Data Protection: Limits to the Lawfulness of Transborder Flow of Personal Data Outside Malaysia
Data protection has become a critical concept within the legal industry, one which the government must deal with to assure its citizens’ safety. Within the broader context of privacy-related matters, ‘data protection’ is often referred to as ‘information privacy’: the interest of a person in controlling the information held by others about themselves.
In Malaysia, the country’s first comprehensive piece of legislation concerning personal data protection, the Personal Data Protection Act 2010 (the “PDPA 2010”), defines ‘personal data’ as any information in respect of commercial transactions that:
(i) is wholly or partly processed by means of equipment that operates automatically in response to certain instructions;
(ii) is recorded with the intention that it should be wholly or partly processed by means of the above-mentioned equipment; and
(iii) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
and that relates directly or indirectly to a data subject, who is identified or identifiable either from that specific information or from that and other information in the data user’s possession. While “personal data” includes any sensitive personal data or expression of opinion about the data subject, it does not include any information that is processed for the purpose of a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.
‘Personal data’ can also be referred to as ‘sensitive personal data’, namely any personal data comprising information related to the physical condition or mental health of an individual, their political opinions, religious beliefs or other beliefs of a similar nature. The main topic of this article is the lawfulness of the trans-border flow of personal data outside Malaysia. The PDPA 2010 clearly states that any transfer of personal data outside the country is prohibited unless otherwise specified and gazetted by the Minister.
Accordingly, any violation of this prohibition will constitute a chargeable offence for the person found in violation of the Act. In deciding whether to select a specific country to which personal data can be transferred or disclosed, the Minister must check whether – within the country – the law is substantially similar to and/or serves the same purpose as the PDPA 2010. Alternatively, the Minister must be assured that the foreign country can grant adequate protection for the rights and freedom of data subjects in relation to the collection, holding, processing or use of personal data.
Therefore, it seems appropriate to contemplate whether this approach has the potential to negatively impact trade in Malaysia and subsequently cause more damage to Malaysian trade. The requirement that a transfer is only allowed by an order of the Minister might prove cumbersome and impractical, especially in today’s environment of instantaneous communication over the Internet, in which information is transmitted across borders to any location and arrives at its destination instantaneously. Therefore, it is reasonable to argue that the most effective approach would be to allow a transfer unless it could reasonably be shown that the level of protection in the importing country is inadequate.
On the other hand, assessing the importing country’s personal data law is itself challenging. That country should either have a personal data law that is ‘substantially similar’ to Malaysian law or grant adequate protection for the rights of data subjects. Making such evaluations can cause issues because the PDPA 2010 contains no definition of ‘adequate’ and prescribes no criteria to be taken into consideration when assessing adequacy. The above-mentioned restriction on trans-border data applies to all personal data collected, held, processed or used in Malaysia, or which is controlled by a data user whose principal place of business is in Malaysia. The latter would suggest that the restriction applies even if the personal data was not collected, held, processed or used in Malaysia. Once more, it is reasonable to consider how this could affect companies whose principal place of business is located in Malaysia.
Notwithstanding the above, there are circumstances under which the restriction does not apply, such as where:
(i) the data subject has consented to the transfer;
(ii) the transfer is necessary for the performance of the contract between the data subject and the data user; or
(iii) the transfer is needed for the conclusion of a contract between a data subject and a third party, as long as such contract is entered into at the request of the data subject or in his interests.
The above-mentioned restriction likewise does not apply in circumstances where transferring personal data abroad is aimed at obtaining legal advice, defending legal rights, or for the purpose of any legal proceedings. In addition, the data user is equally entitled to transfer personal data outside Malaysia if he has reasonable grounds for believing that the transfer will result in the avoidance or mitigation of any adverse action against the data subject.
To conclude, the prohibition is avoidable when the transfer of personal data is needed to protect the vital interests of the data subject or the public interest in circumstances as deemed fit by the Minister. Regardless of the above-listed exceptions, trans-border flow of personal information is allowed when the data user has taken all reasonable precautions to ensure that no requirement under the PDPA 2010 has been violated.
1. The above-mentioned Act was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013.
2. See Section 4 of the PDPA.
3. See Section 129(1) of the PDPA.
4. See Section 129(2) of the PDPA.
5. See Section 129(3) of the PDPA.
Loni Lee (email@example.com)
Margherita Ricci (firstname.lastname@example.org)