Key Amendments to the Personal Data Protection Act 2010

July 2024 

By Lim Tsu Qi 

The Personal Data Protection (Amendment) Bill 2024 (“PDP Amendment Bill”) was recently passed by the House of Representatives (Dewan Rakyat) on 16 July 2024, and is now pending approval by the Senate (Dewan Negara). 

The following is a summary of the key amendments to the Personal Data Protection Act 2010 (“PDPA 2010”):

(a) Data Controllers

The term “data users” is replaced with the words “data controllers”, aligning with terminology commonly used in data protection laws of other jurisdictions.

(b) Data Subjects

The definition of data subject has been amended to clarify that a data subject does not include deceased individuals. 

(c) Biometric Data

The definition of “sensitive personal data” has been expanded to include biometric data. Explicit consent from the data subject will be required for the processing of biometric data. Biometric data is defined as any personal data resulting from technical processing related to the physical, physiological or behavioural characteristics of a person. Examples include fingerprints, facial scans, and voice recognition.

(d) Compliance with the Security Principle by the Data Processor

The PDP Amendment Bill extends the Security Principle so that data processors who process personal data on behalf of a data controller must also comply with the Security Principle under Section 9 of the PDPA 2010. Failure to comply will result in the data processor being directly liable for penalties under the PDPA 2010.

(e) Increase in Penalties

The existing penalties for a breach of the personal data protection principles are a fine of up to RM300,000 or imprisonment for a term not exceeding 2 years, or both. The PDP Amendment Bill raises these penalties to a fine of up to RM1 million or imprisonment for a term not exceeding 3 years, or both.

(f) Appointment of Data Protection Officer

A new Division 1A of Part II (Accountability of Personal Data) is inserted. It introduces the requirement for the appointment of a data protection officer (“DPO”). Data controllers (formerly known as data users) and data processors are required to appoint at least one DPO, who will be accountable for the data controller's or data processor's compliance with the PDPA 2010.

Guidelines will likely be issued by the Personal Data Protection Commissioner (“PDP Commissioner”) detailing the appointment criteria and notification procedures for the data protection officer.

(g) Data Breach Notification

The PDP Amendment Bill imposes a duty on data controllers to notify (i) the PDP Commissioner of the occurrence of any data breach; and (ii) the data subject, if the breach is likely to cause significant harm to the data subject. Failure to comply with this notification requirement may result in a fine of up to RM250,000, or imprisonment for a term not exceeding 2 years, or both.

A personal data breach is defined as any breach, loss, misuse or unauthorised access of personal data. The manner of notification is not detailed in the PDP Amendment Bill and will likely be specified in guidelines issued by the PDP Commissioner.

(h) Rights to Data Portability 

The PDP Amendment Bill introduces the right of a data subject to data portability. A data subject may request, by giving notice by email, that a data controller transmit his personal data directly to another data controller of his choice. However, such a request is subject to the technical feasibility and compatibility of the data format.

(i) Removal of Whitelist Regime for Cross-Border Data Transfers

The PDP Amendment Bill removes Section 129(1) of the PDPA 2010, which provided for the whitelist regime for cross-border data transfers, even though no whitelisted countries have been gazetted to date. Data controllers must now adhere to the requirements set out in the amended Section 129(2) and Section 129(3) of the PDPA 2010 when transferring personal data outside Malaysia.

(j) Electronic Notice 

Section 136 of the PDPA 2010 is amended to include the service of notice or any documents by way of electronic means.

This material is for general information only and is not intended to provide legal advice. If you have any queries regarding the above, please feel free to contact us at insights@chooi.com.my.