Conventus Law

Conventus Law

by

Malaysia – Understanding The PDPA And its Amendments.

The Personal Data Protection Act 2010 is Malaysia’s primary legislation governing the processing of personal data in commercial transactions. Its main purposes are: 

  1. To protect the personal data of individuals in commercial transactions; 
  1. To regulate the processing of personal data; and 
  1. To prevent misuse of personal information. 

The PDPA is built on several basic tenets, including: 

  • Consent: Data users must obtain consent before collecting or processing personal data. 
  • Notice and Choice: Individuals must be informed about how their data will be used. 
  • Disclosure: Personal data should only be disclosed for purposes consented to by the individual. 
  • Security: Data users must take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure. 
  • Retention: Personal data should not be kept longer than is necessary. 
  • Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up to date. 
  • Access: Data subjects have the right to access and correct their personal data. 

Data Protection Concerns 

In recent years, data protection has become a critical concern globally, including in Malaysia. The rise of digital technologies, increased data collection, and sophisticated cyber threats have led to growing risks of data breaches, identity theft, and misuse of personal information. These concerns have highlighted the need for stronger, more comprehensive data protection laws that can keep pace with technological advancements and evolving threats. 

Key Amendments 

Digital Minister, Gobind Singh Deo announced on 4 July 2024, that the approved amendments aim to strengthen policies related to security and enforcement. The proposed changes include: 

  1. Mandatory personal data breach notifications; 
  1. Additional compliance responsibilities for data processors; 
  1. Appointment of Data Protection Officers; 
  1. Introduction of data subjects’ right to data portability; and 
  1. Removal of the white-list regime for cross-border data transfers. 

These amendments result from extensive consultations, involving input from 719 stakeholders across 40 engagement sessions. 

Why Amendments are Needed 

The amendments to the PDPA are necessary for several reasons: 

  • Technological Advancements: The rapid pace of technological change has created new challenges in data protection that weren’t anticipated when the original Act was passed. 
  • Global Alignment: Many countries have updated their data protection laws (eg, GDPR in Europe). Malaysia needs to ensure its laws are compatible with international standards to facilitate cross-border data flows and international business. 
  • Increasing Cyber Threats: The rise in cybercrime and data breaches necessitates stronger protective measures and clearer procedures for handling breaches. 
  • Enhancing Individual Rights: The amendments aim to give individuals more control over their personal data, aligning with global trends in data protection. 
  • Addressing Gaps: The current law has certain gaps, such as the lack of mandatory breach notifications, which these amendments seek to address. 

Recent Statistics 

Recent statistics underscore the urgency of these changes: 

  • A 5.1% increase in complaints received from October 2023 to March 2024; 
  • 322 complaints regarding misuse and breach of personal data in this period; 
  • A significant 41% increase in personal data breaches in 2024 compared to 2023; 
  • 34,497 online fraud cases reported nationwide in 2023, resulting in RM1.218 billion in losses; and 
  • 10,348 telecommunications crime cases in 2023, involving losses of RM352.9 million. 

Potential Outcomes 

If the amendments are passed, several positive outcomes can be anticipated: 

  • Increased Data Security: Mandatory breach notifications and stricter compliance requirements should lead to improved data security practices among businesses. 
  • Enhanced Consumer Trust: With stronger protections and more control over their data, consumers may feel more confident in sharing their information with businesses. 
  • International Competitiveness: By aligning with global standards, Malaysia may become a more attractive destination for international businesses and data-driven industries. 
  • Improved Incident Response: Clear procedures for data breaches should lead to faster, more effective responses to data incidents. 
  • Greater Accountability: The appointment of Data Protection Officers and increased responsibilities for data processors will create clearer lines of accountability. 
  • Potential Challenges: While beneficial overall, these changes may initially pose compliance challenges for businesses, particularly smaller enterprises. 

Conclusion 

As Malaysia moves to align its data protection legislation with global standards, businesses should prepare for additional compliance obligations. These changes are expected to enhance security measures and address the growing challenges of data protection in the digital age, marking a crucial step in Malaysia’s efforts to strengthen its data protection framework and respond to the evolving landscape of digital threats and data privacy concerns. 

WRITTEN BY

Richard Wee Chambers
For further information, please contact:

Richard Wee – Richard Wee Chambers, Richard Wee Chambers
justright@richardweechambers.com

Richard graduated with a Bachelor of Laws (Hons) from the University of London in 1996, completed the Certificate in Legal Practice in 1998 and was admitted as an Advocate and Solicitor of the High Court of Malaya in 1999.

Believing in professional development, Richard continues to acquire new skills and knowledge. He holds a certificate in Strategic Conflict Management for Professionals, awarded by the Singapore Mediation Centre (2011), a certificate of attendance for the Asian Domain Name Dispute Resolution Centre workshop (2014) awarded by the Kuala Lumpur Regional Centre for Arbitration (KLRCA) (now known as the Asian International Arbitration Centre (AIAC)) and a certificate from the Southeast Asia Regional Anti-Doping Organization (SEARADO) (2018) for Result Management for Anti-Doping.

In 2016, Richard obtained the Certificate of Sports Arbitration from AIAC, a qualification which is a preparatory step towards appointment as a Sports Arbitrator.

In 2019, Taylor’s University appointed Richard as a member of the Legal Profession Advisory Panel, which he continues to serve to date.

In 2019, the Society of Inns of Courts of Malaysia admitted Richard as a member.

In 2019, FIFA and Football Association of Malaysia appointed Richard to the Appeals Committee of the National Disputes Resolution Chambers (NDRC). Richard continues to be a member of NDRC in 2021 and 2022.

In 2020, the Ministry of Youth and Sports appointed Richard to the advisory Panel of Experts.

In 2020, the National Sports Institute appointed Richard as a committee member of the Sports Technology Research and Development Funding Committee.

In 2020, the Malaysia Digital Economy Corporation (MDEC) appointed Richard Wee Chambers as the regulatory partner of the Fintech Booster Programme, a capacity-building platform for fintech start-ups and companies.

In 2021, the Ministry of Science, Technology and Innovation (MOSTI) appointed Richard as a member of the Panel of Experts of the Research and Development Fund for Technology.

In 2021, Richard was admitted to the Association of Anti-Bribery Management System Practitioners of Malaysia.

In 2021, the Union Cycliste Internaationale (UCI) appointed Richard as a member of the Disciplinary Commission and the UCI Arbitral Board, respectively.

Register for your monthly Asia legal updates from Conventus Law

Error: Contact form not found.

RELATED ARTICLES