Personal Data Protection (Amendment) Bill 2024 passes second reading in Parliament


Co-author: Alexandra Funk (Intern, Kuala Lumpur)

On July 16, 2024, the Personal Data Protection (Amendment) Bill 2024 (‘Bill’) passed in the Dewan Rakyat (House of Representatives) of the Malaysian Parliament on its second reading after being read for the first time on July 10, 2024.
    

Current status

In 2023, the Office of the Personal Data Protection Commissioner (PDP) received a total of 779 complaints on data breaches and abuses, compared to 288 complaints reported up to June this year. Although the continuous enforcement efforts of the PDP Commissioner’s Office have produced a slight decline on average, the amendment is intended to ensure that no data is used without the consent of the data owner and to prevent the misuse and violation of personal data on existing and future digital platforms. Furthermore, the Bill was drafted to align Malaysia’s data protection regulatory framework with international standards and practices and with recent legal developments.
       

Upcoming changes

The amendments proposed in the Bill will bring several significant changes to the Personal Data Protection Act 2010 (Act 709) (‘PDPA’), which are highlighted below.
      

Nomenclature updates

Under the Bill, the term ‘data user’ will be replaced by ‘data controller’.
    
A data controller (other than a data processor), either alone or jointly with other individuals, processes any personal data or has control over or authorizes the processing of any personal data by determining the purposes and means of processing personal data.
   
A ‘data processor’ (other than an employee of the data controller) processes the personal data only on behalf of the data controller and does not process the personal data for any of their own purposes.

Mandatory data breach notification

Data controllers must notify the Personal Data Protection Commissioner as soon as practicable if they have reason to believe that a personal data breach has occurred. A ‘personal data breach’ is defined as any breach of personal data protection, loss of personal data, misuse of personal data or unauthorized access to personal data. Violation of this requirement may entail a fine of up to MYR 250,000 and/or imprisonment for a term of up to two years.

Furthermore, where the personal data breach causes or is likely to cause significant harm to the data subject, the data controller must also notify the data subject of the breach without unnecessary delay.
     

Requirement to appoint a data protection officer (DPO)

Every data controller or data processor shall appoint one or more data protection officers. These officers shall be accountable to the data controller or data processor for the company’s compliance with the PDPA.

Direct obligation for data processors to comply with the Security Principle

Data processors are currently not directly subject to legal obligations under the PDPA. Where the processing of personal data is carried out by a data processor on behalf of the data controller, a new section 5(1A) aims to ensure that the data processor complies with the Security Principle under section 9 of the PDPA.

This means data processors need to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. In addition, a data processor processing data on behalf of a data controller shall provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out, and shall take reasonable steps to ensure compliance with those measures.
     

Increased penalties for breaches of the PDPA

Under the Bill, the penalties for any non-compliance with one of the seven Personal Data Protection Principles committed by data controllers or data processors have been increased. In particular, the fine has been raised from MYR 300,000 to MYR 1 million, and the maximum imprisonment term has been increased from two years to three years.
       

New rights to data portability

The new right allows data subjects to request the controller to transfer their personal data to another controller of their choice by directly informing the controller in writing by electronic means. The request for data portability is subject to technical feasibility and compatibility of the data format.
      

Inclusion of biometric data as a type of sensitive personal data

The definition of “sensitive personal data” is extended to include biometric data. “Biometric data” is defined as all personal data resulting from the technical processing of a person's physical, physiological or behavioral characteristics.
       

Changes to rules regarding cross-border data transfers

Currently, personal data may only be transferred outside Malaysia to a place specified by the Minister through a gazette notification. In other words, the PDPA empowers the Minister to create a “whitelist” of places outside Malaysia to which data can be legally transferred.
      
The Bill abolishes this whitelist regime and introduces a general legal basis. In future, a controller may transfer a data subject's personal data to a place outside Malaysia if that place has a law in force that is substantially equivalent to the PDPA, or if that place ensures an adequate level of protection in relation to the processing of personal data that is at least equivalent to the level of protection ensured by the PDPA.
      
The existing exemptions in relation to cross-border data transfers under the current PDPA, e.g. transfers made with the consent of the data subject, remain in force, apart from the Minister's power to determine circumstances in which the transfer of personal data is necessary in the public interest.

Personal data of deceased individuals explicitly excluded from scope of the Act

The definition of the term “data subject” explicitly excludes deceased persons. As personal data is defined by reference to a data subject, the PDPA does not apply to cases where personal data of a deceased person is processed.
      
Like the existing PDPA, the Personal Data Protection (Amendment) Bill 2024 regulates only the processing of personal data in business transactions and does not change the status quo: the processing of personal data by the Malaysian Federal and State Governments remains outside the scope of the PDPA. However, other laws, such as the Official Secrets Act 1972, and various circulars bind public officers and employees and ensure that the federal and state governments remain accountable and responsible for the handling of personal data.
      

Conclusion

In summary, companies operating in Malaysia should take note of the above amendments. While the Bill awaits Royal Assent, businesses should already be preparing for the additional compliance obligations they may face, such as updating internal data processing policies and procedures and selecting, appointing and training appropriate individuals for the role of Data Protection Officer.
