PERSONAL DATA PROTECTION (AMENDMENT) BILL 2024: WHAT YOU NEED TO KNOW


Introduction

The Personal Data Protection Act 2010 (“PDPA”) was enacted to regulate the processing of personal data in commercial transactions (excluding the state governments and the Federal Government), ensuring that personal data is managed securely and transparently. Over the past decade, significant advancements in technology and the increasing incidence of data breaches, cyber threats and other crimes such as online fraud have necessitated a review and update of the existing legislation.

As a result, the Malaysian Parliament is on the brink of making significant amendments to the PDPA, embodied in the Personal Data Protection (Amendment) Bill 2024 (the “Bill”). This amendment aims to align Malaysia’s data protection framework with international standards and address the evolving digital landscape. Understanding these changes is crucial for compliance and safeguarding business operations. Here’s a detailed look at the key amendments and their implications.

Key Takeaways

  • Data Processors must now comply with the Security Principle. Failure to do so may cause Data Processors to be directly liable under the PDPA.
  • Increased penalties (up to RM1 million fine and/or 3 years imprisonment) for breach of the Data Protection Principles under the PDPA.
  • Mandatory appointment of a designated Data Protection Officer.
  • Mandatory data breach notification obligations imposed.
  • Introduction of “data portability rights” for data subjects.
  • Removal of country “whitelist” for cross-border transfer of personal data. Any cross-border transfers require internal regulatory assessment by the data controller.

The Bill

The key amendments include:

  1. Amendment to the Existing Definition in Section 4 of PDPA
    • Data Controller: In the existing provision in PDPA, “data user” means “a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor”. The term “data user” is substituted with “data controller” to align with international terminology, including the EU General Data Protection Regulation (GDPR). This change does not alter the definition but standardizes the terminology used.
    • Requestor: In the definition of “requestor”, the words “data access request or data correction request” will be replaced by the words “data access request, data correction request or data portability request”.
    • Data Subject: The definition of “data subject” will not include a deceased individual.
  2. Introduction of New Definitions in Section 4 of PDPA

The Bill introduced new definitions to the Act, including:

    • Biometric Data: It is categorised as sensitive personal data, referring to “any personal data resulting from technical processing related to physical, physiological, or behavioural characteristics.”
    • Personal Data Breach: It is defined as “any breach of personal data, loss of personal data, misuse of personal data or unauthorized access to personal data.”
  3. Additional Responsibility on Data Processors

Data Processor is defined as “any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes.”

Previously, only data users/controllers were required to adhere to the Personal Data Protection Principles, which include: (a) the General Principle; (b) the Notice and Choice Principle; (c) the Disclosure Principle; (d) the Security Principle; (e) the Retention Principle; (f) the Data Integrity Principle; and (g) the Access Principle.

The Bill imposes a new obligation directly on data processors, where the processing of personal data is carried out by a data processor on behalf of the data user/controller. The data processor shall comply with the Security Principle as specified in Section 9 of the PDPA, in relation to taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Failure to comply with this provision may result in penalties (discussed below) being imposed on the data processor.

  4. Increased Penalties for Non-Compliance with the Personal Data Protection Principles

Non-compliance with the Personal Data Protection Principles is now punishable with fines of up to RM1,000,000 (an increase from a maximum of RM300,000) and/or imprisonment of up to 3 years (an increase from a maximum of 2 years).

  5. The New Concept of “Personal Data Accountability”

Data breaches were the second most reported cybersecurity incident in 2023, according to Cyber Security Malaysia, following fraud crimes. Notable breaches include the compromise of customers’ information of certain telecommunication and multimedia companies, highlighting significant weaknesses in data protection of businesses in Malaysia.

The Bill aims to enhance data protection by introducing the “Personal Data Accountability”, with two new sections:

    • Section 12A: Appointment of Data Protection Officers (DPOs):

Data users/controllers and data processors are now required to appoint one or more Data Protection Officers (“DPOs”). The data user/controller shall notify the Personal Data Commissioner (“Commissioner”) of the appointment of a data protection officer in the manner and form determined by the Commissioner.

Recognizing that smaller companies might face challenges in appointing DPOs due to cost constraints, there are no stringent requirements for high-level qualifications for DPOs. The focus is on ensuring compliance rather than academic credentials.

    • Section 12B: Data Breach Notification:

Previously, data breach notifications were not mandatory, and data users/controllers were advised to make such notifications as a matter of good practice. Now, data users/controllers are mandated to notify the Commissioner of data breaches as soon as practicable, in a manner and in a form to be determined by the Commissioner. Failure to comply with this requirement is punishable with a fine of up to RM250,000 and/or imprisonment of up to 2 years.

  6. The New Right of Data Portability

The Bill introduces the right of data subjects to request the transfer of their personal data from one data controller to another. This allows data subjects to have their personal data transferred directly to another data controller, minimizing the need to resubmit personal information when switching controllers. To exercise this right, data subjects must submit a written request via electronic means to the data controller, provided that the data format is technically feasible and compatible. Upon receiving such a request, the data controller is required to complete the data transfer within a specified period.

  7. New Responsibility for the Data Controller in Cross-Border Data Transfers

Previously, Section 129 of PDPA required that personal data may only be transferred to places outside Malaysia as specified by the Minister in a notification published in the gazette. This power granted to the Minister is removed. The amendment allows personal data to be transferred outside Malaysia if the receiving country has an adequate level of protection in relation to the processing of personal data that is at least equivalent to the level of protection provided by PDPA.

The data controller has the responsibility to ensure that the place outside Malaysia to which the data is transferred has a level of data protection equivalent to that of the PDPA. Failure of the data officer to comply with this requirement is punishable with a fine of up to RM300,000 and/or imprisonment of up to 2 years. Businesses engaged in cross-border transactions are therefore advised to evaluate the data protection frameworks of their foreign partners to ensure compliance.

  8. New Service Method

The existing provision of Section 136 only allows delivery of a notice or document by hand, by post, or by leaving the notice or document at the last known address of residence or place of care. The revised provision now also includes delivery via electronic means.

Future Developments

There are also plans to develop seven (7) new guidelines to supplement the PDPA, including: Notification of Data Breach Guidelines; Data Protection Officers Guidelines; Data Portability Guidelines; Cross Border Data Transfer Guidelines and Mechanism; Data Protection Impact Assessment Guidelines; Privacy by Design Guidelines; and Profiling and Automated Decision-Making Guidelines.[1]

Additionally, by the end of this year (2024), Parliament aims to present the Data Sharing Act (Omnibus Act) to establish the main principles for the Bill.[2]

Conclusion

The passing of the Bill at the House of Representatives (Dewan Rakyat) signifies the progress in the ongoing efforts of the current government to improve the country’s data protection framework.

Together with the anticipated introduction of the Cybersecurity Act (which is expected to come into force soon) and the increased enforcement efforts of the Personal Data Protection Commission, businesses should ensure that they are not left lagging behind in the ever-evolving digital landscape.

Additionally, these changes underscore the importance of robust data protection practices. By embracing these amendments, businesses can not only ensure compliance but also build stronger relationships with their customers and partners, positioning themselves for success in this increasingly digital global economy.

 

Key Contacts

  • YEOW JIE HAN (Partner)

Corporate Commercial, Intellectual Property & Technology
+6017 368 3975

  • TEOH KAI LIN (Legal Associate)

Corporate Commercial, Intellectual Property & Technology
+6013 330 1063