In February this year, the Data Protection Commission under the then Pakatan Harapan-led government issued a public consultation paper to seek feedback from the general public on the proposed changes to the Personal Data Protection Act 2010 (or the PDPA).
The PDPA is the principal law that sets out our personal data protection laws.
The consultation paper set out over 23 new changes to the existing personal data protection laws on which the regulator is seeking feedback from the public. The topics include enhancing the protection of customers' personal data, including compulsory reporting of data breach incidents and expanding the rights of customers, as well as greater flexibility when it comes to cross-border personal data transfers, especially those involving cloud services.
The public consultation started in mid-February and ended in the same month. To date, the regulator has not published any update on its website.
But in August this year, the Deputy Communications and Multimedia Minister Datuk Zahidi Zainul Abidin under the new Perikatan Nasional-led government said that Putrajaya is still studying the proposed changes to the PDPA.
He told Parliament that the relevant agencies and parties are still “in the discussion stage” and that “any decision to make changes will be decided by the Cabinet” (on whether to amend the laws).
The status quo in Malaysia
The Personal Data Protection Act 2010, commonly referred to as the PDPA, sets out personal data protection laws that are derived from the European Union’s Data Protection Directive. The PDPA was passed by Parliament in 2010 and only came into force in 2013.
The public consultation paper sets out over 22 proposed changes to the existing PDPA. The proposed items range from the appointment of a Data Protection Officer (a dedicated person in a company to handle personal data protection matters) and reporting obligations for data breaches, to cross-border personal data transfers, especially those involving offshore cloud services. A full copy of the consultation paper discussing the proposed changes can be found on the Personal Data Protection Commission website.
On a side note, the PDPA is not a dedicated statute when it comes to addressing privacy per se. Rather, the PDPA is aimed at setting out requirements for companies when it comes to handling personal data. Still, there are several concepts that may overlap with and apply to privacy matters, such as obtaining express consent for the use of specific personal data.
Why do we need a revised PDPA?
Many of us will remember the data leak affecting over 46.2 mil phone numbers in 2017. Many Malaysians only found out that their personal details were up for sale when they read in the news that someone was trying to sell the leaked data on a local online forum.
Under the status quo, the existing PDPA does not provide for any data breach reporting requirements. In other words, a company that has suffered a data breach is not obliged to report it to the regulator or even to the affected users. From this perspective, the public cannot necessarily be blamed for the concerns they have raised about the current use of the MySejahtera app to record their visits to shops and the like.
In the consultation paper, the regulator is seeking to incorporate several new measures to enhance personal data protection, including mandatory reporting requirements for companies when it comes to data breaches. If a company suffers a data leak, the company needs to report it to the regulator. But the current consultation paper is silent on whether customers need to be informed as well.
Cultivating ‘privacy by design’ culture
To ensure personal data are protected, the regulator also intends to introduce a ‘privacy by design’ framework that companies must comply with as part of the new requirements.
To summarise, ‘privacy by design’ refers to a concept where companies place privacy at the forefront of their business objectives and projects. This concept is crucial to cater to the demands of emerging online and digital businesses that rely heavily on data and artificial intelligence. Social platforms and streaming websites now make recommendations and suggestions to users, such as what songs to listen to or what videos to watch. So the privacy of their customers should not be an “afterthought” but rather an integral part of the overall business model.
From a regulator’s perspective, this also means that compliance is not just another ‘box-ticking’ exercise but should be viewed in a “holistic” manner. To recap, when designing a digital or online platform, the technology company also needs to look at its overall business model to ensure that privacy is incorporated when developing its overall architecture. This concept is similar to existing principles adopted by other mature jurisdictions, such as those in the European Union’s General Data Protection Regulation (GDPR).
There are many more proposed changes set out in the consultation paper, such as enhancing the flexibility for companies to transfer or exchange personal data with cloud servers outside Malaysia. Anyone passionate about privacy issues should run through the consultation paper, especially technology enthusiasts and business owners, as technologies become more pervasive.
Some final thoughts
The protection of customers and their personal data should be the ultimate goal for the regulators in the proposed revisions to the PDPA. But at the same time, the regulations should not be too strict, as they may stifle innovation. Additionally, stricter requirements are also likely to increase compliance costs and financial burdens, especially for early-stage startups and small businesses. So the government needs to strike a balance between protecting customers’ trust and promoting innovation.
* Izwan Zakaria is a lawyer and managing partner of Izwan & Partners ([email protected]).