19 July 2024

On 31 July 2024, the Senate (Dewan Negara) passed the Personal Data Protection (Amendment) Bill 2024 (“PDP Bill”). It had been passed by the Dewan Rakyat on 16 July 2024. The PDP Bill will be presented for Royal Assent and will become law upon its publication in the Federal Gazette of Malaysia.

This article sets out the key changes introduced by the PDP Bill.

Key points

The PDP Bill will amend the Personal Data Protection Act 2010 to enhance the framework for the processing of personal data and bring it in line with international standards and practice.

The amendments are wide ranging and include:

  • Scope and applicability of the PDPA
  • Adoption of concept of “data controller”
  • Obligations of data processors
  • Increase of penalties for breach of the key principles
  • Appointment of a data protection officer
  • Mandatory data breach notification
  • Rights to data portability
  • Cross-border transfers of personal data

Background

The Personal Data Protection Act 2010 (“PDPA”) is the primary legislation governing all matters pertaining to the use of personal data in commercial transactions in Malaysia. The PDP Bill will amend the PDPA to enhance the framework for the processing of personal data and bring it in line with international standards and practice. The Personal Data Protection Commissioner (“PDP Commissioner”) is expected to issue relevant guidelines in respect of the proposed amendments to the PDPA, such as the Notification of Data Breach Guidelines and the Data Protection Officers Guidelines.

Scope and Applicability

Under the current PDPA regime, “sensitive personal data” includes any health information, political opinions, religious beliefs or other beliefs of a similar nature, the commission of an offence, alleged or otherwise, or any other personal data as the Digital Minister of Malaysia may determine.

The PDP Bill seeks to expand the definition of “sensitive personal data” to include biometric data, which is defined as “any personal data resulting from technical processing relating to the physical, physiological, or behavioural characteristics of a person”.

The PDP Bill will also exclude the personal data of a deceased individual from the applicability of the PDPA, which is in line with the current scope of the European Union General Data Protection Regulation.

Adoption of concept of “data controller”

Under the current PDPA regime, the term “data user” is broadly defined as any person who processes personal data, has control over, or authorises the processing of any personal data for his own commercial purposes. The PDP Bill seeks to substitute the term “data user” with “data controller”, which is the more widely adopted terminology in personal data protection regimes in other jurisdictions, including the European Union and Thailand. As and when the PDP Bill comes into force, references to the statutory term “data user” in existing personal data protection notices, policies or agreements may need to be revised to reflect the updated legal position.

Obligations of data processors

Currently, the PDPA only imposes a legal obligation on data users to ensure that data processors:

  • provide sufficient guarantees in respect of the technical and organisational security measures governing the processing of personal data to be carried out; and
  • take reasonable steps to comply with those measures.

Under the existing regime, there is no specific legal obligation for data processors to comply with the PDPA. The PDP Bill will amend the PDPA to impose a direct legal obligation on data processors to comply with the PDPA, particularly in respect of the obligation to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction of personal data, also known as the “Security Principle”. Once the PDP Bill comes into force, businesses operating as data processors must reassess their operational and business practices as they would now be directly subject to new obligations and requirements under the PDPA.

Increase of penalties for breach of PDP Principles

Section 5 of the PDPA sets out seven principles (collectively, “PDP Principles”) with which a data user must comply. The PDP Principles include, among others:

  • the General Principle, where data users must obtain consent from the data subjects prior to processing their personal data (save in exceptional circumstances);
  • the Notice and Choice Principle, where data users must provide a written notice in the English and Malay languages to the data subjects containing statutorily required information; and
  • the Disclosure Principle, where data users must not disclose the personal data of the data subjects to third parties without the data subject’s consent (save in exceptional circumstances).

The current PDPA regime provides that a data user who contravenes the PDP Principles will be liable to a fine not exceeding RM300,000 and/or imprisonment for a term not exceeding two years. Under the PDP Bill, failure to comply with the PDP Principles will warrant a maximum fine of RM1,000,000 and/or imprisonment for a term not exceeding three years.

Appointment of data protection officer

The PDP Bill also seeks to introduce a new legal obligation on data users and data processors to appoint one or more data protection officers who would be accountable to the data controller in relation to compliance with the PDPA. Data controllers must notify the PDP Commissioner of the appointed data protection officer in the manner and form as may be determined by the PDP Commissioner.

Mandatory data breach notification

The PDP Bill requires a data controller to notify the PDP Commissioner as soon as practicable if they reasonably believe that a personal data breach has occurred. The data breach notification is to be made in the manner and form as determined by the PDP Commissioner.

In the event that the personal data breach causes or is likely to cause any significant harm to the data subject, the data controller is required to notify the data subject without unnecessary delay. Failure to notify the PDP Commissioner of a personal data breach may result in a maximum fine of RM250,000 and/or maximum imprisonment term of two years.

This amendment is likely in response to the number of complaints of misuse and breach of personal data received by the Office of the PDP Commissioner. It has been reported that there have been 288 complaints received by the Office as of June 2024 and 779 complaints received in 2023.

Rights to data portability

The PDP Bill will introduce the right to data portability for data subjects. In summary, data subjects may request the data controller to transmit his/her personal data to another data controller of his/her choice directly via a written notice by way of electronic means to the data controller, subject to technical feasibility and compatibility of the data format.

Cross-border transfer of personal data

Under the existing PDPA regime, a data user must not transfer any personal data to a place outside Malaysia unless, among other things, the transfer is to a place specified by the Minister of Digital in Malaysia. The PDP Bill seeks to remove such provision from the PDPA and to allow personal data to be transferred outside of Malaysia to a country that has substantially similar laws as the PDPA or to a country that has an adequate level of protection in relation to the processing of personal data which is equivalent to that afforded by the PDPA. While such a change will facilitate cross-border data transfer exercises, it will also likely require businesses to undertake regulatory assessments as to whether the receiving country has an “adequate” level of data protection. 

Further information

This alert has been prepared with the assistance of Associate Siah An Gel and Legal Executive Mohamad Syafiq bin Mohamad Tazri.
