The Malaysian Personal Data Protection Commissioner (Commissioner) has recently issued Public Consultation Paper No. 1/2020 (“PCP”) which aims to collect feedback on the Commissioner’s proposal to update the Personal Data Protection Act 2010 (PDPA). The PCP proposes the following:
- to impose direct obligations on data processors, including the obligation to register with the Commissioner;
- to introduce the right to data portability, i.e. to grant rights to data subjects to obtain his data in a structured, machine-readable format which can be transferred from one data user to another;
- to require data users to appoint a data protection officer (DPO) and to issue a guideline on the mechanism of having a DPO;
- to impose mandatory data breach notification obligations on data users, and to issue guidelines on the mechanism of data breach incident reporting;
- to provide clarity on the subject matter of consent and to restructure section 6 of the PDPA (which provides for the General Principle);
- to amend section 129 of the PDPA (transfer of personal data outside of Malaysia) to remove the whitelist of places as to date, the Minister of Communications and Multimedia has not published any whitelist;
- to require data users to implement privacy by design, i.e. data user should include privacy into its system life cycle, and to issue a guideline on the mechanism;
- to require data users to establish a Do Not Call Registry, which allows data subjects to opt-out from receiving unsolicited direct marketing materials;
- to introduce the right of data subjects to know the third party which his personal data has been or will be disclosed to;
- to introduce the right to bring civil actions against data users;
- to issue clear policy on endpoint security, for example using technology like encryption to reduce the risk of data breaches, in view of the techniques such as facial recognition and smart trackers which are widely used by data users as data collection endpoints;
- to extend the PDPA to the Federal and State Governments;
- to issue a guideline on the mechanism and implementation of cross border data transfers with regard to the exchange of personal data for data user with an entity located outside of Malaysia;
- to exempt business contact information (contact details that are obtained in a business-to-business relationship) from the PDPA, and to issue a guideline to clarify the status on business contact information;
- to issue a guideline to clarify the level of disclosure of personal data by data user to government regulatory agencies that is permitted under the PDPA;
- to classify data users based on business activities (this is different from the classes of data users that requires registration with the Commissioner);
- to introduce voluntary registration by data users that are not required to register pursuant to the PDPA;
- to extend the PDPA to non-commercial transactions;
- to extend the PDPA to data users outside of Malaysia that monitor and profile Malaysian data subjects;
- to require data users to provide clear mechanism for data subjects to unsubscribe from online services, and to issue a guideline on the mechanism of digital and electronic marketing;
- to allow data users to make first direct marketing calls to the data subject and to issue a guideline on direct marketing; and
- to issue a guideline on the processing of personal data in cloud computing.
The PCP may be accessed here. Data users and data processors may provide their feedback in Microsoft Word format citing the relevant paragraphs and page numbers as appropriate, complete Part II of the PCP, and send the completed PCP to pcpdp@pdp.gov.my by 28 February 2020.