1. Change in terminology
2. Increased penalties
3. Data processors to comply with the security principle
4. Mandatory data breach notification to the Personal Data Protection Commissioner
The Personal Data Protection Commission has, on 19 August 2024, issued 3 consultation papers (collectively, “Consultation Papers”) including Public Consultation Paper No.01/2024 (The Implementation of Data Breach Notification) to ask for public feedback in relation to the development of the Personal Data Protection (Personal Data Breach Notification) Regulations and the Data Breach Notification Guideline.
These include feedback on: (a) the notification thresholds and timeline for breach notifications to both the Commissioner and data subjects; (b) the manner and form in which such notifications are to be made; (c) applicable exemptions from the requirement to notify data subjects of a breach; (d) the obligations of data processors in relation to the breach notification obligations; (e) the concurrent application of the proposed data breach notification regime with that of other laws/sectoral breach notification regimes; and (f) management of personal data breaches and recordkeeping obligations.
5. Requirement to appoint data protection officer(s)
The second public consultation paper, Public Consultation Paper No.02/2024 (The Appointment of Data Protection Officer), seeks public feedback on: (a) the threshold requirement for mandatory appointment of a data protection officer; (b) consistency with other legal requirements for a role similar to a data protection officer; (c) sector-specific risks for data protection officers to be aware of when carrying out their functions; (d) reporting lines; (e) regional data protection officer appointment and local residency requirements; (f) minimum expertise, qualifications, and certifications; and (g) factors the Commissioner may consider in exercising its discretion to mandate the appointment of a data protection officer.
6. New rights to data portability
The third public consultation paper, Public Consultation Paper No.03/2024 (The Right to Data Portability), seeks public feedback on: (a) the readiness of data controllers for the right to data portability; (b) the types of personal data subject to such right; (c) timeline for compliance after a request from data subjects; (d) whether there should be a time limit/limitation period imposed on such requests for personal data processed and retained by the data controller prior to the request; (e) whether fees are to be chargeable for responding to such requests; and (f) the method for transmitting personal data arising from a data portability request.
7. Sensitive personal data to include biometric data
8. Abolishment of the current whitelist cross-border transfer regime
9. Data subjects to exclude deceased individuals
What’s Next?
The amendments proposed by the PDP Bill represent a significant advancement in the country's data protection framework, reflecting a growing commitment to safeguarding personal data in an increasingly digital age. The proposed amendments will, upon coming into force, enhance transparency, accountability, and control for data subjects over their personal data, aligning Malaysia more closely with global data protection standards. The above is also in line with Malaysia’s development of a strong digital infrastructure, which complements other policy developments such as the Cyber Security Act 2024.
The public is strongly encouraged to submit any feedback on the Consultation Papers by the deadline of 6 September 2024 as, moving forward, the PDP Bill, its subsidiary regulations, and related guidelines will undoubtedly play a crucial role in fostering a culture of responsible data management among data controllers and processors and reinforcing public confidence in data protection practices.
The information provided is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.
Hui Lynn Tan
Partner, Malaysia
Hui Lynn’s areas of expertise include cross border corporate and commercial transactions, FDIs, regulatory compliance, providing legal advice to Malaysian companies listing in foreign countries, prospectus drafting, private mergers and acquisitions, private equity and venture capital, and issues relating to the Labuan IBFC.
Prior to joining RLL, Hui Lynn was the General Counsel and part of the executive team of an international fintech group, leading the global legal and compliance team on legal strategy, risk mitigation, executing strategic plans, developing policies and compliance programmes.
Michelle Koh
Associate, Malaysia
Michelle is an associate in the corporate team of the Kuala Lumpur office and has experience advising local and foreign clients on a range of corporate and commercial transactions including single and multi-jurisdictional mergers and acquisitions, foreign direct investments, regulatory compliance as well as general legal advisory matters.
Prior to joining DFDL, Michelle was an associate in one of Malaysia's leading law firms before taking on an in-house position in the legal team of an international fintech group.