Personal Data Protection (Amendment) Bill 2024 passed by Malaysian Parliament

The Personal Data Protection (Amendment) Bill 2024 (“2024 Bill”) was passed by the Dewan Rakyat (House of Representatives) and the Dewan Negara (Senate) of the Malaysian Parliament on 16 and 31 July 2024 respectively, without any amendments.
 
The 2024 Bill will be presented for Royal Assent, and upon such assent being given, will become law upon its being gazetted. Thereafter the law will come into operation on a date to be appointed by the Minister of Digital by notification in the Gazette.
 
The 2024 Bill is intended to align Malaysia’s data protection laws more closely with international standards. The salient amendments to be introduced under the 2024 Bill as highlighted in our previous Alert¹ are set out below:
 
1. 2024 Bill: Mandatory appointment of data protection officer (“DPO”).
   2010 Act: No DPO requirement.

2. 2024 Bill: Data processors directly obliged to comply with security requirements, including direct imposition of penalties on data processors for breach.
   2010 Act: Data processors are not directly subject to obligations under the 2010 Act.

3. 2024 Bill: Mandatory personal data breach notification to:
     1. Personal Data Protection Commissioner; and
     2. Data subjects in the event breach “causes or likely to cause any significant harm”.
   *“Personal Data Breach” defined generally as any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data.
   2010 Act: No mandatory personal data breach notification requirements.

4. 2024 Bill: Data subject’s right to data portability, subject to “technical feasibility and compatibility of the data format”.
   2010 Act: No right to data portability.

5. 2024 Bill: Biometric data considered as “sensitive personal data”.
   *“Biometric data” defined as personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person.
   2010 Act: Biometric data not expressly addressed.

6. 2024 Bill: Increased penalties for breach of personal data protection principles up to RM1,000,000 and/or up to three years imprisonment.
   2010 Act: Breach of personal data protection principles subject to a fine of up to RM300,000 and/or two years imprisonment.

7. 2024 Bill: Removal of white-list regime for cross border data transfers.
   Personal data may be transferred out of Malaysia to a country that has substantially similar laws or where the country ensures equivalent levels of protection.
   Otherwise, the exceptions as provided for under the 2010 Act may be relied upon to effect such transfers.
   2010 Act: Whitelisted countries to which data transfers could be effected (though no whitelisted countries were ultimately gazetted).
   Transfers of personal data out of Malaysia may be carried out if exceptions apply e.g. with consent of the data subject, or where transfer is necessary for the performance of the contract.

8. 2024 Bill: Replaces the term “Data User” with “Data Controller”.
   2010 Act: Term used: “Data User”.

9. 2024 Bill: Personal data of deceased individuals expressly excluded from scope of the Act.
   2010 Act: Personal data of deceased individuals not expressly addressed.
 
 
Alert by Jillian Chia (Head/Partner), Natalie Lim (Partner) and Charmayne Ong (Partner) of the Personal Data Protection Practice of Skrine.

¹ Our Alert highlighting the proposed amendments under the 2024 Bill can be accessed here.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.