Malaysia gazettes data protection act, effective immediately

Summary: After a delay of almost a year, Malaysia finally gazettes its Personal Data Protection Act 2010 on Thursday and makes it effective Friday. Businesses have three months to comply, and violations can result in a fine and/or imprisonment.

Malaysia has quietly gazetted its Personal Data Protection Act 2010 (PDPA), effective immediately, and given businesses three months to ensure compliance.  

The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but was delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented in early 2010. An earlier note by the American Malaysian Chamber of Commerce indicated that the Act was scheduled to be passed on August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia (PDPD) by November 15, 2013. This, however, apparently was also rescheduled.

According to Kuala Lumpur-based lawyer Foong Cheng Leong, the act has been gazetted and comes into force today, with Tuan Abu Hassan bin Ismail appointed as the Personal Data Protection Commissioner. Foong noted that the Act outlined four new pieces of subsidiary legislation, including the class of data users and registration of data users. Businesses that fall under these categories include banking and financial institutions, communications service providers, insurance companies, transportation, and utilities.

Data users now have three months from November 15 to ensure compliance, he added. 

The PDPA also provided some guidelines on the definition of consent, which must be in a form that can be recorded and maintained by the data user. The burden of proof for consent lies with the data user, Foong said.

Singapore-based tech lawyer and ZDNet blogger Bryan Tan said the sudden turn of events meant Malaysia has "stolen a march" on Singapore, which passed its Personal Data Protection Act in October 2012 but whose main regulations will come into effect only on July 2, 2014, when all organizations must ensure compliance. The Act, however, includes a Do-Not-Call Registry which will be in force January 2, 2014.

Tan said: "The two countries' PDPAs are different, but what it generally means for businesses is that a lot of time and effort will need to be spent on compliance. Perhaps it is a blessing in disguise that both come into force almost at the same time, so companies operating in Singapore and Malaysia can coordinate their compliance in one single project."

Topics: Privacy, Security, Malaysia

About

Eileen Yu began covering the IT industry when Asynchronous Transfer Mode was still hip and e-commerce was the new buzzword. Currently a freelance blogger and content specialist based in Singapore, she has over 16 years of industry experience with various publications including ZDNet, IDG, and Singapore Press Holdings.

Talkback

2 comments
  • This is definitely a flaw in the Malaysian system

    Laws should take effect as soon as they receive the Royal Assent (but maybe the King should be allowed to submit bills to referendum on his own initiative if he objects to them).

    Regardless, allowing the Government to indefinitely postpone putting already passed laws into effect is unacceptable.
    John L. Ries
  • "BIG COMPLIANCE IN THE AGE OF INNOVATION: PERSONAL DATA PROTECTION LAW IN MALAYSIA AND ASEAN REGION"

    Jeong Chun Phuoc.

    A. INTRODUCTION
    The PERSONAL DATA PROTECTION ACT 2010 ('PDPA 2010') was enforced within reasonable time by Malaysia commencing 15 Nov 2013. Despite its enforcement, the private sector is still in the dark. Many do not have in place any proper PDPA COMPLIANCE PROGRAM.

    The PDPA enforcement position adopted by Singapore is a good move in the right direction as well.


    B. COMPLIANCE ASSESSMENT
    Despite potential serious fines and penalties for PDPA violations and PDPA non-compliance, the attitude remains lackadaisical.


    C. PHASE 2 ENFORCEMENT
    In Phase 2 of the COMPLIANCE & ENFORCEMENT MODEL, strict enforcement and audit measures will be taken to enforce COMPLIANCE.


    D. CONCLUSION.
    Megatrend in PDPA protection will see full adoption and enforcement of PDPA protection within ASEAN region in particular, commencing ASEAN ECONOMIC COMMUNITY (AEC) 2015 and beyond.


    E. COMPLIANCE PROGRAM
    Organisations are strongly advised to establish an effective COMPLIANCE PROGRAM to ensure full compliance with PDPA ACT 2010 to avoid serious fines and penalties for non-compliance/violations under the PDPA 2010.




    ......................................
    JEONG CHUN PHUOC
    Adv CLI. Big Compliance and Big Law.
    He may be reached at jeongchunphuoc@gmail.com
    (this is his personal view)
    Jeong chun phuoc