Introduction
As the world moves further into the digital age through the widespread adoption of technology and the internet, almost anyone can gain access to a vast amount of information, including other people's personal information. The internet is now used as a platform to conduct business, store information and even manage one's finances. This increased reliance on technology and digital platforms has raised concerns about data privacy and, more pertinently, the risk of unauthorised access to, storage of and processing of one's sensitive personal information.
In April 2022, a data breach was reported in which personal data (full names, identification numbers, home addresses, phone numbers and ID photos) of 22.5 million citizens, said to have originated from the Malaysian National Registration Department (NRD), was stolen and offered for sale on the dark web at a reported price of US$10,000. More recently, in December 2023, the Social Security Organisation (SOCSO) confirmed a cyberattack on its system, database and website.
Such incidents show the importance of protecting one's personal data from potential misuse. This article introduces the Personal Data Protection Act 2010 ("PDPA 2010"), which aims to safeguard individuals from the unauthorised disclosure and misuse of their personal data while ensuring that those handling such data act responsibly in commercial transactions. It also touches on the various amendments to the PDPA 2010 that are currently in progress.
Personal Data Protection Act 2010 (“PDPA 2010”)
In Malaysia, the PDPA 2010 regulates the processing of personal data in commercial transactions and matters connected directly or indirectly to them. It applies to any person who processes, or has control over or authorises the processing of, any personal data in respect of commercial transactions. The PDPA 2010 defines several key terms which are used throughout the legislation, some of which are set out below:-
| Term | Description |
| --- | --- |
| Personal data | Any information in respect of commercial transactions that relates directly or indirectly to a data subject who is identified or identifiable from that information (alone or together with other information in the possession of the data user). It includes sensitive personal data and any expression of opinion about the data subject. |
| Data user | A person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorises the processing of any personal data. A data processor is not a data user. |
| Data subject | An individual who is the subject of the personal data. |
| Data processor | Any person, other than an employee of the data user, who processes personal data solely on behalf of the data user and does not process it for any of his own purposes. |
| Sensitive personal data | Personal data consisting of information as to the data subject's physical or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of any offence, or any other personal data the Minister may determine by order. |
Generally, the main ethos of the PDPA 2010 is to ensure that personal data of data subjects who are involved in commercial transactions are not misused by data users in ways that infringe their right to privacy. This underlying right to privacy has been acknowledged and recognised in the Federal Court case of Sivarasa Rasiah v Badan Peguam Malaysia [2010] 3 CLJ 507, wherein the Court clarified that ‘personal liberty in Article 5(1) of the Federal Constitution includes within its compass other rights such as the right to privacy’. Additionally, the case of Toh See Wei v Teddric Jon Mohr & Anor [2017] 11 MLJ 67 further elaborates that right to privacy covers the right to control the use and disclosure of personal information which could be in the form of family records, communication records, medical records or even educational records.
The Seven (7) Principles Enshrined in the PDPA 2010
To ensure that personal data is not misused, the PDPA 2010 lays out seven principles which data users must abide by when processing personal data. The seven principles are as follows:-
| Section in PDPA 2010 | Principle | Description |
| --- | --- | --- |
| S.6 | General | Personal data may not be processed unless the data subject has given consent (save for the exceptions provided under the PDPA 2010), and the processing must be for a lawful purpose directly related to the data user's activity, necessary for that purpose and not excessive. Explicit consent is required for the processing of sensitive personal data (S.40 PDPA 2010). |
| S.7 | Notice & Choice | The data user must give the data subject a written notice, in both Bahasa Malaysia and English, informing the data subject of (among other matters) the description of the personal data being processed, the purposes of collection, the data subject's right to request access to and correction of the data, the class of third parties to whom the data may be disclosed, and the choices and means available to limit the processing of the data. The notice must be given as soon as practicable, at the latest when the data subject is first asked for the data or the data user first collects it, and in any case before the data is used for a different purpose or disclosed to a third party. |
| S.8 | Disclosure | Without the data subject's consent, personal data may not be disclosed for any purpose other than the purpose for which it was collected (or a purpose directly related to it), nor to any party other than a third party of the class notified to the data subject under the Notice and Choice Principle. |
| S.9 | Security | The data user must take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, having regard to the nature of the data and the harm that would result, where the data is stored, the security measures incorporated into the equipment used, the reliability and competence of the personnel with access, and the measures taken to ensure secure transfer. Where processing is carried out by a data processor, the data user must ensure the processor provides sufficient guarantees of its security measures and take reasonable steps to ensure compliance with them. |
| S.10 | Retention | Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which it was collected, and the data user must take all reasonable steps to ensure that it is destroyed or permanently deleted once it is no longer required for that purpose. |
| S.11 | Data Integrity | The data user must take reasonable steps to ensure the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose (including any directly related purpose) for which it was collected and further processed. |
| S.12 | Access | The data subject is entitled to access his personal data held by the data user and to have it corrected where it is inaccurate, incomplete, misleading or not up-to-date, except where access or correction may be refused under the PDPA 2010. |
Non-compliance with the aforesaid principles would amount to an offence under the PDPA 2010 and upon conviction, the data user may be liable to a fine of not more than RM300,000 or imprisonment for a term not exceeding 2 years or to both.
