News & Views

In October 2017, it was revealed that some 46.2 million mobile phone subscriber accounts were stolen from a variety of Malaysian telcos as a result of hacked servers maintained by them. This raised concerns that despite personal data protection laws being in force, Malaysian telcos were not providing adequate security and protection of personal data processed by them. It also raised questions on the adequacy of these laws and the ability of regulators to monitor and enforce the law.

In the era of digital online technology, data and information are processed and stored almost continuously and often in ways that most people are unaware. Malaysia’s Communication and Multimedia Minister, Gobind Singh Deo also recognised recently that data protection laws would have to be revamped so that they are “on par with European Union’s General Data Protection Regulation (GDPR)”.

Broadly speaking the PDPA regulates personal data by the application of 7 principles that ensure personal data cannot be collected without adequate consent and that a data subject is informed about the collection, processing, use, retention and storage of his personal data, and that there is data integrity, meaning that data collected and stored must be sufficiently accurate. Consent may be avoided in circumstances of legal, medical and practical necessity. Special and more stringent provisions apply to the collection of sensitive personal data.

Data users must also, under the security principle, ensure that steps are taken to protect personal data from loss, misuse, modification, unauthorised or accidental  access or disclosure, or destruction.  It was unclear what level of security would have met the requirement of the PDPA and therefore, the Personal Data Protection Standard 2015 was gazetted to provide a degree of guidance in this regard. However given the hacked telcos servers and the extensive loss of personal data, it is clear that these standards would require further refinement and elaboration. The difficulty would be finding a security standard or protocol that fits all categories of technology,  or establishing comprehensive standards for all industries and types of data processing.

Despite these seemingly comprehensive protections under the PDPA, the PDPA falls short of expectation in several other areas.

Limited meaning of Personal Data

The PDPA provides a specific definition for “personal data” which, contrary to popular assumption, does not encompass all private or personal information but rather is limited to information in respect of a commercial transaction that is processed by equipment operating automatically in response to instructions or is recorded with the intention that it should be so processed or recorded as part of a filing system. The information must also relate to a data subject and must be capable of identifying a person or from that and other information in the possession of the data user. Such information would clearly include names, addresses, identification card/passport numbers, email addresses, telephone numbers, as well as banking details. Where data comprises aggregated information either of a generic or non-specific nature, this may not enjoy the protection of the PDPA.

The fact that the PDPA only applies to personal data in respect of a commercial transaction means that vast chunks of other personal data available and processed online remains unprotected. These include data processed for educational and welfare purposes, such as in opinion polls or surveys or personal data harvested or made available on social media sites like Facebook or LinkedIn. This is a particularly difficult area because whilst data may initially be derived for non-commercial purposes, it may subsequently be sold for commercial exploitation which raises doubts as to whether the data at the point of collection was protected by the PDPA.

PDPA does not apply to the Malaysian government

S3(1) of PDPA express states “This Act shall not apply to the Federal and State Governments”. It is notable that the Personal Data Protection Bill when originally drafted explicitly included the government as it stated that “The Act shall bind the Government”. However, in the final Act, Section 3(1) excludes the largest data possessor in the country. This is a rather peculiar take on an important privacy legislation and sets Malaysia apart from other jurisdictions. For example, the Data Protection Act 2018 (DPA) of United Kingdom and the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 of Australia both include the government and its relevant authorities, putting it under the scrutiny of the data protection laws.

Furthermore, there are no regulations or legislation in Malaysia that govern the way personal data is obtained, processed, kept and used by the government. In a nutshell, the PDPA does not regulate the use of data stored in government databases by civil servants, let alone prevent the State from using our personal information in literally any way it so desires.

Having been expressly excluded from the obligations under the PDPA, the government and its agencies are under no obligation to remove or correct any data that it stores even if such data may have outlived its usefulness. Of particular concern would be sensitive personal data (for example criminal records, government investigations, etc) that a data subject may want expunged due to the effluxion of time or when such information is deemed no longer relevant.

PDPA does not comply with the EU Directive

Article 25 of the EU Directive provides that each EU member state has to ensure that transfer of personal data to a country outside the EU may only take place if the country in question has an adequate level of data protection, unless one of the exceptions (i.e data subject has consented, legally required on important public interest grounds and to protect the vital interests of the data subject- to name a few)  apply. There are also certain criteria to fulfil in determining whether the requirement in Article 25 is satisfied. One of the criteria is that the data protection law of the country in question must apply to all individuals and entities. Another requirement is that a data protection law must apply to all forms of processing.

From the discussion above, it is arguable that the PDPA does not satisfy the aforesaid requirements and that means personal data cannot be transferred from an EU member state to Malaysia unless such transfer falls within the permitted exemptions. In the long run, this could diminish the economic value of seamless data flow between the EU and Malaysia.

Distributed Ledger Technology or Blockchain may be problematic

Even more problematic is how new technologies such as blockchain technology and those using them may already fall foul of the PDPA simply because of the seemingly immutable nature of information that is stored on a blockchain. This is so notwithstanding that some may argue that access to personal data on a blockchain is controlled via a private key. Until a court decision is handed down on the scope of the PDPA in respect of DLT, it remains to be seen if DLT may need to be modified before it meets the standards of legitimacy required under the PDPA, or if exceptions for DTL will be made under the PDPA.

LOONG CAESAR & TAI KEAN LYNN