Malaysia gazettes data protection act, effective immediately

I was quoted by ZDNet in their article “Malaysia gazettes data protection act, effective immediately”.

Summary: After almost a year's delay, Malaysia finally gazettes its Personal Data Protection Act 2010 on Thursday and makes it effective Friday. Businesses have three months to comply, and violations can result in a fine and/or imprisonment.

Malaysia has quietly gazetted its Personal Data Protection Act 2010 (PDPA), effective immediately, and given businesses three months to ensure compliance.

The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but was delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented early-2010. An earlier note by the American Malaysian Chamber of Commerce indicated that the Act was scheduled to be passed August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia (PDPD) by November 15, 2013. This, however, apparently was also rescheduled.

According to Kuala Lumpur-based lawyer Foong Cheng Leong, the act has been gazetted and comes into force today, with Tuan Abu Hassan bin Ismail appointed the Personal Data Protection Commissioner. Foong noted that the Act outlined four new subsidiary legislation, including the class of data users and registration of data users. Businesses that fall under these categories include banking and financial institutions, communications service providers, insurance companies, transportation, and utilities.

Data users now have three months from November 15 to ensure compliance, he added.

The PDPA also provided some guidelines on the definition of consent, which must be in a form that can be recorded and maintained by the data user. Burden of proof for consent lies on the data user, Foong said.

Singapore-based tech lawyer and ZDNet blogger, Bryan Tan, said the sudden turn of events meant Malaysia has “stolen a march” on Singapore which passed its Personal Data Protection Act in October 2012, but its main regulations will come into effect only on July 2, 2014, when all organizations must ensure compliance. The Act, however, includes a Do-Not-Call Registry which will be in force January 2, 2014.

Tan said: “The two countries’ PDPAs are different, but what it generally means for businesses is that a lot of time and effort will need to be spent on compliance. Perhaps it is a blessing in disguise that both come into force almost at the same time, so companies operating in Singapore and Malaysia can coordinate their compliance in one single project.”

Malaysia’s data privacy Act slow to take off

I was quoted by ZDNet in their article “Malaysia’s data privacy Act slow to take off” on 5 February 2013. To date, our Malaysian Personal Data Protection Act 2010 is still not in force.

Summary: Country’s personal data protection Act was due to take effect last month, but is still pending formalities. Despite that, many companies do not appear to be ready yet.

By Liau Yun Qing | February 5, 2013 — 11:16 GMT (19:16 SGT)

Malaysia’s Personal Data Protection Act 2010 (PDPA) was due to take effect on January 1, 2013, but the law is still not in force due to legal formalities. Despite its impending introduction, many companies are still lacking in compliance while consumers doubt it will be strongly enforced.

Foong Cheng Leong, a Malaysian lawyer and co-chairman at Kuala Lumpur Bar Information Technology Committee, said despite the announcement by a minister that the act will take effect at the beginning of the year, it is technically still on hold as there needs to first be an official notification in the Government Gazette for the Act to be formalized.

In a report published in December 2012, Malaysian newspaper The Star cited deputy Information, Communications and Culture Minister Datuk Joseph Salang who said during a keynote the PDPA would be enforced on January 1, 2013 and companies will have three months to comply.

Malaysia’s law for personal data protection has been long in the making. The Personal Data Protection Bill was first drafted in 2001 and was expected to be in force in early-2010 but that did not materialize.

Despite the protracted lead up, many Malaysian companies are still not prepared for the eventual implementation of the law. Foong pointed out during his many talks on PDPA, he had noticed many companies have not started their compliance exercise.

Barry Ooi, president of the Marketing Research Society of Malaysia, said the Act will have a direct impact on the practice of market research in the country as it includes entities that process personal data. “All market research companies will need to be aware of the rules and regulations under this act,” he said.

Ooi pointed out most market research companies in Malaysia have been adopting the international research standards set by the World Association for Market, Social and Opinion Research (ESOMAR). “Many of the rules and procedures in the PDPA are similar to the ESOMAR guidelines,” he added.

“Nevertheless, our members are tightening up their procedures, particularly in the area of respondent consent and non-disclosure,” he noted.

Consumers lack confidence in enforcement of Act
Despite the government efforts, a few consumers in Malaysia were not confident about how the law would be eventually enforced.

IT systems engineer Ranjeeta Kaur said she knew that the country has such an act. However, she did not take much interest in reading the details mainly because of the lack of enforcement for most of the laws in Malaysia. “Enacting an act is simple but placing it into the actual corporate world and making sure that it’s followed is another story altogether,” she said.

“If we were to look at our daily Internet activities, most Malaysians don’t care about this Act. In fact they don’t even bother that the information they exchange with other parties could be leaked or used against them,” said Kaur.

Postgraduate student Chua Soon Hau questioned whether the Act would impact Internet companies such as Facebook or Instagram which were not based in Malaysia. “The Act will more likely tackle analytics companies that gather data and sell it to people who want it,” he said.

Chua wondered if the implementation of the law might even conflict with privacy agreements which users need to agree to before using a service.

Kaur said unlike the European countries, consumers in Malaysia were more “carefree” about their personal information. “Many folks are just happy to be given a computer and access the Internet with a carefree mind. We should actually be made aware of how our data is being handled, who is viewing it or has access to it,” she said.

Malaysia vs Singapore’s data privacy Act
Neighboring country Singapore passed its personal data protection bill in October 2012 and was enforced in January this year.

Foong said while both countries’ personal data protection bills are similar, the details differ “quite a bit”.

The Malaysian law requires data collection parties to give subjects a written notification in the national language and English during the process. For Singapore, the notification is simpler as there is no rule the notification needs to be in the national language or English.

However, the Singapore Act requires the party collecting data to state the purpose for the collection, use or disclosure of the personal data, he noted. When requested, the party collecting data needs to give the business contacts of the person who is able to answer any questions the individual might have.

Foong added consent to process personal data is not defined in the Malaysian PDPA, while the Singapore law sets out in detail what amounts to consent and what type of consent is acceptable.
