The Personal Data Protection Act 2010 (“PDPA”) is the very first legislation in Malaysia that seeks to comprehensively protect personal data.
As we do not have a general Privacy Act in place, and our Federal Constitution does not expressly recognize the right to privacy (although our Court of Appeal in one particular case held that the right to life and liberty (Article 5) is arguably broad enough to include the right to privacy), the PDPA is certainly a very much needed piece of legislation that Malaysians have long been waiting for.
So when the PDPA was passed in June 2010, it was seen as a positive move by our Government towards recognizing the importance of protecting personal data of individuals in Malaysia.
It also signals an important milestone for Malaysia in bridging the gap between Malaysian laws and international trends in protecting personal data. To prevent the misuse and disclosure of personal data to unauthorized third parties, governments around the world have enacted legal regimes on personal data protection.
In ASEAN, Malaysia and Singapore are the only two countries which have enacted comprehensive data protection legislation.
Three years down the road, the PDPA finally came into force on 15 November 2013.
One would have thought that given the time that it took for the PDPA to come into force after it was passed by the Parliament in June 2010, most data users (i.e. companies/organisations/individuals who either alone or jointly in common with other persons process any personal data or have control over or authorize the processing of any personal data) would have put aside sufficient time and resources to make sure that they take the necessary steps to establish, review and strengthen internal policies, procedures, processes and systems that govern the management and handling of personal data in order to comply with the law.
Unfortunately, that was not the case.
When the Government announced that the PDPA would come into force on 15 November 2013, many companies and organisations rushed to get themselves PDPA-compliant, as they were only given a 3-month sunrise period to ensure compliance with the law. Hence, we saw a spike in companies and organisations busy churning out privacy policies and notices.
Data users who were required to register themselves with the Personal Data Protection Department (“PDP Department”) were also uncertain about the registration process.
Perhaps due to inadequate publicity or low awareness, some data users were not even aware of the registration requirement, which resulted in their being late in submitting their registration forms. Meanwhile, some companies and organisations (especially small and medium enterprises) chose to take a “wait-and-see” approach, conveniently ignoring the fact that the PDPA applies to every company, organisation and individual in the country, and not just the big boys.
It has been one year since the coming into force of the PDPA.
Let’s examine what we have achieved so far, what could have been done, and what else we all can do.
While the deadline for data user registration has already passed, the PDP Department acknowledged that the 3-month sunrise period was relatively short (Singapore’s PDPA, which has also recently come into force, provided an 18-month sunrise period). As such, the PDP Department adopted an unofficial stand, stating that it would still accept late applications for registration, provided the application was accompanied by a letter stating the reason(s) for the delay.
As of November 2014, the PDP Department had registered more than 7,000 data users from various industries.
Encik Abu Hassan bin Ismail was appointed as the first Personal Data Protection Commissioner. The current Commissioner is Encik Mazmalek bin Mohamad.
Several regulations and orders have also been enacted, and the PDP Department has initiated public consultations on various guidelines to deal with specific topics such as management of CCTV images, direct marketing, employee data, consent requirements as well as general rules on compliance with the PDPA.
In an effort to create and raise public awareness, officers from the PDP Department have also been busy going around the country to conduct seminars and conferences on the PDPA.
It is worth noting that the PDP Department always welcomes public opinions (for example through issuing public consultation papers) and constantly engages in talks and discussions with stakeholders such as industry players, NGOs, professional bodies and business associations.
All the efforts that have been put forward by the PDP Department must be commended, and we hope that the PDP Department will continue to engage with and consult stakeholders on the implementation of this broad-ranging law.
As for companies and organisations, some of them, especially large companies and organisations, have already put in place certain procedures and processes to ensure compliance with the law.
This can be attributed partly to the different levels of understanding of compliance with the law and interpretation of the PDPA, and partly to other reasons, such as the absence of guidelines from the authorities providing clear guidance on the interpretation of the PDPA.
There are still a lot of grey areas under the PDPA which require further clarification.
Under the PDPA, in order for a data user to process an individual’s personal data, he must obtain consent from the individual, and the consent must be in a recordable form and capable of being maintained properly by the data user.
- Does this mean that consent must be in writing?
- Must the individual sign on the privacy notice or is it sufficient that the privacy notice is attached to the form where the individual fills in his personal data?
- What about deemed or verbal consent?
- Is that not acceptable?
- When dealing with a company or an organisation, does a data user need to get consent from every individual in the company or organisation?
- Must a privacy notice be given in physical form?
- Can it just be posted on a website?
- Can one refer an individual to the website?
- What about the collection of personal data through social media networks whose servers are located outside Malaysia?
Other issues such as whether corporate binding rules are necessary for sharing of data within a group of companies, how the exemptions under the PDPA work, etc. remain unclear.
As such, it is evident that guidelines from the regulator setting out guiding rules and best practices are very much needed, as they will help fill in the gaps and assist us in interpreting the law.
Industry players can also form data user forums and prepare their own industry codes of practice to provide their members with practical guidance and advice on how to meet the standards under the PDPA.
The number of unsolicited telemarketing calls has noticeably dropped, although this is still one of the most common complaints received by the PDP Department.
The PDP Department has indicated that it is considering setting up an official registry similar to Singapore’s Do Not Call Registry or the UK’s Telephone Preference Service to allow people to opt out from receiving unsolicited telemarketing calls. Apart from issuing guidelines, we would also recommend that the PDP Department post FAQs for individuals and businesses on the application and scope of the PDPA on its website, or issue small leaflets or handbooks to the public, similar to what the Malaysia Competition Commission has done.
Companies and organisations should take a top-down approach when it comes to implementing and rolling out a PDPA compliance exercise. Instructions should pass down from the board of directors to the management and progress on the implementation exercise should be reported back to the board of directors regularly.
This is important because if a body corporate is found guilty of an offence under the PDPA, officers of the body corporate will automatically be held jointly and severally liable together with the body corporate, unless they can prove that the offence was committed without their knowledge, consent or connivance, and that they had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.
This is a very high standard to discharge. Non-compliance with the PDPA may result in penalties of up to RM500,000 and/or 3 years imprisonment.
The PDP Department, in its public consultation paper, has recommended the following action plan as a roadmap for companies and organisations to comply with the requirements of the PDPA, namely:
- considering reasonable data security arrangements;
- introducing a compliance manual/programme which defines the personal data workflow involved;
- ensuring measures are in place to prevent data breaches;
- raising awareness among staff through conducting internal training programmes;
- undertaking a review of the employment terms in respect of personal data;
- ensuring that all service contracts with third-party processors cover quality, security, compliance and inspection safeguards and measures related to personal data;
- ensuring compliance for cross-border transfers of personal data; and
- keeping abreast with the latest developments in personal data protection in Malaysia.
What is certain is that the PDPA is here to stay, and it is no longer “business as usual”.
The PDPA has commercially far-reaching implications and severe penalties in the event of non-compliance. The intent of the PDPA is not to inhibit business or to stifle the legitimate use of personal data. Rather, it is meant to grow businesses by giving consumers confidence that their personal data will be protected and processed in good hands.
At the end of the day, privacy matters and good privacy conduct would eventually mean good business.