Malaysia holds the distinction of being one of the few countries that took an early lead in protecting the privacy and digital rights of its citizens online. Thanks to its Personal Data Protection Act (PDPA), citizens in Malaysia have rights over how companies and websites collect, use, and share their personal data.
The PDPA goes into great detail on what rights a consumer has with regards to their data being collected, the responsibilities of data handlers in properly educating the data subjects of their rights, and most importantly, how organizations can expect to be penalized if they fall foul of the PDPA regulations.
Passed in June 2010 by the Malaysian parliament, the PDPA came into effect more than three years later in November 2013. Under Article 55 of the PDPA, the enforcement powers of the data regulation rest with the Malaysian Ministry of Justice, which later established the office of the Commissioner of the Department of Personal Data Protection (regulatory authority) dedicated specifically to enforcing the PDPA.
The PDPA is seen as an incredibly balanced piece of legislation that takes concrete steps to guarantee data subjects’ right to privacy and protection of their data while giving all websites and corporations the necessary breathing space to carry out their behavioral analyses with minimal losses to their reach or engagement.
Who Needs To Comply
The PDPA follows the same data protection approach as several other pieces of legislation passed over the last couple of years, such as the GDPR and CPRA: it applies not only to organizations inside Malaysia but also to organizations anywhere in the world that process the data of Malaysian citizens, provided they use equipment inside Malaysia for that purpose.
Any website or company that handles user data collected in the course of “commercial transactions” is required to follow these regulations. This includes any site involved in financing, banking, insurance, investments, or the supply or exchange of goods and services for a price.
However, the PDPA is explicitly clear in creating exceptions for the following entities:
- The Federal & State governments of Malaysia;
- Credit report agencies that fall under the Malaysia Credit Reporting Agencies Act 2010; and
- Data handlers (data controllers) processing personal data outside Malaysia (unless the processed data requires further processing inside Malaysia).
The last part has special significance since it gives companies and websites leeway in collecting Malaysians’ data if they aren’t processing that data inside Malaysian borders.
For further clarification, the term “processing” includes collecting, publishing, selling, recording, disclosing, and using data obtained from Malaysian users. Companies that do engage in these activities but not within Malaysia’s borders are exempt from the PDPA regulations.
Obligations for Organizations Under the PDPA
The PDPA emphasizes the rights of data subjects. Hence, it goes into extensive detail about the responsibility of the websites and data handlers when it comes to dealing with the data subjects’ personal data.
Lawful Basis Requirements
The PDPA provides that a data user (data controller) must not process an individual's personal data without their consent. The PDPA, however, provides the following exceptions to this principle:
- Performance of a contract to which the data subject is a party;
- Taking steps, at the data subject's request, with a view to entering into a contract;
- Protecting the vital interests, namely matters relating to life, death, or security, of the data subject;
- Compliance with any legal obligation to which the data user is the subject, other than a contractual obligation;
- Administration of justice; or
- Exercise of any functions conferred on any person under any law.
Consent Requirements
An organization can only collect data for which it has gained explicit consent from the data subject. At the same time, it must have options for data subjects to easily withdraw or revoke their consent. Once consent is withdrawn, proper measures must be taken to ensure that the data subject’s data is not collected in any form.
Privacy Notification
An organization has the responsibility to properly inform all users that visit their website why their data needs to be collected and whether it will be shared with any third parties. The PDPA requires a data controller to inform a data subject by written notice of the following:
- That the personal data of the data subject is being processed and a description of the data;
- The purposes for which the personal data is being collected and further processed;
- Any information available to the data user as to the source of that personal data;
- The data subject's right to request access and correction of the personal data;
- The contact particulars of the data user in the event of any inquiries or complaints;
- The class of third parties to whom the data is or may be disclosed;
- The choices and means offered to a data subject to limit the processing of the data; and
- Whether it is obligatory or voluntary for the data subject to supply data, and if obligatory, the consequences of not doing so.
Security Requirements
The onus is on the data handler to ensure that the data collected is properly protected against any form of cyberattack or data breach. For this reason, the data handler needs to have appropriate organizational tools and practices in place to prevent such attacks. Where the data processing is carried out by a data processor on behalf of a data controller, the data controller must ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing, and must take reasonable steps to ensure compliance with those measures. The regulatory body has also issued several security standards that require a data controller to have a formulated security policy.
Data Breach Requirements
Currently, the PDPA does not provide any data breach notification requirements. However, as per the Public Consultation Paper 1/2018: The Implementation of Data Breach Notification, data controllers are required to notify the affected data subjects and regulatory authority about the breach and whether any of their information has been compromised as a result.
Data Protection Impact Assessment
There is no requirement to conduct a data protection impact assessment under the PDPA.
Record of Processing Activities
A data controller must keep and maintain a record of any privacy notice, data subject request, or any other information relating to personal data processed by him in the form and manner that may be determined by the regulatory authority.
Cross-Border Data Transfer Requirements
The PDPA provides that personal data can be transferred out of Malaysia only when the recipient country is specified as adequate in the Official Gazette. The personal data of data subjects cannot be disclosed without the consent of the data subject. The PDPA provides the following exceptions to the cross-border data transfer requirements:
- Where the consent of the data subject is obtained for the transfer;
- Where the transfer is necessary for the performance of contract between the parties;
- The transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
- The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not, in that place, be processed in any manner which, if that place were Malaysia, would be a contravention of the PDPA;
- The transfer is necessary in order to protect the vital interests of the data subject; or
- The transfer is necessary as being in the public interest in circumstances as determined by the Minister.