International Law News, Spring 2022

Data Privacy in the ASEAN Region

William Greenlee

Summary

  • The Malaysia Personal Data Protection Act 2010 is the principal piece of legislation regulating personal data in Malaysia.
  • It applies to any person who processes, controls, or authorizes the processing of personal data in commercial transactions.
  • Part two of a special three-part series covering Singapore, Malaysia, and Myanmar. Several Asian countries are out in front in protecting their residents' data.
The Malaysia Personal Data Protection Act 2010 (“Malaysia PDPA”) is the principal piece of legislation regulating personal data in Malaysia. It applies to any person who processes, has control over, or authorizes the processing of any personal data in respect to commercial transactions.

The Malaysia PDPA and its relevant regulations are administered by the Personal Data Protection Commissioner (the “Commissioner”) under the purview of the Ministry of Communications and Multimedia.

The Malaysia PDPA does not apply to federal or state governments or any personal data processed outside Malaysia, unless that personal data is intended to be processed further in Malaysia. It also does not apply to those without an established presence in Malaysia unless the person uses equipment in Malaysia to process personal data (other than for purposes of transit through Malaysia). In this category, such a person must nominate a representative in Malaysia for the purposes of complying with the Malaysia PDPA.

Second of a Three-Part Series

Categories of Protected Data

The Malaysia PDPA regulates two categories of data: (i) personal data and (ii) sensitive personal data.

(a) Personal data is information which relates directly or indirectly to a data subject (i.e., an individual) who is identifiable from that information, or from that information combined with other information in the data user’s possession.

The Malaysia PDPA does not apply to any information processed for credit reporting activities which are separately regulated under the Malaysian Credit Reporting Agencies Act 2010.

(b) Sensitive personal data is regulated more closely but does not include the wide range of sensitive categories generally regulated in other countries. It is currently limited to personal data relating to a data subject’s health, political views, religious beliefs, criminal record, or alleged commission of any offence (other categories may be designated by the Minister of Telecommunications and Multimedia (“Minister”) in the future).

The Malaysia PDPA imposes higher compliance obligations for sensitive personal data. For example, the processing of sensitive personal data requires explicit consent from the data subject. For personal data other than sensitive personal data, explicit consent is not required so long as such consent obtained from the data subject can be recorded and properly maintained by the data user.

Key Concepts under the Malaysia PDPA

The Malaysia PDPA deals with three groups of persons:

(a) “Data users,” also commonly referred to as “data controllers” in other jurisdictions, are persons who, either alone or jointly or in common with others, process any personal data or have control over or authorize the processing of personal data.

(b) “Data subjects,” the subjects of the personal data.

(c) “Data processors,” persons, other than employees of the data user, who process the personal data solely on behalf of data users. A data processor does not process the personal data for his or her own purposes.

1. Personal Data Protection Principles

The Malaysia PDPA regulates the processing of personal data by requiring a data user to comply with seven principles (“Processing Principles”) briefly summarized as follows.

(a) General Principle: A data user cannot process personal data about a data subject unless the data subject has given his or her consent to the processing of the personal data or if any exceptions under the Malaysia PDPA apply.

(b) Notice and Choice Principle: The Malaysia PDPA prescribes eight mandatory matters on which the data user must inform a data subject by a written notice. Such a notice must be given in English and the local language(s).

(c) Disclosure Principle: A data user must limit disclosure of the personal data to the purpose which the data subject had been informed of at the time of collection and for which the data subject had consented. Furthermore, personal data cannot be disclosed to anyone other than a third party specified in the notice prepared in compliance with the Notice and Choice Principle.

(d) Security Principle: Practical steps must be taken by a data user to safeguard the personal data from any loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction. If third-party data processors are appointed, the data user must also ensure that they take these steps.

(e) Retention Principle: A data user must not retain personal data for longer than is necessary to fulfil the purpose for which it was collected.

(f) Data Integrity Principle: A data user must take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and current.

(g) Access Principle: The data subject has the right to access his or her personal data held by the data user; and to correct his or her personal data where it is inaccurate, incomplete, misleading, or not updated.

The Processing Principles and compliance obligations under the Malaysia PDPA are generally applicable only to data users and not directly to data processors.

