
Malaysian Personal Data Protection Act 2010: Does It Apply to Government Agencies?

Section 3(1) of the Personal Data Protection Act 2010 [1] (“the Act”) provides that “This Act shall not apply to the Federal Government and State Government”. So, what do Federal Government and State Government mean in this context? Section 3 of the Interpretation Acts 1948 and 1967 [2] (“IA 1948 and 1967”) then defines the Federal Government as the Government of Malaysia and State Government as the Government of a State. The question here is whether the definition in section 3 is broad enough to cover government agencies.

To date, there are no cases that interpret the meaning of Federal Government or State Government in the context of the Act, and this makes the definitions too general and broad. Therefore, since no statute or case law places clear limitations or restrictions on the definitions above, it can be argued that the definition of Federal Government may also include government agencies, since these agencies are invariably part of the government. By virtue of section 3 of the Act, government agencies shall be exempted from liabilities under the Act. In our view, the expressions “Federal Government” and “State Government” do not include entities such as government-owned companies, for the simple reason that they have their own corporate personalities.


Personal Data Protection Act 2010 and Tort Law

Currently, the Act provides no express right for aggrieved data subjects to pursue a civil claim against the government for breaches under the Act. Nonetheless, they may still rely on the Tort of Negligence and bring a tortious claim against the data user who leaked their personal data, provided that they are able to furnish the court with evidence that their personal data was leaked by the data user and that the leak was due to negligence on the part of the data user.

“Personal data” is defined in section 4 of the Act as any information in respect of commercial transactions, which—

(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

Hence, any data user who leaks the personal data of a data subject to the public will be exposed to a tortious claim in negligence.

 

Cases Involving Other Governments

At the time this article was written, there were no reported cases where a court of law had ruled that a government agency is responsible for the leakage of data in its possession. However, there are instances where governments have admitted to being the cause of data leaks. For instance [3]:

Jurisdiction | Data Breach
France | A cyber-attack on the government’s ‘France-Visas’ website breached the personal details of individuals looking to visit or emigrate to the country.
US (West Virginia) | State government revealed that its Mid Atlantic Career Consortium Employment Services (MACC) database was breached after a cyber-attack on Workforce West Virginia, which has the largest database of job seekers in the state.
Government of Quebec, Canada | The government of Quebec admitted to a data breach potentially impacting around 360,000 teachers employed in the Canadian province.
New Zealand | Generate, a savings scheme provider with links to the New Zealand government, reported a security incident impacting around 26,000 citizens.
UK | London’s Metropolitan Police, whose data was managed by Suprema, was exposed to a breach in which a database that included more than one million fingerprints, usernames, passwords, and facial recognition data was leaked.


Conclusion

To conclude, the Act does not apply to the Federal Government and State Government and this position also indirectly applies to government agencies due to the broad definition provided under IA 1948 and 1967. The Act seems to not apply to government-owned entities and government-owned corporations. Nevertheless, to be on the safe side, the Federal Government, State Government, and government-owned agencies should ensure proper management of the data for the simple reason that the government can still be argued to owe a duty of care under the law of torts. Any breach of this duty may still expose the government to civil suits.

——————–

1. https://www.kkmm.gov.my/pdf/Personal%20Data%20Protection%20Act%202010.pdf
2. https://www.jkptg.gov.my/images/pdf/perundangan-tanah/Act_388-intepret.pdf
3. https://portswigger.net/daily-swig/the-latest-government-data-breaches

 

written by:

Dhanya Laxmi Sivanantham (dhanya@azmilaw.com)

Alfred Tan Hsiong Vei (alfred.tan@azmilaw.com)