The Malaysian Personal Data Protection Act (PDPA), in force since 15 November 2013, governs the processing of personal data in respect of commercial transactions in Malaysia. As Malaysian enterprises increasingly operate across borders, a pressing question arises: does compliance with the PDPA also satisfy the stricter requirements of the EU General Data Protection Regulation (GDPR)?
The GDPR is relevant to Malaysian companies if they offer goods or services to, or monitor the behaviour of, individuals who are in the European Union, whether or not the company has any establishment there – Article 3 of GDPR[1]. Note that the test is the location of the data subject, not EU citizenship. A Malaysian company that collects or processes the personal data of individuals in the EU without meeting GDPR standards may face administrative fines of up to 4% of total worldwide annual turnover or €20 million, whichever is higher[2].
To introduce the GDPR briefly: it is an EU regulation on data protection and privacy, applicable since 25 May 2018 throughout the European Union (EU) and the European Economic Area (EEA). Its primary aims are to give individuals control over their personal data and to simplify the regulatory environment for international business by replacing divergent national laws with a single harmonised regime.
Is complying with the PDPA the same as complying with the GDPR?
Both the PDPA and the GDPR share the common goal of safeguarding an individual’s rights over their personal data, but the GDPR grants individuals in the EU considerably more extensive rights and places stricter obligations on organisations that process personal data. The GDPR is, in short, the more comprehensive and rigorous of the two laws, and a PDPA-compliant programme will not automatically meet it. A detailed comparison between the PDPA and the GDPR merits a separate discussion.
Should Malaysian companies adopt GDPR standards?
The Gold Standard. The GDPR was driven by the EU’s Digital Single Market[3] strategy, which sought to establish a unified set of rules for the digital economy while encouraging innovation in areas pivotal to competitiveness and future technological growth. Its comprehensiveness is geared towards leadership in the global digital economy, and by offering enhanced protection it bolsters fundamental rights. Where an organisation relies on consent as its lawful basis, the GDPR requires that consent be freely given, specific, informed and unambiguous, expressed by a clear affirmative act – Recital 32 of GDPR[4]; pre-ticked boxes, silence or inactivity do not qualify. The GDPR also gives individuals the right to have their data erased (the right to be forgotten – Article 17 of GDPR[5]). The PDPA likewise requires consent, but sets a far less detailed standard for it, and it has no equivalent right to erasure; these GDPR provisions therefore give individuals materially greater control over their own data.
One Set of Regulations for Everyone. The GDPR is a single piece of legislation that applies directly in every EU and EEA member state, and it confers the same rights on all individuals regardless of the size of the company processing their data. A Malaysian company that builds its programme to GDPR standards therefore has one set of rules to meet across the whole EU/EEA market, rather than a different set in each country it serves.
Modern Personal Data Protection Framework. The GDPR introduces concepts that are absent from the PDPA, such as data portability and structured mechanisms for international data transfer, which are vital components of its modernity and suit the borderless nature of the digital age.
Data portability – Article 20 of GDPR[6], a hallmark of the GDPR, entitles individuals to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible. This makes switching service providers practical and aligns data practices with user-centric principles.
The GDPR’s approach to international data transfers – Article 44 of GDPR[7] and the provisions that follow it – is also noteworthy. It provides a range of lawful transfer mechanisms, such as Standard Contractual Clauses[9] (SCCs) and Binding Corporate Rules[10] (BCRs), to support cross-border data flows while keeping the data protected. A transfer that forms part of high-risk processing may additionally trigger the requirement for a data protection impact assessment[8]. This contrasts with the default position under the PDPA, which restricts the transfer of personal data outside Malaysia to specified places or recognised exceptions[11]. The GDPR thus reflects the reality of global data flows while ensuring that individuals’ personal data remains protected regardless of geographical boundaries.
By adopting GDPR standards, Malaysian companies also embed data protection principles into the earliest stages of product development, in line with the GDPR’s requirement of data protection by design and by default (Article 25).
Stricter Personal Data Legislation. The GDPR is notably stricter than the PDPA in safeguarding personal data. It imposes significantly higher fines for non-compliance, requires personal data breaches to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, and sets a higher standard for obtaining and recording consent.
Consumers are increasingly aware of their data privacy rights and more likely to do business with companies they trust to protect their data. Adopting GDPR standards therefore not only demonstrates a company’s commitment to protecting its customers’ privacy but is also a strategic move that positions the company favourably in the global marketplace.
Conclusion
In conclusion, while Malaysian companies remain bound by the PDPA, adopting GDPR standards, which represent a more comprehensive and rigorous data protection regime, offers an array of advantages, particularly for companies entering the European market. Adopting the GDPR does not, however, replace PDPA compliance, and it requires careful deliberation: it entails significant changes to data collection and processing practices and often substantial investment in technology and process.
[1] https://gdpr-info.eu/art-3-gdpr/
[2] https://gdpr-info.eu/art-83-gdpr/
[3] https://edps.europa.eu/data-protection/our-work/subjects/digital-single-market_en
[4] https://gdpr-info.eu/recitals/no-32/
[5] https://gdpr-info.eu/art-17-gdpr/
[6] https://gdpr-info.eu/art-20-gdpr/
[7] https://gdpr-info.eu/art-44-gdpr/
[8] https://gdpr-info.eu/art-35-gdpr/
[9] https://gdpr-info.eu/recitals/no-168/
[10] https://gdpr-info.eu/art-47-gdpr/
[11] https://www.azmilaw.com/insights/data-protection-limits-to-the-lawfulness-of-transborder-flow-of-personal-data-outside-malaysia/