In part one of our guide to the Malaysia Personal Data Protection Act (PDPA) we discussed the structure of the PDPA. Here in part two, we explain the operational mechanics of the PDPA.
Collection and Processing
Under the PDPA, subject to certain exceptions, data users are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of his or her personal data. Where consent is required from a data subject under the age of eighteen, the data user must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. Consent must be obtained in a form in which it can be recorded and maintained properly by the data user, since the data user may later be required to produce that record on inspection.
Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects regarding the purpose for which their personal data are collected and a requirement to maintain a list of any personal data disclosures to third parties.
On December 23, 2015, the Commissioner published the Personal Data Protection Standard 2015 (“Standards”), which set out the Commissioner’s minimum requirements for processing personal data. The Standards include the following:
- Security Standard For Personal Data Processed Electronically
- Security Standard For Personal Data Processed Non-Electronically
- Retention Standard For Personal Data Processed Electronically And Non-Electronically
- Data Integrity Standard For Personal Data Processed Electronically And Non-Electronically
Cross-Border Transfer
Under the PDPA, a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. However, there are exceptions to this restriction, including the following:
- The data subject has given his or her consent to the transfer.
- The transfer is necessary for the performance of a contract between the data subject and the data user.
- The data user has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA.
- The transfer is necessary to protect the data subject’s vital interests.
In 2017, the Commissioner published a draft Personal Data Protection (Transfer of Personal Data to Places Outside Malaysia) Order 2017 to obtain public feedback on the proposed jurisdictions to which personal data from Malaysia may be transferred. As of December 26, 2018, the Minister has yet to approve the safe harbour jurisdictions. Once approved, a data user may transfer personal data to these safe harbour jurisdictions without having to rely on the data subject’s consent or other prescribed exceptions under the PDPA.
Security
Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards.
In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
Data Breach Notification
There is no requirement under the PDPA for data users to notify authorities regarding data breaches in Malaysia. However, news reports dated October 5, 2018, suggest that Malaysia’s laws could be updated, as early as the middle of 2019, to include data breach notification requirements modelled after those under the European Union’s General Data Protection Regulation (GDPR), including requiring providing notice to government authorities.
Enforcement
Under the PDPA, the Commissioner is empowered to implement and enforce the personal data protection laws and to monitor and supervise compliance with the provisions of the PDPA. Under the Personal Data Protection Regulations 2013, the Commissioner has the power to inspect the systems used in personal data processing, and the data user is required, at all reasonable times, to make those systems available for inspection by the Commissioner or any inspection officer. The Commissioner or the inspection officers may require the production of the following during an inspection:
- The record of consent maintained in respect of the processing of each data subject’s personal data by the data user
- The record of the required written notices issued by the data user to the data subject
- The list of personal data disclosures to third parties
- The security policy developed and implemented by the data user
- The record of compliance with data retention requirements
- The record of compliance with data integrity requirements, and
- Such other related information as the Commissioner or any inspection officer deems necessary
Penalties
Violations of the PDPA and of certain provisions of the Personal Data Protection Regulations 2013 are criminal offences. The prescribed penalties include fines, imprisonment or both. Directors, CEOs, managers and other similar officers are jointly and severally liable for non-compliance by the body corporate, subject to a due diligence defence.
However, there is no express right under the PDPA allowing aggrieved data subjects to pursue a civil claim against data users for breaches of the PDPA.
Electronic Marketing
The PDPA applies to electronic marketing activities that involve the processing of personal data for the purposes of commercial transactions. There are no specific provisions in the PDPA that deal with electronic marketing. However, the PDPA provides that a data subject may, at any time by notice in writing to a data user, require the data user, at the end of such period as is reasonable in the circumstances, to cease or not to begin processing his or her personal data for direct marketing purposes. ‘Direct marketing’ means the communication by whatever means of any advertising or marketing material that is directed to particular individuals.
Online Privacy
There are no provisions in the PDPA that specifically address the issue of online privacy (including cookies and location data). However, any electronic processing of personal data in Malaysia will be subject to the PDPA, and the Commissioner may issue further guidance on this issue in the future.
Look out for the final part, part three, soon.