In the previous post, we examined the data governance framework in Indonesia, one of the few countries in the APAC region that has not signed the Osaka Declaration. In this post, we examine the data governance framework of Malaysia, the only country in our blog series, which was not a part of the G-20 summit in Osaka. We look at the grounds of processing data and the obligations imposed on organisations (II);rights guaranteed to individuals (III); rules governing cross-border data flows (IV);the penal and enforcement framework (V); and the exemptions given to state agencies (VI). Part VII concludes.
Malaysia does not have a constitutional right to privacy, although it has enacted the Personal Data Protection Act, 2010 (“PDPA”) and the PDP Regulations, 2013. As part of an ongoing review of the Act, in February 2020, the government and the Personal Data Protection Commissioner (“Commissioner”) have released a Consultation Paper seeking the views of the public on various issues ranging from data breach notification and data portability to cross-border data transfers.
II. Data processing and other obligations
The PDPA regulates the processing of personal data in commercial transactions, and does not apply to the Federal or State governments. The Commissioner is currently in the process of examining whether Federal and State governments should be covered by the law.
The law distinguishes between controllers (called data users) and processors (called data processors). Data controllers may be required to get registered under the PDPA, on the recommendation of the Commissioner. The PDPA does not impose any direct obligations on data processors nor are processors required to register. The only provision that expressly refers to data processors is the security principle – it requires the data controller to ensure that the data processors provide sufficient guarantees and take reasonable steps to ensure the security of personal data. The Commissioner is considering amending the law to directly regulate and register data processors since many cases of data breach involve data processors.
Notice and consent
Data controllers must give individuals (called data subjects) notice of the personal data being collected and processed by them.
Consent is necessary for processing the personal data of individuals, and individuals can withdraw their consent in writing at any point. Data controllers can process personal data without consent only if the processing is necessary for:
- The performance of a contract to which the individual is a party.
- Compliance with a legal obligation.
- Protecting the vital interests of the individual.
- The administration of justice.
In contrast, sensitive personal data can only be processed under the following conditions:
- Individuals give their explicit consent or make the personal data publicly available; or
- The processing is necessary: (a) to perform any legal obligation; (b) to protect the vital interest of the individual or third parties under certain conditions; (c) for medical purposes; (d) for legal proceedings or advice; (e) for the administration of justice; and (f) for any other purpose as the Minister thinks fit.
Data controllers can only process personal data for a lawful purpose, which is directly related to the individual’s activity, and if such data is not excessive for that purpose.
Disclosure of information
A data controller may disclose an individual’s personal data for any purpose other than the original purpose if:
- The individual has consented to such disclosure.
- The disclosure is necessary for the investigation, prevention, or detection of crime.
- The disclosure is necessary/authorised under law or by a judicial order.
- The data controller acts under the reasonable belief that it has a right to disclose such data or that it has the consent of the individual.
- The disclosure is in public interest, as determined by the Minister.
However, the individual need not be notified of the identity of the third party, to whom such data has been disclosed – a situation, the Commissioner is considering amending.
Other accountability measures
Currently, the PDPA does not require data controllers to appoint data protection officers or implement privacy by design. There is also no data breach notification requirement. The Commissioner is considering introducing these requirements.
III. Individual rights
Individuals have the following rights under the PDPA:
- Accuracy (Data integrity): Personal data must be accurate, complete, not misleading and kept up-to date by having regard to its purpose.
- Access: Individuals can access their personal data, which is made available to them in an intelligible format. Data controllers are exempted from this obligation if: (i) the burden or expense of providing access is disproportionate to the risks to the individual’s privacy; (ii) disclosure would result in identifying a third party; (iii) violate a court order; or (iv) disclose confidential information.
- Correction: Individuals can correct their personal data if it is inaccurate, incomplete, misleading or not up-to date, if they adequately identify the error in the data.
- Deletion: Data controllers must take all reasonable steps to destroy or permanently delete personal data that has fulfilled its original purpose.
- Right to object to processing: Individuals can object to the processing of their personal data for a specified purpose or in a specified manner if it is likely to cause unwarranted substantial damage or distress to them or another person.
