InsiderTAPS (16 March 2020)
PDPA Alert: Proposed amendments to the Personal Data Protection Act 2010
On 14 February 2020, the Personal Data Protection Commissioner (“Commissioner”) released the much-anticipated proposed amendments to the Personal Data Protection Act 2010 (“PDPA”) for public consultation which closed on 10 March 2020.
Significant reforms to the PDPA aimed at strengthening the effectiveness and practical implementation of the PDPA whilst aligning it to international standards lie at the heart of the proposals. These proposed changes also draw the PDPA significantly closer to the European Union’s General Data Protection Regulation (“GDPR”). They seek to address the emerging and evolving issues surrounding the rise in the use of big data by commercial entities, which has a corresponding impact on individuals whose behaviour is being tracked and who are often targeted for marketing or other more disquieting purposes. The growing number of data breaches involving multi-layered use of personal data by different sectors, which neuters the utility of the PDPA in protecting against misuse of personal data, is also a cause for concern.
In brief, we set out below an overview of the proposed amendments to the PDPA.
Direct obligation on data processor
Presently, data processors are not subject to data protection principles or the requirements under the PDPA. In order to address the risk of data breaches that involve data processors, the Commissioner proposes to impose direct obligations and responsibilities on data processors who may be liable for non-compliance with specific processor obligations. The Commissioner is considering requiring data processors to be registered with the Commissioner and expanding the definition of “data processor” to include data processors appointed by the Federal Government and State Governments.
Right of data portability
The PDPA does not recognise the right of data portability. Its proposed introduction will facilitate the free flow of personal data between data users under the control of the individual. The right of data portability is a further enhancement of a data subject’s right to request access to personal data under the PDPA. It gives individuals the right to access their personal data in a structured, machine-readable format which can be transferred from one data user to another data user in order to obtain services. However, the implementation of this new right requires careful consideration of the associated increase in security risk, particularly the risk of data breaches during the transmission of personal data and the type of personal data the data user is required to transmit.
Appointment of Data Protection Officer (“DPO”)
Whilst there is no requirement under the PDPA to appoint a DPO responsible for overseeing data protection strategy and its implementation, many organisations have already voluntarily designated a compliance officer to deal with data protection matters. The Commissioner is considering imposing a mandatory obligation on data users to appoint a DPO, coupled with the issuance of guidelines on the DPO mechanism.
Data breach notification
In response to the growing concerns of data breaches, the Commissioner proposes to introduce a mandatory requirement for data users to report data breaches to the Commissioner in line with the GDPR. In this connection, guidelines on the mechanism of data breach incident reporting would likely be issued.
Clarity in the consent of data subject
Although Regulation 3(1) of the Personal Data Protection Regulations 2013 (“PDPR”) stipulates that consent of data subjects may be given in any form provided that it is capable of being recorded and maintained by data users, it is unclear as to what qualifies as “consent” and “explicit consent” as a basis for processing personal data and sensitive personal data under Section 6 of the PDPA, respectively. Presently, the consent requirement is combined with other requirements such as purpose limitation and data minimization within the same provision. Therefore, Section 6 is proposed to be redeveloped to provide clarity on the scope and application of consent and to be encapsulated in a specific provision. As part of the proposed amendments, the Commissioner is considering adopting the default consent method.
Transfer of personal data to places outside Malaysia
To date, there is no whitelist gazetted by the Minister of places to which personal data may be transferred outside Malaysia under Section 129(1) of the PDPA. The Commissioner takes the view that a whitelist may be a barrier to data users transferring personal data to places outside Malaysia. Therefore, the proposed amendments seek to modify Section 129 to provide clarity on the conditions for the transfer and to remove the issuance of a whitelist from the PDPA with a view to facilitating e-commerce transactions and free trade agreements.
Privacy by design
Under the current regime, there is no requirement for data users to implement privacy by design when developing a manual or digital system in an organisation. To reduce the risk of data breaches, the Commissioner proposes to require data users to implement privacy by design, a proactive security measure, throughout the life cycle of any new system built by them. For this purpose, guidelines on the mechanism for implementing privacy by design are proposed to be issued.
Do Not Call Registry (“DNCR”)
The Commissioner seeks to introduce the DNCR to enable data subjects to opt out of receiving unsolicited direct marketing materials. This proposed amendment is designed to strike a balance between the need of data users to engage in direct marketing as part of their commercial activities and the protection of the privacy of individuals who do not wish to be contacted for marketing purposes.
Right to know the third party to whom personal data is disclosed
Regulation 5 of the PDPR only requires data users to keep and maintain a list of disclosures to third parties which, if required during an inspection, must be produced to the Commissioner or the inspection officer pursuant to Regulation 14(2) of the PDPR. In other words, there is no requirement for data users to provide data subjects with the list of disclosures. The Commissioner proposes to give data subjects an extended right of access so that they may be acquainted with the third parties to whom their personal data has been or will be disclosed.
Civil litigation against data user
A further significant proposed amendment to the PDPA is the introduction of the right for data subjects to take civil action against a data user for breaching the PDPA which is in line with the GDPR. Currently, there is no statutory right of civil action against misuse of personal data in the PDPA.
