MALAYSIA Trends and Developments Contributed by: Janet Toh, Boo Cheng Xuan and Yee Yong Xuan, Shearn Delamore & Co.
Amendments to the Personal Data Protection Act 2010 The Personal Data Protection (Amendment) Act 2024 (the “PDP Amendment Act”), which amends the Personal Data Protection Act 2010 (PDPA), is being implemented in three stages: • 1 January 2025: Sections 7, 11, 13 and 14 of the PDP Amendment Act will take effect; • 1 April 2025: Sections 2, 3, 4, 5, 8, 10 and 12 of the PDP Amendment Act will take effect; and • 1 June 2025: Sections 6 and 9 of the PDP Amendment Act will take effect. Selected legislative amendments brought about by the PDP Amendment Act are summarised as follows. • The term “data user” will be replaced with “data controller”, aligning with global data protection terminology. However, the existing definition for “data user” remains unchanged. • The penalties for non-compliance with any of the Personal Data Protection Principles will be significantly increased, with fines raised from MYR300,000 to MYR1,000,000 and/ or imprisonment extended from a maximum term of two years to a maximum term of three years. • Previously applicable only to data controllers, the Security Principle will directly bind data processors. • Data controllers must notify the Personal Data Protection Commissioner (“Commissioner”) of any personal data breaches as soon as prac - ticable. Failure to do so could result in a fine of up to MYR250,000 and/or imprisonment for up to two years. The relevant data subject must also be notified where the personal data breach causes or is likely to cause any signifi - cant harm to the data subject.
• Both data controllers and data processors must appoint data protection officer(s), who shall be accountable to the data controller or data processor. • Rights to data portability will be introduced in favour of the data subjects, subject to techni - cal feasibility and compatibility of the data format. • In terms of cross-border transfer of personal data, the pre-existing “whitelist” approach will be abolished. Data controllers will be able to transfer personal data out of Malaysia so long as the prescribed conditions are met. The Department of Personal Data Protection has since circulated a series of public consulta - tion papers which generally relate to the issues sought to be addressed by the PDP Amendment Act: • Public Consultation Paper No 01/2024: The Implementation of Data Breach Notification; • Public Consultation Paper No 02/2024: The Appointment of Data Protection Officer; • Public Consultation Paper No 03/2024: The Right to Data Portability; • Public Consultation Paper No 04/2024: Per - sonal Data Protection Standards; and • Public Consultation Paper No 05/2024: Cross Border Personal Data Transfer Guidelines. On 18 November 2024, the Commissioner and Futurise Sdn Bhd issued a joint press release providing updates on Malaysia’s Personal Data Protection and Privacy Regulatory Sandbox. As part of the Sandbox’s deliverables, four guidelines and one standard will be released by early 2025, while further further guidelines will be released in the third quarter of 2025. These guidelines are set to provide clear, actionable frameworks for the private sectors to ensure
246 CHAMBERS.COM
Powered by FlippingBook