Schrems II and the GDPR – where does Malaysia stand?
InsiderTAPS Nov 2021
The recent judgment of the Court of Justice of the European Union (CJEU) in C-311/18 (Schrems II) restates the far-reaching impact of the EU General Data Protection Regulation (“GDPR”) not only within the European Union but also in the rest of the world. The key takeaway from Schrems II is that the protection of personal data under the GDPR must travel with the data wherever it goes in the world. In Schrems II, it was found that the laws in the United States which enable the US authorities to access and use personal data from the EU on grounds of national security do not provide adequate controls to protect the rights of EU data subjects. Data subjects also lack actionable judicial redress or any effective remedy in the US, which is contrary to Article 47 of the EU Charter of Fundamental Rights. While the CJEU acknowledged that standard contractual clauses (SCCs) may be valid transfer tools, assessments must still be made on a case-by-case basis of the adequacy of data protection in a third country.
Although Schrems II relates to the United States, the decision binds all, as a similar assessment must be made for every third country where the data of EU data subjects is processed. The CJEU emphasized that data exporters and importers have the responsibility of ensuring that the processing of personal data of EU data subjects continues to comply with EU data protection laws, regardless of where the processing takes place.
In line with the Schrems II judgment, the European Data Protection Board (EDPB) published Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Recommendations 01/2020”), outlining six steps to be taken by EU data exporters to assess whether personal data may be transferred to third countries, including Malaysia. Data exporters are required to take active steps such as mapping all their transfers, verifying the transfer tools they are relying on, assessing the law of the third country and adopting the necessary supplementary measures based on that assessment. If supplementary measures are needed, formal procedural steps must be taken for their adoption, and at appropriate intervals the level of protection afforded to the personal data transferred to third countries must be re-evaluated, with monitoring of whether there have been, or will be, any developments that may affect it.
Malaysian data protection laws will be put to the test, since the third step of Recommendations 01/2020 places the responsibility on data exporters to assess whether there is anything in the law or practices of third countries that may interfere with the protection of EU data subjects, in particular laws requiring disclosure of personal data to public authorities or granting access to public authorities for purposes such as criminal law enforcement, regulatory supervision or national security. Access to personal data by public authorities is considered a form of interference with the right to data protection, and any such interference must therefore be justified.
Where does Malaysia stand?
The Malaysian Personal Data Protection Act 2010 (“PDPA 2010”) provides for seven principles of personal data protection, but whether the level of protection under the PDPA 2010 is equivalent to that of the GDPR may require an additional assessment. For this purpose, the EDPB’s Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Recommendations 02/2020”), which set out four European Essential Guarantees, may be used to examine whether surveillance measures allowing access to personal data by public authorities in a third country can be regarded as a justifiable interference.
Guarantee A – Processing should be based on clear, precise and accessible rules.
Recommendations 02/2020 explains that the right of public authorities to restrict data subjects’ rights to data privacy must only be for specified purposes and exercised under a legitimate basis laid down by law. The law should indicate in what circumstances and under which conditions the restriction may take place, the categories of people that might be subject to surveillance, a limit on the duration of the restricting measure, the procedures for examining, using and storing the data obtained, as well as the precautions to be taken when communicating the data to other parties.
At the outset, it is pertinent to note that the PDPA 2010 does not apply to the Federal Government and State Government. While “government” is not defined in the PDPA 2010, it may be argued that since most public authorities are under the administrative oversight of a governmental ministry, public authorities may not be regarded as a “data user” as defined in the PDPA 2010, and hence the data protection laws encapsulated therein may not be applicable to them.
Section 39 of the PDPA 2010 contains provisions allowing a data user to disclose personal data to a third party if, among other grounds, the disclosure is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations, or if the disclosure is authorized by any law or a court order. While these exemptions for disclosure are wide in nature, the PDPA 2010 does not provide any guidance as to the extent of disclosure that may be required for a particular purpose, nor does it outline any procedures on how the disclosed data may be processed, used and retained by the public authorities exercising their powers. There is also other legislation empowering public authorities to intercept communications, such as the Security Offences (Special Measures) Act 2012 and the Communications and Multimedia Act 1998. It would appear that, without specific limitations placed on the public authorities’ power to access and process data, Malaysia may not be able to satisfy Guarantee A of Recommendations 02/2020.
