Monday, July 5, 2010

Topic: Limitations of Malaysia’s data protection Bill

The Personal Data Protection Bill 2009 expected to be enacted by Malaysia’s Parliament this April will add a distinct new flavour to Asia’s growing array of data protection laws. The Bill has been outlined by Abu Bakar Munir (PLBI Newsletter Issue 102, December 2008, p18). This article concentrates on the limitations of the Bill that may prove to be impediments to effective data protection, and on its influences and novel aspects.

The Bill applies only to personal data in ‘commercial transactions’ (s2), though they are defined broadly (‘includes any matters relating to the supply or exchange of goods or services’: s4). Credit reporting agencies are exempt and will be subject to separate legislation (also expected to be tabled in April). There is the usual exemption for ‘personal, family and household affairs’ (s45(1)), but the limitation to ‘commercial transactions’ will also exclude the non-commercial affairs of churches, educational institutions and non-profit organisations. There is no ‘small business exemption’, unlike in Australia or Japan. Processing for the purpose of publishing ‘journalistic, literary or artistic material’ is exempted (except from the Security Principle), but only where the data user reasonably believes that (a) the publication would be in the public interest (taking into account the ‘special importance of public interest in freedom of expression’), and (b) compliance with a particular Principle or provision is ‘incompatible with the journalistic, literary or artistic purposes’ (s45(2)(f)). This is not a blanket ‘media exemption’ but a carefully written partial exemption, and one which will be complex for the media, Commissioner and courts to apply.

It is important that this Act should not unduly restrict freedom of expression in Malaysia. There is a very broad exemption for any processing by commercial organisations ‘for the purpose of discharging regulatory functions’ where application of the Act would be likely to prejudice those functions (s45(2)(e)), and other broad exemptions for prevention of physical or mental harm, for statistical and research uses that do not produce identified outputs, and in connection with court processes. These are not blanket exemptions from all Principles, and typically do not provide exemptions from the Security, Data Integrity and Retention Principles. In addition, there are lengthy lists of exemptions from specific Principles, particularly Disclosure.

The largest omission is that the public sector is not covered at all (s3(1)). Malaysia has no existing protections for personal information which limit State abuses of privacy.

This Bill can only be said to cover part of the private sector, and only then subject to many exceptions, particularly where any State-related activities are concerned. Within its scope it may still be valuable, but the narrow scope must always be kept in mind.
