It has been more than a year since the General Data Protection Regulation (“GDPR”) came into force on 25 May 2018. The GDPR was described by the Information Commissioner as a game-changer as it sought to raise the standards of personal data privacy. The GDPR also sought to harmonise data protection regulations across the EU as well as give greater protection and rights to individuals.
In the wake of the data breach involving Malindo Air in Malaysia, much talk and focus have been placed on whether this would spur any changes in the law. The Personal Data Protection Act 2010 (“PDPA”) came into force in Malaysia on 15 November 2013, with the objective of protecting the personal data of individuals with respect to commercial transactions. To what extent should the GDPR be adopted as part of Malaysia’s data protection laws? This article summarises the impact of the GDPR on Malaysian companies.
Firstly, is the GDPR applicable to Malaysian companies? The GDPR has a far-reaching impact because it not only applies to organisations located within the EU but it also applies to companies outside of the EU that offer goods or services to individuals in the EU, or monitor the behaviour of EU data subjects. The GDPR applies to a broad range of entities, both private and public, located outside the EU.
In contrast, the PDPA applies to a narrower range of entities. The PDPA applies only to the processing of any personal data in respect of commercial transactions. It does not apply to the Federal Government and State Governments. Such exemptions are not found in the GDPR.
The PDPA also does not apply to persons established outside Malaysia unless they use equipment in Malaysia for processing the personal data other than for the purposes of transit through Malaysia.
Given the broad wording of Article 3(2) of the GDPR, the GDPR would extend to Malaysian companies such as e-commerce businesses or hotels that operate websites displaying languages or currencies commonly used in the EU, as these companies would then be targeting EU data subjects even if they never made a sale in the EU, and to Malaysian companies that track the behaviour of individuals in the EU to create profiles of them. For data users not established in the EU, the GDPR may also apply indirectly through the execution of data processing agreements: if the “processor” is subject to the GDPR, the processor will be bound by the GDPR provisions directly applicable to data processors.
One of the major differences between the GDPR and the PDPA is the penalty imposed for non-compliance by a data user. Under the PDPA, a data user who contravenes the personal data protection principles commits an offence and shall, on conviction, be liable to a fine of up to RM500,000 and imprisonment of up to three years.
On the other hand, the GDPR is backed by an enforcement mechanism with significant fines of up to 20 million Euros or 4% of a company’s global turnover, whichever is higher. The EU has therefore demonstrated just how seriously it takes violations of the GDPR and, as a result, organisations worldwide have become acutely aware of the importance of protecting personal data.
Data breach notification
Under the GDPR, notification of a breach of data security to the supervisory authority and the affected individuals is a mandatory requirement in all member states where the breach is likely to “result in a risk to the rights and freedoms of natural persons”.
The notification has to be made within 72 hours of becoming aware of the data breach and, in the case of delay, the reasons therefor. At the very least, data controllers have to provide the following information when making the notification to the supervisory authority:-
- the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the Data Protection Officer (“DPO”) or other contact point where more information can be obtained;
- description of the likely consequences of the personal data breach; and
- description of the measures taken or proposed to be taken by the controller to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects.
There are no data breach obligations prescribed under the PDPA although, in August 2018, the Department of Personal Data Protection issued a public consultation paper on the implementation of data breach notification under the PDPA.
The GDPR requires detailed privacy notices. Both the GDPR and PDPA require organisations to provide people with a privacy notice that is readily accessible. The GDPR goes further to spell out that a privacy notice must be written in clear and plain language, particularly for any information addressed specifically to a child.
The GDPR goes on to stipulate the following additional information to be included in a privacy notice, namely:-
- contact details of the data user and its DPO, where applicable;
- the legitimate interests pursued by the data user or a third party (where the processing is based on legitimate interests);
- where applicable, details of the transfer of personal data to a third country or international organisation including whether there is an adequacy decision by the European Commission or reference to the appropriate or suitable safeguards and means by which to obtain a copy of them or where they have been made available;
- the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
- the existence of the right to erasure and the right to data portability;
- right to withdraw consent;
- right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; and
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Right to be forgotten
Under the GDPR, data subjects are given the discretion to request, verbally or in writing, that the data controller erase their data. The grounds for erasure include:-
- the personal data is no longer necessary in relation to the purposes for which it was originally collected or processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data has been unlawfully processed;
- the personal data has to be erased for compliance with a legal obligation; and
- the personal data has been collected in relation to the offer of information society services to a child.
In considering the impact of this right under the GDPR, on 24 September 2019, the European Court of Justice (“ECJ”) ruled that Google’s delisting of search results that concern EU citizens should only apply in the bloc’s 28 member states.
One of the important lessons from this case is that the balance between an individual requester’s rights and the rights of Internet users interested in that information may vary around the world. The decision illustrates that the EU may not necessarily be able to impose this right in countries that do not recognise this principle.
In Malaysia, the closest provision in the PDPA to this right is the retention principle, embodied in section 10 of the PDPA, which provides that personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which it was processed. Under the PDPA, consent may only be withdrawn by giving written notice to the organisation. Even after consent is withdrawn, the organisation may still keep the personal data so long as it is necessary for the fulfilment of the purpose for which the personal data was collected.
Under the GDPR, data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format.
In contrast, the PDPA provides that data subjects have a right to request their information from a data user, but there is no specific provision on the method or the medium in which such records of personal data are to be given. Singapore is currently considering introducing a data portability requirement into its PDPA.
Malaysia should also consider including a data portability provision in the PDPA, as such a provision would facilitate competition among digital services and innovation, empowering individuals to try new services and enabling them to choose the offering that best suits their needs.
