A Comparative Analysis of the Malaysian Personal Data Protection Act 2010 and GDPR

The GDPR applies to Malaysian entities if they are either offering goods or services to, or monitoring the behaviour of, individuals in the European Union (Article 3 of the GDPR). Although both the PDPA and the GDPR aim to protect an individual’s rights over their personal data, and both focus on a data subject’s “identifiability” or “identification potential” to decide whether the data provided constitutes “personal data,” data subjects within the European Union are afforded greater rights. The GDPR is a more comprehensive and stringent data protection law than the PDPA: it gives individuals more control over their personal data and imposes stricter obligations on organisations that process personal data.

To keep pace with technological advancements, the Malaysian Personal Data Protection Department (JPDP) is actively considering significant updates to the current PDPA 2010, which is viewed as outdated. Proposed amendments, outlined in the Public Consultation Paper No. 1/2020, represent a transformative shift towards aligning with the European General Data Protection Regulation (GDPR). Notably, one such amendment aims to extend the PDPA’s jurisdiction to cover data users outside Malaysia monitoring Malaysian data, indicating a move towards GDPR-level data protection standards.

In this article, we will delve into the distinctions between the PDPA and GDPR.

The GDPR’s application extends beyond commercial interests to encompass various personal data processing activities, including social, educational, and employment contexts. This comprehensive approach contrasts with the PDPA’s focus primarily on commercial transactions, which could leave non-commercial data processing scenarios under-protected.

Applications and Territorial Scope
  • PDPA: Applicable only in Malaysia. Focus on personal data in commercial transactions. Excludes the Federal Government, State Government, and credit reporting businesses.
  • GDPR: Extra-territorial applicability. Applies to EU member states, with extra-territorial effect, covering data subjects in the EU.

The PDPA intertwines consent with data collection purposes but lacks a clear definition of “valid consent,” allowing for “implied consent.” In contrast, the GDPR mandates that consent be “freely given, specific, informed, and unambiguous,” thus providing clearer guidelines for data controllers.

Standard of Consent Required
  • PDPA: Consent is required for data processing but is not specified in detail. Consent must be recorded and maintained.
  • GDPR: Consent must be actively given. Consent must be freely given, specific, informed, and unambiguous.

Under the PDPA, data users have flexibility in retaining personal data as long as it remains justifiable. However, the lack of a specific timeframe leaves room for interpretation. Conversely, the GDPR empowers data subjects with the right to request data erasure when data is no longer necessary or consent is withdrawn, imposing stricter obligations on data controllers.

The PDPA grants limited rights to data subjects primarily in restricting processing likely to cause damage or distress and for direct marketing purposes. The GDPR, however, confers broader rights, including data portability, erasure, and the ability to object to data processing.

Authority Over Personal Data
  • PDPA: Limited rights. Right to restrict processing when the processing is likely to cause damage or distress. Right to prevent processing for the purposes of direct marketing.
  • GDPR: Confers on data subjects greater control over their personal data. Right to restrict processing. Right to object to data processing. Right to data portability. Right to erasure.

The PDPA’s cautious approach to cross-border data transfers, requiring ministerial authorization, aims to enhance data security but creates practical challenges. The GDPR facilitates smoother data flows within the EEA, subject to stringent data protection standards for transfers outside the EEA.

Transborder Transfer of Data
  • PDPA: Not allowed unless the transfer is authorised by the Minister.
  • GDPR: Free flow of personal data within the EEA (European Economic Area). Strict restrictions on transfers to third countries without an adequacy decision, safeguards, or exceptions.

While the PDPA allows for voluntary breach reporting, the lack of a mandatory requirement raises transparency concerns. The GDPR’s robust framework includes mandatory breach reporting within 72 hours, appointing Data Protection Officers, and conducting Data Protection Impact Assessments, ensuring higher transparency and accountability.

Accountability and Breach
  • PDPA: No specific breach notification requirement.
  • GDPR: Mandatory to report breaches; organisations must report data breaches to the relevant authorities within 72 hours. Appointment of a Data Protection Officer. Conduct of Data Protection Impact Assessments. Privacy by design.

The Personal Data Protection Act (PDPA) in Malaysia and the General Data Protection Regulation (GDPR) in the EU have distinct approaches to data protection. While the PDPA primarily addresses commercial transactions, the GDPR offers a comprehensive framework covering various data processing aspects. These differences emphasize the importance of complying with the specific regulations relevant to your organization to ensure data security and compliance in a global context.

 © Copyright 2020, Lee & Poh Partnership
