The Amendments to the Personal Data Protection Act 2010 – What You Need to Know

August 24, 2024
Vishnu Vijandran

Introduction

On 16.7.2024, the Personal Data Protection (Amendment) Bill 2024 (the “Bill”) passed its first and second readings in Malaysia’s Dewan Rakyat (House of Representatives), and on 31.7.2024 the Bill was passed by Malaysia’s Dewan Negara (Senate).

The Bill makes several much-needed changes to the Personal Data Protection Act 2010 (the “Act”) in an effort to “improve the provisions relating to the processing of personal data so as to be in line with international standards and practices”[1].

Once these amendments come into effect, companies must update (or at least review) their data protection policies. We have summarised the key changes for you:

Key Change 1 – Changed terms and biometric data

Clause 3 of the Bill introduces the term “biometric data”, which is defined as:

…any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person

In practice, biometric data is any template or measurement derived from a person’s body or behaviour: fingerprint, facial or iris templates used for access control or authentication, voice prints, and behavioural profiles such as typing or gait patterns. It is therefore processed not only by healthcare providers but by any business that uses biometric login, attendance or identity-verification systems.

Biometric data now forms part of sensitive personal data within the meaning of the Act. Hence, a failure to process biometric data in accordance with Section 40 of the Act will result in a fine of up to RM200,000.00, imprisonment of up to two years or both, under Section 40(4). Data controllers processing biometric data must thus take special care not to contravene the requirements of Section 40.

Also, as a general change to the Act, Clause 2 of the Bill replaces the term “data user” with “data controller” throughout. This change was made to ensure conformity with international data protection legislation, including the GDPR[2]. It has no direct effect on businesses’ obligations, although the terminology in existing policies and contracts should be updated to match.

Key Change 2 – Data processors must now comply with the Security Principle, and penalties for non-compliance are increased

The Bill introduces, among other things, a new subsection to Section 5 of the Act, which sets out the Personal Data Protection Principles. The most important of these for present purposes is the Security Principle, set out in Section 9 of the Act.

In essence, the Security Principle requires a data controller (and now, under the new subsection, a data processor) to take practical steps to protect personal data against any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, having regard to the factors listed in Section 9 of the Act, i.e.:

  1. to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
  2. to the place or location where the personal data is stored;
  3. to any security measures incorporated into any equipment in which the personal data is stored;
  4. to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
  5. to the measures taken for ensuring the secure transfer of the personal data.

Parliament recognised that the absence of any responsibility under the Security Principle for data processors was a serious oversight. Hence, the new subsection (1A) now obliges data processors to comply with the Security Principle when processing personal data on behalf of a data controller.

Indeed, compliance with Section 9 has become even more important: Parliament has increased the penalty that applies to a contravention of the Security Principle from a fine of up to RM300,000.00 or imprisonment for up to two years or both, to a fine of up to RM1,000,000.00 or imprisonment for up to three years or both, in an effort to deter personal data breaches.

Companies must therefore ensure that their data protection policies and practices satisfy the Security Principle in Section 9. This involves reviewing, against the five factors above, where and on what systems personal data is stored, what security measures those systems provide (for example, access controls and encryption of stored data), who has access to the data and how those personnel are vetted and trained, and how the data is protected when it is transferred. Data processors, who were previously outside the scope of this obligation, must now carry out the same review.

Key Change 3 – Data Breach notification and requirement to appoint Data Protection Officers

The Bill defines a Personal Data Breach as follows:

“…any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data”

In practice, this covers, among other things, an accidental disclosure of data by an employee as well as a cyber-attack by a malicious third party.

Under the new Section 12B, where a data controller has reason to believe that a personal data breach has occurred, it is required to notify the Personal Data Protection Commissioner (who possesses several supervisory powers under the Act) as soon as practicable. Contravention of this section is punishable by a fine not exceeding RM250,000.00 or imprisonment for a term not exceeding two years or both.

Where the breach causes or is likely to cause significant harm to a data subject, for example by disclosing sensitive health information, the data controller must also notify the affected data subject without unnecessary delay, in the form and manner determined by the Commissioner.

Further, the new Section 12A of the Act requires data controllers (or data processors, as the case may be) to appoint one or more data protection officers, who are accountable to the controller for compliance with the Act. Essentially, these officers are responsible for guiding the organisation’s compliance with the Act and monitoring that it is maintained.

While there is no specific penalty for contravention of this provision, it may still fall within the ambit of an enforcement notice issued by the Commissioner after an investigation following a complaint of non-compliance under the Act. Failure to comply with an enforcement notice is an offence, punishable by a fine not exceeding RM200,000.00 or imprisonment for a term not exceeding two years or both.

Key Change 4 – Right of Data Portability

The new Section 43A of the Act provides for a data subject’s (i.e., an individual who is the subject of the personal data) right to data portability. Essentially, a data subject can now request that a data controller transmit their personal data directly to another data controller, subject to technical feasibility and compatibility of the data format. The data controller is required to complete the transmission within “the period as may be prescribed”.

For example, a data subject can now ask one company to transfer all of his data to another company, and, provided the transfer is technically feasible and the data formats are compatible, the first company must carry out the transfer within the prescribed period.

Key Change 5 – Transfer of Personal Data outside of Malaysia

The Act currently provides that personal data may be transferred outside Malaysia only to places specified by the Minister by notification in the Gazette, subject to a limited list of exceptions (for example, where the data subject has consented to the transfer).

Clause 12 amends Section 129 of the Act to provide that a data controller may transfer personal data to any country or place outside Malaysia that has a law substantially similar to the Act or that ensures a level of protection comparable to that provided under the Act. This significantly liberalises the data transfer mechanism under the Act and should allow businesses to transfer data to a much wider range of jurisdictions. The burden of assessing whether the destination offers that level of protection now falls on the data controller, so businesses should record the basis for each such transfer.

Conclusion

In conclusion, the amendments to the Act represent a significant step forward in aligning Malaysia’s data protection laws with international standards. For businesses operating in Malaysia, compliance with the amended Act is crucial to minimise reputational risk and avoid hefty penalties. With new obligations relating to biometric data, enhanced security requirements that now extend to data processors, mandatory breach notifications, and the appointment of data protection officers, companies must take a proactive approach to revisiting and strengthening their data protection frameworks.

In particular, the introduction of the right to data portability and the relaxed restrictions on cross-border data transfers open new opportunities, but also present challenges that require careful planning and implementation. As businesses navigate these amendments, it is crucial to engage legal experts who can provide tailored advice and assist in building robust compliance strategies. Otherwise, they risk fines of up to RM1,000,000.00.

[1] Explanatory Statement, Personal Data Protection (Amendment) Bill 2024.
[2] Hansard, Dewan Rakyat, 16.07.2024, page 63.