Malaysia’s Personal Data Protection Act (PDPA) was enacted in 2010 and came into force in November 2013, making Malaysia the first country in the Association of Southeast Asian Nations (ASEAN) to enact comprehensive privacy legislation.
On July 31, 2024, the Personal Data Protection (Amendment) Bill 2024 (PDP Bill) was passed by the Dewan Negara (Malaysia’s Senate). It is expected to receive royal assent and thereafter come into force on a date to be appointed by the Minister of Digital by notification in the Gazette.
The PDP Bill introduces significant amendments to the PDPA, including specific definitions, new obligations on data controllers and stricter penalties for non-compliance. These amendments align the PDPA with internationally recognised standards, positioning Malaysia alongside its regional peers in Asia-Pacific, including Singapore, Indonesia, the Philippines, Thailand and Vietnam.
According to Malaysia’s Digital Minister, Gobind Singh Deo, these changes are driven by rapid technological advancements that necessitate society’s reliance on digital platforms for business, coupled with an expectation of protection. His comments come in response to a recent rise in complaints regarding the misuse and breach of personal data, an increase in personal data breaches, and a growing number of online fraud cases.
We outline below key changes brought about by the PDP Bill and its impact on businesses:
Concluding Remarks
Amendment | Impact on Businesses |
---|---|
1. “Data Controller” to Replace “Data User” The current definition of a “data user” under the PDPA refers to “a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data but does not include a data processor”. The PDP Bill seeks to substitute the term “data user” with “data controller”, aligning with the more widely adopted terminology in personal data protection regimes in other jurisdictions, including the EU and Thailand. | This change is predominantly cosmetic and will not materially impact the obligations of data users/data controllers under the PDPA. However, when the PDP Bill comes into force, existing personal data protection notices, policies or agreements with references to the statutory term “data user” may require updates in accordance with the new legal framework. |
2. Direct Responsibilities on Data Processors Data processors are presently not legally required to comply with the security principle under the PDPA. Instead, the PDPA mandates that data users ensure that data processors:
Additionally, the PDP Bill introduces direct penalties for data processors who fail to comply with the security principle. Data processors found in breach of the security principle will be guilty of an offence and, upon conviction, may face a fine of up to RM1,000,000 and/or imprisonment for up to 3 years. | When the PDP Bill comes into force, businesses operating as data processors must reassess their operational and business practices to comply with the new obligations and requirements under the PDPA. |
3. Appointment of Data Protection Officers The PDP Bill introduces a mandatory requirement for a data controller, and data processors processing data on behalf of the data controller, to appoint one or more Data Protection Officers (DPOs) to ensure compliance with the PDPA. The data controller must notify these appointments to the Personal Data Protection Commissioner (Commissioner) in the manner and form as may be determined by the Commissioner. | The PDP Bill does not give many specifics of this requirement, such as the minimum qualifications or expertise required of DPOs. Further details will likely be provided in the upcoming Data Protection Officer Guidelines being developed by the Commissioner. In the meantime, businesses should consider appropriate candidates for the role of DPO and formalise the role within the organisation with clear responsibilities and authority. |
4. Increased Penalties for Breach of Personal Data Protection Principles Section 5 of the PDPA sets out seven personal data protection principles, for example, the General Principle, the Notice and Choice Principle, and the Disclosure Principle (collectively, PDP Principles). The PDP Bill proposes to increase the penalties for the breach of the PDP Principles to a fine of up to RM1,000,000 and/or a term of imprisonment of up to 3 years, up from the current fine of up to RM300,000 and/or term of imprisonment of 2 years. | Unless proven otherwise (e.g. offence was committed without individual’s knowledge and/or individual has taken all reasonable precautions and due diligence to avoid committing an offence), directors, CEOs, COOs, managers or officers responsible for the management of the data controller may be deemed to have contravened the PDP Principles, and be severally or jointly liable with the body corporate for the offence (and similarly be liable for the penalties proposed by the PDP Bill). Therefore, businesses should provide comprehensive training for employees on the importance of data protection and the specific requirements of the PDP Principles. Businesses will also have to establish and maintain rigorous compliance measures, including regular audits and assessments to identify and rectify potential breaches. |
