Commissioner issues Consultation Paper on Personal Data Protection Act 2010
18 February 2020
As part of an ongoing review of the Personal Data Protection Act 2010 (‘PDPA’), the Personal Data Protection Commissioner (‘Commissioner’) of the Ministry of Communications and Multimedia Malaysia has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010
(‘PC01/2020’) dated 14 February 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020.
Briefly, the issues for which feedback is sought are as follows –
- Extension of obligations to data processors
The PDPA does not presently impose direct obligations on data processors. The Commissioner is considering to directly regulate data processors.
The Commissioner seeks feedback on introducing a direct obligation on data processors under the PDPA and to require them to be registered with the Commissioner.
- Data portability
Data portability is a concept that gives individuals the right to obtain and reuse their data for other purposes across different services. It is a right for a data subject to get access to his data in a structured machine-readable format which can be transferred from one data user to another to obtain services.
As part of its study to determine whether the right to data portability should be introduced into the PDPA, the Commissioner seeks feedback on the proposed approach of the right to data portability and the impact of such right being introduced in Malaysia.
- Appointment of Data Protection Officer
The Commissioner is considering introducing an obligation in the PDPA for a data user to appoint a Data Protection Officer (‘DPO’) and to introduce a guideline pertaining to DPOs. The former is in line with the requirements in the European Union and Singapore.
Feedback is sought on the requirement to appoint a DPO and the elements to be included in the guideline pertaining to DPOs.
- Reporting of data breach
The Commissioner proposes to introduce a provision in the PDPA to make it mandatory for a data user to report a data breach incident and to introduce a guideline on the reporting mechanism for data breach. According to PC01/2020, the European Union, the Philippines and North Korea impose a mandatory notification requirement on data users to inform their respective data protection commissioners of any data breach incident.
Feedback is sought on the proposal to introduce this obligation, the elements to be included in the proposed guideline on the reporting mechanism for data breach and the impact of requiring all data users to report data breaches in their organisations.
- Clarity in the consent of data subject
Section 6 of the PDPA stipulates the requirement for consent of a data subject for the processing of his personal data or sensitive personal data. The Commissioner notes that the requirement for consent is mixed with incidental requirements such as the purpose and limits imposed on the processing of a data subject’s personal data. In line with the requirements in the European Union and Singapore, the Commissioner is considering redrafting section 6 to add clarity to on the consent subject matter.
The Commissioner seeks feedback on its proposal to amend section 6 to add clarity to the data subject’s consent, whether it should be in a specific provision and the impact of having a default consent.
- Transfer of personal data to places outside Malaysia
Section 129 of the PDPA prohibits the transfer of personal data to a place outside Malaysia unless such place is specified by the Minister by notification in the Gazette. The Commissioner notes that no such whitelist has been issued and gazetted thus far. The Commissioner observes that a clear provision and the conditions for transferring personal data to places outside Malaysia are essential to facilitate e-commerce transactions and free trade agreements and opines that a whitelist appears to curb and set a barrier for data users to transfer personal data to places outside Malaysia.
The Commissioner seeks feedback on its proposal to remove the whitelist provision from the PDPA and the impact of removing the whitelist from section 129.
- Implementing privacy by design
Privacy by design is a concept that integrates privacy into the system life cycle built by a data user. According to the Commissioner, the concept is an emerging method of proactive security measure by a data user to reduce the risk of data breaches.
The Commissioner is considering a proposal to instruct that any new system is required to apply privacy by design and to issue a guideline on the mechanism. In furtherance of this proposal, the Commissioner seeks feedback on the proposed implementation of privacy by design requirements on a data user, the impact of making this concept mandatory to all data users and the elements to be considered in preparing the privacy by design guideline.
- Do Not Call Registry
Following Singapore’s data privacy law which has clear provisions on ‘Do Not Call Registry’ (‘DNCR’), the Commissioner is considering the introduction of DNCR provisions into the PDPA to enable a data subject to opt out from receiving unsolicited direct marketing materials. The points to be considered include the proposal to require each data user to establish a DNCR and the impact of having DNCR in Malaysia.
- Right of data subject to know third party to whom personal data is disclosed
Regulation 5 of the Personal Data Protection Regulations 2013 requires a data user to maintain a list of disclosure to third parties which, if required under regulation 14(2)(c) of the aforesaid Regulations, must be shown to authorised officers of the Commissioner’s office during an inspection its personal data system.
The Commissioner is considering adopting the requirements in the European Union which gives a data subject the right of access to know any third party to whom his personal data has been or will be disclosed by a data user. The Commissioner seeks feedback on the foregoing proposal and the important elements to be considered in the implementation and enforcement of such right.
- Civil litigation against data user
The Commissioner proposes to follow the data protection laws of jurisdictions like the European Union, Singapore, Macau and North Korea by introducing a specific provision stating the right of a data subject to commence civil litigation against a data user.
- Addressing privacy issues from data collection endpoints
The Commissioner is considering issuing a clear policy regarding endpoint security which uses technology like encryption to reduce risks of a data breach incident. In this regard, PC01/2020 seeks public consideration of technological advancement and personal data protection, other technologies that may contribute to the vulnerability of personal data protection and the important elements to be considered in preparing endpoint security policy.
