
Contents

1.0 Introduction
  1.1 Blockchain background
  1.2 Data Protection background
  1.3 Problem Statement
  1.4 Research Objective and Research Question
    1.4.1 Research Objective
    1.4.2 Research Question
  1.5 Research Methodology
  1.6 Research Significance
2.0 Literature Review
  2.1 Blockchain literature
    2.1.1 Technical Terminology
      Cryptography
      Public Key & Private Key
      Node
      Mining and Mining Pools
  2.2 PDPA – 7 Principles
    2.2.1 Key Definitions
      Personal data
      Sensitive Data
      Data Controller
      Data Processor
      Data Subject
      Biometric data
      Health data
      Pseudonymisation
    2.2.2 Scope of application
      Personal scope
      Territorial Scope
      Material Scope
    2.2.3 Principles
      General principle
      Notice and choice principle
      Disclosure principle
      Security principle
      Retention principle
      Data integrity principle
  2.3 GDPR Main principles
    Personal data
    Data processing
    Data subject
    Data controller
    Data processor
3.0 Benchmark Country Legal Position (EU & GDPR)
  3.1 Legal Landscape
  3.2 Blockchain and the GDPR
  3.3 Act/Section that is incompatible with blockchain
    3.3.1 Anonymity, pseudonymity, and privacy law applicability
    3.3.2 Data controller and data processor identification
    3.3.3 CNIL Guidance
    3.3.4 Territorial considerations
    3.3.5 Cross-border data transfers
    3.3.6 Legitimate reasons for processing personal data
    3.3.7 Immutability and individuals’ rights
4.0 Malaysian Blockchain & PDPA
  4.1 Legal Landscape
  4.2 Blockchain and the PDPA
  4.3 Act/Section that is incompatible with blockchain
5.0 Findings
  5.1 Gaps between Malaysia and EU legal approach
  5.2 What should be adopted
  5.3 What can be added/amended
1.0 Introduction
1.1 Blockchain background
A blockchain is a database of distributed, consensus-dependent ledgers that maintains and updates an ordered record of entries appended to a growing ledger.[1] There are two broad types of blockchain: public (permissionless) blockchains and private (permissioned) blockchains. As the names suggest, in a public blockchain the ledger is open for anyone to use and view without restriction. In a private blockchain, by contrast, the ledger is not open to all; only those who have been granted permission can access and use it.[2] This type of blockchain is usually used in banks.[3] A block generally contains four pieces of information: the “hash” of the previous block,[4] a summary of the included transactions, a timestamp, and the proof of work (POW) that went into creating the secure block.[5] Each block therefore holds some data, the hash of the block itself, and the hash of the previous block; the data stored inside a block depends on the type of blockchain. The Bitcoin blockchain, for example, stores the details of a transaction, such as the sender, the receiver, and the number of coins. A block's hash can be compared to a fingerprint: it identifies the block and all of its contents, and it is always unique, just as a fingerprint is. Once a block is created, its hash is calculated. Changing anything inside the block causes the hash to change, so hashes are very useful for detecting changes to blocks: if the fingerprint of a block changes, it is no longer the same block. Another element inside each block is the hash of the previous block, and this effectively creates a chain of blocks. This chain-like technique is what makes a blockchain so secure.[6]

1.2 Data Protection background
Data protection is based on the principle of data sovereignty, which states that everyone has the right to govern their personal information.[7] When an individual (the data subject) freely shares personal information with another individual (the data controller), the data controller is only permitted to use the information for the purpose for which it was shared. Under data privacy and protection regulations, consent is a fundamental principle.[8] Of course, the right to data sovereignty, like any other basic right, is not absolute. Without the consent of the data subject, personal information may be processed and disclosed in exceptional circumstances, such as the public interest[9] or the administration of justice.[10] A transaction that is suspected of involving criminal conduct and is under investigation is one such instance.

[1] Satoshi Nakamoto, “Bitcoin: A Peer-to-peer Electronic Cash System,” White Paper, 2012, available at: https://bitcoin.org/bitcoin.pdf, 1-9.
[2] Bretton Woods 2016: Consumer Protection in the Digital Currency Economy. (2016). Retrieved from Consumers' Research: https://consumersresearch.org/research/papers/bretton-woods-2016-protecting-consumers-in-the-digital-currency-economy/
[3] Ibid.
[4] “A Glossary of Blockchain Jargon,” MIT Technology Review, available at: https://www.technologyreview.com/s/610885/a-glossary-of-blockchain-jargon.
[5] DLA Piper, “Blockchain: Background, Challenges and Legal Issues,” available at: https://www.dlapiper.com/en/uk/insights/publications/2017/06/blockchain-background-challenges-legalissues.
[6] Ibid.
[7] Recital 7 of the GDPR; Michelle Finck, “Blockchains and Data Protection in the European Union,” Max Planck Institute for Innovation & Competition Research Paper No. 18-01, February 7, 2018, 7.
[8] Recital 32 of the GDPR; Section 6(1) of the PDPA.
Malaysia implemented the Personal Data Protection Act 2010 (PDPA) on November 15, 2013.[11] In general, its regulations are modelled after those of the EU. As with its Commonwealth equivalents, Malaysia's Federal Constitution and common law do not expressly recognise a right to privacy.[12] The PDPA thus marked a pivotal moment in the protection of Malaysians' personal data and privacy.
The PDPA applies to anybody who processes, or exercises control over the processing of, any sort of personal data that may be used for commercial purposes. The PDPA applies if the person is established in Malaysia and the data is processed there. It may also apply if personal data is processed in Malaysia using equipment located in Malaysia, even if the person is not established in Malaysia. The PDPA does not apply to the Federal or State Governments. If personal data is processed entirely outside Malaysia, the PDPA does not apply; there is an exception, however, where the data is processed outside Malaysia with the intention of subsequent processing in Malaysia, in which case the PDPA may be relevant.[13] Seven principles form the Personal Data Protection Principles: the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle, and the Access Principle.
1.3 Problem Statement
As data becomes increasingly valuable, attention is being directed to data management systems and architectures. Blockchain technology has been hailed as a potentially transformative tool for accelerating the expansion of data management systems. A blockchain is administered by a distributed network of computers that maintains an immutable set of time-stamped entries. In contrast to conventional centralised designs, a blockchain is decentralised and lacks a single authority. Everything on the blockchain is public. These characteristics position blockchain as an attractive platform for the development of user-centric applications. In a blockchain-based system, user data is not held by a single party and cannot be readily updated.
According to the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), blockchain technology is a game changer on a par with the Internet.[14] MaGIC, for example, has hosted blockchain-related events for companies in an effort to accelerate the adoption of blockchain in Malaysia.[15]
Despite a lack of global recognition for blockchain, Malaysian blockchain developers are making significant progress and expanding in size. The Rohingya Project is an excellent illustration of the credibility of a Malaysian blockchain project.[16] Blockchain technology is being used to create an immutable digital identity for the refugee Rohingya community. Most data privacy legislation, including the PDPA, applies whenever personal data is processed. Consequently, data kept on blockchains is regulated under the PDPA. Moreover, the PDPA was drafted at a time when blockchain technology was relatively new in Malaysia. Many countries have been slow to incorporate blockchain technology into their data privacy legislation, with the exception of the French government, which adheres to both the GDPR and its own Network and Information Systems Security (NISD) regulation.[17] As a result, various incompatibilities exist between the PDPA and blockchain: the lack of a central entity, the anonymity of users, territorial limitation, and the erasure and modification of data.

[9] Section 39(e) of the PDPA
[10] Section 6(2)(2) of the PDPA
[11] Personal Data Protection Act 2010 (passed June 10, 2010, entered into force November 15, 2013) (PDPA).
[12] Maslinda bt Ishak v Mohd Tahir bin Osman [2009] 6 MLJ 826; Lee Ewe Poh v Dr Lim Teik Man [2011] 1 MLJ 835.
[13] Personal Data Protection Act 2010 (Act 709). Malaysia: Parliament of Malaysia, 2010.
[14] Inisiatif Teknologi Blockchain dan Teknologi Lejar Teragih (DLT) di Malaysia 2019. (n.d.). Retrieved 19 October, 2021, from MyGovernment: https://www.malaysia.gov.my/portal/content/30633
[15] Pikri, E. 7 Cool Blockchain Projects Made Right Here In Malaysia. Retrieved 11 July, 2021, from Fintech News Malaysia: https://fintechnews.my/18476/blockchain/blockchain-malaysiaprojects
The tension between privacy and blockchain is not unique to the PDPA; it also exists in other countries' privacy laws. The European Union's General Data Protection Regulation (GDPR) is one such example. Researchers have studied the incompatibility between blockchain and the GDPR.[18] According to the report, incompatibilities exist in terms of anonymity, the applicability of privacy laws, the identification of data controllers and processors, geographical considerations, cross-border transfers, immutability, and individual rights. The EU's GDPR is a textbook example of how data protection standards and blockchain are incompatible.
1.4 Research Objective and Research Question
1.4.1 Research Objective
The main objectives of the study are as follows:
• To investigate the legal landscape of data protection in relation to blockchain technology in Malaysia
• To compare the EU regulatory approach towards data protection in the use of blockchain technology
• To identify a relevant data protection regulatory approach towards blockchain technology in Malaysia
1.4.2 Research Question
The following research questions will be addressed in this study:
• What is the legal landscape of data protection in relation to blockchain technology in Malaysia?
• What is the EU regulatory approach towards data protection in the use of blockchain technology?
• How should data protection be regulated in relation to the use of blockchain technology in Malaysia?

[16] Ibid.
[17] Aumage, V., & Martin Dit Neuville, C. (2018). France's approach to implementing GDPR and NISD. Retrieved 5 July, 2021, from Taylor Wessing's Global Data Hub: https://globaldatahub.taylorwessing.com/article/france
[18] H. Baskaran, S. Yussof, F. A. Rahim and A. A. Bakar, "Blockchain and the Personal Data Protection Act 2010 (PDPA) in Malaysia," 2020 8th International Conference on Information Technology and Multimedia (ICIMU), 2020, pp. 189-193
1.5 Research Methodology
This research uses socio-legal research to analyse the gap in the regulation of blockchain technology in Malaysia with respect to data protection concerns. Socio-legal research focuses on the intersection of law and social science. When determining the appropriate strategy for regulating blockchain technology, it is critical to consider the impact on society, both in terms of the use of the technology and its regulatory element.
A comparative approach is employed to examine the regulatory steps taken by the EU and to identify the best regulatory steps that can be applied in Malaysia. The EU was chosen as the benchmark in this research because it is well on track to set the global benchmark on data protection. The GDPR is becoming the de facto worldwide legal framework because of its influence on what organisations throughout the world are doing to comply with data protection rules.[19] With the EU having a head start in regulating data protection, it serves as a useful baseline for Malaysia, which is still new to implementing such an act. Malaysia implemented the Personal Data Protection Act 2010 (PDPA) on November 15, 2013.[20] In general, its regulations are modelled after those of the EU. As with its Commonwealth equivalents, Malaysia's Federal Constitution and common law do not expressly recognise a right to privacy.[21] Thus, the PDPA marked a pivotal moment in the protection of Malaysians' personal data and privacy.
A doctrinal study is also employed in this research. It is described as the study of legal theories through the reasoned analysis of statutory provisions and cases. The emphasis is on analysing legal concepts, rules, and doctrines. By comparison, non-doctrinal legal research focuses on the relationship of law to society, groups, and individuals; it entails an empirical examination of the operation of law, namely how a doctrine or principle has been applied in real-world contexts. Thus, while doctrinal legal study emphasises research in law that is concerned with the black letter of the law, non-doctrinal legal research is concerned with research about law. Given that the researcher is attempting to ascertain the legal landscape around the application of the PDPA and GDPR to blockchain technology, a doctrinal study is the more appropriate strategy for determining a solution that accommodates both the law and the technology. Apart from that, doctrinal research can truly assist the researcher in identifying the sections of the act that relate to or affect the use of the technology.
The primary and secondary sources will be statutes, international conventions, articles, books, newspaper clippings, websites, and journals.
1.6 Research Significance
This study contributes to the body of knowledge on regulating data protection in blockchain technology in Malaysia, given that there has been relatively little research on the subject. The majority of blockchain research is conducted outside Malaysia and focuses primarily on cryptocurrency regulatory issues rather than data protection. This study will also contribute to raising awareness about blockchain technology while reviewing the most appropriate regulatory strategy for data protection, so that the benefits of this technology can be adopted and realised. The study's objective is to make recommendations on how to preserve personal data while still making use of the possibilities of the technology. Apart from that, using the EU as a reference point and replicating its regulatory actions will ensure that Malaysia does not fall behind in terms of law enforcement and technology adoption.

[19] Benady, D. (31 May, 2018). GDPR: Europe is taking the lead in data protection. Retrieved 18 September, 2021, from Raconteur: https://www.raconteur.net/legal/data-protection/gdpr-europe-lead-data-protection/
[20] Note 21.
[21] Note 22.
I feel that this technology will have a profoundly beneficial effect on society. The ability of technology to assist nations in achieving success in a variety of fields enables us to progress in a globalised world. Additionally, the recommendations derived from this research could significantly assist legislators in keeping up with technological developments while ensuring that blockchain technology is properly governed without inhibiting its advancement.
2.0 Literature Review
2.1 Blockchain literature
Blockchain technology became very popular during the unprecedented 2017 crypto boom worldwide.[22] Fundamentally, this technology is based on long-standing principles and techniques in encryption and distributed transaction processing. Following Bitcoin's 2009 launch, the first “blockchain” network was introduced by software developers to support a cryptocurrency ecosystem.[23] The possibilities of blockchain technology extend far beyond its original purpose of facilitating trustless, peer-to-peer value transfer, as seen in the technology's current use cases across a variety of industries. To name a few: supply chain management,[24] the development of smart contracts,[25] asset registry administration,[26] and general recordkeeping.[27] Despite the various use cases of blockchain, implementations of this technology share several core elements.[28]
The first element is distributed ledger technology (DLT). Over a peer-to-peer network, this software architecture offers a synchronised and shared data structure that numerous users may access and alter. The ledger forms a chain by chronologically linking each newly published block of data to the previous blocks of transactions via a cryptographic hashing technique. A complete copy of the ledger, including all previous transactions, is generally retained by each participant or node.
The second element is the consensus mechanism. In place of a traditional centralised administrator, these algorithms typically require a defined majority of participants to validate the legitimacy of, and agree on, each new ledger transaction request. Proof-of-work, which is mostly used in public blockchains, incentivises participants to compete for the right to verify and settle blocks of transactions by solving computationally intensive puzzles. Proof-of-stake assigns block publishing rights based on participants' known investment in the blockchain. Proof-of-authority, which validates a participant's identity and permission level before authorising block publishing rights, is mostly used in private blockchains with known participants.
The third element is the choice between public and private participation. Public or permissionless blockchains, such as those underpinning the majority of cryptocurrencies, enable participation by anyone in any place, subject to the implementation's consensus processes. Private or permissioned blockchains impose automatic or manual restrictions on who may access and participate in the network and in specific transactions. Numerous corporate or enterprise applications require access controls or other constraints, such as limits on data content or storage locations, which private blockchains can provide. These applications, which frequently use more centralised networks and have fewer participants, benefit from blockchain characteristics but also share a number of traits and hazards with traditional centrally managed databases.

[22] Higgins, S. (29 December, 2017). From $900 to $20,000: Bitcoin's Historic 2017 Price Run Revisited. Retrieved from CoinDesk: https://www.coindesk.com/markets/2017/12/29/from-900-to-20000-bitcoins-historic-2017-price-run-revisited/
[23] Frankenfield, J. (17 October, 2021). What Is Bitcoin? Retrieved from Investopedia: https://www.investopedia.com/terms/b/bitcoin.asp
[24] Saberi, S., Kouhizadeh, M., Sarkis, J., & Shen, L. (2019). Blockchain technology and its relationships to sustainable supply chain management. International Journal of Production Research, 2117-2135.
[25] Zou, W., Lo, D., Kochhar, P. S., Le, X.-B. D., Xia, X., Feng, Y., Chen, Z., & Xu, B. (2019). Smart contract development: Challenges and opportunities. IEEE Transactions on Software Engineering, 1-20. Research Collection School of Computing and Information Systems.
[26] Maayan, G. D. (14 October, 2019). How is Blockchain Changing the Face of Asset Management? Retrieved from DATAVERSITY: https://www.dataversity.net/how-is-blockchain-changing-the-face-of-asset-management/#
[27] Bhatia, S., Douglas, E. K., & Most, M. (2020). "Blockchain and records management: disruptive force or new approach?", Records Management Journal, Vol. 30 No. 3, pp. 277-286.
[28] Bryce, J. (5 January, 2021). Five core elements of blockchain from Harvard/Gartner. Retrieved from Business Chief: https://businesschief.com/digital-strategy/five-core-elements-blockchain-harvardgartner
The fourth element is the immutability of transactions. Distributed ledger technology cryptographically ties each new block to its predecessor, resulting in transaction immutability. Participants must, however, evaluate the strength of that immutability in the context of the specific blockchain's properties, such as its security level and other potential hazards. For example, a “51 percent attack” occurs when a majority of participants are compromised, the consensus mechanism is overwhelmed, and the blockchain's contents are altered for the attackers' own gain. To achieve majority control of a large, resilient network, an attacker would need a significant amount of money and resources.
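The block structure described in section 1.1 and the hash-linking, proof-of-work and immutability elements described above can be seen working together in the following example. It is added here for illustration and is not code from any of the cited sources or from any real blockchain implementation; the block fields, the toy difficulty of three leading hex zeros and the sample transactions are all constructed assumptions. It shows why a changed block is detected by every node that validates the chain, why re-mining only the altered block is not enough, and why rewriting history means redoing the proof-of-work for every later block.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Toy difficulty: the block hash must start with this many hex zeros (constructed value;
# real networks use a far higher target so that mining costs real resources).
DIFFICULTY = 3
GENESIS_PREV_HASH = "0" * 64

# Constructed sample ledger entries: (timestamp, transaction summary). Fixed timestamps
# keep every hash in this example reproducible.
SAMPLE_TRANSACTIONS = [
    (1700000000, {"note": "genesis"}),
    (1700000060, {"sender": "alice", "receiver": "bob", "amount": 5}),
    (1700000120, {"sender": "bob", "receiver": "carol", "amount": 2}),
]


@dataclass
class Block:
    index: int
    timestamp: int
    data: dict          # the transaction summary carried by this block
    prev_hash: str      # fingerprint of the preceding block: this is the chain link
    nonce: int = 0      # proof-of-work counter

    def compute_hash(self) -> str:
        """SHA-256 over every field the block commits to; any change alters the result."""
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp, "data": self.data,
             "prev_hash": self.prev_hash, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


def mine(block: Block, difficulty: int = DIFFICULTY) -> str:
    """Proof-of-work: try nonces until the hash meets the difficulty target."""
    target = "0" * difficulty
    block.nonce = 0
    while not block.compute_hash().startswith(target):
        block.nonce += 1
    return block.compute_hash()


def build_chain(transactions=SAMPLE_TRANSACTIONS, difficulty: int = DIFFICULTY) -> List[Block]:
    """Publish blocks in order, each linked to the hash of the one before it."""
    chain: List[Block] = []
    prev_hash = GENESIS_PREV_HASH
    for index, (timestamp, tx) in enumerate(transactions):
        block = Block(index, timestamp, dict(tx), prev_hash)
        prev_hash = mine(block, difficulty)
        chain.append(block)
    return chain


def validate_chain(chain: List[Block], difficulty: int = DIFFICULTY) -> Optional[int]:
    """What every node checks before relaying a block: the link and the proof-of-work.

    Returns None for a consistent chain, otherwise the index of the first block
    that fails either check.
    """
    target = "0" * difficulty
    expected_prev = GENESIS_PREV_HASH
    for block in chain:
        block_hash = block.compute_hash()
        if block.prev_hash != expected_prev or not block_hash.startswith(target):
            return block.index
        expected_prev = block_hash
    return None


def rewrite_from(chain: List[Block], start: int, difficulty: int = DIFFICULTY) -> None:
    """Re-mine block `start` and every later block so the links are consistent again.

    This is the work that has to be redone to make an altered block look valid,
    which is why the cost of rewriting history grows with the depth of the change.
    """
    for i in range(start, len(chain)):
        if i > 0:
            chain[i].prev_hash = chain[i - 1].compute_hash()
        mine(chain[i], difficulty)


if __name__ == "__main__":
    chain = build_chain()
    print("fresh chain valid:", validate_chain(chain) is None)

    # Alter the amount in block 1: its fingerprint no longer matches its contents.
    chain[1].data["amount"] = 500
    print("after the change, first bad block:", validate_chain(chain))

    # Re-mining only block 1 is not enough: block 2 still points at the old hash.
    mine(chain[1])
    print("after re-mining block 1, first bad block:", validate_chain(chain))

    # Only redoing the proof-of-work for every later block restores consistency.
    rewrite_from(chain, 2)
    print("after re-mining the rest, chain valid:", validate_chain(chain) is None)
```

The validation routine is deliberately the same one an honest node would run: a block whose hash no longer meets the target, or whose `prev_hash` no longer matches its predecessor, is rejected rather than relayed. On a real network the altered copy would also have to outpace every honest node still extending the original chain, which is the resource cost the text attaches to a majority attack.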
2.1.1 Technical Terminology
The International Organization for Standardization (ISO) established a dedicated Technical Committee on Blockchain and Distributed Ledger Technologies (ISO/TC 307) in 2017.[29] This committee aims to take blockchain technologies to the next level, in the sense of revolutionising financial transactions and ensuring efficiencies in the health sector, the government sector, and all other areas of business that can utilise blockchain technology.[30] This part will attempt to define some of the important terminology used in blockchain technology.
Cryptography
‘Crypto’ is derived from the Greek word ‘kruptus’, which means hidden. In short, ‘cryptography’ can be defined as a way or technique of hiding information from others. This is done by encrypting the information, and the only way to retrieve it is by decrypting it. The example of cryptography in everyday life given here is the product bar code. This code exhibits none of the information stored, and in order to retrieve the information we need to decrypt the code beforehand; only then is the code readable and useful.

Public Key & Private Key
By analogy, a public key is like our email address, while a private key is like our password. Our email address can be shared publicly, just like a public key, whereas our password, or private key, should be kept secure and never disclosed to the public.
Node
A node is usually defined as someone who is connected to the network with a computer to verify the transactions they receive; they then relay them to other nodes in a continuous process. If a node does not follow the consensus rules, other nodes will refuse to relay its block, and that block will be deemed useless and treated as if it never existed.[31]

[29] ISO/TC 307, Blockchain and Distributed Ledger Technologies, available at: https://www.iso.org/committee/6266604.html
[30] Ibid.

Mining and Mining Pools
Mining is defined as the way of validating and compiling recent transactions in the blockchain realm. Mining involves attempting to solve a computationally difficult puzzle. Miners serve as the ‘workers’ of the blockchain. Without miners, the blockchain network would not be able to work properly and the chain might lose its value. Miners authorise transactions, which in turn makes them immutable and prevents any tampering with the information in the blockchain network. Mining, in other words, is transaction processing, and a mining pool is a group of miners mining blocks together. Miners are rewarded based on the effort they contribute to developing the blockchain they are working on.

2.2 PDPA – 7 Principles
The Personal Data Protection Act (PDPA) applies to any person who processes, or has responsibility over the processing of, any personal data in the course of a commercial transaction, regardless of whether the data is collected voluntarily.
Under the PDPA, the word "processing" is defined broadly to cover operations generally carried out on personal data, such as the collection, recording, and storage of personal data, as well as the carrying out of various operations on the data, such as organising, adapting, amending, retrieving, using, disclosing, and distributing it, among other things. With regard to social media companies that have established a presence in Malaysia (for example, by opening a branch office), the common view is that they will be treated as data users under the PDPA and will be subject to the PDPA for any data that they handle in Malaysia (such as the personal data of their employees). Under the PDPA, data that is processed exclusively outside Malaysia may not be subject to the Act's jurisdiction.
There appears to be some uncertainty about the application of the PDPA to the data of users of social media platforms if the interpretation taken is that this data is not processed by the branch office in Malaysia, or that no equipment in Malaysia is used to process the data other than for the purpose of transit through Malaysia.[32] Considerable uncertainty also exists as to whether a nominal user of social media (for recreational and social purposes) would be entitled to the protections of the Personal Data Protection Act, since the Act applies only to personal data collected in the course of a commercial transaction.
In most cases, a data user is subject to the requirements established by the Personal Data
Protection Act (PDPA). The Personal Data Protection Act (PDPA) does not apply to a data
processor that is solely responsible for processing personal data on behalf of a data user; such
a processor is therefore not directly subject to the Act's provisions.

31 Bitcoin Forum, "Differences between Miners and Nodes," available at:
https://bitcointalk.org/index.php?topic=1734235.0.
32 Section 2(2) of the PDPA
2.2.1 Key Definitions
Personal data
Under the PDPA, data must meet three criteria in order to be classified as
'personal data', namely:33
a. the data must contain information related to commercial transactions;34
b. the information must be processed wholly or partly by means of equipment that
operates automatically in response to instructions given for that purpose, or
recorded with the intention that it should be wholly or partly processed by
such equipment, or recorded as part of a relevant filing system or with the
intention that it should form part of a relevant filing system; and
c. the information must relate to a data subject who is identified or
identifiable, directly or indirectly, from that information or from other
information in the possession of the data user.35
For the PDPA's first condition, commercial transactions are defined as transactions of
a commercial nature, including any matter relating to the supply or exchange of goods or
services, agency, investments, financing, banking, or insurance.
According to the current state of the law, it is unclear whether an employment
relationship is deemed a commercial transaction and whether employment-related
information would fall under the purview of the PDPA. The definition of 'personal data'
appears to be sufficiently broad to encompass the common categories of personal
information acquired in day-to-day transactions, such as name, address, telephone
number, email address, banking information, and pictures, as well as other sorts of
information.
Sensitive Data
Under the PDPA, sensitive personal data is defined as any personal data about a data
subject consisting of information such as:
a. the physical or mental health or condition of the individual;
b. his or her political opinions;
c. religious beliefs, or other beliefs of a similar nature, held by the individual;
d. whether he or she has committed, or been accused of committing, any
offence; or
e. any other personal data that may be determined by the minister
responsible for personal data protection (currently the Minister of
Communications and Multimedia).18

33 Section 4 of the PDPA
34 Section 4 of the PDPA
35 See also Section 45(2)(c) of the PDPA
The processing of sensitive personal data is only permitted with the explicit agreement
of the data subject and only in the limited circumstances laid out in the PDPA. 36
Data Controller
Data user refers to a person who processes personal data, either alone or in
conjunction with other people, or who has control over or authorises the processing
of personal data, but it does not include a data processor or any other person who
processes personal data on their behalf.37 The PDPA treats data users in the same way
that EU data controllers do under the General Data Protection Regulation.
Data Processor
As used herein, "data processor" refers to any individual, other than an employee of
the data user, who processes personal data only on the data user's behalf and does
not use the personal data for his or her own benefit.38 Data processors include
companies such as cloud computing service providers that give services to third-party
customers.
Data Subject
The PDPA defines a 'data subject' as an individual who is the subject of personal data
collected by a data controller.
Biometric data
Currently, there are no clear requirements or guidance in the PDPA regarding
'biometric data'. Because such data contains information about the 'physical
condition' of the data subject, it may be considered sensitive personal data.
Health data
While the term "health data" is not clearly defined in the PDPA, such data would be
considered "sensitive personal data" since it contains information about a data
subject's "physical or mental health or condition," which would fall within the
definition of "sensitive personal data."
Pseudonymisation
At the time of writing, there are no clear requirements or advice in the PDPA on the
subject of 'pseudonymisation'.

36 Section 40(1) of the PDPA.
37 Section 4 of the PDPA.
38 Section 4 of the PDPA.
2.2.2 Scope of application
Personal scope
The PDPA applies to anybody who processes or has control over the processing of
personal data (referred to as the 'data user'). It is worth noting that the PDPA's
broad definition of processing encompasses a wide variety of operations, including
using, disclosing, collecting, recording, and/or storing personal data.
Under the PDPA, only individuals can be data subjects. The PDPA also
has provisions addressing data processors. A data processor who processes
personal data only on behalf of a data user may not be directly bound by the PDPA's
rules; rather, it is the data user's responsibility to ensure that the data processor
complies with the PDPA's applicable requirements.
Territorial Scope
The PDPA does not apply to personal data processed outside Malaysia unless the data
is intended to be further processed in Malaysia; nor does it apply to a data user
who is not established in Malaysia unless that person uses equipment in Malaysia
to process personal data for purposes other than transit through Malaysia. The PDPA
also does not apply to the Government of Malaysia (the "Government") or to state
governments, and it exempts information processed by a credit reporting agency under
the Credit Reporting Agencies Act 2010 from its provisions.
Material Scope
According to the PDPA, processing in relation to personal data includes the following
operations or sets of operations on personal data:

• the organisation of personal data;
• the adaptation or alteration of personal data;
• the retrieval, consultation, or use of personal data;
• the erasure of personal data if it is no longer needed;
• the disclosure of personal data through transmission, transfer, distribution, or any
other means of making it available; and
• the arranging, combining, correcting, erasing, or destroying of personally
identifiable information.
Exemptions from the PDPA apply to personal data that is processed solely for the
interests of an individual's personal, family, or home affairs, including recreational
activities, and for no other purpose.
However, the following are exempt from some, but not all, of the PDPA's data
protection standards in specific circumstances:

• processing for the purpose of preventing or detecting crime, investigating,
apprehending, or prosecuting offenders, or assessing or collecting taxes, duties,
or other equivalent impositions;
• in relation to information about a data subject's physical or mental health, the
application of the PDPA's provisions to the data subject would probably result in
substantial injury to the data subject's or any other individual's physical or mental
health;
• exclusively for the purpose of compiling statistics or conducting research,
provided that the research findings do not identify the data subject;
• in order to comply with any court order or decision;
• for the purpose of carrying out regulatory functions, unless their implementation
would jeopardise the proper performance of those regulatory functions; and
• in support of journalistic, literary, or creative endeavours.
2.2.3 Principles
A data user is obligated to adhere to the seven personal data protection principles, which
are outlined below.
General principle
The General Principle establishes a number of parameters for the handling of personal
information. It states that personal data will not be processed unless and until the
following conditions are met:

• it is done for a legitimate purpose that is directly related to the conduct of the
data user; and
• it is required for, or closely linked to, that purpose; and it is reasonable.
• the information is sufficient and not disproportionate for the purpose for
which it is being used.
Consent must be documented and maintained appropriately by data users, as
stipulated in the 2013 Regulations. Consent must be obtained expressly or via opt-in
techniques, as implicit consent or the use of an opt-out method cannot be
documented. Additionally, it is worth noting that the 2013 Regulations state that the
data user bears the burden of establishing consent. Additionally, the 2013 Regulations
indicate that where consent is required, the demand for consent shall be conveyed in
a manner that distinguishes it from other subjects. Consent must be obtained from
the data subject's parent, guardian, or other person who has parental responsibility
for the data subject if the data subject is under the age of 18.
Notice and choice principle
This principle requires a data user to notify a data subject of certain items relevant to
the data subject's information that is being processed by or on behalf of that data user.
The PDPA requires a data user to notify a data subject in writing, in both the national
language, Malay, and English, of the following:

• that the data subject's personal data is being processed, as well as a description
of the data;
• the reasons for which personal data is being gathered and processed;
• whatever information available to the data user about the source of that
personal data;
• the right of the data subject to request access to and correction of personal
data;
• the data user's contact information in the event of any enquiries or complaints;
• the class of third parties to whom the data has been or may be disclosed;
• the options and means provided to a data subject to limit data processing; and
• whether it is mandatory or voluntary for the data subject to provide data, and,
if mandatory, the implications of failing to do so.
This notice must be given by the data user "as soon as practicable," which means when
the data user first requests personal data from a data subject, when he or she collects
personal data from the data subject for the first time, or before the data user uses the
data for a purpose other than that for which it was collected or before the data user
discloses the data to a third party, whichever is earlier. In addition, the data subject
must be provided with a clear and easily accessible method of exercising his or her
choice, if and when this is required, in both Malay and English.
Disclosure principle
This principle prohibits a data user from disclosing the personal data of a data subject:

• for any purpose other than the purpose disclosed at the time of collection, or a
purpose directly related to it; and
• to any party other than the class of third parties that was disclosed to
the data subject.
However, the disclosure of personal data is permissible in the following
circumstances:

• the data subject has given his or her express consent;
• the disclosure is necessary in order to prevent or detect crime, or for the
purpose of conducting investigations;
• the disclosure is required or authorised by law or by court order;
• the data user acted in the reasonable belief that he or she had a legal right to
disclose the information;
• the data user acted in the reasonable belief that the data subject would have
consented to the disclosure had the data subject been aware of the disclosure and
its circumstances; or
• the disclosure was justified as being in the public interest in circumstances
determined by the Minister.
The 2013 Regulations require that a record of third-party disclosures must also be
maintained by the data user, and that the Commissioner or inspecting officer may
request a copy of this list during an inspection.
Security principle
This principle requires a data user to take certain steps to protect personal data from
being lost, misused, modified, unauthorised or accidental access or disclosure,
alteration, or destruction while it is being used or stored. If the data processing is done
by a data processor on behalf of a data user, the data user must make sure that the
data processor gives enough assurances about the technical and organisational
security measures that will be used in the processing and takes reasonable steps to
make sure that those measures will be used.
Under the PDPA, the following must be taken into account:

• the nature of the personal data and the harm that would result if the data were
lost, misused, modified, accessed or disclosed without authorisation or
accidentally, altered, or destroyed;
• the place where the personal data is kept;
• any security measures built into the equipment in which the personal data
is stored;
• the measures taken to ensure that people who have access to the personal data are
trustworthy, honest and competent; and
• the measures taken to ensure that the personal data is kept safe when it is
transferred.
As per the 2013 Regulations, the data user must develop a security policy. The
following is an overview of the security standards mandated by the 2015 Standards:

• to ensure that persons responsible for the management of personal data are
registered through a registration system prior to being provided access to
personal data;
• Personal data must be protected at all times by all employees involved in the
handling of personal data;
• to impose access controls and restrictions;
• security measures such as entry and exit checks, storing personal data in
locations protected from physical and natural hazards and not exposed to the
public; installing CCTV around data storage areas, if necessary; and providing
facilities with 24-hour security, as needed;
• to establish backup and recovery procedures. Users of data should ensure that
the most up-to-date antivirus software is installed and that scheduled malware
monitoring and scanning of operating systems is in place to prevent assaults
on electronically stored data;
• the transfer of personal data through removable media device or cloud
computing service is prohibited unless approved in writing by the data user's
organization's senior management;
• to keep track of any personal data transfers made via removable media devices
or cloud computing services;
• the transfer of personal data via cloud computing services must adhere to
Malaysian and other countries' personal data protection principles;
• must keep proper records of access to personal data, and those records must
be given to the Commissioner if required to do so; and
• to enter into contracts with data processors, or individuals who process
personal data on the data user's behalf, for the purpose of data processing.
In the case of non-electronically processed personal data, a data user must:

• establish physical security procedures, such as keeping all personal data in a
file, locking all files holding personal data, keeping all essential keys in a
safe place, preserving a record of key storage, and keeping sensitive data in a
secure area;
• document the transmission of personal data via traditional methods such as post,
hand delivery, fax, or otherwise;
• ensure that all used paper, printed papers, or other documents
containing clearly identifiable personal data are properly disposed of; and
• if necessary, conduct awareness programmes on the obligation to protect
personal data for all relevant personnel.
Retention principle
This principle states that personal data should not be held longer than is necessary to
accomplish the purpose for which it was collected, and that the data user must erase
or permanently discard all personal data that is no longer necessary for the purpose
for which it was collected. However, under specific circumstances, such as certain tax
rules, minimum data retention periods may be prescribed. It appears unlikely
that retaining data in accordance with the retention periods of other laws would be
regarded as a violation of the Retention Principle, though this has not been verified.
The following is a summary of the 2015 Standards' retention requirements:

• to guarantee that all applicable laws governing the processing and storage of
personal data are adhered to prior to disposing of any personal data;
• not to preserve personal data for longer than necessary, unless other
regulatory obligations justify a longer retention time;
• to create and maintain records of the disposition of personal data, which shall
be supplied to the Commissioner upon request;
• to destroy all forms collecting personal data used in commercial transactions
within 14 days, unless the form possesses legislative value in connection with
the commercial transaction;
• to conduct a review of the database and delete any personal data that is no
longer required;
• must maintain a schedule for disposing of inactive personal data for a period
of 24 months; and
• the use of removable media devices for the storing of personal data is not
permitted without the express authorization of the data user's organization's
higher management.
Data integrity principle
Data users must take reasonable steps to make sure that personal data is accurate,
complete, not misleading, and up to date, taking into account the purpose for which
the data was collected and how it was used.
The following is a quick rundown of the 2015 Standards' data integrity requirements:

• to develop a form for updating personal data that is accessible online or in hard
copy;
• to promptly update personal data upon receipt of a data subject's request for
data correction;
• to ensure compliance with all applicable laws by identifying the types of data
or documents required to substantiate the legitimacy of the data subject's
personal data; and
• to inform data subjects about data updates via a portal or by posting a
notification on the data subject's premises, or through other acceptable
channels.

2.3 GDPR Main principles


As far as privacy and security go, the GDPR is the strictest regulation in existence. While it was
designed and adopted by the European Union (EU), it imposes requirements on organisations
worldwide that target or collect data about EU residents.
The regulation came into force on May 25, 2018. The GDPR imposes severe
penalties on those who breach its privacy and security requirements, with fines of up to
tens of millions of euros.
Data privacy and security are becoming increasingly important in the digital age, and the
GDPR is Europe's way of expressing its commitment to these issues. Due to the size and scope
of the rule, as well as the lack of specificity, GDPR compliance can be a scary proposition.
A provision of the 1950 European Convention on Human Rights declares that "everyone has
the right to respect for his or her private and family life, or for his or her home and
correspondence," and that "everyone has the right to freedom of expression." The European
Union has attempted to assure the protection of this right by law on the basis of this
understanding.
As technology evolved and the Internet was created, the European Union realised the need
for more sophisticated safeguards against cybercrime. Consequently, the European Data
Protection Directive, which established basic data privacy and security requirements and on
which each member state developed its own implementing legislation, was adopted in 1995
by the EU. However, the Internet was already transforming into the information
superhighway that it is today. The first banner advertisement emerged on the internet in
1994. In 2000, online banking was available from the vast majority of financial institutions.
Facebook was first made available to the general public in 2006. A Google user filed a lawsuit
against the corporation in 2011 after the firm scanned her emails. Following that, the
European Union's data protection authority said that the EU needed "a comprehensive
approach to personal data protection," and work on updating the 1995 directive began two
months after that.
The General Data Protection Regulation (GDPR) specifies a large number of legal words in
detail. Here are a few of the most essential ones that we use as a reference:
Personal data
Personal data is any information that can be used to identify or contact a specific
individual, whether directly or indirectly. Names and email addresses are obvious
examples of personally identifiable information. Personal data can include geographic
information, race, gender, biometric data, religious beliefs, web cookies, and political
attitudes, among other things. Pseudonymous data can also be included in the
definition if it is relatively easy to identify the source of the data.
Data processing
Data processing can be defined as any action taken on data, whether automated or
manual in nature. The examples given in the text cover gathering, recording,
organising, structuring, storing, using, and erasing... in other words, they encompass
pretty much everything.
Data subject
The individual whose data is being processed is referred to as the data subject. It's
these people who are your consumers or website visitors.
Data controller
The person who determines why and how personal data will be processed is known as
the data controller. This applies to you if you are a business owner or an employee in
your organisation who deals with data.
Data processor
A data processor is a third party that processes personal data on behalf of a data
controller. Individuals and organisations in this category are subject to specific
obligations under the GDPR. Cloud storage services such as Tresorit and email service
providers such as ProtonMail are examples of data processors.

3.0 Benchmark Country Legal Position (EU & GDPR)


3.1 Legal Landscape
We are living in a time of fast technological advancement. Despite the fact that this presents
humanity with incredible chances to improve our level of life, it also pushes lawmakers to
work around the clock in order to analyse and incorporate the technology's consequences
into legislation. A similar situation exists in this study, which is concerned with the conflict
between the recently enacted European Union General Data Protection Regulation (GDPR)
and the rapid emergence of blockchain and other distributed ledger technologies (DLTs). The
General Data Protection Regulation (GDPR) was drafted in the context of a future in which
personal data is controlled by centralised and identifiable actors. Blockchain operates in a
very different way. It is the goal of this technology to decentralise the processing of personal
data, hence removing control over personal data from the hands of centralised bodies.
It is not only because of the decentralised nature of blockchain technology that legal and
compliance issues arise. Transactions, code (e.g., smart contracts), and blocks in general on a
blockchain have the potential to be nearly unalterable, which may have implications for data
subjects' privacy rights.
In May 2018, the General Data Protection Regulation (GDPR) of the European Union became
legally binding. It builds on the European Union's 1995 Data Protection Directive.
The GDPR's primary goal is to protect individuals' personal data. First, it allows
the free flow of personal data between the EU's various member states. Second, it sets a
framework for the protection of fundamental rights, which is based on Article 8 of the Charter
of Fundamental Rights, which states that "everyone has the right to data protection." There
are a number of requirements imposed by the legal framework on data controllers, which are
the entities in charge of deciding the means and purposes of data collection and processing.
A number of rights are also granted to data subjects – the natural individuals to whom
personal data relates – which can be enforced against data controllers under certain
circumstances.

3.2 Blockchain and the GDPR


A basic right in the European Union is the right to data protection, which is recognised as such
by the European Commission. According to Article 8 of the Charter of Fundamental Rights,
everyone has the right to have personal data about him or herself protected from disclosure
to third parties.39 As a consequence, personal data 'must be processed fairly for specified
purposes and on the basis of the consent of the person concerned or some other legitimate
basis laid down by law' under Article 8(2) of the Charter. In addition, the Charter stipulates
that everyone has the right to access personal data that pertains to them, as well as the right
to have such data rectified if necessary.40 A further provision of Article 16 TFEU stipulates
that the Parliament and the Council are required to adopt rules pertaining to the protection
of individuals in relation to the processing of personal data by Union institutions and
organisations, offices and agencies, as well as by the Member States when carrying out
activities that fall within the scope of Union law.41

39 Article 8(1) of the Charter of Fundamental Rights; Article 16(1) TFEU.
40 Article 8(2) of the Charter of Fundamental Rights.
41 Article 16(2) TFEU.
Following in the footsteps of the 1995 European Union Data Protection Directive, the General
Data Protection Regulation (GDPR) establishes a precise legislative framework that
harmonises data protection across all of the European Union's member states.42 It seeks to
achieve two goals at the same time. On the one hand, it strives to enhance fundamental rights
by ensuring that natural persons have a high level of protection under the law. On the other
hand, it seeks to achieve an economic goal by removing the barriers that prevent personal
data from being transferred between different member states in order to strengthen the
Digital Single Market.43 The GDPR further highlights that, while data protection is recognised
as a fundamental right, it is not an absolute right and must instead be examined in the context
of its purpose in society, as well as in the context of other fundamental rights in accordance
with the concept of proportionality.44

3.3 Incompatibility with blockchain


Recent data privacy legislation and frameworks do not appear to have focused on blockchain
technology and its unique features. Features of blockchain technology that address privacy
concerns include encryption and data integrity verification. However, blockchain technology's
distributed peer-to-peer architecture often conflicts with the GDPR's centralised,
controller-based concept of data processing. The absence of centralised control, the
immutability of records, and the indefinite storage of data on a blockchain make it difficult
to reconcile with current data protection rules.
There is currently limited regulatory guidance on resolving such conflicts.
Several significant issues exist between blockchain technology and data privacy standards
that should be considered:

• Diverse opinions on anonymity and pseudonymity and their implications for
the application of various data protection and privacy legislation
• How to determine who is the data controller and who is the data processor in
various blockchain technology implementations
• Consequences for distributed blockchain networks on a territorial scale
• When and how cross-border data transfers take place, as well as any limits on
them
• Using blockchain use cases to apply criteria for lawful reasons for processing
personal data
• Balancing the immutability of transactions and data preservation
requirements of blockchain applications with the rights of individuals

42 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data; Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC.
43 Article 1(1) GDPR and Recital 10 GDPR.
44 Recital 4 GDPR.
3.3.1 Anonymity, pseudonymity, and privacy law applicability
According to most privacy regulations, such as the GDPR, personal data processing is the
primary factor that determines their applicability. Personal data regulations apply to
blockchain systems that explicitly record personal data on the blockchain. There are some
blockchains that do record, process, or use personal data to manage transactions, but there
are others that do not.
Some proponents of the blockchain believe that the use of public-private key encryption
ensures users' privacy and anonymity. This is a skewed interpretation of what constitutes
personal information under GDPR because of the following reasons.

• Blockchain transactions and other publicly available data can be used to link
persons to their public keys. Individuals can be identified through the use of public
keys, blockchain transactions, and other publicly available data by some firms.
• There is a wide definition of "personal data" in the GDPR (see The EU's GDPR).
When objective considerations like prices and time, as well as current and
predicted technologies, are taken into account, the identification barrier is low,
identifying any method that is "reasonably likely to be implemented".45
From a privacy perspective, tokenised personal information is better regarded as
pseudonymised rather than anonymised data, because:

• each token is associated with a specific person; and
• there are situations in which reidentification is feasible.
Blockchain advocates also say their systems are anonymous because the transaction
data they record:

• references a public blockchain address rather than the underlying owner's identity or
any other personally identifying information; and
• often does not expose public blockchain addresses in unencrypted form.
This usage contrasts with data privacy rules, which require that personal information be
anonymized or deidentified if it cannot reasonably be linked to an identifiable individual.
Pseudonymization strategies mitigate risk but do not eliminate regulatory requirements.
Concerns over reidentification have prompted certain blockchains, notably privacy-oriented
cryptocurrencies, to attempt to mitigate the danger of identifying individual participants by:

• using a variety of mitigation measures to safeguard transactional and other
data; and
• introducing novel cryptographic techniques.

45 Recital 26, GDPR
3.3.2 Data controller and data processor identification
In terms of data privacy laws and frameworks, the GDPR makes a very clear distinction
between:

• controllers and their processors; and
• individuals who provide personal information.
In a distributed peer-to-peer network, it can be hard to determine who decides what the
data is used for and how it is used.
Private blockchains are easier to deal with than public blockchains in this case. Here, a central
operator or a group of people are likely to be a controller or joint controllers if they:

• Control the blockchain system in the same way that a traditional system
architecture would.
• Decide what personal data will be used for and how it will be used.
Other people who help run the blockchain for the central operator, like nodes or miners, can
take on the role of processor. The private blockchain operator or consortium must make sure
that these service providers are held accountable and that regulations are met by putting in
place appropriate data processing agreements or other contracts. Conversely, private
blockchains where the central operator does all of the technical support work may not have
data processors or service providers by default.
Public blockchains usually don't have a single person in charge, which makes it hard to assign
traditional accountability for controllers and processors. As an example:

• During the block verification process, each public blockchain node processes
the identical transaction data independently. As a result, each blockchain node
could be classified as a joint controller under the GDPR, however authorities and
commentators alike are hesitant to draw this conclusion for all nodes.46
• On the other hand, if no entity clearly controls the data, participants might
continue to argue that there is no controller and, therefore, no processors.
However, this argument may not be compatible with the GDPR, which says that
personal data processing must be done with a "clear allocation of tasks".47
With the exception of the French data protection authority (Commission Nationale de
l'informatique et des Libertés (CNIL)), data protection authorities and other regulators have
been sluggish to handle blockchain technology.
3.3.3 CNIL Guidance
The CNIL has given some very cautious advice about how the GDPR might apply to some
blockchain technology use cases. The CNIL Guidance focuses on a lot of different people who
work with the blockchain, like:

• Participants with full writing privileges who can enter transactions on the
blockchain and transmit data to miners for validation.
• Accessors that can keep full copies of a blockchain but can only read them.
• Miners who check transactions and make new blocks in accordance with the
implementation's governance model.

46 Articles 4(7) and 26, GDPR
47 Recital 79, GDPR
Participants who make these kinds of decisions are in charge of the personal data they put
on a blockchain, because they decide what to do with it and how. These decisions are usually
not made by people who merely access or mine, so they are not in charge. The CNIL
guidance also says that people who put their own personal data on a blockchain for personal
reasons aren't controllers under the GDPR's "household exception".48
Where third parties become processors by acting for someone else, they should sign data
processing agreements.
Regarding miners, the CNIL directive states:

• Where miners only validate transactions and are not involved in the transactions'
objects, like miners who just build new blocks in accordance with the technical
protocol, they are not controllers, says the CNIL.
• According to the CNIL, miners may be data processors in some cases, like when
insurance companies use their own private blockchain to mine transactions for
customers on their own behalf.
The CNIL Guidance isn't clear about this, but it may mean that in some cases, miners may not
be both a data controller and a data processor.
3.3.4 Territorial considerations
Data privacy laws may be based on one or both of the following:

• The location of the person.
• The place where personal data is processed.

The GDPR applies:

• to personal data processing by industries in the European Union (EU) or the European
Economic Area (EEA); and
• regardless of where the personal data is stored, if the personal data is used to offer
goods or services to people in the EU or to keep track of people's online behaviour in the
EU.49

Traditional centralised systems, on the other hand, are far easier to evaluate and apply restrictions to
than decentralised blockchain systems. More conservative blockchain projects that deal with sensitive
data may try to limit members by jurisdiction, although it is impossible to reliably verify online
locations. Private blockchains are more likely than public blockchains to impose constraints on their
governance structures and agreements in order to limit their regulatory scope. Using public
blockchains to store and process personal data may be considered a great practice, but:

• Keeping track of a lot of different rules can cost a lot of money.
• When encryption is done with a common public-private key pair, many countries may
be able to apply their own rules to it in their own ways.

48 Article 2, GDPR
49 The EU’s GDPR and Draft E-Privacy Regulation.

3.3.5 Cross-border data transfers

There are a lot of different jurisdictions that use blockchain technology, which makes it difficult to
figure out which laws apply in each one. It also causes problems for those who try to restrict cross-border
data transfers. In particular, the GDPR:

• Allows personal data to be sent to countries outside of the European Union only in
certain cases.
• Requires the recipient country to implement specific measures to provide an equivalent
or appropriate degree of protection.

Unless the European Commission makes an adequacy decision for the recipient location, there are
extra safeguards that the controllers must put in place. Standard contractual terms, binding company
policies, codes of conduct, and certification processes are all examples of safeguards that can be
implemented.

These safety measures:

• Usually require a central compliance programme to be set up.
• Are especially hard to apply in public blockchains because they don't have
a clear group of participants.

Other countries may want to limit the amount of data that can be sent across borders, and they may
want to use the same safeguards.

3.3.6 Legitimate reasons for processing personal data

Many countries have rules governing the handling of personal data that place restrictions on
what can and cannot be done with it. As an example, in order to comply with the GDPR, data
controllers must only process personal data with the consent of the data subject or for as long
as it is required for:

• entering into or carrying out a contract;
• adhering to the controller's legal responsibilities;
• safeguarding the essential interests of the data subject or another natural person;
• the interest of the public or the government; or
• pursuing the legitimate interests of the controller or a third party, unless the
interests or basic rights and freedoms of the data subject outweigh them.50

It is not yet clear whether these options cover "perpetual distributed blockchain storage".
Participants in the blockchain can ask for permission from their users or data subjects, as
needed. However, consent isn't always the best choice for controllers under the GDPR
because it must be:

• specific;
• well-informed; and
• clear.51

50 Article 6, GDPR.
Even if consent procedures comply with GDPR or other applicable standards:

• Data subjects can withdraw consent at any time without giving a reason.
• The personal data may be stored in such a way that it cannot be removed,
rendering subsequent processing illegal.

When deciding what data to retain and how to record it in blockchain applications,
organisations need to take into account eventualities like consent revocation.
3.3.7 Immutability and individuals’ rights
Individuals are progressively granted rights under data privacy laws, with the goal of:

• Regaining personal data control for individuals.
• Providing individuals with the option of choosing to secure their personal data
from commercialization and misuse without their consent or other legitimate
grounds.

It is the right to change data and to be forgotten, also known as "the right to be forgotten",
that is at odds with blockchain technology's transaction immutability features. Blockchains, in
particular implementations that enable ownership, supply chain, and other recordkeeping
tools, such as smart contracts, are likely to be able to address data modifications by recording
further transactions. These further transactions, on the other hand, do not erase any data
that was already on the blockchain. The same technique can be used to update multiple
process steps and status values.
Blockchain technology may conflict with the right to be forgotten depending on how strictly
governments define "erasure". Strict technical erasure of blockchain data, in a current
standard blockchain architecture, needs to include both of the following:

• A reverse deconstruction of the blockchain up to the target record.
• A reconstruction of the blockchain from the point where the data was deleted
to the point where the data was added again.

This type of operation:

• Conflicts with the fundamental design principles of a blockchain technology.
• Requires a large amount of processing power from participants.
• Requires consent from the necessary number of participants or in
accordance with other regulations outlined in the blockchain's governance model.
• Therefore, it would only be possible as an extreme exception in operation, akin
in effort to a "hard fork" in public blockchain communities, in which a group votes
to separate the code of a particular blockchain and operate a modified, parallel
implementation.

51 GDPR Article 4(11)

These very strict technical steps:

• Are very hard to put into practice every time people try to use their rights.
• May be smoother in private blockchain governance models where there is a
single person in charge.
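To make the "reverse deconstruction and reconstruction" point concrete, the following is an added illustration (not the thesis's own material and not any real blockchain implementation) using a toy SHA-256 hash chain over constructed sample records: overwriting a record in place breaks the chain from that block onward, so a strict erasure has to replace the record and then rehash every later block. Block layout, field names and the redaction marker are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64          # placeholder previous hash for the first block
REDACTED = {"redacted": True}    # what an erased record is replaced with (assumed marker)

@dataclass
class Block:
    index: int
    prev_hash: str
    data: dict          # constructed sample record standing in for a transaction payload
    block_hash: str

def compute_hash(index: int, prev_hash: str, data: dict) -> str:
    """Hash the block contents together with the previous block's hash (the chain link)."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append_block(chain: list, data: dict) -> list:
    """Append a new block whose hash commits to every block before it."""
    prev_hash = chain[-1].block_hash if chain else GENESIS_PREV
    index = len(chain)
    chain.append(Block(index, prev_hash, data, compute_hash(index, prev_hash, data)))
    return chain

def first_invalid_block(chain: list) -> int:
    """Index of the first block whose link or stored hash no longer checks out, or -1."""
    prev_hash = GENESIS_PREV
    for block in chain:
        expected = compute_hash(block.index, block.prev_hash, block.data)
        if block.prev_hash != prev_hash or block.block_hash != expected:
            return block.index
        prev_hash = block.block_hash
    return -1

def erase_in_place(chain: list, index: int) -> list:
    """Naive erasure: overwrite the record but leave the stored hashes untouched."""
    chain[index].data = dict(REDACTED)
    return chain

def erase_and_rebuild(chain: list, index: int) -> list:
    """Strict erasure as the section describes: unwind back to the target record,
    replace it, then recompute every later block so the links hold again."""
    rebuilt = list(chain[:index])              # blocks before the target are unaffected
    append_block(rebuilt, dict(REDACTED))      # the target is re-added in redacted form
    for old in chain[index + 1:]:              # everything after it must be rehashed
        append_block(rebuilt, old.data)
    return rebuilt

def changed_hashes(before: list, after: list) -> list:
    """Indices whose block hash differs between two chains of the same length."""
    return [a.index for a, b in zip(before, after) if a.block_hash != b.block_hash]

def build_sample_chain() -> list:
    """Three constructed sample records; no real personal data."""
    chain = []
    for record in ({"subject": "alice", "email": "alice@example.com"},
                   {"subject": "bob", "email": "bob@example.com"},
                   {"subject": "carol", "email": "carol@example.com"}):
        append_block(chain, record)
    return chain

if __name__ == "__main__":
    original = build_sample_chain()
    print("intact chain, first invalid block:", first_invalid_block(original))
    broken = erase_in_place(build_sample_chain(), 1)
    print("after in-place erasure, first invalid block:", first_invalid_block(broken))
    rebuilt = erase_and_rebuild(original, 1)
    print("after rebuild, first invalid block:", first_invalid_block(rebuilt))
    print("blocks whose hash had to change:", changed_hashes(original, rebuilt))
```

The rebuild touches every block after the erased one, which is why the section says the cost grows with chain length and needs the agreement of whoever holds copies of those later blocks.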

4.0 Malaysian Blockchain & PDPA

4.1 Legal Landscape
The Personal Data Protection Act 2010 (PDPA), which went into effect on November 15, 2013,
establishes a comprehensive cross-sectoral framework for the protection of personal data in
commercial transactions.
Given the increased number of incidences of credit card fraud, identity theft, and the selling
of personal data without customer authorization, the PDPA was viewed as a critical enabler
in strengthening consumer confidence in electronic commerce and corporate transactions.
Prior to the PDPA, data protection responsibilities were dispersed across several sectoral
secrecy and confidentiality obligations, while personal information was generally safeguarded
as confidential information through contractual obligations or civil actions for breach of
confidence.
The PDPA imposes stringent standards on anybody who collects or analyses personal data
(data users) and offers individual rights to 'data subjects.' It is enforced by the Commissioner
of the Department of Personal Data Protection (the Commissioner) and is based on a set of
data protection principles similar to those found in the European Union's (EU) Data Protection
Directive 95/46/EC;52 as a result, the PDPA is often referred to as European-style privacy law.
The PDPA has an important limitation in that it does not apply to the federal or state
governments.53
The processing of information by a credit reporting organisation is also excluded from the
PDPA. In the past, credit reporting organisations were not subject to any regulatory authority
in Malaysia, resulting in widespread criticism for faulty credit information reporting. The
Credit Reporting Agencies Act 2010, which went into effect on January 15, 2014, now requires
the registration of persons carrying on credit reporting businesses under the regulatory
oversight of the Registrar Office of Credit Reporting Agencies, a division of the Ministry of
Finance tasked with developing a regulated and structured credit information sharing
industry.
The PDPA lists the security principle as one of its data protection principles. According to this
concept, an organisation must guarantee that both technological and organisational security
measures are in place to protect the personally identifiable information that it processes. The
ISO/IEC 27001 Information Security Management System (ISMS), an international standard
that addresses information technology system risks such as hacker assaults, viruses, malware,
and data theft, is the main standard for cyber risk management in Malaysia.

52 The EU Data Protection Directive 95/46/EC has now been replaced with the EU General Data Protection
Regulation, which came into force on 25 May 2018.
53 There is some ambiguity about which public entities fall within this definition. It does not appear that agencies
and statutory bodies established under Acts of Parliament or state enactments to perform specific public
functions, such as Bank Negara Malaysia (BNM), the Employees Provident Fund, the Securities Commission
Malaysia and the Companies Commission of Malaysia, fall within the scope of this exemption.
Sectoral authorities such as the Central Bank of Malaysia (BNM) and the Securities
Commission Malaysia have also been actively addressing cybersecurity risks in their
respective industries by providing recommendations and establishing compliance criteria
(discussed in Section IX). The junction of privacy and cybersecurity is also manifested in the
degree of tolerance for government surveillance activity: the PDPA does not restrict
government access to personal data (discussed in Section VI).
National security, law enforcement, and counter-terrorism are among the grounds stated to
justify broad government access and use.
Tan Sri Muhyiddin Yassin, Malaysia's Prime Minister, introduced the MyDIGITAL initiative
earlier this year, a fresh and comprehensive approach meant to anchor the country's digital
economy by 2030. The Malaysian Digital Economy Blueprint (Blueprint) outlines the efforts
and actions required to carry out the MyDIGITAL programme. The Blueprint contains steps to
strengthen the data protection framework, including a review of the PDPA.
Public discussions on prospective revisions to the Personal Data Protection Act (PDPA) were
previously announced by the Minister of Communications and Multimedia in 2020. According
to the Minister, the Communications and Multimedia Ministry had detected shortcomings in
the PDPA's personal data protection legislation when compared to that of ASEAN member
nations, Japan, South Korea, and the General Data Protection Regulation of the European
Union (GDPR).54
The Commissioner issued Public Consultation Paper No. 01/2020 on the Personal Data Protection
Act 2010 (Act 709) (the PDPA Consultation Paper) in February 2020. Some concerns were
addressed in the PDPA Consultation Paper, including the right to data portability, reporting
data breach occurrences and privacy by design, as well as processing personal information in
cloud computing. No further announcement has been made regarding the PDPA Consultation Paper.
In light of the covid-19 pandemic, the Commissioner issued an advisory (the Advisory) on the
collecting, processing, and keeping of personal data by enterprises authorised to operate
during the conditional movement control order period. It was a requirement for businesses
to collect visitors' or customers' names and phone numbers in the event that contact tracing
became necessary, so the Advisory offered business operators guidelines on how to maintain
compliance with the PDPA while collecting or processing such information.
To date, the Commissioner's enforcement efforts have focused on simple infractions, such as
processing personal data without a registration certificate. By the end of July 2021, there had
been at least five convictions in enforcement cases. The vast majority of convictions are for
the offence of processing personal data without a certificate of registration.55
The Commissioner's office has also visited a number of businesses in the following sectors:
utility, insurance, healthcare, banking, education, direct selling, tourism and hospitality, real
estate, and services (retail and wholesale).

54 https://www.malaymail.com/news/malaysia/2020/02/12/minister-govt-to-consult-public-on-amendments-
to-personal-data-protection-l/1836984
PDPA section 101 gives the Commissioner authority to examine corporate personal data
systems and make suggestions on how to comply with the law. The organisation is given only
a brief heads-up about the upcoming visit. The inspection examines in detail the forms and
notices used to collect personal data; the internal standard operating procedures used to
manage personal data within the organisation; the individual in charge of personal data
management within the organisation and their knowledge of the law; and finally, the
organisation's compliance with the seven principles of data protection set forth by the
Commissioner's office. Failure to implement the corrective measures by the time of a
post-inspection review could lead to criminal prosecution under the PDPA.
At a time when Malaysia was under a movement restriction order, there was an increase in
the usage of and reliance on technology, raising awareness of cybersecurity risks. Cybersecurity
incidents totalled 4,615 between January and May of 2021. Among the most common were fraud,
intrusion, and malicious code (malware).56
There is currently no law in Malaysia that specifically addresses offences linked to
cybersecurity. Enforcers like the National Cyber Security Agency must rely on existing laws,
such as the Communications and Multimedia Act 1998 (CMA) and Defamation Act 1957, to
tackle cyberthreats.57
General principles governing the legal requirements for processing personal data (e.g., with
consent or in accordance with applicable law), notice (internal privacy notices for employees
and external privacy notices for consumers), choice, disclosure, data security, integrity and
retention, and rights of access are all included in the PDPA's seven data protection principles.
An organization's failure to adhere to these rules violates the law.58
On December 23, 2015, the European Union's Personal Data Protection Standards 2015 (the
Standards) went into effect and are now considered the "minimum" standards that
companies must adhere to when handling the personal data of their customers and
employees. Companies that fail to comply face criminal penalties.
In addition, the PDPA establishes a co-regulatory model that emphasises the development of
enforceable industrial codes of practice for personal data protection against the backdrop of
government legislative obligations.

55 Section 16(4) of the PDPA
56 https://www.malaymail.com/news/malaysia/2021/06/02/minister-4615-cybersecurity-incidents-reported-
in-malaysia-from-jan-may/1979083
57 See Section IX.i.
58 Section 5(2) of the PDPA.

The Commissioner has authorised and registered a number of codes of practice, including the
Personal Data Protection Code of Practice for the:
a. utilities sector (electricity);59
b. insurance/takaful industry;60
c. banking and financial sector;61
d. licensees under the Communications and Multimedia Act 1998;62 and
e. Malaysian aviation sector.63
It is also anticipated that a code of conduct for legal professionals will be established.
Considering that the Codes establish sector-specific prescriptions, it is likely that they will
establish the expected requirements for a given sector, in addition to and above the
Standards.
Additionally, non-compliance with the codes will result in legal consequences.64

4.2 Blockchain and the PDPA

4.3 Act/Section that is incompatible with blockchain
The Personal Data Protection Act comprises seven fundamental principles. They are the
General Principle, the Notice and Choice Principle, the Security Principle, the Data Integrity
Principle, the Disclosure Principle, the Retention Principle, and the Access Principle. For this
chapter, we will only delve into the Access Principle, the Security Principle and the Retention
Principle as they are more relevant to data protection.
Retention Principle: If any processed personal data has served its intended purpose, it should
not be maintained for any longer period of time than is absolutely required. After the data
has served its purpose, the data user is responsible for destroying or permanently deleting all
of the data that was collected.
Access Principle: A data user gives a data owner access to his personal data. The owner shall
be allowed to update inaccurate, misleading, out-of-date, or incomplete personal data, unless
the PDPA prohibits such access.
Security Principle: When processing personal data, the data user should take reasonable
means to safeguard the data against loss, misuse, modification, unauthorised or accidental
access, change, destruction, or disclosure.

59 The Personal Data Protection Code of Practice for the Utilities Sector (Electricity) came into effect from 23
June 2016. The Personal Data Protection Code of Practice for the Utilities Sector (Electricity) Version 2.0 came
into effect from 21 January 2020.
60 With effect from 23 December 2016.
61 With effect from 19 January 2017.
62 With effect from 23 November 2017.
63 With effect from 21 November 2017.
64 Section 29 of the PDPA.
The majority of data privacy legislation, such as the PDPA, applies when personal data must be
processed. Consequently, data kept on blockchains is regulated under the PDPA. Additionally,
the PDPA was drafted at a time when blockchain technology was a relatively new technology
in Malaysia. Many countries have been sluggish to incorporate blockchain technology into
their data privacy legislation, with the exception of the French government, which adheres to
both GDPR and its own Network and Information Systems Security (NISD) regulation.65 As a
result, various incompatibilities exist between PDPA and blockchain:

• Lack of central entity
• Anonymity of users
• Territorial limitation
• Erasure and modification of data

5.0 Findings
5.1 Gaps between Malaysia and EU legal approach
5.2 What should be adopted
5.3 What can be added/amended

65 V. Aumage and C. Martin Dit Neuville, France's approach to implementing GDPR and NISD - Taylor Wessing's
Global Data Hub, TaylorWessing, https://globaldatahub.taylorwessing.com/article/frances-approach-
toimplementing-gdpr-and-nisd, Accessed 16 February 2020.
