Personal Data Protection (Amendment) Bill 2024
Introduction
On 10 July 2024, the Personal Data Protection (Amendment) Bill 2024 (“Amendment Bill”) was officially tabled in the Dewan Rakyat (House of Representatives) of the Malaysian Parliament for its first reading. Subsequently, the Dewan Rakyat approved the Amendment Bill on its second reading on 16 July 2024. The Amendment Bill will now be presented to the Dewan Negara (Senate) of the Malaysian Parliament and, if passed, for Royal Assent.
In response to the growing importance of personal data in today’s digital age, the Amendment Bill proposes important changes to the Personal Data Protection Act 2010 (PDPA) (Act 709) (“the Act”). These amendments aim to strengthen data protection measures for commercial transactions, reflecting technological advancements.
Key amendments introduced in the Amendment Bill
1. Replacement of Term ‘Data User’ with ‘Data Controller’
The term “data user” has been replaced with “data controller” throughout the Act.
2. Exclusion of Deceased Individuals from the Definition of Data Subject
Deceased individuals are no longer considered data subjects under the Amendment Bill.
3. Recognition of Biometric Data as Sensitive Personal Data
Biometric data, previously excluded from the definition of personal data, is now categorised as sensitive personal data. Biometric data is technically processed personal data relating to a person’s physical, physiological, or behavioural characteristics, such as fingerprints or face recognition data.
4. Direct Obligation for Data Processors
Prior to the amendment, data processors were not explicitly accountable for adhering to the seven (7) Personal Data Protection Principles outlined in the Act. The Amendment Bill imposes a direct obligation on data processors to comply with the Personal Data Protection Principles stated in the Act.
5. Increased Penalties for Breach of Personal Data Protection Principles
The original penalty under the Act for a data controller’s non-compliance with the Personal Data Protection Principles was a fine up to RM300,000.00 or imprisonment of up to two (2) years, or both. The Amendment Bill now imposes a fine of up to RM1,000,000.00 or imprisonment of up to three (3) years, or both.
6. Mandatory Appointment of Data Protection Officer (DPO)
The Act made no provision to appoint personnel to address complaints or reports of data breaches. The Amendment Bill now mandates data processors to appoint a DPO responsible for ensuring compliance. The data controller must notify the Commissioner of the appointment of a DPO.
7. Mandatory Personal Data Breach Notification
Data controllers must notify the Commissioner of any personal data breach. If such a personal data breach is likely to cause significant harm to the data subject, the data controller is obligated to notify the data subject of the personal data breach without unnecessary delay.
8. Rights to Data Portability
Data subjects can now request that their personal data be transferred directly to another data controller of their choice by providing notice in writing by electronic means. Such a request is subject to technical feasibility and compatibility of the data format. Upon receiving the request, the data controller is required to complete the transmission of personal data within the prescribed period.
9. Removal of the Whitelist Regime for Cross-Border Data Transfer
Previously, the transfer of personal data outside Malaysia was restricted to locations published in the Gazette (Whitelist). The Amendment Bill allows data controllers to transfer any personal data of a data subject to any place outside Malaysia, provided that the country has substantially similar laws or ensures an equivalent level of protection.
Conclusion
Malaysia’s data privacy landscape is poised for a significant revamp with the introduction of the Amendment Bill. Therefore, stakeholders and businesses are urged to proactively assess the potential impact and prepare for potential compliance requirements as the Amendment Bill moves through the legislature.