| No. | 2024 Bill | 2010 Act |
|---|---|---|
| 1 | Mandatory appointment of a data protection officer (“DPO”). | No DPO requirement. |
| 2 | Data processors directly obliged to comply with security requirements, including direct imposition of penalties on data processors for breach. | Data processors are not directly subject to obligations under the 2010 Act. |
| 3 | Mandatory personal data breach notification to:<br>- the Personal Data Protection Commissioner;<br>- data subjects, in the event the breach “causes or likely to cause any significant harm”.<br>*“Personal Data Breach” is defined generally as any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data. | No mandatory personal data breach notification requirements. |
| 4 | Data subject’s right to data portability, subject to “technical feasibility and compatibility of the data format”. | No right to data portability. |
| 5 | Biometric data considered as “sensitive personal data”.<br>*“Biometric data” is defined as personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person. | Biometric data not expressly addressed. |
| 6 | Increased penalties for breach of the personal data protection principles: a fine of up to RM1,000,000 and/or up to three years’ imprisonment. | Breach of the personal data protection principles subject to a fine of up to RM300,000 and/or up to two years’ imprisonment. |
| 7 | Removal of the white-list regime for cross-border data transfers.<br>Personal data may be transferred out of Malaysia to a country that has substantially similar laws, or where the country ensures an equivalent level of protection.<br>Otherwise, the exceptions provided for under the 2010 Act may be relied upon to effect such transfers. | Whitelisted countries to which data transfers could be effected (though no whitelisted countries were ultimately gazetted).<br>Transfers of personal data out of Malaysia may be carried out if exceptions apply, e.g. with the consent of the data subject, or where necessary for the performance of a contract. |
| 8 | Replaces the term “Data User” with “Data Controller”. | Term used: “Data User”. |
| 9 | Personal data of deceased individuals expressly excluded from the scope of the Act. | Personal data of deceased individuals not expressly addressed. |