Legal Updates for March 2022

Latest Guidelines on Personal Data Protection Notices under the Personal Data Protection Act 2010 (PDPA)

The Personal Data Protection Act 2010 ("PDPA") is the main legislation which regulates the processing of personal data in the context of commercial transactions. Pursuant to section 7 of the PDPA (the Notice and Choice Principle), every data user must prepare a written statement which sets out the information as prescribed under the PDPA.

In this regard, the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi or "JPDP ") recently issued the Guide to Prepare Personal Data Protection Notice ("Guidance Note ") to provide guidance to all data users on the preparation of simple but comprehensive personal data protection notices (also known as "privacy notices "), which are aligned with the current business ecosystem as well as the personal data protection landscape in Malaysia.

Pursuant to the issuance of the Guidance Note, this Update seeks to provide a brief summary of the requirements for the preparation of privacy notices, as well as the potential impact on data users vis-à-vis their compliance with the Notice and Choice Principle.


Determining the Extent of Inland Revenue Board’s Powers to Request for Disclosure of Personal Information: Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors

Under the Income Tax Act 1967 ("ITA"), the Inland Revenue Board of Malaysia ("IRB") has broad powers and tools to ensure effective collection of tax revenue for the Malaysian government. This includes wide information gathering powers such as those provided for under Section 81 of the ITA which empowers the Director General of the IRB ("DGIR") to demand any person to disclose any information or particulars that is in the possession or control of the person for the purposes of the ITA.

The scope of the DGIR’s power to request information was recently tested in the case of Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors (Case No. WA-25-83-02/2020), where the DGIR relied on Section 81 of the ITA to make a blanket demand for customers’ personal data from Genting Malaysia Berhad ("GMB"). The High Court in its decision ruled in favour of GMB and held that the Personal Data Protection Act 2010 ("PDPA") does not allow the DGIR to make such demands in view of the protection afforded to individuals by the PDPA over their personal data.

This Update therefore seeks to provide a summary and brief analysis of the High Court case, and examine the potential impact of the High Court’s decision on organisations carrying out personal data processing activities under the PDPA.