Personal Data Protection (Amendment) Bill 2024 Tabled in Parliament

On 10 July 2024, the Personal Data Protection (Amendment) Bill 2024 (“2024 Bill”) was tabled at the Dewan Rakyat (House of Representatives) of the Malaysian Parliament for its First Reading, introducing several significant changes to the Personal Data Protection Act 2010 (“2010 Act”).
The proposed amendments in the 2024 Bill were drafted to align Malaysian data protection laws more closely with international standards.
Highlighted below are the salient amendments proposed in the Bill:
1. 2024 Bill: Mandatory appointment of data protection officer (“DPO”).
   2010 Act: No DPO requirement.

2. 2024 Bill: Data processors directly obliged to comply with security requirements, including direct imposition of penalties on data processors for breach.
   2010 Act: Data processors are not directly subject to obligations under the 2010 Act.

3. 2024 Bill: Mandatory personal data breach notification to:
     (a) the Personal Data Protection Commissioner; and
     (b) data subjects in the event the breach “causes or is likely to cause any significant harm”.
   *“Personal data breach” is defined generally as any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data.
   2010 Act: No mandatory personal data breach notification requirements.

4. 2024 Bill: Data subject’s right to data portability, subject to “technical feasibility and compatibility of the data format”.
   2010 Act: No right to data portability.

5. 2024 Bill: Biometric data considered as “sensitive personal data”.
   *“Biometric data” is defined as personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person.
   2010 Act: Biometric data not expressly addressed.

6. 2024 Bill: Increased penalties for breach of personal data protection principles, up to RM1,000,000 and/or up to three years’ imprisonment.
   2010 Act: Breach of personal data protection principles subject to a fine of up to RM300,000 and/or two years’ imprisonment.

7. 2024 Bill: Removal of the white-list regime for cross-border data transfers. Personal data may be transferred out of Malaysia to a country that has substantially similar laws or that ensures equivalent levels of protection. Otherwise, the exceptions provided for under the 2010 Act may be relied upon to effect such transfers.
   2010 Act: Whitelisted countries to which data transfers could be effected (though no whitelisted countries were ultimately gazetted). Transfers of personal data out of Malaysia may be carried out if exceptions apply, e.g. with the consent of the data subject, or where necessary for the performance of a contract.

8. 2024 Bill: Replaces the term “Data User” with “Data Controller”.
   2010 Act: Term used: “Data User”.

9. 2024 Bill: Personal data of deceased individuals expressly excluded from the scope of the Act.
   2010 Act: Personal data of deceased individuals not expressly addressed.
Implications and Next Steps for Businesses

- Consider appropriate candidates for the role of DPO.
- Establish a data breach notification protocol.
- Prepare for the operationalisation of data portability rights.
- For data processors: ensure compliance with the Security Principle.
It is currently unclear as to whether there will be a grace period to comply with the new provisions under the 2024 Bill.
It is also anticipated that some guidelines will be developed to supplement and further clarify the scope of the new provisions and obligations, such as the detailed requirements surrounding the appointment of a DPO, thresholds for data breach notification as well as data portability compliance timelines and applicable exemptions.  
The Bill is subject to further debate in Parliament, and it remains to be seen whether it will be passed as is or with further amendments. Organisations are advised to keep a close eye on developments.
Alert by Jillian Chia (Head/Partner), Natalie Lim (Partner) and Charmayne Ong (Partner) of the Personal Data Protection Practice of Skrine.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact