InsiderTAPS (26 April 2018)
Malaysia – Personal Data Protection briefing
Impact of European Union General Data Protection Regulation on Malaysian businesses
26 April 2018
Lee Lin Li
Introduction
In this briefing, we highlight the key differences between the EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, and the Malaysian Personal Data Protection 2013 (PDPA), and the impact the GDPR has on Malaysian organisations with operations within and outside the EU. We spotlight its extra-territorial application, the creation of new rights for data subjects, new safeguards imposed on data controllers and data processors, the imposition of data breach notification, the appointment of data protection officers, the introduction of the right to be forgotten, data portability and safeguards against automated decision making and profiling.
Key highlights
- Non-EU impact
The GDPR marks a significant expansion of the territorial scope of the EU data protection regime, enabling the long arm of the law to reach beyond its borders. Unlike the PDPA, which only applies to personal data which is processed within Malaysia, the GDPR applies extra-territorially wherever personal data of individuals in the EU (including EU residents and non-EU nationals who are visiting the EU) is processed or monitored. It applies not only to processing carried out by data users operating within the EU; it also extends to processing carried out by data users based outside the EU to the extent that the individuals concerned (including EU nationals) are physically present in the EU.
The GDPR applies to Malaysian data users if:-
- they have a subsidiary or a branch in the EU;
- they offer goods or services to individuals in the EU (regardless of whether it involves a financial transaction or payment); or
- they monitor individual behaviour as far as the behaviour takes place within the EU.
Whether Malaysian data users are offering goods or services to individuals in the EU is a matter of business intention. It depends on whether it is apparent that an offer to individuals in the EU was envisaged. Mere accessibility of a website, an email address or other contact details from the EU and the mere use of an EU language which is used in Malaysia (e.g. English) is insufficient. However, if the website is in an EU language, is offering goods or services in an EU currency or is explicitly targeting customers or consumers in the EU, this may be proof that the data user envisages offering of goods or services to individuals in the EU.
“Monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to take decisions to analyse or predict personal preferences, behaviours and attitudes, for example the use of cookies and IP addresses.
It is perhaps compelling to note that the Malaysian federal government and state governments would be subject to the GDPR in the same way as all other Malaysian data users who fall within any of the specific categories, as public authorities and bodies are not exempted from compliance with the GDPR. This is an important change as the PDPA specifically excludes its application to the Malaysian federal government and state governments.
Malaysian organisations subject to the jurisdictional reach of the GDPR must appoint an EU-based representative.
- Data breach notification
Whilst there are no data breach notification obligations under the PDPA, the GDPR requires a data user to report data breaches to supervisory authorities without undue delay or within 72 hours and to communicate the data breaches to data subjects without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
Under the GDPR, a data breach notification to supervisory authorities must contain the name and contact details of the data protection officer (DPO) and must describe the nature of the breach, the likely consequences and the measures for addressing the breach. Where the notification to the supervisory authority is not made within 72 hours, the data user must provide reasons for the delay.
The communication to data subjects who are affected by data breaches must contain the same information as a data breach notification to the supervisory authorities except for the nature of the breach which is not required.
- Appointment of data protection officer (DPO)
Whereas there is no obligation on data users or data processors to appoint a DPO under the PDPA, the GDPR mandates that data users and data processors appoint a DPO to oversee data security strategy and to advise on and monitor compliance with the GDPR where:-
- they are a public authority or body (except for courts acting in their judicial capacity);
- their processing operations require regular and systematic monitoring of data subjects on a large scale; or
- they process on a large scale special categories of data and personal data relating to criminal convictions and offences.
A single DPO may be appointed by a group of undertakings provided that a DPO is easily accessible from each establishment.
In all other cases, data users and data processors may, at their option, designate a DPO.
- Introduction of the right to data erasure or the right to be forgotten
The GDPR introduces the right to erasure or the right to be forgotten which allows data subjects to request erasure of personal data on any of the following grounds:-
- the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data has been unlawfully processed;
- the personal data has to be erased for compliance with a legal obligation in the EU or Member State law to which the data user is subject; and
- the personal data has been collected in relation to the offer of information society services.
Under the PDPA, any notion of a right to erasure may emanate from the data subject’s right to withdraw consent to processing personal data and the requirement to destroy or delete personal data that is no longer required for the purpose for which it was to be processed. However, this is limited in scope and unlike the GDPR, may be insufficient to compel the erasure of publicly available personal data on websites.
