Between January 2017 and February 2018, eight companies have been hauled up by the Personal Data Protection Department (“PDPD”) for breaching the Personal Data Protection Act 2010 (“PDPA”). Three out of the 8 companies were charged in 2017:
First Data User Charged under the PDPA
On 3rd May 2017, Khas Cergas Sdn. Bhd., which operates Victoria International College, was charged in the Sessions Court for processing personal data of former employees without a valid certificate of registration issued by the Personal Data Protection Commissioner. The private college operator was the first to be brought to court for failing to comply to section 16(1) of the PDPA. Under Section 16(4), a company can be fined up to RM500,000, or imprisonment of its officer(s) for up to three years, or both.
On 16th November 2017, the PDPD requested the Malaysian Communications and Multimedia Commission (“MCMC”) to blocksayakenahack.com. Sayakenahack.com is a micro site set up by tech blogger Keith Rozario for Malaysians to check if their personal data had been compromised in the recent vast data leak that reportedly involved 46.2 million mobile service customers.
MCMC has blocked the website after receiving an application from the PDPD under Section 130 of the PDPA which outlawed any release of private information without the owner’s consent through any platform including the internet. This year, the PDPD also took action against five companies in the hospitality, health and the human resources industry for failing to obtain consent from data subjects and processing personal data without being registered - a common omission but failure to comply will result in hefty fines and/or imprisonment. Three of these cases will be tried at the Kuantan Sessions Court on 5th February 2018 and another two cases will be tried on 7th February 2018 at the Kuala Lumpur Sessions Court.
According to the Personal Data Protection Commissioner, Mobile apps are not required to register under the PDPA but they must still comply with the PDPA since they process personal data in commercial transactions. An issue that arises would be whether mobile apps for the designated eleven areas of industries require regulation under the PDPA. It remains to be seen whether cases involving mobile apps would see its day in court pertaining to the PDPA.
Enforcement activities are expected to go into full swing in 2018 and all data users are advised to fully operationalise their data protection policies and procedures in line with the PDPA.
We believe the above provides you with an interesting update pertaining to the PDPA and its implementation. Please feel free to get in touch with us should you require any assistance pertaining to the above or any other aspect of personal data protection.