Malaysia’s data protection law is the Personal Data Protection Act (PDPA), which came into force in 2013, which is linked here. After the passage of the law, the Malaysian government has established a Department of Personal Data Protection under the Ministry of Communications and Multimedia, which is headed by a Personal Data Protection Commissioner, who is also Director General of the department. The department has three divisions, the Registration and Operation Division, Monitoring Division, and Legal Division, to handle personal data-related issues.
Personal data is defined as data “that relates directly or indirectly to a data subject, who is identified or identifiable from that information… in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.” Sensitive personal data is defined as “any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette.” The subject of the personal data is the “data subject” and the processor is the “data user”.
Personal data must be processed in compliance with the following seven principles:
- the General Principle
- Data users will not process personal data in absence of consent. This is generally express consent, however, implicit consent may be sufficient if the individual has been made fully aware of why his or her personal data is being processed and that the consent is verifiable afterwards. For sensitive personal data, explicit consent is required. (Source).
- the Notice and Choice Principle
- Upon collection of data, data users must inform data subjects in both written Malay and English, describing the data that is being processed, the purposes for which the data is being collected, the source of the personal data, as well as of the data subjects’ right to access and right to correction of the data, of the groups of third parties to whom the data user may disclose the personal data, and of the choices that the data user offers for limiting the processing of personal data.
- the Disclosure Principle
- Personal data may not be disclosed without the consent of the data subject for any purpose other than the purpose for which the personal data was disclosed at the time of collection.
- the Security Principle
- The data user will protect “any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction” of personal data. When a third party is processing the data, the data user must take measures to guarantee that the third party is capable of reaching compliance with these security preconditions.
- the Retention Principle
- Personal data will not be kept longer than is necessary for the fulfilment of the purpose for which it was collected, and must be destroyed or permanently deleted.
- the Data Integrity Principle
- “A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.”
- the Access Principle
- “A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date.”
The PDPA confers to data subjects the following rights:
- the right to access personal data;
- the right to correct personal data;
- the right to withdraw consent to process personal data;
- the right to prevent processing likely to cause damage and distress; and
- the right to prevent processing for direct marketing.
In the miscellaneous section, the PDPA also does not permit a data user to transfer any personal data outside Malaysia except to countries specified by the Minister and published in the Gazette.
Later legislation has identified the following classes of data users who must be registered under the law. The include Communications, Banking & Financial institutions, Insurance, Health, Tourism & Hospitalities, Transportation, Education, Direct Selling, Services, Real Estate and Utilities. (Source).
In terms of blockchain smart contracts, in the General Principle, Section 6.2(a), it states that “a data user may process personal data about a data subject if the processing is necessary
- for the performance of a contract to which the data subject is a party;
- for the taking of steps at the request of the data subject with a view to entering into a contract;
- for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract”. This seems to legitimize data processing in terms of smart contracts if as smart contracts are endowed with legal status in Malaysia. This depends on how Malaysian law eventually decides to interpret smart contracts.
Sources