4] Article 20 of the GDPR

[5] Article 27 of the GDPR

[6] Article 83 of the GDPR