PERSONAL DATA PROTECTION ACT (PDPA) COMPLIANCE: LATEST AMENDMENTS IN 2024

Last year, our Associate, Aryn Rozali, shared a comprehensive article, ‘General Overview on PDPA Compliance in Malaysia’. In that piece, Aryn highlighted the anticipated amendments to the Personal Data Protection Act 2010 (“PDPA”), and today we are thrilled to update you on the latest developments.

Exciting news! The Personal Data Protection (Amendment) Bill 2024 (Bill D.R. 21/2024) (“Bill”) was passed in the Dewan Rakyat (or House of Representatives) on 16 July 2024. YB Tuan Gobind Singh Deo, the Minister of Digital, presented it after the first reading on 10 July 2024.

This milestone represents a pivotal moment for data protection in Malaysia, marking a significant enhancement in compliance with personal data protection standards. These amendments aim to better safeguard personal data, aligning Malaysia’s practices with international standards.

Stay tuned as we continue to explore what these amendments mean for businesses and individuals alike!

Key Amendments and their implications

To help you navigate these changes, we have prepared a comprehensive comparison table highlighting the main differences between the PDPA and the Bill, along with the anticipated impacts on businesses and recommended actions.

The table below compares each aspect under the PDPA 2010 and the Bill 2024, followed by the impact and the recommended action plan.

Aspect: Change of Terminology
PDPA 2010: The original term used is “Data User”.
Bill 2024: The new term “Data Controller” is introduced to substitute “Data User”.[1]
Impact: The term “Data User” will be replaced by “Data Controller” to align with the EU GDPR.[2] The change is primarily cosmetic and does not impact the obligations of the Data User/Data Controller under the PDPA.
Action Plan: Update your internal terminology and documentation to reflect the new term.

Aspect: Expansion of the Definition of “Sensitive Personal Data”
PDPA 2010: Biometric data is not expressly addressed.
Bill 2024: The definition of “sensitive personal data” is expanded to include “biometric data”, which refers to any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person,[3] such as data processed for facial recognition or fingerprint verification.
Impact: The scope of “Sensitive Personal Data” is expanded to include biometric information.
Action Plan: Businesses processing biometric data need to review and update their data protection policies and procedures. This includes establishing specific measures for handling biometric data to comply with the more stringent consent and security requirements.

Aspect: Requirement to Appoint a Data Protection Officer (“DPO”)
PDPA 2010: The appointment of a DPO is not explicitly required.
Bill 2024: Data Controllers and Data Processors must appoint a DPO.[4]
Impact: Appointment of a DPO becomes mandatory, and the appointed DPO must be registered with the Personal Data Protection Commissioner (“Commissioner”).
Action Plan: Appoint a qualified DPO to ensure PDPA compliance and to oversee the implementation of data protection strategies. While the Government has not established specific qualifications for the DPO (these will likely be detailed in guidelines issued by the Commissioner), a good DPO should possess strong IT skills with a deep understanding of the organisation’s IT infrastructure and data management systems. The DPO should also be well-versed in up-to-date data protection laws and regulations.

Aspect: Requirement to Notify a Data Breach
PDPA 2010: The requirement to notify a data breach is not specified.
Bill 2024: Data Controllers must promptly notify:

1. the Commissioner of a personal data breach if the Data Controller reasonably believes that a personal data breach has occurred;[5] and

2. the Data Subject if the personal data breach causes or is likely to cause any significant harm to the Data Subject.[6]

Impact: New obligations for data breach notifications. Non-compliance with this requirement can result in a fine of up to RM250,000 or imprisonment for up to 2 years, or both.
Action Plan: Develop a data breach escalation process and notification protocol (further details will likely be set out in guidelines issued by the Commissioner) and train staff on identifying and reporting data breaches.

