Countdown to Compliance Personal Data Protection (Amendment) Act 2024 in Force Starting 1 January 2025
InsiderTAPS 6 January 2025
Introduction
The Personal Data Protection (Amendment) Act 2024 (“Amendment
Act”), which represents the first legislative update to the Personal Data
Protection Act 2010 (“PDPA”) since it became effective on 15 November
2013, will be implemented in three phases during the first half of 2025,
beginning on 1 January 2025, followed by 1 April 2025 and 1 June 2025. The
Amendment Act received Royal Assent on 9 October 2024 and was published in the
Federal Gazette on 17 October 2024, following its passage by the House of
Representatives and the Senate of Malaysian Parliament on 16 and 31 July 2024,
respectively.
First phase: 1 January 2025
The first phase of the amendments, which is poised to
take effect on 1 January 2025, is generally administrative in nature. These
amendments are amongst others as follows:
a.
that the procedure for opening, operating and
maintaining any bank accounts for the personal data protection fund established
under the PDPA, is to be carried out in the manner authorized by the Personal
Data Protection Commissioner (“Commissioner”) (rather than by the
Minister of Digital);
b.
that a service of a notice or any other document upon
any person may also be effected by electronic means (in addition to the existing
methods of hand delivery, leaving it at the last-known address or sending it by
A.R. registered post);
c.
that any order, directions, circular, notice or code of
practice issued by the Commissioner before the commencement of the Amendment Act
will remain valid; and
d.
that any investigation, trial, proceedings or action
that is ongoing before 1 January 2025 will continue under the original
provisions of the PDPA and will not be affected by the amendments under the
Amendment Act.
Second phase: 1 April 2025
The second batch comprises the following key
amendments, set to come into force on 1 April 2025:
a.
global change of the term “data user(s)” to the term
“data controller(s)”;
b.
expansion of the definition of “sensitive personal
data” to include “biometric data”, which means any personal data resulting from
technical processing relating to the physical, physiological or behavioural
characteristics of a person;
c.
a new definition for “personal data breach” which means
any breach of personal data, loss of personal data, misuse of personal data or
unauthorized access of personal data;
d.
exclusion of personal data of a deceased individual
from the scope of the PDPA;
e.
expansion of the definition of “requestor” to include
an individual who makes a data portability request;
f.
empowering the Commissioner to designate not only a
body but also a data controller as a data controller forum in respect of a
specific class of data controllers;
g.
a direct obligation on data processor to comply with
the Security Principle when processing personal data on behalf of a data
controller, including imposition of penalties on the data processor for
breaching the Security Principle, with a fine of up to RM1 million and/or
imprisonment for up to 3 years;
h.
an increased penalty rate for the offence committed by
a data controller for breaching the Personal Data Protection Principles, to a
fine of up to RM1 million (previously RM300,000) and/or a term of imprisonment
of up to 3 years (previously 2 years); and
i.
allowing the transfer of personal data to a place
outside Malaysia if there is in that place in force any law which is
substantially similar to the PDPA, or that place ensures an adequate level of
protection in relation to the processing of personal data which is at least
equivalent to the level of protection afforded by the PDPA. There is no longer a
white-list regime for cross-border data transfer.
Third phase: 1 June 2025
The third phase of amendments will become effective on
1 June 2025 and includes the following:
a.
a new obligation on both data controller and data
processor to appoint one or more data protection officers (“DPO”), with
the data controller required to notify the Commissioner of the appointment;
b.
a new obligation on data controller to notify the
Commissioner of a personal data breach as soon as practicable, and if the breach
causes or likely to cause any significant harm to the data subject, to notify
the data subject, failing which may result in a fine of up to RM250,000 and/or
imprisonment for up to 2 years; and
c.
a new right of data portability for data subject who
may request that his personal data be transmitted to another data controller of
his choice, subject to technical feasibility and compatibility of the data
format.
New regulations and guidelines
The Commissioner is formulating new regulations and
guidelines to complement the amendments to the PDPA, which are expected to be
issued in tandem with the implementation of the Amendment Act. The Commissioner
has previously released public consultation papers to gather feedback on these
supplementary regulations and guidelines:
a.
