Malaysia’s long overdue Act now in force

Malaysia’s Personal Data Protection Act 2010 (PDPA) was finally brought into force on 15 November 2013, more than three years after it was enacted. A number of Regulations have come into force on the same day. All data users have three months from that date to comply with Act and Regulations, making it the first data privacy Act in the ASEAN region to be fully in force.

By February 2014 data users who are established in Malaysia or use equipment in Malaysia will have to take all necessary steps to comply with the PDPA and with the Regulations, if they use personal data in commercial transactions. The data privacy principles in the Act are quite comprehensive and go considerably beyond minimal OECD-style, including many additional elements familiar from the EU data protection directive, including special protections for sensitive data, direct marketing opt out provisions, and even a right to block access to personal data.

The enforcement provisions in the Act are potentially quite strong, with contraventions of any of the privacy principles being offences per se, and the fines upon conviction being as high (in many cases) as US $100,000. The normal means of enforcing the Act is likely to be by enforcement notices, and directions for remedial actions, issued by the Personal Data Protection Commissioner (subject to an appeal to Appeal Tribunal). Non-compliance with an enforcement notice is also an offence.

Read an analysis of this law by Professor Graham Greenleaf in the next issue of PL&B International, due 13 December.