Personal Data Protection Act 2010 (PDPA) in Malaysia: Case Study & Improvement

Background Information

The Personal Data Protection Act 2010 (PDPA), Act 709, was passed by the Malaysian Parliament in May 2010 (Personal Data Protection Act, n.d.). After Parliament passed the bill, it was sent to the King for royal assent, which it received on 2 June 2010. Personal Data Protection Act 2010 (PDPA) (n.d.) states that the Act was implemented in Malaysia on 15 November 2013 by way of notification in the government gazette. The prime objective of the Act is to protect personal information in the context of commercial transactions. Its most general principle is to prohibit people from using others’ personal data without consent.

“Personal Data Protection Department (PDPD) is an agency under the Ministry of Communications and Multimedia Commission (MCMC)” (Personal Data Protection Act, n.d.). The prime duty of the PDPD is to supervise the handling of individuals’ personal data in commercial transactions. The PDPD wants to ensure that no one misuses or misapplies another party’s data without due regard. The maximum penalty for non-compliance is between RM100k and RM500k and/or between 1 and 3 years’ imprisonment (Shahwahid & Miskam, 2014). No amendment or modification to the Personal Data Protection Act 2010 has been noted.

According to Kandiah (2019), the PDPA 2010 was needed to build consumer confidence in electronic commerce and business transactions. Before the Act was passed, the number of cases related to credit card fraud was rising. The theft involved selling personal data without customer consent. After the PDPA 2010 was passed, the number of fraud cases related to bank cards fell. People can now trust companies with their personal information without hesitation. Both companies and clients therefore benefit from the passing of this Act.

Figure 1: Personal Data Protection Act 2010 (PDPA) in Malaysia

A Case study related to the Personal Data Protection Act 2010 (PDPA)

With the popularity of social media platforms, cybersecurity has become a major concern, since weaknesses in it can lead to personal data breaches. In one case involving Facebook, in December 2019, the personal data of 267 million Facebook users was exposed in an online database. The data consisted of users’ names, user IDs, and phone numbers, and could be accessed by anyone through the database.

Although Facebook contacted the internet service provider to remove the data from the servers after discovering the leak, the database had already been exposed online for two weeks, and the data had already been posted on a hacker forum. As for the possible cause of the breach, the security researcher of Facebook claimed that the data was most likely the result of hackers exploiting Facebook’s Application Program Interface (API) (Ganjoo, 2019). Thus, it is essential to enforce a personal data protection act in vulnerable cyberspace.

Turning to the Malaysian context specifically, on 3 May 2017, Khas Cergas Sdn Bhd, the company that owns Victoria International College, was charged in the Sessions Court with processing the personal data of a former employee without a valid certificate of registration issued by the Personal Data Protection Department (PDPD) (Mageswari, 2017). Specifically, this case breached section 16 (1) of the PDPA, which requires data users to register and be issued a certificate of registration by the PDPD. The offense was allegedly committed by the company at its premises on June 6, 2016. The charge, heard before the Sessions Court judge, falls under section 16 (4) of the PDPA, which provides that, on conviction, the company would be liable to a maximum fine of RM 500,000 or imprisonment up to three years, or both (Attorney General’s Chambers of Malaysia, 2016).

Why is the PDPA relevant to the new media environment?

With the rapid development and progress of science and technology, the medium of information dissemination is constantly changing. The release of the Personal Data Protection Act (PDPA) in Malaysia has had an impact on the new media environment. Next, I will give my reasons why the PDPA is relevant to the new media environment today.

Firstly, the Personal Data Protection Act (PDPA) gives people more control over their personal data. More and more people can easily get online thanks to the rapid development of the network. In addition, a variety of social media platforms have been developed, and many people have become absorbed in virtual social media. Unfortunately, many criminals seize the opportunity to steal other people’s personal information. There is no doubt that having personal information stolen is a terrible thing. If everyone knew the benefits of the Personal Data Protection Act, people could use it to control their own personal data. Thus, the Personal Data Protection Act is relevant to the new media environment today.

Secondly, the Personal Data Protection Act (PDPA) deals with personal data related to commercial transactions. Business activity has never stopped since humans first appeared. The release of the Personal Data Protection Act (PDPA) in Malaysia has significantly reinforced the protection of personal data in relation to commercial transactions. It imposes strict restrictions on those who collect, record, and process personal data. There is no denying that, as a result, personal information in business transactions is now protected under the law. Thus, the Personal Data Protection Act is relevant to the new media environment today.

