I was quoted by ZDNet in their article “Malaysia gazettes data protection act, effective immediately”.
Malaysia gazettes data protection act, effective immediately
Summary: After almost a year delay, Malaysia finally gazettes its Personal Data Protection Act 2010 on Thursday and makes it effective Friday. Businesses have three months to comply and violation can result in fine and/or imprisonment.
By Eileen Yu
Malaysia has quietly gazetted its Personal Data Protection Act 2010 (PDPA), effective immediately, and given businesses three months to ensure compliance.
The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented early-2010. An earlier note by the American Malaysian Chamber of Commerce indicated that the Act was scheduled to be passed August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia (PDPD) by November 15, 2013. This, however, apparently was also rescheduled.
According to Kuala Lumpur-based lawyer Foong Cheng Leong, the act has been gazetted and comes into force today, with Tuan Abu Hassan bin Ismail appointed the Personal Data Protection Commissioner. Foong noted that the Act outlined four new subsidiary legislation, including the class of data users and registration of data users. Businesses that fall under these categories include banking and financial institutions, communications service providers, insurance companies, transportation, and utilities.
Data users now have three months from November 15 to ensure compliance, he added.
The PDPA also provided some guidelines on the definition of consent, which must be in a form that can be recorded and maintained by the data user. Burden of proof for consent lies on the data user, Foong said.
Singapore-based tech lawyer and ZDNet blogger, Bryan Tan, said the sudden turn of events meant Malaysia has “stolen a march” on Singapore which passed its Personal Data Protection Act in October 2012, but its main regulations will come into effect only on July 2, 2014, when all organizations must ensure compliance. The Act, however, includes a Do-Not-Call Registry which will be in force January 2, 2014.
Tan said: “The two countries’ PDPAs are different, but what it generally means for businesses is that a lot of time and effort will need to be spent on compliance. Perhaps it is a blessing in disguise that both come into force almost at the same time, so companies operating in Singapore and Malaysia can coordinate their compliance in one single project.”
I was quoted by the Malay Mail in their report “Data protection act gazetted, effective today” on 15 November 2013.
KUALA LUMPUR, Nov 15 — The much awaited Personal Data Protection Act (PDPA) 2010 has finally been gazetted and will take effect today, with businesses given three months to comply with the new law and violation will result in fine, or imprisonment, or both.
KL Bar Information Technology Committee chairman Foong Cheng Leong confirmed that the law will be effective today, with Abu Hassan Ismail appointed the Personal Data Protection commissioner.
“The law introduced seven principles, in these seven principles, you would need to, for example get consent if you possess any personal data, name, IC, address, pictures, email and phone numbers.
“Once you get the personal data, you need to give a written notification in BM and English and make sure it’s safe and give it to the relevant parties,” he told The Malay Mail Online when contacted.
Foong, who is also the member of the Malaysian Bar Intellectual Property Committee, also said that although businesses are given three months to comply, it would be a challenge to those which have not begun putting their houses in order.
“I think [businesses] are hit quite hard especially those not doing anything since 2009 because the law was introduced since 2009, but I know quite a bit of companies which have started to comply with the law since 2009.
“Most companies would need six months to complete the exercise, so those who have not done anything, need to move very quickly.
“For consumers, expect less phone calls, less SMSes and basically receiving any tele-marketing materials,” he said.
Foong noted however, that the Malaysian government is exempted from this law.
The PDPA also introduced four new subsidiary legislations, including the registration of data user and class of data users.
Businesses that are considered data users including banking and financial institutions, communications service providers, insurance companies, transportation, and utilities, will now have to register with the commissioner.
He also said that data subject, meaning individuals, would be able to request access to the type of personal data being processed.
“The law provides that there will be no transfer of data outside Malaysia, unless you get consent, or the country or jurisdiction you want to transfer data to is included in the list by the commissioner [which has yet to be released],” he said.
The law stipulates that consent for personal data processing should be required explicitly; it has to be expressed, rather than implied or assumed. The organiser will also need to justify the reason they need the information they are asking for.
Under the law, consumers have the right to access, correct data, prevent damage or distress, withdraw from data processing, prevent direct marketing and bring complaint on data abuses to PDP commissioners.
Data users meanwhile, are obligated to provide the necessary mechanisms that will facilitate data subjects to exercise these rights.
The provisions also allow consumers to withdraw consent to personal data. If the data user continues to process the personal data, it will be liable to a fine of up to RM100,000 or a maximum of one-year jail, or both.
The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented early-2010.
The law was initially scheduled to be passed August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia by November 15, 2013.
I was quoted by Sin Chew in the article below regarding the impending Personal Data Protection Act 2010.
On 9 July 2013, the Bar Council Intellectual Property Committee and myself paid a courtesy visit to the Personal Data Protection Department at Putrajaya. We were received by the Deputy Director General of Personal Data Protection Department, Dr. Zainal Abidin Bin Sait and his team.
In the meeting, we have been informed that, among others, the Personal Data Protection Act 2010 (PDPA) will be in force on 16 August 2013. Former Director General of the PDPD, Tuan Haji Abu Hassan Ismail will be appointed the Commissioner.
The Data User registration regime will also be in force. Under this regime, designated class of data users will be required to register with the Commissioner (see Public Consultation No. 2/2012 entitled “Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees for the proposed class of users”).
In our earlier blog entry entitled, “Enforcement of the Malaysian Personal Data Protection Act 2010”, we mentioned that the Personal Data Protection Department stated that “it is best for us to wait for the Minister to make the announcement on the enforcement of the Act and notify in the Gazette”.
We recently came across a tweet by the Information, Communication and Culture Minister, Datuk Seri Utama Dr Rais Yatim that the Personal Data Protection Act 2010 (PDPA) will come into force “middle of the year”.
We look forward to the announcement of the date of operation of the PDPA in the Government Gazette.
In our earlier blog entry, we mentioned that Bernama reported that the Personal Data Protection Act 2010 (PDPA) will be enforced in June 2012 but this may not be correct in view of the Director General of Personal Data Protection Department’s (PDPD) statement.
We sought clarification with the PDPD and the PDPD informed us that “the newspaper reported that the Act [PDPA] is going to be enforced in June was based on the Secretary General’s closing ceremony speech in the evening even though the Minister did not state anything earlier. Despite all that, it is best for us to wait for the Minister to make the announcement on the enforcement of the Act and notify in the Gazette”.
We look forward to the Minister’s announcement on the enforcement of the PDPA.
KUALA LUMPUR: New Zealand’s Assistant Privacy Commissioner Katrine Evans has suggested that Malaysia have privacy officers to implement the data protection law.
She said a privacy officer is the person in an agency who can understand its business and, at the same time, help the agency get it right in handling personal information.
“I don’t know whether Malaysia has the requirement for every agency to have a privacy officer but, if it doesn’t, you should have one,” she said when delivering her talk on ‘First Steps for a Data Protection Commissioner: Some Suggestions from New Zealand’ at the inaugural seminar on personal data protection, here.