Data Protection Enforcement in Malaysia

Administrative Remedies

The Personal Data Protection Commissioner (“PDPC”) administers and enforces the Malaysian Personal Data Protection Act (“PDPA”). The PDPC has the power to monitor and supervise compliance with the PDPA, including:

  1. Implement and enforce personal data protection laws, including the formulation of operational policies and procedures;
  2. Conduct investigations where complaints are made to the PDPC or where the PDPC has reasonable grounds to believe there is a contravention of the PDPA; and
  3. Issue circulars, enforcement notices or any other instruments to any person.

The PDPC may, in an enforcement notice, direct: (i) the data user to take the steps necessary to remedy the contravention; and (ii) where necessary, the data user to cease processing personal data pending the remedy of the contravention. The PDPC does not, however, have the power to order compensation for damages. Any person aggrieved by a decision of the PDPC may appeal to the Appeal Tribunal by filing a notice of appeal.

Civil Remedies

There is no express statutory right to pursue a civil claim for non-compliance with the PDPA.

Criminal Remedies

The penalty for breaching the personal data protection principles set out under the PDPA is a fine not exceeding RM 300,000 (USD 1 = RM 3.80) and/or imprisonment not exceeding 2 years. In addition, the PDPA provides for other, in some cases more stringent, penalties for other offences, including those listed below:

  1. A fine not exceeding RM 200,000 and/or imprisonment not exceeding 2 years where a data user fails to process sensitive personal data in accordance with the PDPA;
  2. A fine not exceeding RM 500,000 and/or imprisonment not exceeding 3 years where a person who belongs to a specified class of data users processes personal data without a certificate of registration;
  3. A fine not exceeding RM 100,000 and/or imprisonment not exceeding 1 year where a data user fails to comply with the provisions of a code of practice (which has legal force);
  4. A fine not exceeding RM 500,000 and/or imprisonment not exceeding 3 years where a data user continues to process personal data after the data user's registration has been revoked;
  5. A fine not exceeding RM 200,000 and/or imprisonment not exceeding 2 years where a person fails to surrender the certificate of registration to the PDPC when required to do so in accordance with the PDPA;
  6. A fine not exceeding RM 100,000 and/or imprisonment not exceeding 1 year where a data user continues to process personal data after the data subject has withdrawn consent to the processing by notice in writing;
  7. A fine not exceeding RM 200,000 and/or imprisonment not exceeding 2 years where a data user fails to comply with a requirement of the PDPC to cease processing the personal data of a data subject in a manner that is causing or is likely to cause substantial damage or distress to the data subject or another person;
  8. A fine not exceeding RM 200,000 and/or imprisonment not exceeding 2 years where a data user fails to comply with a requirement of the PDPC to cease processing personal data for the purposes of direct marketing;
  9. A fine not exceeding RM 200,000 and/or imprisonment not exceeding 2 years where a data user fails to comply with the directions stipulated in an enforcement notice issued by the PDPC;
  10. A fine not exceeding RM 300,000 and/or imprisonment not exceeding 2 years where a data user transfers personal data outside Malaysia, other than to approved places published in the Gazette; and
  11. A fine not exceeding RM 500,000 and/or imprisonment not exceeding 3 years where a person knowingly or recklessly collects or discloses personal data held by a data user, or procures the disclosure of such personal data to another person, without the consent of the data user.

Directors, chief executive officers, chief operating officers, managers and other similar officers are jointly and severally liable for non-compliance by the body corporate, subject to due diligence and lack-of-knowledge defences (Section 133(a)). Regulations have also been issued which supplement the provisions of the PDPA and prescribe specific penalties for breaches of those regulations; these are not summarised here.

Other Remedies

A prosecution for an offence under the PDPA can only be instituted with the written consent of the Public Prosecutor. The Sessions Court has jurisdiction to try offences under the PDPA.

Selected Enforcement Actions/ General Comment

The PDPA came into force on November 15, 2013. Regulations and statutory orders have also been published under it and continue to be amended from time to time.