Amendments to Personal Data Protection Act 2010 Passed in Dewan Rakyat
July 24, 2024

The Personal Data Protection (Amendment) Bill 2024 (“the Bill”), which proposed amendments to the Personal Data Protection Act (“PDPA”) 2010, was passed by the Dewan Rakyat without amendments on 16th July 2024. The Bill was tabled by the Digital Minister, YB Gobind Singh Deo (“the Minister”).

Amongst others, the following key changes were proposed in the Bill: -

1. Term “Data User” Replaced with “Data Controller”

The Bill replaced the term “data user” (which refers to a person who processes any personal data or has control over or authorizes the processing of any personal data) with “data controller”.

The Minister explained in Parliament that this is to ensure consistency with the terminology used in most data protection laws internationally, including the European Union’s General Data Protection Regulation (GDPR).

2. Data Processors to Comply with Security Principle

Presently, under the PDPA 2010, the personal data protection principles do not directly apply to data processors (i.e. persons who process the personal data solely on behalf of the data controller and do not process the personal data for any of their own purposes).

The Bill provides that, where data processors process personal data on behalf of data controllers, data processors are required to comply with the Security Principle under s. 9 PDPA 2010. This means that data processors will need to, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.

3. Compulsory Appointment of Data Protection Officer

Data protection officers (“DPO”) will be required to be appointed by: -

  1. Data controllers;
  2. Data processors, where the processing of personal data is carried out by a data processor on behalf of the data controller.

The data controller will need to notify the Personal Data Protection Commissioner (“the Commissioner”) on the appointment of the DPO.

DPOs will be accountable to the data controller or data processor (as the case may be) for the compliance with the PDPA 2010. Nevertheless, the appointment of a DPO will not discharge the data controller or data processor from their duties and functions under the PDPA 2010.

However, the Bill does not specify the precise role, functions, and duties of a DPO. This would likely be clarified in further regulations.

4. Mandatory Personal Data Breach Notification

The Bill recognises the concept of a “personal data breach”. A “personal data breach” is defined in the Bill as any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data.

Where a data controller has reason to believe that a personal data breach has occurred, the data controller will be required to, as soon as practicable, notify the Commissioner. Failure to do so may, upon conviction, result in a fine up to RM250,000.00, or imprisonment for a term up to two (2) years, or both.

Additionally, if the personal data breach causes or is likely to cause any significant harm to the data subject, the data controller will be required to notify the data subject of the said personal data breach.

5. Right to Data Portability

Subject to technical feasibility and compatibility of the data format, a data subject will be able to request the data controller to transmit his personal data to another data controller of his choice directly. This is done by giving a notice in writing by way of electronic means to the data controller.

The Minister explained that this provides a data subject with the convenience of not needing to provide his personal data to the new data controller.

6. Biometric Data as “Sensitive Personal Data”

Presently, under s. 40 PDPA 2010, “sensitive personal data” may only be processed if the data subject gives his explicit consent to the processing of the personal data, the processing is necessary for any of the reasons stated in s. 40 PDPA 2010, or the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

The Bill now recognises “biometric data” as “sensitive personal data”. In the Bill, “biometric data” is defined as “any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person”.

Thus, with this amendment, data controllers may only process biometric data if the above requirements are satisfied.

7. Increased Penalties for Breach of Personal Data Protection Principles

The penalty for data controllers who breach the personal data protection principles in s. 5 PDPA 2010 will be increased to a fine up to RM1 million, or imprisonment for a term not exceeding three (3) years, or both.

The Minister explained that this amendment is to reduce incidents of personal data violations and send a message to all parties involved of the government’s commitment to protect personal data.

8. Changes to Requirements for Cross-Border Data Transfers

Presently, under s. 129 PDPA 2010, a data user shall not transfer any personal data of a data subject to a place outside Malaysia except, amongst others, to certain white-listed areas as specified by the Minister by notification published in the Gazette. Since the PDPA 2010 came into effect, this regime has not been used. The Bill seeks to remove this regime.

Instead, a data controller may transfer personal data of a data subject to any place outside Malaysia if: -

  1. in that place, there is in force any law which is substantially similar to PDPA 2010, or that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by PDPA 2010; or
  2. one of the exceptions in s. 129(3) PDPA 2010 applies. The present exceptions where a data user may transfer personal data to a place outside Malaysia in s. 129(3) PDPA 2010 remain, except that the Bill removes the exception where the transfer is necessary as being in the public interest in circumstances as determined by the Minister.

9. Exclusion of personal data of deceased individuals

The Bill clarifies the definition of “data subject” by expressly excluding deceased individuals.

As the Bill has been passed by the Dewan Rakyat, it now needs to be passed by the Dewan Negara. If the Bill is passed by the Dewan Negara, it will be presented for Royal Assent and will thereafter come into force on a date set by the Minister. There will likely be a transition period for businesses to comply with the new provisions.

Nonetheless, it would be prudent for businesses to take the following steps in anticipation of these proposed amendments to the PDPA: -

  1. Consider candidates to be appointed as a data protection officer;
  2. Ensure that data processors engaged comply with the Security Principle under s. 9 PDPA 2010;
  3. Consider and prepare a personal data breach plan;
  4. Consider and prepare for the exercise of data portability rights;
  5. Review data protection policies to ensure compliance with the PDPA 2010.

*Written by Priscilla Faith Lim (Associate)

For any related enquiries, please contact our Partner, David Mathew (davidmathew@stsp.my) or Associate, Priscilla Faith Lim (priscillalim@stsp.my).

The content of this article is of a general nature and does not constitute legal or other advice or the provision of legal or other professional services, and shall not be relied upon as such.