Currently, the liability for such non-compliance is only up to MYR 300,000 (~ USD 64,000) fine and/or two years imprisonment.

Data processors to comply with security principle

The PDPA currently only imposes legal obligations on data controllers. Under the Bill, the PDPA will directly require data processors² to comply with the security principle.

Under the security principle, data processors will need to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. In addition, the Bill also statutorily mandates that data processors in processing on behalf of data controllers, must do both the following:

1. Provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out
2. Take reasonable steps to ensure compliance with those measures

A failure to comply with the above will attract the Proposed Penalties.

Mandatory data breach notification

Data controllers will need to notify the Commissioner "as soon as practicable" (in the manner and form as determined by the Commissioner), if they have reason to believe that a personal data breach has occurred (i.e., any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data). Contravention of this requirement may attract up to MYR 250,000 (~ USD 54,000) fine and/or two years imprisonment.

Further, if the personal data breach causes or is likely to cause significant harm to the data subject, data controllers will additionally need to notify the data subject "without unnecessary delay" (in the manner and form as determined by the Commissioner).

Requirement to appoint data protection officer(s)

Each of the data controllers and data processors, will be required to appoint at least one data protection officer(s). These officers will be accountable to the respective data controller/processor, for the organisation's compliance with the PDPA.

New data portability rights

Subject to technical feasibility and compatibility of the data format, data subjects will have the right to request a data controller to transmit their personal data to another data controller of their choice, directly by giving a notice in writing by way of electronic means to the data controller.

Biometric data to become sensitive personal data

Under the Bill, the definition of "sensitive personal data" will be expanded to include biometric data. Biometric data is defined as any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person. This means that the processing of biometric data will be subject to a separate set of legal bases e.g., explicit consent of the data subject.

Changes to rules on cross-border transfers

Currently, the PDPA allows the Minister to do the following:

1. Issue a whitelist of places outside Malaysia to which personal data may be transferred
2. Determine the circumstances where cross-border transfer of personal data is necessary as being in the public interest

The Bill will remove these two powers, and will introduce a general legal basis for the transfer of personal data to a place outside of Malaysia, i.e., such transfers are allowed in either of the following:

1. There is in that place in force any law which is substantially similar to the PDPA
2. That place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA

The existing means of enabling cross-border data transfers (e.g., consent of data subject), remains unchanged.

Data subjects to exclude deceased individuals

Under the Bill, the definition of "data subject" will exclude deceased individuals. As "personal data" is defined under the PDPA with reference to "data subject", the introduction of this concept will result in the PDPA not applying to instances where a data controller processes personal data of a deceased individual.

Concluding remarks

The Bill reflects some of the proposals raised in the public consultation in 2020, while introducing further changes that are largely aligned with international standards and practices. Given that the Bill is still being discussed at the Parliament, the changes to the PDPA as highlighted above may be further revised.

Amending the principal legislation i.e., PDPA, is a key (but not the only) step being undertaken. The Minister of Digital announced in January 2024 that seven guidelines are being developed under the PDPA to supplement existing laws on personal data. They are:

• Notification of data breach guidelines, data protection officers guidelines, data portability guidelines, and cross-border data transfer guidelines – these will complement the legislative changes highlighted above
• Data protection impact assessment guidelines, privacy by design guidelines, and profiling and automated decision making guidelines – some of which have been proposed in the 2020 public consultation paper

1 Data controllers are those (other than data processors) who (either alone or jointly or in common with other persons) process any personal data or have control over or authorize the processing of any personal data.
2 Data processors are those (other than employees of the data controller) who process personal data solely on behalf of the data controller and do not process the personal data for any of their own purposes.