- Introduction of right to data portability
The right to data portability under the GDPR is a further enhancement of data subject’s right to request access to personal data under the PDPA. The GDPR not only allows data subjects to obtain a copy of their personal data in a structured, commonly used and machine-readable format, it further allows data subjects to transmit (where the processing is based on consent and carried out by automated means) or have the data transmitted directly from the data user to another data user.
- Introduction of the rights related to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Data subjects will have the right not to be subject to a decision when it is based on automated processing and which produces a legal effect or a similarly significant effect on the data subjects.
Data users must implement suitable measures to ensure that data subjects are able to obtain human intervention, express their point of view and obtain an explanation of the decision and challenge it.
- Consent
The GDPR requires consent to be freely given, specific, informed and unambiguous. The GDPR makes it harder to obtain consent as, unlike the PDPA, it does not allow implied consent at all. Under the PDPA, apart from sensitive personal data where explicit consent is required, there is no specific form in which consent must be obtained provided that such consent can be properly recorded and maintained by the data user; hence implied consent may be acceptable and is often relied on in practice.
- Special categories of personal data
“Special categories of personal data” under the GDPR is broadly similar to “sensitive personal data” under the PDPA but it further includes philosophical beliefs, racial or ethnic origin, trade union membership, genetic data, biometric data, sex life and sexual orientation. Under the PDPA, “sensitive personal data” means personal data consisting of information on physical or mental health or condition of a data subject, political opinions, religious beliefs or other beliefs of a similar nature, commission or alleged commission of any offence or other personal data which may be determined by the Minister from time to time.
Personal data relating to criminal convictions and offences are not included but extra safeguards apply to its processing which may only be carried out under the control of official authority or when it is authorised by law. Consent in processing such information will not be relevant.
- Privacy notice
Although the GDPR covers all levels of information required for a privacy notice under the PDPA, it is more elaborate and comprehensive as it also requires the following additional information to be included:-
- contact details of the data user or its representative (if the data user is not established in the EU), where applicable;
- contact details of the DPO, where applicable;
- the legal basis for processing the personal data;
- the legitimate interests pursued by the data user or a third party (where the processing is based on legitimate interests);
- where applicable, details of the transfer of personal data to a third country or international organisation including whether there is an adequacy decision by the Commission or reference to the appropriate or suitable safeguards and means by which to obtain a copy of them or where they have been made available;
- the period for which the personal data will be stored or if that is not possible, the criteria used to determine that period;
- the existence of the right to erasure and the right to data portability;
- right to withdraw consent;
- right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; and
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Data protection by design and by default
Organisations must be able to demonstrate their compliance with the GDPR principles by adopting certain “data protection by design” measures such as use of pseudonymisation techniques, implementing staff training programmes and adopting specific data processing policies and procedures.
Measures must be implemented to ensure that by default, only personal data which are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, the extent of the processing, the storage period and their accessibility, and significantly, the measures must ensure that personal data must not by default be accessible without the individual’s intervention to an indefinite number of natural persons.
Where organisations are engaging in “high risk” processing which affects the rights and freedom of data subjects, such as (1) systematic and extensive evaluation of data subjects by automated processing, including profiling, leading to decisions which carry legal implications concerning the data subjects; (2) processing on a large scale of special categories of data or data on criminal convictions and offences; or (3) systematic monitoring activities of publicly accessible data on a large scale, a detailed privacy impact assessment (PIA) must be undertaken and documented.
Where a PIA results in the conclusion that there is a high and unmitigated risk for data subjects, controllers must notify the supervisory authorities and obtain their view on the adequacy of the measures proposed by the PIA to reduce the risks of processing.
- Data processors
Another key change the GDPR will bring is the direct responsibilities and obligations processors will have under the GDPR, which go beyond the terms of their data processing contracts with controllers. Unlike the PDPA, where processors are not subject to data protection principles or its requirements, processors under the GDPR may be liable to fines and payment of compensation for non-compliance with specific processor obligations or where they act outside or contrary to the lawful instructions of the controller. However, controllers retain the ultimate responsibility for ensuring that data is processed in a compliant manner even if they appoint a processor to process data on their behalf. Controllers and processors will only be exempt from liability under the GDPR if they prove that they were “not in any way responsible for the event giving rise to the damage” resulting from non-compliant processing.
