Whether it is a global company keen to reduce costs by outsourcing, or an SME looking to expand internationally, Asia’s increasingly skilled local work force, local tax incentives and growing demand mean it is a market that cannot be ignored.
With opportunities, however, risks are often on the horizon. More companies are involved in cross-border transfers of personal data than ever before. A vital task when considering such transfers is to ensure the personal data is appropriately protected. Malaysia was the first country in the Association of South-East Asian Nations to pass specific and wide-ranging data protection legislation. This article provides a brief summary of some key aspects of Malaysia’s new data protection law and assesses the resulting potential for Malaysia, and other Asian countries contemplating their own data protection legislation, to raise their international profile and secure more international trade. Consideration is also given to some best practice when sending data outside the European Economic Area (EEA).
Malaysia: the Personal Data Protection Act 2010
Malaysia’s Personal Data Protection Bill 2010 (PDPB) was granted Royal Assent on June 2, 2010 and gazetted on 10 June 2010, becoming the Personal Data Protection Act 2010 (PDPA). The appointment of a commissioner to enforce the PDPA is expected to take place in 2012. The new legislation means a significant change in the way in which personal data in Malaysia will be protected.
The primary aim of the PDPA is to govern how personal data should be processed by data users so as to protect the data subjects. To be defined as personal data, the data must relate (directly or indirectly) to a data subject who is identifiable either from that information or from that information combined with the use of other information held by the data user. The personal data itself must be capable of manual or automatic processing. The PDPA makes separate provision for sensitive personal data which covers areas such as religious beliefs, medical records and political views.
Significantly, the processing of personal data has to take place in the context of a commercial transaction for the PDPA to apply. To qualify as a commercial transaction, the PDPA makes clear that the transaction must ‘[be] of a commercial nature whether contractual or not which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance but does not include a credit reporting business carried out by the credit reporting agency under the Credit Reporting Agencies Act 2010.’ The PDPA also grants access, correction and certain control rights to the data subject.
The PDPA prohibits the transfer of personal data outside Malaysia unless the country where the data is to be transferred has protections of the same standard as (or at a higher standard than) the PDPA. However, the PDPA does carve out some restrictions to this requirement, such as where the data subject has given his consent, or where the data user has taken all reasonable steps to ensure the processing of the personal data outside Malaysia would not itself constitute a breach of the PDPA if that same processing took place in Malaysia.
Contravening the PDPA could lead to a fine not in excess of RM 300,000 (about £62,500), a term of imprisonment not exceeding two years, or potentially both. The senior management of a company will have joint and several liability, although the expected proper due-diligence defence may be available. The PDPA stipulates that the role of implementing and supervising compliance with its requirements lies with a Personal Data Protection Commissioner.
The PDPA and a Potential Adequacy Finding
The European Commission has found some non-EEA countries to have an ‘adequate’ level of protection allowing the unburdened transfer of personal data to them from EEA countries. Such countries include Andorra, Argentina, Canada, Jersey, Guernsey, the Isle of Man, Switzerland and, with limitations, Israel and the Faroe Islands. The comprehensive data protection laws of these countries can have a very significant role in attracting overseas investment. In April 2011, the European Commission issued a decision that the New Zealand Privacy Act is adequate and there has been significant increased interest in New Zealand’s outsourcing sector as a result. Advantages of an adequacy finding by the European Commission include reduced red tape when making cross-border data transfers and international recognition for the recipient country as a model country credited with a gold-standard legal framework and culture of good governance in the data protection arena.
Professor Abu Bakar Munir of the faculty of law at the University of Malaysia has noted that the PDPA might have missed its opportunity to meet the European Commission’s standards in respect of the adequacy principles imposed by Article 25(2) of the Data Protection Directive. The Working Party assessment framework document proposes that an assessment of adequacy be based on content principles and procedural/enforcement requirements. In terms of the procedure test, it is necessary for the authority responsible for enforcing the law to be independent. However, as Professor Abu Bakar notes, in the case of the PDPA, the actual enforcement authority is the Data Protection Commissioner who will be accountable to the Information, Communication and Culture Minister. This post is unlikely to be seen as independent. In assessing adequacy, the Working Party has also said a country’s data protection law must apply to both the public and private sector. However, the Federal and State Government is exempt from the application of the PDPA under section 3.
Another difficulty is that section 2 of the PDPA states that it is applicable only to the processing of personal data in the context of a commercial transaction. This will not sit easily with the Working Party’s adequacy requirement that a country’s data protection law needs to govern the processing of all personal data, whatever the purpose of the processing may be.
In June 2010, the government of Malaysia announced the Tenth Malaysia Plan with a view to creating increased reforms to the service sector and attracting more direct foreign investment. If the European Commission Working Party does not make an adequacy finding, the cross-border transfer of personal data can still take place, but further hurdles have to be overcome. If the PDPA could reach the adequacy tests, the transfer of personal data from EEA countries could happen much more efficiently and open many more doors to trade for Malaysia.
Following Malaysia’s Lead
The introduction of the PDPA must be seen as a welcome first step. As Professor Graham Greenleaf of the faculty of law at the University of New South Wales notes, ‘If the [PDPA] is well managed, Malaysia politics may still be able to deliver further improvements to it in the future.’ British companies with a reputation for good governance in handling customer data that trade in Malaysia have also welcomed the introduction of the PDPA.
By introducing the PDPA, Malaysia is establishing a culture of data protection compliance, which it can use to increase its profile on the international stage. The international community is now looking to see how, and if, other countries in Asia will follow Malaysia’s example. China and Indonesia are presently working on their own data protection legislation and Singapore is expected to introduce data protection legislation in 2012.
In 2010, a World Bank study ranked Malaysia 21st globally in terms of ease of doing business, while Indonesia came notably lower at 121. A similar World Bank report estimated that the procedural hurdles required to enforce a contract in Indonesia involve 40 steps, higher than the estimate for Malaysia at 30 steps. As Asian countries like Indonesia strive to grow their IT and outsourcing services sectors, their European trading partners will inevitably be reassured if they introduce comprehensive data protection laws. If the European Commission was to make a subsequent adequacy finding in its favour, the recipient country could find itself becoming a go-to destination for global outsourcers.
For the moment, businesses in the UK considering the benefits of outsourcing to Asia should be mindful of UK legal requirements and the ICO’s recommended best practice guidelines to protect personal data: (i) select a reputable organisation offering suitable guarantees about their ability to ensure the security of personal data; (ii) make sure the contract with the organisation is enforceable both in the UK and in the country in which the organisation is located; (iii) make sure the organisation has appropriate security measures in place; (iv) make sure that they make appropriate checks on their staff; (v) audit the other organisation regularly to make sure they are ‘up to scratch’; (vi) require the organisation to report any security breaches or other problems, including requests for information under foreign legislation; (vii) have procedures in place that allow you to act appropriately when you receive one of these reports.
With the global business community’s ever increasing desire to achieve gold standards in data protection, and the prize of winning overseas investment and international recognition, it is an exciting time to watch how Asian countries will continue to develop increasingly comprehensive data protection legislation.
Adrian Rafferty is an associate in the Commercial department of Stevens & Bolton LLP and has worked in-house in the Asia Pacific region. Adrian can be contacted at adrian.rafferty@stevens-bolton.com.
