Malaysia’s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013.
Personal data protected under the PDPA is any information in respect of commercial transactions that is:
In each case, all the information that relates directly or indirectly to a data subject who is identified or identifiable from that information or from that and other information in the possession of a data user.
Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.
Under the PDPA, subject to certain exceptions, data users are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of personal data. Where consent is required from a data subject under the age of eighteen, the data user must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. The consent obtained from a data subject must be in a form in which such consent can be recorded and maintained properly by the data user.
Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects of the purpose for which their personal data are collected and a requirement to maintain a list of any disclosures of personal data to third parties. On December 23, 2015, the Commissioner published the Personal Data Protection Standard 2015, which sets out the Commission’s minimum requirements for processing personal data. The Standards include the following:
Under the PDPA, a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. However, there are exceptions to this restriction, including the following:
Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards.
Moreover, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
There is no requirement under the PDPA for data users to notify authorities of data breaches in Malaysia. However, Malaysia’s laws could be updated to include data breach notification requirements modelled on those under the European Union’s General Data Protection Regulation (GDPR), including a requirement to give notice to government authorities.