I was quoted by ZDNet in their article “Malaysia gazettes data protection act, effective immediately”.
Malaysia gazettes data protection act, effective immediately
Summary: After almost a year's delay, Malaysia finally gazettes its Personal Data Protection Act 2010 on Thursday and makes it effective Friday. Businesses have three months to comply and violation can result in a fine and/or imprisonment.
By Eileen Yu
Malaysia has quietly gazetted its Personal Data Protection Act 2010 (PDPA), effective immediately, and given businesses three months to ensure compliance.
The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but was delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented early 2010. An earlier note by the American Malaysian Chamber of Commerce indicated that the Act was scheduled to be passed August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia (PDPD) by November 15, 2013. This, however, apparently was also rescheduled.
According to Kuala Lumpur-based lawyer Foong Cheng Leong, the act has been gazetted and comes into force today, with Tuan Abu Hassan bin Ismail appointed the Personal Data Protection Commissioner. Foong noted that the Act outlined four new subsidiary legislation, including the class of data users and registration of data users. Businesses that fall under these categories include banking and financial institutions, communications service providers, insurance companies, transportation, and utilities.
Data users now have three months from November 15 to ensure compliance, he added.
The PDPA also provided some guidelines on the definition of consent, which must be in a form that can be recorded and maintained by the data user. Burden of proof for consent lies on the data user, Foong said.
Singapore-based tech lawyer and ZDNet blogger, Bryan Tan, said the sudden turn of events meant Malaysia has “stolen a march” on Singapore, which passed its Personal Data Protection Act in October 2012, but its main regulations will come into effect only on July 2, 2014, when all organizations must ensure compliance. The Act, however, includes a Do-Not-Call Registry which will be in force January 2, 2014.
Tan said: “The two countries’ PDPAs are different, but what it generally means for businesses is that a lot of time and effort will need to be spent on compliance. Perhaps it is a blessing in disguise that both come into force almost at the same time, so companies operating in Singapore and Malaysia can coordinate their compliance in one single project.”