This country-specific Q&A provides an overview of the Data Protection & Cyber Security laws and regulations that apply in Malaysia.
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
Personal Data Protection Act 2010
In Malaysia, the protection of an individual’s personal data is governed by the Personal Data Protection Act 2010 (PDPA). The PDPA is the main legislation governing privacy. It came into force on 15 November 2013, together with the introduction of the following subsidiary legislation:-
(a) Personal Data Protection (Fees) Regulations 2013;
(b) Personal Data Protection (Registration of Data User) Regulations 2013;
(c) Personal Data Protection (Class of Data Users) Order 2013; and
(d) Personal Data Protection Regulations 2013.
The PDPA 2010 regulates the processing of personal data in commercial transactions and applies to:-
(i) Any person who processes; and
(ii) any person who has control over or authorizes the processing of,
any personal data in respect of commercial transactions.
Pursuant to the Personal Data Protection (Class of Data Users) Order 2013, this regulatory framework covers sectors such as communications, banking and financial institutions, insurance, health, tourism and hospitality, transportation, education, direct selling, services, real estate, utilities, pawnbrokers and moneylenders. Further, compliance with the PDPA is necessary only if data users are “processing” personal data. Examples of activities considered to be “processing” include:-
(a) Collecting data through forms, by phone or via the web
(b) Publishing data
(c) Selling data
(d) Using administrative data
(e) Using data for marketing purposes
(f) Recording data
(g) Disclosing or providing data to other organizations
(h) Destroying data
The governing body that enforces this legal framework is the Department of Personal Data Protection under the Ministry of Communications and Multimedia Malaysia.
Financial Services Act 2013
A banker’s duty of secrecy in Malaysia is statutory as it is provided under the Financial Services Act 2013 (“FSA”). Section 133 of the Financial Institutions Act 2013 stipulates that “No person who has access to any document or information relating to the affairs or account of any customer of a financial institution, including— (a) the financial institution; or (b) any person who is or has been a director, officer or agent of the financial institution, shall disclose to another person any document or information relating to the affairs or account of any customer of the financial institution”.
Official Secrets Act 1972
The Official Secrets Act 1972 contains provisions which prohibit any person from taking or making any document, measurement, sounding or survey of or within a prohibited place, unless he proves that the thing so taken or made is not prejudicial to the safety or interests of Malaysia and is not intended to be directly or indirectly useful to a foreign country.
Competition Act 2010
Additionally, section 21 of the Competition Act 2010 provides that it is an offence to disclose or make use of any confidential information with respect to a particular enterprise or the affairs of an individual obtained by virtue of any provision in the Act. This, therefore, implies that business secrets procured by way of non-competitive and unlawful acquisition may fall under the said provision.
Computer Crimes Act 1997
Malaysia also has the Computer Crimes Act 1997, under which a person commits an offence if (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorized; and (c) he knows, at the time when he causes the computer to perform the function, that that is the case.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Requirements for Registration
Section 13 and Section 14 of the PDPA stipulate a formal registration system for several classes of data users. The Personal Data Protection (Class of Data Users) Order 2013 (hereinafter referred to as “the Regulations”) specifies the classes of data users that must be registered under the said Act. The main classes are:
Banking and financial institutions
Tourism and hospitalities
The steps to be taken for the purposes of registration can be found in the Personal Data Protection (Registration of Data Users) Regulations 2013. Upon submission, a receipt acknowledgment slip will be provided and the Data User will receive a notification of the approval of the registration via email. A registration fee of RM 200 (USD 50) is payable within 21 days of receipt of the notification of approval of registration via email.
Once registration is complete, the Data User will receive a Certificate of Registration. Obtaining the certificate of registration is akin to applying for a licence to carry on business operations, except that in this case it is a licence to process personal data. This Certificate is valid for two years, after which it is renewable.
The renewal shall be made three months before the expiry of the Certificate of Registration for a fee of RM 200 (USD 50).
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
“Personal Data” has been defined in the PDPA as any information in respect of commercial transactions, which-
(a) Is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) Is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c) Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2009.
Sensitive personal data, on the other hand, is defined as personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, or any other personal data as the Minister may determine by order published in the Gazette.
The PDPA defines the ‘Data Subject’ as the individual who is the subject of the Personal Data, whereas a ‘Data User’ is a person who, either alone or jointly with other persons, ‘processes’ Personal Data, or has control over or authorizes the processing of any Personal Data.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
A data user shall not process personal data unless the consent of the data subject has been given, pursuant to Section 6(1)(a) of the PDPA 2010. According to the Personal Data Protection Regulations 2013, the burden of proof for such consent lies on the data user (Regulation 5). Section 6(2) of the PDPA provides that a data user may process personal data without consent if the processing is necessary:
(i) for the performance of a contract to which the data subject is a party;
(ii) in order to take steps at the request of the data subject prior to entering into a contract;
(iii) in order to comply with a legal obligation (other than one imposed by contract);
(iv) to protect the vital interests of the data subject;
(v) for the administration of justice; or
(vi) for the performance of a function conferred by or under other laws.
Pursuant to Section 6(3) of the PDPA, personal data shall not be processed unless:-
(i) The personal data is processed for a lawful purpose directly related to an activity of the data user;
(ii) the processing of the personal data is necessary for or directly related to that purpose; and
(iii) the personal data is adequate but not excessive in relation to that purpose.
The data subject has to be made aware of, amongst other things, the types of personal data collected, the purposes for which it is collected, the source of the personal data, the rights of the data subject and how to exercise those rights, as well as the class of third parties to whom the data user discloses or may disclose the personal data. The PDPA does not specify the level or form of consent that must be obtained. Regulation 3(1) of the Personal Data Protection Regulations 2013 does, however, stipulate that consent shall be obtained from the data subject in relation to the processing of personal data in any form that can be recorded and maintained properly by the data user. This means that the form of consent may vary not only from case to case but also between implied and explicit consent, explicit consent being required where sensitive personal data is processed.
Hence, the key test will be the ability to demonstrate that consent exists or has been given by the data subject. In this context, it is important for data users to ensure that a data subject is fully aware of and understands the purposes for which his/her data are being processed. Consent can be understood to have been given when individuals do not object and instead volunteer their personal data after the purposes of processing have been clearly explained.
A clear explanation by trained staff of the data user is therefore necessary to prove that consent was obtained from the data subject after the purposes of processing his/her data had been explained to him/her.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
The conditions for processing sensitive personal data are listed in Section 40(1) of the PDPA:
(a) The data subject has given his explicit consent to the processing of those personal data;
(b) processing is necessary:-
(i) For the purposes of exercising any rights or obligations which are conferred or imposed by law on the data user in connection with employment;
(ii) to protect the vital interests of the data subject or of another person where (A) consent cannot be given by or on behalf of the data subject; or (B) the data user cannot reasonably be expected to obtain the consent of the data subject;
(iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
(iv) for medical purposes and is undertaken by-
(A) a healthcare professional; or
(B) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;
(v) for the purpose of, or in connection with, any legal proceedings;
(vi) for the purpose of obtaining legal advice;
(vii) for the purposes of establishing, exercising or defending legal rights;
(viii) for the administration of justice;
(ix) for the exercise of any functions conferred on any person by or under any written law; or
(x) for any other purposes as the Minister thinks fit; or
(c) The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
How do the laws in your jurisdiction address children’s PII?
Regulation 3(3) of the Personal Data Protection Regulations 2013 requires that, for data subjects under the age of 18, a data user shall obtain consent in relation to the processing of personal data from the parent, guardian or person who has parental responsibility for the data subject.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Section 44 of the PDPA requires a data user to keep and maintain records of any application, notice, request or any other information relating to personal data processed by him. Further, the PDPA regulations provide that consent collected has to be in a form that can be maintained by the data user, and any consent obtained should be presented in a manner distinguishable in its appearance from other matters. Regulation 5 of the Personal Data Protection Regulations 2013 requires a data user to keep and maintain a list of disclosures to third parties in relation to personal data processed by him.
Nonetheless, it is noted that Section 10 of the PDPA requires that personal data must not be kept longer than is necessary for the fulfilment of the purpose for which it was to be processed. Essentially, a data user has the duty to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for that purpose. In light of Regulation 7 of the Personal Data Protection Regulations 2013, the Commissioner has set out a retention standard in the Personal Data Protection Standard 2015, under which certain considerations have to be taken into account when destroying personal data, such as requirements in other legal provisions, maintaining a periodic record of personal data disposal, and a 24-month disposal schedule for inactive personal data. It is, however, noted that the PDPA does not apply to a data processor.
