Earlier this week, Comparitech, a British technology website, published its assessment of privacy protection and state surveillance in 47 countries to examine where governments are failing to protect privacy or are creating surveillance states. The assessment was made based on several criteria, which included constitutional and statutory protection, privacy enforcement and government access to data.
Out of the 47 countries, Malaysia was ranked in the bottom five, with a score of 2.64 out of five points for having "some safeguards but weakened protections". The main contentions against Malaysia are that more in-depth privacy laws are required to adapt to technological advances, the mandatory national ID poses data exposure risks, the government is able to share personal data between agencies without constraint and that there have been multiple large data breaches in the country.
Admittedly, there are some gaps in Malaysia's Personal Data Protection Act 2010 ("PDPA"), including that it only applies if personal data is processed for commercial transactions. Further, there is a blanket exemption for the government, which means that the government would not need to comply with the PDPA when processing personal data. That being said, the Department of Personal Data Protection has indicated its intention to amend the PDPA, for greater effectiveness.
Nevertheless, the study overlooked key considerations in relation to Malaysia's data protection safeguards. Even in the wake of technological advancements, the PDPA in its current form adequately protects personal data. This is attributable to the broad definition of "personal data", which encompasses any information in respect of commercial transactions which may identify an individual. As such, facial recognition information, CCTV footage and biometrics are protected under the PDPA. The PDPA has not fallen behind and is in fact geared towards the protection of personal data, regardless of technological advancements.
In order to strengthen the trust in Malaysia's data protection regime, the authorities must quickly take enforcement action against data users in breach of the PDPA. This will prove that the authorities are committed to protecting the personal data of Malaysians and will demonstrate that data privacy rights in Malaysia are being upheld.
This article is reproduced, with permission, from LHAG update (date of issue), a bulletin issued by Lee Hishammuddin Allen & Gledhill, Advocates & Solicitors, Kuala Lumpur, Malaysia.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.