
Limitations of the Personal Data Protection Act 2010 and Personal Data Protection in Selected Sectors

Beyond Data Protection

Abstract

While it is commendable that the Personal Data Protection Act 2010 (‘PDPA’) was finally passed by the Malaysian parliament after a long wait of a decade, the PDPA has received several criticisms due to its peculiar limitations. This chapter addresses many of these limitations and draws a comparative analysis with data protection law in other jurisdictions. In addition to the PDPA, there are also several sectoral rules and regulations which specifically govern the processing of personal data in certain sectors, such as the banking and financial institutions sectors, healthcare sector, insurance sector, and telecommunications and multimedia sectors. The Malaysian Parliament also passed the Credit Reporting Agencies Act 2010 to govern the processing of credit information by credit reporting agencies in Malaysia. The author examines the relevant rules and regulations in these respective sectors.

There are three methods to gaining wisdom. The first is reflection, which is the highest. The second is limitation, which is the easiest. The third is experience, which is the bitterest (Confucius, 551-479 BC, Teacher, Editor, Politician and Philosopher)


Notes

  1. Malaysia is a federation of 13 states. There is a federal government that functions under the Federal Constitution and 13 state governments that function under the Federal Constitution and their own state constitutions.
  2. Section 2 of the Local Government Act 1976 (Act 171) defines ‘local authority’ to include any City Council, Municipal Council or District Council, as the case may be, and in relation to the Federal Territory, it means the Commissioner of the City of Kuala Lumpur. Local authority is also similarly defined in Section 3 of the Interpretation Acts 1948 and 1967 (Act 388) to include any municipal council, town council, town board, local council, rural board, sanitary board or similar local authority established by a written law.
  3. [2002] 1 MLJ 508. The court followed the decision of another High Court in Yap Ea Teck v Yang DiPertua Majlis Daerah, Kota Tinggi, Johor [1995] 2 BLJ 157, [1995] MLJ 55.
  4. The courts said that, as the State Government may from time to time give the local government directions of a general character on the policy to be followed in the exercise of the powers conferred and the duties imposed on the local government, local government is part of the government.
  5. [2003] 6 MLJ 177.
  6. [2007] 3 MLJ 12.
  7. Central Bank of Malaysia Act 2009 (Act 701).
  8. Employees Provident Fund Act 1991 (Act 452).
  9. Securities Commission Act 1993 (Act 498).
  10. Companies Commission of Malaysia Act 2001 (Act 614).
  11. Examples include Khazanah Nasional Berhad and Permodalan Nasional Berhad.
  12. Yeng (2009).
  13. Section 2 of the Official Secrets Act 1972 (Act 88).
  14. Parliamentary Debates, (House of Representatives), Twelfth Parliament, Third Session, First Meeting, 5 April 2010, Tuan Lim Lip Eng (Segambut), p. 117; Prof Dr. P Ramasamy (Batu Kawan), p. 128; Tuan Sim Tong Him (Kota Melaka), p. 144.
  15. Parliamentary Debates, (House of Representatives), Twelfth Parliament, Third Session, First Meeting, 5 April 2010, Dato’ Seri Utama Dr Rais Yatim, p. 147.
  16. Parliamentary Debates, (House of Representatives), Twelfth Parliament, Third Session, First Meeting, 5 April 2010, Dato’ Seri Utama Dr Rais Yatim, p. 156.
  17. Section 45(2)(a) of the PDPA.
  18. Section 45(2)(e) of the PDPA.
  19. Khaw (2002), p. 12.
  20. The Oxford English Dictionary (1991), p. 293.