Privacy by design
The data controller is required to implement appropriate technical and organisational measures to ensure that only personal data which is necessary for each specific purpose of the processing is processed. To comply with this requirement, the data controller is required to adopt internal policies and implement measures which meet, in particular, the principles of data protection by design and data protection by default. These include measures to minimise the processing of personal data, to pseudonymise personal data as early as possible, to provide transparency with regard to the functions and processing of personal data, to enable the data subject to monitor the data processing, and to enable the controller to create and improve security features.
These provisions are not specifically provided under the PDPA.
Consent is an important principle articulated under both the GDPR and the PDPA. Under both the GDPR and PDPA, processing of personal data is prohibited unless expressly allowed by law or the data subject has consented to the processing. Both the GDPR and PDPA provide that the requirement to obtain the consent must be presented in a manner which is clearly distinguishable from the other matters.
However, the GDPR goes further to provide that consent must be requested in an intelligible and easily accessible form, using clear and plain language. Unlike the GDPR, the PDPA does not prescribe the type of language that must be used in order to obtain consent. Malaysian businesses should nevertheless be mindful that if consent is not recorded and maintained properly by the data user, the Commission may, in the course of an investigation, take the view that consent was not obtained.
On 21 January 2019, Google LLC (Google’s French arm) was fined €50 million by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) for various failings under the GDPR. The ruling attacked the accessibility of the information, saying that, although most of the information was there, it was scattered around Google’s site via various different “links”.
One reason for the fine was that Google did not ensure that consent met the GDPR threshold: it used pre-ticked boxes and did not separate consent for advert personalisation from consent to other processing by Google.
Malaysian businesses should therefore take a common-sense approach to obtaining consent and provide consent notification language in a clear and easily-understandable manner.
Appointment of DPOs
Under the PDPA, a DPO is not mandatory. The GDPR introduced a mandatory requirement to appoint a DPO to monitor an organisation’s data protection compliance and to inform and advise it on its data protection obligations where:
- the processing is carried out by a public authority or body;
- the core activities of the organisation require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing special categories of data or personal data relating to criminal convictions and offences.
Processing of personal data belonging to minors
Where a child is below 16 years old, the data processor must obtain consent or authorisation from the holder of parental responsibility over the child. The GDPR takes into consideration that children are less aware of the risks, consequences and safeguards concerned with the processing of personal data. This applies in particular to the use of children’s personal data for marketing, for creating personality or user profiles, or for the collection of personal data in relation to services offered to children.
In light of the modern age of digital technology and children’s exposure to social media and online gaming, this provision is particularly important to ensure that the personal data of children is accounted for.
In contrast, the PDPA does not specifically provide for measures to safeguard the processing of personal data belonging to minors.
Data protection impact assessment (“DPIA”)
The GDPR imposes a mandatory requirement for data controllers to conduct a DPIA where the type of processing uses a new technology and, taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA assesses the impact of the processing operations on the protection of personal data. The PDPA does not impose an obligation on a data processor to conduct an impact assessment even where new technologies are used.
Cross-border data transfers
The GDPR restricts the transfer of data from the EU to “third countries” (that is, countries that are not EU or EEA members) unless that country is assessed by the European Commission as having “adequate” levels of data protection. As Malaysia is currently a “third country” without an “adequacy decision”, EU/EEA countries will only be able to transfer data to Malaysia in very limited circumstances.
1) Data protection audit
One of the first steps Malaysian companies should take when preparing for the GDPR is to conduct a comprehensive audit of all the personal data they currently hold, where that data comes from across the entire business, and their data processing activities. For example, a company cannot draft an employee privacy notice or compile a data protection policy or record of processing activities unless it knows what data it holds and what it does with that data.
In the wake of Marriott’s data breach involving a loss of 339 million guest records, which was reported in November 2018, companies must also carry out proper due diligence measures in relation to personal data when carrying out a corporate acquisition.
2) Implement processes and procedures
One purpose of the audit is to collate the information that companies will need in order to comply with certain GDPR obligations, and to take immediate steps to implement processes and procedures that address the compliance gaps. This could include developing new data handling policies and updating contract clauses in data processing agreements and privacy notices.
Companies should also implement technical measures, such as end-to-end encryption, and organisational security measures to limit the risk of data breaches. It is also important to ensure that customers and service users understand what companies do with their data. Privacy notices should be clearly signposted and be as accurate as possible about what data is collected and why.
Further, Malaysian companies must develop data governance policies when moving EU-specific data to countries outside of the EU.
3) Conduct data protection impact assessments (“DPIA”)
A DPIA will help Malaysian companies understand the risks to the security and privacy of the data processed and ways to mitigate those risks.
4) Implement data breach notification policies
It is essential to have in place a practical guide on how the organisation should respond to a data breach. This should outline clear processes for how reports are made and how breaches are assessed internally, be clear on what kinds of breaches should be reported to the PDPA Department, and set out how statements are to be released to the media.
5) Appointment of DPOs
Many organisations should consider designating a DPO and a representative based in one of the EU member states.
It is also important to ensure that employees are trained with proper data handling techniques and are aware of the GDPR obligations.
The implementation of the GDPR brings about additional obligations with which organisations and businesses in Malaysia will have to comply, over and above the requirements of the PDPA.
In light of digital and technology advancement, the need for protection of personal data has become more compelling. The ratification of appropriate and necessary principles under the GDPR as part of Malaysia’s personal data protection laws is vital to ensure growth of the digital economy whilst balancing the emerging need to improve data protection.