- Application of the PDPA to Federal and State Governments
Presently the PDPA applies to statutory bodies but not to the Federal Government and State Governments. Whilst acknowledging that a massive study is required to consider whether the PDPA is to be extended to the Federal Government and State Governments, the Commissioner is considering issuing a guideline to statutory bodies to clarify the latter’s compliance with the PDPA.
Issues highlighted by the Commissioner for consideration in PC01/2020 are the extension of the PDPA to the Federal Government and State Governments and the impact if they are exempted from complying with the provisions of the PDPA.
- Exchange of personal data for data user with an entity located outside Malaysia
The Commissioner acknowledges that data users with overseas branches may need to exchange information with the branches at some point. Presently the PDPA does not prohibit the transfer of personal data if the requirements of section 129 are complied with.
The Commissioner is considering issuing a guideline on the mechanism and implementation of cross border data transfer and seeks feedback on the important matters to be considered in the proposed guideline.
- Exemption of business contact information from compliance with PDPA
Business cards often display personal data, such as the name and contact number of an individual. Singapore exempts business contact information from compliance with their personal data protection laws.
The Commissioner is considering issuing a guideline to clarify the status of business contact information. To this end, it seeks public consideration of the use of business contact information, the impact of exempting such information from compliance with the PDPA and the elements to be considered in preparing the guideline for the use of business contact information.
- Disclosure of personal data to government regulatory agency
Section 39(b) of the PDPA permits a data user to disclose personal data of a data subject if the disclosure is required for the purposes of crime prevention or detection or for investigations or is required or authorised by law or court order.
The Commissioner is considering issuing a guideline to clarify and assist data users to understand the level of disclosure to government regulatory agencies; and seeks feedback as to the elements to be considered in preparing such a guideline.
- Class of data user based on business activity
Presently, the 13 classes of data users which are required to register with the Commissioner are based on sectors and the laws that govern the respective industries. Data users that do not fall into those 13 classes of data users are not required to register but are still required to comply with the PDPA.
The Commissioner proposes that classes of data users be based on business activities and seeks public feedback on the impact in compliance if data users are classified according to business activities, such health and beauty, and food and beverages.
- Voluntary registration
The PDPA does not contain any provision that permits data users other than those within the 13 classes of prescribed data users to register with the Commissioner.
The Commissioner has asked the public to consider voluntary registration by data users and the impact if all data users in Malaysia are required to register with the Commissioner.
- Application of PDPA to non-commercial activity
The PDPA only regulates the processing of personal data in commercial transactions.The data protection laws in certain jurisdictions, such as the European Union, Philippines, Japan and North Korea, regulate both commercial and non-commercial transactions.
The Commissioner has asked the public to consider a proposed extension of the PDPA to non-commercial transactions and the impact of extending the PDPA to such transactions.
- Application of PDPA to data users outside Malaysia which monitor Malaysian data subjects
Presently the PDPA does not apply to personal data processed outside Malaysia unless it is intended to be processed further in Malaysia. The Commissioner has sought consideration by the public on the extension of the application of the PDPA to data users outside Malaysia who monitor and do profiling of Malaysian data subjects.
- Mechanism to unsubscribe from online service
The Commissioner is considering issuing a guideline to data users on the mechanism of digital and electronic marketing. The Commissioner has sought feedback on a proposed requirement for a data user to provide a clear mechanism for the data subject to unsubscribe from online services and the elements to be considered in preparing the guideline on processing personal data in digital and electronic marketing.
- Data users allowed to make first direct marketing call
Section 43 of the PDPA confers the right on a data subject to prevent the processing of his personal data for direct marketing.
The Commissioner is considering issuing a guideline on the implementation of direct marketing for data users. Feedback from the public is sought as to whether a proposed data user is allowed to make the first direct marketing call to the data subject, the use of the ‘opt-out’ method and the important elements to be considered in the preparation of the guideline.
- The processing of personal data in cloud computing
There are no provisions in the PDPA that regulate cloud service providers. The Commissioner is considering issuing a guideline on the usage of cloud computing for data users.
The Commissioner seeks views from the public on cloud services providers, the impact if there are no contractual clauses on personal data protection between the data user and its appointed cloud service provider, and the scope of the guideline on the use of cloud computing.
All feedback on PC01/2020 should be received by the Commissioner by 28 February 2020.
PC01/2020 contains proposals that, if implemented, will substantially update and extend the application of data protection laws in Malaysia. While the extension of protection for data subjects is a welcomed objective, it is to be acknowledged that some of the proposed measures will significantly increase compliance costs, especially for small businesses. It is hoped that the Commissioner will be able to achieve a balance between protecting data subjects and imposing undue financial burdens on data users which are small businesses.
Please contact our Ms Jillian Chia (Partner) at firstname.lastname@example.org or Ms Natalie Lim (Partner) at email@example.com if you have any feedback or comments on the proposals in PC01/2020.