DFDL Malaysia (Robyn Lynn & Lee)

Pursuant to a notification in the Gazette published on 24 December 2024, the Personal Data Protection (Amendment) Act 2024, is set to come into effect in 3 phases. We set out below an overview of each phase.

*Our previous article on the proposed amendments introduced by the Personal Data Protection (Amendment) Bill 2024 is accessible here.

Pursuant to a notification in the Gazette published on 24 December 2024, the Personal Data Protection (Amendment) Act 2024 (“PDPA Amendment Act”), which received royal assent on 9 October 2024, is set to come into effect in 3 phases. The first phase will commence on 1 January 2025, followed by the second phase scheduled on 1 April 2025, and the final phase on 1 June 2025. We set out below an overview of each phase.

First phase

Sections 7, 11, 13 and 14 of the PDPA Amendment Act to be effective on 1 January 2025

  • Allows for service of notices or any other document which may be given under the Personal Data Protection Act 2010 (“PDPA”) upon any person by way of electronic means. 
  • The amendments are generally administrative in nature and do not impose new obligations.

Second phase

Sections 2 – 5, 8, 10 and 12 of the PDPA Amendment Act to be effective on 1 April 2025

(a) Change in terminology and revision to definitions

  • Substitution of the term “data user” with “data controller”.
  • Definition of “sensitive personal data” expanded to include “biometric data”.
  • “Personal data breach” defined to mean any breach, loss, misuse or unauthorized access of personal data.
  • Exclusion of personal data of deceased individuals from the scope of the PDPA.

(b) New obligation on data processors

  • Data processors will be directly regulated under the security principle outlined in section 9 of the PDPA when processing personal data.
  • Non-compliance will result in penalties imposed directly on data processors.

(c) Increased penalties

  • Maximum penalties for non-compliance with the personal data protection principles increased to a fine of RM1,000,000 from RM300,000 and/or imprisonment for a term of 3 years from 2 years.

(d) Amendments to cross-border data transfers

  • Removal of whitelisting regime.
  • Permits for the transfer of personal data to countries with substantially similar data protection laws or equivalent levels of protection.

Third phase

Sections 6 and 9 of the PDPA Amendment Act to be effective on 1 June 2025

(a) Mandatory appointment of data protection officer

  • Both data controllers and data processors must appoint a data protection officer to oversee compliance with the PDPA.

(b) Mandatory data breach notification

  • Data controllers are required to notify the Personal Data Commissioner (“Commissioner”) of personal data breaches.
  • Where the breach is likely to cause significant harm to the data subject, to notify the data subject.

(c) New rights to data portability for data subjects

Guidelines and Revised Personal Data Protection Standard to be Issued

According to an announcement by the Commissioner on 18 November 2024, four guidelines and a revised version of the Personal Data Protection Standard are expected to be issued in early 2025, with the remaining three guidelines to follow in the third quarter of 2025. The first four guidelines to be published addresses areas such as the Data Protection Officer, Data Breach Notification, Cross-border Data Transfer and Data Portability. It is anticipated that these guidelines will provide clearer details and practical steps to facilitate compliance with the amended regulations. While we await the finalized guidelines, businesses and organizations are encouraged to review its existing privacy policies and personal data processing practices, and to identify any updates require to align with the amendments introduced by the PDPA Amendment Act.

DFDL Compliance and Investigations Practice Group

DFDL’s compliance and investigations practice works side-by-side with other practice groups and leverages our expertise across a range of compliance risks including data protection, cyber security, anti-bribery and anti-corruption, anti-money laundering, legal design for UX/UI compliance, and human rights supply-chain due diligence. With our extensive experience in Asian emerging markets we can help in proactively assessing compliance risks, developing policies and procedures, as well as support with compliance failure mitigation and investigations.

Written by Hui Lynn Tan

The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.

Hui Lynn Tan, Partner
Malaysia
Hui Lynn’s areas of expertise include cross border corporate and commercial transactions, FDIs, regulatory compliance, providing legal advice to Malaysian companies listing in foreign countries, prospectus drafting, private mergers and acquisitions, private equity and venture capital, and issues relating to the Labuan IBFC.

Please Login or Register for Free now to view all updates and articles

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

  • Overview notes on the law
  • Thousands of high quality translations of legislation covering all key business areas
  • Legal and tax updates
  • Articles on important legal and tax issues
  • Weekly email alerts
  • Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

DFDL Malaysia (Robyn Lynn & Lee)

Since 2023, our firm has been on a journey to offer high-quality, integrated, and tailored legal services to help our clients achieve their business goals. Our partners in Malaysia have extensive expertise in various corporate transactions, together with the DFDL network, we combine our international and local experience and industry knowledge to serve you better. Our client-focused approach, openness and unwavering commitment to value creation enable us to consistently surpass our clients’ expectations.

Click here to view the author's profile

Author

Tags

  • Malaysia
  • Legal Updates
  • Data Protection & Privacy

Related Content

Recent updates

Cookies On
Our Website
We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please click here to view our cookie policy. By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our cookie policy.