Malaysia: Public consultations on data breach notification, data protection officer and data portability

In brief

Following the passing of the Personal Data Protection (Amendment) Bill 2024 ("Bill") by the Malaysian Parliament in July 2024, three public consultation papers have been issued in relation to the implementation of the following impending new legal obligations:

  • Notifying the Personal Data Protection Commissioner ("Commissioner") and affected data subjects for personal data breach.
  • Appointing data protection officer(s).
  • Effecting the data subject's right to data portability.

The deadline to provide feedback is 6 September 2024 (Friday).


In more detail

We have earlier highlighted in our client alert some of the key changes brought by the Bill to the Personal Data Protection Act 2010 (PDPA) and that certain guidelines are being developed to complement the same. 

The recently published public consultation papers shed light on what may be required for compliance with some of the new legal requirements, while giving the opportunity for the public to contribute and shape the final draft of these subsidiary instruments under the PDPA.   

Data breach notification

To recap, the Bill will require data controllers to:

  • Notify the Commissioner "as soon as practicable", if they have reason to believe that a personal data breach (i.e., any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data) has occurred.
  • Additionally, notify the data subject "without unnecessary delay", if the personal data breach causes or is likely to cause significant harm to the data subject.

We have summarised below, the key data breach notification proposals provided for under the Public Consultation Paper No. 01/2024: The Implementation of Data Breach Notification:  

Threshold to notify
  • To the Commissioner: Where the personal data breach is likely to cause "significant harm" and/or involves 500 or more affected data subjects.
  • To affected data subjects: Where the personal data breach is likely to cause "significant harm" to affected data subjects, provided that the number of affected data subjects is likely to exceed 500 individuals.

Manner and form
  • To the Commissioner: Broadly the same as the current voluntary notification form.
  • To affected data subjects: Notify affected data subjects directly, with the notification containing at least certain prescribed details.

Timeframe
  • To the Commissioner: 72 hours after becoming aware of a data breach (i.e., with a reasonable degree of certainty based on sufficient evidence showing that a personal data breach has occurred).
  • To affected data subjects: At the same time as the notification to the Commissioner, or as soon as practicable thereafter.


"Significant harm" is proposed to mean any of the following:

  • The access, disclosure or loss of personal data from the personal data breach is likely to result in bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the data subjects' credit record, or damage to or loss of property.
  • The access, disclosure or loss of personal data results or is likely to result in serious harm to affected data subjects to whom the information relates, or has been, is being or will likely be misused for illegal purposes.
  • The personal data compromised by the personal data breach includes sensitive personal data or any other information that may be used to enable identity fraud such as usernames, passwords or identification numbers.

This paper also proposes some other aspects, such as certain exemptions from notifying affected data subjects, a requirement on data controllers to contractually bind data processors to notify them of personal data breaches, and specific record-keeping obligations.

Feedback to this paper may be provided via this link.

Data protection officer

To recap, the Bill will require each data controller and data processor to appoint at least one data protection officer (DPO), who will be accountable to the respective organisation for its compliance with the PDPA.

Under the Public Consultation Paper No. 02/2024: The Appointment of Data Protection Officer, some of the key proposals are as follows:

  • Who needs to appoint DPO: Only those carrying out data processing activities of a "large scale" by considering the prescribed factors (no specific quantitative threshold is being proposed).
  • From whom DPO may be appointed: From an external provider or internally among the employees.
  • How to qualify as DPO: Meet a minimum set of prescribed qualities and complete/obtain such training/certification as the Commissioner may later require.
  • Where should DPO be: Ordinarily resident in Malaysia, but a single DPO may serve multiple entities within the same group of companies.
  • What are the specific responsibilities of DPO: Carry out data protection impact assessments, ensure internal training is provided, act as a liaison point with data subjects and the Commissioner etc.
  • To whom DPO reports: Direct reporting line to the senior management team or equivalent.

Feedback to this paper may be provided via this link.

Data portability

To recap, the Bill will provide data subjects with a right to request a data controller to transmit their personal data to another data controller of their choice, subject to technical feasibility and compatibility of the data format.

Under the Public Consultation Paper No. 03/2024: The Right to Data Portability, some of the key proposals are as follows:

  • Readiness: No requirement to adopt new systems/processes to achieve technical feasibility for data portability, unless specified by the Commissioner or the relevant data controller forum.
  • Types of personal data in scope: Those personal data that meet all the following requirements: (a) directly provided by the data subject; (b) processed based on consent or contract with the data subject; (c) processed by automated means; and (d) not inferred/derived data. Whitelists of personal data subject to data portability will be issued, and will likely differ across sectors/industries.
  • Compliance timeline: 21 days, extendable by another 14 days.
  • Fees: May be charged to cover associated compliance costs, subject to a fee cap which may later be introduced.
  • Transmission method: Flexibility to determine the best method available to transmit the requested data, subject to any common set of standards or data formats which may later be specified.

Feedback to this paper may be provided via this link.

* * * * *


© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.