The Personal Data Protection (Amendment) Bill 2024 (“the Bill”), which proposed amendments to the Personal Data Protection Act (“PDPA”) 2010, was passed by the Dewan Rakyat without amendments on 16th July 2024. The Bill was tabled by the Digital Minister, YB Gobind Singh Deo (“the Minister”).
Amongst others, the following key changes were proposed in the Bill: -
The Bill replaced the term “data user” (which refers to a person who processes any personal data or has control over or authorizes the processing of any personal data) with “data controller”.
The Minister explained in Parliament that this is to ensure consistency with the terminology used in most data protection laws internationally, including the European Union’s General Data Protection Regulation (GDPR).
Presently, under the PDPA 2010, the personal data protection principles do not directly apply to data processors (i.e. persons who process the personal data solely on behalf of the data controller and do not process the personal data for any of their own purposes).
The Bill provides that, where data processors process personal data on behalf of data controllers, data processors are required to comply with the Security Principle under s. 9 PDPA 2010. This means that, when processing personal data, data processors will need to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
Data protection officers (“DPO”) will be required to be appointed by: -
The data controller will need to notify the Personal Data Protection Commissioner (“the Commissioner”) on the appointment of the DPO.
DPOs will be accountable to the data controller or data processor (as the case may be) for the compliance with the PDPA 2010. Nevertheless, the appointment of a DPO will not discharge the data controller or data processor from their duties and functions under the PDPA 2010.
However, the Bill does not specify the precise role, functions, and duties of a DPO. This would likely be clarified in further regulations.
The Bill recognises the concept of a “personal data breach”. A “personal data breach” is defined in the Bill as any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data.
Where a data controller has reason to believe that a personal data breach has occurred, the data controller will be required to, as soon as practicable, notify the Commissioner. Failure to do so may, upon conviction, result in a fine up to RM250,000.00, or imprisonment for a term up to two (2) years, or both.
Additionally, if the personal data breach causes or is likely to cause any significant harm to the data subject, the data controller will be required to notify the data subject of the said personal data breach.
Subject to technical feasibility and compatibility of the data format, a data subject will be able to request the data controller to transmit his personal data to another data controller of his choice directly. This is done by giving a notice in writing by way of electronic means to the data controller.
The Minister explained that this provides a data subject with the convenience of not needing to provide his personal data to the new data controller.
Presently, under s. 40 PDPA 2010, “sensitive personal data” may only be processed if the data subject gives his explicit consent to the processing of the personal data, the processing is necessary for any of the reasons stated in s. 40 PDPA 2010, or the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
The Bill now recognises “biometric data” as “sensitive personal data”. In the Bill, “biometric data” is defined as “any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person”.
Thus, with this amendment, data controllers may only process biometric data if the above requirements are satisfied.
The penalty for data controllers who breach the personal data protection principles in s. 5 PDPA 2010 will be increased to a fine up to RM1 million, or imprisonment for a term not exceeding three (3) years, or both.
The Minister explained that this amendment is intended to reduce incidents of personal data violations and to signal to all parties involved the government’s commitment to protecting personal data.
Presently, under s. 129 PDPA 2010, a data user shall not transfer any personal data of a data subject to a place outside Malaysia except, amongst others, to certain white-listed areas as specified by the Minister by notification published in the Gazette. Since the PDPA 2010 came into effect, this regime has not been used. The Bill seeks to remove this regime.
Instead, a data controller may transfer personal data of a data subject to any place outside Malaysia if: -
The Bill clarifies the definition of “data subject” by expressly excluding deceased individuals.
As the Bill has been passed by the Dewan Rakyat, it now needs to be passed by the Dewan Negara. If the Bill is passed by the Dewan Negara, it will be presented for Royal Assent and will thereafter come into force on a date set by the Minister. There will likely be a transition period for businesses to comply with the new provisions.
Nonetheless, it would be prudent for businesses to take the following steps in anticipation of these proposed amendments to the PDPA: -
*Written by Priscilla Faith Lim (Associate)
For any related enquiries, please contact our Partner, David Mathew (davidmathew@stsp.my) or Associate, Priscilla Faith Lim (priscillalim@stsp.my)
The content of this article is of a general nature and does not constitute legal or other advice or the provision of legal or other professional services, and shall not be relied upon as such.