Malaysian Ministers periodically since 1998 announced their intentions to introduce comprehensive data protection legislation. In 2010 the Personal Data Protection Act 2010 (PDPA) was enacted, but not brought into force. A new Personal Data Protection Department was created to oversee the implementation of the Act in 2011.
It was not until 15 November 2013 that the Act was brought into force and Abu Hassan Ismail (previously Director-General of the Department) was appointed as Personal Data Protection Commissioner. A number of Regulations came into force on the same day. Data users had three months to 15 February 2014 to comply with Act and Regulations. It is the first data privacy Act in the ASEAN region to be fully in force. This article analyses the main features of the new Act.
While the PDPA has many deficiencies, this data privacy legislation will be a significant step forward for Malaysians. In the hands of a Commissioner committed to privacy protection, and a government which does not impede this, much will be achievable. However, the range of enforcement methods is insufficient: there are no provisions by which complainants may seek compensation or most other remedies.
If the Act is well managed and gains credibility, Malaysian politics may deliver further improvements to it in future, particularly in expansion of scope to cover the public sector, and provision of some avenue for compensatory damages. For Malaysians to be able to focus on real issues in data protection, because of the existence of this Act, will inevitably increase the demand for better protection.The 'if' is important: hope for a brighter future will be misplaced if the problems evident in Malaysian public administration and justice continue.