13 April 2017
The Department of Personal Data Protection (‘PDP’) opened, on 5 April 2017, a public consultation (‘the Consultation’) on the Personal Data Protection (Transfer of Personal Data to Places Outside Malaysia) Order 2017 (‘the Draft Order’), a ministerial order that, for the first time, provides a whitelist of countries deemed to maintain adequate standards of data protection by the Personal Data Protection Commissioner (‘the Commissioner’).
Adlin Abdul Majid, Partner at Lee Hishammuddin Allen & Gledhill, told DataGuidance, “Once the Draft Order is finalised and published in the Official Gazette, it would allow personal data to be transferred to the jurisdictions specified, without resorting to the conditions in Section 129(3) of the Personal Data Protection Act 2010 (‘PDPA’). [Under the Draft Order] the transfer of personal data to countries such as [those within] the European Economic Area, the UK, Australia and Singapore could therefore be done without having to resort to Section 129(3). This would undoubtedly facilitate the cross-border transfer of data from Malaysia.”
[T]o date, there has not been any [list of countries] published for this purpose
Prior to the Draft Order, organisations were limited in their data transfer solutions by the conditions stipulated under Section 129 of the PDPA, the provision governing cross-border transfers. As a general rule, Section 129 prohibits international transfers to jurisdictions that have not been approved and published in the Official Gazette by the Minister responsible for personal data, on the advice of the Commissioner, but it also provides exceptions, namely those under the third subsection.
Majid noted, “[T]o date, there has not been any [list of countries] published for this purpose. Therefore, businesses have been relying on conditions under Section 129(3) of the PDPA to transfer personal data outside Malaysia. These conditions include: (a) obtaining the consent of the data subject in relation to the transfer; or (b) taking all reasonable precautions and exercising all due diligence to ensure that the personal data is not processed outside Malaysia in any manner which would be a contravention of the PDPA. This can sometimes prove to be a burden to data users.”
The PDP is currently seeking comments on the Draft Order, noting that it is a ‘living document’ and also welcomes any suggestions to the criteria for determining whether a country is adequate. The Consultation is open for submissions until 4 May 2017.
Hernán Romero-Dutschmann | Privacy Analyst