Malaysia’s data privacy Act slow to take off

I was quoted by ZDNet in their article “Malaysia’s data privacy Act slow to take off” on 5 February 2013. To date, our Malaysian Personal Data Protection Act 2010 is still not in force.

Summary: Country’s personal data protection Act was due to take effect last month, but is still pending formalities. Despite that, many companies do not appear to be ready yet.

By Liau Yun Qing | February 5, 2013 — 11:16 GMT (19:16 SGT)

Malaysia’s Personal Data Protection Act 2010 (PDPA) was due to take effect on January 1, 2013, but the law is still not in force due to legal formalities. Despite its impending introduction, many companies are still lacking in compliance while consumers doubt it will be strongly enforced.

Foong Cheng Leong, a Malaysian lawyer and co-chairman at Kuala Lumpur Bar Information Technology Committee, said despite the announcement by a minister that the act will take effect at the beginning of the year, it is technically still on hold as there needs to first be an official notification in the Government Gazette for the Act to be formalized.

In a report published in December 2012, Malaysian newspaper The Star cited deputy Information, Communications and Culture Minister Datuk Joseph Salang who said during a keynote the PDPA would be enforced on January 1, 2013 and companies will have three months to comply.

Malaysia’s law for personal data protection has been long in the making. The Personal Data Protection Bill was first drafted in 2001 and was expected to be in force in early 2010, but that did not materialize.

Despite the protracted lead-up, many Malaysian companies are still not prepared for the eventual implementation of the law. Foong pointed out that during his many talks on the PDPA, he had noticed many companies had not started their compliance exercise.

Barry Ooi, president of the Marketing Research Society of Malaysia, said the Act will have a direct impact on the practice of market research in the country as it includes entities that process personal data. “All market research companies will need to be aware of the rules and regulations under this act,” he said.

Ooi pointed out most market research companies in Malaysia have been adopting the international research standards set by the World Association for Market, Social and Opinion Research (ESOMAR). “Many of the rules and procedures in the PDPA are similar to the ESOMAR guidelines,” he added.

“Nevertheless, our members are tightening up their procedures, particularly in the area of respondent consent and non-disclosure,” he noted.

Consumers lack confidence in enforcement of Act
Despite the government’s efforts, a few consumers in Malaysia were not confident about how the law would eventually be enforced.

IT systems engineer Ranjeeta Kaur said she knew that the country has such an act. However, she did not take much interest in reading the details mainly because of the lack of enforcement for most of the laws in Malaysia. “Enacting an act is simple but placing it into the actual corporate world and making sure that it’s followed is another story altogether,” she said.

“If we were to look at our daily Internet activities, most Malaysians don’t care about this Act. In fact they don’t even bother that the information they exchange with other parties could be leaked or used against them,” said Kaur.

Postgraduate student Chua Soon Hau questioned whether the Act would impact Internet companies such as Facebook or Instagram which were not based in Malaysia. “The Act will more likely tackle analytics companies that gather data and sell it to people who want it,” he said.

Chua wondered if the implementation of the law might even conflict with privacy agreements which users need to agree to before using a service.

Kaur said unlike the European countries, consumers in Malaysia were more “carefree” about their personal information. “Many folks are just happy to be given a computer and access the Internet with a carefree mind. We should actually be made aware of how our data is being handled, who is viewing it or has access to it,” she said.

Malaysia vs Singapore’s data privacy Act
Neighboring country Singapore passed its personal data protection bill in October 2012, and it came into force in January this year.

Foong said that while both countries’ personal data protection bills are similar, the details differ “quite a bit”.

The Malaysian law requires data collection parties to give subjects a written notification in the national language and English during the process. For Singapore, the notification is simpler as there is no rule the notification needs to be in the national language or English.

However, the Singapore Act requires the party collecting data to state the purpose for the collection, use or disclosure of the personal data, he noted. When requested, the party collecting data needs to give the business contacts of the person who is able to answer any questions the individual might have.

Foong added that consent to process personal data is not defined in the Malaysian PDPA, while the Singapore law sets out in detail what amounts to consent and what type of consent is acceptable.


7 responses to “Malaysia’s data privacy Act slow to take off”

  1. Cheong

    Hi Cheng Leong,

    Thanks so much for the very informative article.
    I wonder if I could pick your brains further.

    I help out at a charity for refugees.
    They have started a sewing group that produces basic items like pillowcases, coasters, cushions. Basically so that the refugee ladies can earn some minimal pocket money.

    The charity already has a website, and would like to post photos of the products and then take orders from customers (customers would call the charity & pick up the goods at the charity’s premises).

    In your opinion, would the new legislation mean this activity needs to be registered?

    Your article says the new Act applies to 2 types of persons:
    1) A person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace (“Online Business Owner”).
    2) A person who provides an online marketplace (“Online Marketplace Operator”).

    I guess the charity may be caught by (1) above, but wonder if there might be wriggle room, as the charity is clearly not doing this biz as its main activity.

    Also we would probably post something like “please call 123456789 for more information”, together with photos of the products & prices.
    i.e. not taking orders inside the website itself.

    Thanks in advance for your help

    1. FCL

      Cheong: Hi Cheong, To determine whether the charity falls under this Regulation, one must look at the definition of business. The Consumer Protection Act 1999 defines business as “any undertaking that is carried on whether for gain or reward or not and in the course of which goods or services are acquired or supplied whether at a price or otherwise”.

      If the said operation of the charity falls within the definition of business, then the Regulation applies.

      But the requirements of the Regulation are not onerous. It requires the 7 details to be posted which I think can be easily fulfilled.

      1. Cheong

        Hi Cheng Leong,

        Many thanks for the swift reply.

        Glad that you reckon all we need to do is post the 7 bits of info on the website.
        And not need to register with some govt agency somewhere for permits etc.

        Really appreciate your help

        Thanks again

  2. JH

    Dear Foong,

    As the name PDPA indicates it’s personal data, does business data like the following fall under the PDPA?
    – Company Name
    – Office Telephone
    – Name of the Person (not full name as per IC, but something like Danny Tan)
    – Position / Designation of the Person (HR Manager)
    – Business Emails (
    – Office Address

    Look forward to your response soon.

    1. FCL

      JH: Company Name, Office Telephone, Position/Designation and Office Address (“Business Data”) on their own are not personal data. Name of a person / business emails may be considered as personal data. However, combination of a person’s name and any one of the Business Data may be considered personal data.

      1. JH

        Thanks for your prompt reply… Since you mentioned it’s “maybe considered as personal data”, is there any confirmed answer from the PDPA commission?

        1. FCL

          JH: I used the word “maybe” because it depends on the transaction which the personal data is involved. If there is no commercial transaction, then it is not caught under the PDPA. For example, a casual email from a business associate containing his name and email address to my email is not a commercial transaction. If I drop my business card into a bowl to get the latest product updates from a merchant, that is a commercial transaction.