Malaysia's Personal Data Protection Commissioner (the "Commissioner") has issued a Public Consultation Paper (PCP) No. 1/2017 entitled Personal Data Protection (Transfer Of Personal Data To Places Outside Malaysia) Order 2017 (the "Consultation Paper"). This marks an important step towards full implementation of the country's personal data export restriction, which is found in section 129(1) of the Personal Data Protection Act 2010 [Act 709] ("PDPA"). The Consultation Paper seeks feedback from the public on the Commissioner's long-awaited draft "white list" of countries to which personal data originating in Malaysia may be freely transferred.
The current law
Section 129(1) of the PDPA provides that:
A data user shall not transfer any personal data of a data subject to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Commissioner, by notification published in the Gazette.
In the absence of a published white list, data users in Malaysia must currently rely on one of the exemptions provided by section 129(3) of the PDPA in order to transfer personal data outside Malaysia. These exemptions include (among others):
- where the data subject has consented to the transfer;
- where the transfer is necessary for the performance of a contract between the data subject and the data user;
- where the transfer is necessary to protect the vital interests of the data subject; and
- where the data user has "taken all reasonable precautions and exercised all due diligence" to ensure that the personal data will not be processed in the recipient country in a way that would be a contravention of the PDPA.
When the white list is finalised, controllers will be able to freely transfer personal data to countries on the white list without relying on any particular exemptions. Personal data exported from the country will remain subject to the requirements of the PDPA, meaning that, for example, arrangements for secure processing offshore will still need to be put in place.
Criteria for joining the white list
Whether a country qualifies to join the "white list" depends upon whether the Commissioner concludes that the country meets the criteria in section 129(2), namely that: (a) the country has a law which is "substantially similar to" the PDPA, or that "serves the same purposes" as the PDPA, or (b) the country otherwise ensures a level of protection in relation to the processing of personal data that is "at least equivalent to the level of protection afforded" by the PDPA. The Commissioner states in the Consultation Paper that it has considered the following in devising its draft white list:
- countries that have comprehensive data protection laws in place (whether a single comprehensive data protection law or a combination of laws);
- countries that have no comprehensive data protection law but are subjected to binding commitments (e.g. multilateral/bilateral agreements); and
- countries that have no data protection law but have a code of practice or national co-regulatory mechanisms in place.
Countries on the draft white list
The Commissioner's proposed white list is contained in the draft Personal Data Protection (Transfer Of Personal Data To Places Outside Malaysia) Order 2017 ("Draft Order") which forms part of the Consultation Paper. The draft list will no doubt be controversial and may in some cases be difficult to reconcile with the guiding logic for the list.
Perhaps unsurprisingly, the European Economic Area, the UK and jurisdictions that have been recognized by the European Commission as adequate for the purposes of European personal data exports are included on the list, comprising Andorra, Argentina, Canada, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Regionally, Australia, China, Hong Kong, Japan, the Philippines, Singapore, South Korea and Taiwan have all been placed on the draft list. The USA and the Dubai International Finance Centre have also been proposed.
Notable omissions in the region include India and Macau. India's Information Technology Act 2000 is a form of relatively comprehensive data protection law, but pursuant to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, the law is understood to not apply to the personal data of foreign data subjects sent to India for offshore processing. Macau's Personal Data Protection Act, on the other hand, dates back to 2005 and stands as one of the region's closest approximations to European data protection law.
The above list remains open to consultation and is subject to change. It may be that some of these countries will be removed from the list, and/or that other countries will be added to the list, when the final Order is published. The deadline for providing feedback on the Consultation Paper is 4 May 2017.
Until the white list is finalised and published in the Gazette, data users must continue to rely on the exemptions provided in section 129(3) when transferring personal data outside Malaysia.
Malaysia is one of eight countries in the Asia-Pacific region that now impose some form of personal data export control, along with Australia, Japan, India, Indonesia, Macau, Singapore and South Korea. Hong Kong's Personal Data (Privacy) Ordinance contains an export restriction which has, to date, not been brought into force. China currently has some sectoral data localization requirements and, with the new Cyber Security Law taking effect on 1 June 2017, broader localization restrictions are set to apply.
The upshot of the Commissioner's publication of the draft white list is that it may start a dialogue amongst law makers and regulators regionally on efforts towards inter-operability of the region's increasingly dense thicket of cross-border data transfer restrictions and data localization requirements. The APEC Privacy Framework introduced in 2004 was put forward by regional economies as a common set of signposts towards the free flow of personal data across the region, with the intention that increased data protection regulation would be seen as complementary, rather than antagonistic, to free flows of personal data. This ambition has not yet been achieved, and given that the growth of advanced, high tech economies in the region is likely to be aided by moves towards interoperability, Malaysia's open commentary on the adequacy of other data protection laws in the region is a welcome step forward.