Last but not least, the Personal Data Protection Act (PDPA) lets a person reduce the number of unwanted telemarketing messages received. Have you been harassed by an advertising call? Have you ever been harassed by a fraudulent phone call? With the popularity of mobile phones and other mobile devices, more and more people’s personal information is leaked without their being aware of it. Our information needs to be protected and we want a safe network environment, so the Personal Data Protection Act (PDPA) is relevant to the new media environment today.

Suggestions to improve the Personal Data Protection Act 2010 (PDPA)

Although the establishment of the PDPA has greatly helped the protection of personal information at the commercial level, some problems have still come to light after a long period of practice.

Firstly, we must reduce the impact on the personal data life cycle management process. Collection, use, storage, and destruction should be minimized in every aspect.

Secondly, the operating methods of different companies should be considered comprehensively in order to find the best, generally applicable specific terms, so as to minimize the changes companies must make to their business processes to adapt to the terms.

Third, the establishment of a central database to achieve unified management of global information can not only facilitate the integration of information but also simplify the process of cross-border personal data transmission. For example, during the MCO, everyone used ZOOM to conduct virtual courses. After we install ZOOM, there is usually a pop-up window at the bottom of the screen: “Allow ZOOM to obtain your location permission”. Usually no one pays attention to this, but in fact your geographic location has been exposed. The next step is to bind the account.

Usually, everyone binds their Google account by default, so ZOOM directly obtains our email address. Think back further: what personal information did you provide when you first registered your Google account? Name, date of birth, nationality, and region; these four items can be said to be the most basic personal private information. Since we provide ZOOM with our Google mailbox, it cannot be ruled out that ZOOM’s company has learned all of the personal information we gave when registering that mailbox. Imagine that the ID card and passport you usually hide in the innermost layer of your wallet or in the innermost drawer have been completely exposed to strangers.

What should we do in this situation? We can only rely on legal protection. According to PDPA, “from a business perspective, the unauthorized use of other people’s information is prohibited.” When we registered with Google, it was equivalent to allowing Google to obtain and use our personal information. However, for ZOOM, we only allow it to bind our Google account (Google mailbox), which does not mean that we also agree to it obtaining our name, age, nationality, and region. This is exactly the problem that urgently needs to be resolved.


Conclusion

There are many areas involved in personal data. With the rapid development and wide application of information technology, human beings have gradually entered the era of new media. The protection of personal data is also particularly important. In the media field, while the continuous changes in media technology have had a profound impact on the media, the privacy of personal data has been greatly challenged.

The Survey Report on the Protection of the Rights and Interests of Chinese Netizens (2015) shows that in the past year, netizens lost approximately RMB 80.5 billion, or RMB 124 per capita, due to personal information leakage, spam, and fraudulent information (The State Council Information Office of the People’s Republic of China, 2015). It can be seen that personal data protection plays an important role in the media field. Personal data security even affects the security of collective interests, and protection through the corresponding laws and regulations is very important.

The world is suffering from data privacy leaks, and one of the most effective tools to solve this problem is to perfect the privacy protection law. Many countries/regions in the world have strict regulations on data privacy and security. The release of the Personal Data Protection Act (PDPA) in Malaysia has significantly reinforced the protection of personal data in relation to commercial transactions.


Attorney General’s Chambers of Malaysia. (2016). Personal Data Protection Act 2010. Retrieved from

Chua, H. N., Herbland, A., Wong, S. F., & Chang, Y. (2017). Compliance to personal data protection principles: A study of how organizations frame privacy policy notices. Telematics and Informatics, 34(4), 157-170.

Ganjoo, S. (2019, December 20). Facebook faces another data breach, data of 267 million users exposed. India Today. Retrieved from

Kandiah, S. (2019). The Privacy, Data Protection and Cybersecurity Law Review – Edition 6 MALAYSIA. Retrieved from

Mageswari, M. (2017, May 3). Company behind Victoria International College charged with personal data-related offence. The Star. Retrieved from

Personal Data Protection Act (n.d.). Retrieved from