24 May 2023
By Koay Shiau Ven and Ryan Heng Tzen Wen
In recent months, there have been a series of purported data leaks at the National Registration Department of Malaysia (“NRD”) whereby the personal information of millions of Malaysians had been stolen and put up for sale on the dark web. The NRD has consistently denied responsibility for the leaks and identified that the leaks had originated from several agencies that the NRD had authorised to obtain information from the NRD. As at the date of this article, there has been no reported action taken in respect of the data leaks either by or against the NRD or the government agencies that the NRD had identified as being the parties responsible for the data leaks.
B. Data Breaches
In September 2021, the data of 4 million Malaysians born between 1979 and 1998 were allegedly offered for sale for 0.2 bitcoin, equivalent to approximately RM35,495.00. In May 2022, there was another alleged data leak in which the information of 22.5 million Malaysians born between 1940 and 2004 was purportedly stolen from the NRD and put up for sale on a dark web portal for USD10,000.00 – the dark web portal itself had reportedly shared a screenshot from the seller of the information, which claimed that the data being sold in May 2022 was a larger database than the data sold previously in September 2021.
It has been claimed that both of the abovementioned incidents involved the stealing of data from the NRD via the MyIdentity application programming interface, a data-sharing platform used by government agencies to access and store the contact information of citizens and permanent residents who deal with government agencies.
Furthermore, it was reported on 16 February 2023 that the Auditor-General in its annual report for the year 2021 noted that the MySejahtera application suffered as many as 1.12 million attacks as of 27 October 2021. The ramifications of such attacks are significant because the MySejahtera application contains the personal data of an estimated 38 million users.
The implications of such data breaches are wide-ranging, as criminal groups could use the personal data to attempt identity fraud against Malaysian citizens, such as taking out loans in their names to commit financial fraud, or to facilitate other criminal acts such as scam calls.
C. Shortcomings of the PDPA 2010
As explained above, the recent data breaches faced by the Federal Government of Malaysia have raised questions on the adequacy of the Personal Data Protection Act 2010 (“PDPA 2010”) in tackling the serious issue of the protection of personal data, particularly the issue of data leakages and breaches. The following are some of the main shortcomings of the PDPA 2010 in the context of data breaches:
- Application of the PDPA 2010 to commercial transactions only
Section 2(1) of the PDPA 2010 states that the Act applies only to personal data processed in commercial transactions. “Commercial transactions” are defined under Section 4 of the PDPA to mean:
“any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.”
Given this narrow scope, non-commercial transactions such as charities, religious activities and health appointments made through the MySejahtera application for the COVID-19 vaccination drive are not caught under the PDPA 2010. As a consequence, entities that collect and process personal data for non-commercial transactions are not required to comply with the provisions of the PDPA 2010, and the Act may not apply even if such personal data is subsequently leaked to online forums or black markets, for example.
- Inapplicability to the Federal and State Governments
Section 3(1) of the PDPA 2010 states that the PDPA 2010 shall not apply to the Federal Government and State Governments. Given that they are arguably the biggest collectors and holders of personal data in Malaysia, and in view of the recent data breaches involving them as described above, this lacuna in the PDPA 2010 means that the Federal Government and State Governments would be shielded should there be leakages or personal data breaches on their part.
- Lack of mandatory data breach notification regime
There is no specific provision in the PDPA 2010 that requires a data user to report a data breach incident to the Personal Data Protection Commissioner (“PDPC”). While the PDPC has issued a Data Breach Notification form (“DBN”) allowing data users to report data breaches on their end, such notification is voluntary and is not mandatory for data users.
- Inapplicability of the PDPA 2010 to data processors
Another crucial weakness of the PDPA 2010 is that there exists no clear provision in the PDPA 2010 that places a direct obligation on data processors to comply with the Act. A data processor is defined under the PDPA 2010 as a person who processes personal data solely on behalf of a data user and not for its own purposes. Hence, non-compliance with the PDPA 2010 would be the responsibility of the data users, with data users often mitigating this shortcoming by imposing contractual obligations on data processors, such as representations and warranties that the data processors will comply with the PDPA 2010, and indemnity clauses in favour of the data users.
For example, in the data breach incident concerning the personal data of 22.5 million Malaysians, the data leak did not originate from the data user, but from the agencies that had been granted leeway by the Federal Government and State Governments to obtain information. These agencies are ordinarily considered data processors under the PDPA 2010 and as such are exempted from its direct obligations, such as implementing the Security Principle over personal data. This example alone demonstrates that the lack of accountability and controls placed on these parties can have serious implications.