Moreover, the case of Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors [2021] MLJU 2847 shows that the courts are steadfast in safeguarding the rights of data subjects. In that case, the Inland Revenue Board (IRB) sought access to the personal data of Genting's casino customers in order to expand the tax base and reduce tax evasion, relying on S.39 of the PDPA 2010 and S.81 of the Income Tax Act 1967. The IRB failed to show that the disclosure of the personal data was necessary within the meaning of ss.39 and 45(2) of the PDPA 2010, and the reasons it gave were held insufficient to justify disclosure. The case is a noteworthy precedent that, even in pursuit of a legitimate objective, disclosure of personal data must conform to the relevant constitutional and statutory framework.
Proposed Amendments to the PDPA 2010
Since the PDPA's enactment in 2010, amendments have long been proposed to update the PDPA 2010 and better align it with international standards such as the EU's General Data Protection Regulation ("GDPR"). In October 2023, the Deputy Minister of Communications announced that the government would look into tabling the amendments to the PDPA 2010 in the early months of 2024.
Previously, the former Minister set out five proposed amendments which have since been confirmed to be included in the updated PDPA 2010:-
- Compulsory appointment of a data protection officer by data users for their organisation;
- Mandatory data breach notification to the Personal Data Protection Department (“PDPD”);
- Direct obligation of data processors to strictly comply with the Security Principle under the PDPA 2010;
- Data subjects would have a new right to data portability; and
- A “black-list” system regime to replace the current “white-list” system for cross-border transfers of personal data outside of Malaysia.
Two further proposed amendments have since been stated to be included in the updated PDPA 2010, namely:-
- Increased penalties for breaches of the PDPA 2010; and
- Increase of the PDPD’s enforcement powers and advancement of PDPD from a government department to an independent statutory commission.
In January 2024, the current Digital Minister, Gobind Singh Deo, announced the development of seven new guidelines to be included under the PDPA 2010, namely:-
- Notification of Data Breach Guidelines
- Data Protection Officers Guidelines
- Data Portability Guidelines
- Cross Border Data Transfer Guidelines and Mechanisms
- Data Protection Impact Assessment Guidelines
- Privacy by Design Guidelines
- Profiling and Automated Decision Making Guidelines
Conclusion
The rapid advancement of technology continues to generate much discussion on how to address pressing contemporary issues in data privacy. While the PDPA 2010 currently rests on the seven principles outlined above, the escalating reliance on technology necessitates continuous development of the law in this area, as the push for legislative amendments to the PDPA 2010 shows. Greater efforts have also been made to develop guidelines under the PDPA 2010 to strengthen enforcement powers and establish clearer, more practical regulatory frameworks. The proposed amendments and guidelines are not exhaustive, leaving room for further amendments in future. Data privacy is therefore an area to watch because of its ever-evolving nature. Alongside these developments, we as data subjects should continue to be aware of, and to exercise, our rights over our own personal data.
Author: Natalie Foo (Intern), LL.B. (Hons) (Second Year student at Taylor’s University)
Disclaimer: The views, thoughts and opinions expressed in the articles belong solely to the author and do not reflect the views of Loke, King, Goh & Partners. Readers of this website should contact their lawyer/attorney to obtain advice with respect to any particular legal matter. No reader, user or browser of this site should act or refrain from acting on the basis of the information on this site without first seeking legal advice from counsel in the relevant jurisdiction. LKGP Advocates shall not be held liable for any liabilities, losses and/or damages incurred, suffered and/or arising from the articles posted on this site.