Countdown officially begins for PDPA compliance
By Gabey Goh November 15, 2013
- Businesses and data users have three months from November 15 to ensure compliance
- Enforcement of the PDPA also introduces four new pieces of subsidiary legislation
AFTER much delay, Malaysia’s Personal Data Protection Act 2010 (PDPA) is officially in force today (Nov 15), with the appointment of Abu Hassan Ismail as Personal Data Protection Commissioner, accountable to the Communication and Multimedia Minister.
The PDPA is aimed at regulating how data users process the personal data of individuals involved in commercial transactions, so as to protect that personal data and thereby the interests of the individuals concerned.
Abu Hassan was formerly the director general of the Personal Data Protection Department (PDPD), which is tasked with managing and enforcing the regulations outlined in the Act.
Thirteen new criminal offences have been created by this Act, with penalties ranging from a maximum jail term of one year, a RM200,000 fine or both, to a maximum jail term of three years, a RM500,000 fine or both.
Offences include processing without a certificate of registration, processing after consent has been withdrawn, and failure to comply with the Commissioner’s requirements.
Among the enforcement mechanisms and powers granted by the PDPA to the Commissioner are the right to enter premises and seize equipment without a warrant for the purposes of investigating offences, and the power to arrest and to recommend prosecution.
Data users and businesses now have three months from November 15 to ensure compliance with the PDPA.
Digital News Asia (DNA) columnist and intellectual property lawyer Foong Cheong Leong said that he was in the process of seeking clarification from the PDPD on one point: whether parties have three months to comply with the Act for all data, or three months to implement procedures while the non-compliance penalty begins today for newly collected data.
“I believe the latter is the correct position, that one must comply with PDPA today in respect of new data but has three months to comply with old data,” he said.
Businesses and data users found to be in non-compliance with the PDPA will be subject to a fine not exceeding RM300,000 or imprisonment for a term not exceeding two years or both.
Foong had stated previously that the PDPA is supposed to bring an end to unsolicited communication, but it will cause drastic changes to Malaysian businesses.
“Much valuable commercial data will be lost due to the PDPA. It is noted that many Malaysian industries had taken the wait-and-see approach. This is alarming considering that three months to comply with the PDPA will probably be not enough,” he wrote.
The enforcement of the PDPA also introduced four new pieces of subsidiary legislation, namely:
The new regulations require certain classes of data users to register with the PDPD. Sectors that fall under these categories include banking and financial institutions, communications service providers, insurance companies, transportation and utilities companies.
According to Foong, the burden of proving consent lies on the data user, and consent must be given expressly rather than implied or assumed.
All companies will need to ensure that all possible purposes for processing personal data are set out before the collection of the data. Additional procedures may need to be established to ensure consent is captured.
He added that express consent can be gained in a variety of ways, for example by filling in a form, ticking a box on a website, over the phone or face-to-face.
Industry players had previously advocated the introduction of mandatory breach notification within the PDPA, in line with many other jurisdictions which have either implemented such legislations or are in the process of doing so.
By informing affected stakeholders, this also gives them the opportunity to take the required remedial actions (such as changing passwords, or having their financial institutions change their credit card numbers) to mitigate the consequences of any breach.
The inclusion of a 'safe harbour' principle was also proposed, where organisations demonstrating that the data has been secured to an adequate level of security, need not undertake any notification.
Foong reported that neither mandatory breach notification nor the safe harbour principle is included in the current PDPA.
The PDPA was gazetted into law in June 2010 and was originally scheduled to be in force by June 2012 to allow time for the Information, Communications and Culture Ministry to set up the PDPD, train staff, and select a commissioner.
The Act was then scheduled to take effect on Jan 1, 2013, but was delayed due to legal formalities.