INTRODUCTION
In January 2012, the European Commission set out plans for data protection reform across the EU in order to make Europe “fit for the digital age”. Fast forward to today: agreement has been reached on what that reform involves and how it will be enforced, through the introduction of the GDPR. The GDPR is Europe’s new framework for data protection laws, replacing the 1995 Data Protection Directive. This new EU framework applies to organisations in all member states and has implications for businesses and individuals across Europe, and beyond.
GDPR v PDPA
The objective of both the EU’s GDPR and Malaysia’s PDPA is to protect an individual’s rights over their personal data. However, the GDPR grants data subjects more robust rights. The following are a few examples of the differences.
Under the PDPA, personal data means information processed in respect of commercial transactions, from which a data subject can “be identified or is identifiable”. The GDPR takes a similar approach to the PDPA in that it does not set out strict rules as to which classes of information are personal data. Both focus on the identifiability of a data subject to determine whether or not a class of information constitutes personal data. However, the GDPR applies to automated processing of personal data which forms, or is intended to form, part of a filing system. As such, the application of the GDPR does not appear to be limited to “commercial transactions”.
Right to be forgotten
The right to be forgotten entitles the data subject to have their data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Section 10 of the Malaysian PDPA merely provides that personal data of data subjects shall not be kept for “longer than is necessary”. In contrast, Article 17 of the GDPR grants data subjects the right to actively object to the processing of personal data and imposes a one-month time limit for responding to such a request.
Right to data portability
The GDPR also provides a right to “data portability”, which allows individuals to obtain their personal data in a machine-readable format and to request that it be moved, copied or transferred easily from one controller to another in a safe and secure way, without affecting its usability. This is to be contrasted with the PDPA, which only provides the right to request from a data user, in an intelligible form, the personal data processed by that data user.
APPLICATION
The GDPR applies to organisations that control or process the personal data of data subjects in the EU. It also applies to organisations located outside the EU, such as in Malaysia, if they control or process the personal data of data subjects residing in the EU. Two questions should be addressed to determine whether you or your business collects, stores or processes (or has previously collected, stored or processed) the personal data of residents in the EU:
i. Does your business have any direct/indirect presence in Europe; and/or
ii. Does your business offer any goods or services to/monitor the behaviour of individuals in the EU?
If the answer to either question is yes, the GDPR will apply to the Malaysian business as well.
APPLICABLE TESTS
Two tests have been established for determining whether or not your business offers goods or services to, or monitors the behaviour of, individuals in the EU. The tests are as follows:
(a) Goods and Services Test
In relation to what amounts to an offering of goods and services to data subjects in the EU, the relevant test to consider is the Goods and Services Test.
Two elements must be fulfilled under this test for your business to be caught by the GDPR: (i) it must be apparent that your business or company envisages offering goods and services to data subjects in the EU; and (ii) you or your business must have made a conscious decision, or have the intention, to make its services available to customers based in the EU.
While the mere accessibility of the business website in the EU, or the use of a language generally used in the third country where the business is established, is insufficient on its own, certain factors may make it apparent that the business or company envisages offering goods or services to data subjects in the EU. Examples include the use of a language or currency generally used in the EU, with the possibility of ordering goods and services in that other language, or mentioning EU customers or users.
(b) Monitoring Test
The Monitoring Test, on the other hand, concerns the monitoring of behaviour: the tracking of data subjects’ behaviour on the Internet and the subsequent processing of that personal data for other purposes, such as profiling in order to make decisions regarding the data subject or to analyse or predict the data subject’s personal preferences, behaviours and attitudes. Profiling is essentially the automated processing of personal data to evaluate aspects of a person, in particular to analyse or make predictions about individuals. The use of the word “evaluating” suggests that profiling involves some form of assessment or judgement about a person.
CONCLUSION
Overall, the GDPR has wide-ranging consequences for Malaysian businesses, particularly those that serve customers or handle individuals’ data from all parts of the world, and especially from the EU member states. The introduction of the GDPR presents an opportunity for Malaysian businesses to set a higher standard of protection and procedure, ensuring that their business processes keep pace with the changes in both the local and global personal data protection regulatory regimes.