Personal Data Protection (Personal Data Breach
Notification) Regulations and Data Breach Notification Guideline (see
Public Consultation Paper
No. 01/2024),
which
seek to address:
i.
notification thresholds for data breach notification (“DBN”)
to the Commissioner (with proposals to clarify that the DBN requirement applies
only in cases where the breach is likely to cause or have caused significant
harm and/or where the breach is likely to be or is of a significant scale,
taking into account certain factors);
ii.
notification thresholds for DBN to affected data
subjects (with proposals to clarify what constitutes “significant harm”);
iii.
manner and form of DBN to the Commissioner (with
proposals to adopt the current template for voluntary notification, with
appropriate modifications to simplify the content and presentation style and
standardize the required response);
iv.
manner and form of DBN to affected data subjects (with
proposals mandating the minimum information to be provided in the notification);
v.
timeframe for DBN to the Commissioner (with proposals
requiring notification within 72 hours of becoming aware of the breach);
vi.
timeframe for DBN to affected data subjects (with
proposals to clarify that “without unnecessary delay” means at the same time as
the notification to the Commissioner or as soon as practicable thereafter);
vii.
exemptions from providing DBN to affected data subjects
(with proposals to exclude the DBN requirement in cases where a data controller
has implemented appropriate technological and organizational protection measures
that renders it unlikely that the breach will result in significant harm to
affected data subjects, or where the personal data compromised or affected by
the breach is protected by security measures that make the information
unintelligible or meaningless to unauthorized individuals);
viii.
data processor’s obligation to comply with the DBN
requirement (with proposals to contractually obligate the data processor to
promptly notify the data controller of any personal data breach and provide all
reasonable and necessary assistance);
ix.
concurrent application of the DBN regime under the PDPA
with other laws or sector-specific breach notification regimes (with proposals
for the PDPA’s DBN regime to operate separately and concurrently with other
relevant DBN requirements imposed under other laws, without overriding such
requirements or laws); and
x.
management of personal data breaches and record-keeping
obligation (with proposals to provide guidance on best practices for a data
controller to effectively respond to the breaches, investigate and contain them,
and implement measures to prevent the recurrence of similar breaches in the
future).
b.
Personal Data Protection (Data Protection Officer)
Regulations and Data Protection Officer Guideline (see
Public Consultation Paper
No. 02/2024),
which seek to address:
i.
threshold requirement for mandatory appointment of DPO
(with proposals for this requirement to apply only to a data controller or data
processor who carries out data processing activities of a large scale, taking
into account certain factors);
ii.
consistency with other legal requirements for roles
similar to a DPO (with proposals allowing the DPO to undertake additional job
functions beyond data-specific roles);
iii.
sector-specific risks for DPO when carrying out his
functions (with proposals outlining the minimum responsibilities of the DPO);
iv.
reporting line for DPO (with proposals requiring that
the DPO has a direct reporting line or access to senior management team of the
data controller or data processor, or to the personnel in an equivalent
position);
v.
regional appointment of DPO and local residency
requirement (with proposals allowing a single DPO to serve multiple entities
within the same group of companies for a data controller or data processor, and
requiring the DPO to be ordinarily resident in Malaysia);
vi.
minimum expertise and qualifications of DPO and
certification requirements (with proposals for the appointed DPO to meet a
prescribed minimum set of expertise and qualifications, and to complete the
required training or certification programmes); and
vii.
factors the Commissioner may consider in exercising
discretion to mandate appointment of DPO (with proposals for the Commissioner to
be empowered to direct certain classes or specific data controller or data
processor to appoint a DPO on a case-by-case basis, taking into account certain
factors).
c.
Personal Data Protection (Right to Data Portability)
Regulations and Data Portability Guidelines (see
Public Consultation Paper
No. 03/2024),
which seek to address:
i.
readiness for the right to data portability (with
proposals for this requirement to apply when there is technical feasibility
between the data controller and receiving data controller);
ii.
types of personal data subject to the right to data
portability (with proposals to limit the types of personal data to those
directly provided by the data subject, processed based on consent (or explicit
consent) or based on a contract to which the data subject is a party, processed
by automated means, and excluding inferred or derived data);
iii.
timeline for complying with a data portability request
(with proposals to comply with the request within 21 days, with a possible
extension of 14 days, similar to the timelines for data access and correction
requests);
iv.
historical data (with proposals that no time limit be
imposed on data portability requests for personal data previously collected and
retained by a data controller);
v.
fees (with proposals allowing a data controller to
charge a capped fee, similar to that for data access requests); and
vi.
transmission of personal data arising from a data
portability request (with proposals allowing a data controller to determine the
best method for transmitting the requested data, provided that it complies with
any common standards or formats specified by the Commissioner or relevant data
controller forum, or that there are appropriate security measures to ensure the
data is securely transmitted to the correct destination or receiving data
controller).
d.
