An Overview of the 2024 Proposed Amendments to the Personal Data Protection Act 2010

Note: Barring any further amendments to the law, this article should be read on the assumption that the Bill is passed in its current form as at the time of writing, 11 July 2024. The Personal Data Protection (Amendment) Act 2024 (“PDPA Amendments in 2024”) is currently at the 1st reading stage in the Malaysian Parliament. It will proceed through further readings and must be approved by both Houses of Parliament before being presented for Royal Assent by His Majesty The Yang di-Pertuan Agong. Therefore, it may take some time before the Bill legally comes into force.

Malaysia’s Personal Data Protection Act 2010 (“PDPA”) is set to undergo significant updates aimed at aligning with international standards and strengthening the protection of personal data. Here is an overview of the key proposed changes, comparisons with the current provisions, and our insights on these proposed amendments:

Current Position: The term “data user” is used throughout the PDPA.

Proposed PDPA Amendments in 2024: The term “data user” will be replaced with the term “data controller”.

This proposed amendment aligns Malaysia’s data protection terminology with global standards, such as those used in the General Data Protection Regulation (GDPR), ensuring consistency and facilitating international data protection compliance.

Current Position: The PDPA currently does not explicitly define “biometric data” or “personal data breach.”

Proposed PDPA Amendments in 2024:

  • Biometric Data – Introduced as personal data resulting from technical processing related to physical, physiological, or behavioural characteristics, constituting sensitive personal data.
  • Personal Data Breach – Defined as any breach, loss, misuse, or unauthorized access to personal data.

These amendments aim to provide better clarity in the PDPA, ensuring specific categories of sensitive data and incidents are clearly identified and adequately protected.

Current Position: Data processors are not explicitly required to comply with the security principle.

Proposed PDPA Amendments in 2024: Data processors, who process data on behalf of data controllers, must now comply with the security principle under the PDPA.

This amendment requires data processors to implement appropriate technical and organizational measures to protect personal data, thereby ensuring accountability and enhancing overall data protection practices.

Current Position: Penalties for non-compliance include fines up to RM300,000 and imprisonment up to two years.

Proposed PDPA Amendments in 2024: The fines for breaches are increased to RM1,000,000, and the maximum imprisonment term is extended to three years.

These heightened penalties underscore the seriousness of compliance and aim to deter violations by imposing more severe consequences.

Current Position: There is no mandatory requirement for the appointment of Data Protection Officers (DPOs).

Proposed PDPA Amendments in 2024: Data controllers and processors must appoint one or more DPOs responsible for ensuring compliance with the PDPA.

This requirement aligns with international best practices, ensuring that organizations have dedicated personnel to manage and safeguard personal data effectively.

Current Position: There is no explicit requirement for data breach notifications.

Proposed PDPA Amendments in 2024: Data controllers must notify the Personal Data Protection Commissioner of any data breaches as soon as practicable. If the breach causes or is likely to cause significant harm to the data subject, data controllers must notify the affected data subjects promptly. Failure to comply can result in fines up to RM250,000 or imprisonment for up to two years. The form and manner of notification will be further determined by the Personal Data Protection Commissioner.

Introducing mandatory data breach notifications ensures timely awareness and response to data breaches. This requirement aligns with international best practices, enhancing transparency and accountability in data protection.

Current Position: The PDPA does not currently provide a right to data portability.

Proposed PDPA Amendments in 2024: Data subjects can request their personal data to be transferred to another data controller, subject to technical feasibility and compatibility of the data format.

This right enhances data subject control over their personal data and facilitates smoother transitions between service providers.

Current Position: Section 129 of the PDPA prohibits the transfer of personal data to a place outside Malaysia unless such place is specified by the Minister by notification in the Gazette. No such whitelist has been issued and gazetted thus far.

Proposed PDPA Amendments in 2024: Data controllers can transfer personal data to countries that provide adequate protection equivalent to the PDPA. The requirement for the Minister to specify places for data transfers is removed.

The amendment shifts the authority from the Minister to the data controller, allowing the data controller to decide on data transfers based on adequacy standards. This change aims to streamline cross-border data flows while ensuring that data transferred internationally is adequately protected.

Various amendments are proposed to enhance clarity and consistency within the PDPA. These include updates to definitions, procedural changes, and adjustments to ensure the Act remains coherent.

These Proposed PDPA Amendments in 2024 represent a significant step forward in strengthening Malaysia’s data protection framework. By aligning with international standards and addressing emerging data protection challenges, the amendments aim to provide robust safeguards for personal data and enhance trust in the digital ecosystem.

Given the significant amendments, it is high time for companies and organizations in Malaysia to look into PDPA compliance seriously. Companies and organizations that already have a PDPA compliance framework will need to update and revise their framework, while those who do not yet have one will need to start implementing these practices within their organization.


 © Copyright 2020, Lee & Poh Partnership
