The first draft of the Personal Data Protection Bill (“PDP Bill”) was released in 1998 for public consultation but was not tabled in Parliament until November 2009.
The earlier drafts of the PDP Bill have since been redrafted to reflect public feedback as well as the Government’s approach towards personal data protection. The redrafted PDP Bill was tabled for first reading in November 2009 and passed by the Parliament in May 2010. It received Royal Assent and was gazetted in June 2010. The PDP Act will come into force on a date to be notified by the Minister.
The PDP Act has generally been well received by the public and the Malaysian Government is to be commended for its commitment to granting more protection to the people in respect of their personal data. Prior to this, Malaysia had adopted a sectoral approach in protecting personal data but this approach proved to be inadequate. Other than this, personal data was only protected in the form of confidential information through contractual obligations or common law. It is therefore timely for legislation of general application to be introduced to regulate the processing of personal data.
The draft of the PDP Bill explicitly stated that “This Act shall bind the Government”. However, in a complete turnaround, Section 3(1) of the PDP Act now reads “This Act shall not apply to the Federal and State Governments”. The Government did not explain the reason behind this drastic change.
For example, the National Registration Department holds the personal data of nearly every citizen in Malaysia and our income tax returns which contain detailed records of our financial affairs and sources of income are well within the knowledge of the Inland Revenue Board.
All this information is valuable personal data which ought to be protected in the interest of every individual. The Government, being one of the biggest data users in the country, ought to be bound by the PDP Act to prevent any form of abuse of personal data of its citizens.
To exclude the Government from the PDP Act is contrary to the objectives of the PDP Act and would severely curtail its full effect. It also means that there is nothing to prevent the Government from processing personal data of its citizens in whatever manner it deems fit. Of even greater concern is that there are no sanctions to prevent civil servants from abusing such personal data other than the risk of disciplinary action.
The exclusion of the Federal and State Governments from the application of the PDP Act is inconsistent with jurisdictions such as Australia, Hong Kong and member countries of the European Union (“EU”) where governments are bound by their respective data protection legislation.
Section 2(1) provides that the PDP Act applies to the processing of any personal data in respect of commercial transactions.
In other words, the PDP Act does not apply to personal data processed in non-commercial transactions. Although the term “commercial transactions” is widely defined to include “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services”, the full effect of this term remains uncertain.
The limitation of the application of the PDP Act to “commercial transactions” makes the Malaysian legislation unique. This limitation was not found in the earlier draft of the PDP Bill. The personal data protection laws of most other jurisdictions do not have similar restrictions.
However, it is interesting to note that the Personal Information Protection and Electronic Documents Act of Canada applies to every organization that collects, uses or discloses personal information in the course of commercial activities. Cases suggest that “commercial activities” must involve some profit making element or attract certain monetary value.
An individual may submit his personal data in a contest or survey without consideration being given by any party. He may also submit his personal data as part of the subscription to various free online services such as online newspapers and magazines. Personal data may also be submitted to social networking websites such as Facebook or MySpace. Processing of personal data in these situations may not necessarily involve any “profit-making” element and is hardly to be considered as “use in respect of commercial transactions”. It will be interesting to see how the courts will interpret “commercial transactions” in the context of the PDP Act.
The combined effect of these two limitations is that the PDP Act only applies to the private sector and within the private sector, it is narrowed down to organizations which process personal data in commercial transactions. It is undesirable to have such a narrow application of the PDP Act.
There are, however, no provisions in the PDP Act that allow an aggrieved person to claim compensation for distress or damage to feelings caused by a data user’s failure to comply with its obligations under that Act. Such a provision was found in the earlier draft of the PDP Bill but was omitted from the PDP Act.
The PDP Commissioner is a person to be appointed by the Minister. The Commissioner is to be responsible to the Minister who may give him directions in relation to the discharge of his functions and responsibilities. His appointment may also be revoked by the Minister and his remuneration and allowances are determined by the Minister.
