The Personal Data Protection (Amendment) Bill 2024 (“PDP Bill”) was passed by the Dewan Rakyat (House of Representatives) on 16 July 2024 and, subsequently, by the Dewan Negara (the Senate) on 31 July 2024. The PDP Bill is not yet in force. To come into effect, it must be presented for Royal Assent and will only become law upon publication in the Gazette on a date to be appointed by the Digital Minister.
The PDP Bill proposes several revisions to the Personal Data Protection Act 2010 (“PDPA”) to bring Malaysian data protection legislation closer in line with international norms. The key amendments introduced by the PDP Bill are set out below:
1. Change in terminology
2. Increased penalties
3. Data processors to comply with the security principle
4. Mandatory data breach notification to the Personal Data Protection Commissioner
The Personal Data Protection Commission has, on 19 August 2024, issued 3 consultation papers (collectively, “Consultation Papers”) including Public Consultation Paper No.01/2024 (The Implementation of Data Breach Notification) to ask for public feedback in relation to the development of the Personal Data Protection (Personal Data Breach Notification) Regulations and the Data Breach Notification Guideline.
Feedback is sought on: (a) the notification thresholds and timelines for breach notifications to both the Commissioner and data subjects; (b) the manner and form in which such notifications are to be made; (c) applicable exemptions from the requirement to notify data subjects of a breach; (d) the obligations of data processors in relation to the breach notification obligations; (e) the concurrent application of the proposed data breach notification regime with that of other laws/sectoral breach notification regimes; and (f) management of personal data breaches and record keeping obligations.
5. Requirement to appoint data protection officer(s)
The second public consultation paper, Public Consultation Paper No.02/2024 (The Appointment of Data Protection Officer), seeks public feedback on: (a) the threshold requirement for mandatory appointment of a data protection officer; (b) consistency with other legal requirements for a role similar to a data protection officer; (c) sector-specific risks for data protection officers to be aware of when carrying out their functions; (d) reporting lines; (e) regional data protection officer appointment and local residency requirements; (f) minimum expertise, qualifications, and certifications; and (g) factors the Commissioner may consider in exercising its discretion to mandate the appointment of a data protection officer.
6. New rights to data portability
The third public consultation paper, Public Consultation Paper No.03/2024 (The Right to Data Portability), seeks public feedback on: (a) the readiness of data controllers for the right to data portability; (b) the types of personal data subject to such right; (c) the timeline for compliance after a request from data subjects; (d) whether a time limit/limitation period should be imposed on such requests for personal data processed and retained by the data controller prior to the request; (e) whether fees are to be chargeable for responding to such requests; and (f) the method for transmitting personal data arising from a data portability request.
7. Sensitive personal data to include biometric data
8. Abolishment of the current whitelist cross-border transfer regime
9. Data subjects to exclude deceased individuals
What’s Next?
The amendments proposed by the PDP Bill represent a significant advancement in the country’s data protection framework, reflecting a growing commitment to safeguarding personal data in an increasingly digital age. The proposed amendments will, upon coming into force, enhance transparency, accountability, and control for data subjects over their personal data, aligning Malaysia more closely with global data protection standards. The above is also in line with Malaysia’s development of a strong digital infrastructure, which complements other policy developments such as the Cyber Security Act 2024.
The public is strongly encouraged to submit any feedback on the Consultation Papers by the deadline of 6 September 2024. Moving forward, the PDP Bill, its subsidiary regulations, and related guidelines will undoubtedly play a crucial role in fostering a culture of responsible data management among data controllers and processors and in reinforcing public confidence in data protection practices.
The information provided is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.