Malaysia | Upcoming Amendments to the Personal Data Protection Act 2010

It has been announced by the Minister of Communications and Multimedia (“Minister”) during the Parliamentary session on 4 August 2022 that the following amendments to the Personal Data Protection Act 2010 (Act 709) (“PDPA”) are expected to be tabled in Parliament come October 2022:

1. Mandatory Appointment of Data Protection Officer
   
   The PDPA does not presently require data users to appoint any data protection officer (“DPO”). The proposed amendment, if passed by Parliament, would make it a legal requirement for DPOs to be appointed by data users. 

2. Mandatory Data Breach Notification
   
   While not legally necessary, data users have been able to make data breach notifications to the Personal Data Protection Commissioner (“Commissioner”) on a voluntary basis, based on a Data Breach Notification form publicly accessible on the official portal of the Department of Personal Data Protection. Through the proposed amendments, however, data users will be expected to comply with the new statutory obligation to report incidents of data breaches to the Commissioner within 72 hours. 

3. Compliance with Security Principle by Data Processors
   
   The PDPA at present does not impose direct obligations on a data processor, defined to mean any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes.
   
   The proposed amendments are said to aim at extending the applicability of the security principle under Section 9 of the PDPA to data processors. This likely means that data processors will, as with data users, have to take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. 

4. Right to Data Portability
   
   The proposed amendments also aim to introduce a new data portability provision into the PDPA, to support transfer of personal data between data users upon the request of a data subject, where it is technically feasible. 

5. Abolishment of White-List for Cross-Border Transfer
   
   Section 129 of the PDPA at present prohibits the transfer of personal data to places outside Malaysia unless to such places as specified by the Minister by notification published in the Gazette (“Whitelist”).
   
   The proposed amendment seeks to replace the Whitelist with a “blacklist” which will generally allow cross-border transfers of personal data except for transfers to blacklisted destinations.
   
   The efficacy of this approach in facilitating cross-border transfer while safeguarding the rights and interests of data subjects remains to be tested.
   
   Businesses will likely have to undergo adaptations in terms of their business and operational practices where the processing of personal data is concerned, should the legislature vote in favour of the proposed amendments. It is therefore crucial that businesses keep abreast with the progress of the upcoming amendments to ensure continued compliance with the PDPA.