Malaysia: Personal Data Protection (Amendment) Act 2024 to come into force

In brief

The key changes introduced by the Personal Data Protection (Amendment) Act 2024 ("PDPA Amendment") will come into force on:

  • 1 April 2025 – direct obligations on data processors to comply with the security principle, changes to cross-border transfer rules, revised definitions of "sensitive personal data" and "personal data", and increased penalties.
  • 1 June 2025 – data protection officer (DPO) appointment, mandatory data breach notifications, and data subject rights to data portability.

We summarise below each of these key changes and what it means for organisations, taking into account the implementation details that are being developed by the Personal Data Protection Department (PDPD).


In more detail

A brief development timeline of the PDPA Amendment is as follows:

[Figure: development timeline of the PDPA Amendment]

Note that certain ancillary provisions of the PDPA Amendment will come into operation on 1 January 2025. These include the rectification of the legislative text in the Malay language, revised powers of the Commissioner to open and maintain bank accounts, and service of notices and other documents by electronic means.

The bulk of the key changes to the Personal Data Protection Act 2010 (PDPA), however, will come into force in the second quarter of 2025. We discuss each of these in more detail below.

Data processors to comply with security principle

Effective 1 April 2025, data processors1 will be directly required to comply with the security principle.

This means that there may be criminal consequences (see "Increased penalties" below) if data processors fail to take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Those practical steps include the following:

  1. Providing sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out.
  2. Taking reasonable steps to ensure compliance with those measures.

Changes to cross-border transfer rules

Effective 1 April 2025, data controllers2 will be allowed to transfer personal data to a place outside of Malaysia, if any of the following conditions are met:

  1. There is in that place, in force, any law which is substantially similar to the PDPA.
  2. That place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.

Note that the PDPD has earlier proposed the adoption of a transfer impact assessment (TIA), setting out prescribed steps to take and non-exhaustive factors to consider, as a precondition to relying on either of the above new conditions.

The above means that there will soon be additional legal bases which data controllers may seek to rely on for cross-border transfers, on top of the existing means (e.g., consent of data subjects), but subject to further requirements that the PDPD may introduce (e.g., TIA).

Revised definitions of "personal data" and "sensitive personal data"

Effective 1 April 2025, the definitions of:

  • "sensitive personal data" will be expanded to include "biometric data", which is defined as any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person.
  • "personal data" will be narrowed to exclude personal data of deceased individuals.

This means that the processing of biometric data will be subject to a separate set of legal bases (e.g., obtaining the explicit consent of the data subjects), while deceased individuals' data will be expressly excluded from the requirements under the PDPA.

Increased penalties

Effective 1 April 2025, the criminal penalties for contravening any of the seven personal data protection principles under the PDPA will have higher upper limits of:

  • A fine of MYR one million, or around USD 230,000 (instead of MYR 300,000, or around USD 69,000).
  • Three years' imprisonment (instead of two years).

This means that the potential consequences and exposure will become higher for both data controllers (with respect to all those principles) and data processors (with respect to the security principle) if they fail to comply.

Data protection officer (DPO) appointment

Effective 1 June 2025, data controllers and data processors will each need to appoint at least one DPO, who will be accountable to the respective organisation for its compliance with the PDPA.

Note that the PDPD has earlier proposed that only those carrying out data processing activities of a "large scale" will need to appoint a DPO. There are also other proposals covering who can be appointed as DPO, DPO qualifications, residency, specific responsibilities and reporting line.

The above means that, notwithstanding the catch-all legislative language, it may not be necessary for all data controllers and data processors to appoint a DPO. Further, any DPO appointment should observe the relevant requirements that are being finalised and are yet to be issued.

Mandatory data breach notifications

Effective 1 June 2025, data controllers will need to:

  1. Notify the Commissioner "as soon as practicable", if they have reason to believe that a personal data breach has occurred (i.e., any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data).
  2. Additionally, notify the data subject "without unnecessary delay", if the personal data breach causes or is likely to cause significant harm to the data subject.

Note that the PDPD has earlier proposed the specific threshold (including the concept of "significant harm") that triggers notifications, the manner and form of notifications, and the specific timeframe for notifications.

The above means that, notwithstanding the wide legislative language, it may not be necessary for data controllers to make notifications in respect of all personal data breaches. Other details relating to the notifications are also being finalised and will be issued.

Data subject rights to data portability

Effective 1 June 2025, data subjects will have the right to request a data controller to transmit their personal data to another data controller of their choice, subject to technical feasibility and compatibility of the data format.

Note that the PDPD has earlier proposed further details in this regard, including the types of personal data in scope and the compliance timelines for meeting such requests.

The above means that data controllers will need to be ready to address requests from data subjects exercising this new right, on top of the existing data subject rights such as access and correction, subject to the implementation details that are being finalised and are yet to be issued.

Conclusion: Next steps forward

The PDPD announced in November 2024 that four guidelines on cross-border data transfer, DPO, data breach notification and data portability will be released by early 2025. These guidelines are likely to materialise ahead of the coming into force of the relevant provisions and help organisations to fill in the implementation details that are lacking under the PDPA Amendment.

Given that no transitional or grace periods have been announced to date, organisations should start preparing for the applicable additional compliance obligations and keep a close eye on this space.


1 Data processors are those (other than employees of the data controller) who process personal data solely on behalf of the data controller and do not process the personal data for any of their own purposes.

2 Data controllers are those (other than data processors) who (either alone or jointly or in common with other persons) process any personal data or have control over or authorize the processing of any personal data.

* * * * *

Chun Hau Ng, Associate, has co-authored this legal update.

© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
