When it comes to financial technology, e-wallet is one that is no stranger to the masses. In Malaysia, there are quite a number of competing e-wallets. However, it has been forecasted that the year 2020 might see a consolidation of these e-wallets. From a business standpoint, streamlining the numerous e-wallets to just two or so would probably translate to better profits. However, there remains legal issues that one have to contend with in such a consolidation — one of which is how this would play out in light of the Personal Data Protection Act 2010 (“PDPA“).
While our earlier article discussed on the general principles that businesses should abide by in relation to processing of personal data, one cannot help but wonder whether a consolidation of e-wallets would be a contravention of the PDPA bearing in mind that the usage of e-wallets in Malaysia require the storing and processing of personal data.
Section 8 of the PDPA reads as follows:
(1) Subject to section 39, no personal data shall, without the consent of the data subject, be disclosed—
(a) for any purpose other than—
(i) the purpose for which the personal data was to be disclosed at the time of
collection of the personal data; or
(ii) a purpose directly related to the purpose referred to in subparagraph (i); or
(b) to any party other than a third party of the class of third parties as specified in
In a consolidation of e-wallets, it is no doubt that e-wallet companies would have to disclose the personal data of its data subjects to the acquiring company. On the face of it, this seems to be prohibited by Section 8 of the PDPA.
This is not to say that the disclosure and/or acquisition of personal data is absolutely impossible. Amongst other things, the PDPA itself does provide exceptions for the disclosure of personal data. However, what is pertinent to bear in mind is that companies that are looking to acquire other companies, be acquired by other companies or even merging with another company would have to have in place policies and procedures to ensure that the handling, disclosure and processing of personal data does not contravene the PDPA — be it e-wallet companies or companies in general.
This is even more so in the financial technology sector wherein almost every application and/or platform requires detailed personal data of the data subject, particularly for purposes of registration, identification and verification.