- Right to object to direct marketing: Individuals can object in writing to the processing of their personal data for the purpose of direct marketing.
The right to data portability is not provided in the PDPA, although the Commissioner is considering including these provisions under the law. It has also cited Singapore’s example to discuss whether a Do Not Call Registry should be established under the PDPA.
IV. Cross-border data flows
Cross-border transfer of personal data is only permitted if the recipient country is included in a whitelist issued by the Minister (based on the recommendations of the Commissioner). The inclusion of a country in the whitelist is based on whether the recipient country has a similar data protection framework in place or provides at least an equivalent level of protection as the PDPA. If these conditions change, countries can be removed from this whitelist.
Data controllers can also transfer data to a country not on the whitelist if:
- Individuals consent to the transfer.
- The transfer is necessary for the performance of a contract.
- The transfer is for the purpose of a legal proceeding.
- The data controller reasonably believes that the transfer is necessary to avoid adverse action against the individual or to protect their vital interests.
- The data controller takes all reasonable precautions and exercises due diligence to ensure adequate data protection in the recipient country.
- The transfer is necessary in public interest in circumstances as determined by the Minister.
Incidentally, no whitelist has been issued by the government since the enactment of the law. The Commissioner is now considering remove the whitelisting requirement, since they can act as a barrier to free flow of data. The Commissioner is also considering whether to notify any guidelines regulating the usage of cloud computing and the obligations of cloud service providers to protect personal data.
V. Penal and enforcement framework
Data controllers can be held criminally liable if:
- They violate any of the privacy principles enshrined in the law.
- They do not cease processing the personal data of an individual who has sent them a notice withdrawing her consent.
- They process sensitive personal data in violation of the law.
- They fail to comply with the Commissioner’s order to stop processing an individual’s personal data for direct marketing purposes.
- They transfer personal data to a country that is not included in the whitelist.
- They fail to register with the Commissioner, despite being part of the class of data controllers required to register.
Third parties can also be held criminally liable if they knowingly or recklessly, and without consent, collect or disclose personal data held by a data controller, subject to certain conditions. Notably, criminal prosecution can only be instituted on the written consent of the Public Prosecutor.
Currently, there is no provision in the PDPA to permit an individual to file a civil claim in court against the data processor for any violation of the law. The Commissioner is considering remedying this, and providing a specific provision to facilitate civil litigation.
The Commissioner is empowered to carry out inspections, investigations, and send enforcement notices specifying a course of action that data users have to follow. Individuals can also file complaints with the Commissioner for the violation of provision of the law or codes of practice. They can also file an appeal with the Appeal Tribunal against the Commissioner’s decision relating to a data processor’s failure to comply with an access and correction request or relating to her refusal to commence/continue an investigation initiated by an individual. The Appeal Tribunal is to be constituted by the Minister and its decision can be enforced in court.
VI. Exemption given to state agencies
The PDPA gives a wide berth to processing for law enforcement purposes. For instance, personal data processed for: (a) prevention, detection, and investigation of crimes; (b) apprehension or prosecution of offenders; and (c) assessment or collection of tax or duty is exempted from complying with the key provisions of the Act governing notice and consent, choice, disclosure, access, as well as ‘other related provisions’. On the Commissioner’s recommendations, the Minister can further exempt any data controller from the application of any or all the provisions of the Act. Notably, there are no conditions prescribed in the law to constrain the exercise of the Minister’s powers.
Law enforcement powers of the Commissioner
In addition, the Commissioner or an officer authorised by him (“authorised officer”) can exercise powers of search and seizure based on a warrant issued by a Magistrate, or in certain circumstances, without a warrant. As part of its search and seizure powers, the authorised officer can also access computerised data. Even if there is a defect in the warrant, any material seized shall continue to be admissible as evidence.
Authorised officers also have the power to require the production of computers, computerised data, books of accounts etc.; as well as the power to require the attendance of, and examine, persons acquainted with the case. Finally, an authorised officer has also been given the power to arrest persons.