5. Mandatory Data Breach Notification The PDP Bill introduces the requirement for a data controller to provide data breach notifications to the Commissioner as soon as practicable if the data controller believes a personal data breach has occurred. Additionally, if the breach “causes or is likely to cause significant harm to the data subject”, the data controller must also inform the data subject without unnecessary delay. Failure to comply is an offence for a data controller and can result in a fine of up to RM250,000 and/or imprisonment for up to 2 years. The PDP Bill defines “personal data breach” as any breach, loss, misuse or unauthorised access of personal data. However, the PDP Bill does not provide for the definition of “significant harm”. | The PDP Bill is silent on the specifics for the requirements of this obligation, such as notification thresholds and notification timeframe. Further details are likely to be addressed in the upcoming Data Breach Notification Guidelines. When these details are published, businesses should establish a data breach notification protocol compliant with such guidelines. |
6. Data Subject’s Right to Data Portability The PDP Bill introduces the right to data portability for data subjects, allowing data subjects to request the data controller to transmit his/her personal data to another data controller of his/her choice, provided the transfer is technically feasible and the data formats are compatible. Data subjects can exercise this right by providing written notice through electronic means, and the data controller must complete the transmission of personal data within the prescribed period. | Businesses should prepare for the operationalisation of data portability rights, including developing and implementing processes for handling data portability request (e.g. verifying the feasibility and compatibility of data transfers), establishing clear protocols for receiving, processing and fulfilling data portability requests within the prescribed timeframe, as well as educating employees about the new right to data portability and the procedures for managing such requests. |
7. Removal of the White-list Regime for Cross-border Data Transfers The PDP Bill proposes to remove the current white-list regime is found in section 129 of the PDPA, which has not been utilised since the inception of the PDPA. Under the white-list regime, a data user shall not transfer any personal data of a data subject to a place outside Malaysia, unless it is to a place specified by the Minister (currently the Digital Minister) based on the Commissioner’s recommendation and published in the Gazette. However, the PDP Bill seeks to allow a data controller to transfer the personal data of a data subject to any place outside Malaysia if that place:
| Businesses may be required to undertake regulatory assessments to determine whether the receiving country has an “adequate” level of data protection. |
8. Exclusion of Deceased Individual as Data Subject The PDP Bill refines the existing definition of “data subject” by explicitly excluding deceased individuals. | Businesses to note and update internal policies, and procedures to reflect the exclusion of deceased individuals from data protection rights. |
9. Biometric Data is Sensitive Personal Data The PDP Bill seeks to expand the definition of “sensitive personal data” under the PDPA by expressly including “biometric data”, which is defined as any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person (e.g. facial or fingerprint verification). | Businesses processing biometric data will need to revise their privacy policies to comply with the more stringent consent and security requirements applicable to sensitive personal data under the PDPA. |
The amendments to the PDPA represent a significant advancement in strengthening data protection in Malaysia and reflects the maturing of privacy frameworks globally towards stricter data protection regulations. This provides an opportunity for businesses to enhance their data protection practices and align with global standards. However, the Digital Minister has also announced that several guidelines are being developed to complement the changes introduced by the PDP Bill, including:
- Data Breach Notification Guidelines
- Data Protection Officers Guidelines
- Data Portability Guidelines
- Cross-border Data Transfer Guidelines and Mechanisms
- Data Protection Impact Assessment Guidelines
- Privacy by Design Guidelines
- Profiling and Automated Decision-making Guidelines
Therefore, businesses should monitor the developments in this space closely and be ready to update their privacy policies to address any new compliance requirements.
Privacy World will continue to monitor Asian data privacy legislative developments and keep you in the loop on new developments related to data privacy, cybersecurity and artificial intelligence.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.