Aspect: Direct Liability on Data Processors for the Security of Personal Data
PDPA 2010: Data Processors are not directly subject to obligations under the PDPA.
Bill 2024: Data Processors are required to comply with the Security Principle.[7]
Impact: Data Processors are subject to direct liability for personal data breaches; non-compliance with the Security Principle will result in penalties under the PDPA.
Action Plan: Data Processors need to ensure that adequate measures for preventing data breaches are implemented and that the Security Principle is complied with.

Aspect: Right to Data Portability
PDPA 2010: There is no specific provision for data portability.
Bill 2024: Data Subjects can request the transfer of their personal data to another Data Controller of their choice through written notice, subject to technical feasibility and compatibility of the data format.[8]
Impact: New rights for Data Subjects concerning data portability.
Action Plan: Implement processes for handling data portability requests and establish procedures for transferring data.

Aspect: Penalties for Non-Compliance with the PDPA
PDPA 2010: Subject to a maximum fine of up to RM300,000 or imprisonment for a term not exceeding 2 years, or both.
Bill 2024: The maximum fine is increased to RM1,000,000 or imprisonment for a term not exceeding 3 years, or both.[9]
Impact: Increased penalties for non-compliance.
Action Plan: Review and enhance compliance measures to mitigate the risk of non-compliance and avoid heavy penalties.

Aspect: Simplified International Data Transfers
PDPA 2010: Transfers outside Malaysia are not allowed unless they are to “whitelisted” countries, though no such whitelisted countries were ever gazetted.
Bill 2024: The whitelist regime for cross-border transfers is removed. Cross-border transfers are permitted to countries with substantially similar laws or an equivalent level of data protection.[10]
Impact: International data transfers are no longer restricted to “whitelisted” countries, which simplifies the international data transfer process. However, the impact of this change is minimal, as Data Controllers were already able to transfer data outside Malaysia under the exceptions specified in Section 129(3) of the PDPA prior to the amendment.
Action Plan: Update data transfer agreements to align with the amendment and ensure compliance with data protection standards for international transfers.

Aspect: Personal Data of Deceased Individuals
PDPA 2010: Personal data of deceased individuals is not expressly addressed.
Bill 2024: Personal data of deceased individuals is expressly excluded from the scope of the Act.[11]
Impact: The responsibility for managing the personal data of deceased individuals is expressly excluded from the scope of the Act. This means that organisations are no longer required to apply the PDPA principles to such data, which simplifies data management and retention policies.
Action Plan: Conduct an audit of existing data records to identify any personal data of deceased individuals and determine whether any adjustments or deletions are necessary.

Closing Statement

With the introduction of new obligations pursuant to the Bill, businesses will need to revisit and update their policies, procedures, and existing control measures to incorporate the necessary changes. This includes conducting a gap analysis to identify any deficiencies in the current controls and implementing new, effective measures for personal data protection.

Since many specific details about the new requirements are still to come, businesses should keep an eye out for updates, especially any new guidelines from the Commissioner to complement the amendments.

For personalised legal and compliance support, please reach out to our Advisory & Compliance Partner, Mr. Fakhrul Fadzilah (fakhrul@nzchambers.com) or Projects & Infrastructure Senior Associate, Ms. Elise Tam (elise@nzchambers.com). We are here to help you achieve compliance and manage these regulatory updates effectively.

Authors

  1. Fakhrul Fadzilah
  2. Elise Tam

References

[1] Clause 2 of the Bill

[2] GDPR (General Data Protection Regulation) governs how the personal data of individuals in the European Union may be processed and transferred (https://gdpr.eu/what-is-gdpr/).

[3] Clause 3(b) of the Bill

[4] Clause 6 of the Bill

[5] Clause 6 of the Bill

[6] Clause 6 of the Bill

[7] Clause 4(a) of the Bill

[8] Clause 4(a) of the Bill

[9] Clause 4(b)(ii) of the Bill

[10] Clause 12 of the Bill

[11] Clause 3(f) of the Bill