In many of the security conferences we have covered in Malaysia, the Personal Data Protection Act 2010 (PDPA) sometimes gets a mention, especially leading up to the introduction of the EU’s General Data Protection Regulation (GDPR) last year. Similar to the GDPR, PDPA was introduced years ago to safeguard the personal data of Malaysian citizens with respect to commercial transactions.
Companies and marketers, for example, would have to obtain consent and provide adequate notice if they want to process personal data or disclose it to a third party. They must take reasonable security measures and practices to ensure personal data is safe and is not misused, including by their own employees, and they’re not allowed to keep personal data any longer than necessary.
Sound familiar? Well, many of these provisions are similar to what the GDPR is also enforcing. Anyone who breaches any of the principles contained within the PDPA is liable to a fine not exceeding RM300,000 and/or a jail term not exceeding two years – on paper at least. Perhaps not as steep as GDPR’s “4% of a company's global annual turnover” fine, but possibly enough to serve as a deterrent.
In reality, however, enforcement has been severely lacking and we rarely see any company getting as much as a slap on the wrist for mishandling or misusing customer data, even when the data of over 46 million mobile subscribers was reportedly leaked from a dozen Malaysian mobile phone operators in 2017. As such, this new exposé by Free Malaysia Today, stating that the personal information (including full names, phone numbers, MyKad details and postal addresses) of millions of Malaysians is being sold online by peddlers for as little as RM150, shouldn’t really come as a shock.
Anecdotally, as someone who resides in Malaysia, getting unsolicited calls and text messages every now and then from random companies offering things like insurance, dodgy investments, loans or even gambling site offers has become a nuisance that won’t go away. Some of these cold-call sales offers are outright scams. It definitely helps scammers make their case and be much more convincing when they have your personal information at hand.
It seems like these companies are heedlessly sharing customer information without any real repercussions. Truth be told, the PDPA is definitely a case of all bark and no bite. It’s time that better laws are drafted and enforced to help bring existing legislation in line with the digital age and protect the personal data and privacy of Malaysian citizens.