These provisions may hamper the ability of the Commissioner to carry out his functions and are not in line with international standards, which require data protection commissioners to be independent of the Government and to operate free from political or governmental interference.
Commissioners in Australia, Hong Kong as well as the United Kingdom play their role independently from the Government. These provisions may create the perception that the Commissioner is acting under the directions and orders of the Government.
Article 25 of the EU Directive requires each EU member state to ensure that transfer of personal data to a country outside the EU may only take place if the country in question has an adequate level of data protection unless one of the exceptions applies.
The Article 29 Working Party has adopted the Working Paper 12 entitled “Transfer of Personal Data to Third Countries: Applying Article 25 and 26 of the EU Data Protection Directive” which lays down certain criteria in determining whether the requirement in Article 25 is satisfied. One of the criteria is that the data protection law of the third country must apply to all individuals and entities. Another requirement is that a data protection law must apply to all forms of processing.
As it is clear from the discussion above that the PDP Act does not satisfy the aforesaid requirements, personal data cannot be transferred from an EU member state to Malaysia unless such transfer falls within the permitted exemptions under the relevant EU data protection laws (such as where the data subject has consented to such transfer or the transfer is necessary for the performance of a contract) or the parties to a transaction have adopted the EU approved Model Contract which contains provisions which safeguard the transfer of personal data.
For example, the general principle requires a data user to obtain a data subject’s consent in order to process the latter’s personal data. Consent is however not defined and whether “opt-in” or “opt-out” is permissible is something that remains to be seen.
Notwithstanding the general principle, the PDP Act dispenses with the requirement for the data subject’s consent in various circumstances, such as where the processing is necessary for the performance of a contract, for the taking of steps with a view to entering into a contract, or for compliance with any legal obligation.
One of the exceptions to the disclosure principle permits a data user to disclose personal data of a data subject to a third party provided the data user has notified the data subject of the class of third parties by way of written notice. This exception presents a carte blanche opportunity to bypass the restrictions contained in the disclosure principle by describing the class of third parties to whom personal data may be disclosed in the widest conceivable terms.
The retention principle requires a data user not to keep personal data for any period longer than necessary for the fulfilment of the purpose for which it was processed. This requirement is vague and a data user may legitimately retain data for a longer duration to comply with the requirements under other written laws or while awaiting the expiration of the statutory limitation period for which claims may be made by a data subject against the data user.
The definition of sensitive personal data has omitted the categories of racial or ethnic origin and sexual life of data subjects, which are normally found in data protection law in other jurisdictions. As racial, gender and sexual life issues are sensitive matters, it is unfortunate that the PDP Act omitted these categories of personal data from the definition.
Although the PDP Act confers a data subject with the right of access to his personal data and the right to correct the same, the manner in which such rights may be exercised is rather cumbersome. Further, the PDP Act also sets out numerous grounds on which the data user may refuse to comply with a data subject’s request.
Nevertheless, this rule is subject to 8 exemptions, such as where the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in a manner which, if that place were Malaysia, would be a contravention of this Act. Professor Graham Greenleaf has in “Limitations of Malaysia’s data protection Bill” expressed concern that the exemptions are rather broad. In his words, “section 129 will involve a front door to data exports which appear to be shut, while the back door is wide open to transfers to anywhere, with exporters absolved from any accountability for what goes wrong”.
The PDP Act is not and is not intended to be, a codification of personal data protection laws. It sets out the basic framework of rights and obligations of stakeholders in order to safeguard personal data. It is expected that regulations, codes of practice, guidelines as well as case law will be developed to clarify and refine the scope of the numerous provisions of this statute.
Although the PDP Act is a good effort by the Malaysian Government to develop a proper framework to regulate the processing of personal data, it is not quite good enough. The application of the PDP Act must be extended to the Federal and State Governments and to the processing of personal data for all purposes, commercial or non-commercial, to take the legislation to the next level.