Regulating Blockchain Technology in Data Protection in Malaysia - Nur Afnizan Johan - DRAFT1
1. Satoshi Nakamoto, "Bitcoin: A Peer-to-peer Electronic Cash System," White Paper, 2012, available at: https://bitcoin.org/bitcoin.pdf, 1-9.
2. Bretton Woods 2016: Consumer Protection in the Digital Currency Economy. (2016). Retrieved from Consumers' Research: https://consumersresearch.org/research/papers/bretton-woods-2016-protecting-consumers-in-the-digital-currency-economy/
3. Ibid.
4. "A Glossary of Blockchain Jargon," MIT Technology Review, available at: https://www.technologyreview.com/s/610885/a-glossary-of-blockchain-jargon.
5. DLA Piper, "Blockchain: Background, Challenges and Legal Issues," available at: https://www.dlapiper.com/en/uk/insights/publications/2017/06/blockchain-background-challenges-legalissues.
6. Ibid.
7. Recital 7 of the GDPR; Michelle Finck, "Blockchains and Data Protection in the European Union," Max Planck Institute for Innovation & Competition Research Paper No. 18-01, February 7, 2018, 7.
8. Recital 32 of the GDPR; Section 6(1) of the PDPA.
such as public interest9 or the administration of justice.10 A transaction that is suspected of
criminal conduct and is being investigated is one such instance.
Malaysia implemented the Personal Data Protection Act 2010 (PDPA) on November 15, 2013.11 In general, its provisions are modelled after those of the EU. As with its Commonwealth equivalents, Malaysia's Federal Constitution and common law do not expressly recognise a right to privacy.12 The PDPA therefore marked a pivotal moment in the protection of Malaysians' personal data and privacy.
The PDPA applies to anybody who processes, or exercises control over the processing of, personal data that may be used for commercial purposes. It applies if the data user is established in Malaysia and the data is processed there, and it may also apply if personal data is processed in Malaysia using equipment located in Malaysia, even if the data user is not established there. The PDPA does not apply to the Federal or State Governments, nor to personal data processed outside Malaysia, except where data is processed outside Malaysia with the intention of further processing in Malaysia, in which case the PDPA may be relevant.13 The PDPA sets out seven Personal Data Protection Principles: the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle, and the Access Principle.
1.3 Problem Statement
As data becomes increasingly valuable, emphasis is being directed to data management
systems and architectures. Blockchain technology has been hailed as a potentially
transformative tool for accelerating the expansion of data management systems. A
blockchain is administered by a distributed network of computers that maintains an
immutable set of time-stamped entries. In contrast to conventional centralised designs,
blockchain is decentralised and lacks a single authority. Everything on the blockchain is public.
These characteristics position blockchain as an attractive platform for the development of
user-centric applications. In a blockchain-based system, user data is not held by a single party
and cannot be readily updated.
According to the Malaysian Administrative Modernisation and Management Planning Unit
(MAMPU), blockchain technology is a game changer on a par with the Internet.14 MaGIC, for
example, hosted blockchain-related events for companies in an effort to accelerate the
adoption of blockchain in Malaysia.15
Despite a lack of global recognition for blockchain, Malaysian blockchain developers are making significant progress and growing in number. The Rohingya Project is an excellent illustration of the credibility of Malaysian blockchain projects:16 blockchain technology is being used to create an immutable digital identity for the refugee Rohingya community. Most data privacy legislation, including the PDPA, applies whenever personal data is processed; consequently, personal data kept on blockchains is regulated under the PDPA. Moreover, the PDPA was drafted at a time when blockchain technology was still relatively new in Malaysia. Many countries have been sluggish to accommodate blockchain technology in their data privacy legislation, with the exception of France, which adheres both to the GDPR and to its own Network and Information Systems Security (NISD) regulation.17 As a result, various incompatibilities exist between the PDPA and blockchain, namely the lack of a central entity, the anonymity of users, territorial limitation, and the erasure and modification of data.
9. Section 39(e) of the PDPA
10. Section 6(2)(2) of the PDPA
11. Personal Data Protection Act 2010 (passed June 10, 2010, entered into force November 15, 2013) (PDPA).
12. Maslinda bt Ishak v Mohd Tahir bin Osman [2009] 6 MLJ 826; Lee Ewe Poh v Dr Lim Teik Man [2011] 1 MLJ 835.
13. Personal Data Protection Act 2010 (Act 709). Malaysia: Parliament of Malaysia, 2010.
14. Inisiatif Teknologi Blockchain dan Teknologi Lejar Teragih (DLT) di Malaysia 2019. (n.d.). Retrieved 19 October, 2021, from MyGovernment: https://www.malaysia.gov.my/portal/content/30633
15. Pikri, E. 7 Cool Blockchain Projects Made Right Here In Malaysia. Retrieved 11 July, 2021, from Fintech News Malaysia: https://fintechnews.my/18476/blockchain/blockchain-malaysiaprojects
The tension between privacy law and blockchain is not unique to the PDPA; it also exists in other countries' privacy laws. The European Union's General Data Protection Regulation (GDPR) is one such example. A study of the incompatibility between blockchain and the GDPR18 reports incompatibilities in terms of anonymity, the applicability of privacy laws, the identification of data controllers and processors, geographical considerations, cross-border transfers, immutability, and individual rights. The EU's GDPR is a textbook example of how data protection standards and blockchain are incompatible.
1.4 Research Objective and Research Question
1.4.1 Research Objective
The main objectives of the study are as follows:
• To investigate the legal landscape of data protection in relation to blockchain technology in Malaysia
• To compare the EU's regulatory approach towards data protection in the use of blockchain technology
• To identify a suitable data protection regulatory approach towards blockchain technology in Malaysia
1.4.2 Research Question
The following research questions will be addressed in this study:
• What is the legal landscape of data protection in relation to blockchain technology in Malaysia?
• What is the EU's regulatory approach towards data protection in the use of blockchain technology?
• How should data protection be regulated in relation to the use of blockchain technology in Malaysia?
16. Ibid.
17. Aumage, V., & Martin Dit Neuville, C. (2018). France's approach to implementing GDPR and NISD. Retrieved 5 July, 2021, from Taylor Wessing's Global Data Hub: https://globaldatahub.taylorwessing.com/article/france
18. H. Baskaran, S. Yussof, F. A. Rahim and A. A. Bakar, "Blockchain and the Personal Data Protection Act 2010 (PDPA) in Malaysia," 2020 8th International Conference on Information Technology and Multimedia (ICIMU), 2020, pp. 189-193.
1.5 Research Methodology
This research uses a socio-legal approach to analyse the gap in the regulation of blockchain technology in Malaysia in relation to data protection concerns. Socio-legal research focuses on the intersection of law and social science. When determining the appropriate strategy to regulate blockchain technology, it is critical to consider the impact on society, both in terms of how the technology is used and how it is regulated.
A comparative approach is employed to examine the regulatory steps taken by the EU and to identify the regulatory steps best suited to Malaysia. The EU was chosen as the benchmark in this research because it is well on track to set the global benchmark on data protection: the GDPR is becoming the de facto worldwide legal framework, given its influence on what organisations throughout the world are doing to comply with data protection rules.19 With the EU having a head start in regulating data protection, it serves as a useful baseline for Malaysia, which is still new to implementing such an act. Malaysia implemented the Personal Data Protection Act 2010 (PDPA) on November 15, 2013.20 In general, its provisions are modelled after those of the EU. As with its Commonwealth equivalents, Malaysia's Federal Constitution and common law do not expressly recognise a right to privacy.21 The PDPA therefore marked a pivotal moment in the protection of Malaysians' personal data and privacy.
A doctrinal study is also employed in this research. Doctrinal research is the study of legal theories through the reasoned analysis of statutory provisions and cases; the emphasis is on analysing legal concepts, rules, and doctrines. Non-doctrinal legal research, by comparison, focuses on the relationship of law to society, groups, and individuals, and entails an empirical examination of the operation of law, namely how a doctrine or principle has been applied in real-world contexts. Thus, while doctrinal legal research is concerned with the black letter of the law, non-doctrinal legal research is research about law. Given that the researcher is attempting to ascertain the legal landscape around the application of the PDPA and GDPR to blockchain technology, a doctrinal study is the more appropriate strategy for determining a solution that accommodates both the law and the technology. Doctrinal research also assists the researcher in identifying the sections of the Act that relate to or affect the use of the technology.
The primary and secondary sources will be statutes, international conventions, articles, books, newspaper clippings, websites, and journals.
1.6 Research Significance
This study contributes to the body of knowledge on regulating data protection in blockchain technology in Malaysia, given that there has been relatively little research on the subject. The majority of blockchain research is conducted outside Malaysia and focuses primarily on cryptocurrency regulatory issues rather than data protection. This study will also contribute to raising awareness of blockchain technology while reviewing the most appropriate regulatory strategy for data protection, so that the benefits of this technology can be adopted and realised. The study's objective is to make recommendations on how to protect personal data while still using the possibilities of the technology. Apart from that, using the EU as a reference point and replicating its regulatory actions will ensure Malaysia does not fall behind in terms of law enforcement and technology adoption.
19. Benady, D. (31 May, 2018). GDPR: Europe is taking the lead in data protection. Retrieved 18 September, 2021, from Raconteur: https://www.raconteur.net/legal/data-protection/gdpr-europe-lead-data-protection/
20. Note 21.
21. Note 22.
I feel that this technology will have a profoundly beneficial effect on society. The ability of
technology to assist nations in achieving success in a variety of fields enables us to progress
in a globalised world. Additionally, the recommendations derived from this research could
significantly assist legislators in remaining current with the technological development while
ensuring that blockchain technology is properly governed without inhibiting its advancement.
2.0 Literature Review
2.1 Blockchain literature
Blockchain technology became widely popular as a result of the unprecedented worldwide crypto boom of 2017.22 Fundamentally, the technology is based on long-standing principles and techniques in encryption and distributed transaction processing. Following Bitcoin's 2009 launch, the first "blockchain" network was introduced by software developers to support a cryptocurrency ecosystem.23 The possibilities of blockchain technology extend far beyond its original purpose of facilitating trustless, peer-to-peer value transfer, as seen in the technology's current use cases across a variety of industries, to name a few: supply chain management,24 the development of smart contracts,25 asset registry administration,26 and general recordkeeping.27 Despite the variety of use cases, implementations of this technology share several core elements.28
The first element is distributed ledger technology (DLT). Over a peer-to-peer network, this software architecture offers a synchronised, shared data structure that numerous users may access and alter. The ledger forms a chain by chronologically linking each newly published block of transactions to the previous blocks via a cryptographic hashing technique. A complete copy of the ledger, including all previous transactions, is generally retained by each participant or node.
The second element is the consensus mechanism. In place of a traditional centralised administrator, these algorithms typically require a defined majority of participants to validate the legitimacy of, and agree on, each new ledger transaction request. Proof-of-work, which is mostly used in public blockchains, incentivises participants to compete for the right to verify and settle blocks of transactions by solving computationally intensive puzzles. Proof-of-stake assigns block publishing rights based on participants' known investment in the blockchain. Proof-of-authority, which validates a participant's identity and permission level before authorising block publishing rights, is mostly used in private blockchains with known participants.
The third element is the choice between public and private participation. Public or permissionless blockchains, such as those that underpin the majority of cryptocurrencies, enable participation by anyone in any place, subject to the implementation's consensus processes. Private or permissioned blockchains impose automatic or manual restrictions on who may access and participate in the network and in specific transactions. Numerous corporate or enterprise applications require access controls or other constraints, such as limits on data content or storage locations, which private blockchains can provide. These applications, which frequently use more centralised networks with fewer participants, benefit from blockchain characteristics but also share a number of traits and hazards with traditional centrally managed databases.
22. Higgins, S. (29 December, 2017). From $900 to $20,000: Bitcoin's Historic 2017 Price Run Revisited. Retrieved from CoinDesk: https://www.coindesk.com/markets/2017/12/29/from-900-to-20000-bitcoins-historic-2017-price-run-revisited/
23. Frankenfield, J. (17 October, 2021). What Is Bitcoin? Retrieved from Investopedia: https://www.investopedia.com/terms/b/bitcoin.asp
24. Saberi, S., Kouhizadeh, M., Sarkis, J., & Shen, L. (2019). Blockchain technology and its relationships to sustainable supply chain management. International Journal of Production Research, 2117-2135.
25. Zou, W., Lo, D., Kochhar, P. S., Le, X.-B. D., Xia, X., Feng, Y., Chen, Z., & Xu, B. (2019). Smart contract development: Challenges and opportunities. IEEE Transactions on Software Engineering, 1-20. Research Collection School of Computing and Information Systems.
26. Maayan, G. D. (14 October, 2019). How is Blockchain Changing the Face of Asset Management? Retrieved from DATAVERSITY: https://www.dataversity.net/how-is-blockchain-changing-the-face-of-asset-management/#
27. Bhatia, S., Douglas, E. K., & Most, M. (2020). "Blockchain and records management: disruptive force or new approach?", Records Management Journal, Vol. 30 No. 3, pp. 277-286.
28. Bryce, J. (5 January, 2021). Five core elements of blockchain from Harvard/Gartner. Retrieved from Business Chief: https://businesschief.com/digital-strategy/five-core-elements-blockchain-harvardgartner
The fourth element is the immutability of transactions. DLT cryptographically ties each new block to its predecessor, resulting in transaction immutability. Participants, however, must evaluate the strength of that immutability in the context of the blockchain's specific properties, such as its security level and other potential hazards. For example, a "51 percent attack" occurs when a majority of participants are compromised, the consensus mechanism is overwhelmed, and the blockchain's contents are altered for the attackers' own gain. To achieve majority control of a large, resilient network, an attacker would need a significant amount of money and resources.
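The elements above (hash-linked blocks, a consensus rule enforced by every node, and immutability that is only as strong as the work needed to redo the chain) can be shown in a few dozen lines; the example also covers the node behaviour described under "Node" in 2.1.1, where a block that breaks the consensus rules is refused. What follows is an added illustration written for this section, not code from the paper or from any real blockchain implementation: the block layout, the toy proof-of-work target of two leading hex zeros, the timestamps and the sample transactions are all constructed for the example, and only the SHA-256 linkage of each block to its predecessor mirrors how real ledgers chain blocks.

```python
"""Hash-linked ledger with a toy proof-of-work (added illustration, not the
paper's or any real blockchain's code).  Block layout, DIFFICULTY, timestamps
and transactions are constructed for the example."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

DIFFICULTY = 2  # leading hex zeros a block hash must have (constructed, tiny on purpose)
GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: int            # fixed values below so the example is deterministic
    transactions: List[Dict]  # the "data block" published to the ledger
    prev_hash: str            # cryptographic link to the predecessor block
    nonce: int = 0

    def header(self) -> str:
        # Canonical JSON so every node hashes exactly the same bytes.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))

    def hash(self) -> str:
        return hashlib.sha256(self.header().encode()).hexdigest()


def meets_target(digest: str) -> bool:
    return digest.startswith("0" * DIFFICULTY)


def mine(block: Block) -> Block:
    """Proof-of-work: search for a nonce whose block hash meets the target."""
    block.nonce = 0
    while not meets_target(block.hash()):
        block.nonce += 1
    return block


def genesis() -> Block:
    return mine(Block(0, 1_600_000_000, [], GENESIS_PREV))


def append_block(chain: List[Block], transactions: List[Dict], timestamp: int) -> Block:
    """Publish a new block linked to the current chain tip."""
    tip = chain[-1]
    block = mine(Block(tip.index + 1, timestamp, transactions, tip.hash()))
    chain.append(block)
    return block


def validate_chain(chain: List[Block]) -> bool:
    """What a node does before relaying: re-check every link and every proof."""
    if not chain or chain[0].prev_hash != GENESIS_PREV:
        return False
    for i, block in enumerate(chain):
        if not meets_target(block.hash()):
            return False  # consensus rule violated: proof-of-work missing or stale
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False  # link broken: the predecessor's content has changed
    return True


def build_sample_chain() -> List[Block]:
    chain = [genesis()]
    append_block(chain, [{"from": "A", "to": "B", "amount": 5}], 1_600_000_060)
    append_block(chain, [{"from": "B", "to": "C", "amount": 2}], 1_600_000_120)
    return chain


def tamper_and_check(chain: List[Block]) -> bool:
    """Alter an already-published amount; report whether nodes would still accept the chain."""
    chain[1].transactions[0]["amount"] = 500
    return validate_chain(chain)


def remine_from(chain: List[Block], start: int) -> int:
    """The cost of rewriting history: every block from `start` onward must be
    re-linked and re-mined.  Returns the total number of hash attempts spent."""
    attempts = 0
    for i in range(start, len(chain)):
        if i > 0:
            chain[i].prev_hash = chain[i - 1].hash()
        mine(chain[i])
        attempts += chain[i].nonce + 1
    return attempts


if __name__ == "__main__":
    chain = build_sample_chain()
    print("valid before tampering:", validate_chain(chain))
    print("valid after tampering: ", tamper_and_check(chain))
    print("hash attempts to rewrite history:", remine_from(chain, 1))
    print("valid after re-mining:  ", validate_chain(chain))
```

Running the script builds a three-block chain, checks it the way a node would before relaying, changes an already-published amount and shows that the chain is then rejected. remine_from shows what a party controlling the majority of the network's work would have to do to make the altered history acceptable again: redo the proof-of-work for every block after the change. That is why the cost of rewriting grows with the length of the chain and with the honest network's hashing power, and why immutability should be read as a cost, not a guarantee.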
2.1.1 Technical Terminology
The International Organization for Standardization (ISO) established a dedicated Technical Committee on Blockchain and Distributed Ledger Technologies (ISO/TC 307) in 2017.29 The committee aims to take blockchain technologies to the next level: revolutionising financial transactions and bringing efficiencies to the health sector, the government sector, and all other areas of business that can utilise blockchain technology.30 This part will attempt to define some of the important terms used in blockchain technology.
Cryptography
'Crypto' is derived from the Greek word 'kruptus', which means hidden. In short, 'cryptography' can be defined as a way or technique of hiding information from others. This is done by encrypting the information, and the only way to retrieve it is by decrypting it. An everyday example of cryptography is the product bar code: the code exhibits none of the information stored, and in order to retrieve that information the code must first be decrypted; only then does it become readable and useful.
Node
A node is usually defined as someone who is connected to the network with a computer to verify the transactions they receive; they then relay them to other nodes in a continuous process. If a node does not follow the consensus rules, other nodes will refuse to relay its block, and that block will be deemed useless and treated as if it never existed.31
29. ISO/TC 307, Blockchain and Distributed Ledger Technologies, available at: https://www.iso.org/committee/6266604.html
30. Ibid.
31. Bitcoin Forum, "Differences between Miners and Nodes," available at: https://bitcointalk.org/index.php?topic=1734235.0.
32. Section 2(2) of the PDPA
processor that is solely responsible for processing personal data on behalf of a data user and
is therefore not directly subject to the Act's provisions.
2.2.1 Key Definitions
Personal data
Any data must meet three criteria in order to be classified as 'personal data' under the PDPA, namely:33
a. the data must contain information related to commercial transactions;34
b. the information must be processed wholly or partly by means of equipment that operates automatically in response to instructions given for that purpose, or recorded with the intention that it should be wholly or partly processed by such equipment, or recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; and
c. the information must relate to a data subject who is identified or identifiable, directly or indirectly, from that information or from other information in the possession of the data user.35
Under the PDPA's first condition, commercial transactions are defined as transactions of a commercial nature, including any matter relating to the provision or exchange of goods or services, agency, investments, financing, banking, or insurance. Under the current state of the law, it is unclear whether an employment relationship is deemed a commercial transaction and hence whether employment-related information falls within the purview of the PDPA. The definition of 'personal data' appears sufficiently broad to encompass the common categories of personal information acquired in day-to-day transactions, such as name, address, telephone number, email address, banking information, and pictures, as well as other sorts of information.
Sensitive Data
The PDPA defines sensitive personal data as any personal data about a data subject consisting of information such as:
a. the physical or mental health or condition of the individual;
b. his or her political opinions;
c. his or her religious beliefs or other beliefs of a similar nature;
d. whether he or she has been found to have committed, or been accused of committing, an offence; and
e. any other personal data that may be determined by the minister responsible for personal data protection (currently the Minister of Communications and Multimedia).18
The processing of sensitive personal data is only permitted with the explicit consent of the data subject and only in the limited circumstances laid out in the PDPA.36
33. Section 4 of the PDPA
34. Section 4 of the PDPA
35. See also Section 45(2)(c) of the PDPA
Data Controller
A data user is a person who processes personal data, either alone or jointly with others, or who has control over or authorises the processing of personal data, but the term does not include a data processor or any other person who processes personal data on the data user's behalf.37 The PDPA treats data users in the same way that the General Data Protection Regulation treats EU data controllers.
Data Processor
A "data processor" is any person, other than an employee of the data user, who processes personal data solely on the data user's behalf and does not process the personal data for his or her own purposes.38 Data processors include companies such as cloud computing service providers that provide services to third-party customers.
Data Subject
The PDPA defines a 'data subject' as an individual who is the subject of personal data
collected by a data controller.
Biometric data
Currently, there are no clear requirements or guidance in the PDPA regarding 'biometric data'. Because such data contains information about the 'physical condition' of the data subject, it may be considered sensitive personal data.
Health data
While the term 'health data' is not expressly defined in the PDPA, such data would be considered 'sensitive personal data', since it contains information about a data subject's 'physical or mental health or condition'.
Pseudonymisation
At the time of writing, there are no clear requirements or guidance in the PDPA on the subject of 'pseudonymisation'.
36. Section 40(1) of the PDPA.
37. Section 4 of the PDPA.
38. Section 4 of the PDPA.
2.2.2 Scope of application
Personal scope
The PDPA applies to anybody who processes or has control over the processing of personal data (hereinafter referred to as the 'data user'). It is worth noting that the PDPA's broad definition of processing encompasses a wide variety of operations, including using, disseminating, collecting, recording, and keeping personal data. The PDPA also treats only individuals as data subjects. Additionally, the PDPA has provisions addressing data processors: a data processor who processes personal data only on behalf of a data user may not be directly bound by the PDPA's rules; rather, it is the data user's responsibility to ensure that the data processor complies with the PDPA's applicable requirements.
Territorial Scope
The PDPA does not apply to personal data processed outside Malaysia unless the data
is intended to be further processed in Malaysia; it also does not apply to a data user
who is not established in Malaysia unless that person utilises equipment in Malaysia
to process personal data for purposes other than transit through Malaysia. Aside from
the Government of Malaysia (the "Government") and state governments, the PDPA
exempts any information processed for the purposes of a credit reporting firm under
the Credit Reporting Agencies Act 2010 from being subject to its provisions.
Material Scope
According to the PDPA, processing in relation to personal data includes the following
operations or sets of operations on personal data:
• it is done for a legitimate purpose that is directly related to the conduct of the
data user; and
• it is required for, or closely linked to, that purpose; and it is reasonable.
• the information is sufficient and not disproportionate for the purpose for
which it is being used.
Consent must be documented and maintained appropriately by data users, as
stipulated in the 2013 Regulations. Consent must be obtained expressly or via opt-in
techniques, as implicit consent or the use of an opt-out method cannot be
documented. Additionally, it is worth noting that the 2013 Regulations state that the
data user bears the burden of establishing consent. Additionally, the 2013 Regulations
indicate that where consent is required, the demand for consent shall be conveyed in
a manner that distinguishes it from other subjects. Consent must be obtained from
the data subject's parent, guardian, or other person who has parental responsibility
for the data subject if the data subject is under the age of 18.
Notice and choice principle
This principle requires a data user to notify a data subject of certain items relevant to
the data subject's information that is being processed by or on behalf of that data user.
The PDPA requires a data user to notify a data subject in writing, in both the national language, Malay, and English, of the following:
• that the data subject's personal data is being processed, together with a description of the data;
• the purposes for which the personal data is being collected and processed;
• any information available to the data user about the source of that personal data;
• the data subject's right to request access to and correction of the personal data;
• the data user's contact details for any enquiries or complaints;
• the class of third parties to whom the data has been or may be disclosed;
• the choices and means provided to the data subject to limit the processing of the data; and
• whether it is mandatory or voluntary for the data subject to provide the data and, if mandatory, the consequences of failing to do so.
This notice must be given by the data user "as soon as practicable," which means when
the data user first requests personal data from a data subject, when he or she collects
personal data from the data subject for the first time, or before the data user uses the
data for a purpose other than that for which it was collected or before the data user
discloses the data to a third party, whichever is earlier. In addition, the data subject
must be provided with a clear and easily accessible method of exercising his or her
choice, if and when this is required, in both Malay and English.
Disclosure principle
This principle restricts a data user from disclosing the personal data of a data subject:
• for any purpose other than the purpose disclosed to the data subject, or a purpose closely related to that purpose; and
• to any party other than the class of third parties that has been disclosed to the data subject.
However, the dissemination of personal data is permissible in the following circumstances:
• the nature of the personal data and the harm that would result if it were lost, misused, modified, accessed or disclosed without authorisation or accidentally, altered, or destroyed;
• the place or location where the personal data is stored;
• any security measures incorporated into any equipment in which the personal data is stored;
• the measures taken to ensure the reliability, integrity and competence of personnel having access to the personal data; and
• the measures taken to ensure the secure transfer of the personal data.
As per the 2013 Regulations, the data user must develop a security policy. The
following is an overview of the security standards mandated by the 2015 Standards:
• to ensure that persons responsible for the management of personal data are registered through a registration system prior to being provided access to personal data;
• to ensure that personal data is protected at all times by all employees involved in handling it;
• to impose access controls and restrictions;
• to implement physical security measures such as entry and exit checks, storing personal data in locations protected from physical and natural hazards and not exposed to the public, installing CCTV around data storage areas if necessary, and providing facilities with 24-hour security as needed;
• to establish backup and recovery procedures, and to ensure that the most up-to-date antivirus software is installed and that scheduled malware monitoring and scanning of operating systems is in place to prevent attacks on electronically stored data;
• not to transfer personal data through removable media devices or cloud computing services unless approved in writing by the senior management of the data user's organisation;
• to keep a record of any personal data transfers made via removable media devices or cloud computing services;
• to ensure that any transfer of personal data via cloud computing services adheres to Malaysian and other countries' personal data protection principles;
• to keep proper records of access to personal data, and to provide those records to the Commissioner if required to do so; and
• to enter into contracts with data processors, or individuals who process personal data on the data user's behalf, for the purpose of data processing.
In the case of non-electronically processed personal data, a data user must:
• ensure that all applicable laws governing the processing and storage of personal data are adhered to prior to disposing of any personal data;
• not retain personal data for longer than necessary, unless other regulatory obligations justify a longer retention period;
• create and maintain records of the disposal of personal data, which shall be supplied to the Commissioner upon request;
• destroy all forms collecting personal data used in commercial transactions within 14 days, unless the form possesses legislative value in connection with the commercial transaction;
• conduct a review of the database and delete any personal data that is no longer required;
• maintain a schedule for the disposal of personal data that has been inactive for a period of 24 months; and
• not use removable media devices for the storage of personal data without the express authorisation of the senior management of the data user's organisation.
Data integrity principle
Data users must take reasonable steps to make sure that personal data is accurate,
complete, not misleading, and up to date, taking into account the purpose for which
the data was collected and how it was used.
The following is a quick rundown of the 2015 Standards' data integrity requirements:
• to develop a form for updating personal data that is accessible online or in hard
copy;
• to promptly update personal data upon receipt of a data subject's request for
data correction;
• to ensure compliance with all applicable laws by identifying the types of data
or documents required to substantiate the legitimacy of the data subject's
personal data; and
• to inform data subjects about data updates via a portal or by posting a
notification on the data subject's premises, or through other acceptable
channels.
39. Article 8(1) of the Charter of Fundamental Rights; Article 16(1) TFEU.
40. Article 8(2) of the Charter of Fundamental Rights.
41. Article 16(2) TFEU.
Following in the footsteps of the 1995 European Union Data Protection Directive, the General
Data Protection Regulation (GDPR) establishes a precise legislative framework that
harmonises data protection across all of the European Union's member states.42 It seeks to
achieve two goals at the same time. On the one hand, it strives to enhance fundamental rights
by ensuring that natural persons have a high level of protection under the law. On the other
hand, it seeks to achieve an economic goal by removing the barriers that prevent personal
data from being transferred between different member states in order to strengthen the
Digital Single Market.43 The GDPR further highlights that, while data protection is recognised
as a fundamental right, it is not an absolute right and must instead be examined in the context
of its purpose in society, as well as in the context of other fundamental rights in accordance
with the concept of proportionality.44
42 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
43 Article 1(1) GDPR and Recital 10 GDPR.
44 Recital 4 GDPR.
3.3.1 Anonymity, pseudonymity, and privacy law applicability
Under most privacy regulations, including the GDPR, the processing of personal data is the primary factor that determines whether the regulation applies. Personal data rules therefore apply to blockchain systems that explicitly record personal data on the chain. Some blockchains record, process, or use personal data to manage transactions; others do not.
Some proponents of blockchain believe that the use of public-private key cryptography ensures users' privacy and anonymity. This is a skewed interpretation of what constitutes personal data under the GDPR, for the following reasons:
• Blockchain transactions and other publicly available data can be used to link persons to their public keys, and some firms do identify individuals in exactly this way.
• The GDPR defines "personal data" broadly (see The EU's GDPR). Once objective factors such as cost and time, together with current and foreseeable technology, are taken into account, the bar for identification is low: any method "reasonably likely to be implemented" counts.45
Describing the result as tokenisation of personal information, rather than as anonymised data, is the more accurate position from a privacy perspective:
• what is referenced on-chain is a public blockchain address, not the underlying owner's identity or any other personally identifying information; and
• public blockchain addresses are often not displayed in unencrypted form.
This usage contrasts with data privacy rules, under which personal information counts as anonymised or de-identified only if it cannot reasonably be linked to an identifiable individual. Pseudonymisation strategies mitigate risk but do not remove regulatory obligations.
Concerns over reidentification have prompted certain blockchains, notably privacy-oriented
cryptocurrencies, to attempt to mitigate the danger of identifying individual participants by:
45 Recital 26, GDPR.
3.3.2 Data controller and data processor identification
In terms of data privacy laws and frameworks, the GDPR makes a very clear distinction
between:
• Control the blockchain system in the same way that a traditional system
architecture would.
• Decide what personal data will be used for and how it will be used.
Other parties that help run the blockchain for the central operator, such as nodes or miners, may take on the role of processor. The private blockchain operator or consortium must ensure that these service providers are held accountable and that regulatory requirements are met, by putting in place appropriate data processing agreements or other contracts. Conversely, private blockchains in which the central operator performs all of the technical support work may have no data processors or service providers by default.
Public blockchains usually have no single party in charge, which makes it hard to assign traditional controller and processor accountability. For example:
• During block verification, each public blockchain node processes the identical transaction data independently. Each node could therefore be classified as a joint controller under the GDPR, although authorities and commentators alike are hesitant to draw this conclusion for all nodes.46
• On the other hand, if no entity clearly controls the data, participants might continue to argue that there is no controller and therefore no processors. This argument may not be compatible with the GDPR, however, which requires that personal data processing involve a "clear allocation of tasks".47
With the exception of the French data protection authority (Commission Nationale de l'Informatique et des Libertés, CNIL), data protection authorities and other regulators have been slow to address blockchain technology.
3.3.3 CNIL Guidance
The CNIL has issued some very cautious guidance on how the GDPR might apply to certain blockchain use cases. The CNIL Guidance focuses on the different kinds of participants who work with a blockchain, such as:
• participants with write privileges, who can enter transactions on the blockchain and transmit data to miners for validation;
• accessors, who can keep full copies of a blockchain but can only read them; and
• miners, who validate transactions and create new blocks in accordance with the implementation's governance model.
46 Articles 4(7) and 26, GDPR.
47 Recital 79, GDPR.
Participants who make these kinds of decisions are controllers of the personal data they put on a blockchain, because they decide why and how it is processed. Those who merely access or mine do not usually make these decisions, so they are not controllers. The CNIL guidance also states that individuals who put their own personal data on a blockchain for purely personal reasons are not controllers, under the GDPR's "household exception".48
Third parties that act on someone else's behalf may become processors and should therefore sign data processing agreements.
Regarding miners, the CNIL guidance states:
• Where miners only validate transactions and have no involvement in the transactions' objects, for instance miners who merely build new blocks in accordance with the technical protocol, they are not controllers.
• Miners may nonetheless be data processors in some cases, for example where insurance companies use their own private blockchain to mine transactions for their customers.
The CNIL Guidance is not explicit on this point, but it may mean that in some cases miners are neither a data controller nor a data processor.
3.3.4 Territorial considerations
Data privacy laws may apply on one or both of the following bases:
• processing of personal data by organisations established in the European Union (EU) or the European Economic Area (EEA); and
• regardless of where the personal data is stored, processing that is used to offer goods or services to people in the EU or to monitor people's online behaviour in the EU.49
Traditional centralised systems are far easier to evaluate and apply restrictions to than decentralised blockchain systems. More conservative blockchain projects that deal with sensitive data may try to limit members by jurisdiction, although online locations cannot be reliably verified. Private blockchains are more likely than public blockchains to impose constraints through their governance structures and agreements in order to limit their regulatory exposure. Using public blockchains to store and process personal data may be considered good practice, but:
• keeping track of many different sets of rules can be costly;
• when encryption is done with a common public-private key pair, many countries may be able to apply their own rules to it;
• personal data may be transferred to countries outside the European Union only in certain cases; and
• the recipient country must implement specific measures to provide an equivalent or adequate level of protection.
Unless the European Commission has made an adequacy decision for the recipient jurisdiction, controllers must put extra safeguards in place. Standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms are all examples of such safeguards.
Other countries may also wish to limit cross-border data transfers, and may rely on the same kinds of safeguards.
48 Article 2, GDPR.
49 The EU's GDPR and Draft E-Privacy Regulation.
• specific;
• well-informed; and
• clear.51
50 Article 6, GDPR.
Even if consent procedures comply with the GDPR or other applicable standards:
• individuals can withdraw consent at any time, without giving a reason; and
• the personal data may be stored in such a way that it cannot be removed, rendering subsequent processing unlawful.
When deciding what data to retain and how to record it in blockchain applications, organisations need to take into account eventualities such as consent withdrawal.
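As an added illustration (example code written for this page, not part of the paper or of any project it cites), the following Python sketch ties together the pseudonymity point from section 3.3.1 and the consent-withdrawal problem just described. It models a blockchain as an append-only list, keeps personal data and a per-record random salt off-chain under the controller's control, and writes only a salted SHA-256 commitment on-chain. Withdrawal of consent is then honoured by deleting the off-chain record and salt, after which the on-chain value can no longer be linked to the person by anyone, the controller included. It also shows why a plain unsalted hash of a guessable identifier is still personal data: an observer holding a list of plausible identifiers recovers it immediately. The `Ledger`, `Controller` and `reidentify` helpers and the sample e-mail addresses are all constructed for this example and are assumptions, not anything the paper describes.

```python
"""Added illustration (not from the paper): on-chain commitments with
off-chain personal data, and why salting matters for pseudonymity.

The ledger is a plain append-only list standing in for a blockchain: entries
can be appended but never removed. Personal data and the per-record salt are
kept by the controller off-chain, so an erasure or consent-withdrawal request
can be honoured by deleting them. The unsalted variant shows the opposite
case: a bare hash of a guessable identifier is matched by anyone holding a
candidate list, so it remains personal data under the "reasonably likely
means" test.
"""
import hashlib
import secrets
from typing import Dict, Iterable, List, Optional, Tuple


def unsalted_hash(record: bytes) -> str:
    """Deterministic SHA-256 of the record: identical input, identical output."""
    return hashlib.sha256(record).hexdigest()


def salted_commitment(record: bytes, salt: bytes) -> str:
    """SHA-256 over a random salt followed by the record."""
    return hashlib.sha256(salt + record).hexdigest()


def reidentify(ledger_value: str, candidates: Iterable[bytes],
               salt: Optional[bytes] = None) -> Optional[bytes]:
    """Return the candidate record the ledger value commits to, or None.

    Models an observer who knows the on-chain value and a list of plausible
    identifiers (here, e-mail addresses) and simply recomputes the hash for
    each one. Without the salt, only unsalted hashes can be tested.
    """
    for candidate in candidates:
        if salt is None:
            digest = unsalted_hash(candidate)
        else:
            digest = salted_commitment(candidate, salt)
        if digest == ledger_value:
            return candidate
    return None


class Ledger:
    """Toy append-only ledger: values may be appended but never removed."""

    def __init__(self) -> None:
        self._entries: List[str] = []

    def append(self, value: str) -> int:
        self._entries.append(value)
        return len(self._entries) - 1

    def get(self, index: int) -> str:
        return self._entries[index]

    def __len__(self) -> int:
        return len(self._entries)


class Controller:
    """Data controller that keeps personal data and salts off-chain only."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self._offchain: Dict[int, Tuple[bytes, bytes]] = {}

    def record(self, personal_data: bytes) -> int:
        """Write a salted commitment on-chain; keep salt and data off-chain."""
        salt = secrets.token_bytes(32)
        index = self.ledger.append(salted_commitment(personal_data, salt))
        self._offchain[index] = (salt, personal_data)
        return index

    def prove(self, index: int) -> bool:
        """True while the controller can still tie entry `index` to a record."""
        if index not in self._offchain:
            return False
        salt, personal_data = self._offchain[index]
        return self.ledger.get(index) == salted_commitment(personal_data, salt)

    def salt_for(self, index: int) -> Optional[bytes]:
        entry = self._offchain.get(index)
        return entry[0] if entry else None

    def erase(self, index: int) -> None:
        """Honour consent withdrawal: delete the off-chain record and its salt.

        The ledger entry cannot be deleted, but with the salt gone nobody
        (the controller included) can recompute or verify the commitment.
        """
        self._offchain.pop(index, None)


if __name__ == "__main__":
    # Constructed sample identifiers, not real people.
    candidates = [b"alice@example.com", b"bob@example.com"]
    ledger = Ledger()
    controller = Controller(ledger)
    idx = controller.record(b"alice@example.com")
    print("unsalted hash matched:",
          reidentify(unsalted_hash(b"alice@example.com"), candidates))
    print("salted entry matched without salt:",
          reidentify(ledger.get(idx), candidates))
    controller.erase(idx)
    print("entries still on ledger:", len(ledger),
          "| controller can still prove link:", controller.prove(idx))
```

While the salt exists this is pseudonymisation, not anonymisation in the GDPR sense, which is exactly the point made in section 3.3.1: the risk is reduced but the obligations remain. What the pattern buys is a practical way to act on erasure and consent-withdrawal requests despite the ledger's immutability, since the only thing left on-chain after erasure is a value that no party can recompute.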
3.3.7 Immutability and individuals’ rights
Individuals are progressively granted rights under data privacy laws, with the goal of:
51 GDPR Article 4(11).
These very strict technical steps:
• are very hard to put into practice every time individuals try to exercise their rights; and
• may be smoother in private blockchain governance models where a single party is in charge.
52 The EU Data Protection Directive 95/46/EC has now been replaced by the EU General Data Protection Regulation, which came into force on 25 May 2018.
53 There is some ambiguity about which public entities fall within this definition. It does not appear that agencies and statutory bodies established under Acts of Parliament or state enactments to perform specific public functions, such as Bank Negara Malaysia (BNM), the Employees Provident Fund, the Securities Commission Malaysia and the Companies Commission of Malaysia, fall within the scope of this exemption.
that addresses information technology system risks such as hacker attacks, viruses, malware, and data theft, is the main standard for cyber risk management in Malaysia.
Sectoral authorities such as the Central Bank of Malaysia (BNM) and the Securities Commission Malaysia have also been actively addressing cybersecurity risks in their respective industries by issuing guidelines and establishing compliance requirements (discussed in Section IX). The intersection of privacy and cybersecurity is also visible in the degree of tolerance for government surveillance: the PDPA does not restrict government access to personal data (discussed in Section VI). National security, law enforcement, and counter-terrorism are among the grounds cited to justify broad government access and use.
Tan Sri Muhyiddin Yassin, Malaysia's Prime Minister, launched the MyDIGITAL initiative earlier this year, a new and comprehensive approach intended to anchor the country's digital economy by 2030. The Malaysian Digital Economy Blueprint (Blueprint) outlines the efforts and actions required to carry out the MyDIGITAL programme. The Blueprint includes steps to strengthen the data protection framework, including a review of the PDPA.
Public consultation on prospective amendments to the Personal Data Protection Act (PDPA) was announced by the Minister of Communications and Multimedia in 2020. According to the Minister, the Communications and Multimedia Ministry had identified shortcomings in the PDPA when compared with the personal data protection legislation of ASEAN member nations, Japan, South Korea, and the European Union's General Data Protection Regulation (GDPR).54
The Commissioner issued Public Consultation Paper No. 01/2020 on the Personal Data Protection Act 2010 (Act 709) in February 2020 (the PDPA Consultation Paper). It addressed several concerns, including the right to data portability, the reporting of data breach incidents, privacy by design, and the processing of personal data in cloud computing. Nothing further has been announced regarding the PDPA Consultation Paper.
In light of the COVID-19 pandemic, the Commissioner issued an advisory on the collection, processing, and retention of personal data by businesses authorised to operate during the conditional movement control order period (the Advisory). Businesses were required to collect visitors' or customers' names and phone numbers in case contact tracing became necessary, so the Advisory gave business operators guidance on maintaining compliance with the PDPA while collecting or processing such information.
To date, the Commissioner's enforcement efforts have focused on simple infractions, such as processing personal data without a certificate of registration. By the end of July 2021, there had been at least five convictions in enforcement cases, the vast majority for the offence of processing personal data without a certificate of registration.55
54 https://www.malaymail.com/news/malaysia/2020/02/12/minister-govt-to-consult-public-on-amendments-to-personal-data-protection-l/1836984
The Commissioner's office has also inspected a number of businesses in the following sectors: utilities, insurance, healthcare, banking, education, direct selling, tourism and hospitality, real estate, and services (retail and wholesale).
Section 101 of the PDPA gives the Commissioner authority to inspect an organisation's personal data systems and make recommendations on how to comply with the law. The organisation is given only brief notice of an upcoming inspection. If an organisation fails to implement the corrective measures identified in a post-inspection review, it may face criminal prosecution under the PDPA. An inspection examines in detail the forms and notices used to collect personal data; the internal standard operating procedures for managing personal data within the organisation; the individual in charge of personal data management within the organisation and his or her knowledge of the law; and, finally, the organisation's compliance with the seven data protection principles enforced by the Commissioner's office.
While Malaysia was under a movement restriction order, increased use of and reliance on technology raised awareness of cybersecurity risks. A total of 4,615 cybersecurity incidents were recorded between January and May 2021; among the most common were fraud, intrusion, and malicious code (malware).56
There is currently no law in Malaysia that specifically addresses cybersecurity offences. Enforcement bodies such as the National Cyber Security Agency must rely on existing laws, such as the Communications and Multimedia Act 1998 (CMA) and the Defamation Act 1957, to tackle cyber threats.57
The PDPA's seven data protection principles set out the general requirements for the lawful processing of personal data (e.g., with consent or in accordance with applicable law), notice (internal privacy notices for employees and external privacy notices for consumers), choice, disclosure, data security, retention, data integrity, and rights of access. An organisation's failure to adhere to these principles is a breach of the law.58
On December 23, 2015, the European Union's Personal Data Protection Standards 2015 (the Standards) came into effect; they are treated as the "minimum" standards that companies must meet when handling the personal data of their customers and employees, and companies that fail to comply face criminal penalties.
In addition, the PDPA establishes a co-regulatory model that emphasises the development of enforceable industry codes of practice for personal data protection against the backdrop of statutory obligations.
55 Section 16(4) of the PDPA.
56 https://www.malaymail.com/news/malaysia/2021/06/02/minister-4615-cybersecurity-incidents-reported-in-malaysia-from-jan-may/1979083
57 See Section IX.i.
58 Section 5(2) of the PDPA.
The Commissioner has approved and registered a number of codes of practice, including the Personal Data Protection Code of Practice for the:
a. utilities sector (electricity);59
b. insurance/takaful industry;60
c. banking and financial sector;61
d. licensees under the Communications and Multimedia Act 1998;62 and
e. Malaysian aviation sector.63
A code of conduct for legal professionals is also anticipated.
Since the Codes establish sector-specific prescriptions, they are likely to set the expected requirements for a given sector, over and above the Standards.
Non-compliance with the codes will also result in legal consequences.64
59 The Personal Data Protection Code of Practice for the Utilities Sector (Electricity) came into effect on 23 June 2016. The Personal Data Protection Code of Practice for the Utilities Sector (Electricity) Version 2.0 came into effect on 21 January 2020.
60 With effect from 23 December 2016.
61 With effect from 19 January 2017.
62 With effect from 23 November 2017.
63 With effect from 21 November 2017.
64 Section 29 of the PDPA.
Most data privacy legislation, including the PDPA, applies whenever personal data is processed. Data kept on blockchains is therefore regulated under the PDPA. Moreover, the PDPA was drafted at a time when blockchain technology was relatively new in Malaysia. Many countries have been slow to incorporate blockchain technology into their data privacy legislation, with the exception of the French government, which applies both the GDPR and its own Network and Information Systems Security (NISD) regulation.65 As a result, various incompatibilities exist between the PDPA and blockchain:
• lack of a central entity;
• anonymity of users;
• territorial limitation; and
• erasure and modification of data.
5.0 Findings
5.1 Gaps between Malaysia and EU legal approach
5.2 What should be adopted
5.3 What can be added/amended
65 V. Aumage and C. Martin Dit Neuville, "France's approach to implementing GDPR and NISD", Taylor Wessing's Global Data Hub, Taylor Wessing, https://globaldatahub.taylorwessing.com/article/frances-approach-toimplementing-gdpr-and-nisd, accessed 16 February 2020.