Introduction
The Personal Data Protection Act 2010 (“PDPA”) was enacted to regulate the processing of personal data in commercial transactions (excluding the state governments and the Federal Government), ensuring that personal data is managed securely and transparently. Over the past decade, significant advances in technology and the increasing incidence of data breaches, cyber threats and other crimes such as online fraud have necessitated a review and update of the existing legislation.
As a result, the Malaysian Parliament is on the brink of making significant amendments to the PDPA, embodied in the Personal Data Protection (Amendment) Bill 2024 (the “Bill”). This amendment aims to align Malaysia’s data protection framework with international standards and address the evolving digital landscape. Understanding these changes is crucial for compliance and safeguarding business operations. Here’s a detailed look at the key amendments and their implications.
Key Takeaways
The Bill
The key amendments include:
The Bill introduces new definitions into the Act, including:
“Data processor” is defined as “any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes.”
Previously, only data users/controllers were required to adhere to the Personal Data Protection Principles, which include: (a) the General Principle; (b) the Notice and Choice Principle; (c) the Disclosure Principle; (d) the Security Principle; (e) the Retention Principle; (f) the Data Integrity Principle; and (g) the Access Principle.
The Bill imposes a new obligation directly on data processors where the processing of personal data is carried out by a data processor on behalf of the data user/controller. The data processor shall comply with the Security Principle in Section 9 of the PDPA by taking practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Failure to comply with this provision may result in penalties (discussed below) being imposed on the data processor.
Non-compliance with the Personal Data Protection Principles is now punishable with a fine of up to RM1,000,000 (an increase from a maximum of RM300,000) and/or imprisonment of up to 3 years (an increase from a maximum of 2 years).
Data breaches were the second most reported cybersecurity incident in 2023, according to Cyber Security Malaysia, following fraud crimes. Notable breaches include the compromise of customers’ information of certain telecommunication and multimedia companies, highlighting significant weaknesses in data protection of businesses in Malaysia.
The Bill aims to enhance data protection by introducing “Personal Data Accountability” through two new sections:
Data users/controllers and data processors are now required to appoint one or more Data Protection Officers (“DPOs”). The data user/controller shall notify the Personal Data Commissioner (“Commissioner”) of the appointment of a data protection officer in the manner and form determined by the Commissioner.
Recognizing that smaller companies might face challenges in appointing DPOs due to cost constraints, there are no stringent requirements for high-level qualifications for DPOs. The focus is on ensuring compliance rather than academic credentials.
Previously, data breach notifications were not mandatory, and data users/controllers were advised to make such notifications as a matter of good practice. Now, data users/controllers are mandated to notify the Commissioner of data breaches as soon as practicable, in a manner and in a form to be determined by the Commissioner. Failure to comply with this requirement is punishable with a fine of up to RM250,000 and/or imprisonment of up to 2 years.
The Bill introduces the right of data subjects to request the transfer of their personal data from one data controller to another. This allows data subjects to have their personal data transferred directly to another data controller, minimising the need to resubmit personal information when switching controllers. To exercise this right, data subjects must submit a written request via electronic means to the data controller, provided that the data format is technically feasible and compatible. Upon receiving such a request, the data controller is required to complete the data transfer within a specified period.
Previously, Section 129 of the PDPA provided that personal data could only be transferred to places outside Malaysia specified by the Minister in a notification published in the Gazette. This power of the Minister has been removed. The amendment allows personal data to be transferred outside Malaysia if the receiving country has an adequate level of protection for the processing of personal data that is at least equivalent to the level of protection provided by the PDPA.
The data controller is responsible for ensuring that the place outside Malaysia to which the data is transferred provides a level of data protection equivalent to that of the PDPA. Failure to comply with this requirement is punishable with a fine of up to RM300,000 and/or imprisonment of up to 2 years. Businesses engaged in cross-border transactions are therefore advised to evaluate the data protection frameworks of their foreign partners to ensure compliance.
The existing Section 136 only allows a notice or document to be delivered by hand, by post, or by leaving it at the last known address of residence or place of care. The revised provision now also allows delivery via electronic means.
Future Developments
There are also plans to develop seven (7) new guidelines to supplement the PDPA, including: Notification of Data Breach Guidelines; Data Protection Officers Guidelines; Data Portability Guidelines; Cross Border Data Transfer Guidelines and Mechanism; Data Protection Impact Assessment Guidelines; Privacy by Design Guidelines; and Profiling and Automated Decision-Making Guidelines.[1]
Additionally, by the end of this year (2024), Parliament aims to present the Data Sharing Act (Omnibus Act) to establish the main principles for the Bill.[2]
Conclusion
The passing of the Bill at the House of Representatives (Dewan Rakyat) signifies the progress in the ongoing efforts of the current government to improve the country’s data protection framework.
Taken together with the anticipated introduction of the Cybersecurity Act (which is expected to come into force soon) and the increased enforcement efforts of the Personal Data Protection Commission, businesses should ensure that they are not caught lagging behind in the ever-evolving digital landscape.
Additionally, these changes underscore the importance of robust data protection practices. By embracing these amendments, businesses can not only ensure compliance but also build stronger relationships with their customers and partners, positioning themselves for success in this increasingly digital global economy.