Malaysia’s 2024 Data Protection Bill: New Rules, Penalties, and What Businesses Need to Know

Summary

The long-anticipated Personal Data Protection (Amendment) Bill 2024 (“Bill”) has been released to the public. Some of the important updates include:

  • Direct responsibilities for companies handling data
  • Mandatory reporting of data breaches
  • Requirement to appoint data protection officers
  • New rights for individuals to transfer their data
  • A broader definition of sensitive personal data
  • New rules for transferring data overseas

Details

The plan to update the Personal Data Protection Act 2010 (PDPA) dates back to 2020 when the Personal Data Protection Commissioner issued a review paper with 22 suggestions for improvement.

The Bill, which was delayed by the COVID-19 pandemic and changes in the Malaysian government, is now being debated in Parliament; the debate is expected to conclude by 18 July 2024. In addition to changes in terminology (like replacing “data users” with “data controllers”), the Bill introduces several important updates to the PDPA.

Higher Penalties

If companies break any of the seven personal data protection rules, they face much higher fines and longer prison terms. Specifically, penalties could reach up to MYR 1 million (~USD 216,000) or three years in jail.

If a violation occurs, leaders like directors, CEOs, COOs, managers, or officers could also be held responsible unless they can prove they didn’t know about the breach and took all reasonable steps to prevent it. Previously, the maximum fine was MYR 300,000 (~USD 64,000) or two years in jail.

Data Processors Now Accountable

Previously, only data controllers (the companies that collect and manage personal data) had legal responsibilities. The Bill now requires data processors (the companies that process data on behalf of others) to also take steps to protect personal data. They must ensure that their security measures are strong and comply with the law. If they fail to do so, they could face the same penalties as data controllers.

Mandatory Data Breach Notification

If a data controller suspects a data breach, they must inform the Commissioner as soon as possible. If they don’t, they could face a fine of up to MYR 250,000 (~USD 54,000) or two years in jail.

If the breach could cause significant harm to the people whose data was leaked, the data controller must also inform those people without delay.

Appointing Data Protection Officers

Both data controllers and data processors must appoint at least one data protection officer. This person will be responsible for ensuring the organization follows the PDPA.

New Rights for Data Portability

Individuals will have the right to request that their personal data be transferred from one company to another, as long as it is technically possible. They can do this by submitting a written notice electronically.

Biometric Data as Sensitive Personal Data

The Bill expands the definition of “sensitive personal data” to include biometric data, such as fingerprints or facial recognition. This means processing this kind of data will require stricter rules, like obtaining explicit consent from the individual.

New Rules for Cross-Border Data Transfers

Currently, the PDPA allows the Minister to decide where data can be transferred outside of Malaysia. The Bill removes these powers and introduces a new rule that data can only be transferred to countries with laws that offer protection similar to the PDPA or if those countries ensure an adequate level of protection.

The existing rules, like needing consent from the individual to transfer their data, remain the same.

Exclusion of Deceased Individuals from Data Protection

The Bill clarifies that the PDPA does not apply to personal data about deceased individuals. This is because the PDPA defines “personal data” in relation to living people.

Conclusion

The Bill takes some ideas from the 2020 public consultation and adds new changes that align with international standards.

Updating the PDPA is just one part of a larger plan. In January 2024, the Minister of Digital announced that seven new guidelines are being developed to support the PDPA. These include guidelines for data breaches, data protection officers, data portability, and cross-border transfers. There will also be new guidelines on data protection impact assessments, privacy by design, and automated decision-making. Businesses should stay informed and prepare for these additional compliance requirements.

Link to news post: https://theedgemalaysia.com/node/717868