Cracking the Code: Malaysia’s Latest Personal Data Law Overview
LegalTAPS Mar 2023
“A week prior to the Election Day for the 15th General Election in 2022, a data breach has allegedly occurred in Malaysia with the leak of the personal data of more than 800,000 voters, up for sale for US$2,000. These details include the full names, identification numbers, email addresses, birth dates and home addresses.”
“There has been a rise in data breaches in the past five years, peaking at 50 reported cases in 2022, a 44 per cent increase from 28 cases in 2021.”
In the era of cyberspace and digital technology, data privacy has become an increasingly vital issue for individuals, businesses and governments alike. With the growing threat of cybercrime and our increasing dependence on technology in daily life, it is essential for everyone to be aware of their rights and to take proactive measures to safeguard their personal information. In Malaysia, the Personal Data Protection Act 2010 (“PDPA 2010”) regulates the processing of personal data in relation to commercial transactions.
DUTIES OF DATA USERS
The PDPA 2010 imposes obligations on data users, requiring them to comply with its rules and regulations when collecting, storing, using or otherwise handling personal data.
REGISTRATION OF DATA USERS
Pursuant to Section 14 of the PDPA 2010, the Minister has published in the Gazette the Personal Data Protection (Class of Data Users) Order 2013 and the Personal Data Protection (Class of Data Users) (Amendment) Order 2016, which specify 13 classes of data users who must be registered under the PDPA 2010 (“Specified Data Users”). The 13 classes of Specified Data Users are drawn from the following sectors, among others:
(2) direct selling
(3) banking and financial institutions
(4) real estate
(9) tourism and hospitality
(12) legal / audit / accounting / engineering / architecture services
CODES OF PRACTICE
Under Section 21 of the PDPA 2010, the Personal Data Protection Commissioner (“Commissioner”) may designate a body as a data user forum to prepare a Code of Practice (“CoP”) for the respective class of Specified Data Users. The Commissioner has registered the seven CoPs below, and data users which fall under these classes must comply with the applicable CoP pursuant to Section 25(2) of the PDPA 2010:
(1) The Personal Data Protection Code of Practice for Private Hospitals in the Healthcare Industry
(2) The Personal Data Protection Code of Practice for the Utilities Sector (Water)
(3) The Personal Data Protection Code of Practice for the Utilities Sector (Electricity) Version 2.0
(4) The Personal Data Protection Code of Practice for Licensees under the Communications and Multimedia Act 1998
(5) The Personal Data Protection Code of Practice for the Banking and Financial Sector
(6) The Personal Data Protection Code of Practice for the Malaysia Aviation Sector
(7) The Personal Data Protection Code of Practice for the Insurance and Takaful Industries in Malaysia
Recently, the Commissioner registered the General Code of Practice (“General CoP”), which came into effect on 15 December 2022. The General CoP applies to Specified Data Users who do not yet have a sector-specific CoP (“Affected Data Users”). Until a specific CoP is registered for a class of Affected Data Users, the General CoP therefore serves as the minimum standard that those Affected Data Users must implement under the PDPA 2010.
Seven Personal Data Protection Principles
The PDPA 2010 sets out seven principles that data users must observe in order to protect the personal data of data subjects from being misused or mishandled:
1. General Principle:
The first principle, under Section 6 of the PDPA 2010, prohibits data users from processing the personal data of data subjects without their consent; for data subjects below 18 years old, consent must be obtained from their parents or guardians. Personal data shall not be processed by data users unless it is for a lawful purpose directly related to an activity of the data user, is necessary for or directly related to that purpose, and is adequate but not excessive in relation to that purpose.
The General CoP prescribes the forms in which consent may be obtained so that it can be recorded and maintained properly, such as verbal consent recorded digitally by software, consent by conduct where the data subject voluntarily discloses his personal data without objecting to its processing, or a signature or clickable box indicating consent.
2. Notice and Choice Principle:
The second principle, under Section 7 of the PDPA 2010, requires data users to provide data subjects with a clear personal data protection notice (“PDP Notice”), in both English and Bahasa Malaysia, about their data collection and processing practices. In the PDP Notice, data users must give data subjects the choice to opt out of or limit the use of their personal data and must inform data subjects of their rights to access and correct that personal data. For this purpose, data users must furnish data subjects with the details of a contact person, such as name and designation, phone number, email address and other relevant information, for ease of communication.
The recent General CoP requires Affected Data Users to include additional information in the PDP Notice. This includes, amongst others, whether any sensitive personal data is involved in the processing; whether the personal data of children under 18 years old is processed; the duration for which the personal data will be retained; when the personal data will be disposed of; and the name of any third party with whom the personal data is shared and the purpose of that sharing.
3. Disclosure Principle:
The third principle, under Section 8 of the PDPA 2010, prohibits data users from disclosing personal data to third parties without the consent of the data subject. Exceptions apply, for example, where disclosure is required by law or is in the public interest.
4. Security Principle:
The fourth principle, under Section 9 of the PDPA 2010, mandates that data users take practical steps to develop and implement appropriate security measures to protect the personal data of data subjects from unauthorised access, modification, loss, misuse, theft or destruction.