  21. Dena Bank, Ahmednagar v Prakash Birbhan Katariya, AIR 1994 Bom 343, 345. The court held that a loan advanced for construction of a hospital can be said to be service-oriented, and it is difficult to see how it is profit-oriented.
  22. Words and Phrases legally defined (1988), p. 283, Re Ashley Colter (1961) Ltd and Minister of Municipal Affairs (1970) 10 DLR (3d) 502, 505, NBCA, Hughes JA.
  23. Black’s Law Dictionary (1990), p. 270. Lanski v Montealegre, 361 Mich. 44, N.W. 2d pp. 772–774.
  24. Baldeo Kumar v Managing Director AIR 1997 MP 147. The High Court held: ‘on a fair construction of the word “business transaction”, the word cannot be construed to mean a business contract or deal. The word “transaction” is from the verb “transact” which according to dictionary meaning means “to carry through, accomplish, execute, do or to carry on”. Transaction may comprehend a series of many occurrences. It cannot be read narrowly to mean as synonymous to the word “contract”. In fact, in one contract there may be many business transactions’.
  25. Munir and Yasin (2002), p. 174.
  26. Patrick (2009). The Deputy Minister II of the Ministry of Information, Communications and Culture, Senator Heng Seai Kie, was quoted as saying that: ‘the drafting and enactment of a law that regulates the collection, processing and storage of people’s personal data is critical in this age of e-commerce. We have read horrifying stories about people losing their money due to credit card fraud, customer-privacy infringements and data theft. Such incidents threaten the integrity of Malaysia as an emerging market economy. Without clear rights and obligations on the collection and storing of personal data, individuals (inside and outside the country) will be reluctant to carry out (electronic) transactions’.
  27. Section 2 of the Electronic Commerce Act 2006 (Act 658) defines ‘commercial transactions’ as ‘a single communication or multiple communications of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.’
  28. Munir and Yasin argue that the prudent and sensible approach would be to allow the Electronic Commerce Act 2006 to apply to any electronic communication, rather than commercial transaction. The term ‘communication’ ought to be defined to include any statement, declaration, demand, notice, including an offer and acceptance. This would give legal recognition to all and any electronic communications and, at the same time, provide legal recognition to electronic transactions. See Munir and Yasin (2006), p. 2.
  29. Parliamentary Debates, (House of Representatives), Twelfth Parliament, Third Session, First Meeting, 5 April 2010, Tuan Lim Lip Eng (Segambut), p. 117; Tuan Saifuddin Nasution bin Ismail (Machang), p. 141; Tuan Sim Tong Him (Kota Melaka), p. 144.
  30. Parliamentary Debates, (House of Representatives), Twelfth Parliament, Third Session, First Meeting, 5 April 2010, Dato’ Seri Utama Dr Rais Yatim, p. 146.
  31. Section 2(1) of the PIPEDA defines ‘commercial activity’ as ‘any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.’
  32. [2004] O.J. No. 3653, 244 DLR (4th) 479 (SCJ).
  33. 2010 FC 736.
  34. In this case, the insurer’s act of hiring a private investigator to conduct investigation and surveillance was simply incidental to the primary activity at hand, namely the collection of evidence by the defendant in order to defend herself in the civil action brought against her by the plaintiff.
  35. PIPEDA Case Summary #389 – Report of Findings – Law School Admission Council Investigation.
  36. PIPEDA Case Summary #345 – Private school not covered by the PIPEDA.
  37. Interpretation of ‘Commercial Activity’ under the PIPEDA.
  38. Section 66 of the Hong Kong Personal Data (Privacy) Ordinance provides that an individual who suffers damage by reason of a contravention of a provision under this Ordinance shall be entitled to compensation from that data user for that damage. For the avoidance of doubt, it is hereby declared that damage may be or include injury to feelings.
  39. Section 134 of the PDPA.
  40. Section 13 DPA 1998 (UK).

