Malaysia’s Personal Data Protection Act (PDPA) was enacted in 2010 and came into force in November 2013, making Malaysia the first country in the Association of Southeast Asian Nations (ASEAN) to enact comprehensive privacy legislation.
On July 31, 2024, the Personal Data Protection (Amendment) Bill 2024 (PDP Bill) was passed by the Dewan Negara (Malaysia’s Senate). It is expected to receive royal assent and thereafter come into force on a date to be appointed by the Minister of Digital by notification in the Gazette.
The PDP Bill introduces significant amendments to the PDPA, including specific definitions, new obligations on data controllers and stricter penalties for non-compliance. These amendments align the PDPA with internationally recognised standards, positioning Malaysia alongside its regional peers in Asia-Pacific, including Singapore, Indonesia, the Philippines, Thailand and Vietnam.
According to Malaysia’s Digital Minister, Gobind Singh Deo, these changes are driven by rapid technological advancements that necessitate society’s reliance on digital platforms for business, coupled with an expectation of protection. His comments come in response to a recent rise in complaints regarding the misuse and breach of personal data, an increase in personal data breaches, and a growing number of online fraud cases.
We outline below key changes brought about by the PDP Bill and its impact on businesses:
2. Direct Responsibilities on Data Processors
Data processors are presently not legally required to comply with the security principle under the PDPA. Instead, the PDPA mandates that data users ensure that data processors:
The PDP Bill seeks to introduce a direct legal obligation for data processors to comply with the PDPA, specifically requiring them to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction of personal data.
Additionally, the PDP Bill introduces direct penalties for data processors who fail to comply with the security principle. Data processors found in breach of the security principle will be guilty of an offence and, upon conviction, may face a fine of up to RM1,000,000 and/or imprisonment for up to 3 years.
7. Removal of the White-list Regime for Cross-border Data Transfers
The PDP Bill proposes to remove the current white-list regime found in section 129 of the PDPA, which has not been utilised since the inception of the PDPA. Under the white-list regime, a data user shall not transfer any personal data of a data subject to a place outside Malaysia, unless it is to a place specified by the Minister (currently the Digital Minister) based on the Commissioner’s recommendation and published in the Gazette. However, the PDP Bill seeks to allow a data controller to transfer the personal data of a data subject to any place outside Malaysia if that place:
The amendments to the PDPA represent a significant advancement in strengthening data protection in Malaysia and reflect the maturing of privacy frameworks globally towards stricter data protection regulations. This provides an opportunity for businesses to enhance their data protection practices and align with global standards. However, the Digital Minister has also announced that several guidelines are being developed to complement the changes introduced by the PDP Bill, including:
Therefore, businesses should monitor the developments in this space closely and be ready to update their privacy policies to address any new compliance requirements.