Proposed Amendments in the Personal Data Protection (Amendment) Bill 2024

On 10 July 2024, the Personal Data Protection (Amendment) Bill 2024 (“Amendment Bill”) was tabled in Parliament for its first reading. The proposed amendments will bring significant changes to the Personal Data Protection Act 2010 (“PDPA 2010”) and align it with international data privacy and protection standards. In February 2020, a review of the PDPA 2010 was conducted by the Department of Personal Data Protection, leading to the release of Public Consultation Paper No. 01/2020[1]. Notably, most of the proposed amendments in the bill are based on the contents of this Public Consultation Paper.

  1. Replacement of the term “data user” with “data controller”

Firstly, the term “data user” will be replaced with “data controller”. This change aligns the terminology with the General Data Protection Regulation (GDPR), providing clarity and consistency with international practices. Although largely cosmetic, the adoption of the term “data controller” helps to clearly define the responsibilities of those who determine the purposes and means of processing personal data under the PDPA 2010.

  2. Biometric Data as a new form of Sensitive Personal Data

A new definition of “biometric data” has been introduced, and biometric data becomes a new form of sensitive personal data under the PDPA 2010. “Biometric data” refers to personal data derived from technical processing related to an individual’s physical, physiological, or behavioural traits, likely covering data such as fingerprints, iris scans, facial recognition, and voice patterns. This inclusion is crucial given the increasing use of biometric technologies across sectors. Accordingly, businesses should reassess whether their current data protection strategies are sufficient to handle this form of data and meet the updated regulatory requirements.

  3. Increased penalties for breach of personal data protection principles

Penalties for breaching personal data protection principles under the PDPA 2010 will be significantly increased. The maximum penalties will rise from “300,000 ringgit or imprisonment up to two years, or both” to “1 million ringgit or imprisonment up to three years, or both”. This substantial increase aims to serve as a stronger deterrent against violations and highlights the importance of protecting personal data.

  4. Mandatory Data Breach Notification

The amendment also mandates the prompt reporting of personal data breaches. Data controllers will be required to report any personal data breach to the Personal Data Protection Commissioner (“Commissioner”) as soon as practicable. The aim is to ensure that breaches are addressed quickly, minimizing potential harm to individuals and allowing for timely regulatory intervention. Failure to notify can result in a fine of up to RM250,000, imprisonment for up to two years, or both.

  5. Data Processor Compliance

The existing PDPA 2010 regulates only data controllers, but under the proposed amendments data processors will also be required to adhere to the Security Principle. This change extends accountability for data protection beyond data controllers. Failure to comply with the relevant PDPA 2010 provisions will make data processors liable for penalties under the Act as well.

  6. Appointment of Data Protection Officer

Another significant change is the requirement for data controllers and data processors to appoint a Data Protection Officer (“DPO”). The DPO will act as the liaison between the data controller, the Commissioner, and the data subjects, providing a dedicated point of contact for data protection issues and improving communication and compliance.

  7. Data Portability Rights

Under the new Section 43A, the amendment also grants data subjects the right to data portability. This means that individuals can request the transfer of their personal data from one data controller to another by electronic notice, enhancing individuals’ control over their personal data. However, this right is subject to technical feasibility and data format compatibility, as explained in the explanatory statement to the Amendment Bill.

  8. Simplified International Transfer

Finally, under Section 129 of the PDPA 2010, the requirement for gazette notifications for transferring personal data outside Malaysia will be abolished. Data controllers will be allowed to transfer personal data to countries with substantially similar data protection laws or an adequate level of protection without a gazette notification. This simplification facilitates smoother international data transfers while maintaining high data protection standards.

Conclusion

While the Amendment Bill introduces several new obligations, it does not provide sufficient detail on how organizations should ensure compliance. This lack of clarity may create challenges for organizations trying to understand and implement the necessary changes to their data protection practices. The specifics of these obligations and the practical steps for compliance may be elaborated in the forthcoming Guidelines developed by the Commissioner and the Department of Personal Data Protection[2].

These Guidelines are anticipated to provide a clearer framework for organizations, detailing the processes and measures needed to adhere to the new requirements. Until these Guidelines are published, organizations may need to rely on best practices from international standards and seek professional advice to navigate the compliance landscape.

Adnan Sundra & Low – Sri Sarguna Raj, Steven Cheok Hou Cher & Nicole Chong

This article is prepared by the Partners above from the Intellectual Property, Sports & Gaming Practice Group, with the assistance of Soo An Qi & Lim Chaw Zen (Senior Associate & Associate, Adnan Sundra & Low).

This alert contains general information only. It does not constitute legal advice or an expression of legal opinion and should not be relied upon as such.