On 31 July 2024, the Personal Data Protection (Amendment) Bill 2024 (“Bill”)[1], aimed at enhancing data privacy protocols in commercial transactions and bolstering protections against personal data breaches and instances of misuse within Malaysia, was passed in the Dewan Negara on its second reading. The Bill was tabled in the Dewan Rakyat for its first reading on 10 July 2024 and is set to be presented to the Yang di-Pertuan Agong for his Royal Assent, before it becomes an Act of Parliament.
This alert outlines several key proposed amendments to the Personal Data Protection Act 2010 (“PDPA 2010”) as set out in the Bill, which would have a beneficial impact on Malaysia’s data privacy legal landscape if gazetted into law.
Key Proposed Amendments to the PDPA 2010
1. Definitions
The Bill proposes to introduce new definitions and amend existing definitions, as follows:
(a) “biometric data” is defined as any personal data resulting from technical processing relating to the physical, physiological, or behavioural characteristics of a person;
(b) “personal data breach” is defined as any breach, loss, misuse, or unauthorized access of personal data;
(c) the defined term “data user” is substituted with the term “data controller”; and
(d) the definition of “data subject” expressly excludes a deceased individual. With this proposed amendment, the PDPA 2010 would not apply to the personal data of a deceased person.
2. Mandatory Appointment of Data Protection Officer(s)
Data controllers and data processors at present are not obligated to appoint a data protection officer (DPO) under the PDPA 2010.
Pursuant to the Bill, the appointment of one or more data protection officers to ensure compliance with the PDPA 2010 becomes mandatory.
In this regard, one way for such data protection officer(s) to ensure compliance is to engage legal firms to (i) carry out a gap analysis exercise on the existing data protection policies and practices in the relevant organization to identify potential areas which require updates and improvements, and (ii) provide training and workshops to employees and staff on the implementation of such updated policies and practices to increase awareness.
3. Mandatory Data Breach Notification
Presently, data controllers are not compelled to notify the Personal Data Protection Commissioner (“Commissioner”) of any data breach incident, although Section 106 of the PDPA 2010 provides an avenue for any relevant person to make a complaint to the Commissioner about an act or practice that may contravene the data protection laws.
One of the proposed amendments under the Bill is the introduction of a mandatory statutory requirement for data controllers to notify the Commissioner, as soon as practicable, of any data breach incident, if the data controller has reason to believe that a data breach has occurred. Further, data controllers are also required to notify the data subject, in the manner and form determined by the Commissioner and without unnecessary delay, if the data breach incident is likely to cause any significant harm to the data subject.
Failure to comply with the data breach notification requirement is an offence and on conviction, a data controller may be liable for a fine not exceeding RM 250,000 or imprisonment for a maximum term of 2 years.
4. The Right to Data Portability
The current PDPA 2010 does not confer on data subjects the right to obtain and reuse their personal data for their own purposes across different service providers.
The Bill introduces a new data portability provision, Section 43A, to allow a data subject to request that a data controller transmit the data subject’s personal data directly to another data controller of the data subject’s choice, by giving written notice to the data controller by electronic means, subject to technical feasibility and compatibility of the data format.
The concept of data portability would streamline data transfers between service providers, giving data subjects greater control over their personal information. Nevertheless, organizations should implement adequate measures to ensure the secure transfer of personal data.
5. Transfer of Personal Data to Jurisdictions outside of Malaysia
Section 129(1) of the PDPA 2010 currently prohibits the transfer of personal data to jurisdictions outside of Malaysia, save and except for the jurisdictions included in a whitelist to be issued and gazetted by the Minister of Digital. To date, no whitelist has been gazetted by the Minister.
The Bill revises Section 129 by removing the provisions relating to the issuance of a whitelist and empowering data controllers to transfer data across borders, provided that the criteria set out in the Act are satisfied. This amendment is poised to foster a more dynamic digital economy and boost cross-border collaborations.
6. Data Processors to Comply with the Security Principle
Under the PDPA 2010, where the processing of personal data is carried out by data processors on behalf of the data controllers, the obligation lies with the data controllers to ensure that the data processors have in place technical and organizational security measures and comply with such measures.
Under the Bill, data processors are required to comply specifically with the Security Principle under Section 9 of the PDPA 2010 – that is, to employ practical security measures to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction, and to take steps to comply with such measures.
7. Increased Penalties for Breach of Personal Data Protection Principles
Under the Bill, the penalty for non-compliance with the personal data protection principles outlined in Sections 6, 7, 8, 9, 10, 11 and 12 of the PDPA 2010, for both data controllers and data processors, is a fine of up to RM1,000,000, imprisonment of up to 3 years, or both.
Conclusion
The proposed amendments to the Personal Data Protection Act 2010, as outlined in the Personal Data Protection (Amendment) Bill 2024, represent a significant step forward for Malaysia in the data protection landscape, bringing Malaysia’s data protection regulatory framework in line with international standards and the European Union’s General Data Protection Regulation.
Organizations are strongly advised to conduct a comprehensive review of their existing data protection measures to ensure continued adherence to the PDPA 2010 in a data-driven world.
With our vast experience in drafting and reviewing data protection policies and procedures adopted by commercial organizations and advising on data protection laws, our team of dedicated lawyers is ready to assist your organization in establishing a robust data privacy compliance framework, tailored to meet the demands of these new regulatory requirements.
21 August 2024