Malaysia’s Personal Data Protection Act, enacted in 2010, and its implementing regulations finally went into effect on November 15, 2013. The law applies to the processing of “personal data” by entities operating in Malaysia but generally does not apply to data processed entirely outside of Malaysia.[1] Additionally, official registration requirements will extend to many classes of “data users” (those who control or authorize data processing),[2] including those in the communications, banking and financial, insurance, health care, and other industries.[3]
“Personal data” is defined broadly within the Act as “any information in respect of commercial transactions” relating to any person “who is identified or identifiable from that information,” either by itself or in combination with other data.[4] “Sensitive personal data,” subject to heightened regulation within the law, is defined as:
any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence[5]
The law is structured around seven principles.[6] These are:
“General Principle:”[7] This principle presumptively prohibits the processing of personal data without the data subject’s consent, subject to narrow exceptions: where processing is necessary to perform a contract to which the data subject is a party, to protect legal rights or comply with legal obligations, or to protect the “vital interests” of the data subject.[8] “Consent” of the data subject is required for processing all non-sensitive data.[9] “[E]xplicit consent” is required for all processing of “sensitive” data.[10] The implementing regulation provides that consent shall be obtained “in any form that such consent can be recorded and maintained properly.”[11] “Explicit consent” is not defined in the Act or in the Personal Data Protection Regulations.
Additionally, the data subject is given the right to withdraw consent, after which the data user must cease processing the data subject’s data, with criminal penalties (including imprisonment) attached to any failure to cease processing.[12]
Notice and Choice: This principle requires extensive and detailed disclosures to affected data subjects about the use of their data, the source of the data, the kind of data being processed, the data subject’s rights to access or inquire about his data, and more.[13]
Disclosure: Disclosure must be limited to the purpose for which the data was originally collected. Where data is disclosed to third parties in a manner otherwise consistent with the Act, it may only be disclosed to third parties whose identity has itself been disclosed to the data subject in an appropriate notice.[14] The implementing regulations additionally require data users to keep a log of all third-party disclosures.[15]
Security: The law requires data users to take “practical steps” to protect personal data from “loss, misuse, modification, [and] unauthorized or accidental access or disclosure, alteration or destruction.”[16] Data users must also “ensure” that their outside data processors “provide[] sufficient guarantees” regarding data security measures and “take reasonable steps” to “ensure compliance with those measures.”[17] The regulation also requires the data user to have and adhere to a security policy.[18]
Retention: Data may only be retained for so long as is necessary to fulfill the purpose for which it was collected.[19]
Data Integrity: The data user must take “reasonable steps” to “ensure that the personal data is accurate, complete, not misleading and kept up-to-date.”[20]
Access: Data subjects have the right to access and correct their personal data.[21]
View Malaysia’s Personal Data Protection Act. Download the implementing regulations below:
Personal Data Protection (Fees) Regulations 2013
Personal Data Protection (Registration of Data User) Regulations 2013
Personal Data Protection (Class of Data Users) Order 2013
Personal Data Protection Regulations 2013
Written by Michael Young, Associate, Technology and Privacy Group | Alston & Bird LLP
[1] Personal Data Protection Act of 2010 (hereinafter “PDPA”), § 2 and § 3(2)
[2] PDPA § 4 (definition of “data user”).
[3] PDPA § 14; Personal Data Protection (Class of Data Users) Order 2013 § 2.
[4] PDPA § 4 (definition of “personal data”).
[5] PDPA § 4 (definition of “sensitive personal data”).
[6] See PDPA § 5.
[7] PDPA § 6.
[8] PDPA § 6.
[9] PDPA § 6(1)(a).
[10] PDPA § 40(1)(a).
[11] Personal Data Protection Regulations 2013, § 3(1).
[12] PDPA § 38. It would seem that this provision could raise an issue in the case where a data user processed data pursuant to a contract with the data subject. Suppose that a data subject withdraws consent under § 38 in such a case. One might well ask: since processing arguably did not require original consent, why should withdrawal of consent require the data user to cease processing? Still, any data user who continues to process data after such a withdrawal of consent would seem to be subject to fines and up to a year’s imprisonment. It would appear that, in such a case, the data user stands on his contractual rights to process data only at some serious risk. Cf. id. at § 42 (investing data subjects with the right to stop data processing where such processing is “likely to cause damage or distress,” but explicitly carving out an exception for processing necessary “for the performance of a contract to which the data subject is a party”).
[13] PDPA § 7.
[14] PDPA § 8.
[15] Personal Data Protection Regulations 2013 (hereinafter “PDPR”) § 5.
[16] PDPA § 9(a).
[17] PDPA § 9.
[18] PDPR § 6.
[19] PDPA § 10.
[20] PDPA § 11.
[21] PDPA § 12, § 30; PDPR § 9.