As we do not have a general Privacy Act in place, and our Federal Constitution does not expressly recognize the right to privacy (although our Court of Appeal in one particular case held that the right to life and liberty (Article 5) is arguably broad enough to include the right to privacy), the PDPA is certainly a very much needed piece of legislation that Malaysians have long been waiting for.
It also signals an important milestone for Malaysia in bridging the gap between Malaysian laws and international trends in protecting personal data. To prevent the misuse and disclosure of personal data to unauthorized third parties, governments around the world have enacted legal regimes on personal data protection.
In ASEAN, Malaysia and Singapore are the only two countries which have enacted comprehensive data protection legislation.
One would have thought that given the time that it took for the PDPA to come into force after it was passed by the Parliament in June 2010, most data users (i.e. companies/organisations/individuals who either alone or jointly in common with other persons process any personal data or have control over or authorize the processing of any personal data) would have put aside sufficient time and resources to make sure that they take the necessary steps to establish, review and strengthen internal policies, procedures, processes and systems that govern the management and handling of personal data in order to comply with the law.
Unfortunately, that was not the case.
When the Government announced that the PDPA would come into force on 15 November 2013, many companies and organisations were rushing to become PDPA-compliant, as they were only given a 3-month sunrise period to ensure compliance with the law. Hence, we saw a spike in companies and organisations busy churning out privacy policies and notices.
Perhaps due to inadequate publicity or low awareness, some data users were not even aware of the registration requirement, which resulted in them submitting their registration forms late. Meanwhile, some companies and organisations (especially small and medium enterprises) chose to take a “wait-and-see” approach, conveniently ignoring the fact that the PDPA applies to every company, organisation and individual in the country, and not just the big boys.
It has been one year since the coming into force of the PDPA.
While the deadline for data user registration had already passed, the PDP Department acknowledged that the 3-month sunrise period was relatively short (Singapore’s PDPA, which has also recently come into force, provided an 18-month sunrise period). As such, the PDP Department adopted an unofficial stand by stating that it will still accept late applications for registration, provided they are accompanied by a letter stating the reason(s) for the delay.
Encik Abu Hassan bin Ismail was appointed as the first Personal Data Protection Commissioner. The current Commissioner is Encik Mazmalek bin Mohamad.
Several regulations and orders have also been enacted, and the PDP Department has initiated public consultations on various guidelines to deal with specific topics such as management of CCTV images, direct marketing, employee data, consent requirements as well as general rules on compliance with the PDPA.
It is worth noting that the PDP Department always welcomes public opinions (for example through issuing public consultation papers) and constantly engages in talks and discussions with stakeholders such as industry players, NGOs, professional bodies and business associations.
All the efforts that have been put forward by the PDP Department must be commended, and we hope that the PDP Department will continue to engage with and consult stakeholders on the implementation of this broad-ranging law.
This can be attributed partly to the different levels of understanding of compliance with the law and interpretation of the PDPA, and partly to other reasons, such as the absence of guidelines from the authorities providing clear guidance on the interpretation of the PDPA.
Under the PDPA, in order for a data user to process an individual’s personal data, he must obtain consent from the individual, and the consent must be in a recordable form and capable of being maintained properly by the data user.
Other issues such as whether corporate binding rules are necessary for sharing of data within a group of companies, how the exemptions under the PDPA work, etc. remain unclear.
As such, guidelines from the regulator that set out guiding rules and best practices are very much needed, as they will help fill in the gaps and assist us in interpreting the law.
The PDP Department has indicated that it is considering setting up an official registry similar to Singapore’s Do Not Call Registry or the UK’s Telephone Preference Service to allow people to opt out from receiving unsolicited telemarketing calls. Apart from issuing guidelines, we would also recommend that the PDP Department post FAQs for individuals and businesses on the application and scope of the PDPA on its website, or issue small leaflets or handbooks to the public, similar to what the Malaysia Competition Commission has done.
Companies and organisations should take a top-down approach when it comes to implementing and rolling out a PDPA compliance exercise. Instructions should pass down from the board of directors to the management and progress on the implementation exercise should be reported back to the board of directors regularly.
This is important because if a body corporate is found guilty of an offence under the PDPA, officers of the body corporate will automatically be held severally and jointly liable together with the body corporate, unless they can prove that the offence was committed without their knowledge, consent or connivance; and that they have taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.
What is certain is that the PDPA is here to stay, and it is no longer “business as usual”.
The PDPA has commercially far-reaching implications and severe penalties in the event of non-compliance. The intent of the PDPA is not to inhibit business or to stifle the legitimate use of personal data. Rather, it is meant to grow businesses by giving consumers confidence that their personal data will be protected and processed in good hands.
At the end of the day, privacy matters and good privacy conduct would eventually mean good business.