Malaysia introduces watershed amendments to Personal Data Protection Act 2010

On 16 July 2024, the Malaysian Dewan Rakyat (House of Representatives of the Malaysian Parliament) passed the Personal Data Protection (Amendment) Bill 2024 (the PDP Bill). The PDP Bill, which had been under review by the Malaysian Government for some years, introduces significant changes to Malaysia’s Personal Data Protection Act 2010 (the Malaysian PDPA), aimed at aligning the Malaysian approach more closely with international data protection regimes.

Upcoming Changes

With thanks to Malaysian law firm Skrine, we summarise below the key changes that will be effected by the PDP Bill:

  1. Requirement to appoint data protection officer (DPO): Data controllers and data processors will be required to appoint a DPO – in contrast, there is presently no DPO requirement under the Malaysian PDPA.
  2. Direct obligations for data processors: Data processors will be directly subject to obligations under the Malaysian PDPA, in particular security obligations. Data processors will also be potentially subject to the direct imposition of penalties for breach of their obligations.
  3. Mandatory notification of personal data breaches: While the Malaysian PDPA currently does not contain any mandatory personal data breach notification obligations, the PDP Bill introduces a mandatory personal data breach notification obligation. In the event of a personal data breach, data controllers will be required to make notifications to both (a) the Personal Data Protection Commissioner; and (b) the affected data subjects where the breach “causes or is likely to cause any significant harm”. However, the PDP Bill does not provide a definition for “significant harm” – it remains to be seen if Malaysia will adopt a prescriptive approach (like Singapore) by prescribing the types of personal data which, if impacted in a data breach, would be deemed to result in “significant harm”, or if the Malaysian Data Protection Commissioner will release appropriate guidance on the criteria and assessment of “significant harm”.
  4. New data subject rights on data portability: Data subjects will be able to request that data controllers transmit their personal data to another data controller of their choice, although this right will be subject to technical feasibility and compatibility of the data format.
  5. An expanded definition of “sensitive personal data”: The expanded definition of “sensitive personal data” under the Malaysian PDPA will expressly include biometric data, which is defined as personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person.
  6. Revised cross-border data transfer approach: The Malaysian PDPA currently provides that personal data may only be transferred to a place outside Malaysia as specified by the Minister of Digital in Malaysia. The PDP Bill will revise this approach to provide that a data controller may transfer personal data of a data subject to any place outside Malaysia if: (1) that place has in force any law which is substantially similar to the Malaysian PDPA or (2) that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the Malaysian PDPA.
  7. Increased penalties: The potential penalties for breach of the personal data protection principles have been increased to RM 1,000,000 and/or up to three years of imprisonment, from the previous limit of RM 300,000 and/or up to two years of imprisonment.

Next Steps and Implications

The PDP Bill is likely to be presented at the Dewan Negara (Senate) at its next session (scheduled from 22 July 2024 until 1 August 2024); once passed by the Dewan Negara, the PDP Bill will be presented for Royal assent. The PDP Bill will come into force on a date to be appointed by the Minister of Digital, by notification in the Gazette.

The PDP Bill represents a watershed moment in Malaysia’s data protection landscape, and brings the Malaysian PDPA into closer alignment not only with internationally recognised data protection regimes such as the European Union’s General Data Protection Regulation (GDPR), but also with Malaysia’s regional peers in ASEAN such as Indonesia, Singapore, the Philippines, Thailand and Vietnam, which have all enacted similar changes to their personal data protection laws in recent years.

The Malaysian Personal Data Protection Commissioner is expected to issue guidelines to supplement and further clarify the scope of the new provisions and obligations (e.g., the detailed requirements surrounding the appointment of a DPO, the thresholds for personal data breach notification, data portability compliance timelines and applicable exemptions).

These changes, along with the enhanced penalties (which include criminal sanctions) for breach of the substantive obligations under the Malaysian PDPA, reflect a renewed focus on the part of the Malaysian Government on improving data protection standards in Malaysia.

While it is not clear at this stage when the proposed changes to the Malaysian law will come into effect, businesses with operations in Malaysia should take stock of the upcoming changes, start reviewing their data protection compliance programme and related processes in Malaysia, and undertake a gap analysis to ensure that they will be in a position to comply with the Malaysian PDPA once the new changes come into effect. In light of the heightened cybersecurity risks, companies should also take steps to prepare for data breach incidents, including by establishing incident response protocols and running table-top exercises.

In particular, businesses will need to ensure that they are adequately prepared to comply with the new substantive requirements, such as the mandatory personal data breach notification requirement, the revised cross-border data transfer approach and the data portability requirement. In this regard, businesses can draw on data protection strategies developed in other jurisdictions and internationally, where such requirements have been mandatory for some time, to manage compliance with these substantive requirements.

We will monitor and provide further updates on the progress of the PDP Bill. In the meantime, please feel free to reach out to us if you have any questions.