In more detail
A brief development timeline of the PDPA Amendment is as follows:
Note that certain ancillary provisions of the PDPA Amendment will come into operation on 1 January 2025. These include the rectification of the legislative text in the Malay language, revised powers of the Commissioner to open and maintain bank accounts, and the service of notices and other documents by electronic means.
The bulk of the key changes to the Personal Data Protection Act 2010 (PDPA), however, will come into force in the second quarter of 2025. We discuss each of these in more detail below.
Data processors to comply with security principle
Effective 1 April 2025, data processors[1] will be directly required to comply with the security principle.
This means that there may be criminal consequences (see "Increased penalties" below) if data processors fail to take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Such steps include the following:
- Providing sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out.
- Taking reasonable steps to ensure compliance with those measures.
Changes to cross-border transfer rules
Effective 1 April 2025, data controllers[2] will be allowed to transfer personal data to a place outside of Malaysia if either of the following conditions is met:
- There is in that place, in force, any law which is substantially similar to the PDPA.
- That place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.
Note that the PDPD has earlier proposed the adoption of a transfer impact assessment (TIA), setting out prescribed steps to take and non-exhaustive factors to consider, as a prerequisite for relying on either of the above new conditions.
The above means that there will soon be additional legal bases which data controllers may seek to rely on for cross-border transfers, on top of the existing means (e.g., consent of data subjects), but subject to further requirements that the PDPD may introduce (e.g., TIA).
Revised definitions of "personal data" and "sensitive personal data"
Effective 1 April 2025, the definitions of:
- "sensitive personal data" will be expanded to include "biometric data", which is defined as any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person.
- "personal data" will be narrowed to exclude personal data of deceased individuals.
This means that the processing of biometric data will be subject to a separate set of legal bases (e.g., obtaining explicit consent of the data subjects), while deceased individuals' data will be expressly excluded from the requirements under the PDPA.
Increased penalties
Effective 1 April 2025, the criminal penalties for contravening any of the seven personal data protection principles under the PDPA will have higher upper limits of:
- A fine of MYR one million (around USD 230,000), instead of MYR 300,000 (around USD 69,000).
- Imprisonment of three years, instead of two years.
This means that the potential consequences and exposure will become higher for both data controllers (with respect to all those principles) and data processors (with respect to the security principle) if they fail to comply.
Data protection officer (DPO) appointment
Effective 1 June 2025, data controllers and data processors will each need to appoint at least one DPO, who will be accountable to the respective organisation for its compliance with the PDPA.
Note that the PDPD has earlier proposed that only those carrying out data processing activities of a "large scale" will need to appoint a DPO. There are also other proposals covering who can be appointed as a DPO, DPO qualifications, residency, specific responsibilities and reporting line.
The above means that, notwithstanding the catch-all legislative language, it may not be necessary for all data controllers and data processors to appoint a DPO. Further, any DPO appointment should observe the relevant requirements that are being finalised and will be issued.
Mandatory data breach notifications
Effective 1 June 2025, data controllers will need to:
- Notify the Commissioner "as soon as practicable", if they have reason to believe that a personal data breach has occurred (i.e., any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data).
- Additionally, notify the data subject "without unnecessary delay", if the personal data breach causes or is likely to cause significant harm to the data subject.
Note that the PDPD has earlier proposed the specific threshold (including the concept of "significant harm") to trigger notifications, the manner and form of notifications, and the specific timeframe of notifications.
The above means that, notwithstanding the wide legislative language, it may not be necessary for data controllers to make notifications in respect of all personal data breaches. Other details relating to the notifications are also being finalised and will be issued.
Data subject rights to data portability
Effective 1 June 2025, data subjects will have the right to request a data controller to transmit their personal data to another data controller of their choice, subject to technical feasibility and compatibility of the data format.
Note that the PDPD has earlier proposed further details in this regard, including the types of personal data in scope and the compliance timelines for meeting such requests.
The above means that data controllers will need to be ready to address requests from data subjects exercising this new right, on top of the existing data subject rights such as access and correction, subject to the implementation details that are being finalised and will be issued.
Conclusion: Next steps forward
The PDPD announced in November 2024 that four guidelines on cross-border data transfer, DPO, data breach notification and data portability will be released by early 2025. These guidelines are likely to materialise ahead of the coming into force of the relevant provisions and help organisations to fill in the implementation details that are lacking under the PDPA Amendment.
Given that no transitional or grace periods have been announced to date, organisations should start preparing for the applicable additional compliance obligations and keep a close eye on this space.
[1] Data processors are those (other than employees of the data controller) who process personal data solely on behalf of the data controller and do not process the personal data for any of their own purposes.
[2] Data controllers are those (other than data processors) who (either alone or jointly or in common with other persons) process any personal data or have control over or authorize the processing of any personal data.
* * * * *
Chun Hau Ng, Associate, has co-authored this legal update.
© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.