Malaysia: Proposed Amendments to the Personal Data Protection Act 2010

DFDL Malaysia (Robyn Lynn & Lee)

4th September 2024
The Personal Data Protection (Amendment) Bill 2024 (“PDP Bill”) was passed by the Dewan Rakyat (House of Representatives) on 16 July 2024 and, subsequently, by the Dewan Negara (the Senate) on 31 July 2024.

The Personal Data Protection (Amendment) Bill 2024 (“PDP Bill”) was passed by the Dewan Rakyat (House of Representatives) on 16 July 2024 and, subsequently, by the Dewan Negara (the Senate) on 31 July 2024. The PDP Bill is not yet in force. To come into effect, it must be presented for Royal Assent and will only become law upon publication in the Gazette on a date to be appointed by the Digital Minister.

The PDP Bill proposes several revisions to the Personal Data Protection Act 2010 (“PDPA”) to bring Malaysian data protection legislation closer in line with international norms. The key amendments introduced by the PDP Bill are set out below:

1. Change in terminology

2. Increased penalties

3. Data processors to comply with the security principle

4. Mandatory data breach notification to the Personal Data Protection Commissioner

 

The Personal Data Protection Commission has, on 19 August 2024, issued 3 consultation papers (collectively, “Consultation Papers”) including Public Consultation Paper No.01/2024 (The Implementation of Data Breach Notification) to ask for public feedback in relation to the development of the Personal Data Protection (Personal Data Breach Notification) Regulations and the Data Breach Notification Guideline.

These include feedback on: (a) the notification thresholds and timeline for, both, breach notifications to the Commissioner and data subjects; (b) the manner and form in which such notifications are to be made; (c) applicable exemptions from the requirement to notify data subjects of a breach; (d) the obligations of data processors in relation to the breach notification obligations; (e) the concurrent application of the proposed data breach notification regime with that of other laws/ sectoral breach notification regimes; and (d) management of personal data breaches and recordkeeping obligations.

5. Requirement to appoint data protection officer(s)

 

The second public consultation paper, Public Consultation Paper No.02/2024 (The Appointment of Data Protection Officer), seeks for public feedback on: (a) the threshold requirement for mandatory appointment of a data protection officer; (b) consistency with other legal requirements to a role similar to a data protection officer; (c) sector-specific risks for data protection officers to be aware of when carrying out their functions; (d)reporting lines; (e) regional data protection officer appointment and local residency requirements; (f) minimum expertise, qualifications, and certifications; and (g) factors the Commissioner may consider in exercising its discretion to mandate the appointment of a data protection officer.

6. New rights to data portability

 

The third public consultation paper, Public Consultation Paper No.03/2024 (The Right to Data Portability), seeks for public feedback on:(a) the readiness of data controllers for the right to data portability; (b) the types of personal data subject to such right; (c) timeline for compliance after a request from data subjects; (d) whether there should be a time limit /limitation period imposed such  requests for personal data processed and retained by the data controller prior to there quest; (e) whether fees are to be chargeable for responding to such requests; and (f) the method for transmitting personal data arising from a data portability request.

7. Sensitive personal data to include biometric data

8. Abolishment of the current whitelist cross-border transfer regime

9.  Data subjects to exclude deceased individuals

What’s Next?

The amendments proposed by the PDP Bill represent a significant advancement in the country's data protection framework, reflecting a growing commitment to safeguarding personal data in an increasingly digital age. The proposed amendments will, upon coming into force, enhance transparency, accountability, and control for data subjects over their personal data, aligning Malaysia more closely with global data protection standards. The above is also in line with Malaysia’s development of a strong digital infrastructure, which complements other policy developments such as the Cyber Security Act 2024.

The public is strongly encouraged to submit any feed back to the Consultation Papers by the deadline on 6 September 2024 as, moving forward, the PDP Bill, its subsidiary regulations, and related guidelines will undoubtedly play a crucial role in fostering a culture of responsible data management among data controllers and processors and reinforcing public confidence in data protection practices.

The information provided is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.

Hui Lynn Tan

Partner, Malaysia

Hui Lynn’s areas of expertise include cross border corporate and commercial transactions, FDIs, regulatory compliance, providing legal advice to Malaysian companies listing in foreign countries, prospectus drafting, private mergers and acquisitions, private equity and venture capital, and issues relating to the Labuan IBFC.

Prior to joining RLL, Hui Lynn was the General Counsel and part of the executive team of an international fintech group, leading the global legal and compliance team on legal strategy, risk mitigation, executing strategic plans, developing policies and compliance programmes.

Michelle Koh

Associate, Malaysia

Michelle is an associate in the corporate team of the Kuala Lumpur office and has experience advising local and foreign clients on a range of corporate and commercial transactions including single and muti-jurisdictional mergers and acquisitions, foreign direct investments, regulatory compliance as well as general legal advisory matters.

Prior to joining DFDL, Michelle was an associate in one of Malaysia's leading law firms before taking on an in-house position in the legal team of an international fintech group.

Please Login or Register for Free now to view all updates and articles

 Login  Sign Up

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

  • Overview notes on the law
  • Thousands of high quality translations of legislation covering all key business areas
  • Legal and tax updates
  • Articles on important legal and tax issues
  • Weekly email alerts
  • Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

DFDL Malaysia (Robyn Lynn & Lee)

Since 2023, our firm has been on a journey to offer high-quality, integrated, and tailored legal services to help our clients achieve their business goals. Our partners in Malaysia have extensive expertise in various corporate transactions, together with the DFDL network, we combine our international and local experience and industry knowledge to serve you better. Our client-focused approach, openness and unwavering commitment to value creation enable us to consistently surpass our clients’ expectations.

Click here to view the author's profile

Author

Tags

  • Malaysia
  • Legal Updates
  • Data Protection & Privacy

Related Content

  • No related content

Recent updates

Cookies On
Our Website
We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please click here to view our cookie policy. By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our cookie policy.

 

A leading provider of legal and tax know-how and information for Asia.

Useful Links

Contact Us

Hong Kong, China
Tel: +852 3001 8810
support@legalcentrix.com

Copyright © 1997 - 2024 Legal Centrix. All Rights Reserved Privacy Policy | Terms of Use

Some text to show in popup