Personal Data Protection Commissioner has issued the above consultation paper on 14 February 2020 to obtain feedback on the proposed amendments to the Personal Data Protection Act 2010.
Notably, the Commissioner is intending to introduce a data breach notification requirement, civil action against data user, right of data user to make first direct marketing call and exemption of business contact from the Act.
I am very much interested in the amendment to include right to initiate civil action a data user. The introduction of the same would be a boost to data privacy litigation in Malaysia.
Currently, there is no remedy for an aggrieved data subject for non-compliance of the Personal Data Protection Act 2010 other than filing a complaint to the Commissioner. There is no provision similar to s. 13 of the United Kingdom Data Protection Act 1998 (now repealed by the United Kingdom Data Protection Act 2018), ss. 167 to 168 of the United Kingdom Data Protection Act 2018) and s. 32 of the Singapore Personal Data Protection Act 2010.
An aggrieved data subject can still pursue civil litigation under the common law. However, this would depend on the circumstances of the case. Invasion of privacy is one possible action but the law is not settled whether invasion of privacy is an actionable tort. The other possible action would be a breach of confidence. These two (2) torts have similar basic requirement i.e. that the information must be private or possesses the necessary quality of confidence. Not all personal information will have or has such elements, especially, when the data subject had published them themselves e.g on their social media page. The proposed civil action under the Personal Data Protection Act 2010 will cover the gap especially matters concerning misuse of personal data which are not or no longer confidential or private.
Deadline to file a response to the consultation has been extended to 10 March 2020.