Doing more for data safety
PETALING JAYA: It is now crucial for the government to establish a Personal Data Protection Commission, a move initially planned for 2011 but yet to be realised.
Deepak Pillai, a data protection practitioner with the firm Christopher and Lee Ong, stated that while the recently improved Personal Data Protection Act (PDPA) could encourage better compliance among data users and controllers, its effectiveness remains to be seen.
“Only time will tell how effective the new laws are, as the PDPA has been around since 2011, yet there have been very few cases prosecuted with no major penalties imposed on offenders,” he said when contacted yesterday.
Deepak stressed the need for the establishment of a Personal Data Protection Commission, as it would function more effectively with greater independence and accountability.
“That is why we only have a Personal Data Protection Department at the moment. There are only about 45 personnel working on data protection policies, education and enforcement, which is insufficient to meet the rapid growth of technology.
“A commission would ensure adequate staffing to enforce the law,” he said.
Kelvin Yong, a 38-year-old data expert from Petaling Jaya, said the new PDPA “only gets half of the picture right”.
“PDPA has been around for the past 13 years, yet only a handful of organisations or individuals have been arrested or charged under it. This shows that the law is oblivious to the offender and the victim,” said Yong.
He praised the new requirement for data controllers to be responsible for sensitive personal data and to report breaches promptly.
“This enhances transparency and allows affected individuals to take immediate action to protect themselves, which is a significant improvement over current practices where organisations may deny claims of data breach and sweep it under the rug,” said Yong.
He referred to Section 12B of the amended PDPA, which imposes a fine of up to RM25,000 or a maximum of two years in jail or both, for failing to report data breaches.
Yong emphasised that stricter penalties and mandatory reporting could improve personal data protection, provided they are effectively enforced.
“Presently, we do not have a dedicated body or unit within the private and government sectors to enforce this portion,” he added.
Syafiq Zolkifli, a data programmer from Puchong, said it was high time for the PDPA to be amended to keep pace with technological advancements since its enactment in 2011.
“The amendments will offer broader protection for various types of personal information, especially considering the rapid growth of technologies linked to sensitive data being used,” he said.
He noted the increased use of technologies like QR codes for online transactions in recent years owing to the Covid-19 pandemic.
On the higher penalties under the amended PDPA, Syafiq said this would bolster public trust and confidence in the regulatory system.
Section 5 of the amended PDPA now includes fines of up to RM1mil or three years imprisonment, up from the previous RM300,000 fine and two-year jail term.
He also noted that these amendments support Malaysia’s goal of becoming a regional digital economy hub by ensuring a secure environment for data processing and management.
Chuah Kee Man, a senior lecturer in communication at Universiti Malaysia Sarawak, said the harsher penalties signal the government’s serious stance on personal data protection.
“By specifying penalties for failure to report breaches, the amendments can reinforce the accountability of data controllers,” he said, adding that enforcement of the new law is crucial.
Chuah described the amendments as timely, especially in light of advancements in biometric technology.
“It means that a person’s unique physical characteristics receive the same level of protection as other types of personal data,” he said.
The Personal Data Protection (Amendment) Bill 2024 was passed by the Dewan Rakyat on July 16 and by the Dewan Negara on July 31.
2024-08-05T16:00:00Z