The Case for Private Action Rights under Malaysia's PDPA
In the rapidly evolving digital age, the importance of safeguarding personal data has become paramount. The concept of data protection, while integral, is only a subset of the broader notion of privacy. Privacy encompasses a wide array of rights, including the protection against unwarranted intrusion into personal life, freedom of thought, and the right to keep certain information confidential. Data protection specifically deals with the management, processing, and security of personal data, ensuring that individuals maintain control over their personal information. In Malaysia, neither has seen effective development from a jurisprudential standpoint.
The problem statement
Since its inception, the Personal Data Protection Act 2010 has relied solely on public enforcement mechanisms provided for in the Act. This has proven inadequate in addressing the diverse and rapidly evolving challenges in data protection. While the broad framework for data protection exists, regulatory bodies, constrained by resources and bureaucratic processes, often struggle to keep pace with the sheer volume and complexity of data protection issues. As a result, many violations go unaddressed, implementation guidance is severely lacking and individuals are left without sufficient remedies for breaches of their personal data.
Moreover, the lack of a private action framework stifles the development of legal precedents that could provide clearer guidance on the application and interpretation of data protection laws. In jurisdictions where private actions are allowed, courts have played a pivotal role in shaping and refining data protection principles, leading to more robust and dynamic legal frameworks. The absence of such judicial involvement in Malaysia hampers the evolution of a nuanced and comprehensive privacy jurisprudence.
This article proposes that a solution would be the introduction of a statutory right to private action under the PDPA. While only dealing with the narrower scope of personal data protection, it offers a ‘sandbox’ for structured exploration into aspects of privacy.
By enabling individuals to take legal action directly against those who violate their data protection rights within the confined parameters of the PDPA, a platform is created for the systematic development of privacy-centered legal precedent without compromising enforcement, or its effectiveness, under the Act. It would certainly be an effective step towards a ‘privacy mature’ jurisdiction.
What is a statutory right of private action?
A statutory right to private action is an explicit right provided for by statute that empowers an affected party to launch a private civil claim in specific instances. To draw on an example, reference is made to Malaysia’s Competition Act 2010. The Competition Act was enacted to essentially promote economic development by promoting and protecting the process of market competition, thereby protecting the interests of consumers.
Section 64 of the Competition Act provides for the right to private action as follows:
(1) Any person who suffers loss or damage directly as a result of an infringement of any prohibition under Part II shall have a right of action for relief in civil proceedings in a court under this section against any enterprise which is or which has at the material time been a party to such infringement.
A similar but more relevant right to private action is seen in Singapore’s PDPA in section 48O of that Act:
48O.—(1) A person who suffers loss or damage directly as a result of a contravention —
(a) by an organisation of any provision of Part 4, 5, 6, 6A or 6B; or
(b) by a person of any provision of Division 3 of Part 9 or section 48B(1),
has a right of action for relief in civil proceedings in a court.
(2) If the Commission has made a decision under this Act in respect of a contravention specified in subsection (1), an action accruing under subsection (1) may not be brought in respect of that contravention until after the decision has become final as a result of there being no further right of appeal.
(3) The court may grant to the claimant in an action under subsection (1) all or any of the following:
(a) relief by way of injunction or declaration;
(b) damages;
(c) any other relief as the court thinks fit.
What would a right to private action look like under Malaysia’s PDPA?
A good starting point for drafting such a clause into Malaysia’s PDPA would be to model it after the Singaporean section. The said section allows for the private right to co-exist with the Commissioner’s role and prevents simultaneous overlapping prosecution and claims by virtue of subsection (2).
However, in speculating on the trajectory of such a section, we must note that the implementation of the right to private action under the Competition Act in Malaysia has not been particularly successful. At the time of writing this article, there are only 6 reported cases on this section.
Further, the decisions of the Courts seem to raise the threshold for bringing a successful claim. In the High Court case of Gabungan Pertubuhan Teksi, Kereta Sewa, Limosin dan Teksi Lapangan Terbang SeMalaysia (GTSM) v GrabCar Sdn Bhd [2022] 10 MLJ, the Court decided that there must be a finding by the Competition Commission that the defendant is liable for the matters complained of by the plaintiff before any private right of action may be pursued under the Competition Act. This, in effect, makes any private claim hinge on the proactiveness of the Commission and would act as a significant hurdle to any private claim.