Failure to adhere to any of the Processing Principles is an offence under the Malaysia PDPA, and failure to comply can result in penalties of between RM 100,000 and RM 500,000 (approximately US$ 24,000 to 120,000) and a term of up to three years imprisonment.

In addition to the Malaysia PDPA, the Personal Data Protection Regulations 2013 (“Malaysia PDP Regulations”) impose further obligations on data users in the handling of data subjects’ data. In 2015, the Commissioner issued the Personal Data Protection Standard (the “Malaysia PDP Standard”), which sets out the minimum requirements to be complied with by data users. The Malaysia PDP Standard sets out the practical steps that must be followed by data users for processing personal data electronically and non-electronically, for example, requiring evidence of prior written authorization from the company’s top management before any transfer of personal data through removable media devices and cloud computing services is allowed.

2. Cross-Border Transfer

Under the Malaysia PDPA, transfer of personal data outside Malaysia is prohibited unless the transfer is made to a jurisdiction approved by the Minister (by a notification published in the Gazette) or where any of the specific exceptions prescribed under the Malaysia PDPA applies. The Commissioner published a consultation paper in 2017 seeking the public’s feedback on the draft whitelist of countries to which personal data may be transferred from Malaysia without having to rely on the exceptions. As of December 2021, the whitelist had yet to be approved.

Until the order is gazetted and comes into effect, any cross-border transfer of personal data has to rely on the Malaysia PDPA’s exceptions. Among the exceptions, companies most often rely on these: where the data user has obtained the data subject’s consent, or where the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in the foreign jurisdiction in any manner which, if it were to be processed in Malaysia, would contravene the Malaysia PDPA.

B. Sector-specific obligations

Certain categories of data are further regulated by sector-specific directives or regulations, for example, banking customers’ data and medical data. As the guidelines are sector-specific, they may impose additional or higher data protection requirements over and above the general obligations in the Malaysia PDP Standard. These guidelines are generally not publicly available and are often issued directly to industry players subject to confidentiality. One example is the set of guidelines issued by the Central Bank of Malaysia to its licensed financial institutions. The Guidelines on Management of the IT Environment require financial institutions to develop a policy on the usage of cryptographic controls for protection of their critical or sensitive information when stored or transmitted over communications networks.

Under the Malaysia PDPA, the Commissioner has designated data user forums in the following sectors to work with sector players in issuing specific codes of conduct for their business:

  • (a) Communications (for licensees);
  • (b) Transportation (aviation);
  • (c) Banking and financial;
  • (d) Insurance; and
  • (e) Utilities (electricity).

Data users in these industries are also required to register as data users in accordance with Personal Data Protection (Registration of Data Users) Regulations 2013 (“PDP Registration Regulations”) under the Malaysia PDPA. The full list of data users required to register is set out in the Personal Data Protection (Class of Data Users) Order 2013 (“PDP Class of Data Users Order”).

Myanmar

There are currently no specific data protection laws in Myanmar. Personal data of individuals are regulated to a certain extent where they fall within the ambit of information protected by the country’s Electronic Transaction Law 2004. The regulatory framework for the protection of data in Myanmar consists of the recent 2021 amendment to the Electronic Transactions Law as well as sector-specific legislation regulating certain categories of data, such as customer information protected under the Telecommunications Law 2013 and the Financial Institutions Law 2016.

A. Law Protecting the Privacy and Security of Citizens 2017

Until recently, the principal legislation regulating privacy and security of information in Myanmar was the Law Protecting the Privacy and Security of Citizens 2017 (the “Privacy Law”). The benefits of the Privacy Law applied to Myanmar citizens only and it had no application to any non-citizens residing in the country. The Privacy Law was administered by the Ministry of Home Affairs, which is responsible for protecting the rights to privacy and security of Myanmar citizens.

Among others, the Privacy Law prohibited the following activities without an order, permission, or warrant issued in accordance with the existing laws or an approval from the President or the government:

  • Spying, investigation, or detection that may affect or adversely impact the dignity, privacy, or security of a citizen; and
  • Requesting or acquiring personal telephonic and electronic communications data from telecommunication operators.

Non-compliance with the above could result in a potential penalty of imprisonment ranging from six months to three years and/or a fine ranging between MMK 300,000 and MMK 1.5 million (approximately US$ 210 to US$ 1,060).

