One of the most commonly asked questions we face today is: when will the current Personal Data Protection Act 2010 (“PDP Act”) receive its long-overdue amendments? As personal data becomes increasingly important in our digital world, ensuring robust protection measures is crucial. Around the globe, laws like the General Data Protection Regulation (“GDPR”) in the EU, along with similar frameworks in the UK and Singapore, set high standards for privacy and data protection. Finally, Malaysia is catching up with the introduction of the much-anticipated Personal Data Protection (Amendment) Bill 2024 (“PDP Amendment Bill”). These amendments introduce substantial changes to the current data protection regime, which all companies, data protection officers and general counsels should take note of.
In this article, we decode the PDP Amendment Bill and highlight top ten crucial insights for general counsels.
- 1. Current Status of the Personal Data Protection (Amendment) Bill 2024
- On 10 July 2024, the PDP Amendment Bill was tabled at the Dewan Rakyat (House of Representatives) of the Malaysian Parliament for its First Reading, introducing several significant changes to the PDP Act. Currently, the PDP Amendment Bill is subject to debate in Parliament, and it remains to be seen whether it will be passed as is or with further amendments. Therefore, all companies and general counsels should closely monitor the development of this PDP Amendment Bill.
- 2. Change from “Data User” to “Data Controller”
- In the current PDP Act, a “data user” is defined as a person who processes any personal data or has control over or authorizes the processing of any personal data. The PDP Amendment Bill seeks to substitute “data user” with “data controller”, aligning more closely with the common terminology used in other jurisdictions such as the EU, UK, and Singapore. Therefore, if “data user” is referenced in any of your PDP notices or agreements, you should be prepared to make necessary changes to reflect this amendment.
- 3. The New Role of Data Processors
- The current PDP Act mainly focuses on “data users” or “data controllers,” without imposing direct obligations on “data processors.” A “data processor” is any person who processes personal data on behalf of a data controller and does not process it for their own purposes. The lack of any direct legal obligation on a “data processor” has always been a key criticism of the current PDP Act.
- The PDP Amendment Bill now imposes direct legal obligations on data processors to comply with security principles – this means data processors must take practical steps to protect personal data from loss, misuse, unauthorized access, and other risks. This change will significantly impact companies operating as data processors, requiring them to adjust their operational practices accordingly.
- 4. Appointment of Data Protection Officer
- The PDP Amendment Bill makes it mandatory for data controllers and data processors to appoint a Data Protection Officer (“DPO”) who will be accountable for compliance with the PDP Act. This is a significant shift, as organizations can no longer merely designate a contact person in their PDP Notice. The DPO will be held accountable for any breaches of the law, making it a crucial role that companies must take seriously.
- 5. Mandatory Data Breach Notification to the Personal Data Protection Commissioner
- One of the most anticipated changes is the mandatory notification of data breaches to the Personal Data Protection Commissioner. If a data controller believes a personal data breach has occurred, they must notify the Personal Data Protection Commissioner. This requirement mirrors the strict data breach notification rules in the recently enacted Cyber Security Act 2024.
- This is a strict mandatory requirement as stated in the PDP Amendment Bill. The reading of the PDP Amendment Bill suggests that the duty to notify the Personal Data Protection Commissioner applies regardless of the severity or gravity of the personal data breach. This means that even minor breaches must be reported, emphasizing the importance of transparency and accountability in handling personal data. Many companies may not currently have protocols in place to capture or acknowledge any personal data breaches. This lack of preparation can lead to significant legal and financial repercussions under the new amendments. Therefore, companies should provide comprehensive training to relevant personnel to ensure they understand the importance of this requirement and the procedures for reporting breaches. This proactive approach will help ensure that all personal data breaches are promptly and accurately reported to the Personal Data Protection Commissioner, thereby enhancing the overall data protection framework within the organization.
- 6. Data Breach Notification to Data Subjects
- In addition to notifying the Commissioner, if a personal data breach is likely to cause significant harm to the data subject, the data controller must also notify the affected individual without delay. This dual notification requirement highlights the critical need for companies to establish clear protocols and provide comprehensive training for efficient data breach management. However, the definition of what constitutes “significant harm” to the data subject remains unclear at this time.
- 7. Right to Data Portability
- The PDP Amendment Bill introduces the right to data portability, allowing data subjects to request the transfer of their personal data to another data controller of their choice. This request is subject to technical feasibility and compatibility of the data format. Data portability empowers individuals by giving them greater control over their personal data and how it is processed.
- Moving forward, companies should emphasize and focus on data portability to foster competition and innovation among data service providers. When individuals can easily transfer their data from one data service provider to another, it lowers the barriers to switching services and reduces the risk of vendor lock-in, encouraging companies to offer better products and services to retain their customers. This increased mobility of personal data can lead to improved user experiences and drive advancements in data-driven services, ultimately benefiting consumers and the market as a whole.
- 8. Removal of White-List Countries for Cross-Border Data Transfers
- The current PDP Act limits personal data transfers to only the “white-list” countries. However, no such “white-list” has been gazetted.
- The PDP Amendment Bill removes this “white-list” regime by allowing data controllers to transfer personal data to any country if the receiving country meets one of two conditions: (i) it has a data protection law substantially similar to Malaysia’s; or (ii) it offers an adequate level of protection equivalent to Malaysian law. This change addresses one of the most frequently asked questions about the current data transfer restrictions, offering more operational flexibility.
- 9. Introduction of Biometric Data
- The PDP Amendment Bill brings within the PDP Act personal data resulting from technical processing related to physical, physiological, or behavioural characteristics, known as biometric data. This addition makes personal data protection more comprehensive and safeguards data subjects’ privacy more effectively.
- 10. Heavier Penalties for Non-Compliance with Personal Data Protection Principles
- Under the current PDP Act, data controllers are obligated to comply with seven personal data protection principles: (i) the general principle, (ii) the notice and choice principle, (iii) the disclosure principle, (iv) the security principle, (v) the retention principle, (vi) the data integrity principle, and (vii) the access principle. Failure to comply with these principles can result in a fine of up to three hundred thousand ringgit or imprisonment for a term not exceeding two years, or both.
- The PDP Amendment Bill seeks to introduce even heavier penalties for data controllers that fail to comply with these personal data protection principles. If found liable, the penalty can now be as severe as one million ringgit or imprisonment for a term not exceeding three years, or both. This significant increase in penalties underscores the importance of prioritizing compliance with personal data protection laws. Companies must take proactive measures to ensure they adhere to these principles to avoid severe legal and financial consequences.
Conclusion
These amendments to the Personal Data Protection Act 2010 mark a significant shift towards a more comprehensive and robust data protection regime in Malaysia. Companies and general counsels must stay informed and prepared to adapt to these changes to ensure compliance and protect personal data effectively.
If you would like to learn more about personal data protection law in Malaysia, our team of seasoned professionals is here to assist. With in-depth expertise in the Personal Data Protection Act 2010, we are well-equipped to provide you with comprehensive advice and guidance. Please reach out to us to discuss your specific needs and ensure your compliance with the latest regulations.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my