PETALING JAYA: A clause in the Personal Data Protection Act 2010 (PDPA) which excludes its application to the federal and state governments may deter foreign investors from injecting funds into the country, an expert has warned.
Abu Bakar Munir of Universiti Malaya’s law faculty said Malaysia and Singapore are the only countries in the world to have such a clause in their statutes, raising questions among many foreign entities and governments.
“Participants in most forums and meetings that I attend locally and also abroad have raised this matter, saying it is unfair,” he told FMT.
Abu Bakar said Malaysia was the first country in Asean to draw up personal data protection laws.
“I was an adviser to the ministry and was involved in drawing it up. I told them we should not have this (the exclusion clause) in order to be more competitive and tighten our cyber security,” he said.
Abu Bakar said Singapore, which based its data protection laws on the Malaysian statute, also retained the exclusion clause. However, it has introduced legislation to govern the use of personal data by its public service, something not provided for under Malaysian law.
He said he has conveyed the concerns of various global players to officials of the ministry, which is presently reviewing the PDPA.
However, he said an official at the communication and digital ministry informed him that the Cabinet had rejected his proposal to remove Section 3 of the PDPA, where the exclusion clause is found.
According to Abu Bakar, representatives of international cyber security firms and major multinationals like Amazon have expressed surprise at Malaysia’s refusal to remove the section.
Apart from being on the team which drew up the PDPA, Abu Bakar has also advised Indonesia and Saudi Arabia on their data protection laws. He said both countries agreed to his proposal to omit a similar clause from their legislation.
“As we know, the government at all levels has the largest personal data bank which can easily be abused by irresponsible employees for personal gain. It must be held responsible for such breaches.
“We are talking about accountability. It is vital because the PDPA is among the laws that potential investors scrutinise before feeling safe about operating in Malaysia,” he said.
Abu Bakar said the issue also reflects on governance, which is an element of environmental, social and governance (ESG).
“Most socially responsible investors use ESG criteria to screen their investments,” he said.