
In brief

The long-awaited Personal Data Protection (Amendment) Bill 2024 (“Bill”) has now been made publicly available. Among the key changes it seeks to introduce are:

  1. Direct obligations for data processors
  2. Mandatory data breach notification
  3. Requirement to appoint data protection officer(s)
  4. New data subject rights on data portability
  5. An expanded definition of sensitive personal data
  6. A general legal basis for cross-border transfers

In more detail

The intention to amend the Personal Data Protection Act 2010 (“PDPA”) can be traced back as early as 2020, when the Personal Data Protection Commissioner (“Commissioner”) issued Public Consultation Paper No. 1/2020 with 22 proposals as part of a review of the PDPA.

After the COVID-19 pandemic and several changes to the Malaysian Cabinet, the Bill has finally seen the light of day and is undergoing parliamentary debate (and, hopefully, approval) during the present parliamentary sitting running up to 18 July 2024. Besides nomenclature updates (i.e., from “data users” to “data controllers”), the key changes brought to the PDPA by the Bill are discussed in more detail below.

Increased penalties

Non-compliance with any of the seven personal data protection principles under the PDPA will attract higher penalties than before. Specifically, non-compliance may result in a data controller [1] being punished with a fine of up to MYR one million (~ USD 216,000) and/or three years imprisonment (“Proposed Penalties”).

Unless proven otherwise (e.g., that the offence was committed without the individual’s knowledge and the individual had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence), directors, CEOs, COOs, managers or other officers responsible for the management of a data controller may be deemed to have committed the same offence and be liable jointly and severally with the body corporate (and thus similarly exposed to the Proposed Penalties).

Currently, the maximum penalty for such non-compliance is a fine of MYR 300,000 (~ USD 64,000) and/or two years imprisonment.

Data processors to comply with security principle

The PDPA currently only imposes legal obligations on data controllers. Under the Bill, the PDPA will directly require data processors [2] to comply with the security principle.

Under the security principle, data processors will need to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. In addition, the Bill statutorily mandates that data processors, when processing personal data on behalf of data controllers, must do both of the following:

  1. Provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out
  2. Take reasonable steps to ensure compliance with those measures

A failure to comply with the above will attract the Proposed Penalties.

Mandatory data breach notification

Data controllers will need to notify the Commissioner “as soon as practicable” (in the manner and form determined by the Commissioner) if they have reason to believe that a personal data breach has occurred (i.e., any breach, loss, misuse or unauthorised access of personal data). Contravention of this requirement may attract a fine of up to MYR 250,000 (~ USD 54,000) and/or two years imprisonment.

Further, if the personal data breach causes or is likely to cause significant harm to the data subject, data controllers will additionally need to notify the affected data subject “without unnecessary delay” (in the manner and form determined by the Commissioner).

Requirement to appoint data protection officer(s)

Data controllers and data processors will each be required to appoint at least one data protection officer. These officers will be accountable to the respective data controller or data processor for the organisation’s compliance with the PDPA.

New data portability rights

Subject to technical feasibility and compatibility of the data format, data subjects will have the right to require a data controller to transmit their personal data directly to another data controller of their choice, by giving written notice to the data controller by electronic means.

Biometric data to become sensitive personal data

Under the Bill, the definition of “sensitive personal data” will be expanded to include biometric data. Biometric data is defined as any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person. This means that the processing of biometric data will be subject to the separate, stricter set of legal bases that applies to sensitive personal data, e.g., the explicit consent of the data subject.

Changes to rules on cross-border transfers

Currently, the PDPA allows the Minister to do the following:

  1. Issue a whitelist of places outside Malaysia to which personal data may be transferred
  2. Determine the circumstances where cross-border transfer of personal data is necessary as being in the public interest

The Bill will remove these two powers and introduce a general legal basis for the transfer of personal data to a place outside Malaysia, i.e., such transfers are allowed where either of the following applies:

  1. There is in that place in force any law which is substantially similar to the PDPA
  2. That place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA

The existing means of enabling cross-border data transfers (e.g., consent of the data subject) remain unchanged.

Data subjects to exclude deceased individuals

Under the Bill, the definition of “data subject” will exclude deceased individuals. As “personal data” is defined under the PDPA by reference to “data subject”, this change will result in the PDPA not applying where a data controller processes the personal data of a deceased individual.

Concluding remarks

The Bill reflects some of the proposals raised in the 2020 public consultation, while introducing further changes that are largely aligned with international standards and practices. Given that the Bill is still being debated in Parliament, the changes to the PDPA highlighted above may be further revised.

Amending the principal legislation, i.e., the PDPA, is a key (but not the only) step being undertaken. The Minister of Digital announced in January 2024 that seven guidelines are being developed under the PDPA to supplement the existing law on personal data. They are:

  • Notification of data breach guidelines, data protection officers guidelines, data portability guidelines, and cross-border data transfer guidelines – these will complement the legislative changes highlighted above
  • Data protection impact assessment guidelines, privacy by design guidelines, and profiling and automated decision making guidelines – some of which have been proposed in the 2020 public consultation paper

Businesses should monitor developments in this space closely and prepare for the additional compliance obligations to which they may become subject.


[1] Data controllers are those (other than data processors) who (either alone or jointly or in common with other persons) process any personal data or have control over or authorise the processing of any personal data.
[2] Data processors are those (other than employees of the data controller) who process personal data solely on behalf of the data controller and do not process the personal data for any of their own purposes.


* * * * *


© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Author

Kherk Ying Chew heads the Intellectual Property and Dispute Resolution Practice Groups of Wong & Partners. She has decades of experience in IP, commercial litigation, corporate compliance, information technology and Internet regulatory issues. She is ranked in Tier 1 for IP in Malaysia by Chambers Asia Pacific, which has noted that Kherk Ying is "an acclaimed figure in the sector, drawing praise as a lawyer who is 'really commercial, very practical' and 'knows her subject impressively well'." Asia Pacific Legal 500 inducted her into its Hall of Fame for IP in 2021, commenting that she is "highly respected for contentious and non-contentious work". Kherk Ying was also named in Benchmark Asia-Pacific’s Top 100 Women in Litigation for IP and Commercial Transactions (2020-2021). She won Women Lawyer of the Year at the ALB Malaysia Law Awards in 2019. She is highly regarded for IP litigation and was named "Best Female Lawyer in IP Litigation" at the Euromoney Asia Women in Business Law Awards 2014. She is also recognised as a Tier 1 lawyer in enforcement and litigation by the World Trademark Review 1000, and ranked as a Tier 1 litigation and transactions professional by IAM Patent 1000. Kherk Ying is a registered trade mark, patent and design agent in Malaysia and the principal author of the CCH-published Intellectual Property Laws of Malaysia. She is among the few selected trainers for an IP valuation course by the Intellectual Property Corp of Malaysia (MyIPO) and is an accredited IP valuer by the World Trade Institute.

Author

Serene Kan is a partner in the Intellectual Property & Technology Practice Group of Wong & Partners, a member firm of Baker & McKenzie International in Kuala Lumpur.

Author

Chun Hau Ng is an Associate in the Kuala Lumpur office of Wong & Partners.