In a nutshell: data protection, privacy and cybersecurity in Malaysia

Deepak Pillai

In Malaysia, the main legislation governing data protection matters is the Personal Data Protection Act 2010 (PDPA). As the PDPA is modelled on the European Union Data Protection Directive 95/46/EC, the principles and requirements set out in the PDPA are largely similar to the data protection requirements found in the UK's Data Protection Act 1998. That being said, there are several notable differences between EU data protection legislation and the PDPA, such as (1) the ambit of the PDPA being limited to the processing of personal data in commercial transactions; (2) the non-applicability of the PDPA to the federal and state governments; (3) the lack of an express right for data subjects to bring a legal action under the PDPA for a breach of their PDPA-related rights; and (4) the Commissioner reporting to a minister and not to parliament.

Apart from the PDPA, there are also sector-specific regulations in sectors such as the banking and financial sector, the healthcare sector and the capital markets sectors that prescribe specific data protection related requirements that are tailored to their respective sectors and industries.

With regard to the recognition of data privacy as a human right under Malaysian law, data privacy, or the right to privacy in general, is not one of the fundamental liberties enshrined under Part II of the Federal Constitution (FC). However, case law has, in limited instances, particularly in cases where the modesty of the claimant is involved, recognised that the right to life and personal liberty under Article 5(1) of the FC encompasses the right to privacy, and the Malaysian courts have allowed aggrieved claimants to initiate civil claims under the tort of breach of privacy. 2

ii Cybersecurity in Malaysia

There is currently no overarching or dedicated cybersecurity legislation in Malaysia. The Malaysian government's approach to cybersecurity is primarily based on national cybersecurity policies, with different aspects of cybersecurity regulated across various pieces of legislation, including the PDPA.

However, the Malaysian government has announced its intention to enact standalone cybersecurity legislation to regulate cybersecurity matters and address existing gaps in Malaysia's current cybersecurity legal framework.

This chapter will provide an overview of Malaysia's data privacy and cybersecurity legal framework and discuss recent regulatory developments in Malaysia.

The year in review

Following the Malaysian government's publication of the Malaysian Digital Economy Blueprint (MDEB) in early 2021, in which the government expressed its commitment to strengthening the country's data protection and cybersecurity legal framework, there have been a number of developments in the data protection and cybersecurity sphere in Malaysia.

In 2022 alone, there were several reports of data leak incidents involving the personal data of millions of Malaysians that allegedly originated from the databases of government agencies. 3 As a result, there is increasing public scrutiny of the effectiveness of the country's data protection and cybersecurity framework, and calls have been made for the government to fortify the existing legal framework for data protection and cybersecurity.

i Data privacy developments

In December 2021, the High Court released its grounds of judgment in Genting Malaysia Berhad v. Personal Data Protection Commissioner & Ors 4 (Genting), the first time a Malaysian court had decided a formal challenge brought against government authorities in respect of their powers to request disclosure of personal data pursuant to the PDPA. The High Court's decision essentially introduced limits on the data-gathering powers of enforcement and regulatory agencies; the impact of the case is discussed further below.

Earlier in 2022, the Personal Data Protection Commissioner (Commissioner) issued a series of documents that are further discussed in Section III, namely:

  1. the Guide to Prepare Personal Data Protection Notice 2022 (Privacy Notice Guide);
  2. the personal data protection codes of practice for private hospitals in the healthcare industry and the utilities sector (water); and
  3. circulars to remind prescribed classes of data users of their obligation under the PDPA to register with the Commissioner and to renew their certificates of registration before expiry. 5

In the August 2022 parliamentary proceedings, the Minister of Communications and Multimedia (Minister) announced that a draft amendment bill to the PDPA had been prepared and passed to the Attorney-General's Chambers (AGC) on 28 June 2022 for review. The Minister indicated that, once the Ministry of Communications and Multimedia (K-KOMM) receives the AGC's feedback on the final draft, K-KOMM is committed to tabling the amendment bill for parliament's approval at the upcoming parliamentary sitting in October 2022. 6

In the same proceedings, the Minister also confirmed five main amendments that are to be included in the draft amendment bill, namely:

  1. the extension of the PDPA to data processors, where direct obligations will be imposed on data processors to comply with the Security Principle of the PDPA;
  2. the introduction of mandatory data breach notification obligations for data users, which will require data users to report data breaches within 72 hours;
  3. the introduction of a new obligation on data users, where they will be required to appoint data protection officers;
  4. the introduction of a new right to data portability for data subjects; and
  5. the restructuring of the existing mechanism for cross-border transfer of personal data under Section 129 of the PDPA, where data users will generally be allowed to transfer personal data overseas, save and except for jurisdictions that have been specifically blacklisted by the Minister.

In early 2022, the Prime Minister also confirmed in parliament that a draft standalone Cybersecurity Bill to regulate cybersecurity matters in Malaysia is being prepared, and that the Malaysian government aims to table the Cybersecurity Bill for parliament's approval by March 2023.

Additionally, from a sectoral perspective, the Central Bank of Malaysia (Bank Negara Malaysia or BNM) issued the Exposure Draft on Cloud Technology Risk Assessment Guideline (CTRAG) for public feedback in June 2022. The exposure draft aims to complement BNM's Policy Document on Risk Management in Technology (RMiT) by setting out proposed guidance on assessing the common key risks, and the control measures to be considered, when financial institutions adopt cloud services.