Written by Richard Wee and Ong Yi Jun
Understanding the PDPA
The Personal Data Protection Act 2010 is Malaysia’s primary legislation governing the processing of personal data in commercial transactions. Its main purposes are:
- To protect the personal data of individuals in commercial transactions;
- To regulate the processing of personal data; and
- To prevent misuse of personal information.
The PDPA is built on several basic tenets, including:
- Consent: Data users must obtain consent before collecting or processing personal data.
- Notice and Choice: Individuals must be informed about how their data will be used.
- Disclosure: Personal data should only be disclosed for purposes consented to by the individual.
- Security: Data users must take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure.
- Retention: Personal data should not be kept longer than is necessary.
- Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up to date.
- Access: Data subjects have the right to access and correct their personal data.
Data Protection Concerns
In recent years, data protection has become a critical concern globally, including in Malaysia. The rise of digital technologies, increased data collection, and sophisticated cyber threats have led to growing risks of data breaches, identity theft, and misuse of personal information. These concerns have highlighted the need for stronger, more comprehensive data protection laws that can keep pace with technological advancements and evolving threats.
Key Amendments
Digital Minister Gobind Singh Deo announced on 4 July 2024 that the approved amendments aim to strengthen policies related to security and enforcement. The proposed changes include:
- Mandatory personal data breach notifications;
- Additional compliance responsibilities for data processors;
- Appointment of Data Protection Officers;
- Introduction of data subjects’ right to data portability; and
- Removal of the white-list regime for cross-border data transfers.
These amendments result from extensive consultations, involving input from 719 stakeholders across 40 engagement sessions.
Why Amendments are Needed
The amendments to the PDPA are necessary for several reasons:
- Technological Advancements: The rapid pace of technological change has created new challenges in data protection that weren’t anticipated when the original Act was passed.
- Global Alignment: Many countries have updated their data protection laws (eg, GDPR in Europe). Malaysia needs to ensure its laws are compatible with international standards to facilitate cross-border data flows and international business.
- Increasing Cyber Threats: The rise in cybercrime and data breaches necessitates stronger protective measures and clearer procedures for handling breaches.
- Enhancing Individual Rights: The amendments aim to give individuals more control over their personal data, aligning with global trends in data protection.
- Addressing Gaps: The current law has certain gaps, such as the lack of mandatory breach notifications, which these amendments seek to address.
Recent Statistics
Recent statistics underscore the urgency of these changes:
- A 5.1% increase in complaints received from October 2023 to March 2024;
- 322 complaints regarding misuse and breach of personal data in this period;
- A significant 41% increase in personal data breaches in 2024 compared to 2023;
- 34,497 online fraud cases reported nationwide in 2023, resulting in RM1.218 billion in losses; and
- 10,348 telecommunications crime cases in 2023, involving losses of RM352.9 million.
Potential Outcomes
If the amendments are passed, several positive outcomes can be anticipated:
- Increased Data Security: Mandatory breach notifications and stricter compliance requirements should lead to improved data security practices among businesses.
- Enhanced Consumer Trust: With stronger protections and more control over their data, consumers may feel more confident in sharing their information with businesses.
- International Competitiveness: By aligning with global standards, Malaysia may become a more attractive destination for international businesses and data-driven industries.
- Improved Incident Response: Clear procedures for data breaches should lead to faster, more effective responses to data incidents.
- Greater Accountability: The appointment of Data Protection Officers and increased responsibilities for data processors will create clearer lines of accountability.
- Potential Challenges: While beneficial overall, these changes may initially pose compliance challenges for businesses, particularly smaller enterprises.
Conclusion
As Malaysia moves to align its data protection legislation with global standards, businesses should prepare for additional compliance obligations. These changes are expected to enhance security measures and address the growing challenges of data protection in the digital age, marking a crucial step in Malaysia’s efforts to strengthen its data protection framework and respond to the evolving landscape of digital threats and data privacy concerns.
Published on 4 September 2024