Introduction
Further to our previous News Alert on the release of the second tranche of the Personal Data Protection Guidelines under the Personal Data Protection Act 2010 (“PDPA”) by the Personal Data Protection Department (“JPDP” or Jabatan Perlindungan Data Peribadi), accessible here, this Update provides an overview of the key guidance under the Automated Decision-Making and Profiling (“ADMP”) Guideline.
By way of background, the PDPA does not currently contain specific provisions regulating ADMP. However, any processing of personal data in commercial transactions, including those involving ADMP, must continue to comply with the PDPA and its Personal Data Protection Principles.
“ADM” is defined under the ADMP Guideline as the process of making decisions without any human involvement by wholly or partly automated means. This may include situations where human involvement is minimal, such as where a human only inputs the data and the automated system makes the subsequent decision.
“Profiling” refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject, in particular to analyse or predict aspects concerning that data subject’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The Role of the Data Protection Officer
Where an organisation implements ADMP, the Data Protection Officer (“DPO”) should play a key oversight role in relation to ADMP systems. This includes: (i) supporting the conduct of any Data Protection Impact Assessment (“DPIA”); (ii) acting as the facilitator and point of contact between data subjects and the relevant data controller or data processor; and (iii) assisting with personal data processing matters and the exercise of applicable rights.
The DPO’s involvement is particularly important because ADMP is one of the qualitative factors that may trigger the requirement to conduct a DPIA, regardless of the nature or extent of its intended use. Accordingly, the DPO should ensure that a DPIA is conducted for any data processing involving ADMP elements.
The ADMP Threshold
Not all ADMP activities are subject to the ADMP Guideline. As such, DPOs are expected to exercise judgment in assessing whether a planned processing activity meets the relevant ADMP threshold. This threshold is met where the outcome of the ADMP process may:
- result in legal effects concerning the data subject; or
- significantly affect the data subject
(collectively, the “ADMP Threshold”).
Legal Effects Concerning the Data Subject
The ADMP Threshold is met where the ADMP process produces a decision that may affect a data subject’s legal status or legal rights. This may include decisions resulting in the termination of a contract or entitlement, or the rejection of a social benefit conferred by law.
Significantly Affect the Data Subject
The ADMP Threshold is also met where the ADMP process produces a decision that significantly affects a data subject, which may have the potential to:
- significantly affect the circumstances, behaviour, or choices of the data subject concerned;
- have a prolonged or permanent impact on the data subject; or
- at its most extreme, lead to the exclusion or discrimination of the data subject.
Examples of decisions that may significantly affect a data subject include decisions that affect the data subject’s:
- financial circumstances, such as eligibility for credit;
- access to essential services, such as health services;
- employment opportunities, including decisions that deny an employment opportunity or place the data subject at a serious disadvantage;
- pricing or commercial terms, such as where one data subject is offered a more favourable or lower price than another;
- access to education, such as university admissions; or
- reputation, including decisions that may result in reputational harm.
ADMP Involving Sensitive Personal Data
For clarity, “sensitive personal data” refers to any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, or biometric data.
Where ADMP involves the processing of sensitive personal data, organisations should ensure compliance with section 40 of the PDPA (“section 40”). Section 40 prohibits the processing of sensitive personal data unless one of the prescribed conditions is satisfied, including where the data subject has given explicit consent, or where the processing is necessary for specified purposes such as: (i) compliance with employment law; (ii) protection of vital interests; (iii) medical purposes; or (iv) legal proceedings or obtaining legal advice.
In addition to obtaining explicit consent where required, organisations should consider implementing enhanced safeguards when processing sensitive personal data for ADMP purposes. These safeguards may include technical measures such as encryption, and organisational measures such as stricter internal access controls. Such safeguards are similarly applicable to the processing of personal data for ADMP.
ADMP and the Notice and Choice Principle
The Notice and Choice Principle under the PDPA provides that where a data controller processes personal data, it must provide the data subject with a written notice containing information on the processing of their personal data.
Thus, if a data processing activity involves ADM or Profiling, the data controller should inform the data subject of this. The written notice may describe the types of decisions made through ADM or Profiling, the reasons for such decisions and their possible consequences. Additionally, the information provided should be as extensive as reasonably practicable, but need not disclose confidential information, trade secrets, intellectual property, proprietary rights or similar information.
Such notices should be easily accessible to data subjects and updated as soon as practicable to reflect any developments in the organisation’s ADMP activities.
ADMP and the Withdrawal of Consent
The PDPA provides data subjects with the right to withdraw their consent to the processing of their personal data by a data controller. The ADMP Guideline clarifies that this right also applies where the processing involves ADMP. Such withdrawal must be made by written notice to the data controller and, upon receipt of the notice, the data controller must cease the relevant processing of the data subject’s personal data, including any ADM or Profiling activities. This right to withdraw consent, including the mechanisms and processes available for exercising it, should be clearly communicated to data subjects.
