Malaysia – Dewan Rakyat Passes Proposed Amendments To PDPA.
As previously discussed in our June 2020 Newsletter and August 2022 Legal Updates, amendments to the Personal Data Protection Act 2010 (Act 709) (“PDPA”) have been in the pipeline. After much anticipation, the Personal Data Protection (Amendment) Bill 2024 (the “Proposed Amendments”) was tabled at the Dewan Rakyat (i.e. the House of Representatives) for its first reading on 10 July 2024 and eventually passed on 16 July 2024. The Proposed Amendments will still have to be tabled at the Dewan Negara (i.e. Senate) and if passed, be subject to royal assent, before the Proposed Amendments become law.
Before delving into the Proposed Amendments, it is to be noted at the outset that the term “data user” will as a result of the Proposed Amendments be substituted with the term “data controller”, which is to be defined in the same manner as the term “data user”. This proposed amendment appears to be merely cosmetic rather than semantic, given the preservation of the statutory definition1 . The discussions below on the key aspects of the Proposed Amendments will therefore adopt the now-preferred term “data controller”.
1. Increased penalties
Under the Proposed Amendments, the penalties for non-compliance with any of the Personal Data Protection Principles will be increased, with fine of up to RM1,000,000 and/or imprisonment for a term not exceeding three years. For context, the PDPA currently provides only for fine of up to RM300,000 and/or imprisonment for a term not exceeding two years.
2. Introduction of compliance responsibilities by data processors
The Proposed Amendments will extend the application of the Security Principle to data processors2 . Noncompliance by a data processor with the Security Principle can be punishable by a fine of up to RM1,000,000 and/or imprisonment for a term not exceeding three years. Currently, proceedings for breach of the PDPA may only be taken against data controllers.
Data processors are generally not in direct contact with the data subjects (i.e. the individuals who are the subject of the personal data), as data processors only perform the processing of personal data on the basis of the instructions given by the data controllers. Through this proposed amendment, notwithstanding the lack of direct contact as mentioned, data processors shall be responsible for the security of the data subjects’ personal data, by taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
3. Mandatory notification of personal data breaches
The Proposed Amendments require data controllers to notify any personal data breach that has occurred to the Personal Data Protection Commissioner (“Commissioner”) as soon as practicable3 . This notification must be implemented in the manner and form to be determined by the Commissioner. Non-compliance with the obligation to notify personal data breaches to the Commissioner is punishable by a fine of up to RM250,000 and/or imprisonment for up to two years.
Further, where the personal data breach causes or is likely to cause any significant harm to a data subject, the data controller shall notify the personal data breach to the data subject without unnecessary delay, in the manner and form as determined by the Commissioner.
This proposed amendment is necessary to ensure that data breach incidents involving personal data are not spared from the monitoring and enforcement activities by the Commissioner. In addition, this obligation is also intended as an immediate mitigation measure by the Commissioner to prevent more serious data breaches and so that data breach control actions can be taken immediately.
For further information, please contact:
Janet Toh Yoong San, Shearn Delamore & Co.
janet.toh@shearndelamore.com
