Announcements have been made by YB Dato' Sri Ahmad Shabery bin Cheek, Minister of Communications and Multimedia, that the Personal Data Protection Act 2010 ("PDPA"), which was passed by the Malaysian Parliament in 2010, will come into force on 16 August 2013. It is reported that Tuan Haji Abu Hassan Ismail will likely be appointed as the Personal Data Protection Commissioner. Nonetheless, to date, the official Gazette formalizing the date of coming into force has not been published.
Once the PDPA comes into force, data users will have a three-month transitional period to comply with its provisions in respect of existing personal data being processed, but will have to immediately comply with its provisions in respect of new personal data collected.
There are seven data protection principles that form the basis of protection under the PDPA:
- General Principle
- Notice and Choice Principle
- Disclosure Principle
- Security Principle
- Retention Principle
- Data Integrity Principle
- Access Principle
The principles will provide protection to the individual’s personal data, thereby safeguarding the interests of consumers, and e-commerce, network and non-network facility practitioners.
The penalties for breaching the PDPA include the imposition of fines of up to RM500,000 and/or a term of imprisonment not exceeding two years. Directors, CEOs, COOs, managers or other similar officers have joint and several liability for non-compliance by the body corporate, subject to the due diligence defence. The Commissioner is not empowered to order compensation for damage suffered, and there is no express right to pursue a civil claim for non-compliance.
While the scope, rights and obligations prescribed by the PDPA will become more clearly defined and also evolve through the regulations, guidelines, codes of practice and court decisions, organisations must now begin to examine their current policies, processes, contractual rights and obligations and third-party notifications which relate to personal data.