Introduction
Prior to 2010, personal data was regulated mainly by industry-specific legislation, which existed in the banking and finance, healthcare, and telecommunications industries, among others. In May 2010, the Personal Data Protection Act 2010 (PDPA) was passed by the Malaysian Parliament and received Royal Assent in June 2010. The PDPA came into force on 15 November 2013, with a three-month grace period ending on 14 February 2014.
On November 15, 2013, five more pieces of legislation went into effect in addition to the PDPA. These cover topics including the selection of the Personal Data Protection Commissioner, the registration of data users, and potential fees levied in accordance with the PDPA. This supporting legislation was approved concurrently to aid in the PDPA’s implementation.
The Personal Data Protection Standard 2015 (also known as “the 2015 Standards”) was released by the Commissioner and went into effect on December 23, 2015. The 2015 Standards include security, retention, and data integrity requirements that apply to both electronically and non-electronically processed personal data. The 2015 Standards, which will apply to everyone who processes, has control over, or permits the processing of any personal data in connection with a commercial transaction, are meant to be “a minimum requirement.”
On its website, the Department of Personal Data Protection (‘PDP’) has posted a number of FAQs and guidance documents on topics covered by the PDPA and its related laws. There is also the Draft Guide for Data Users, released in March 2016. Data users in micro, small, and medium-sized businesses can refer to the PDP’s Guide to Prepare Personal Data Protection Notice (also known as the “Guide to prepare PDP notice”), which was published in January 2022.
In the vast majority of the incidents that were reported, Section 45 of the PDPA’s general exemption was taken into account. For instance, it was determined in Newlake Development Sdn Bhd v. Zenith Delight Sdn Bhd & Ors (No 2) [2021] 7 CLJ 88 that the PDPA cannot be used as a shield to prevent such documents from being produced at trial under the guise of personal data protection if a court determines that the documents in question were relevant and admissible.
Notably, in December 2021, the High Court held that the PDPA does not allow the Director-General of the Inland Revenue Board of Malaysia to make blanket demands for personal data in view of the protections afforded to data subjects under the PDPA (Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors [2021] MLJU 2847). Such requests for data must be made in accordance with the law, and it should be ensured that the request satisfies the test of necessity, in that “the interference with the rights of data subjects must be proportionate to the reality as well as to the potential gravity of the public interests involved”, and “there must also be a specific instance as contemplated by the statute and not a general sweeping and inconsistent reasons for the disclosure to be given”.
Any individual who processes personal data or has control over that processing (referred to as a “data user”) is subject to the PDPA. It is important to remember that the PDPA broadly defines processing to include a variety of actions like utilising, disseminating, collecting, recording, and/or storing personal data. In addition, the PDPA exclusively uses the term “data subject” to refer to people.
Additionally, there are specific provisions in the PDPA for data processors. The PDPA’s provisions may not apply directly to a data processor who handles personal data solely for a data user; instead, it is the data user’s responsibility to ensure that the data processor complies with the pertinent PDPA provisions.
Unless the data is intended to be further processed in Malaysia, the PDPA does not apply to personal data processed outside of Malaysia. It also does not apply to data users who are not established in Malaysia unless they use equipment in Malaysia to process personal data, other than for transit through Malaysia. The Credit Reporting Agencies Act of 2010 exempts the Federal Government of Malaysia (the “Federal Government”), state governments, and any information processed for the purposes of a credit reporting firm from the application of the PDPA.
The PDP is a department of the Ministry of Communications and Multimedia (MCM). On February 12th, 2012, the Minister formally debuted it in Kuala Lumpur. The PDPA becomes effective on December 15, 2013. Mazmalek bin Mohamad, who was appointed on March 16, 2020, is the current Commissioner. The PDP’s primary duty is to uphold and oversee the PDPA in Malaysia, with a particular emphasis on the handling of personal data in business transactions and preventing its exploitation. The Commissioner is required to register all categories of data users under the Order as part of enforcing the PDPA.
Conclusion
Both the Malaysian PDPA and the GDPR in Europe are intended to safeguard the information and privacy of their respective populations. Although there are numerous similarities between these rules, businesses operating in either area must be aware of the specifics of each in order to comply with them. DPOs are required by the PDPA, but their roles and requirements for technical expertise are not nearly as clear-cut as those of their European counterparts. The PDPA does not mandate that companies register their DPOs with any regulatory body, in contrast to the GDPR. Furthermore, there is no rule in Malaysia requiring firms to give their DPOs all the resources they need to do their work to the highest standard, or requiring DPOs to avoid conflicts of interest or report to the highest management.
Author: Tanya Saraswat, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney