An Overview of Malaysia’s Cybersecurity & Data Protection Laws

When the Personal Data Protection Act 2010 (PDPA 2010) came into force in 2013, some of us assumed that our privacy would be protected by that Act alone, when in fact our privacy rights are also protected by numerous other pieces of legislation, as described in this article.

Right to Privacy in Malaysia

The Malaysian Federal Constitution does not expressly mention the right to privacy within its list of fundamental liberties. Nevertheless, the right to privacy is potentially provided for in Article 5(1) of the Constitution, which states that “no person shall be deprived of his … personal liberty save in accordance with the law”.

The Federal Court has stated in dicta that the “personal liberty” referred to encompasses other rights such as the right to privacy. Two key aspects of privacy protection are cybersecurity and data protection. Both are important concerns for businesses, especially as many increasingly move their operations and transactions online due to the Covid-19 pandemic.

Privacy protection in Malaysia is regulated by numerous pieces of legislation in relation to cybersecurity and one data protection statute, the PDPA 2010.

Privacy Invasion & Cybersecurity

Privacy protection and cybersecurity are distinct but closely related efforts.

Privacy protection aims to prevent privacy invasion: the unjustified intrusion on the private or personal affairs of another without their consent.

It can take many forms, including but not limited to non-consensual data collection, violation of confidentiality and deception regarding the use of data.

Protection of personal information is a chief concern in preventing privacy invasion; hence the close relationship between privacy protection and cybersecurity.

Cybersecurity is concerned with protecting electronic systems, programs and databases – technology often used to store private or personal data – against theft, damage or misuse.

Cybersecurity Laws

The Computer Crimes Act 1997 regulates the use of electronic devices and access to programs and data stored in those devices.

Under the Act, unauthorised access to computer material, unauthorised modification of the contents of any computer, and wrongful communication of any means of access to an unauthorised person are categorised as offences.

These categories cover acts such as hacking and the spreading of computer viruses. The Act is applicable to any computer, program or data that is in Malaysia, or which was capable of being connected or sent to, or used by or with, a computer in Malaysia at the time an offence was committed.

The Digital Signatures Act 1997 enables electronic transactions by establishing digital signatures as a method for securing online transactions. The Act details the procedure for electronic identity verification using encryption techniques; provides for certification and authentication of digital signatures; and regulates certification authorities.

The Electronic Commerce Act 2006 further extends the possibilities of electronic transactions by recognising electronic messages in commercial transactions as binding. This allows the formation of contracts by electronic means. The Act also establishes additional requirements for ensuring the reliability of electronic signatures.

Other Acts which contain provisions relevant to cybersecurity are the Communications and Multimedia Act (CMA) 1998, the Copyright Act 1987 and the Penal Code. Information security is one of the objectives of the CMA 1998. Under the Act, possession of devices or software used to commit cybercrimes; the initiation of communication with the intent to threaten, annoy, abuse or harass any person at any number or electronic address; and actions which constitute hacking, unauthorised communication interception or tampering with network facilities are categorised as offences.

Meanwhile, the Copyright Act 1987 is often relevant to database theft, which usually involves copyright infringements. Finally, section 416 of the Penal Code – which identifies the crime of ‘cheating by impersonation’ – is applicable to cases of electronic identity theft or fraud, such as the practice of ‘phishing’.

Data Protection Law

The PDPA 2010 defines ‘personal data’ as information which relates to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data user. This includes expressions of opinion about a data subject. Information covered under the Act must satisfy one of three conditions:

Furthermore, the scope of the Act is limited to information related to commercial transactions.

The Act provides an additional distinct definition for ‘sensitive personal data’:

Such data is provided with slightly heavier protection, requiring explicit consent from data subjects for collection and use.

The PDPA 2010 is applicable only to data users, and not data processors. A data user is defined in the Act as a person who processes any personal data or has control over, or authorizes, the processing of any personal data – either alone, jointly or in common with other persons. The definition expressly excludes data processors.

Data processors are distinguished as persons – other than employees of a data user – who process personal data solely on behalf of a data user and do not do so for any of their own purposes.

The PDPA 2010 applies to any data users ‘established in Malaysia’ or who ‘use equipment in Malaysia’. It does not apply to personal data processed outside Malaysia, unless the relevant data is intended to be further processed in Malaysia. The Act also restricts data exporting, prohibiting data from being transferred outside of Malaysia unless the destination is ‘whitelisted’ by the Minister.

Different enforcement provisions are available to the Commissioner, depending on the context in which a breach of the Act is committed. Where a breach is ongoing – or is likely to be repeated – but no damage has been incurred, the Commissioner may issue an enforcement notice either requiring the contravention to be remedied or requiring processing to cease pending remedial action.

On the other hand, breaches which have occurred in the past but are unlikely to be repeated can be prosecuted as offences. Moreover, the Commissioner has the power to inspect data users’ systems and the Minister may require the registration of specific classes of data users.

Effectiveness of the Laws

Other than the PDPA 2010, there is no legislation which imposes a requirement for companies or organisations to implement cybersecurity measures. Further, the effectiveness of the PDPA 2010 is limited by its relatively narrow scope.

The applicability of the Act is restricted to automated, and some manual, commercial transactions. The Act defines commercial transactions as any transactions of commercial nature, whether contractual or not – including matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.

Other than that, data collected in the public sector is wholly excluded from the Act. This is problematic as no other significant protections for personal information in the public sector exist, meaning that data protection in Malaysia has yet to encompass prevention of state abuses of privacy.

In addition, the Minister, upon the recommendation of the Commissioner, may exempt any data user or class of data users from any principles or provisions of the Act. This, alongside the lists of exemptions provided under the Act, greatly detracts from the reliability of the Act in ensuring privacy protection in Malaysia.

Conclusion

More regulations, guidelines and codes of practice need to be issued to ensure that these existing laws are implemented accordingly.

This section is normally where authors tell people about their achievements, life aspirations, etc. I'm Effa; a land law expert, and an organized, highly logical corporate lawyer who loves to run and hike. Oh, and I occasionally lie in my bio.

Latest posts by Effa Suzieana Zainal