The Personal Data Protection Act 2010 (“PDPA”) of Malaysia has finally come into force, after several delays. The law applies to any “data user” who processes or has control over the processing of individuals’ personal data. The Act calls for certain data users (as designated by the Minister) to register their data processing activities. Currently these include entities in the following sectors: communications, banking and finance, insurance, health care, tourism and hospitality, transportation, education, direct sales, services, real estate, and utilities. Companies in these sectors will have three months to register with the commissioner, and registrations will need to be renewed every two years. As with privacy laws in other countries, the Act includes general principles about how to use personal information, including (inter alia) notice and choice, security, data integrity, and access. The law does not apply to the processing of personal data outside Malaysia, unless the personal data is intended to be processed further in Malaysia. Special attention under the law should be given to outsourcing, as well as cross-border transfers. The latter cannot be made unless the recipient is located in a country that has been approved by the Minister, or under other specific exceptions, including if the data subject has provided consent or if the transfer is necessary to perform a contract between the data user and the data subject. The law was effective as of November 15 for information gathered after that date, and will be effective for information gathered before that date on February 15.
TIP: The Malaysian law is very similar to the EU Data Privacy Directive, so companies familiar with those requirements will not find this law different. If you have operations in Malaysia and are a “data user,” you should ensure that you are familiar with and following the law, and if you fall into a designated sector, that you make any appropriate filings by the February deadline.