My Say: Reshaping the privacy, data protection and cybersecurity narrative

TheEdge Fri, Apr 21, 2023 01:30pm


In recent times, significant attention has been paid to updating local data protection laws by the government, especially by Fahmi Fadzil, the minister of Communications and Digital.

We strongly welcome this move, especially in light of the ongoing spate of data breaches affecting Malaysian citizens. Scam syndicates are also very rapidly and creatively evolving, calling for gaps between privacy, data protection and cybersecurity to be addressed.

While we note that proposed updates and recommendations to revamp the Personal Data Protection Act (PDPA) have already been discussed at length, we have attempted to provide a fresh and balanced take, taking into consideration the country’s financial and economic objectives while also ensuring protection for its citizens.

We set out six key proposed updates to the local privacy, data protection and cybersecurity landscape, taking a pragmatic approach, which we hope the government and the ministry will seriously take into consideration.

Application of PDPA to the government

Currently, the PDPA provides a blanket exemption to the federal government and state governments, where both these terms are undefined in the PDPA and not clearly defined under the Interpretation Act 1989. It is unclear how far-reaching this exemption is applied and if entities such as statutory bodies and government-linked companies are similarly exempt.

The exemption of the federal and state governments, which potentially extends to statutory bodies, has been applied very broadly, indiscriminately covering government entities that process both large and small volumes of personal data.

Comparing this with other jurisdictions in Asia-Pacific, most, except Brunei Darussalam, do not apply a blanket exemption to the government. The exemptions are applied in a structured and clearly defined manner. Some jurisdictions, such as Singapore, the Philippines and Australia, also have additional standalone provisions regulating data protection in the public sector to further safeguard citizens.

The government, being the ruling body of the country with the largest access to citizens’ personal data, should be held accountable to the same laws imposed upon its citizens.

The rights of citizens to have their data protected and a right to privacy should be upheld per the Federal Constitution as an extension to the right to life.

As a solution, government bodies/agencies should only be exempt from the PDPA for processing personal data for reasons including national security, public interest and processing by enforcement bodies. An order should be issued expressly listing the entities exempted from the PDPA as practised in Singapore for clarity and transparency.

Introduction of mandatory data breach notification

Despite Malaysia being the first country in Asean to introduce standalone data protection legislation, the PDPA lags far behind its counterparts, which have introduced mandatory data breach notifications. Nine jurisdictions in Asia-Pacific have done so, including Australia, China, Indonesia, Japan, New Zealand, the Philippines, Singapore, Taiwan and Thailand.

To resolve this, Malaysia could introduce a staggered two-step approach, similar to Japan’s, to help bolster accountability, transparency and trust. A data user, being the person having control or authority over the processing of personal data, would be mandated to make an immediate data breach notification to the Personal Data Protection Commissioner upon becoming aware of the breach.

A second notification must be made within 30 days following an internal investigation, furnishing all known details and the outcome of the investigation. The commissioner must be able to maintain oversight at all times and have the authority to request any information or documentation at any point for transparency.

Address privacy risks from ‘flexible work arrangement’ introduced under the Employment Act

Recently, the Employment Act 1955 (EA) was amended to introduce flexible working arrangement provisions, allowing employees to request to vary their hours, days of work and place of work. Data protection legislation must be updated to cater for the privacy and security risks arising from this flexible working style.

A balance between accountability and obligations of employers and employees must be struck where, in this instance, guidelines can be introduced under the EA to place obligations onto the employees to exercise reasonableness in handling personal data during the course of their employment. The entire burden to protect the sanctity of personal data cannot fall squarely onto the shoulders of the businesses.

Employers who effectively place these obligations onto the employees should also be afforded a defence in the event of a data breach and should not be held accountable for the negligent actions of their employees, providing balance of accountability.

Easing cross-border data movement

When data is allowed to move freely across borders, it can help promote economic relations between countries. The government can help drive international trade by easing cross-border data movement through the issuance of a whitelist under the PDPA. This whitelist is intended to list countries with data protection mechanisms adequate and equivalent to Malaysia’s, allowing free movement of personal data between Malaysia and the identified countries.

The issuance of a whitelist would help small businesses that do not possess the infrastructure or resources to independently determine if it is secure to transfer personal data to these countries. With readily identified countries, economic transactions and business relationships can be promoted.

Upon updating our legislation, we can develop our own benchmark for other countries to meet. This is similar to the European Union and the UK “adequacy decision” — once we develop our own benchmark, we are then empowered to determine if other jurisdictions meet our standards in order to allow free flow of personal data, subsequently opening up investment opportunities and improving business ties between participating countries.

Introduce comprehensive cybersecurity legislation

Data protection, privacy and cybersecurity all interplay with one another to form the key pillars of data sanctity. While data protection and privacy governance relate to processing and protection of personal data, cybersecurity stipulates how systems should be kept secure to prevent a breach.

To date, there is no standalone cybersecurity legislation here; the only cybersecurity legislation in force is sectoral, governing the finance industry.

A single, comprehensive piece of cybersecurity legislation should be introduced to provide a consistent approach across the different industries to ensure that, over and above improving personal data practices, the very systems processing personal data too are safeguarded.

Imposition of direct obligations onto a data processor

Data processors, being persons who process personal data under the instructions of a data user, do not have any direct obligations under the PDPA. It is up to the data user to ensure that appointed data processors will protect personal data from loss or misuse via contractual obligations. Given that the government is exempted from the PDPA as discussed earlier, it is also unclear if government-appointed data processors are similarly exempt.

Seeing that imposing the full breadth of obligations under the PDPA onto data processors might create administrative and financial burdens for businesses, especially given the current economic climate, imposing partial obligations seems practical. Selective obligations can be imposed on data processors to hold them accountable for the personal data they process, including obligations to protect personal data in their possession, retention principles and mandatory data breach notification obligations.

Conclusion

We believe it is critical that the objective to reshape the privacy, data protection and cybersecurity landscape in Malaysia involves creating an ecosystem promoting free flow of data without compromising citizens’ rights to have their data protected and secure. This must be done by revamping the legislative landscape alongside strengthening public policy and propagation of education and public awareness.


Raphael Tay is the head of the corporate, commercial and M&A practice at LAW Partnership, a relationship firm of the global firm Eversheds Sutherland. He also has academic roles in institutions/organisations such as the College of Law (Australia) and the Faculty of Law at Chulalongkorn University (Thailand). He is a council member of the Inter-Pacific Bar Association and a member of LAWASIA. Malvinderjit Kaur is an associate with the corporate, commercial, M&A team at LAW Partnership.
