Malaysia: Malaysian Personal Data Protection Act 2010: Does It Apply To Government Agencies?

Section 3(1) of Personal Data Protection Act 2010¹ ("the Act") provides that "This Act shall not apply to the Federal Government and State Government". So, what do Federal Government and State Government mean in this context? Section 3 of Interpretation Acts 1948 and 1967² ("IA 1948 and 1967") then defines the Federal Government as the Government of Malaysia and State Government as Government of a State. The question here is whether the definition in section 3 is broad enough to cover government agencies.

To date, there are no cases that interpret the meaning of Federal Government or State Government in the context of the Act and this makes the definitions too general and broad. Therefore, since there are no clear limitations or restrictions by any statutes and case laws to the definitions provided in the above, it can be argued that the definition of Federal Government may also include the government agencies since these agencies are invariably part of the government. By virtue of section 3 of the Act, government agencies shall be exempted from liabilities under the Act. In our view, the expression "Federal Government" and "State Government" do not include entities such as government owned companies for the simple reason that they have their own corporate personalities.

Personal Data Protection Act 2010 and Tort Law

Currently, there is no express right provided within the Act to aggrieved data subjects to pursue a civil claim for breaches under the Act against the government. Nonetheless, they may still rely on the Tort of Negligence and proceed with the matter in a tortious claim against the data user who leaked his personal data provided that if they are able to furnish the court with any evidence that their personal data was leaked by the data users and that leak was due to the negligence on the part of the data users.

"Personal data" is defined in section 4 of the Act as any information in respect of commercial transactions, which—

a. is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

b. is recorded with the intention that it should wholly or partly be processed by means of such equipment; or

c. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

Hence, any data user who leaks the personal data of a data subject to the public will be exposed to a tortious claim in negligence.

Cases Involving Other Governments

At the time this article was written, there are no reported cases where a court of law has ruled that a government agency is responsible for the leakage of data in their possession. However, there are instances where governments have admitted to being the cause of data leaks. For instance³:

Conclusion

To conclude, the Act does not apply to the Federal Government and State Government and this position also indirectly applies to government agencies due to the broad definition provided under IA 1948 and 1967. The Act seems to not apply to government owned entities and government owned corporations. Nevertheless, to be on the safe side, the Federal Government, State Government, and government owned agencies should ensure proper management of the data for the simple reason that the government can still be argued to owe a duty of care under the law of torts. Any breach of this duty may still expose the government to civil suits

Footnotes--------------------

1. https://www.kkmm.gov.my/pdf/Personal%20Data%20Protection%20Act%202010.pdf
2. https://www.jkptg.gov.my/images/pdf/perundangan-tanah/Act_388-intepret.pdf
3. https://portswigger.net/daily-swig/the-latest-government-data-breaches

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.