Important Changes to Malaysia’s Data Protection Laws
In July 2024, Malaysia’s legislative body approved significant changes to the country’s Personal Data Protection Act. The changes have the effect of aligning Malaysia’s personal data protection laws more closely with international data protection laws. The effective date and other implementation guidelines are expected to follow closely.
Important amendments to Malaysia’s data protection law are imminent. The effective date of the amendments is yet to be announced, but the key changes to the Malaysia Personal Data Protection Act (PDPA) are as follows:
- Replacement of the term “data user” with “data controller”: The amended PDPA replaces the term “data users” with “data controllers”. A data controller refers to a person who has control over or authorizes the processing of any personal data. This is purely a change in terminology and does not have any substantive impact.
- Mandatory data breach notification: Data controllers must notify the Data Protection Commissioner (Commissioner) of any personal data breaches as soon as practicable. Data subjects must also be notified without unnecessary delay if the data breach causes or is likely to cause significant harm to the data subject. The amended PDPA is silent on the specifics of the requirements, such as the notification threshold, timeline, or format; the government may release further guidance.
- Mandatory obligation to appoint a Data Protection Officer (DPO): Data controllers and processors must appoint at least one DPO, and data controllers must notify the Commissioner of the appointment. The amended PDPA is silent on the specifics of the requirements, such as the qualifications or expertise of the DPO and whether the DPO must be based within Malaysia, but the government may release further guidance.
- Changes to the rules on cross-border data transfers: The amended PDPA removes the “white-list” regime found in the previous legislation (the “white-list” set out the jurisdictions to which data controllers could transfer personal data without any further steps or requirements); in practice, no country was ever added to the list. The amended PDPA allows data controllers to transfer any personal data to any jurisdiction outside of Malaysia which has similar data protection laws or ensures a level of protection equivalent to the PDPA.
- Increased regulation of data processors: Presently, data processors are not directly subject to data protection obligations. The PDPA now imposes a direct obligation on data processors to comply with the data protection obligations stated in the PDPA, for example, to protect data from loss and misuse.
- Right to data portability: The amended PDPA confers on data subjects the additional right to data portability, subject to technical feasibility and compatibility of the data format. Data subjects can now ask for their personal data to be transferred to another data controller of their choice by giving written notice by electronic means.
- Expanded definition of sensitive personal data: The definition of “sensitive personal data” is expanded to include biometric data. Biometric data refers to personal data resulting from the technical processing of a person’s physical, physiological, or behavioral characteristics. Explicit consent is required to process sensitive personal data.
- Increased and new penalties for PDPA breaches and non-compliance: The penalties for non-compliance with data protection principles under the PDPA have been increased from a fine of up to MYR300,000 (approximately USD72,000) and/or imprisonment up to two years to a fine of up to MYR1,000,000 (approximately USD215,000) and/or imprisonment up to three years.
In addition, the Malaysia Digital Minister announced in January 2024 that the Commissioner will develop seven guidelines to supplement the PDPA, covering data breach notification, data protection officer appointment, data portability, cross-border data transfer, data protection impact assessment, protection of privacy through technological design, and profiling and automated decision-making.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.