
Copyright © 2012
Bloomberg BNA






Malaysia's Personal Data Protection Act 2010

By Brian Chia and Woo Wei Kwang, Partners, Wong & Partners, Kuala Lumpur.

This article is taken from the May 2010 issue of World Data Protection Report.

For the first time, Malaysia will soon have privacy-specific legislation. On November 19, 2009, the Personal Data Protection Bill 2010 was tabled in Parliament; on April 5, 2010, the Lower House passed the Bill (see WDPR, April 2010, page 20); and the Bill was passed without changes by the Upper House on May 6, 2010. Following Royal Assent and gazetting, the Personal Data Protection Act 2010 (“PDPA”) will be enforced.


At present, apart from certain sectoral secrecy obligations, information of a personal nature is protected only as confidential information through contractual obligations or the common law.

This article summarises the PDPA and highlights some relevant considerations.

Overview of the PDPA

The key objective of the legislation is to regulate the processing of personal data in the context of commercial transactions by data users, and to provide a safeguard for the interests of data subjects.

“Commercial transactions” are defined broadly as any transactions of a commercial nature, whether contractual or not, and encompass matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance. The PDPA will give rise to new legal rights and obligations in connection with the employer-employee relationship, merger and acquisition transactions involving personnel issues and the discharge of certain professional services, among others.

Organisations which process their individual customers' personal data will also need to re-evaluate their current data privacy policies, processes and personal data consents.

Individuals will have a new set of PDPA-mandated rights, including being informed about their personal data as well as the right to access, correct and also to control the processing of their personal data by other parties. There are also rights specifically relating to the processing of personal data for direct marketing purposes, and it is expected that the PDPA will cover CCTV, photographs and sound recordings.

A number of advisory, regulatory and enforcement bodies are envisaged. Apart from the Personal Data Protection Commissioner (“Commissioner”), the Personal Data Protection Fund, the Personal Data Protection Advisory Committee and the Appeal Tribunal will also be established pursuant to the PDPA.

Detailed guidelines and codes of practice, with the force of law, will be issued by the Ministry of Information, Culture and Communications. As in other jurisdictions, these guidelines and codes will be critical in clarifying more precisely the scope of application and in setting out practical recommendations for compliance. The private sector, through data user forums prescribed in the PDPA, is expected to play a key role in the formulation of such codes.

Exclusions from the PDPA and Transitional Period

The PDPA applies only to personal data processed in Malaysia. Federal and State governments are excluded from complying, whereas credit reporting or referencing agencies will be separately regulated by another law. Personal data processed only for the purpose of the individual's personal, household affairs and for recreational purposes are completely exempted from the PDPA. Partial exclusions from the PDPA include personal data processed for the prevention or detection of crime, for preparing statistics or research or for only journalistic, literary or artistic purposes. It is expected that the exclusion for personal data processed in the course of “discharging regulatory functions” will be an issue, given its wide meaning.

A three-month transitional period after the coming into operation of the PDPA is granted, in order for data users to comply.

Scope of Rights and Obligation

The key rights and obligations in relation to personal data involve three parties: the data user, the data processor and the data subject.

The data subject is the individual to whom the personal data relates. While not expressly stated, the PDPA is likely to apply only to living individuals. The data user is the person, including bodies corporate, who either processes the personal data or gives authorisation for the processing of the data. The data processor is a person who processes the data on behalf of the data user.

To qualify as “personal data,” the data must relate, either directly or indirectly, to a data subject who can be identified from the data. The data must also be capable of being recorded and be capable of automatic or manual processing. “Sensitive personal data”, which require explicit data subject consent, include medical history, religious beliefs, political opinions and the commission or alleged commission of any offence.

This distinction based on “explicit” consent indicates that the data subject's consent concerning personal data generally need not be in writing. Therefore, consent could be implied. A data subject may withdraw his consent to the processing of his personal data by giving the data user a notice in writing. No time limit is stipulated, and it could be possible for the data subject to withdraw consent at any time.

There are seven data protection principles that form the basis of protection:

* General Principle: The processing of personal data requires consent.

* Notice and Choice Principle: Data users are required to notify the data subjects regarding the purpose for which the data is collected and about the right to request access and correction of the personal data.

 



Austria, Luxembourg Agree To EU Tax Recovery Directive

During a recent meeting of the European Council of Finance Ministers, Luxembourg and Austria, two countries with a long tradition of banking secrecy, agreed to a draft directive aimed at strengthening mutual assistance between member states in the recovery of taxes.

The draft directive is aimed at better fulfilling the member states' needs with regard to the recovery of taxes, providing an overhaul of Directive 76/308/EEC (codified by Directive 2008/55/EC), on the basis of which the member states have engaged in mutual assistance since 1976 aimed at clamping down on tax evasion.

The draft directive is intended to provide for an improved assistance system, with rules that are easier to apply, as regards information held by banks and other financial institutions, and provide for more flexible conditions for requesting assistance, requiring the spontaneous exchange of information.

According to Austria's Vice Chancellor and Finance Minister, Josef Pröll, the agreement is a clear sign that both Austria and Luxembourg are prepared to find solutions to key issues.

Previously, Pröll had argued that the tax recovery directive should be examined alongside the reform of the EU Savings Tax Directive and the Mutual Assistance Directive. Defending his decision, however, Pröll revealed that he did not want to unnecessarily delay progress.

Under the new draft directive, all EU member states must provide information in accordance with Article 26 of the Organization for Economic Cooperation and Development's (OECD's) model agreement on tax information exchange, Pröll explained. Austria agreed to conform to the OECD standard last year, he remarked.