The General CoP requires Affected Data Users to establish a security standard through practical steps, which may vary from case to case depending on the nature of the personal data being processed, the degree of sensitivity attached to it and the harm that the data subject might suffer if it were compromised. One example where security measures must be implemented is high-risk processing activities, such as Robotic Process Automation (RPA), artificial intelligence, data analytics and other emerging technologies.
In addition, where personal data is processed by a data processor on behalf of the data user, the data user is recommended to include provisions on confidentiality, non-disclosure and technical and/or organisational security measures in its agreement with the data processor, so that the data processor provides sufficient guarantees that it will comply with those measures.
5. Retention Principle:
The fifth principle, under Section 10 of the PDPA 2010, specifies that personal data must not be kept for longer than is necessary. Once the purpose of processing has been fulfilled, the data user must take reasonable steps to ensure that paper-based personal data is destroyed and that electronic personal data is permanently deleted. The General CoP states that a disposal record, by way of logbooks, photographs or other methods, should be kept as evidence of the act of disposal.
6. Data Integrity Principle:
The sixth principle, under Section 11 of the PDPA 2010, mandates that data users take reasonable steps to ensure that the personal data they process is accurate, complete and kept up to date. The General CoP reiterates the data integrity standard set out in the Personal Data Protection Standard 2015, which includes providing a personal data update form to data subjects so that the latest verified information is reflected.
7. Access Principle:
The seventh principle, under Section 12 of the PDPA 2010, gives data subjects the right to access their personal data, subject to a maximum fee prescribed under the Personal Data Protection (Fees) Regulations 2013, and to request correction of any inaccuracies. Data subjects also have the right to withdraw their consent to the processing of their personal data. Data users must comply with a data access or correction request within 21 days of receiving it.
The PDPA 2010 provides grounds on which the data user may refuse to comply with a data access or correction request, for example, when providing access would constitute a violation of a court order or would disclose personal data of another.
Under Section 43 of the PDPA 2010, a data subject may give a data user written notice (“Cessation Notice”) requiring it to cease, or not to begin, processing their personal data for the purposes of direct marketing, and the data user must comply with the Cessation Notice within a reasonable period. Where the data user does not comply, the data subject may apply to the Commissioner, who may require the data user to comply. Failure by the data user to comply with the Commissioner’s requirement constitutes an offence punishable by a fine not exceeding RM200,000.00, imprisonment for a term not exceeding two (2) years, or both.
ENFORCEMENT OF PDPA
The Commissioner is tasked with overseeing the enforcement of the PDPA 2010 under Section 48 of the PDPA 2010. Upon receiving a complaint, the Commissioner may appoint public officers to investigate any potential breach of the PDPA by a data user. If the Commissioner determines that a data user has breached the provisions of the PDPA, an enforcement notice may be issued under Section 108 of the PDPA 2010, which may include directions for the data user to remedy the contravention. Notably, under Section 134 of the PDPA 2010, no prosecution for an offence under the PDPA may be instituted without the written consent of the Public Prosecutor.
The following are examples of recent enforcement actions taken by the Commissioner:
REPERCUSSIONS OF VIOLATION
Non-compliance with the provisions of the PDPA 2010 can result in criminal liability. It is therefore essential for data users to understand their obligations under the PDPA and to take the necessary steps to comply with the law.
Under Section 5 of the PDPA 2010, failure by a data user to adhere to any of the seven personal data protection principles described above can lead to a maximum fine of RM300,000.00 and/or imprisonment for a term not exceeding two (2) years.
Furthermore, Section 16 of the PDPA 2010 requires the Specified Data Users to register as data users, and failure to do so is a contravention of the PDPA 2010. Data users who process personal data without a valid certificate of registration are liable to a fine of up to RM500,000.00 and/or imprisonment for a term of up to three (3) years.
In the case of non-compliance with a registered CoP, including the recent General CoP, Section 29 of the PDPA 2010 provides for a maximum fine of RM100,000.00 and/or imprisonment for a term not exceeding one (1) year.
In conclusion, the PDPA 2010 provides a legal framework that safeguards the personal data of individuals in Malaysia, and data users are held to significant responsibilities under it. As digitalisation continues to expand, the need for data protection has become more pressing than ever. Moving forward, it is imperative for data users to implement strong data protection policies and to provide their employees with the training needed to handle personal data responsibly. This will promote a more secure and trustworthy environment for personal data in Malaysia.
New Straits Times. (2022, November 11). Personal info of 800,000 voters compromised by alleged breach of EC database. https://www.nst.com.my/news/crimecourts/2022/11/849700/personal-info-800000-voters-compromised-alleged-breach-ec-database
New Straits Times. (2023, February 20). [Exclusive] “Bounty programmes can help nab cybercriminals”. https://www.nst.com.my/news/nation/2023/02/881558/exclusive-bounty-programmes-can-help-nab-cybercriminals
Ministry of Communications and Multimedia Malaysia. (n.d.). Personal Data Protection Act 2010: Compound History. https://www.pdp.gov.my/jpdpv2/public/compound-history/?lang=en
The information in this article is intended only to provide general information and does not constitute any legal opinion or professional advice. For further information and advice on this article and/or on any areas of IP & Technology, please contact Lee Lin Li at firstname.lastname@example.org.
Lee Lin Li
T: +603 2050 1898