Personal data protection law to be enforced by year-end?
By Edwin Yapp June 5, 2013
- Experts feel PDPA may finally be enforced by year-end; however, law does not specifically deal with scourge of SMS spam
- AIG introduces cyber risk insurance to Malaysian companies; believes that awareness of cyber risk still poor
THE enforcement of Malaysia’s Personal Data Protection Act (PDPA) 2010 has been delayed by more than a year but two industry experts believe that the legislation governing the handling of digital data in the country will finally come into force by year-end.
Speaking at the AIG-sponsored cyber security industry roundtable in Kuala Lumpur yesterday (June 4), Paul Subramaniam (pic), knowledge management and training partner for Zaid Ibrahim & Co (ZicoLaw), said he expected the PDPA be enforced by December 2013 now that Malaysia’s 13th General Election (GE13) is over and done with.
“The PDPA has been passed as a law and has been gazetted but it is not in force yet. This would require a notification to be made by the Minister for this to happen,” he said in response to a question as to when the PDPA will come into force.
Subramaniam acknowledged the fact that the target date for the notification is still vague, noting that the original enforcement date was to have been June 1, 2012.
“That date has come and gone and there has been no notification made,” he pointed out. “But given that we’ve just had the GE13 and new ministers have been appointed, I would be very surprised if it doesn’t come into force by year-end,” he said, adding that the notification could likely be made by September.
Thereafter, there could be a 'lead up' period for organisations to be prepared for the enforcement, which could take up to 18 more months, Subramaniam noted.
Malaysia concluded its most contentious general election on May 5, where the country’s opposition coalition once again denied the incumbent government its customary two-thirds majority in Parliament.
Fellow panellist at the roundtable Gigi Cheah, a partner with Singapore-based law firm Norton Rose Fulbright, concurred with Subramaniam.
She said Singapore’s own Personal Data Protection Act came into force in 2013, but there are different parts to it.
Cheah noted that Singapore’s Privacy Commission was set up in January 2013 and that the next step, the ‘Do Not Call’ (DNC) registry is expected to come into force in January, 2014. The DNC is a registry that stops people from spamming mobile phone users with unwanted advertisements, she added.
Following that, the Operative Rules will be enforced by June 2014.
“That gives roughly an 18-month ‘grandfathering’ period for [Singapore] businesses to get ready, which include companies doing the necessary audits and checks to see if they’re compliant, and for them to address any compliance gaps they may have.
“[But] I expect that Malaysia will [have its PDPA enforced] sooner because it has been there on the table longer [than in Singapore]. So I wouldn’t be surprised that it will come into force faster in Malaysia [by year-end].”
Next: Wrestling with SMS spam