In brief

Following the passing of the Personal Data Protection (Amendment) Bill 2024 (“Bill“) by the Malaysian Parliament in July 2024, three public consultation papers have been issued in relation to the implementation of the following impending new legal obligations:

  • Notifying the Personal Data Protection Commissioner (“Commissioner“) and affected data subjects of a personal data breach.
  • Appointing data protection officer(s).
  • Giving effect to the data subject’s right to data portability.

The deadline to provide feedback is 6 September 2024 (Friday).
Contents

  1. In more detail
    1. Data breach notification
    2. Data protection officer
    3. Data portability

In more detail

We earlier highlighted in our client alert some of the key changes brought by the Bill to the Personal Data Protection Act 2010 (PDPA), and noted that certain guidelines are being developed to complement them.

The recently published public consultation papers shed light on what may be required for compliance with some of the new legal requirements, while giving the public the opportunity to contribute to and shape the final draft of these subsidiary instruments under the PDPA.

Data breach notification

To recap, the Bill will require data controllers to:

  • Notify the Commissioner “as soon as practicable”, if they have reason to believe that a personal data breach (i.e., any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data) has occurred.
  • Additionally, notify the data subject “without unnecessary delay”, if the personal data breach causes or is likely to cause significant harm to the data subject.

We have summarised below the key data breach notification proposals provided for under the Public Consultation Paper No. 01/2024: The Implementation of Data Breach Notification:

Notification to the Commissioner

  • Threshold to notify: Where the personal data breach is likely to cause “significant harm” and/or involve 500 or more affected data subjects.
  • Manner and form: Broadly the same as the current voluntary notification form.
  • Timeframe: 72 hours after becoming aware of a data breach (i.e., with a reasonable degree of certainty based on sufficient evidence showing that a personal data breach has occurred).

Notification to affected data subjects

  • Threshold to notify: Where the personal data breach is likely to cause “significant harm” to affected data subjects, provided that the number of affected data subjects is likely to exceed 500 individuals.
  • Manner and form: Notify affected data subjects directly, with a notification containing at least certain prescribed details.
  • Timeframe: At the same time as the notification to the Commissioner, or as soon as practicable thereafter.

“Significant harm” is proposed to mean any of the following:

  • The access, disclosure or loss of personal data from the personal data breach is likely to result in bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the data subjects’ credit record, or damage to or loss of property.
  • The access, disclosure or loss of personal data results or is likely to result in serious harm to the affected data subjects to whom the information relates, or the personal data has been, is being or will likely be misused for illegal purposes.
  • The personal data compromised by the personal data breach includes sensitive personal data or any other information that may be used to enable identity fraud, such as usernames, passwords or identification numbers.

This paper also proposes some other aspects, such as certain exemptions from notifying affected data subjects, a requirement for data controllers to contractually bind data processors to notify them of a personal data breach, and specific record-keeping obligations.

Feedback to this paper may be provided via this link.

Data protection officer

To recap, the Bill will require each data controller and data processor to appoint at least one data protection officer (DPO), who will be accountable to the respective organisation for its compliance with the PDPA.

Under the Public Consultation Paper No. 02/2024: The Appointment of Data Protection Officer, some of the key proposals are as follows:

  • Who needs to appoint a DPO: Only those carrying out data processing activities on a “large scale”, assessed by reference to the prescribed factors (no specific quantitative threshold is being proposed).
  • From whom a DPO may be appointed: From an external provider or internally from among the employees.
  • How to qualify as a DPO: Meet a minimum set of prescribed qualities and complete or obtain such training or certification as the Commissioner may later require.
  • Where the DPO should be: Ordinarily resident in Malaysia, but a single DPO may serve multiple entities within the same group of companies.
  • What the specific responsibilities of the DPO are: Carry out data protection impact assessments, ensure internal training is provided, act as a liaison point with data subjects and the Commissioner, etc.
  • To whom the DPO reports: Direct reporting line to the senior management team or equivalent.

Feedback to this paper may be provided via this link.

Data portability

To recap, the Bill will provide data subjects with a right to request a data controller to transmit their personal data to another data controller of their choice, subject to technical feasibility and compatibility of the data format.

Under the Public Consultation Paper No. 03/2024: The Right to Data Portability, some of the key proposals are as follows:

  • Readiness: No requirement to adopt new systems or processes to achieve technical feasibility for data portability, unless specified by the Commissioner or the relevant data controller forum.
  • Types of personal data in scope: Personal data that meets all of the following requirements: (a) directly provided by the data subject; (b) processed based on consent or a contract with the data subject; (c) processed by automated means; and (d) not inferred or derived data. Whitelists of personal data subject to data portability will be issued, and will likely differ across sectors and industries.
  • Compliance timeline: 21 days, extendable by another 14 days.
  • Fees: May be charged to cover associated compliance costs, subject to a fee cap which may later be introduced.
  • Transmission method: Flexibility to determine the best available method to transmit the requested data, subject to any common set of standards or data formats which may later be specified.

Feedback to this paper may be provided via this link.

* * * * *

© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Author

Kherk Ying Chew heads the Intellectual Property and Dispute Resolution Practice Groups of Wong & Partners. She has decades of experience in IP, commercial litigation, corporate compliance, information technology and Internet regulatory issues. She is ranked in Tier 1 for IP in Malaysia by Chambers Asia Pacific, which has noted that Kherk Ying is "an acclaimed figure in the sector, drawing praise as a lawyer who is 'really commercial, very practical' and 'knows her subject impressively well'." Asia Pacific Legal 500 inducted her into its Hall of Fame in 2021 for IP, commenting that she is "highly respected for contentious and non-contentious work". Kherk Ying was also named in Benchmark Asia-Pacific’s Top 100 Women in Litigation for IP and Commercial Transactions (2020-2021). Kherk Ying won Women Lawyer of the Year at the ALB Malaysia Law Awards in 2019. She is highly regarded for IP litigation, and was named "Best Female Lawyer in IP Litigation" by the Euromoney Asia Women in Business Law Awards 2014. She is also recognised as a Tier 1 lawyer in enforcement and litigation by the World Trademark Review 1000, and ranked as a Tier 1 litigation and transactions professional by IAM Patent 1000. Kherk Ying is a registered trade mark, patent and design agent in Malaysia and the principal author of the CCH-published Intellectual Property Laws of Malaysia. She is among the few selected trainers for an IP valuation course by the Intellectual Property Corporation of Malaysia (MyIPO) and is an accredited IP valuer by the World Trade Institute.

Author

Serene Kan is a partner in the Intellectual Property & Technology Practice Group of Wong & Partners, a member firm of Baker & McKenzie International in Kuala Lumpur.

Author

Chun Hau Ng is an Associate in the Kuala Lumpur office of Wong & Partners.