Limitations of Malaysia’s Data Protection Bill

Malaysia's Personal Data Protection Bill 2009 adds a distinct new flavour to Asia’s growing array of data protection laws. The Bill applies only to personal data in ‘commercial transactions’. The largest omission is that the public sector is not covered at all (s3(1)). Malaysia has no existing protections for personal information which limit State abuses of privacy. This Bill can only be said to cover part of the private sector, and only then subject to many exceptions, particularly where any State-related activities are concerned. Within its scope it may still be valuable, but the narrow scope must always be kept in mind.Malaysia will have a Personal Data Protection Commissioner appointed by the Minister (s47), with a normal range of powers. The Commissioner will be appointed for up to three years, and may be re-appointed (s53), but he or she may also be dismissed by the Minister, who only needs to ‘state the reason’. There is no point pretending that this Commissioner’s office is like that of other Privacy Commissioners in the Asia-Pacific. Those in Australia, New Zealand, Canada and Hong Kong have statutory provisions underwriting their independence which are not found here. The seven Personal Data Protection Principles in the Bill’s ss5-12 (General; Notice and Choice; Disclosure; Security; Retention; Data Integrity; and Access) are influenced strongly by the EU data protection Directive rather than by the OECD Guidelines or APEC Framework. The Act will have no application to processing outside Malaysia, with the interesting exception of where data is intended to be further processed in Malaysia. Temporary exports of data from Malaysia for purposes of processing breaching the Act will therefore be subject to it. It applies to anyone ‘established in Malaysia’ or who uses equipment in Malaysia. Personal data may not be transferred outside Malaysia unless the destination is on a ‘whitelist’ specified by the Minister, after receiving the Commissioner’s advice. The Minister can so specify a place if it has in force a law ‘substantially similar’ to the Malaysian Act, or the place ensures ‘an adequate level of protection … which is at least equivalent to the level of protection’ provided by Malaysia’s Act. There are exceptions similar to those found in Article 26 of the EU data protection Directive, but some which go considerably further than the Directive, including where ‘the data user has taken all reasonable precautions and exercised all due diligence’. Data users who breach one of the Principles commit an offence carrying substantial fines or even imprisonment . However, as with the Hong Kong law, reliance on enforcement notices has the fatal flaw that breaches that have caused harm, but are unlikely to be repeated, fall outside the scope of the Act. Overall, the ‘enforcement pyramid’ in this Act is completely deficient. While this Bill has many deficiencies, privacy legislation even of these modest dimensions will be a step forward for Malaysians.[Postscript: The Bill was enacted in 2009, but not brought into force. The Malaysian government announced in 2012 that the Bill would be brought into force in June 2012, but that instead of the Commissioner, who has not been appointed, a new Department will be set up to administer the Act.]