Transfers of personal data from Malaysia: understanding the requirements of the Personal Data Protection Act 2010
June 2014 | EXPERT BRIEFING | DATA PRIVACY
After years in the making, the Malaysian Personal Data Protection Act 2010 (PDPA) came into force on 15 November 2013. The PDPA is the first data protection legislation passed in the Southeast Asian region, paving the way for similar legislative developments elsewhere in Southeast Asia.
Does the PDPA apply to your organisation?
In essence, the PDPA governs the processing of personal data in commercial transactions. The PDPA's definition of ‘personal data’ does not differ much from the definitions adopted in most other jurisdictions: it is information that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that information together with other information in the possession of a data user.
The term ‘commercial transaction’ is defined in a simple manner, as “any transaction of a commercial nature, whether contractual or not…” and the examples given on what constitutes commercial transactions include matters that relate to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
Given the broad definition of commercial transactions, especially the phrase “supply or exchange of goods or services”, most business entities would be considered to be involved in the processing of personal data in commercial transactions. The phrase would also cover employment relationships, bringing most, if not all, companies within the ambit of the PDPA.
Section 2(2) of the PDPA states that the PDPA applies to a person who is “established in Malaysia” or if the person is not established in Malaysia, if he uses “equipment in Malaysia” to process personal data for purposes other than for transit through Malaysia.
Who then is considered to be established in Malaysia? Such persons include individuals whose physical presence in Malaysia is not less than 181 calendar days; a body incorporated under the Malaysian Companies Act 1965; a partnership or incorporated association established under Malaysian law; and those who maintain in Malaysia an office, branch or agency through which they carry on any activity or regular practice.
Given the above, even a company that is not itself present in Malaysia would most likely be required to comply with the PDPA if it either has a branch or agency carrying out activities in Malaysia, or uses equipment in Malaysia to process personal data (for purposes other than transit through Malaysia).
Compliance with the PDPA
At the core of compliance with the PDPA are the following seven principles:
General Principle. Consent is required for the processing of personal data. In addition, personal data cannot be processed unless it is processed for a lawful purpose; the processing is necessary for or directly related to that purpose; and the personal data processed is adequate and not excessive in relation to that purpose.
Notice and Choice Principle. A written notice, in both the national language (Bahasa Malaysia) and English must be served on data subjects. The notice must state, amongst other things, the types of personal data collected and the source of the personal data, the purposes of processing, the rights of the data subject and how to exercise the said rights.
Disclosure Principle. Personal data should not be disclosed for purposes other than the purpose for which it was collected, or a purpose directly related to it; nor to third parties other than the class of third parties stated in the notice issued pursuant to the Notice and Choice Principle.
Security Principle. Data users are required to maintain reasonable security standards to prevent any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction of personal data.
Retention Principle. Personal data should not be kept for a period that is longer than is necessary to fulfil the purpose it was collected for. Data users must take all reasonable steps to ensure that personal data is destroyed or permanently deleted once the period has lapsed.
Data Integrity Principle. Data users must take reasonable steps to ensure that personal data is accurate, complete and not misleading.
Access Principle. All data subjects have a right to access their personal data, and correct it. Data users must respond within 21 days to access requests by data subjects and/or their authorised representatives.
Malaysian law also recognises ‘sensitive personal data’, which is defined to include personal data relating to the mental and physical health of a data subject, his political opinions, his religious beliefs and the commission or alleged commission of any offence. Sensitive personal data can only be processed if certain specific requirements are met, namely, if the explicit consent of the data subject has been obtained; if the processing is necessary pursuant to one of the circumstances under section 40(1)(b) of the PDPA (which include processing for medical purposes or for legal proceedings); or if the data subject has deliberately made the information public.
Transfer of personal data from Malaysia
Given the nature of business in the current global climate, the cross-border transfer of personal data is almost inevitable. The transfer of personal data, whether that of employees, customers, directors or even consultants, will occur fairly frequently between offices, branches and other relevant third parties. As such, it is important to understand the circumstances in which personal data may be transferred out of Malaysia.
A company may only transfer personal data out of Malaysia if the country is specified by the minister in charge of data protection (currently the Minister of Communication and Culture) and is then published in the Gazette.
However, if a country is not published in the Gazette, the transfer may still be carried out if a data user meets one of the requirements in section 129(3) of the PDPA, consent of the data subject being one of them. In this regard, as the transfer of personal data outside Malaysia is a fairly common practice in the carrying out of an organisation's business activities, it would be advisable for organisations to obtain the consent of data subjects to the transfer when they first collect the personal data, particularly when the organisations are seeking consent generally to the processing of personal data.
Transfers of personal data outside Malaysia can also be carried out, for example, if the transfer is necessary for the performance of a contract between the data user and a data subject, or to protect the vital interests of the data subject, or if the transfer is done for public interests.
Further, personal data can also be transferred out of Malaysia where the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in the place of transfer in any manner which, if that place were Malaysia, would be a contravention of the PDPA. In practical terms, one way to be able to rely on this exemption is for the data user to enter into an agreement with the party to which it transfers data, with the transferor imposing obligations on the transferee to process the personal data in a manner that complies with the principles of the PDPA.
A data user should also remember that the principles of the PDPA must still be complied with when transferring personal data. Security of personal data is an issue that has been at the top of the list of concerns of data protection regimes throughout the world. Much like in other jurisdictions, in transferring personal data out of Malaysia, the Security Principle would have to be adhered to. Specifically for transfers to data processors overseas, a data user must ensure that the data processor provides sufficient guarantees in respect of technical and organisational security measures in place to ensure the security of the data. The data user must also ensure that the data processor takes reasonable steps to comply with such measures.
A company must also take into account the fact that the transfer of personal data would trigger the application of the Disclosure Principle under the PDPA, as the personal data is being disclosed to a third party. The notice given to data subjects should adequately inform the data subjects of the said disclosure.
Financial penalties, which are the norm in most data protection regimes, are also found in the Malaysian PDPA. Monetary sanctions include fines of up to RM500,000, which is no paltry sum, especially given that a company would not only be fined but would also suffer reputational damage and loss of revenue. In addition, the PDPA also provides for imprisonment terms of up to three years for officers of a company, including its directors, chief executive officer and chief operating officer, if the company is found to have committed an offence under the PDPA.
Companies impacted by the PDPA, and those that frequently transfer personal data out of Malaysia will have to take serious note of the provisions and the relevant penalties attached to the transfer of personal data from Malaysia. A breach of the overseas transfer provision, section 129, will incur a fine of up to RM300,000 and/or jail time of up to two years. Given that there is no list of ‘green-light’ countries, it would seem that the safest option for a data user in the transfer of data overseas is by obtaining consent from data subjects for the said transfer, or entering into data transfer or data processing agreements that take into account the requirements in the Malaysian legislation.
While it may not be business as usual, and business processes will need to be reviewed and revised in light of the new law, the PDPA does assure companies of legislative protection for personal data that has been transferred into Malaysia, thus minimising breaches of the data protection laws of other countries in which they operate. The PDPA may be data-subject-friendly legislation, but it is also one that never unfairly burdens the data user. In fact, it is hoped that the PDPA will make Malaysia a far more attractive business destination, given its initiative in joining the global effort to protect personal data.
Adlin Abdul Majid is a partner, and Lyssa Loh Lee Keen and Tharishni Arumugam are associates, at Lee Hishammuddin Allen & Gledhill.
© Financier Worldwide