Date: 2020-02-20

The Department of Personal Data Protection (‘PDP’) released, on 14 February 2020, Public Consultation Paper No. 10/2020 – Review of Personal Data Protection Act 2010 (Act 709) (‘the Consultation Paper’) which provided the proposed amendments (‘the Amendments’) to the Personal Data Protection Act 2010 (‘PDPA’). In particular, the Amendments include expanding the PDPA’s application to data processors, requiring data users to report incidents of data leakage to authorities, expanding data subject rights, and facilitating the cross-border transfer of personal data.

Key takeaways for businesses

Jillian Chia, Partner at Skrine & Co., told OneTrust Dataguidance, “[B]usinesses should be aware that the Consultation Paper proposes obligations on data users to appoint a data protection officer (‘DPO’), the reporting of data breach incidents, and the implementation of certain measures, such as data portability, Privacy by Design and security from data collection endpoints. [In addition,] the possible introduction of civil litigation against a data user is a major point […]. Previously, there was no right of civil action as actions could only be taken by the Public Prosecutor against a data user for breach of the PDPA. [Furthermore,] the proposed extension of the PDPA to Federal and State Governments is a key point to be noted. [The] non-application of the PDPA to Federal and State Governments is presently seen as one of the flaws or loopholes in the existing PDPA, given that government agencies process a substantial amount of personal data.”

Ensuring Compliance

The Amendments introduce a number of new obligations for data users, including, among other things, the appointment of a DPO, the establishment of a Do Not Call Registry, and the requirement for data users to provide a clear mechanism on the way to unsubscribe from online services.

Adlin Abdul Majid, Partner at Hishammuddin Allen & Gledhill, highlighted, “[…] these Amendments impose additional compliance obligations on businesses and would be likely to increase compliance costs.” In addition, Chia noted, “In respect to data transfers, it is proposed that no white-listed countries are to be included, meaning transfers out of Malaysia may only be undertaken where exceptions apply, e.g. consent, the performance of the contract, […] and this may potentially be burdensome for businesses and be a hindrance to the exchange and sharing of data for commercial purposes.”

Chia also commented, “[T]he possible exemption of business contact information from compliance with PDPA (or clarifies the scope of application), and the exception to allow data users to make the first direct marketing call may be welcomed by marketers as this sheds some restrictions on the usage of data for marketing purposes.”

Adequacy

Malaysia has not been recognised by the European Commission as providing adequate protection for personal data. However, as outlined within the Consultation Paper, many of the Amendments have been adopted from other data protection legislation, including the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). Chia further discussed that, “While the Amendments are indeed a step in bringing the PDPA more in line with European standards, given the stringent criteria to achieve adequacy status, it remains to be seen whether these amendments alone would be sufficient.”

Moreover, Majid highlighted, “[T]he revision of the PDPA is intended to be in line with the requirements in the GDPR. Many of the requirements in the GDPR are proposed to be introduced into the PDPA, such as privacy by design and imposing direct compliance obligations on data processors, although some GDPR requirements are notably absent, such as the right to be forgotten.”

Gaps and limitations

Finally, Chia clarified, “[T]here are no provisions in respect of the independence of the PDP, i.e. a supervisory authority independent from the government to enforce the PDPA. [In addition,] the [proposed] breach reporting requirements do not mention whether this would extend to the reporting of breaches to data subjects. [Furthermore,] while the extension of protection for data subjects is a welcomed objective, some of the proposed measures will significantly increase compliance costs. It is hoped that the revisions will be able to achieve a balance between protecting data subjects and imposing undue financial burden on data users particularly small- and medium-sized businesses.”

What’s Next?

Majid concluded, “[T]he revision outline is drafted in a general manner and does not set out in detail each requirement that would be introduced or amended. While this gives a broad overview of changes that will come about, it is important to also set out the scope of each requirement, to allow assessment of each requirement and potential practical issues arising. We hope that there will be a second public consultation, with details of the Amendments fully set out. All in all, this public consultation paper is a good step forward in bringing the PDPA to be in line with international standards.” The first public consultation is taking place from 14 February to 28 February 2020.

