Introduction
In 2018, the Malaysian Government, through the then Communications and Multimedia Minister, announced its intention to carry out a comprehensive review and update the Personal Data Protection Act 2010 ("PDPA"), with a view to aligning the PDPA with international standards and in particular the European Union's General Data Protection Regulation ("GDPR").[1]
Following the announcement, the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi) ("JPDP") carried out a review of the PDPA in 2019, which resulted in the issuance of a public consultation paper in February 2020 titled "Public Consultation Paper No. 01/2020 on Review of the PDPA" ("Public Consultation Paper"). In the Public Consultation Paper, the Personal Data Protection Commissioner ("Commissioner") identified 22 general areas within the PDPA which may be subject to amendment, together with brief points explaining the proposed amendments for the purpose of soliciting public feedback.
In February 2021, pursuant to the Malaysian Digital Economy Blueprint, the Malaysian Government acknowledged the importance of facilitating seamless and secure data flows for the development of Malaysia's digital economy, and announced its aim to review and amend the PDPA by 2025. This was again reiterated in the Twelfth Malaysia Plan (2021-2025) tabled by the Prime Minister in September 2021.
As of the date of this Update, no draft amendment bill has been tabled in the Malaysian Parliament.
However, at a recent conference organised and conducted by JPDP, JPDP gave further indications of the amendments likely to be included in the bill.
This article seeks to provide a quick update on the status of the proposed amendment bill, as well as further details regarding the proposed changes that will be included in the amendment bill as recently indicated by JPDP.
Public Consultation Paper and Status of Proposed Amendment Bill
Pursuant to the Public Consultation Paper issued in February 2020, the Commissioner had indicated several areas to be considered for the purpose of amendments to the PDPA, including proposals to: (i) impose direct obligations on data processors; (ii) introduce a right to data portability; (iii) impose criteria and requirements to appoint data protection officers within organisations; (iv) introduce a mandatory data breach notification requirement; (v) establish a do-not-call registry; and (vi) introduce civil remedies for aggrieved data subjects.
As of the date of this Update, apart from the Public Consultation Paper, no exposure draft of the amendment bill has been made public. Notwithstanding this, JPDP has indicated that an amendment bill has been prepared by the Attorney General's Chambers and it is the intention of JPDP that the amendment bill will be tabled before the Malaysian Parliament sometime later this year. Whether this will happen remains to be seen bearing in mind the legislative backlog of Parliament.
Latest Updates on the Proposed Amendments
The following is a list of some of the key amendments sought to be made to the PDPA, together with the more recent information provided by JPDP, which taken together give an indication of the scope of changes being contemplated by the Commissioner:
(1) Appointment of Data Protection Officer
Currently, it is not a mandatory requirement under the PDPA for data users to appoint data protection officers ("DPO"). Pursuant to the Public Consultation Paper, the Commissioner has proposed to make it mandatory for data users to appoint DPOs, as well as to issue guidelines on the relevant criteria for the appointment of DPOs (e.g. the categories of data users which are required to appoint DPOs).
Recently, JPDP has further indicated that the amendment bill will likely include an obligation on data users to appoint at least one DPO for their organisation.
(2) Mandatory Data Breach Notification
There is currently no mandatory requirement under the PDPA for data users to notify the Commissioner of any data breach incident involving personal data. Data breach notifications to the Commissioner are currently made by the data users on a voluntary basis, if at all.
JPDP has recently confirmed that a mandatory data breach notification regime will be introduced in the amendment bill, and that data users will be required to report data breach incidents to the Commissioner within 72 hours from the detection of the data breach incident, based on the template data breach notification form provided by the Commissioner. JPDP however did not provide further details as to the conditions and criteria for such notification to be made (e.g. number of affected data subjects, whether only confirmed data breach incidents meeting a certain threshold must be notified to the Commissioner, etc).
(3) Direct Obligation on Data Processors to Comply with the Security Principle
Under the current PDPA, data processors do not have any direct obligation to comply with the requirements of the PDPA. Non-compliance with any of the PDPA provisions by the data processors would be the responsibility of the data users.
Pursuant to the Public Consultation Paper, and in view of the increasing frequency of data breach incidents involving data processors, the Commissioner has proposed to introduce provisions in the PDPA to directly regulate data processors as well.
In particular, JPDP has recently confirmed that the proposed amendment bill will impose a direct obligation on data processors to comply specifically with the Security Principle provided under section 9 of the PDPA.
(4) Right to Data Portability
Data portability is the right of data subjects to obtain a copy of their personal data from a data user in a structured, machine-readable format, and to have that data transferred to another data user, so that individuals can reuse their personal data across different service providers (for example, when switching providers for a service).
In this regard, JPDP has recently confirmed that a new provision will be introduced in the amendment bill to grant data subjects the right to data portability under the PDPA.
(5) Removal of White-List Regime for Cross-Border Transfer of Personal Data
In respect of cross-border transfers of personal data, section 129(1) of the PDPA currently prohibits the transfer of any personal data to a place outside Malaysia unless that place has been specified (i.e. "whitelisted") by the Communications and Multimedia Minister ("Minister") by notification in the Federal Gazette. No such whitelist has been gazetted to date, so in practice data users transferring personal data overseas have had to rely on the exceptions in section 129(3) of the PDPA (for example, where the data subject has consented to the transfer or the transfer is necessary for the performance of a contract).
Pursuant to the Public Consultation Paper, the Commissioner has proposed to revise the provision in the PDPA relating to transfer of personal data outside of Malaysia, in order to provide further clarity on the conditions for cross-border data transfers.
In this regard, JPDP has recently indicated that the "white-list" regime under section 129 of the PDPA will be replaced with a "black-list" regime. Under the black-listing regime, data users will generally be allowed to transfer personal data overseas, save and except for jurisdictions which have been black-listed by the Minister.
(6) Extension of the Application of PDPA to both Federal Government and State Governments
Both the Federal Government and the State Governments are currently excluded from the application of the PDPA pursuant to section 3(1) of the PDPA.
In view of increasing reports of data breach incidents involving the Government, JPDP has indicated that the amendment bill will extend the application of the PDPA to require both the Federal Government and the State Governments to comply with the requirements under the PDPA, when carrying out personal data processing activities. JPDP has further stated that should this proposal be implemented, there will be a need for JPDP to be an independent commission in order to be able to effectively carry out its regulatory powers under the PDPA.
The proposed changes highlighted above should be welcomed, as they would bring the PDPA more into line with international standards such as the GDPR. Organisations should take note of these proposed changes and, in the event that the amendment bill is passed by the Malaysian Parliament during the course of this year, will need to review and update their data protection policies and practices (including breach response procedures, processor contracts and cross-border transfer arrangements) to ensure continued compliance with the PDPA.
We trust the above provides you with a quick update on the proposed amendments to the PDPA. Should you require any assistance or clarification regarding the Public Consultation Paper and the updates provided by JPDP as mentioned above, or about any other matter pertaining to personal data protection, please feel free to get in touch with us at your convenience.
