Malaysia: Doing Business in Jurisdiction

Applicability of Data Protection Law in Malaysia to Organizations Doing Business in the Jurisdiction

The factor of "doing business in the jurisdiction" is utilized to determine the scope of applicability of the Personal Data Protection Act 2010 (PDPA) within Malaysia. This factor ensures that the law applies to organizations with a commercial presence or those engaging in economic activities within Malaysia, regardless of where the data processing occurs.

Text of Relevant Provisions

PDPA 2010 Sec.2(4d)(ii):

"(4) For the purposes of subsections (2) and (3), each of the following is to be treated as established in Malaysia: (d) any person who does not fall within paragraph (a), (b) or (c) but maintains in Malaysia—

  • (ii) a regular practice."

Original (Malay):

"(4) Bagi maksud subseksyen (2) dan (3), setiap yang berikut hendaklah disifatkan sebagai ditubuhkan di Malaysia: (d) mana-mana orang yang tidak termasuk dalam perenggan (a), (b) atau (c) tetapi mengekalkan di Malaysia—

  • (ii) suatu amalan biasa."

Analysis of Provisions

The provision in PDPA 2010 Sec.2(4d)(ii) establishes that any person who maintains "a regular practice" in Malaysia is to be treated as established in Malaysia for the purposes of the Act. This extends the applicability of the PDPA to foreign entities that engage in regular business activities within Malaysia.

  • Scope of Application: The PDPA applies to both domestic and foreign entities that process personal data in the context of commercial transactions. This includes organizations that have a sustained business presence or engage in systematic business practices within Malaysia.
  • Regular Practice: The term "regular practice" implies consistent and ongoing business activities, which may include maintaining an office, branch, or agency. This ensures that entities that conduct business in Malaysia are subject to the same data protection obligations as local businesses.

The rationale for including this factor in the law is to ensure comprehensive data protection for individuals in Malaysia by holding foreign businesses accountable for their data processing activities within the jurisdiction. This approach prevents regulatory gaps and ensures that personal data is protected regardless of the origin of the business.

Implications

For Businesses and Data Processors:

  • Extended Compliance: Foreign businesses that maintain a regular practice in Malaysia must comply with the PDPA. This includes adhering to principles related to the collection, storage, and processing of personal data as outlined in the Act.
  • Regulatory Oversight: The Malaysian Personal Data Protection Commissioner has the authority to enforce compliance with the PDPA for these foreign entities, ensuring that data protection standards are upheld.
  • Case Examples:
    • A multinational company with a subsidiary or branch office in Malaysia conducting regular business operations must comply with the PDPA.
    • An international e-commerce platform that targets Malaysian consumers and processes their personal data must adhere to the PDPA, even if its main operations are outside Malaysia.
  • Compliance Challenges: Foreign entities must understand and implement Malaysian data protection laws, which may differ from those in their home countries. This may require legal adjustments and operational changes to align with PDPA requirements.

By extending the PDPA's applicability to businesses that engage in regular practices in Malaysia, the law ensures that data protection standards are consistently applied, fostering trust and protecting the personal data of individuals within Malaysia.