Privacy issues arising from data collection endpoints
The rise of digital technology and e-commerce has accelerated the wide deployment of new technologies and innovative techniques, such as facial recognition and smart trackers, as data collection endpoints used to collect personal data or identify an individual in commercial activities. In response, the Commissioner is considering proposals to issue a policy on endpoint security which uses technology such as encryption to minimise the risk of data breaches.
Application of the PDPA to Federal Government and State Governments
The PDPA presently applies to statutory bodies but not to the Federal Government and the State Governments, which are governed by other laws, such as the Official Secrets Act 1972. Whilst there are proposals to extend the application of the PDPA to the Federal Government and the State Governments, the Commissioner recognises the need for an in-depth study on such an extension. As part of this proposed amendment, the Commissioner is considering issuing guidelines to statutory bodies to clarify their compliance with the PDPA.
Exchange of personal data for data user with an entity located outside Malaysia
In light of the needs of data users with overseas branches to exchange information which may contain personal data with their overseas counterparts, the Commissioner proposes to issue guidelines on the mechanism and implementation of cross-border data transfer.
Exemption of business contact information
Given the broad definition of “personal data” under the PDPA which covers business contact information, the PDPA would apply to business and name cards which are widely used to facilitate communication for business purposes. The Commissioner proposes to issue a guideline to clarify the status of business contact information considering the usage of business contact information, the impact of it being exempted from compliance with the PDPA and the risk of it being misused for inappropriate purposes. The net effect may be that business contact information would be granted a narrow exemption from the PDPA.
Disclosure of personal data to government regulatory agency
Despite the operation of Section 39(b) of the PDPA, which allows data users to disclose personal data to third parties where it is necessary for the prevention of crime or for investigation, or where it is required or authorised by any law or a court order, there are instances where data users are reluctant to disclose personal data in their possession to a government regulator or authority, with some data users quoting the PDPA to resist such disclosure. To provide guidance on this exemption, the Commissioner is considering issuing guidelines to provide clarity and to assist data users in understanding the level of disclosure permitted when government regulatory agencies come knocking.
Classification of data user based on business activity
Presently, the 13 classes of data users who are subject to compulsory registration with the Commissioner are classified based on sectors and the governing legislation of the respective industries. The Commissioner proposes to reclassify data users based on their business activities, such as health and beauty, food and beverage, etc.
Voluntary registration of data user
There is no provision in the PDPA requiring data users who do not belong to any of the 13 classes of data users to be voluntarily registered with the Commissioner. In light of the recent development in the United Kingdom which mandates registration of all data users, the Commissioner proposes to introduce voluntary registration by data users who are not within the 13 classes of data users prescribed under the PDPA.
Application of the PDPA to non-commercial activity
The PDPA presently only governs the processing of personal data in commercial transactions. The proposed amendments seek to extend the application of the PDPA to non-commercial transactions such as charities and religious activities to regulate both commercial and non-commercial transactions.
Application of the PDPA to data users outside Malaysia which monitor Malaysian data subject
Whilst Section 3(2) of the PDPA specifically exempts data processing carried out outside Malaysia unless the data is intended to be processed further in Malaysia, the surveillance and profiling of Malaysian citizens performed outside Malaysia has become increasingly inevitable due to the rapid expansion of the digital economy. To close the gap between personal data laws in Malaysia and the GDPR, which provides data subjects with the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, the Commissioner is considering expanding the application of the PDPA to data users outside Malaysia who monitor and actively profile Malaysians.
Mechanism to unsubscribe from online services
Although there are clear provisions under the PDPA enabling data subjects to withdraw consent to the processing of their personal data, particularly Sections 38 and 43 on the withdrawal of consent and the prevention of processing for direct marketing, the Commissioner proposes to issue a guideline on the mechanism of digital and electronic marketing, which includes the mechanism for data subjects to unsubscribe from online services.
First direct marketing call
In conjunction with the proposed amendments, the Commissioner is considering issuing a guideline on direct marketing for data users which would permit data users to make a first direct marketing call to data subjects, who would then have the option of opting out if such calls are unwelcome.
Processing of personal data in cloud computing
Given that the PDPA lacks specific provision on the use of personal data by cloud service providers, the Commissioner is considering issuing guidelines on the usage of cloud computing for data users.
Despite the absence of details, the proposed amendments appear to be an overhaul of the Malaysian data protection regime which will have a significant impact on Malaysian businesses and organisations in view of the broadening of the scope of the PDPA and the introduction of new obligations and requirements on data users. Whilst this is a welcome development for data privacy, it is necessary to strike a reasonable and appropriate balance between protecting the rights and interests of individuals on the one hand and facilitating and encouraging the free flow of personal data to meet the demands of businesses and organisations in the digital age of big data on the other.
The consultation document is available here.
If you have any queries or require more information, please feel free to get in touch with us.
Lee Lin Li
T: +603 2050 1898
Chong Kah Yee
T: +603 2050 1831