Spotlight: how are data protection laws enforced in Malaysia?

Deepak Pillai

The Commissioner is the authority that has been empowered to administer and enforce the PDPA. In carrying out his or her functions under the PDPA, the Commissioner and his or her officers have been granted a wide range of investigative and enforcement powers, which include the power to:

  1. inspect any personal data system used by a data user, in order to gather the information the Commissioner needs to make recommendations to that data user on promoting compliance with the PDPA;
  2. carry out investigations where a complaint has been lodged by a data subject or where the Commissioner has reasonable grounds to believe that a data user may have contravened the PDPA;
  3. issue enforcement notices directing a data user to take the steps required to remedy a contravention of the PDPA, or to cease processing personal data until the contravention has been remedied;
  4. carry out search and seizure, with or without a warrant, on the data user's premises;
  5. request access to computerised data when conducting a search on the data user's premises;
  6. require production of any computer, book, account, computerised data or other document kept by the data user;
  7. require the attendance of persons acquainted with the case and examine them to obtain their statements in the course of an investigation under the PDPA;
  8. arrest without a warrant any person reasonably believed to have committed, or to be attempting to commit, an offence under the PDPA; and
  9. issue compounds for offences under the PDPA.

Any person aggrieved by a decision of the Commissioner under the PDPA may appeal against that decision to the Appeal Tribunal established under the PDPA.

ii Recent enforcement cases

The Commissioner's office has been active in carrying out audits and inspections of data users to ascertain whether their personal data systems comply with the requirements of the PDPA. Based on the latest official statistics in the Commissioner's office Annual Report for 2021, the Commissioner's office carried out 34 inspections of the personal data systems of data users across various sectors.

Additionally, based on the latest official statistics in the Commissioner's Office Annual Report for 2020, the Commissioner's Office is in the midst of completing 14 investigation papers on 14 cases involving data breaches, and further enforcement action may be taken once the investigation papers are finalised.

Although the maximum penalty for non-compliance under the PDPA is a fine of 500,000 ringgit, imprisonment for a term of not more than three years, or both, the highest reported compound issued under the PDPA is 37,500 ringgit. Compounds of this amount were issued to two different data users for breach of the Security Principle under the PDPA: a data user in the communications sector in 2020, and a data user in the transportation (aviation) sector in 2021.

Apart from the above, the Commissioner also works closely with other enforcement agencies, such as CyberSecurity Malaysia and the Royal Malaysia Police, to investigate data breach incidents and public complaints about the unauthorised use and sale of personal data.

iii Private litigation

The PDPA does not expressly allow aggrieved claimants to pursue civil actions against data users for breach of its provisions. However, claimants may still bring civil actions against data users under other causes of action, such as breach of contract where the data user has failed to meet its obligations to protect the claimant's personal data or to prevent its disclosure to third parties.