Window for Input on Malaysian Privacy Law Closing

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Lien Hoang

Aug. 28 — With regulators poised to begin enforcing updates to Malaysia's data protection law by 2016, companies doing business there should give input to the government on the law while they still can, Kuok Yew Chen, a partner at Christopher & Lee Ong in Kuala Lumpur said Aug. 26.

It used to be somewhat easy to buy e-mail and phone number lists for marketing but things are “no longer business as usual,” he said. Malaysian regulators are finalizing an update to the Personal Data Protection Act and have already started more than 30 investigations, Yew Chen said.

The Malaysian privacy authorities “are taking a more independent role,” he said at the Data Privacy Asia conference in Singapore.

The Personal Data Protection Commission is holding nationwide forums to allow each sector to have a say in how its data use is regulated, Yew Chen said.

“Now is the time to speak up,” he said. “The regulator, at this point in time, is quite approachable.”

The Personal Data Protection Act was enacted in 2010 but didn't take effect until November 2013.

Malaysia regulates users of data via 11 economic sectors—health care, communications, financial, real estate, transportation, education, insurance, tourism and hospitality, direct marketing, utilities and professional services.

Vague Regulations 

The rules implementing the framework privacy act are vague, Lady Ivy Enriquez-Francisco, regional compliance counsel for consulting company Towers Watson, in Taguig City, Philippines, told Bloomberg BNA Aug. 26 on the sidelines of the conference.

Because the rules are evolving, a lot of questions are unresolved, she said. It is still unclear whether Malaysia's legislation is retroactive and whether companies need consent to hold onto the records they collected decades earlier, she said.

“We need more guidelines from the commissioner on how to interpret the law,” Enriquez-Francisco said.

Yew Chen said the uncertainty in the law and the cost of compliance means businesses with large client databases haven't caught up with the Malaysian privacy law.

Implied Consent?

Government regulators haven't confirmed whether they will recognize implied consent, Yew Chen said.

Lee Ping, legal counsel for industrial gas company Singapore Oxygen Air Liquide Private Ltd. in Singapore, told Bloomberg BNA Aug. 26 that failing to recognize implied consent could be a problem. Companies couldn't obtain consent every time their security cameras record passersby, for example, she said.

“I think in certain circumstances, implied consent is necessary,” she said.

Looking Ahead

Malaysia is working on a list of foreign jurisdictions to which it would allow personal data to be transferred, according to Yew Chen.

Malaysia is also considering creating a telemarketing do not call list, while possibly allowing them to make first-time cold-calls without consent, he said.

The country will also likely move to regulate businesses beyond the 11 economic sectors now covered by the law, he said.

Malaysian regulators have also invited comment on data security rules, which some have already labeled as onerous.

To contact the reporter on this story: Lien Hoang in Singapore at

To contact the editor responsible for this story: Donald G. Aplin at