Note: Barring any further amendments to the law, this article should be read in the context of the Bill being passed in its current form as at the time of writing (11 July 2024). The Personal Data Protection (Amendment) Act 2024 (“PDPA Amendments in 2024”) is currently at the first reading stage in the Malaysian Parliament. It will proceed through further readings and must be approved by both Houses of Parliament before being presented for Royal Assent by His Majesty The Yang di-Pertuan Agong. Therefore, it may take some time before the Bill legally comes into force.
Malaysia’s Personal Data Protection Act (PDPA) 2010 (“PDPA”) is set to undergo significant updates aimed at aligning with international standards and strengthening the protection of personal data. Here is an overview of the key proposed changes, comparisons with the current provisions, and our insights on these proposed amendments:
Terminology Update
Current Position: The term “data user” is used throughout the PDPA.
Proposed PDPA Amendments in 2024: The term “data user” will be replaced with the term “data controller”.
This proposed amendment aligns Malaysia’s data protection terminology with global standards, such as those used in the General Data Protection Regulation (GDPR), ensuring consistency and facilitating international data protection compliance.
New Definitions
Current Position: The PDPA currently does not explicitly define “biometric data” or “personal data breach.”
Proposed PDPA Amendments in 2024:
- Biometric Data – Introduced as personal data resulting from technical processing related to physical, physiological, or behavioural characteristics, constituting sensitive personal data.
- Personal Data Breach – Defined as any breach, loss, misuse, or unauthorized access to personal data.
These amendments aim to provide better clarity in the PDPA, ensuring specific categories of sensitive data and incidents are clearly identified and adequately protected.
Enhanced Responsibilities of Data Processors
Current Position: Data processors are not explicitly required to comply with the security principle.
Proposed PDPA Amendments in 2024: Data processors, who process data on behalf of data controllers, must now comply with the security principle under the PDPA.
This amendment requires data processors to implement appropriate technical and organizational measures to protect personal data, thereby ensuring accountability and enhancing overall data protection practices.
Increased Penalties
Current Position: Penalties for non-compliance include fines up to RM300,000 and imprisonment up to two years.
Proposed PDPA Amendments in 2024: The fines for breaches are increased to RM1,000,000, and the maximum imprisonment term is extended to three years.
These heightened penalties underscore the seriousness of compliance and aim to deter violations by imposing more severe consequences.
Data Protection Officers (DPOs)
Current Position: There is no mandatory requirement for the appointment of DPOs.
Proposed PDPA Amendments in 2024: Data controllers and processors must appoint one or more DPOs responsible for ensuring compliance with the PDPA.
This requirement aligns with international best practices, ensuring that organizations have dedicated personnel to manage and safeguard personal data effectively.
Data Breach Notification
Current Position: There is no explicit requirement for data breach notifications.
Proposed PDPA Amendments in 2024: Data controllers must notify the Personal Data Protection Commissioner of any data breaches as soon as practicable. If the breach causes or is likely to cause significant harm to the data subject, data controllers must notify the affected data subjects promptly. Failure to comply can result in fines up to RM250,000 or imprisonment for up to two years. The form and manner of notification will be further determined by the Personal Data Protection Commissioner.
Introducing mandatory data breach notifications ensures timely awareness and response to data breaches. This requirement aligns with international best practices, enhancing transparency and accountability in data protection.
Rights to Data Portability
Current Position: The PDPA does not currently provide a right to data portability.
Proposed PDPA Amendments in 2024: Data subjects can request their personal data to be transferred to another data controller, subject to technical feasibility and compatibility of the data format.
This right enhances data subject control over their personal data and facilitates smoother transitions between service providers.
Cross-Border Data Transfers
Current Position: Section 129 of the PDPA prohibits the transfer of personal data to a place outside Malaysia unless such place is specified by the Minister by notification in the Gazette. No such whitelist has been issued and gazetted thus far.
Proposed PDPA Amendments in 2024: Data controllers can transfer personal data to countries that provide adequate protection equivalent to the PDPA. The requirement for the Minister to specify places for data transfers is removed.
The amendment shifts the authority from the Minister to the data controller, allowing the data controller to decide on data transfers based on adequacy standards. This change aims to streamline cross-border data flows while ensuring that data transferred internationally is adequately protected.
Miscellaneous Amendments
Various amendments are proposed to enhance clarity and consistency within the PDPA. These include updates to definitions, procedural changes, and adjustments to ensure the Act remains coherent.
Conclusion
These Proposed PDPA Amendments in 2024 represent a significant step forward in strengthening Malaysia’s data protection framework. By aligning with international standards and addressing emerging data protection challenges, the amendments aim to provide robust safeguards for personal data and enhance trust in the digital ecosystem.
Immediate Action Required
Given the significant amendments, it is high time for companies and organizations in Malaysia to look into PDPA compliance seriously. Companies and organizations that already have a PDPA compliance framework will need to update and revise their framework, while those who do not yet have one will need to start implementing these practices within their organization.
Edwin is a corporate and technology lawyer. He is also the founder and deputy managing partner of Lee & Poh Partnership (LPP Law). Edwin has advised a range of companies from technology startups to multinational corporations on a range of matters. In 2020, Edwin was named as a Malaysian Rising Star by Asian Legal Business, a finalist for the Young Lawyer of the Year at the ALB Malaysia Law Awards as well as a lawyer in the annual ALB publication of Asia 40 under 40.