Malaysia - January 2013 'in force' likely

Malaysia's Personal Data Protection Act 2010 (PDPA) will finally come into force on 1 January 2013, according to reported statements by the Minister of Information, Communications and Culture of Malaysia, Datuk Seri Rais Yatim. From that date, it is expected that data users will have three months to prepare to comply with the rules and regulations, in accordance with s145. The Act provides that it comes into operation on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act (s1), so it is still uncertain exactly when which sections will become operative.

The Director General of the Personal Data Protection Department (PDPP) will apparently be the regulator, but may be renamed as the Malaysian Data Protection Commissioner, or similar, and appointed as such under the Act. The Act makes little pretence that the Commissioner is independent of the government, but for the head of a Department of the Executive to be made the Commissioner would certainly underline the lack of independence from government.

The PDPP is currently holding public consultations on the proposed classification of Data Users (processors), and proposes to hold further consultations in 2013 before finalising the regulations/guidelines to the PDPA. Any person who at the date of coming into operation of this Act either alone or jointly processes (or controls the processing) of personal data must within three months of the Act coming into operation be registered as a data user (s 146), but this only applies to a data user who belongs to a class of data users as specified in the order to be made by the Minister under s14.