Updated Personal Data Protection Standards (“Standards”)
(see
Public Consultation Paper
No. 04/2024),
which seek to:
i.
replace the prescriptive “black and white” rules in the
Standards with “outcome-based” requirements;
ii.
replace the specific security standards for
electronically and non-electronically processed personal data, respectively,
with general security standards which are applicable to both;
iii.
expand the retention standards to cover the retention
period, documentation and records for the retention and disposal of personal
data, methods for destruction or deletion of personal data and third-party
retention of personal data;
iv.
expand the data integrity standards to include measures
for data validation and verification, data quality monitoring, data consistency
and data lifecycle management; and
v.
recognize industry certifications as a means for a data
controller or data processor to demonstrate compliance with the Standards (for
instance, ISO 27001 certification for information security management system,
ISO 27017 certification on information security controls for the provision and
use of cloud services, and ISO 27701 certification for privacy information
management system).
e.
Cross-Border Personal Data Transfer Guidelines (see
Public Consultation Paper
No. 05/2024),
which seek to address the following, including the prescribed conditions for
transferring personal data to a place outside Malaysia (“that place”):
i.
new conditions that there is in that place in force any
law which is substantially similar to the PDPA, or that place ensures an
adequate level of protection in relation to the processing of personal data
which is at least equivalent to the level of protection afforded by the PDPA
(with proposals requiring a data controller to conduct a transfer impact
assessment to determine whether that place has such a law or protection level);
ii.
consent as the basis for the transfer (with proposals
requiring a data controller to notify data subjects in writing about the
cross-border data transfer and to obtain their consent);
iii.
necessity for performance of contract or protection of
vital interests of data subjects as the basis for the transfer (with proposals
requiring a data controller to consider certain factors to determine whether the
transfer is necessary for these purposes);
iv.
use of binding corporate rules (with proposals to
recognize this as proof that the data controller has taken all reasonable
precautions and exercised all due diligence to justify the transfer);
v.
use of standard contractual clauses (with proposals to
recognize this as proof that the data controller has taken all reasonable
precautions and exercised all due diligence to justify the transfer);
vi.
use of certification mechanism (with proposals to
recognize this as proof that the data controller has taken all reasonable
precautions and exercised all due diligence to justify the transfer); and
vii.
record-keeping obligation (with proposals requiring a
data controller to keep and maintain relevant records that sufficiently
demonstrate that the transfer complies with the applicable condition(s) under
the PDPA).
Next steps
The Amendment Act marks a pivotal step forward in
strengthening Malaysia’s data protection framework, aligning it more closely
with global practices and international standards. These amendments ensure that
personal data protection remains a central priority in an increasingly digital
world. With the Amendment Act coming into force, it is essential for
organizations to proactively familiarize themselves with the new obligations and
take necessary steps to adequately prepare for the upcoming amendments. These
include:
a.
reviewing and updating internal data protection
policies, practices and procedures to align them with the new requirements;
b.
developing a data breach crisis plan that establishes
clear protocols for addressing personal data protection breaches; and
c.
revisiting contracts with third-party data processors
to ensure they include appropriate indemnities and warranties to safeguard the
organization in the event of a data breach.
This approach will not only ensure compliance with the
amended PDPA, but also foster a robust culture of privacy and accountability
within the organization.
By embracing
these changes, businesses can better safeguard individuals’ personal data,
mitigate potential risks and enhance their reputation as responsible stewards of
privacy in a rapidly evolving digital landscape.
This article
is authored by our Partner, Ms Lee Lin Li and Senior Associate, Ms Chong Kah
Yee. The information in this article is intended only for general information
and is not a legal opinion or professional advice.
Lee Lin Li
Partner
T: +603 2050 1898
linli.lee@taypartners.com.my
Chong Kah Yee
Senior Associate
T: +603 2050 1831
kahyee.chong@taypartners.com.my