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
Referring to Section 26(2) of the PDPA, consultation with the Commissioner is conducted before a code of practice is revised, wherein the Commissioner would consult with the relevant body representative of the data users to which the code of practice applies. Section 14(2) of the PDPA requires the Commissioner to hold similar consultations with bodies representative of the data users concerned before making his recommendation relating to the class of data users to be subjected to registration under the PDPA.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
The Personal Data Protection Standard 2015 prescribes a minimum list of security standards for data processed electronically, and requires a data user to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Among other things, the use of removable media devices for storing personal data is not permitted without written approval from the top management of the organisation. Further, there are several sector-specific standards and guidelines which require organisations to apply security measures.
For example, the Central Bank of Malaysia spells out in its policy document on the Management of Customer Information and Permitted Disclosures that all Financial Service Providers (FSPs) must identify potential threats and vulnerabilities that can result in theft, loss, misuse, or unauthorised access, modification or disclosure by whatever means. The policy document also states that FSPs must assess the likelihood that such threat and vulnerability will materialise and the potential impact it will have on the FSP and its customers in the event a customer information breach occurs.
Threats and vulnerabilities to customer information can be internal or external and could be due to negligence or deliberate act of any person. The risk assessment by FSPs must be proportionate to the size, nature and complexity of the FSP’s operations as well as the amount and sensitivity of customer information held. FSPs may leverage on existing arrangements, functions or tools that have a similar focus on managing risk to the confidentiality and security of customer information.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
Currently, Malaysian law does not require that data users appoint a data protection officer.
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Section 7 of the PDPA requires data users to make available a written notice to data subjects prior to or as soon as possible after the collection of their personal data.
It specifically requires data users to provide data subjects with a privacy notice stating:
(a) That personal data of the data subject is being processed by the data user and providing the data subject with a description of the personal data being processed by the data user;
(b) Purpose for which the personal data is being collected and processed;
(c) Source of the personal data;
(d) Data subject’s right to access and correct the personal data and the contact details to which a data subject may send the data access and/or correction request;
(e) Class of third parties the personal data is disclosed or may be disclosed to;
(f) Choices and means available to the data subject to limit the processing of his/her personal data;
(g) Whether it is obligatory or voluntary for the data subject to provide the personal data; and
(h) Where it is obligatory personal data, the consequences of failing to provide such obligatory personal data.
The aforementioned written notice shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.
Further, the means of communication to serve such notice is to be determined by data users which can be done by any means deemed effective, such as posting an online privacy notice to the general public, including it in a service application form for new customers, and providing it in a portal for existing customers, as reflected in a brochure of “A Quick Guide to Privacy Notice” published by the Commissioner.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
Under Section 2, the PDPA applies to any person who processes, as well as any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
There are no provisions addressing the contractual obligations and restrictions with service providers.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)
Section 129 of the PDPA prohibits transfer of personal data outside Malaysia, unless to such places specified by the Minister by notification published in the Gazette (to date, no places have been specified by the Minister), or if it falls under one of the exceptions in Section 129(3):
a. the data subject has given his consent to the transfer;
b. the transfer is necessary for the performance of a contract between the data subject and the data user;
c. the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which-
(i) is entered into at the request of the data subject; or
(ii) is in the interests of the data subject;
d. the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
e. the data user has reasonable grounds for believing that in all circumstances of the case-
(i) the transfer is for the avoidance or mitigation of adverse action against the data subject;
(ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and
(iii) if it was practicable to obtain such consent, the data subject would have given his consent;
f. the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this Act;
g. the transfer is necessary in order to protect the vital interests of the data subject; or
h. the transfer is necessary as being in the public interest in circumstances as determined by the Minister.
In practice, businesses generally obtain consent of the data subject to allow for transfers to be made outside Malaysia.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
Security principles are set out in Section 9 of the PDPA and Regulation 6 of the Personal Data Protection Regulations 2013:-
Personal Data Protection Act 2010, Section 9
A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard-
(a) to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
(b) to the place or location where the personal data is stored;
(c) to any security measures incorporated into any equipment in which the personal data is stored;
(d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
(e) to the measures taken for ensuring the secure transfer of the personal data.
Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor-
(a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
(b) Takes reasonable steps to ensure compliance with those measures.
Personal Data Protection Regulations 2013, Regulation 6
(1) The data user shall develop and implement a security policy for the purposes of section 9 of the Act.
(2) The data user shall ensure that the security policy referred to in subregulation (1) complies with the security standard set out from time to time by the Commissioner.
(3) The data user shall ensure that the security standard in the processing of personal data is complied with by any data processor that carries out the processing of the personal data on behalf of the data user.
Does your jurisdiction impose requirements of data protection by design or default?
The PDPA applies to all data users processing any personal data in respect of commercial transactions, hence the requirements therein are imposed by default.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
There are no provisions addressing security breaches.
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
Both the Commissioner and the judicial system are involved in enforcing the PDPA. The Commissioner is required under the PDPA to implement, monitor and supervise compliance with the PDPA provisions. Section 108 of the PDPA requires the Commissioner to issue an enforcement notice directing data users to take the necessary steps to remedy any contravention and to cease processing personal data pending the remedy of the contravention by the data user.
In the event there is reasonable belief that any premises have been used for the commission of an offence, or reasonable belief that a person has committed or is attempting to commit an offence under the PDPA, an authorized officer appointed by the Commissioner is required to investigate, search and seize such premises and/or arrest such person. Further, the prescribed penalties for violations of the PDPA consist of fines and/or imprisonment. The fines range between RM 10,000 and RM 500,000, whereas imprisonment may be imposed for a term of up to a maximum of 3 years.
Apart from this, Section 93(1) of the PDPA allows aggrieved PII owners (data users) to appeal to the Appeal Tribunal against the decisions of the Commissioner, relating to:
(a) Registration of data users
(b) Refusal to register a code of practice
(c) Service of an enforcement notice
(d) Refusal to vary or cancel an enforcement notice
(e) Refusal to conduct or continue an investigation that is based on a complaint made
Subsequently, if data users are not satisfied with the decision of the Appeal Tribunal, they may proceed to file for judicial review of the decision in the Malaysian High Court, as stated on the official website of the Department of Personal Data Protection and in the brochure “What You Need to Know? – Personal Data Protection Act 2010?” published by the Ministry of Communications and Multimedia Malaysia.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The PDPA does not apply to the Federal and State Governments, non-commercial transactions, data processed for credit reporting business purposes, personal data processed outside Malaysia, and data collected solely for personal purposes.
Further, Section 45 of the PDPA exempts certain processing of personal data from compliance with certain Principles:
(a) For purposes of personal, family or household affairs – Total exemption.
(b) For purposes of investigations, prosecution of offenders, or assessment and collection of tax or other similar imposition – Exempted from General, Notice and Choice, Disclosure, and Access Principles.
(c) In relation to physical or mental health – Exempted from Access Principle.
(d) For purposes of research and statistics – Exempted from General, Notice and Choice, Disclosure, and Access Principles.
(e) For purposes of any court order or judgment – Exempted from General, Notice and Choice, Disclosure, and Access Principles.
(f) For purposes of discharging regulatory functions – Exempted from General, Notice and Choice, Disclosure, and Access Principles.
(g) For journalistic, literary or artistic purposes – Exempted from General, Notice and Choice, Disclosure, Retention, Data Integrity, and Access Principles.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
There are no provisions which define or restrict the use of tracking technologies such as cookies.
Please describe any laws addressing email communication or direct marketing?
Section 43 of the PDPA provides the data subject with a right to prevent processing for purposes of direct marketing. The section states that:
(1) A data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his personal data for purposes of direct marketing.
(2) Where the data subject is dissatisfied with the failure of the data user to comply with the notice, whether in whole or in part, under subsection (1), the data subject may submit an application to the Commissioner to require the data user to comply with the notice.
(3) Where the Commissioner is satisfied that the application of the data subject under subsection (2) is justified or justified to any extent, the Commissioner may require the data user to take such steps for complying with the notice.
(4) A data user who fails to comply with the requirement of the Commissioner under subsection (3) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
(5) For the purposes of this section, “direct marketing” means the communication by whatever means of any advertising or marketing material which is directed to particular individuals.