Malaysia: Personal Data Protection (Amendment) Bill 2024

In brief

The long-awaited Personal Data Protection (Amendment) Bill 2024 ("Bill") has now been made publicly available. Among the key changes it seeks to introduce are:

  1. Direct obligations for data processors
  2. Mandatory data breach notification
  3. Requirement to appoint data protection officer(s)
  4. New data subject rights on data portability
  5. An expanded definition of sensitive personal data
  6. A general legal basis for cross-border transfers

In more detail

The intention to amend the Personal Data Protection Act 2010 ("PDPA") can be traced back as early as the year 2020, when the Personal Data Protection Commissioner ("Commissioner") issued the Public Consultation Paper No. 1/2020 with 22 proposals as part of a review of the PDPA.

After the COVID-19 pandemic and several changes to the Malaysian Cabinet, the Bill has finally seen the light of day and is undergoing parliamentary debate (and, hopefully, approval) during the present parliamentary sitting running up to 18 July 2024. Besides nomenclature updates (i.e., from "data users" to "data controllers"), the key changes the Bill brings to the PDPA are discussed in more detail below.

Increased penalties

Non-compliance with any of the seven personal data protection principles under the PDPA will attract higher penalties than before. Specifically, non-compliance may result in a data controller¹ being punished with a fine of up to MYR one million (~USD 216,000) and/or three years' imprisonment ("Proposed Penalties").

Unless proven otherwise (e.g., that the offence was committed without the individual's knowledge and the individual had taken all reasonable precautions and due diligence to prevent the commission of the offence), directors, CEOs, COOs, managers or officers responsible for the management of a data controller may be deemed to have contravened the same and be liable, severally or jointly with the body corporate, for the offence (and similarly be subject to the Proposed Penalties).

Currently, the penalty for such non-compliance is only a fine of up to MYR 300,000 (~USD 64,000) and/or two years' imprisonment.

Data processors to comply with security principle

The PDPA currently only imposes legal obligations on data controllers. Under the Bill, the PDPA will directly require data processors² to comply with the security principle.

Under the security principle, data processors will need to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. In addition, the Bill also statutorily mandates that data processors, when processing on behalf of data controllers, must do both of the following:

  1. Provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out
  2. Take reasonable steps to ensure compliance with those measures

A failure to comply with the above will attract the Proposed Penalties.

Mandatory data breach notification

Data controllers will need to notify the Commissioner "as soon as practicable" (in the manner and form determined by the Commissioner) if they have reason to believe that a personal data breach has occurred (i.e., any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data). Contravention of this requirement may attract a fine of up to MYR 250,000 (~USD 54,000) and/or two years' imprisonment.

Further, if the personal data breach causes or is likely to cause significant harm to the data subject, data controllers will additionally need to notify the data subject "without unnecessary delay" (in the manner and form determined by the Commissioner).

Requirement to appoint data protection officer(s)

Data controllers and data processors will each be required to appoint at least one data protection officer. These officers will be accountable to the respective data controller or data processor for the organisation's compliance with the PDPA.

New data portability rights

Subject to technical feasibility and compatibility of the data format, data subjects will have the right to request that a data controller transmit their personal data directly to another data controller of their choice, by giving notice in writing, by electronic means, to the data controller.

Biometric data to become sensitive personal data

Under the Bill, the definition of "sensitive personal data" will be expanded to include biometric data. Biometric data is defined as any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person. This means that the processing of biometric data will be subject to a separate set of legal bases e.g., explicit consent of the data subject.

Changes to rules on cross-border transfers

Currently, the PDPA allows the Minister to do the following:

  1. Issue a whitelist of places outside Malaysia to which personal data may be transferred
  2. Determine the circumstances where cross-border transfer of personal data is necessary as being in the public interest

The Bill will remove these two powers and will introduce a general legal basis for the transfer of personal data to a place outside Malaysia, i.e., such transfers are allowed in either of the following circumstances:

  1. There is in that place in force any law which is substantially similar to the PDPA
  2. That place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA

The existing means of enabling cross-border data transfers (e.g., consent of the data subject) remain unchanged.

Data subjects to exclude deceased individuals

Under the Bill, the definition of "data subject" will exclude deceased individuals. As "personal data" is defined under the PDPA with reference to "data subject", this change will result in the PDPA not applying where a data controller processes the personal data of a deceased individual.

Concluding remarks

The Bill reflects some of the proposals raised in the public consultation in 2020, while introducing further changes that are largely aligned with international standards and practices. Given that the Bill is still being discussed at the Parliament, the changes to the PDPA as highlighted above may be further revised.

Amending the principal legislation, i.e., the PDPA, is a key (but not the only) step being undertaken. The Minister of Digital announced in January 2024 that seven guidelines are being developed under the PDPA to supplement existing laws on personal data. They are:

  • Notification of data breach guidelines, data protection officers guidelines, data portability guidelines, and cross-border data transfer guidelines – these will complement the legislative changes highlighted above
  • Data protection impact assessment guidelines, privacy by design guidelines, and profiling and automated decision making guidelines – some of which have been proposed in the 2020 public consultation paper

Businesses should monitor the development of this space closely, and prepare for the additional compliance obligations which they may be subject to.

¹ Data controllers are those (other than data processors) who (either alone or jointly or in common with other persons) process any personal data or have control over or authorize the processing of any personal data.
² Data processors are those (other than employees of the data controller) who process personal data solely on behalf of the data controller and do not process the personal data for any of their own purposes.

* * * * *

© 2024 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
