KL Bar IT Committee

Malaysia’s data privacy Act slow to take off

I was quoted by ZDNet in their article “Malaysia’s data privacy Act slow to take off” on 5 February 2013. To date, our Malaysian Personal Data Protection Act 2010 is still not in force.


Summary: Country’s personal data protection Act was due to take effect last month, but is still pending formalities. Despite that, many companies do not appear to be ready yet.

By Liau Yun Qing | February 5, 2013 — 11:16 GMT (19:16 SGT)

Malaysia’s Personal Data Protection Act 2010 (PDPA) was due to take effect on January 1, 2013, but the law is still not in force due to legal formalities. Despite its impending introduction, many companies are still lacking in compliance while consumers doubt it will be strongly enforced.

Foong Cheng Leong, a Malaysian lawyer and co-chairman at Kuala Lumpur Bar Information Technology Committee, said despite the announcement by a minister that the act will take effect at the beginning of the year, it is technically still on hold as there needs to first be an official notification in the Government Gazette for the Act to be formalized.

In a report published in December 2012, Malaysian newspaper The Star cited deputy Information, Communications and Culture Minister Datuk Joseph Salang who said during a keynote the PDPA would be enforced on January 1, 2013 and companies will have three months to comply.

Malaysia’s law for personal data protection has been long in the making. The Personal Data Protection Bill was first drafted in 2001 and was expected to be in force in early-2010 but that did not materialize.

Despite the protracted lead up, many Malaysian companies are still not prepared for the eventual implementation of the law. Foong pointed out during his many talks on PDPA, he had noticed many companies have not started their compliance exercise.

Barry Ooi, president of the Marketing Research Society of Malaysia, said the Act will have a direct impact on the practice of market research in the country as it includes entities that process personal data. “All market research companies will need to be aware of the rules and regulations under this act,” he said.

Ooi pointed out most market research companies in Malaysia have been adopting the international research standards set by the World Association for Market, Social and Opinion Research (ESOMAR). “Many of the rules and procedures in the PDPA are similar to the ESOMAR guidelines,” he added.

“Nevertheless, our members are tightening up their procedures, particularly in the area of respondent consent and non-disclosure,” he noted.

Consumers lack confidence in enforcement of Act
Despite the government efforts, a few consumers in Malaysia were not confident about how the law would be eventually enforced.

IT systems engineer Ranjeeta Kaur said she knew that the country has such an act. However, she did not take much interest in reading the details mainly because of the lack of enforcement for most of the laws in Malaysia. “Enacting an act is simple but placing it into the actual corporate world and making sure that it’s followed is another story altogether,” she said.

“If we were to look at our daily Internet activities, most Malaysians don’t care about this Act. In fact they don’t even bother that the information they exchange with other parties could be leaked or used against them,” said Kaur.

Postgraduate student Chua Soon Hau questioned whether the Act would impact Internet companies such as Facebook or Instagram which were not based in Malaysia. “The Act will more likely tackle analytics companies that gather data and sell it to people who want it,” he said.

Chua wondered if the implementation of the law might even conflict with privacy agreements which users need to agree to before using a service.

Kaur said unlike the European countries, consumers in Malaysia were more “carefree” about their personal information. “Many folks are just happy to be given a computer and access the Internet with a carefree mind. We should actually be made aware of how our data is being handled, who is viewing it or has access to it,” she said.

Malaysia vs Singapore’s data privacy Act
Neighboring country Singapore passed its personal data protection bill in October 2012 and was enforced in January this year.

Foong said while both countries’ personal data protection bills are similar, the details differ “quite a bit”.

The Malaysian law requires data collection parties to give subjects a written notification in the national language and English during the process. For Singapore, the notification is simpler as there is no rule the notification needs to be in the national language or English.

However, the Singapore Act requires the party collecting data to state the purpose for the collection, use or disclosure of the personal data, he noted. When requested, the party collecting data needs to give the business contacts of the person who is able to answer any questions the individual might have.

Foong added consent to process personal data is not defined in the Malaysian PDPA, while the Singapore law sets out in detail what amounts to consent and what type of consent is acceptable.

End to data abuse

I was quoted in The Sun Daily regarding the weaknesses of the Personal Data Protection Act 2010 (PDPA). Note that The Sun Daily also reported that the PDPA will be in force come 1 January 2013.

End to data abuse
Posted on 23 October 2012 – 05:24am
Pauline Wong
newsdesk@thesundaily.com

PETALING JAYA (Oct 23, 2012): Come Jan 1, you will be able to put an end to pesky telemarketers and report such harassment to the authorities.

This is because the Personal Data Protection (PDP) Act which criminalises unauthorised use of your personal data will finally be enforced after a two-year delay.

Information, Communications and Culture Minister Datuk Seri Rais Yatim told theSun recently that enforcement of the Act was held up due to a delay in the recruitment of personnel for the newly-formed Personal Data Department.

The department, which comes under his ministry, will oversee and be responsible for the enforcement of the Act.

“The department will be operational from Jan 1,” Rais said in an SMS reply to queries from theSun as to the enforcement of the Act which had been gazetted in June 2010.

The law stipulates how personal data – phone numbers, identity card numbers, addresses and even DNA – is used and stored by any organisation.

It defines “personal data” as any information processed in respect of commercial transactions that relates directly or indirectly to a “data subject” (the consumer), including any sensitive personal data.

Data users – including banks, telecommunications providers and even employers – must comply with seven principles.

Failure to do so will make the data user liable to a fine of up to RM300,000, up to two years’ jail, or both, upon conviction.

Once in force, the Act makes it a criminal offence for data users to reveal your phone number (for example) to third-party telemarketers, unless you had consented and were notified of their intention to do so.

The right to put an end to direct marketing is also provided for under the Act as a consumer may, by notice in writing, tell the data user to stop processing personal data for direct marketing.

He or she may also at any time withdraw any consent previously given to the data user.

However, legal experts point out that many aspects of the Act remain vague – which they say does not bode well for the wide-ranging impact of the Act.

Lawyer Adlin Abdul Majid, who heads the PDP compliance team at law firm Lee Hishammuddin Allen and Gledhill, said the Act is in need of more thorough guidelines before implementation.

“The Act was drafted in a very general manner. For example, even the definition of ‘commercial transaction’ is not specific.

“If someone goes to a small boutique and makes a purchase with a credit card, does this hold the boutique responsible for your data, and will it have to serve you a notice?” she said.

She added that in interpreting the law, employers are also considered data users.

“This could mean that even a small or medium enterprise (SME) with a few employees would have to adhere to the Act and conduct a privacy impact assessment to ensure full compliance, but that can be very costly for SMEs,” she said.

Adlin said the government needs to draft very detailed guidelines in enforcing the PDP, or it would lead to a lot of confusion.

KL Bar IT Committee co-chairman Foong Cheng Leong said the Act does not address several key problems, especially when it comes to storing a person’s personal data.

“With the digitalisation of records, the internet, and ‘cloud’ computing, the question is how does a data user deal with soft copies of personal information?” he asked.

He added that it is also not practical for data users to give written notice when data is collected over the phone, or captured via closed-circuit television (CCTV).

Foong urged the authorities to draw up specific guidelines to address these issues.
