MCMC reviewing Personal Data Protection Act
By Dzof Azmi March 20, 2019
- Among areas being looked at are cross-border data transfers, data breach notification
- No timeline has been set by the Ministry for the work to be done
THE Personal Data Protection Act (PDPA) of Malaysia is currently being reviewed by the Ministry of Communications and Multimedia, confirmed Gobind Singh Deo, Minister of Communications and Multimedia.
This is in order to “streamline with international requirements of personal data protection”, particularly in conjunction with the EU’s General Data Protection Regulation (GDPR).
Among the areas being looked at by the Ministry are cross-border data transfers, data breach notifications, and whether the government should be exempt from the PDPA.
This was revealed during a conference on “The Impact of EU-GDPR In Malaysia And Non-EU Countries”, the most significant conference on GDPR and data protection in Malaysia to date.
“Comprehensive changes to business practices”
The GDPR is European legislation that mandates how organisations collect, store, and process data belonging to EU citizens, and can impact Malaysian companies and their operations.
“Multinational companies and GLCs who have business dealings in the EU and with EU citizens should take the necessary steps to comply with GDPR,” said Gobind. “It definitely requires comprehensive changes to business practices for (some) companies.”
Gobind in particular stressed the need for companies to instil trust and confidence in their customers, and said they should not see privacy laws as “stumbling blocks to doing business, but rather as enablers to ensure sustainability of businesses.”
These companies right now are legally obliged to conform to the PDPA, which Gobind lauded as “comprehensive laws on personal data protection”, while admitting that GDPR “imposes additional requirements”.
Focus on cross-border transfers and breach notifications
Right now, the government is having discussions with industry players to better understand the gaps that need to be narrowed.
Rosmahyuddin Baharuddin, the MCMC Office of Personal Data Protection Malaysia deputy commissioner, opined in a presentation made later that morning that Malaysia’s PDPA is “60%” of the way to the GDPR.
The government is giving particular focus to certain areas, with varying degrees of progress.
For example, cross-border data transfer will require that the government first develop a “white list” of countries to which Malaysia can transfer data. “We have to conduct due diligence for every country,” explained Rosmahyuddin. “It’s a very sensitive policy decision (that) needs to be made.”
In this area, countries like Japan have been proactive, as evidenced by the European Commission adopting an adequacy decision on the country, allowing personal data to be transferred between the two regions without additional safeguards.
Separately, Rosmahyuddin revealed that data breach notification is something that Malaysia is “seriously considering”, but work needs to be done fine-tuning the details of what constitutes a breach, under what circumstances users should be notified, and what the process should be.
Such a breach notification law would have, for example, compelled Astro to inform their users that their personal data had been compromised when the company discovered a breach of 10,000 records in January last year.
Meanwhile, the government is also studying the implications of Federal and state agencies currently being exempt from the PDPA, and will need to understand better the original intentions of the exemption.
“No timeframe fixed”
Unfortunately, Gobind would not commit to a timeline of when new policies or amendments will come into effect, other than to say, “I hope within the year, a new workable framework will allow us to bring proposed amendments to parliament”, while noting these proposals need to be brought to cabinet beforehand.
Meanwhile, the status quo will be maintained in Malaysia. “We already have laws in place,” maintained Gobind. “And those laws are in effect currently until we come up with new suggestions.”