The PDPA, Data Protection Rights for Malaysian Citizens

Malaysia’s Personal Data Protection Act 2010, or PDPA for short, is a data privacy law that was passed in Malaysia in 2010. Prior to the passing of the PDPA, data legislation within Malaysia was limited to sector-specific laws in relation to finance, healthcare, communications, etc. The PDPA also established subsidiary legislation, including laws regulating the registration of data users, fees, and the compounding of offenses under the law. This subsidiary legislation also established a commissioner for the purposes of enforcing the law in relation to non-compliance.

What is the scope and application of the PDPA?

In terms of the personal scope of the law, the PDPA applies to any person who processes or has control over the processing of personal data (‘data user’). It is pertinent to note that processing is defined widely under the PDPA to cover a wide range of activities, including using, disseminating, collecting, recording, and/or storing personal data. In relation to the territorial scope of the law, the PDPA generally does not apply to personal data that is processed outside of Malaysia, unless said personal data will be processed further within Malaysia, or if a data controller uses equipment within the country to process data.

In terms of the material scope of the law, the PDPA covers personal data, defined as the collection, recording, holding, or storing of personal data, as well as carrying out any operation in relation to personal data, including the following:

What are the requirements of data controllers under the PDPA?

The PDPA establishes a number of data protection principles that data controllers must adhere to at all times when collecting, processing, or disclosing the personal data of Malaysian citizens. These data protection principles are as follows:

What are the rights of data subjects under the PDPA?

The PDPA grants Malaysian citizens various rights in relation to data protection. These rights include:

In terms of punishments in relation to violations of the law, data controllers who are found to be in non-compliance with the PDPA are subject to a prison term of up to three years, as well as administrative fines ranging from MYR 300,000 ($70,079) to MYR 500,000 ($116,814). Additionally, due to the subsidiary legislation that was also passed alongside the PDPA, data controllers are also subject to compounded offenses and term punishments in instances in which a particular data controller is found to be repeatedly in violation of the law.

As the PDPA was passed over 10 years ago in 2010, Malaysia was an early adopter of the privacy legislation that has become commonplace in recent years. As many countries around the world have taken great influence from the EU’s General Data Protection Regulation or GDPR, the PDPA is in many ways ahead of the curve as it pertains to both the requirements that are placed on data controllers and the punishments that can be imposed against said data controllers when they violate the law. As such, Malaysia is among a short list of countries around the world that offer stringent data protection rights to their citizens, with few exceptions.
