THE PASSING OF THE PERSONAL DATA PROTECTION (AMENDMENT) BILL 2024

ARC News • July 30, 2024
Introduction
In line with Malaysia’s commitment to enhance personal data protection and align with international standards, the recent passing of the Personal Data Protection (Amendment) Bill 2024 (“Amendment Bill”) marks a significant milestone. The Amendment Bill successfully passed through both chambers of the Malaysian Parliament—the Dewan Rakyat (House of Representatives) on 16 July 2024 and the Dewan Negara (Senate) on 31 July 2024.
The amendments to the Personal Data Protection Act 2010 (“PDPA”) aim to strengthen the regulatory framework by, amongst others, adopting the concept of data controllers, introducing new obligations for data processors, and expanding the rights of data subjects.
The amendments come at the right time as Malaysia continues to grow its digital economy, where the handling of personal data is integral to many business operations. The amendments are designed to improve the transparency, security, and accountability of personal data processing activities, ensuring that Malaysia keeps pace with global best practices in data protection.
Key Amendments Introduced in the Amendment Bill
Terminology Update: The Amendment Bill introduces a general amendment by replacing the terms “data user” and “data users” with “data controller” and “data controllers”. This change reflects the evolving role of entities that manage personal data, bringing the terminology in line with international practices.
Expanded Definitions: The Amendment Bill introduces definitions for “biometric data” and “personal data breach”. Biometric data, which includes data from physical, physiological, or behavioral characteristics, is now classified under the definition of sensitive personal data. Additionally, the definition of a personal data breach is now clearly outlined, covering breaches, losses, misuse, or unauthorised access of personal data.
Increased Penalties: The amendments enhance the penalties for non-compliance. Data controllers and processors who fail to adhere to the Security Principle could now face fines up to RM 1,000,000 or imprisonment for up to 3 years, an increase from the previous penalty of RM 300,000 or imprisonment for up to 2 years.
Appointment of Data Protection Officers: A significant addition is the requirement for data controllers and processors to appoint one or more Data Protection Officers (“DPO”). These officers will be responsible for ensuring compliance with the PDPA, a move that enhances accountability within organisations. The appointment of the DPO must be notified by the data controller to the Personal Data Protection Commissioner (“Commissioner”).
Mandatory Data Breach Notifications: The Amendment Bill introduces a new requirement for data controllers to notify the Commissioner of any personal data breach as soon as practicable. If the breach is likely to cause significant harm to data subjects, they must also be notified without unnecessary delay.
Rights to Data Portability: The Amendment Bill also introduces the right to data portability, allowing data subjects to request the transfer of their personal data from one data controller to another, subject to technical feasibility and data format compatibility.
Cross-Border Data Transfer: The amendments simplify the process of transferring personal data outside Malaysia. Data controllers may now transfer data to locations that ensure an adequate level of protection comparable to Malaysia’s PDPA, streamlining operations for businesses with international dealings.
These amendments are a testament to Malaysia’s commitment to safeguarding personal data and fostering trust in its digital economy by ensuring the PDPA aligns with global standards.
As the amendments come into effect, organisations must take proactive steps to comply with the new requirements, particularly the appointment of DPOs and adherence to the updated breach notification procedures. The responsibility is now on data controllers and processors to ensure they are equipped to handle these changes and maintain the integrity of the personal data they manage.
This Article is written by Yeo Shu Pin (Partner) and Humaira Ardini Binti Hizamel (Legal Executive) of Messrs. Afif Rahman & Chong.
Disclaimer: Every attempt to ensure the accuracy and reliability of the information provided in this publication has been made. This publication does not constitute legal advice and is not intended to be used as a substitute for specific legal advice or opinions. Please contact the authors for specific technical or legal advice on the information provided and related topics.