  41. Parliamentary Debates, (House of Representatives), Twelfth Parliament, Third Session, First Meeting, 5 April 2010, Dato’ Seri Utama Dr Rais Yatim, p. 151.
  42. Section 47 of the PDPA.
  43. Section 53 of the PDPA.
  44. Section 54 of the PDPA.
  45. Section 57 of the PDPA.
  46. Article 28 of the EU Data Protection Directive, Article 23 of the Madrid Resolution 2009.
  47. Commission of the European Communities v Federal Republic of Germany (Case Number C-112/05), November 2010.
  48. Parliamentary Debates, (House of Representatives), Twelfth Parliament, Third Session, First Meeting, 5 April 2010, Tuan Lim Lip Eng (Segambut), p. 118; Tuan Saifuddin Nasution bin Ismail (Machang), p. 143; Tuan Sim Tong Him (Kota Melaka), p. 145.
  49. Parliamentary Debates, (House of Representatives), Twelfth Parliament, Third Session, First Meeting, 5 April 2010, Dato’ Seri Utama Dr Rais Yatim, p. 148.
  50. For example, in the UK, the DPA 1998 (UK) has given effect to this provision by inserting a data protection principle into the Act. This principle provides that personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The principle is further supplemented by interpretation provisions in Schedule 1 Part II and Schedule 4.
  51. Art 25 of the EU Data Protection Directive.
  52. Art 25(3) of the EU Data Protection Directive.
  53. Working Paper 12 entitled ‘Transfer of Personal Data to Third Countries: Applying Article 25 and 26 of the EU Data Protection Directive’.
  54. The Working Party also recognised, however, that this feature may not always be present in every country. It is thus necessary to identify the underlying objectives of a data protection procedural system, and on this basis, judge the different judicial and non-judicial procedural mechanisms used in third countries.
  55. Munir (2010).
  56. As at June 2012, the countries are the US, Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey.
  57. Ustaran (2012), p. 174.
  58. Such exemptions are similarly provided under Section 129(3) of the PDPA.
  59. Grant (2009), p. 48. The author criticises the Model Contract as having a number of problems. First, it would cause complexity where there are multiple transfers within a group of companies, resulting in the need for a contract for each transfer. Secondly, some jurisdictions require local registration and/or notification and approval of the contract while other jurisdictions may not. Thirdly, the contract requires both parties to accept joint and several liability for any breaches of contract. The impact of this is that the data subject may choose to sue both parties jointly or either one. Given the difficulties of taking legal action in a foreign jurisdiction, the data subject may choose to sue the party who sends the data, even though the main person who causes the problem may be the party who receives and processes the data.
  60. For an analysis of the Model Contract, see Ustaran (2012), pp. 180–183.

  61. Munir and Yasin (2010), p. 224.
  62. For an analysis of the Binding Corporate Rules, see Ustaran (2012), pp. 184–186.
  63. The Honolulu Declaration—Toward a Seamless Regional Economy, the 19th APEC Economic Leaders’ Meeting, 12–13 November 2011.
  64. See Banking and Financial Institutions Act 1989 (Act 372); Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions (BNM); Guidelines on Data Management and Management Information System (MIS) Framework (BNM).
  65. See Code of Medical Ethics adopted by the Malaysian Medical Association, Guidelines on the Medical Records and Medical Reports issued by the Malaysian Medical Council and Confidentiality Guidelines issued by the Malaysian Medical Council.
  66. See Insurance Act 1996 (Act 553); Code of Ethics and Conduct (Second Edition, February 1999) issued by the Life Insurance Association of Malaysia.
  67. See General Consumer Code 2003 drawn up by the Communications and Multimedia Commission; Computer Crimes Act 1997 (Act 563); the Malaysian Communications and Multimedia Content Code (‘Content Code’) developed by the Communications and Multimedia Content Forum of Malaysia.
  68. Munir and Yasin (2010), p. 240.
  69. Tournier v National Provincial and Union Bank of England [1924] 1 KB 461; recently affirmed by Ng Lee Kiau v Malayan Banking Berhad [2011] 1 LNS 605 and Wong Yeng Mun v CIMB Bank Berhad [2011] 1 CLJ 785.
  70. Sections 96–102 of the BAFIA. Banking secrecy provisions are also similarly found under Section 34 of the Islamic Banking Act 1983 and Section 178 of the Labuan Financial Services and Securities Act 2010.
  71. Section 103(1)(a) and Fourth Schedule of the BAFIA.
  72. Section 106 of the BAFIA.
  73. [1997] 2 CLJ Supp 552.
  74. [1995] 3 CLJ 35.
  75. Section 132 of the Evidence Act 1950 provides that a witness is bound to answer any relevant question put to him, whether in examination-in-chief, cross-examination or re-examination and that he cannot refuse to answer on the ground of self-incrimination. The Parliament has taken away the common law privilege of not answering on the ground of self-incrimination.
  76. Fraser v. Evans [1969] 1 QB 349.
  77. Section 98(1)(a) of the BAFIA.
  78. Section 98A of the BAFIA.
  79. Section 98(1)(b) of the BAFIA.
  80. Section 99(1)(a) of the BAFIA.
  81. Section 99(1)(b) of the BAFIA.
  82. Section 99(1)(c) of the BAFIA.
  83. Section 99(1)(d) of the BAFIA.
  84. Section 99(1)(e) of the BAFIA.
  85. Section 99(1)(f) of the BAFIA.
  86. Section 99(1)(g) of the BAFIA.
  87. Section 99(1)(h) of the BAFIA.
  88. Section 99(1)(i) of the BAFIA.
  89. Section 100 of the BAFIA.
  90. Sections 103 and 104 of the BAFIA.

