Malaysia Draft Privacy Rules Onerous, Some Say

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Lien Hoang

July 22 — Malaysia has invited public comments on a customer information security proposal that some say is reasonable, but others say that it would place too many burdens on businesses.

The Personal Data Protection Commission published draft standards that would give companies three days to revoke access and change passwords whenever an employee with that access stopped working for them. The standards, which would fall under the Personal Data Protection Act of 2010, also would require companies and other data users to change customers' information within seven days of a request. The public comment period ends July 27.

“The point here is, is it practical to expect businesses to react so quickly?” Kuok Yew Chen, a partner at Christopher & Lee Ong in Kuala Lumpur, told Bloomberg BNA July 20.

Correcting, Storing Customer Data 

Under the Personal Data Protection Act, businesses can't take longer than 21 days to correct customers' information. Yew Chen said that is a more feasible timeline. Otherwise, he said, compliance might be tough for both small companies, which sometimes lack resources to implement the rules, as well as big companies, where changes take time because of red tape.

Under the 2010 act, violations are subject to a fine not exceeding 300,000 Malaysian ringgit ($78,804) or imprisonment of no more than two years, or both.

Megat Mohammad Faisal Bin Khir Johari, director of risk consulting at Deloitte in Kuala Lumpur, told Bloomberg BNA July 22 that companies could use more guidance on storing customers' details.

“The commission may want to set a minimum periodic timeline for data users to update their information,” Megat said, such as a yearly update.

Deleting Customer Data 

The draft standards would also require businesses to delete customer data seven days after a commercial transaction, which could be “inconvenient and impractical in some instances,” Kherk Ying Chew, a partner at Baker & McKenzie affiliate Wong & Partners in Kuala Lumpur, told Bloomberg BNA July 20. She recommended the commission change this and other “cumbersome” provisions.

Foong Cheng Leong, co-chair of the Malaysian Bar Council's personal data protection committee, agreed that deletion could be problematic. Malaysian law sets a statutory limit of six years for litigation, so taxpayers and others generally hold onto records for seven years to be safe, Foong told Bloomberg BNA July 22.

Goldilocks Compromise Needed 

Foong said also that the draft standards could become “obsolete” if they are too specific.

For instance, the rules would require companies to install closed circuit cameras wherever they stored data. Just as that technology didn't exist decades ago, it is hard to know what technology will be relevant in the future, Foong said.

The regulations call for cameras and 24-hour security “if necessary,” which has stoked confusion about when it is necessary for businesses to provide that level of protection. Lawyers said they were also perplexed about whether the draft standards would allow just one key when data were stored physically, and if they would require companies to outsource data processing to a third party.

Policy makers need a Goldilocks compromise so that the law isn't so specific as to be onerous, nor so general as to be misinterpreted, lawyers said. They also want a balance between customer privacy and business compliance.

“I don't think the balance is there,” Yew Chen said.

To contact the reporter on this story: Lien Hoang in Ho Chi Minh City at

To contact the editor responsible for this story: Katie W. Johnson at

The public consultation paper on the draft personal data protection standards is available at