
STRENGTHENING THE PROTECTION OF YOUR DATA: KEY CHANGES UNDER THE MALAYSIAN PERSONAL DATA PROTECTION (AMENDMENT) ACT 2024

Updated: Jun 2

Introduction

This article explores how the changes introduced by the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) affect businesses, enforcement mechanisms, and individuals’ rights.

Technology and the internet are now so pervasive that most people take them for granted. With a single click, huge swathes of information, including personal details, can be retrieved at one’s fingertips. While technology has undoubtedly made life easier, changing how businesses operate, market, and manage finances, it has also created real risks to the protection of privacy.

To align with global standards, the Malaysian government has strengthened the existing Personal Data Protection Act 2010 (“Act”) through the Amendment Act, which introduces more robust privacy rules, clarifies definitions (such as the scope of “personal data”), imposes stricter penalties for non-compliance, and holds organisations accountable for safeguarding the personal data they process.


General amendments

A general amendment made throughout the Act substitutes the terms "data user" and "data users" with "data controller" and "data controllers". This revision brings Malaysia’s data protection terminology in line with the European Union General Data Protection Regulation, under which the party that determines the purpose and means of processing is the "controller".


Data Processors

Prior to the Amendment Act, the Security Principle applied only to data users; data processors had no direct statutory obligation to secure the personal data they processed on a data controller’s behalf. The Amendment Act amends Section 9 of the Act (the Security Principle) so that data processors must now comply with the same security requirements as data controllers when processing personal data. These amendments spell out the obligations and liabilities of data processors, which strengthens the security of data processing on both sides: a data controller can no longer rely solely on contractual terms, and a data processor is directly answerable for its own security practices.


Biometric Data

With the increased use of biometric identification (e.g. fingerprints and facial recognition), the Amendment Act introduces a definition of biometric data, namely any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person. Biometric data is classified as sensitive personal data, which attracts the stricter processing requirements that apply to that category.


Personal Data Breaches

The definition of personal data breach has been broadened to cover not only the loss or misuse of personal data but also unauthorised access to it. The expanded definition ensures that the principal categories of breach are captured, providing a more comprehensive legal framework for handling personal data and obliging data controllers and data processors to have proper security measures in place to protect personal data.


Data Protection Officers and Notification of Data Breach

The Amendment Act introduces Division 1A, comprising Sections 12A and 12B, which establishes a formal framework for the mandatory appointment of Data Protection Officers (“DPO”) and sets out statutory data breach notification requirements.

Section 12A requires both data controllers and data processors to appoint at least one DPO, who is accountable to the data controller or data processor for its compliance with the Act. The provision also states that the appointment of a DPO does not absolve the data controller or data processor of its legal obligations, reinforcing the importance of maintaining proper data governance structures rather than delegating responsibility to a single role.

To mitigate the effect of data breaches, Section 12B now requires a data controller that has reason to believe a personal data breach has occurred to notify the Commissioner as soon as practicable. Where the personal data breach causes, or is likely to cause, significant harm to the data subject, the data controller must also notify the data subject that the breach has occurred. In practice this means a data controller needs an incident response process that can detect a breach, assess the harm to affected individuals, and issue both notifications within the required time.


Data Portability Rights

The Amendment Act also introduces a right to data portability under the new Section 43A. This provision grants data subjects the right to request that their personal data be transmitted directly from one data controller to another, subject to the technical feasibility of the transfer and the compatibility of the data formats involved. The new provision gives data subjects a practical means of choosing which data controller holds their personal data.


Increased Penalties for Non-Compliance

Section 5(2) of the Act has been amended by the Amendment Act so that a contravention of the Personal Data Protection Principles is now punishable by a fine of up to Ringgit Malaysia One Million (RM 1,000,000.00), imprisonment for a term not exceeding three years, or both. Furthermore, a data controller that fails to comply with the breach notification requirements is liable to a fine of up to Ringgit Malaysia Two Hundred and Fifty Thousand (RM 250,000.00), imprisonment for up to two years, or both. The government’s intention that data controllers and data processors take compliance seriously is clearly reflected in these increased penalties.


Cross-Border Data Transfers and the Adequacy Standard

Prior to the Amendment Act, a data controller could only transfer personal data outside Malaysia to places specified by the Minister in the Gazette, unless one of the statutory exceptions applied. With the introduction of the Amendment Act, a data controller may now transfer personal data to another jurisdiction whose law is substantially similar to the Act, or which ensures an adequate level of protection for personal data. This amendment helps data controllers that operate internationally to streamline cross-border data exchange, while ensuring that the privacy and security of Malaysian data subjects are not compromised. It reflects the increasingly global nature of data processing and the need for Malaysian law to accommodate international data practices. Data controllers relying on this route should document their assessment of the receiving jurisdiction’s law, since the adequacy of that protection is the basis on which the transfer is permitted.


Electronic Communications and Notifications

The Amendment Act modernises the communication provisions under Section 136, permitting the service of notices and documents under the Act to be carried out by electronic means. This change aligns with technological advancements and current business practices, allowing quicker and more efficient exchange of notices and documents between organisations and the regulatory authorities.


Date of Implementation

The Amendment Act was gazetted on 17 October 2024, but its provisions come into force in three phases. Provisions on Electronic Communications and Notifications take effect on 1 January 2025. Provisions relating to the General Amendments, Data Processors, Biometric Data, Personal Data Breaches, and Increased Penalties for Non-Compliance come into force on 1 April 2025. Finally, provisions concerning Data Protection Officers and Notification of Data Breaches, Data Portability Rights, and Cross-Border Data Transfers and the Adequacy Standard take effect on 1 June 2025.


Conclusion

The Amendment Act represents a significant step forward in Malaysia’s data protection landscape, providing enhanced safeguards for personal data. It is important for data subjects to understand their rights and for data controllers and data processors to meet their updated obligations. By staying informed and compliant, organisations and individuals can collectively ensure the responsible handling of personal data in the digital world.
