Personal Data Protection (Amendment) Bill 2024 passed by Malaysian Parliament

by MH Law | July 23, 2024 | Legal Update

__________________________________________________________


Overview


The 2024 Bill, also known as the Personal Data Protection (Amendment) Bill 2024, was approved by the Dewan Rakyat (House of Representatives) and the Dewan Negara (Senate) of the Malaysian Parliament on July 16 and 31, 2024, respectively, without any alterations.

The 2024 Bill is scheduled to undergo Royal Assent, and once granted, it will officially become law upon publication in the gazette. Subsequently, the law will take effect on a date determined by the Minister of Digital through a notification in the Gazette.


The 2024 Bill aims to bring Malaysia's data protection laws in line with international standards. The key amendments outlined in our previous Alert will be introduced under the 2024 Bill.


__________________________________________________________


Salient Amendments


A. Increased Penalties for Personal Data Protection

  • Failure to comply with any of the seven personal data protection principles outlined in the PDPA will now result in higher penalties compared to previous regulations.

  • Non-compliance could lead to a data controller facing fines of up to MYR one million (approximately USD 216,000) and/or three years of imprisonment (referred to as "Proposed Penalties").

  • Unless proven otherwise, individuals in positions such as directors, CEOs, COOs, managers, or officers responsible for data controller management may be held accountable for non-compliance and subject to the Proposed Penalties.

  • Currently, the consequences for such non-compliance are limited to fines of up to MYR 300,000 (around USD 64,000) and/or two years of imprisonment.


B. Security Principle Compliance for Data Processors

Currently, the PDPA places the legal obligations on data controllers only. The Bill will directly require data processors to comply with the security principle as well.

According to the security principle, data processors must implement practical measures to safeguard personal data from loss, misuse, unauthorized access, or accidental disclosure. Furthermore, the Bill stipulates that data processors handling data on behalf of data controllers must:

  • Offer adequate guarantees regarding technical and organizational security measures for the processing

  • Take necessary steps to ensure adherence to these measures

Non-compliance with these requirements will result in the imposition of Proposed Penalties.


C. Mandatory Data Breach Notification

  • Data controllers must inform the Commissioner promptly if they suspect a personal data breach, following the guidelines set by the Commissioner.

  • Failure to comply could lead to fines of up to MYR 250,000 (approximately USD 54,000) and/or two years of imprisonment.

  • If a breach is likely to harm the data subject significantly, data controllers must also notify the data subject promptly according to the Commissioner's guidelines.


D. Obligation to Appoint Data Protection Officers

Each data controller and data processor must designate at least one data protection officer. These officers will be responsible for ensuring the organization's adherence to the PDPA under the supervision of the respective data controller/processor.


E. Upcoming Data Portability Rights

  • Data subjects will soon have the ability to request a data controller to transfer their personal data to another data controller of their choice, provided it is technically feasible and the data formats are compatible.

  • This request can be made by providing written notice electronically to the data controller.


F. Elevation of Biometric Data to Sensitive Personal Data

  • The proposed Bill will broaden the definition of "sensitive personal data" to include biometric data.

  • Biometric data encompasses personal data derived from technical processing associated with a person's physical, physiological, or behavioral characteristics.

  • Consequently, processing biometric data will necessitate a distinct legal basis, such as explicit consent from the data subject.


G. Revised Regulations on Cross-Border Data Transfers

  • The current Personal Data Protection Act (PDPA) grants the Minister authority to:

      a. Issue a whitelist of approved destinations outside Malaysia for personal data transfers.

      b. Determine cases where cross-border data transfers are deemed necessary in the public interest.

  • The Bill will eliminate these powers and establish a general legal basis for transferring personal data outside Malaysia.

  • Such transfers will be permissible if:

      a. The destination country enforces a law akin to the PDPA.

      b. The destination country guarantees a level of data protection at least equivalent to that of the PDPA.

  • The existing methods for authorizing cross-border data transfers, like consent from the data subject, will remain unchanged.


H. Exclusion of Deceased Individuals as Data Subjects

  • In accordance with the Bill, the term "data subject" will no longer encompass deceased individuals.

  • As the PDPA defines "personal data" with reference to the "data subject," this change means the PDPA will not apply to situations where a data controller processes personal data of a deceased individual.


__________________________________________________________


Key Takeaways


The Bill, incorporating suggestions from the 2020 public consultation, also includes further adjustments in line with global standards and norms. As discussions on the Bill continue in Parliament, the modifications to the PDPA mentioned above could undergo further refinement.


Apart from amending the main legislation, the PDPA, other steps are being taken as well. The Minister of Digital disclosed in January 2024 that seven guidelines are in progress under the PDPA to enhance the existing regulations on personal data. These include:


  • Guidelines on notifying data breaches, appointing data protection officers, data transfer across borders, and data portability – these will complement the legislative alterations mentioned earlier

  • Guidelines for data protection impact assessments, privacy integration, and managing profiling and automated decision-making – some of these were proposed in the 2020 consultation


Businesses are advised to stay updated on these developments and get ready for potential additional compliance requirements.


__________________________________________________________





Have a question? Please contact us at info@munhoelaw.com