Taking this into account, if the intended effect of the right is to develop this area of law, one variation to any proposed section in Malaysia’s PDPA would be the inclusion of an explicit distinction between the right to private action and the Commissioner’s authority to investigate, i.e. the rights conferred under subsection (1) shall operate independently of any authority of the Commissioner except as provided for under subsection (2).
As to the scope of the right, it is proposed that at a minimum it should cover the seven (7) principles of the Act. This would allow for greater analysis of the breadth and scope of the said principles. Importantly, as the current national concerns centre around data breaches, it would allow for an additional dimension of protection under the Security Principle.
Effect of the implementation of a right to private action
The most important impact of incorporating the right to private action in Malaysia’s PDPA would be the potential to develop a robust body of jurisprudence in the field of data protection, ultimately serving as a foundational bedrock for further development of the right to privacy. By enabling individuals to pursue legal recourse for data protection violations, this statutory right would bring greater coherence and clarity to the scope of data protection rights and an understanding of the limitations of data protection, thereby acting as a catalyst for the development of other unique legislation.
Courts would be in a position to interpret and apply these rights without being confined to narrow or rigid frameworks. For instance, despite having similar provisions for private action in both Singapore and Hong Kong, the courts in these jurisdictions have reached differing conclusions on whether "loss and damage" can include emotional distress. This diversity in interpretation highlights the flexibility and adaptability of the legal system to address the nuances of data protection issues. Reference to other Commonwealth jurisdictions that have developed this area of law, such as the UK, Canada, and Australia, will further enrich the body of precedents available for consideration, providing a wealth of comparative legal insights while ultimately developing a uniquely Malaysian approach.
It is to be noted that the right to private action would increase the accountability of Data Controllers and Data Processors, as the civil standard of proof would apply, rather than the standard applied in a prosecution by the Attorney General under the Act.
Moreover, the implementation of a clear right to private action would catalyze the development of specialist talent in companies handling personal data and among legal practitioners. This, in turn, would contribute to the evolution of a more 'privacy-mature' jurisdiction. It would foster a professional environment where data protection and privacy are given due importance, leading to better compliance practices and innovative solutions for safeguarding personal data.
Crucially, this development would no longer be solely reliant on the efficacy of the Department of Personal Data Protection or the Commissioner, whose performance has faced scrutiny since the Act's implementation. Instead, it would distribute the responsibility of upholding data protection standards across various stakeholders, thereby creating a more resilient and dynamic data protection ecosystem. This decentralized approach would enhance the overall effectiveness of Malaysia's data protection framework, ensuring that it remains responsive to the ever-evolving landscape of privacy, data protection, and technology.
Additionally, introducing a statutory right to private action would necessitate greater public awareness and education about data protection rights. Empowering individuals with knowledge about their rights and the mechanisms available to enforce them is essential for the success of this statutory provision. Public awareness campaigns, educational programs, and resources provided by both governmental and non-governmental organizations would play a crucial role in ensuring that individuals are well-informed and capable of taking action when their data protection rights are violated. This cultural shift towards a more privacy-conscious society would further reinforce the effectiveness of the PDPA and contribute to a broader respect for privacy in Malaysia.
Conclusion
Introducing a statutory right to private action under Malaysia's PDPA would align with the Digital Ministry's vision for a more comprehensive legal framework that supports economic growth in the tech sector. By empowering individuals to seek redress for data protection violations, this initiative would ensure better compliance and accountability among data handlers, fostering a culture of privacy and data security.
Moreover, this statutory right could act as a gateway to the regulation of more complex technologies, such as artificial intelligence. As the legal landscape evolves to address data protection, it will be better equipped to tackle the nuanced challenges posed by advanced technologies, ensuring that Malaysia remains at the forefront of tech innovation while safeguarding individual privacy rights.