[July 2024] PDPA Alert: Personal Data Protection (Amendment) Bill 2024 Tabled in Parliament
InsiderTAPS Jul 2024

On 4 July 2024, the Digital Minister, Gobind Singh Deo, announced that the Malaysian Cabinet had approved the proposed amendments to the Personal Data Protection Act 2010 (“PDPA”), which will be tabled in the current parliamentary session[1].
Of the proposed amendments in the public consultation paper[2], the Cabinet has approved the following for tabling in Parliament:
- Mandatory data breach notification (please refer to this link to our earlier article on data breach notification for your information)
- Additional compliance responsibilities for data processors
- Appointment of data protection officers
- Right to data portability
- Removal of the white-list regime for cross-border data transfers
The Digital Minister also provided recent statistics that underline the urgency of these amendments:
- There was a 5.1% increase in complaints from October 2023 to March 2024, wherein 322 complaints were received regarding the misuse and breach of personal data.
- Personal data breaches saw a significant 41% increase in 2024 compared to 2023.
- The National Scam Response Centre reported 34,497 online fraud cases in 2023, resulting in losses of RM1.218 billion. Telecommunications crimes, including SMS contests, online impersonation and phone call scams, were particularly prevalent, with 10,348 cases causing RM352.9 million in losses.
The proposed amendments to the PDPA aim to bolster security measures to protect personal data of members of the public.
First Reading on 10 July 2024
The Personal Data Protection (Amendment) Bill 2024 (“Bill”) was tabled for its first reading in Parliament on 10 July 2024[3]. The following is a comparative analysis of some of the more significant proposed amendments:
(a) “Data User” to be replaced with “Data Controller”
Under the PDPA, the term “data user” refers to a person who, either alone or jointly with others, processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor. The Bill proposes replacing this term with “data controller” throughout the PDPA.
(b) Appointment of Data Protection Officers
Under the PDPA, there is no requirement for data users (or, if amended, data controllers) to appoint data protection officers. The Bill now introduces a mandatory requirement for a data controller to appoint one or more data protection officers to ensure compliance with the PDPA. If personal data is processed by a data processor on behalf of the data controller, the data processor must also appoint one or more data protection officers to be accountable for compliance. The data controller must notify the Personal Data Protection Commissioner (“Commissioner”) of such appointment. The Bill highlights that appointing data protection officers does not exempt the data controller or data processor (as the case may be) from their obligations under the PDPA.
(c) Mandatory Data Breach Notification
Under the PDPA, there is no mandatory requirement for data users to provide data breach notifications. The Bill introduces this requirement and provides that if a data controller has reason to believe that a personal data breach has occurred, the data controller must notify the Commissioner as soon as practicable. If the breach causes or is likely to cause significant harm to the data subject, the data controller must also inform the data subject without unnecessary delay. Failure to comply with these requirements is an offence for a data controller and can result in a fine of up to RM250,000 and/or a term of imprisonment of up to 2 years.
It is worth noting that the Bill defines “personal data breach” to mean any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data.
(d) Direct Responsibilities on Data Processors
Presently, under the security principle, it is the data user’s responsibility to ensure that the data processor provides sufficient guarantees regarding the technical and organizational security measures governing the processing. The data user must also ensure that the data processor takes reasonable steps to ensure compliance with those measures. In other words, data processors are not directly subject to obligations under the PDPA.
The Bill proposes to impose direct responsibilities on data processors to comply with the security principle when processing personal data on behalf of a data controller. Additionally, the Bill introduces direct penalties for data processors who fail to comply with the security principle. Data processors who are found in breach of the security principle will be guilty of an offence and, upon conviction, may face a fine of up to RM1,000,000 and/or a term of imprisonment of up to 3 years.
(e) Data Subject’s Right to Data Portability
Under the PDPA, data subjects do not have the right to request the data user to transmit their personal data to another data user of their choice. The Bill introduces the right to data portability for data subjects, provided that the transfer is technically feasible and the data formats are compatible. Data subjects can exercise this right by giving the data controller a written notice through electronic means. Upon receiving the request for data portability, the data controller must complete the transmission of personal data within the prescribed period.
(f) Removal of the White-List Regime for Cross-Border Data Transfers
Under Section 129 of the PDPA, a data user shall not transfer any personal data of a data subject to a place outside Malaysia unless it is to a place specified by the Minister (presently, the Digital Minister) based on the Commissioner’s recommendation and published in the Gazette. This regulatory framework is known as the white-list regime.
The Bill proposes to remove the white-list regime. Consequently, a data controller may transfer personal data of a data subject to any place outside Malaysia if that place has laws substantially similar to the PDPA, or if that place ensures an adequate level of protection for the processing of personal data, equivalent to the protection provided by the PDPA.
(g) Exclusion of Deceased Individual as Data Subject
Under the PDPA, a “data subject” refers to an individual who is the subject of personal data, without any further specification regarding deceased individuals. The Bill explicitly excludes deceased individuals from the definition of “data subject”.
(h) Biometric Data is Sensitive Personal Data
The Bill introduces “biometric data” to the PDPA, which means any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person. Biometric data is proposed to be included as sensitive personal data within the definition of the PDPA.
(i) Increased Penalties for Breach of Personal Data Protection Principles
Under the PDPA, the breach of any of the personal data protection principles is an offence which attracts a fine of up to RM300,000 and/or a term of imprisonment of up to 2 years.
The Bill proposes to increase the penalties to a fine of up to RM1,000,000 and/or a term of imprisonment of up to 3 years.
For more information about the personal data protection principles, you may refer to our article at this link.
For a complete list of all proposed amendments, you are encouraged to refer directly to the Bill itself at this link.
[1] FreeMalaysiaToday. (2024, July 04). Cabinet okays amendments to Personal Data Protection Act. https://www.freemalaysiatoday.com/category/nation/2024/07/04/cabinet-okays-amendments-to-personal-data-protection-act/
[2] Department of Personal Data Protection. Public Consultation Paper No. 01/2020. https://www.pdp.gov.my/jpdpv2/assets/2020/02/Public-Consultation-Paper-on-Review-of-Act-709_V4.pdf
[3] TheStar. (2024, July 10). PDPA amendment Bill tabled for first reading. https://www.thestar.com.my/news/nation/2024/07/10/pdpa-amendment-bill-tabled-for-first-reading
This article is not intended to be legal advice. For further information on the above or if you have any questions on intellectual property, franchising or TMT matters, please contact Lee Lin Li.
Lee Lin Li
Partner
T: +603 2050 1898
linli.lee@taypartners.com.my
Chong Kah Yee
Senior Associate
T: +603 2050 1831
kahyee.chong@taypartners.com.my
Veronnie Thu
Associate
veronnie.thu@taypartners.com.my