Malaysia's Personal Data Protection Act 2010 (PDPA) was due to take effect on January 1, 2013, but the law is still not in force due to legal formalities. Despite its impending introduction, many companies are still lacking in compliance while consumers doubt it will be strongly enforced.
Foong Cheng Leong, a Malaysian lawyer and co-chairman at Kuala Lumpur Bar Information Technology Committee, said despite the announcement by a minister that the act will take effect at the beginning of the year, it is technically still on hold as there needs to first be an official notification in the Government Gazette for the Act to be formalized.
In a report published in December 2012, Malaysian newspaper The Star cited deputy Information, Communications and Culture Minister Datuk Joseph Salang who said during a keynote the PDPA would be enforced on January 1, 2013 and companies will have three months to comply.
Malaysia's law for personal data protection has been long in the making. The Personal Data Protection Bill was first drafted in 2001 and was expected to be in force in early-2010 but that did not materialize.
Despite the protracted lead up, many Malaysian companies are still not prepared for the eventual implementation of the law. Foong pointed out during his many talks on PDPA, he had noticed many companies have not started their compliance exercise.
Malaysia vs Singapore's data privacy Act
Neighboring country Singapore passed its personal data protection bill in October 2012 and was enforced in January this year.
Foong said while both countries' personal data protection laws were similar, the details differed "quite a bit".
The Malaysian law requires data collection parties to give subjects a written notification in the national language and English during the process. For Singapore, the notification is simpler as there is no rule the notification needs to be in the national language or English.
Furthermore, Singapore's Act requires the party collecting data to state the purpose for the collection, use or disclosure of the personal data, he noted. When requested, the party collecting data needs to provide a point of contact to address any queries by individuals.
Foong added consent to process personal data is not defined in the Malaysian PDPA, while the Singapore law sets out in detail what amounts to consent and what type of consent is acceptable.
Singapore's PDPA also clarifies what happens to personal data collected before the date of commencement of the law but the Malaysian PDPA is silent on this, he said.
Barry Ooi, president of the Marketing Research Society of Malaysia, said the Act will have a direct impact on the practice of market research in the country as it includes entities that process personal data. "All market research companies will need to be aware of the rules and regulations under this act," he said.
Ooi pointed out most market research companies in Malaysia have been adopting the international research standards set by the World Association for Market, Social and Opinion Research (ESOMAR). "Many of the rules and procedures in the PDPA are similar to the ESOMAR guidelines," he added.
"Nevertheless, our members are tightening up their procedures, particularly in the area of respondent consent and non-disclosure," he noted.
Consumers lack confidence in enforcement of Act
Despite the government efforts, a few consumers in Malaysia were not confident about how the law would be eventually enforced.
IT systems engineer Ranjeeta Kaur said she knew that the country has such an act. However, she did not take much interest in reading the details mainly because of the lack of enforcement for most of the laws in Malaysia. "Enacting an act is simple but placing it into the actual corporate world and making sure that it's followed is another story altogether," she said.
"If we were to look at our daily Internet activities, most Malaysians don't care about this Act. In fact they don't even bother that the information they exchange with other parties could be leaked or used against them," said Kaur.
Postgraduate student Chua Soon Hau questioned whether the Act would impact Internet companies such as Facebook or Instagram which were not based in Malaysia. "The Act will more likely tackle analytics companies that gather data and sell it to people who want it," he said.
Chua wondered if the implementation of the law might even conflict with privacy agreements which users need to agree to before using a service.
Kaur said unlike the European countries, consumers in Malaysia were more "carefree" about their personal information. "Many folks are just happy to be given a computer and access the Internet with a carefree mind. We should actually be made aware of how our data is being handled, who is viewing it or has access to it," she said.