Fortifying the Personal Data Protection Act 2010
- Dr. Azura Shamsuddin
- Sep 14, 2022
Malaysia was one of the first few countries in Asia to put in place a data privacy law to protect the personal data of individuals, back in 2013 when the Personal Data Protection Act (PDPA) 2010 was passed by Parliament. However, 9 years down the road, this Act does not appear to deter personal data breaches in the country. This year alone, the country has seen major data leakages onto the dark web, which have resulted in an alarming increase in individuals being scammed of their hard-earned money: they fall prey to clicking unsecured links, and the scammers then empty their bank accounts or use their credit cards for online purchases that they did not make.
This has resulted in many calls by politicians and social activists for the Act to be fortified by increasing the statutory fines against commercial organizations that fail to put in place tight security measures to protect the personal data of their customers, resulting in data privacy breaches that cause financial harm. However, according to recent news publications, an increase in statutory fines is not one of the areas that Jabatan Perlindungan Data Peribadi (JPDP) is proposing to table in Parliament in October 2022.
In fact, the five areas of proposed amendments are: the requirement to appoint a data protection officer; the introduction of a data breach notice, which obligates all data users to report data leaks to the JPDP Commissioner within 72 hours; obligating data processors to comply with the security principle under the Act; allowing the transfer of personal data (data portability) between data users at the request of the individuals, if the technical system allows it; and replacing the Whitelist with a Blacklist for the transfer of personal data across borders. It will be interesting to see whether a Blacklist materialises, since the Whitelist itself was never officially made public. These are all good steps to align the Act with similar data privacy laws around the globe, such as the EU GDPR and the Singapore PDPA, but none of them will effectively deter data leakages or breaches. What JPDP needs is more resources to carry out enforcement actions for breaches of the Act, but this is a common malady across the regulators in Malaysia!