In light of this, data controllers implementing ADMP systems should establish accessible, straightforward and user-friendly mechanisms and processes to enable data subjects to exercise this right.
Exceptions
The ADMP Guideline provides that ADMP may be undertaken where:
- the processing is necessary for entering into, or performing, a contract between the data subject and the data controller;
- the processing is necessary for compliance with applicable laws; or
- the data subject has given prior consent
(collectively, the “Exceptions”).
Notwithstanding the availability of the above Exceptions, the ADMP Guideline states that the data controller must obtain the data subject’s consent for the processing of personal data, including where such processing involves ADMP.
Additionally, the exemptions under Part III of the PDPA (which exempts certain Personal Data Protection Principles in specified circumstances) similarly apply to the processing of personal data involving ADMP.
Artificial Intelligence (“AI”)
In the context of AI, the ADMP Guideline is relevant where AI systems, including Generative AI systems, are used to process personal data in a manner that involves ADMP. Where AI is deployed for such purposes, data controllers may wish to consider adopting the following best practices:
- identify the commercial objectives of using AI and assess the associated risks before deployment;
- use AI for profiling in a manner that respects data subjects’ dignity, produces accurate outputs, recognises the limitations of AI, considers potential adverse impacts, and remains limited to its intended purposes;
- inform data subjects of the use of AI in ADMP through the relevant personal data protection notice or privacy notice, using explanations that are clear, proportionate and not overly technical;
- implement appropriate measures to mitigate risks of overdependence on AI systems or services;
- provide appropriate training to relevant personnel on risk assessment, compliance oversight, regulatory requirements, data subject management, and the operations and limitations of AI;
- avoid relying on AI as the sole factor in making policies or decisions concerning a data subject; and
- designate suitably trained personnel to review the use of AI in ADMP, with such reviewers being proactive, purposeful, authoritative and competent in evaluating and interpreting AI outputs.
Comment
Although the PDPA does not currently contain standalone provisions regulating ADMP, the ADMP Guideline makes clear that ADMP activities involving personal data must still be assessed against the PDPA.
A key practical point is that organisations should not assume that all ADMP activities will be treated in the same way. The ADMP Threshold, which focuses on whether the outcome of an ADMP process may produce legal effects concerning a data subject or significantly affect the data subject, requires organisations to consider not only the technology used, but also the potential impact of the decision on the individual concerned.
The ADMP Guideline also reinforces the importance of governance and accountability. Organisations implementing ADMP should involve their DPO at an early stage, particularly as the use of ADMP is one of the qualitative factors that may trigger the requirement to conduct a DPIA. Organisations should also exercise particular caution where sensitive personal data is involved, as such processing remains subject to section 40 of the PDPA and may only be carried out where a prescribed condition is satisfied. In addition, data controllers implementing ADMP systems should establish accessible, straightforward and user-friendly mechanisms to enable data subjects to exercise their rights, including the right to withdraw consent to the processing of their personal data.
While not all ADMP involves AI, the ADMP Guideline recognises that AI-enabled ADMP may raise additional risks, including overdependence on AI systems, inaccurate outputs and insufficient human oversight. Organisations using AI in ADMP should therefore ensure that AI is not treated as the sole basis for decisions concerning data subjects, and that suitably trained personnel are appointed to review, interpret and challenge AI-generated outcomes where necessary. These measures may also place organisations in a stronger position to respond to future regulatory developments, including JPDP’s anticipated AI Framework, which may address AI-related data protection and privacy considerations more comprehensively as Malaysia progresses towards its aspiration of becoming an AI Nation by 2030.
Overall, organisations deploying ADMP should review their existing privacy notices, consent mechanisms, DPIA processes and internal governance frameworks. This is particularly important for organisations using AI or automated tools in areas where decision-making may materially affect individuals, such as credit assessment, recruitment, personalised pricing or access to education.
We trust the above provides a helpful overview of the key guidance under the ADMP Guideline. Should you require any clarification or assistance in assessing how the ADMP Guideline may affect your organisation’s existing or proposed processing activities, please feel free to contact us.
Further Information
For more information on the other two Guidelines issued concurrently with the ADMP Guideline, please click on the following links to read our Legal Updates:
- Launch of Personal Data Protection Guideline for Data Protection Impact Assessment
- Launch of Personal Data Protection Guideline for Data Protection by Design
For regional Technology, Media and Telecommunications & Data Protection matters, please see Rajah & Tann Asia’s Regional Technology, Media & Telecommunications Practice and Regional Data & Digital Economy Practice for more information.
Contribution Note
This Legal Update is contributed by the listed Contact Partners, with the assistance of Paralegal Leslie Bong.
Please feel free to also contact Knowledge Management at RTApublications@rajahtann.com.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.