Much like the GDPR, the PDPA is also based on a governing set of personal data protection principles (notice and choice, disclosure, security, retention, data integrity, and access principle). It is sometimes referred to as a “European style privacy law.” However, it is distinct from the GDPR (and even the privacy laws of its APAC neighbours such as Australia, Japan and Singapore) in three important respects. First, it exempts Federal and State governments from the purview of the Act. Second, it gives a wide berth to data controllers in case they process personal data for law enforcement purposes. Third, the PDPA focuses on criminal offences, rather than providing individuals with the statutory right to file civil claims for compensation/damages. The Commissioner has recommended certain amendments on these aspects. The government may introduce changes in the law following the Commissioner’s recommendations.
Authored by the Ikigai team.
For more on the topic, please feel free to reach out to us at email@example.com.
 Personal Data Protection Act (“PDPA”), 2010 (Act 709), available at http://www.agc.gov.my/agcportal/uploads/files/Publications/LOM/EN/Act%20709%2014%206%202016.pdf. The PDP Regulations, 2013, available at http://www.foongchengleong.com/downloads/Personal%20Data%20Protection%20Regulations%202013.pdf.
 PDP Commissioner and Ministry of Communications and Multimedia, Review of Personal Data Protection Act,2010, Public Consultation Paper No. 01/2020 (“PDP Consultation”), available at https://www.pdp.gov.my/jpdpv2/assets/2020/02/Public-Consultation-Paper-on-Review-of-Act-709_V4.pdf
 Sections 2 and 3, PDPA.
 PDP Consultation Paper, supra note 2.
 As per Article 4, a data user (or a data controller) is a “person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor”. A data processor is “any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes.”
 Sections 13-16, PDPA. The Personal Data Protection (Class of Data Users) Order 2013 (amended in 2016) lists 13 categories of data controllers such as banking and finance, insurance, telecommunications, utilities who have to be registered with the Commissioner. See Shanthi Kandiah, The Privacy, Data Protection and Cybersecurity Law Review – Edition 6, Malaysia (October 2019), available at https://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-review-edition-6/1210063/malaysia.
 Article 9(2), PDPA.
 Section 7, PDPA.
 Section 6(1)(a), PDPA. Section 41 of the PDPA law specifies certain conditions under which consent given for the first collection of data can also be used for any subsequent collection of data. The PDP Regulations 2013, which provide that the data user must keep a record of consents from data subjects. See Kandiah, supra note 6.
 Section 38, PDPA.
 Section 6(2), PDPA.
 Section 6(1)(b) read with 40, PDPA.
 Clause 4.2.2 of the Personal Data Protection Code of Practice for the Utilities Sector (Electricity) provides examples of explicit consent, such as where the individual provides their identification card to be photocopied or scanned or voluntarily provides the sensitive personal data.
 Section 6(3), PDPA.
 Section 39, PDPA.
 PDP Consultation, supra note 2.
 PDP Consultation, supra note 2.
 Section 11, PDPA.
 Sections 12 read with 30, PDPA.
 Section 32, PDPA
 Section 34, PDPA.
 Section 36, PDPA.
 Section 10, PDPA.
 Section 42, PDPA.
 Section 43, PDPA.
 PDP Consultation, supra note 2.
 Section 129, PDPA.
 PDP Consultation, supra note 2.
 Section 5(2), PDPA.
 Section 38(4), PDPA.
 Section 40(3), PDPA.
 Section 43(4), PDPA.
 Section 129(5), PDPA.
 Section 16(4), PDPA.
 Section 130, PDPA.
 Section 134, PDPA.
 PDP Consultation, supra note 2.
 Section 101, PDPA.
 Section 105, PDPA.
 Section 108, PDPA.
 Section 104, PDPA. Codes of Practice are personal data protection codes which are registered by the Commissioner for a specific class of data controllers. These co-regulatory models have already been adopted and registered by the Commissioner for the utilities (electricity) sector, the aviation sector, and banking and financial sector. See Kandiah, supra note 6.
 Section 93, PDPA.
 Section 85, PDPA.
 Section 100, PDPA.
 Section 45(2), PDPA.
 Section 46, PDPA.
 Section 113, PDPA.
 Section 114, PDPA.
 Section 115, PDPA.
 Section 116, PDPA.
 Sections 121-123, PDPA.
 Section 127, PDPA