The Personal Data Protection Act (PDPA) was enacted in Malaysia on June 2, 2010, and officially came into effect on November 15, 2013. This legislation made Malaysia the first country in the Association of Southeast Asian Nations (ASEAN) to enact comprehensive privacy laws. Recognizing the rapid expansion of the digital economy, Malaysia saw the need for robust safeguards that foster growth while protecting citizens’ right to privacy.
Since its enactment, Malaysia has made significant strides in enhancing its data protection framework. The recent amendments to the PDPA, introduced in August 2024, represent a proactive effort to further strengthen personal data protection. These changes are designed not only to align with international standards but also to respond effectively to the dynamic and evolving digital landscape.
As businesses navigate these important updates, understanding the implications of the amended PDPA is crucial for ensuring compliance and developing strategic plans. By prioritizing data protection, organizations can build trust with customers, mitigate risks, and position themselves competitively in a landscape that increasingly values privacy and security.
Overview of the Amendments
The amendments to the PDPA represent a substantial update to the existing regulations, reflecting Malaysia’s commitment to safeguarding personal data amid growing concerns over privacy and security. Here are the key changes:
1. Replacement of “Data Users” with “Data Controllers”

The amended PDPA replaces all references to “Data Users” with “Data Controllers.” Under the PDPA, “Data User” refers to “a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data but does not include a Data Processor.” This amendment aligns the terminology with international data protection frameworks, such as the European Union General Data Protection Regulation (GDPR), underscoring Malaysia’s commitment to global standards in data protection.

This amendment is largely cosmetic: it streamlines terminology but does not materially alter the obligations of “Data Users,” now referred to as “Data Controllers,” under the PDPA. Businesses must now adopt the term “Data Controllers” in their practices.
2. Increased Accountability for Data Processors

A significant shift in the amendments is the heightened accountability imposed on “Data Processors”. Under the PDPA, “Data Processor” refers to “any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of their own purposes”. The amended PDPA now imposes direct legal obligations on them to comply with the security requirements outlined in the Security Principle under Section 9.

“Data Processors” must now implement practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access, disclosure, alteration, or destruction. The amendments introduce direct penalties for non-compliance, with fines of up to RM1,000,000 and/or imprisonment for up to three years. This change enhances accountability within the data protection framework.

Key compliance measures now require “Data Processors” to implement necessary security protocols, including maintaining detailed records of data processing activities and developing a security policy that meets the minimum standards prescribed by the Commissioner through the Personal Data Protection Standard 2015 (PDP Standard), as mandated by the Personal Data Protection Regulations 2013.
3. Appointment of Data Protection Officers

The amendments introduce a mandatory requirement for both “Data Controllers” and “Data Processors” to appoint one or more Data Protection Officers (DPOs). This new obligation signifies a proactive approach to data protection, placing responsibility on organizations to monitor their adherence to the PDPA. DPOs must be registered with the Personal Data Protection Commissioner (Commissioner) and serve as the primary contact point for data protection matters between the organization and the Commissioner.

This obligation is limited to certain organizations engaged in large-scale processing of personal data, emphasizing the focus on entities that handle substantial volumes of sensitive information. DPOs must be ordinarily resident in Malaysia and can be appointed internally or externally.

While the amendments do not specify penalties for non-compliance with the DPO appointment requirement, further guidance will be provided in the upcoming Appointment of Data Protection Officer Guidelines (DPO Guidelines). Organizations should review their data protection policies to ensure that the DPO’s role and authority are clearly defined, enabling effective compliance and accountability.
4. Increased Penalties for Breaches of Personal Data Protection Principles

The recent amendments propose significant changes to the penalties for breaches of the personal data protection principles outlined in Section 5 of the PDPA. These principles, known as the Personal Data Protection Principles (PDP Principles), are crucial for guiding “Data Controllers” in processing personal data.

Currently, breaches can result in a maximum penalty of RM300,000 or imprisonment for up to two years. The Amendment Bill raises these penalties to a maximum fine of RM1,000,000 and/or imprisonment for up to three years, reflecting a stronger commitment to enforcing compliance.

Although the increased penalties do not mandate specific compliance actions, they indicate a shift toward stricter enforcement. Businesses should seize this opportunity to review their practices and conduct audits to ensure they can demonstrate comprehensive compliance with the PDPA.
5. New Mandatory Personal Data Breach Notification Regime

The amendments introduce a critical requirement for mandatory notification of personal data breaches by “Data Controllers”. Notification was previously voluntary; the Amendment Bill now mandates that “Data Controllers” promptly notify both the Personal Data Protection Commissioner and affected data subjects in the event of a breach of personal data.

