This year has seen an unprecedented acceleration of digital transformation efforts, as businesses grasp at any sort of technology to stay afloat in what has generally been a miserable 2020.
In the rush to digitally transform, companies have taken to transferring untold amounts of data — a large chunk considered to be personally identifiable — to the cloud. This raises questions about their adherence to the Personal Data Protection Act 2010, the flagship legislation governing the collection, use and storage of personal data.
In recent months, Singapore’s Parliament proposed several key amendments to its own Personal Data Protection Act 2012. These amendments included a reporting requirement for data breaches, in addition to developing a tiered fine system that would increase proportionately relative to the offending company’s annual turnover in Singapore.
Digital Edge takes a look at the state of Malaysia’s own Personal Data Protection Act 2010 (PDPA).
1 The PDPA explained
The PDPA, in a nutshell, is meant to legislate protection around the collection, storage and usage of personal data collected by the private sector, according to lawyer Foong Cheng Leong. The public sector and, generally speaking, contractors operating on behalf of the government are exempt from the provisions of the PDPA.
“The laws require that any personally identifiable data, collected in the course of commercial transactions, be stored safely, along with additional requirements to be transparent about its use to individuals who provided the data in the first place.”
One key issue, however, has to do with a lack of clarity on what constitutes a “commercial transaction”, Foong says. While personal data collected in the course of completing a contractual agreement — for example, swiping a credit card or signing up for a broadband service — is protected under the PDPA, it is not certain what else, if anything, constitutes a commercial transaction in Malaysia.
“It is unclear, for example, in the case of a company that might be required to collect personal data, for security purposes, from individuals they don’t have a direct contractual or commercial relationship with. Right now, there isn’t much additional guidance from the Data Protection Commission, the body enacted by the PDPA to oversee administration and enforcement of the law.”
Besides regulating what businesses are allowed to do with personal data, the law also confers certain rights on so-called “data subjects”, the term used for anyone who can be identified from the personal data collected.
An individual, for example, has the right to withdraw the consent given to the “data user”, this being the entity that collected the personal data in the first place.
Failure by the data user to respect this request could attract fines, jail terms or both.
2 Reporting mandate required
The PDPA needs a reporting mandate to build greater accountability into Malaysia’s burgeoning data economy, says Sonia Ong, partner in the IT and technology practice of Wong & Partners. The law firm is a member of Baker McKenzie International.
“As things stand, the PDPA does not include a mandatory data breach reporting regime, either to regulators or to affected users,” Ong tells Digital Edge.
Earlier this year, the Data Protection Commission released a public consultation paper with a lengthy list of proposed amendments designed to build more accountability, and more bite, into the PDPA. Unfortunately, the rapid onset of the pandemic put paid to those plans, and the public consultation process has been on the back burner ever since.
“While there are quite a number of proposed amendments to the PDPA, I believe the two most crucial amendments are the reporting requirement, in addition to what is referred to as ‘privacy by design’.
“This is a proposed amendment aimed at creating a culture of appreciation of data privacy in all aspects of a business’ practices. It is very much a preventive measure, meant to minimise the risks of data breaches to begin with,” she says.
3 PDPA a work in progress
The groundwork has been laid, but the PDPA in its present form needs further amendment to make it a more effective deterrent, in addition to providing more safeguards for individuals.
According to Firmus Sdn Bhd chief technology officer Maneesh Chandra, while the enactment of the PDPA was a great first step, crucial updates have been delayed for far too long.
“While the law itself came into force in 2013 (and was passed in Parliament in 2010), it took a further four years for the overarching body, the Data Protection Commission, to be established. And there has been an extended period after that for the commissioner to get up to speed on the laws.”
A specific example, according to Maneesh, has to do with the general rule prohibiting the offshoring of any local personal data by any company in Malaysia. “The PDPA bars the offshoring of personal data, except for a so-called whitelist of jurisdictions that would be allowed to store personal data,” he tells Digital Edge.
Offshoring of data refers to the transfer of data from a home country data centre to that of a foreign jurisdiction. Meanwhile, the PDPA whitelist is meant to be a list of foreign jurisdictions that would be allowed to host personal data originating in Malaysia.
Checks by Digital Edge show that it has been at least three years since this whitelist was first made known. At press time, however, it remains empty.
This problem has been further exacerbated by the Covid-19 pandemic, which has forced much of the private economy into adopting cloud technology. “The nature of cloud networks is such that there is no guarantee that personal data will remain within the jurisdiction of a company that collected the data,” Maneesh says.
“In fact, it is entirely possible that the data is spread over multiple data centres, themselves located in multiple foreign jurisdictions.”
This is yet another concern, because Malaysia’s PDPA, unlike similar laws in other countries, applies only within Malaysia, rather than extending to any company anywhere in the world that ends up handling the personal data of Malaysians.
4 A cultural ignorance of civil liberties
Data privacy does not get much traction in Malaysia because Malaysians, generally speaking, are not as vocal as their Western counterparts about civil liberties.
“There is definitely a need to build more awareness about the importance of data privacy in Malaysia,” says Vernon Chua, CEO of enterprise data analytics start-up Innergia Labs Sdn Bhd.
“I wish more people realised that the seemingly innocuous act of receiving unsolicited phone calls from companies most likely amounts to a violation of one’s personal data.”
Chua believes that, unless more people in Malaysia speak up about their right to, and reasonable expectation of, data privacy, enforcement is going to be a challenge simply because so few would make a complaint in the first place.
When it comes to businesses, Chua advises leaders to adopt a data-centric version of the classical “golden rule”. “I would advise businesses to treat the data of others with the same respect as you would have others treat your own personal data.
“In addition, I would call on businesses, especially start-ups, to take some time to understand the provisions of the PDPA in Malaysia. There are already quite a lot of resources online that help simplify the law. As long as you adhere to the main principles laid out in the PDPA, you will be reasonably well-insulated from privacy risks.”
Finally, start-ups should periodically reevaluate their data capture, usage and storage protocols, while keeping in mind who in the company has access to such records.
“If you’re a start-up with just three founders, it stands to reason that all of you need to use the personal data. But as you expand and hire employees, be mindful of who it is you grant access to and put appropriate safeguards in place to minimise the risk of data breaches.”