
An Overview of the Personal Data Protection (Amendment) Bill 2024

10 Aug 2024

The Personal Data Protection (Amendment) Bill 2024 ("Amendment Bill") was recently passed in the Dewan Rakyat (House of Representatives).[1] We highlight the key changes made by the Amendment Bill to the Personal Data Protection Act 2010 ("PDPA"). As of the date of this article, the Amendment Bill is pending approval from the Dewan Negara (Senate) and Royal Assent.


  1. “Data Controller” to Replace “Data User”[2]

    The term "data user" in the PDPA will be replaced with "data controller". The change is more cosmetic than substantive, since the definition of "data controller" remains the same as that of "data user"; the Bill seeks to align the terminology with that commonly used in personal data protection frameworks in other jurisdictions, such as the European Union.


  2. Recognition of Biometric Data as Sensitive Personal Data[3]

    Biometric data is expressly defined as personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person and is regarded as sensitive personal data.


  3. Data Subject Excludes Deceased Individuals[4]

    The definition of "data subject" has been amended to expressly exclude deceased individuals. The implication is that obligations under the Act will cease with respect to deceased data subjects, thereby allowing data controllers discretion in dealing with such personal data.


  4. Data Processor Must Now Comply with Security Principle[5]

    Data processors are those (excluding an employee of the data controller) who process personal data solely on behalf of the data controller, and do not process the personal data for any of their own purposes[6].


    Under the present PDPA regime, only data controllers are legally obligated to comply with the Security Principle outlined in Section 9 of the PDPA[7]. However, the Amendment Bill extends these legal obligations to data processors and prescribes penalties for breach of such obligations.


  5. Increased Penalties[8]

    The current penalty under the PDPA for breach of the Security Principle is a fine of up to RM300,000, imprisonment of up to two (2) years, or both. The Amendment Bill enhances the penalties to a fine of up to RM1,000,000, imprisonment of up to three (3) years, or both.


  6. Mandatory Data Breach Notification[9]

    This is a key change brought about by the Amendment Bill. A "personal data breach" is defined under the Amendment Bill as any breach of personal data, loss of personal data, misuse of personal data or unauthorised access to personal data[10]. Along with this newly inserted definition, data controllers will be legally required to notify the Commissioner "as soon as practicable" if they have reason to believe that a personal data breach has occurred. Failure to do so will be an offence punishable with a fine of up to RM250,000, imprisonment of up to two (2) years, or both. Additionally, if the personal data breach causes or is likely to cause significant harm to the data subject, data controllers will also need to notify the data subject "without unnecessary delay".


  7. Mandatory Appointment of Data Protection Officer(s)[11]

    Data controllers and data processors will be required to appoint one or more data protection officers, who will be accountable for ensuring compliance with the PDPA on behalf of their respective companies/organisations. Additionally, the data controller shall notify the Commissioner of the appointment of such data protection officer(s) in the manner and form determined by the Commissioner.


  8. Data Portability Rights[12]

    Data subjects will also be granted a new right to request that a data controller transmit their personal data directly to another data controller of their choice, by giving written notice to the data controller by electronic means. However, this request is subject to technical feasibility and compatibility of the data format.


  9. Transfer of Personal Data to Other Countries[13]

    Currently, Section 129 of the PDPA prohibits the transfer of any personal data of a data subject outside Malaysia except to such places as are specified by the Minister in a notification published in the Gazette. However, to date, no such "white list" has been issued by the Minister.


    The Amendment Bill does away with this provision by allowing a data controller to transfer personal data to any place outside Malaysia, provided that the destination has laws substantially similar to the PDPA or ensures an adequate level of protection for the processing of personal data equivalent to the PDPA.


Comments:

Regulations and/or guidelines are anticipated to be issued on the implementation of some of these key changes, particularly on the mandatory data breach notification. For instance, there should be greater certainty on the time frame for reporting a data breach, and on any exemptions from such obligations, since non-compliance attracts criminal penalties. A parallel may be drawn with the UK Data Protection Act 2018 ("DPA"), which stipulates that a data controller should notify the Commissioner not later than 72 hours after having become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons.[14] The DPA also specifies what the notification must include,[15] and when a controller is not required to communicate a personal data breach to the data subject.[16] A further update will follow once the Bill is enacted.


You may direct your queries to the sender or our general email address at info@zicoip.com.


By Siew Ling Su, Partner, and Tan Ka Loong Keanu, Pupil-in-Chambers.


1 The Amendment Bill was officially tabled in the Dewan Rakyat on 10 July 2024 for its first reading and was subsequently passed on its second reading on 16 July 2024.

2 Clause 2 of Amendment Bill

3 Clause 3 of Amendment Bill

4 Clause 3 of Amendment Bill

5 Clause 4 of Amendment Bill

6 Section 4 of PDPA

7 Section 5 of PDPA

8 Clause 4 of Amendment Bill

9 Clause 6 of Amendment Bill

10 Clause 3 of Amendment Bill

11 Clause 6 of Amendment Bill

12 Clause 9 of Amendment Bill

13 Clause 12 of Amendment Bill

14 See Section 67(1) & (2) of DPA

15 For notification of a personal data breach to the Commissioner, see Section 67(4) & (5) of DPA; for communication of a personal data breach to the data subject, see Section 68(2) of DPA

16 See Section 68 of DPA