A “personal data breach” encompasses any loss, misuse, or unauthorized access to personal data. If a “Data Controller” believes a personal data breach has occurred, it must inform the Commissioner as soon as practicable. If the breach is likely to cause significant harm to data subjects, it must also notify the affected individuals without undue delay. Non-compliance could result in penalties, including fines of up to RM250,000 and/or imprisonment for up to two years.

While the Bill outlines the necessity for timely notifications, it does not define “significant harm.” Further guidance on the notification process, including applicable thresholds and timeframes, will be detailed in the forthcoming Data Breach Notification Guidelines (DBN PCP).
6. Data Subject’s Right to Data Portability

The amendments introduce a new right for data subjects: the right to data portability. This allows individuals to request that a “Data Controller” transmit their personal data directly to another “Data Controller” of their choice, provided the transfer is technically feasible and the data formats are compatible.

For instance, this enables data subjects to request the direct transmission of their personal data from one healthcare provider to another. To exercise this right, individuals must provide written notice through electronic means, and “Data Controllers” are obligated to complete the transmission within a specified timeframe. However, this right is not absolute; it is contingent on technical feasibility and compatibility of data formats.

Notably, the amendments do not outline penalties for “Data Controllers” who fail to comply. Further guidance on the implementation of the right to data portability will be detailed in the forthcoming Data Portability Guidelines (Data Portability PCP).
7. Removal of the White-list Regime for Cross-border Data Transfers

The amendments also propose the removal of the white-list regime, previously established under Section 129, which has not been utilized since the PDPA’s inception. This regime required “Data Users” to transfer personal data only to jurisdictions specified by the Minister based on the Commissioner’s recommendations.

The new provisions allow “Data Controllers” to transfer personal data to any country, provided that the recipient’s laws are substantially similar to the PDPA or offer an adequate level of protection. While this shift empowers organizations to assess data protection laws abroad, it may pose challenges, particularly for smaller entities that may need to engage external legal experts for compliance.

The absence of a centralized adequacy mechanism could lead to inconsistent evaluations among “Data Controllers”, complicating cross-border data flows. To assist with these changes, the Commissioner is developing the Cross-Border Data Transfers Guidelines to clarify the steps necessary for compliant outbound transfers.
8. Exclusion of Deceased Individuals as Data Subjects

The amendments refine the definition of “data subject” by explicitly excluding deceased individuals.
9. Recognition of Biometric Data as Sensitive Personal Data

The PDP Bill expands the definition of “sensitive personal data” under the PDPA to include “biometric data.” This type of data is defined as any personal data resulting from technical processing related to an individual’s physiological or behavioral characteristics, such as fingerprints, facial recognition, or voice patterns.

By categorizing biometric data as sensitive, the amendments impose stricter consent and security requirements due to the inherent risks associated with its misuse. Previously, the PDPA recognized four types of sensitive personal data, including information about physical health, political opinions, and religious beliefs. The addition of biometric data emphasizes the need for heightened vigilance in its handling, especially as its use in sectors like security and healthcare continues to rise. Examples now explicitly recognized include retinal analysis, keystroke dynamics, gaze analysis and handwritten signature analysis.
Implications for Businesses
These amendments present both challenges and opportunities for businesses operating in Malaysia. Companies must take proactive steps to ensure compliance with the new regulations. Here are some considerations for organizations:
- Review and Revise Policies: Businesses should revisit their privacy policies and data handling procedures to align with the new consent and accountability requirements, updating internal documentation and training staff accordingly.
- Investment in Data Security: To comply with increased accountability, companies should invest in robust data security measures. This includes implementing advanced technological solutions to protect personal data and conducting regular audits to assess compliance with the amended PDPA.
- Enhancing Consumer Trust: By adopting transparent data practices and prioritizing data protection, businesses can build trust with consumers. Demonstrating a commitment to safeguarding personal data can serve as a competitive advantage in an increasingly privacy-conscious market.
- Legal and Compliance Consultations: Engaging legal professionals or data protection experts will be vital for navigating the complexities of the amended PDPA. These experts can provide guidance on compliance strategies and help organizations prepare for potential audits or investigations.
Conclusion
The recent amendments to Malaysia’s Personal Data Protection Act mark a significant advancement in the country’s efforts to enhance personal data protection. As businesses adapt to these changes, staying informed and proactive will be essential to ensure compliance and protect consumer rights. With the growing global emphasis on data privacy, Malaysia’s updated PDPA positions the nation as a proactive player in the realm of data protection, fostering a more secure environment for consumers and businesses alike.
About the Authors
Low Khye Yen
Partner
Banking & Finance, Real Estate, Trust, Wills & Probate
Halim Hong & Quek
kylow@hhq.com.my