By Rachel Gong, PhD, Deputy Director of Research at Khazanah Research Institute
Malaysia is drafting three data regulations to improve personal data protections, government accountability, and data sharing efficiency across government agencies. Increasing engagement with public interest technologists and building policymakers’ technological expertise, as well as setting sector-specific regulations, can support a responsive regulatory environment.
TFGI’s report, “Evolution of Tech Regulation in the Digital Economy,” identifies four common goals of tech regulators in Southeast Asia. In this article, I focus on one of those four goals where there is room for improvement in ASEAN: safeguarding personal data to foster trust. I highlight three data regulations being developed in Malaysia: the Personal Data Protection Act (PDPA), the Freedom of Information Act (FOI Act), and the Omnibus Act.
In general, personal data protection laws regulate the processing of individuals’ personal data to prevent misuse or abuse. Meanwhile, freedom of information laws uphold the public’s right to access information from its government. An omnibus law, by definition, packages multiple disparate bills into one single act unified in its purpose. In the context of data regulation in Malaysia, the Omnibus Act was proposed in 2023 as a means of regulating data sharing across all government agencies.
Amending the Personal Data Protection Act (PDPA): Expanding to the Public Sector?
When it was first introduced in 2010, Malaysia’s PDPA was the first personal data protection law in Southeast Asia. Other countries followed, e.g., Singapore and the Philippines in 2012, Thailand in 2019, Indonesia in 2022, and Vietnam in 2023. However, while Singapore and the Philippines have amended their data privacy laws since their inception, Malaysia’s PDPA has remained in its original form.
In 2021, the Malaysian government released its Digital Economy Blueprint, indicating its commitment to “strengthening data protection and related regulatory frameworks to ensure holistic personal data protection and privacy.” This included a target of reviewing the PDPA by 2025. To its credit, the government has concluded its review and proposed amendments to the law, which were scheduled to be tabled at Parliament in March 2024.
As it stands, Malaysia’s PDPA applies only to commercial transactional data and does not apply to government data. Ideally, proposed amendments to the PDPA should include one that expands the scope of the PDPA to personal data managed by the government, as is the case, for example, in the Philippines. Given the amount of personal data, including health and financial data, collected, stored, and accessed by the government, Malaysia’s overarching data privacy law should apply to the public sector as well as the private sector.
If this is not to be the case, citizens’ personal data that rests in the hands of the government should be protected through other laws, clearly spelled out to the public. In Singapore, for example, the Public Sector Governance Act (PSGA) regulates how government agency officials may share data. Data protections and the right to privacy must be balanced with a need for data access in the public interest, including policy planning, service delivery, and socio-economic growth.
Tabling a Freedom of Information Act (FOI Act): Improving Accountability and Analysis
This is where an FOI Act, sometimes called a Right to Information Act (RTI Act), comes in. This act upholds the public’s right to access information held by the public sector, enabling individuals and organisations to request and receive data and information from their government. There are, of course, exceptions to data sharing, such as in cases involving government information that would compromise national security. Malaysia has been considering tabling such a law at the federal level since 2018.
In 2023, Prime Minister Anwar Ibrahim announced that the Special Cabinet Committee on National Governance had “agreed in principle to the enactment of a Freedom of Information Act to establish clear parameters and guidelines to give the public access to information from public bodies and the government.” Minister in the Prime Minister’s Department (Law and Institutional Reform), Azalina Othman, subsequently said that the introduction of such a law would have to go hand in hand with amendments to the Official Secrets Act (OSA). The OSA is currently the law that regulates government data, allowing individual government agencies to unilaterally decide what constitutes restricted, confidential, or secret information.
Globally, FOI Acts have typically been used by journalists, scholars, and activists to access government information to hold public officials accountable for their actions. In 2000, a Thai journalist requested and received information under the Official Information Act (OIA, Thailand’s version of an FOI Act), uncovering large-scale corruption within the Thai government. Subsequently, more restrictive amendments were proposed to Thailand’s OIA, possibly to curtail such use.
An FOI Act would have additional benefits now that public services are turning digital (e.g., electronic tax filing) and public data are being digitised (e.g., public transportation maps and weather pattern data). Access to government data would not only improve government transparency and accountability but also offer new opportunities for research and evidence-based policymaking. For example, access to weather pattern trends could enable climate researchers to identify hotspots for heat waves or floods, facilitating the development of better climate adaptation policies.
Casting a Wide Net with the Omnibus Act: Cross-agency Cloud Computing and Cybersecurity
Data governance is more than a binary of data protection and information freedoms. Data governance is needed all along the data value chain, and an Omnibus Act for data governance has the potential to address multiple concerns simultaneously.
With the aim of making better data-driven policies, Malaysia’s Economy Ministry proposes to unify government data sources across all government agencies. In principle, this seems sound. In practice, however, there are many complications, such as incompatible databases and data storage standards, potentially increased cybersecurity risks in consolidating personal data using cloud storage and computing, and an assortment of agency-specific data governance circulars and rules that need adjustments.
The Omnibus Act was proposed to resolve as many of these issues as possible. The Omnibus Act is also intended to support the use of the government’s Central Database Hub (PADU) and facilitate PADU as the default government database going forward. The Act has the potential to play a key role in data governance by promoting open government data by default, streamlining data governance rules across government agencies, and enforcing cybersecurity and data privacy best practices. However, it remains to be seen what exactly will be included in this Act, scheduled to be tabled in 2024.
Recommendations for a Responsive Regulatory Environment
Governments around the world are increasing their tech regulations to rein in exploitative use of technology. However, technological innovation outpaces lawmaking. As such, it is important to have a responsive regulatory environment that can adapt to changing circumstances.
The following three recommendations can support the establishment and maintenance of a responsive regulatory environment:
The broad definition of data complicates the regulation of various data types generated and analysed for different purposes. Government or public data, typically collected using public funds, should be regulated differently from intellectual property resulting from private research and development efforts. Consumer data utilised for marketing and advertising should be subject to different regulations than data from health records used for healthcare service delivery or public health policy.
Identifying sector-specific data requiring additional protection or oversight against misuse and regulating them separately, such as health data, can facilitate future amendments to these regulations without impacting general-purpose data regulations.
While there’s often emphasis on a multistakeholder approach to governance, the third sector—particularly public interest technologists—is frequently overlooked or underrepresented. Formally, this constitutes an emerging interdisciplinary field seeking socially responsible technology solutions for public benefit.
Informally, this field is occupied by civic tech practitioners, citizen scientists, digital rights activists in civil society, and researchers and lobbyists in industry and academia. Increased engagement between policymakers and these technological experts can enhance assessments and adjustments of tech regulatory environments, contributing to capacity building among policymakers.
Just as public policymakers find it useful to be versed in income inequality and trade tariffs, familiarity with technological issues like cross-border data flows and algorithmic management can be equally beneficial.
Well-informed and technology-savvy policymakers and their staff are better equipped to address challenges stemming from competing interests around technology adoption. Consultations and partnerships with regional counterparts, as part of initiatives like the ASEAN Framework on Digital Data Governance, can complement engagements and consultations with public interest technologists.
The views and recommendations expressed in this article are solely those of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.
About the writer:
Dr. Rachel Gong is a Deputy Director of Research at Khazanah Research Institute (KRI). Her ongoing research focuses on digital policy, including digital inclusion, the digital economy, and digital governance. She has provided input to policymakers on topics ranging from developing a digital inclusion index and measuring the digital economy to improving data protections and designing interoperable digital systems.