The GDPR requires a written contract to be in place between the controller and its processors with mandatory provisions to be included in the contract, in particular:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects;
- the obligations and rights of the controller;
- the obligations of the processor to:
  - only act on the written instructions of the controller;
  - ensure that persons processing the data are subject to a duty of confidence;
  - take appropriate measures to ensure the security of processing;
  - only engage sub-processors with the prior consent of the controller and under a written contract;
  - assist the controller in responding to data subject requests to exercise their rights under the GDPR;
  - assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  - delete or return all personal data to the controller at its request at the end of the contract;
  - comply with audits and inspections by and provide the controller with any information to demonstrate compliance with its processor obligations under the GDPR. Processors must inform the controller if the instructions to the processor infringe the GDPR or other data protection law.
It is likely that Malaysian data user and processor contracts will not cover all of these points, so it is imperative that existing contracts be reviewed and updated to address these requirements.
- Remedies and liabilities
Under the PDPA, individuals who have suffered loss and damage as a result of an infringement of the PDPA do not have the right to receive compensation from the data users and data processors.
Under the GDPR, individuals who have suffered loss and damage as a result of an infringement of the GDPR are entitled to bring a claim against the controllers and processors for compensation for monetary and non-monetary losses. The judicial remedies and liability for compensation under the GDPR extend to both controllers and processors who infringe the GDPR.
Individuals have the following rights against controllers and processors:
- the right to lodge a complaint with supervisory authorities where their data have been processed in a way that does not comply with the GDPR;
- the right to an effective judicial remedy where a competent supervisory authority fails to deal properly with a complaint;
- the right to compensation from the relevant controller or processor for material or immaterial damage resulting from infringement of the GDPR.
Natural and legal persons have the right of appeal to national courts against a legally binding decision concerning them which is made by a supervisory authority.
What to do now?
While businesses with a physical presence in the EU will need to abide by the GDPR, it may also apply to Malaysian businesses or organisations that have no physical presence there but have customers or clients who are based in the EU. This would be the case for e-commerce-based businesses operating internationally, as well as businesses that serve a significant number of EU tourists, visitors or expatriates where personally identifiable information (PII) is processed. Some examples of sectors that will be affected by the GDPR are life sciences and healthcare, financial services, retail and tourism.
Organisations should run a GDPR compliance gap analysis audit to identify areas of non-compliance most material to the organisation and prioritise the mitigating measures to be implemented, particularly, in areas of high risk processing activities, such as processing of special categories of data. What constitutes “high risk” is measured by reference to the risk of infringing a natural person’s rights and freedoms.
The responsibility and budget for the data protection compliance process within the organisation should be assigned and steps taken to ensure a full compliance program is designed for the organisation by incorporating features such as PIAs, regular audits, HR policy reviews and updates, and training and awareness raising programs. Supplier arrangements with processors should be reviewed and updated to ensure that the contracts reflect the data processors’ obligations under the GDPR.
A toothless tiger?
Malaysia is in some ways well placed for the impending coming into force of the GDPR as the PDPA which has been in effect from November 2013 upholds data protection principles which echo the standards and ideals postulated under the GDPR.
Under the GDPR, the maximum monetary penalties that can be imposed by EU data protection regulators for serious breaches have been increased to a maximum of: (i) €20,000,000; or (ii) 4% of an undertaking’s global annual turnover, whichever is the greater. This is far greater than the maximum fine of RM 500,000 imposed under the PDPA, although the PDPA also imposes an imprisonment sentence of up to a maximum of 3 years.
For Malaysian organisations that have a physical presence (establishment) in the EU, the GDPR can be enforced directly against them. However, in the absence of a clear provision on an appropriate enforcement mechanism, there may be difficulties in enforcing the GDPR against Malaysian organisations that do not have an establishment in the EU. Although the GDPR may be enforced against representatives based in the EU who are appointed by Malaysian organisations, there is yet to be any clarity on how EU data protection regulators will take action against non-EU parties who infringe the GDPR.
If you have any queries or require more information, please feel free to get in touch with us.
Lee Lin Li
Partner
Tay & Partners
linli.lee@taypartners.com.my