Protecting Personal Data In Malaysia


The PDP is still a step in the right direction and a good beginning, although it lacks the right to claim for compensation in the case of breaches that cause damage or distress.

After a decade of delay, the Personal Data Protection Bill 2009 (PDP) has finally been tabled and passed by Parliament. This is a very important piece of legislation as it would affect almost everyone in the country. Generally, the enactment of the PDP is laudable. Prior to this, Malaysia adopted the sectoral approach in protecting personal data but this approach proved inadequate.

It is time to have a comprehensive legislation to cover all aspects of personal data protection.

The PDP will apply to anyone who processes or who has control over or authorises the processing of any personal data in respect of commercial transactions. The person who processes any personal data is called a “data user” and the person whose personal data is being processed is known as a “data subject”. The PDP imposes many obligations on the data user. It requires that the data user comply with the seven PDP principles, failing which he can be fined an amount not exceeding RM300,000 or be jailed for a term not exceeding two years, or both.

Buying and selling of personal data is a criminal offence. Besides, any individual who feels annoyed with direct marketing will be able to prevent this from happening. The PDP principles require that a data user not process personal data unless with consent from the data subject, and it must be processed for a lawful purpose directly related to an activity of the data user.

However, it is not stated whether the consent must be express or can be implied.

It also states that a data user has the duty to inform a data subject about the processing of his personal data by way of written notice, and such notice must be given as soon as practicable by the data user. In the absence of consent from the data subject, personal data shall not be disclosed to any party other than the purpose for which the personal data was to be disclosed at the time of collection or for a purpose directly related to that purpose.

The data user must also take practical steps to implement security measures to protect and safeguard the personal data. In addition, personal data shall not be kept longer than is necessary and the data must be destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

There is, however, no time frame given and the PDP leaves it to the discretion of the data user, who must also take reasonable steps to ensure that the personal data is accurate, complete, not misleading and up-to-date. The PDP also provides the data subject with the right to have access to his personal data held by a data user.

If the personal data is inaccurate, incomplete, misleading or not up-to-date, the data subject can request that the data be corrected. Although the PDP confers many rights on individuals and imposes liabilities on those who breach the law, the Act is far from perfect due to its unique features and its narrow application.

Here are a few of its shortcomings.

The PDP does not apply to the Federal and state governments (an earlier draft of the Bill read: this Act shall bind the Government), although massive amounts of personal data are stored with government departments.

For example, the National Registration Department processes most of our personal data; the Inland Revenue Board processes our income tax returns which contain our financial records and sources of income; the DNA Identification Act 2009 allows the Government to keep DNA profiles of individuals in the DNA databank.

As such, to exclude the Government from the application of the PDP would be contrary to the objective underlying the PDP in protecting the personal data of its citizens. It is not clear whether local authorities established under the Local Government Act 1976 and those agencies and statutory bodies established under their respective Acts of Parliament to perform specific public functions are also considered as part of the Government.

The PDP only applies to the processing of personal data in respect of commercial transactions.

The Oxford English Dictionary defines the term “commercial” to mean “engaged in, or connected with, commerce and having profit as a primary aim rather than artistic etc. value”.

The Government has repeatedly emphasised that the PDP is critical in this age of e-commerce and it will solve such problems as credit card fraud, identity theft and selling of personal data without customers’ consent.

However, personal data protection is not just about safeguarding personal data in the commercial world. It is equally important to protect personal data such as medical and health records, employee records, financial records, and even criminal records.

Such personal data may be used for employment, educational, professional, taxation, social security, welfare and other purposes.

For example, someone may have submitted his personal data in a contest or enquiry form. The use of personal data in these situations may not necessarily involve a “profit-making” element and can hardly be considered “use in respect of commercial transactions”.

The effect of this restrictive limitation is that the PDP applies to, and within, the private sector, and then further narrows down to organisations which process personal data in commercial transactions.

It is unclear whether civil remedies are available under the PDP.

In many other jurisdictions such as Britain and Hong Kong, breaches of data protection law are punishable under both criminal and civil law. Any individual who suffers any damage (which includes injury to feelings) or distress by reason of a contravention of the provision of the PDP shall be entitled to file a civil suit and claim compensation for such damage or distress.

A similar provision was found in an earlier draft but omitted in the PDP.

This is ironic because while the PDP provides the right to prevent processing that is likely to cause damage or distress, there is no right to claim for compensation for causing such damage or distress.

The exclusion of the Government from the PDP and its narrow scope are undesirable. Most data protection laws in other jurisdictions do not have such restrictions.

Nevertheless, the enactment of the PDP is still a step in the right direction as individuals will now have legal protection in safeguarding their personal data.

This is a good beginning and it is hoped that with increased awareness of the importance of personal data protection among the public and the demand for stronger protection, the law will be further improved.

*****
About the author:
This article was written by Edwin Lee Yong Cieh, Partner of LPP Law – law firm in Kuala Lumpur, Malaysia (+6016 928 6130, [email protected]). Feel free to contact him if you have any queries.
This article was first published in CHIP Magazine Malaysia.
The view expressed in this article is intended to provide a general guide to the subject matter and does not constitute professional legal advice. You are advised to seek proper legal advice for your specific situation.