There were no specific requirements under the Privacy Law to obtain prior consent from data subjects to process the data subjects’ personal data, but as a matter of good practice and in line with international practices, data users typically request consent from data subjects before processing any personal data.

However, with the proclamation of a one-year emergency and the change in the government by the Myanmar military, the specific provisions of the Privacy Law relating to protecting the privacy of citizens of Myanmar have been “temporarily” suspended.

B. Electronic Transaction Law 2004

Presently, the relevant law concerning data protection is the Electronic Transaction Law 2004 (the “ET Law”). Under the ET Law, the following activities are prohibited:

  • Stealing or causing loss and damage to electronic records or electronic data messages;
  • Intercepting any communication within a computer network, or using or granting any person access to any communication, without permission from the originator and addressee;
  • Communicating to any other person, directly or indirectly, the security number, password, or electronic signature of any person without the permission or consent of such person; and
  • Creating, modifying, or altering information, or distributing such information, where this is deemed to be detrimental to the interest of any person.

In February 2021, the ET Law was amended and an entire chapter dedicated to the protection of personal data has been added. Pursuant to this amendment, a personal data holder is expected to undertake the following:

  • Systematically maintain and protect personal data based on the type of data and confidentiality level.
  • In the absence of a specific permit under the law or approval from the owner of personal data, not allow any person or organization to scrutinize the personal data; not inform or distribute such personal data to any person or organisation; not alter, delete, copy, and submit any personal data as evidence.
  • Not use personal data for any administrative purposes which are not consistent with the objective of protecting the personal data of the public.
  • Systematically delete personal data which are collected for a specified time period after the lapse of the time period.

Failure to manage personal data in accordance with the ET Law may lead to imprisonment for a term of one to three years or a fine of up to MMK 10 million (approximately US$ 7,100) or both. Any misuse of personal data without approval may lead to imprisonment for a term ranging from one to three years or a fine of up to MMK 5 million (approximately US$ 3,550) or both. The ET Law has extraterritorial jurisdiction and applies to every person who commits any actionable offence beyond the territory of Myanmar using any form of electronic technology.

However, the above protections for data will not apply to the management of personal data for the following activities:

  • Submission of evidence to the court or any other administrative body in respect of cyber-crimes, cyber-terrorism, and related matters.
  • Inspection or inquiry by any regulatory bodies for criminal cases.
  • Inspection of cases of cybersecurity and cybercrime which affect the national solidarity, peace, and security of the country.

Therefore, while the amendment has generally introduced data protection related controls in the ET Law, it is not applicable to inspections to be carried out by the Myanmar military. The amendment provides the military with legal authority to gain access to and control over the personal data of Myanmar citizens.

C. Competition Law 2015

Under the Competition Law 2015, every person is prohibited from disclosing or using secrets of another business. A person guilty of an offence under this law is subject to imprisonment for up to two years and/or a fine of up to MMK 10 million (approximately US$ 7,100).

D. Sector-specific legislation

There are very few sector-specific laws that govern aspects of data protection and privacy issues in Myanmar.

Telecommunications Law 2013

The Telecommunications Law 2013 primarily imposes duties and responsibilities on licensees that obtain a telecommunication service license from the Ministry of Transport and Communications. It is generally prohibited under the law to disclose any information secured on encrypted systems to any third party by any means. Violators are subject to imprisonment for a term not exceeding one year and/or a fine.

Telecommunication service licensees are obliged to securely maintain information and content that is transmitted or received through their telecommunication services. Such information may include confidential personal information of individual users and may not be disclosed to third parties unless under any applicable exceptions prescribed under other existing laws, such as court-ordered disclosures. A court order is required for the disclosure of information kept on secured or encrypted systems, and any violation may result in a prison sentence of up to one year and/or a fine. Licensees have an obligation to provide specific written protections to end-users relating to personal data and information privacy.

Financial Institutions Law 2016

The Financial Institutions Law 2016 (the “FIL”) imposes restrictions on institutions licensed under this law. Financial institutions are required to keep information secret relating to the affairs or the accounts, records, and transactions of their customers. There are limited exceptions to the duty to maintain banking secrecy, such as disclosure to the Central Bank of Myanmar (the “CBM”) or disclosure to comply with a court order. A variety of administrative penalties may be imposed by the CBM for breach of any of the FIL’s provisions, including banking secrecy.