Personal Data Protection Department issues Public Consultation Papers on Personal Data Protection Standards and Cross Border Transfers

The Department of Personal Data Protection (“JPDP”) issued two public consultation papers (“PCP”) on 1 October 2024 to seek feedback from the public on (i) the proposed amendments to the existing Personal Data Protection Standard 2015 and (ii) the aspects to be addressed in the proposed guidelines on cross border personal data transfers, pursuant to the new provisions introduced when the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) comes into operation1. JPDP had also issued three PCP earlier on 19 August 2024 – please see our previous Alert for further details.
 
The PCP (which are published in bilingual format with the Bahasa Malaysia version preceding the English language version) are as follows: 
  1. PCP No. 04/2024: Personal Data Protection Standards 
The Personal Data Protection Commissioner (“Commissioner”) is developing a revised set of security, retention and data integrity standards, to bring them in line with international best practices. This PCP seeks to gather views and feedback from the public regarding aspects that should be addressed in the proposed revised standards, which include: 
  • replacing “black and white” rules (i.e. prescriptive and specific instructions or measures that data controllers must comply with) with requirements that are outcome-based;
  • the key elements to be addressed under the security, retention, and data integrity standards; and
  • the role of certification schemes to demonstrate compliance with the standards. 
  1. PCP No. 05/2024: Cross Border Personal Data Transfer Guidelines 
To recap, the Amendment Act will introduce several amendments to section 129 of the Personal Data Protection Act 2010 (“PDPA”), i.e. the removal of the whitelist regime and placing the responsibility of determining whether another country has adequate laws or protection to safeguard personal data on the data controller (instead of the Minister), and the deletion of one of the exceptions for cross border transfers (i.e. transfer is permitted where necessary for public interest).
 
The Commissioner is developing a Guideline on Cross Border Personal Data Transfer to provide further guidance on the conditions to carry out cross border transfers. As such, this PCP seeks to gather views and feedback from the public regarding aspects that will be or should be addressed in the proposed guidelines, which include: 
  • the new conditions introduced under section 129 of the PDPA;
  • the consent requirements;
  • the factors to be considered when relying on certain conditions for cross border transfers i.e. whether the transfer is considered “necessary” for the relevant purposes such as for the performance of a contract, to protect the vital interests of the data subjects, etc.; and
  • the introduction of cross border transfer mechanisms such as Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), recognition of certifications such as the Asia Pacific Economic Cooperation Cross Border Privacy Rules System (APEC CBPR). 
Interested parties and members of the public may submit their views and feedback on the PCP to JPDP by 18 October 2024 via the following links: 
 
Alert by Jillian Chia (Head/Partner), Natalie Lim (Partner), Charmayne Ong (Partner) and Beatrice Yew (Senior Associate) of the Personal Data Protection Practice of Skrine.
 
 

1 The Personal Data Protection (Amendment) Bill 2024 will become law upon receipt of Royal Assent and gazettement. It will come into operation on a date to be appointed by the Minister by notification in the Gazette.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.