PETALING JAYA: The Personal Data Protection Act (PDPA) 2010 in its current form is ineffective and needs to be urgently amended with updates to ensure those who cause data breaches are held accountable.

Universiti Sains Malaysia cybersecurity expert Assoc Prof Dr Selvakumar Manickam said two recent data breaches – the first allegedly selling data belonging to 22.5 million Malaysians obtained from the National Registration Department’s MyIdentity Application Programming Interface and the second, which offered to sell data on 802,259 Malaysians that was obtained from the Election Commission website – did not come under the purview of the PDPA.

When Defence Minister Datuk Seri Hishammuddin Hussein was questioned on the first case, he merely said it “does not jeopardise national security”.

To this, Selvakumar told theSun: “The Act does not apply since the security breach happened in a government system. For the same reason, if it does not involve a commercial transaction, social media platforms are also exempted from this Act.

“Even in the case of transactions involving business or private companies, if a data breach occurs in their system, they cannot be forced to admit to the violation.”

He said the PDPA commissioner, who is the person in charge of receiving complaints and investigating issues related to PDPA, is not independent as the individual is appointed by the communications and multimedia minister.

“The government should form a committee made up of experts from academia and law practitioners to perform a complete review of the existing laws, not just the PDPA but all other cyber and computer-related laws such as the Computer Crime Act 1997 or Communications and Multimedia Act 1998.

“This will serve to ensure laws on the protection of data and prevention of damage caused by cyberattacks are relevant and timely,” he said.

Cybersecurity company Novem CS chief executive officer Murugason R. Thangaratnam said the PDPA, in its current state, is outdated and too weak to address threats in the digital world now and in the future.

“More stringent measures need to be taken to tighten our data protection, especially now that many organisations and government sectors are migrating to the Cloud, which currently is dominated by Cloud providers stationed abroad.

“Currently, the PDPA does not cover data stored outside Malaysia. It only covers or applies to personal data involved in commercial transactions within the country,” he said, adding that technological advancements are going to make things more difficult in the future.

Murugason said there are existing data privacy governance frameworks, such as the European Union General Data Protection Regulation and the California Consumer Privacy Act, that Malaysia could follow.

“There must be proper coordination among all government agencies involved and private sector stakeholders. For example, the Malaysia Cyber Security Strategy 2020 and Malaysia Digital Economy Blueprint are already there.

“I believe the government is working on the amendments and additions to update the PDPA. How far it has progressed and whether it meets the intended purpose is uncertain,” he said.

Murugason added that the government needs to accept that there is a serious issue concerning cybersecurity and improve policies that govern and guide the people, processes and technology to secure data.

“Everyone needs to play their part. It is easy to blame the government for everything, but if we keep clicking on everything that excites us, and freely give away our data to anyone without first practising proper cyber hygiene ourselves, it is no use crying when our data is compromised.”