New Report on Limits of “Consent” in Malaysia’s Data Protection Law
Introduction
Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the eighth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Malaysia, including:
- notice and consent requirements for processing personal data;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Malaysia’s Data Protection Landscape
The Personal Data Protection Act 2010 (PDPA) is the main data protection legislation in Malaysia and gives effect to the 7 Data Protection Principles (PDP Principles):
- The General Principle requires data controllers to obtain data subjects’ consent to process their personal data.
- The Notice and Choice Principle requires data controllers to provide data subjects with certain information when their personal data is processed.
- The Disclosure Principle limits the circumstances in which data controllers can share personal data with third parties.
- The Security Principle requires data controllers to protect personal data during processing.
- The Retention Principle limits how long data controllers may retain personal data and establishes a positive obligation to delete or destroy personal data when it is no longer required.
- The Data Integrity Principle requires data subjects to ensure that personal data is accurate, complete, not misleading, and kept up to date.
- The Access Principle provides data subjects with a right to access and correct personal data about them.
The PDPA also establishes the Personal Data Protection Commissioner (PDP Commissioner) as the public body responsible for enforcing and administering the PDPA.
The PDPA is complemented by other sectoral laws, regulations, and guidelines. In addition to various sector-specific laws which limit the disclosure of personal data held by certain regulated entities (e.g., providers of financial services, medical practitioners), the PDP Commissioner has approved and registered seven Personal Data Codes of Practice, which provide more detailed requirements for entities in certain sectors to comply with the PDPA. These sectors include:
- insurance and takaful;
- banking and finance;
- aviation;
- communications;
- utilities; and
- healthcare.
Role and Status of Consent as a Basis for Processing Personal Data in Malaysia
Consent plays a prominent role in the PDPA, as it is the default basis for collecting, using, and disclosing personal data under the PDPA and is also one of several legal bases for transferring personal data out of Malaysia.
The General Principle in Section 6 of the PDPA establishes the default rule that data controllers may only process personal data if they obtain consent from the data subject. However, this default rule is subject to other data protection principles (including purpose limitation) as well as a number of exceptions that apply where processing of personal data is necessary:
- to perform a contract to which the data subject is a party;
- to take steps at the request of the data subject while negotiating a contract;
- to comply with any legal obligation to which the data controller is the subject;
- to protect the vital interests of the data subject;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any law.
These alternatives to consent are similar to those provided under the EU Data Protection Directive 95/46 and its successor, the GDPR.
However, if the personal data in question falls within any of the categories of “sensitive personal data” specified in the PDPA, then the data controller would have to obtain “explicit consent” from the data subject unless an exception applies. These exceptions address a wide range of purposes for which processing of sensitive personal data may be necessary, including:
- engagement in various legal acts, such as seeking legal advice, engaging in a legal proceeding, and exercising legal rights;
- protection of the vital interests of the data subject or another person, where consent cannot be obtained;
- exercise of professional duties under a duty of confidentiality; and
- exercise of other duties prescribed by law.
These categories are not fixed, as the PDPA empowers the Minister of Communications and Multimedia to specify other purposes for which processing of sensitive data is permitted on the basis of necessity.
A challenge when interpreting the PDPA is that the PDPA does not define consent, and the PDPA and its sub-regulations also only provide limited guidance on the forms that valid consent may take. The PDPA’s sub-regulations specify that consent for the processing of personal data may take any form, provided that the consent is capable of being recorded and maintained by the data controller. Consent forms must also be structured to distinguish consent for a specific matter from any other matters included in the form.
While Malaysia’s data protection law would likely recognize express consent (provided that the foregoing requirements are met), it remains unclear whether Malaysia’s data protection law recognizes implied or deemed forms of consent and, if so, whether these forms of consent would be recognized in all instances.
In addition to the obligation to obtain consent under the General Principle in Section 6 of the PDPA, the Notice and Choice Principle in Section 7 of the PDPA specifies the minimum information that a data controller must include in its written privacy policy.