An expert has issued a warning regarding a clause within the Personal Data Protection Act 2010 (PDPA) that excludes its application to the federal and state governments, suggesting that it might discourage foreign investors from injecting funds into the country.
Abu Bakar Munir, a member of Universiti Malaya’s law faculty, highlighted that Malaysia and Singapore are the only two nations globally to incorporate such a clause into their statutes, causing concerns among numerous foreign entities and governments, according to FMT.
Munir stated that during most local and international forums and meetings that he attended, this issue is consistently raised, with many asserting its unfairness.
He emphasised that Malaysia was the first ASEAN country to establish personal data protection laws, and he had advised the ministry during their formulation.
He urged against including the exclusion clause to enhance competitiveness and strengthen cybersecurity measures.
Munir pointed out that Singapore, which modeled its data protection laws after Malaysia’s, also retained the exclusion clause. However, Singapore introduced legislation to govern the use of personal data by its public service, a provision not present in Malaysian law.
Munir conveyed concerns from various global players to ministry officials, who are presently reviewing the PDPA. Nevertheless, an official from the Communications and Digital Ministry informed him that the Cabinet had rejected his proposal to remove Section 3 of the PDPA, where the exclusion clause is located.
According to Munir, representatives of international cybersecurity firms and major multinationals like Amazon expressed surprise at Malaysia’s reluctance to eliminate the section.
Aside from his involvement in drafting the PDPA, Munir also provided advice to Indonesia and Saudi Arabia on their data protection laws. He noted that both countries agreed to exclude a similar clause from their legislation.
Munir stressed the importance of holding the government accountable for personal data protection breaches, given the vast personal data banks held by all levels of government, which could be exploited by unscrupulous employees for personal gain.
He stressed that accountability is crucial, as the PDPA is one of the laws that potential investors examine before feeling secure about operating in Malaysia.
Munir also pointed out that this issue has broader implications for governance, aligning with the environmental, social, and governance (ESG) criteria that socially responsible investors use to assess their investments.
