We learned that GDPR applies to Malaysian entities if they are either offering goods or services or monitoring the behavior of individuals in the European Union – Article 3 of the GDPR. Although both the PDPA and GDPR aim to protect an individual’s rights over their personal data and focus on a data subject’s “identifiability” or “identification potential” to decide if the data provided constitutes “personal data,” data subjects within the European Union are afforded greater rights. The GDPR is a more comprehensive and stringent data protection law than the PDPA. It gives individuals more control over their personal data and imposes stricter obligations on organizations that process personal data.
To keep pace with technological advancements, the Malaysian Personal Data Protection Department (JPDP) is actively considering significant updates to the current PDPA 2010, which is viewed as outdated. Proposed amendments, outlined in the Public Consultation Paper No. 1/2020, represent a transformative shift towards aligning with the European General Data Protection Regulation (GDPR). Notably, one such amendment aims to extend the PDPA’s jurisdiction to cover data users outside Malaysia monitoring Malaysian data, indicating a move towards GDPR-level data protection standards.
In this article, we will delve into the distinctions between the PDPA and GDPR.
Territorial Scope and Application
The GDPR’s application extends beyond commercial interests to encompass various personal data processing activities, including social, educational, and employment contexts. This comprehensive approach contrasts with the PDPA’s focus primarily on commercial transactions, which could leave non-commercial data processing scenarios under-protected.
| PDPA | Aspect | GDPR |
|---|---|---|
| Applicable only in Malaysia. Focus on personal data in commercial transactions. Excludes the Federal Government, State Government, and credit reporting businesses. | Applications and Territorial Scope | Extra-territorial applicability. Applies to EU member states, with extra-territorial effect, covering data subjects in the EU. |
Standard of Consent Required
The PDPA intertwines consent with data collection purposes but lacks a clear definition of “valid consent,” allowing for “implied consent.” In contrast, the GDPR mandates that consent be “freely given, specific, informed, and unambiguous,” thus providing clearer guidelines for data controllers.
| PDPA | Aspect | GDPR |
|---|---|---|
| Consent is required for data processing but is not specified in detail. Must be recorded and maintained. | Standard of Consent Required | Consent must be actively given. Consent must be freely given, specific, informed, and unambiguous. |
Retention of Data
Under the PDPA, data users have flexibility in retaining personal data as long as it remains justifiable. However, the lack of a specific timeframe leaves room for interpretation. Conversely, the GDPR empowers data subjects with the right to request data erasure when data is no longer necessary or consent is withdrawn, imposing stricter obligations on data controllers.
Authority Over Personal Data
The PDPA grants limited rights to data subjects primarily in restricting processing likely to cause damage or distress and for direct marketing purposes. The GDPR, however, confers broader rights, including data portability, erasure, and the ability to object to data processing.
| PDPA | Aspect | GDPR |
|---|---|---|
| Limited rights. Right to restrict processing when the processing is likely to cause damage or distress. Right to prevent processing for the purposes of direct marketing. | Authority Over Personal Data | Confers on data subjects greater control over their personal data. Right to restrict processing. Right to object to data processing. Right to data portability. Right to erasure. |
Transborder Transfer of Data
The PDPA’s cautious approach to cross-border data transfers, requiring ministerial authorization, aims to enhance data security but creates practical challenges. The GDPR facilitates smoother data flows within the EEA, subject to stringent data protection standards for transfers outside the EEA.
| PDPA | Aspect | GDPR |
|---|---|---|
| Not allowed unless the transfer is authorized by the Minister. | Transborder Transfer of Data | Free flow of personal data within the EEA (European Economic Area). Strict restrictions on transfers to third countries without an adequacy decision, safeguards, or exceptions. |
Accountability and Breach Notification
While the PDPA allows for voluntary breach reporting, the lack of a mandatory requirement raises transparency concerns. The GDPR’s robust framework includes mandatory breach reporting within 72 hours, appointing Data Protection Officers, and conducting Data Protection Impact Assessments, ensuring higher transparency and accountability.
| PDPA | Aspect | GDPR |
|---|---|---|
| No specific breach notification requirement. | Accountability and Breach Notification | Mandatory to report breaches. Appointment of a Data Protection Officer. Conduct of Data Protection Impact Assessments. Privacy by design. Requires organizations to report data breaches within 72 hours to the relevant authorities. |
Summary
The Personal Data Protection Act (PDPA) in Malaysia and the General Data Protection Regulation (GDPR) in the EU have distinct approaches to data protection. While the PDPA primarily addresses commercial transactions, the GDPR offers a comprehensive framework covering various data processing aspects. These differences emphasize the importance of complying with the specific regulations relevant to your organization to ensure data security and compliance in a global context.
Edwin is a corporate and technology lawyer. He is also the founder and deputy managing partner of Lee & Poh Partnership (LPP Law). Edwin has advised a range of companies from technology startups to multinational corporations on a range of matters. In 2020, Edwin was named as a Malaysian Rising Star by Asian Legal Business, a finalist for the Young Lawyer of the Year at the ALB Malaysia Law Awards as well as a lawyer in the annual ALB publication of Asia 40 under 40.