Guarantee B – Necessity and proportionality with regard to the legitimate objectives pursued
According to Recommendations 02/2020, the principle of proportionality requires an assessment of the seriousness of the interference with the right to data protection against the importance of the public interest objective being pursued by the interference. The interference must be proportionate to the seriousness of the public interest. With regard to the principle of necessity, the legislation requiring the retention of personal data must establish a connection between the data retained and the objective. The circumstances and conditions under which public authorities are granted access to data must also be defined.
The PDPA 2010 does not appear to specify the type of personal data that may be subject to disclosure to public authorities, and there is also no requirement for public authorities to show the sufficiency or connection of the disclosure to their objectives beyond “preventing, detecting or investigating crime”. Hence, it could be argued that the PDPA 2010 leaves room for excessive personal data to be disclosed to public authorities even where it is not necessary for the particular crime being prevented or investigated.
Guarantee C – Independent oversight mechanism
An independent and impartial oversight system must be provided, either by a judge or by another independent body. The keyword here is “independent”, which means that the supervising authority must be vested with sufficient powers to exercise effective control over the public authorities’ exercise of power. The supervisory body’s activities must also be open to public scrutiny.
The Personal Data Protection Commissioner (“PDPC”) is the body responsible for monitoring and supervising compliance with the provisions of the PDPA 2010. However, it is unclear whether the activities of public authorities requiring disclosures from data users would fall within the purview of the PDPC. There are no provisions in the PDPA 2010 imposing any form of obligation on public authorities, and thus it is arguable that no offence could be committed by any public authority under the PDPA 2010.
As such, it would appear that the only mechanism for oversight would be by way of judicial review of the public authorities’ activities. Judicial review by the High Court could arguably satisfy Guarantee C of Recommendations 02/2020, since the judiciary is an independent body and its activities are open to public scrutiny.
Guarantee D – Effective remedies available to the individual
Recommendations 02/2020 explains that the question of an effective remedy is inextricably linked to the right of the data subject to be notified of the interference by public authorities once it is over. Without being notified, a data subject cannot pursue any potential remedies, since they would not know that they might have suffered a wrong in the first place.
A data subject’s rights under the PDPA 2010 are relatively limited compared to those under the GDPR. Under the PDPA 2010, data subjects have the right to access their own personal data, to correct the data or to withdraw their consent to the processing of the personal data. However, the PDPA 2010 does not impose an obligation on the data user to inform, or confer a right on the data subject to be informed of, any disclosure of his personal data to any identified third party by the data user. It suffices for the data subject to be notified, before the disclosure takes place, of the class of third parties to whom his personal data is or may be disclosed by the data user, without the specific third parties having to be identified. Further, there is no express statutory right under the PDPA 2010 that allows an aggrieved data subject to pursue a civil claim or seek compensation against a data user or data processor for non-compliance with the PDPA 2010. Relying on the PDPA 2010 alone, it seems that Malaysia may not be able to satisfy Guarantee D of Recommendations 02/2020.
In 2019, the Malaysian government indicated its intention to revise the PDPA 2010 to bring it in line with the GDPR, and published a public consultation paper in this regard. However, with the political changes in the past year, it remains to be seen whether the revision will take place in the foreseeable future. Having regard to all of the above, EU data exporters may be required to consider additional measures when exporting personal data to Malaysia. A separate assessment would have to be conducted on a case-by-case basis, as the results may differ depending on the type of personal data, the nature and purpose of the disclosure and the recipients of the data, in addition to the practices of the various industries and the specific legislation that applies to them.
Lee Lin Li
T: +603 2050 1898
Nurul Qarirah Md Kahar