Businesses need clarity as nation strive to meet global best practices in data protection
The passing of amendments to the Personal Data Protection Act (PDPA) is a great step forward on the digital front. Malaysia was the first in ASEAN to enforce a personal data protection act in 2013, followed by Singapore (2014), the Philippines (2016), Thailand (2022), Indonesia (2022) and Vietnam (2023).
However, after a decade of rapid technological progress, coupled with the Generative AI boom, the act could no longer meet global best practices. While the amendment is long needed towards stronger data security, there is also a lack of clarity on certain aspects.
For instance, organisations would have a hard time trying to decipher the new compliance mechanism because of vague descriptions. Important information, such as the time window to report data breaches, is missing. While we cannot wait for perfection, key areas should be stated clearly.
This is critical, especially for small and medium-sized enterprises without resources for legal interpretation, let alone administration. While all SMEs are subjected to the PDPA, the government could differentiate certain parts of regulations according to company size and activities to address the potential disproportionate consequences for smaller start-ups, aside from providing resources, such as training or financial assistance, to help with compliance.
The categories could depend on factors, such as profit, status, employee numbers and/or company activities to level the playing field. For example, the European Union’s (EU) General Data Protection Regulation (GDPR) Act is only applicable to companies employing more than 250 staff members. Those with fewer than 250 employees but process data as a part of their recurrent business operations still need to document their data processing activities. This flexibility is similar to Australia’s Privacy Act and Japan’s Act on the Protection of Personal Information.
GDPR’s requirement of a data protection officer (DPO) is also only mandatory for certain organisations, such as public authorities and bodies, companies with large-scale activities on data monitoring and processing, especially involving sensitive personal data. This is crucial as studies have shown that despite this differentiation, GDPR still has a disproportionate effect on smaller-sized companies in the social media advertising industry.
It gives large platforms an advantage, as advertisers would want to spend with larger players which have the resources to ensure legal compliance. This increases barriers to entry and causes to exit, while in some cases, distorts the directions of R&D innovations of smaller companies for higher acquisition value. That said, other organisations that do not fall into the mandatory compliance must be incentivised to follow suit as a part of data security’s best practices. Trade-offs between innovation, competition and regulation can be minimised through rigorous policy design and implementation.
The government should also release exact guidelines for businesses. They must include case studies and real-world examples to increase compliance rates and remove doubts. The compulsory hiring of DPO should spell their qualifications clearly.
The other areas requiring attention are extra-territorial jurisdiction or cross-border data transfer. Touted as enhancing digital efficiency, the government relaxed this part of governance by removing the white-list system and minister’s approval power for countries with similar PDPA.
However, such approval may create ambiguity and room for exploitation on legal loopholes, making it imperative to build a robust adequacy mechanism. For example, a country might have personal data-protection-related laws but their components fail to meet minimum standards, hence requiring additional processes, such as standard contractual clauses.
Additionally, the PDPA should introduce the right to erasure. At present, the PDPA allows for data subjects to only access (Section 30), make corrections (Section 34) and give consent for data portability (Section 42A). In a world where misinformation and disinformation are prevalent, it is important to ensure the data subjects have the right to erase their personal information from the public digital record.
Finally, the government needs to ensure a continuous feedback mechanism where businesses could share experiences and challenges trying to comply with the regulations. This would ease the personal data protection commissioner’s (PDPC) task of making necessary and timely adjustments while providing support for the economy to thrive. For better prevention, inspections should be conducted regularly to ensure that compliance occurs before a problem pops up rather than penalising after a breach.
It should be noted that one of the major anticipated amendments – the act’s applicability to government agencies and bodies – did not transpire. However, the digital minister did announce ongoing development of a specific act on data sharing in the public sector. Whatever form of shape, either a new act, or amendments to PDPA or the Official Secrets Act (OSA) 1972, regulation on data processing specifically in the public sector is vital to forge public trust as we march towards a GovTech nation.
