
Time to start reading the Privacy Policy – A deep dive into the Personal Data Protection Act 2010

Introduction


Have you ever been in a position where you’re signing up for an account on a website and a little box pops up with what seems like endless lines of text that you don’t necessarily comprehend? Ever just skipped to the “Accept” button of the privacy notice because reading the notice is plainly “time consuming”?



We’ve all been there, but what we fail to appreciate is that, as Malaysians, we have a piece of legislation that we can point to and say “Hey, it’s my personal data and you are not allowed to do that!”.


This article will run through a few principles in the Personal Data Protection Act (“PDPA”) that you should probably know, as they concern your rights as a data subject.


The Personal Data Protection Act 2010 (“PDPA”)


The Malaysian Parliament took a long time to pass the PDPA. Introduced in 1998, it took nearly 12 years to receive royal assent, giving a new meaning to the term “giving due thought and consideration”.


The PDPA governs two sets of people in relation to the protection of personal data. The first are ‘data users’, defined as persons who process personal data once it has been given to them; the second are ‘data subjects’, the persons whose data is being processed, people like you and me.


The General Principle


The first major principle is found in Section 6 of the PDPA, the General Principle, which makes it compulsory for data users to obtain consent from data subjects before processing their personal data. However, consent is not always required. For example, the requirement to obtain consent from a data subject can be circumvented if the processing is necessary for things like the performance of a contract to which the data subject is a party, or even for the administration of justice.


Therefore, if an individual signs a contract and the data is necessary for the performance of that contract, the consent requirement effectively falls away, as the General Principle can be sidestepped on the basis that the processing is necessary for the performance of a contract.


The Notice and Choice Principle


As a data subject, one thing you ought to remember is that a data user is required by the PDPA to give you written notice informing you of the purpose for which your personal data is being collected and processed. Remember the privacy policy that we willingly accept without giving it much thought? That is an example of the written notice that companies and websites are required by law to provide, informing you of what your personal data is being collected and processed for.




Ever wondered why you sign up as a member on a particular website and then receive a whole bunch of spam emails from them about their products? Well, that’s basically because you’ve given them consent, whether you know it or not, to process your data and send you marketing materials.


The Access Principle


Another pivotal part of the PDPA is the Access Principle. Many fail to realise that data subjects are not only allowed to access their personal data once they have provided it, but are also allowed to correct any inaccurate data. In order to remain compliant with the Act, data users are obliged to respond to any data access and correction requests within fixed timelines.



Does the PDPA sufficiently cover all aspects of Privacy?


The PDPA is far from perfect; there are parts of the law that should be revamped to provide more protection for data subjects. One of the main things that can be done to improve protection is to extend the application of the PDPA to government agencies and not just businesses. Government agencies collect and process a great deal of personal data, and a data subject’s privacy would be better protected if the PDPA extended to cover government agencies.


As an example, in January 2021 a particular hacktivist group made serious cyber-attack threats against the government over data breaches. This prompted the National Security Council (MKN) to issue a warning to government agencies to prepare for, prevent and minimise the impact of a cyberattack. At this moment in time, the fact remains that the PDPA does not adequately protect the data subject in respect of the use of data by the government.


Another important thing to note is that non-compliance with the PDPA attracts potential criminal sanctions. Any future amendments to the PDPA should include potential civil liability for non-compliance by data users. Criminal sanctions can only be pursued by the State (the AG’s Chambers), and this may not necessarily compensate an individual for a breach of privacy. In the event of a breach, the person aggrieved will not be able to go after the person breaching the PDPA themselves and will have to rely on an already overworked Criminal Prosecution Service to find the time to get justice.


In conclusion, the PDPA is not the most complete piece of legislation for fully protecting a data subject, but it is a step in the right direction by the Malaysian Parliament. Improvements should be made to the Act in order to adequately protect a data subject’s rights.



