Banks, Insurers to Face New Privacy Rules in Malaysia


By Lien Hoang

Banking and insurance companies doing business in Malaysia will soon be covered by mandatory privacy and data security codes of conduct enforceable in a new digital rights court, a lawyer who drafted the codes told Bloomberg BNA.

Communications companies and law firms are likely to come next, Deepak Pillai, a data privacy partner at Christopher & Lee Ong in Kuala Lumpur, said.

The Malaysian Personal Data Protection Act, similar to other countries’ framework data protection statutes, allows for privacy and data security codes of conduct for specific industry sectors. If new industry codes in Malaysia are approved by the national privacy regulator, they can serve as the basis for legal complaints filed in the digital rights court.

The government is now working with private lawyers to create the codes of practice, said Pillai, who helped draft the banking and insurance codes and is now working on codes for the communications sector. After the Personal Data Protection Commissioner signs off on the proposed codes, they can be enforced through the new court, which will be able to take cases of corporate misconduct, such as breaching or selling client information, he said. He predicted the codes would be approved as soon as March.

The digital rights court began operation in September 2016, hearing social media defamation cases brought under the Communications and Multimedia Act.

When the special court was announced in the summer of 2016, Datuk Seri Azalina Othman Said, a minister in the Prime Minister’s Department, said in a blog post that “the government is of the opinion that the time is high for the establishment of a Special Cyber Court due to the worrying trend of cyber attacks that ranges from hacking, online scams, botnet, web-defacement, information theft, spying, cyber gambling, pornography and so on.”

Special Court’s Expanding Caseload

In addition to banking, insurance and communications companies and law firms, Malaysia’s statute covers health care, real estate and transportation companies. Pillai would not predict when codes would be proposed for those industry sectors. “There’s still a lot to be done,” to cover all the sectors that fall under the framework privacy law’s jurisdiction, he said.

Dhinesh Bhaskaran, a compliance partner at Shearn Delamore & Co. in Kuala Lumpur, told Bloomberg BNA that the special court likely will eventually include cases such as online fraud and hacking. Pillai said compliance will be mandatory for “all licensed institutions” and audited by the privacy regulator, with companies facing fines of up to 500,000 ringgit ($110,000), and corporate executives facing prison terms of up to three years for certain violations.

The Federal Court of Malaysia, which oversees the special court, declined Bloomberg BNA’s request for comment. However, it provided general data on the court’s docket showing there are anywhere from 40 to 80 cases, on average, pending at any given time. Some of the cases date back to 2014 because unresolved cases relating to the internet were transferred to the special court once it opened its doors last year, Bhaskaran said.

Kherk Ying Chew, a Kuala Lumpur-based information technology and intellectual property partner at Wong & Partners, a member firm of Baker & McKenzie International, said the special court may open offices outside of the capital. The Malaysian states of Johor and Penang will likely be the focus for expansion of the court “as many cybercrimes have reportedly occurred in these two states,” Chew said.

To contact the reporter on this story: Lien Hoang in Ho Chi Minh City at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
