I was asked by The Edge to comment about the current state of Malaysia’s own Personal Data Protection Act 2010.
Sonia Ong of Wong & Partners, Maneesh Chandra, chief technology officer of Firmus Sdn Bhd, and Vernon Chua, CEO of enterprise data analytics start-up Innergia Labs Sdn Bhd, are also featured in this article. The full article can be viewed at The Digital Edge’s website.
1 The PDPA explained
The PDPA, in a nutshell, is meant to legislate protection around the collection, storage and usage of personal data collected by the private sector, according to lawyer Foong Cheng Leong. The public sector and, generally speaking, contractors operating on behalf of the government are exempt from the provisions of the PDPA.
“The laws require that any personally identifiable data, collected in the course of commercial transactions, be stored safely, along with additional requirements to be transparent about its use to individuals who provided the data in the first place.”
One key issue, however, has to do with a lack of clarity on what constitutes a “commercial transaction”, Foong says. While personal data collected in the course of completing a contractual agreement — for example, swiping a credit card or signing up for a broadband service — is protected under the PDPA, it is not certain what else, if anything, constitutes a commercial transaction in Malaysia.
“It is unclear, for example, in the case of a company that might be required to collect personal data, for security purposes, from individuals they don’t have a direct contractual or commercial relationship with. Right now, there isn’t much additional guidance from the Data Protection Commission, the body enacted by the PDPA to oversee administration and enforcement of the law.”
Besides regulating what businesses are allowed to do with personal data, the PDPA also confers certain rights on so-called “data subjects”, the term used to denote anyone who can be identified from the personal data collected.
An individual, for example, is conferred the right to revoke consent from the “data user” — this being the entity that collected the personal data in the first place.
Failure by the data user to respect this request could attract fines, jail terms or both.