  91. The E-Banking Guidelines, which were issued in 2010, replaced the Minimum Guidelines on the Provision of Internet Banking Services by Licensed Banking Institutions that were issued in 2000.
  92. Section 4 of the PDPA.
  93. W v Egdell & Ors [1989] 2 WLR 689, [1990] 1 All ER 835 (CA).
  94. There are certain provisions on patients’ privacy under the Private Healthcare Facilities and Services Regulations 2006.
  95. Paragraph 3 of Section II of the Code of Medical Ethics.
  96. Specific Relief Act 1950 (Revised 1974), Section 52 illustration (i) and Section 53 illustration (f).
  97. Section 10 of the Prevention and Control of Infectious Diseases Act 1988.
  98. Section 18 of the Drug Dependents (Treatment and Rehabilitation) Act 1983.
  99. Paragraph 4 of Section II of the Code of Medical Ethics.
  100. Breen v Williams [1996] CLR 186.
  101. McInerney v MacDonald [1992] 2 SCR 138.
  102. Reid (2003), p. 61.
  103. For example, the Access to Health Records Act 1990 (UK); Health Information Privacy Code 1994 (New Zealand); and Health Insurance Portability and Accountability Act 1996 (US).
  104. Paragraph 7 of Section II of the Code of Medical Ethics.
  105. Section 196 of the Insurance Act 1996.
  106. The Insurance Code comprised three parts—Guidelines on the Code of Conduct, Code of Ethics and Conduct for Life Insurance Selling, and Statement of Life Insurance Practice.
  107. The term ‘life insurance’ covers all types of home service and/or ordinary life insurance, all types of annuities, pension contracts, investment-linked insurances, and permanent health insurance.
  108. Statement of Philosophy of the Insurance Code, p. 4.
  109. Employees include directors (executive and non-executive), employees and intermediaries of a life insurance company.
  110. ‘Life Insurance Companies’ refer to insurers duly registered to conduct life insurance business by Bank Negara Malaysia in accordance with Section 4 of the Insurance Act 1996.
  111. Paragraph 1 of the Insurance Code (Guidelines on the Code of Conduct).
  112. Paragraph 3 of the Insurance Code (Guidelines on the Code of Conduct).

  113. Paragraph 6.1 of Part 1 of the GCC.
  114. Paragraph 1 of Part 1 of the GCC.
  115. Section 4 of the PDPA.
  116. Section 2 of the CRAA.
  117. Section 11 of the CRAA.
  118. Section 12 of the CRAA.
  119. Tan (2010).
  120. Section 47 of the Central Bank of Malaysia Act 2009.
  121. Section 2 of the CRAA.
  122. Section 2 and First Schedule of the CRAA.
  123. [2011] 9 CLJ 439.
  124. [2012] 8 MLJ 51.
  125. [2012] 2 CLJ 886.
  126. Section 22 of the CRAA.
  127. Section 6 of the PDPA.
  128. Munir and Yasin (2010), p. 225.
  129. Rule 2(1) New Zealand Credit Reporting Privacy Code 2004.
  130. Munir and Yasin (2010), p. 228.
  131. See Section 2 of the CRAA, which says that a credit reporting business means a business that involves the processing of credit information for the purpose of providing a credit report to another person whether for profit, reward or otherwise.
  132. Munir and Yasin (2010), p. 235.


Correspondence to Edwin Lee Yong Cieh.


© 2013 Springer-Verlag Berlin Heidelberg


Cite this chapter

Cieh, E.L.Y. (2013). Limitations of the Personal Data Protection Act 2010 and Personal Data Protection in Selected Sectors. In: Ismail, N., Yong Cieh, E. (eds) Beyond Data Protection. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33081-0_4