D. Proposed Reforms of the PDPA 2010
The PDPC in February 2020 had issued Public Consultation Paper No. PC 01/2020 (“Public Consultation Paper”), which proposed 22 potential avenues of reform to the current provisions of the PDPA 2010. Some of the proposed reforms include the following:
- Extension of the applicability of the PDPA 2010 to the Federal and State Governments
The Public Consultation Paper indicates that the PDPA 2010 may be amended to cover both the Federal and State Governments. This is certainly welcome, as the change imposes greater accountability and compliance with regard to the handling, storage, and disclosure of personal data.
- Extension of the applicability of the PDPA 2010 to non-commercial transactions
Furthermore, the Public Consultation Paper proposes to widen the scope of the PDPA 2010 by amending it to cover non-commercial activities. This would bring the PDPA 2010 in line with other more comprehensive personal data protection legislation, such as that of South Korea, Japan, and the European Union. However, at the time of writing, the scope of non-commercial activities to be covered has not yet been revealed.
- Mandatory data breach notification regime
Among the amendments proposed by the Public Consultation Paper is the imposition of a mandatory data breach notification regime. While no details have been released to the public on the criteria and conditions of such notification, it is likely that in the event the PDPA 2010 is amended to include such a regime, it may include a requirement for a data user to report a data breach within 72 hours from the data breach incident, similar to the timeline under the European Union’s General Data Protection Regulation.
- Imposing a direct obligation on data processors to comply with PDPA 2010’s Security Principle
The Public Consultation Paper also aims to impose a direct obligation on data processors to comply with Section 9 of the PDPA 2010. The PDPC recognises the importance of this reform given that there had been many cases where data breach incidents had involved data processors. Several proposed amendments include imposing a direct obligation on data processors to be registered with the PDPC and expanding the definition of data processors to include those appointed by the Federal Government and/or State Governments.
E. Current Status of the Proposed Reforms of the PDPA 2010
On 4 August 2022, it was reported that an amendment bill incorporating, inter alia, the following reform proposals under the Public Consultation Paper would be tabled in the Malaysian Parliament:
- obligating data processors to comply with the Security Principle under the PDPA 2010;
- the introduction of the right of transfer of personal data (data portability) between data users at the request of the individual (data subject), if the technical system allows it;
- repeal of the Determination of Cross-Border Place List which will replace the place list (whitelist) with a blacklist for the transfer of personal data across borders;
- requiring all data users to appoint a data protection officer; and
- introducing a mandatory data breach notification that obligates all data users to report data leaks to the PDPC within 72 hours of the data breach.
However, in October 2022, the Malaysian Parliament was dissolved to pave the way for the 2022 Malaysian general election. In the aftermath of the election, the current Communications and Digital Minister Fahmi Fadzil (“Minister”) announced on 25 January 2023 that he and the Personal Data Protection Department (“JPDP”) are currently looking at including several improvements in the Amendment Bill (“Improved Bill”). The improvements proposed by the Minister include the following:
- Increased penalties for the misuse of data or breaches of the PDPA 2010
The Minister expressed disappointment that, since 2017, the fines or penalties imposed on about 25 companies involved in data leaks averaged only RM24,000.00 per company. Given that JPDP records indicate that 120 million personal data records have been leaked in Malaysia, the current penalties do not serve as a useful deterrent for data users.
- Elevation of the JPDP as a statutory body
The Minister also intends to elevate the JPDP to a statutory body to ensure it has enough resources to combat personal data breaches. Currently, the JPDP is only a government agency under the Ministry of Communications and Digital. The Minister noted that as Malaysia continues to develop its digital economy, it is imperative for the JPDP to have enough resources and manpower to enforce the PDPA 2010 and tackle the increasing number of data breaches.
The Minister is also considering several further additions, covering new aspects that are reasonable and applicable, for inclusion in the Improved Bill. It is hoped that these additions include, among others, other reforms critical to combating data breaches in Malaysia, such as extending the applicability of the PDPA 2010 to the Federal Government and State Governments of Malaysia and to non-commercial transactions.
The Minister also announced that the Improved Bill is expected to be presented before the Malaysian Parliament before the end of the year 2023. However, as of the date of this article, no draft amendment bill has been released to the public for viewing yet.
The recent data breaches in Malaysia have highlighted the weaknesses of the PDPA 2010 in tackling and mitigating the serious issue of the protection of personal data. The proposed reforms explained above are welcome, as they would bring the PDPA 2010 more in line with more comprehensive personal data protection legislation such as the European Union’s General Data Protection Regulation. Once these amendments come into force, organisations must take note of the regulatory developments and review and update their existing privacy policies, consent letters, and commercial agreements to ensure their businesses remain compliant.
This material is for general information only and is not intended to provide legal advice. If you have any queries regarding the above, please feel free to contact us at email@example.com.
Personal Data Protection Act 2010 (ACT 709), Section 2(1)
Ibid, Section 4
Ibid, Section 3(1)
Ibid, Section 3(1)
Public Consultation Paper No. PC 01/2020, page 9
Ibid, page 12
Ibid, page 5
Ibid, page 4