Eugene Ee and Daniel Wah discuss the key changes introduced by the Personal Data Protection (Amendment) Bill 2024.
The Personal Data Protection (Amendment) Bill 2024 (“PDP Bill”), tabled in the Malaysian Parliament on 10 July 2024, is poised to significantly advance Malaysia’s data protection framework. The proposed amendments to the current Personal Data Protection Act 2010 (“PDPA 2010”) aim to modernise the law, aligning it more closely with international standards and addressing the evolving challenges of data protection in the digital age. The PDP Bill introduces several key changes that will likely have far-reaching implications for businesses, individuals, and the overall data ecosystem in Malaysia.
1. Terminology Change and Scope Clarification
The proposed shift from the term “Data User” to “Data Controller” seeks to align the terminology under the PDPA 2010 with international standards. When the PDP Bill eventually comes into force, existing personal data protection notices, policies or agreements will have to be updated to reflect the change.
Additionally, the PDP Bill explicitly excludes the data of deceased individuals from the scope of the PDPA 2010, in line with the European Union General Data Protection Regulation.
2. Mandatory Appointment of Data Protection Officer
One of the most notable changes in the PDP Bill is the mandatory appointment of a Data Protection Officer (“DPO”) by the data controller, who will be accountable for compliance with the PDPA 2010. Data controllers must notify the Personal Data Protection Commissioner (“Commissioner”) of the appointment of the DPO in the manner and form determined by the Commissioner. This requirement aligns Malaysia with other jurisdictions that recognise the critical role of DPOs in ensuring organisational compliance with data protection laws. The introduction of this role represents a shift towards more proactive and structured data governance within organisations.
While the PDP Bill does not specify the minimum qualifications or expertise required of DPOs, the new requirement is likely to necessitate certain organisational changes, as businesses will need to identify suitable candidates for the new role, presumably an individual with some expertise in data protection laws and practices, or upskill existing employees in this area. Although this requirement may initially be seen as burdensome, particularly for smaller organisations, it has the potential to foster a culture of data protection awareness and compliance throughout the organisation.
3. Direct Obligations on Data Processors
The PDP Bill extends legal obligations to data processors, in particular security obligations, requiring them to (1) offer adequate assurances about the technical and organisational safeguards in place for processing personal data; and (2) take appropriate actions to adhere to these safeguards, with a focus on meeting security standards. This marks a significant change from the PDPA 2010, which primarily focuses on the obligations of data controllers (previously termed “data users”). By making data processors directly accountable, the PDP Bill acknowledges the crucial role these entities play in data handling and processing.
This change is likely to lead to a reassessment of data processing agreements and practices. Data processors will need to implement robust security measures and may face direct penalties for non-compliance. This could potentially increase the costs of data processing services as processors invest in compliance measures. However, it also provides an opportunity for processors to differentiate themselves based on their security and compliance standards.
4. Mandatory Data Breach Notification
The introduction of the mandatory data breach notification requirement brings Malaysia in line with global best practices. The proposed amendments require data controllers to notify the Commissioner as soon as practicable if they have reason to believe a personal data breach has occurred. These amendments, if enforced, will enhance transparency and allow affected individuals to take necessary measures in the event of a breach. The dual notification requirement (to both the Commissioner and affected data subjects) also ensures comprehensive coverage and increases accountability.
Furthermore, the definition of a “personal data breach” in the PDP Bill is broad, potentially encompassing a wide range of incidents. This could lead to a substantial volume of reported breaches and, consequently, greater public awareness of data protection issues. Organisations are expected to develop and implement robust breach detection and notification protocols to comply with this requirement.
5. Right to Data Portability
The PDP Bill aims to introduce data portability rights to empower data subjects. This right, subject to technical feasibility, would give data subjects greater control over their personal data, enabling the transfer of data between service providers. This provision could have significant implications for competition in data-driven industries, potentially making it easier for consumers to switch providers.
However, the requirement for “technical feasibility and compatibility” may pose challenges in terms of implementation. Industry-wide standards or guidelines may be needed to ensure effective data portability across different platforms and services.
6. Inclusion of Biometric Data as Sensitive Personal Data
The PDP Bill also seeks to expand the definition of “sensitive personal data” to include biometric data, reflecting the growing use of biometric technologies and the associated privacy risks. This classification will require organisations handling biometric data to implement stronger protection measures and potentially reassess their data collection and processing practices.
As biometric technologies continue to evolve and find new applications, this provision establishes a framework for the responsible use and protection of this particularly sensitive form of personal data.
7. Increased Penalties
The PDP Bill significantly increases penalties for breaches of the personal data protection principles, underscoring the seriousness with which the Malaysian government views data protection violations. Currently, a data user who contravenes the PDPA 2010 is liable to a maximum fine of RM300,000 (approx. USD70,000) and/or imprisonment for a term not exceeding two years. However, the PDP Bill seeks to increase fines up to RM1,000,000 (approx. USD230,000) and imprisonment for a term of up to three years.
This change is likely to elevate data protection to a board-level concern for many organisations, given the potential financial and reputational risks associated with non-compliance.
8. Cross-Border Data Transfers
The PDP Bill also proposes the removal of the white-list regime for cross-border data transfers in favour of a more flexible approach. It seeks to allow personal data to be transferred outside Malaysia to a country with laws substantially similar to the PDPA 2010 or to a country that provides equivalent levels of protection in relation to the processing of personal data. This change offers more flexibility for international data flow while still ensuring adequate protection for personal data transferred out of Malaysia.
Organisations engaged in cross-border data transfers will need to identify potential situations involving the transfer of data overseas to assess if such transfer would be in compliance with this provision.
Conclusion
The PDP Bill marks a significant overhaul of Malaysia’s data protection framework, aligning it with international standards and enhancing protection for data subjects. However, businesses will likely face challenges, including increased compliance costs, operational changes, and the need for extensive staff training when the amendments eventually come into force. Technical upgrades may be necessary to meet new requirements, particularly regarding data portability and security, and existing contracts might require revision.
While the PDP Bill has the potential to strengthen trust in Malaysia’s digital economy, its success hinges on effective implementation and enforcement. Clear regulatory guidelines and proactive adaptation by organisations will be essential as they navigate these changes, turning compliance into an opportunity to build trust with customers and stakeholders.
Eugene is a Partner at Wong Jin Nee & Teo. His practice principally focuses on contentious IP and commercial matters. Outside the courtroom, he assists clients in the enforcement of their IP rights and also advises on regulatory compliance, consumer laws and data protection matters.
Daniel is an Associate at Wong Jin Nee & Teo. His practice focuses on IP litigation, enforcement and brand protection. He also advises on franchise, regulatory as well as media and advertising compliance.