Malaysia | Upcoming Amendments to the Personal Data Protection Act 2010

It has been announced by the Minister of Communications and Multimedia (“Minister”) during the Parliamentary session on 4 August 2022 that the following amendments to the Personal Data Protection Act 2010 (Act 709) (“PDPA”) are expected to be tabled in Parliament come October 2022:

  1. Mandatory Appointment of Data Protection Officer

    The PDPA does not presently require data users to appoint any data protection officer (“DPO”). The proposed amendment, if passed by Parliament, would make it a legal requirement for DPOs to be appointed by data users. 

 

  1. Mandatory Data Breach Notification

    While not legally necessary, data users have been able to make data breach notifications to the Personal Data Protection Commissioner (“Commissioner”) on a voluntary basis, based on a Data Breach Notification form publicly accessible on the official portal of the Department of Personal Data Protection. Through the proposed amendments, however, data users will be expected to comply with the new statutory obligation to report incidents of data breaches to the Commissioner within 72 hours. 

 

  1. Compliance with Security Principle by Data Processors

    The PDPA at present does not impose direct obligations on a data processor, defined to mean any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes.

    The proposed amendments are said to aim at extending the applicability of the security principle under Section 9 of the PDPA to data processors. This likely means that data processors will, as with data users, have to take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. 

 

  1. Right to Data Portability

    The proposed amendments also aim to introduce a new data portability provision into the PDPA, to support transfer of personal data between data users upon the request of a data subject, where it is technically feasible. 

 

  1. Abolishment of White-List for Cross-Border Transfer

    Section 129 of the PDPA at present prohibits the transfer of personal data to places outside Malaysia unless to such places as specified by the Minister by notification published in the Gazette (“Whitelist”).

    The proposed amendment seeks to replace the Whitelist with a “blacklist” which will generally allow cross-border transfers of personal data except for transfers to blacklisted destinations.

    The efficacy of this approach in facilitating cross-border transfer while safeguarding the rights and interests of data subjects remains to be tested.


    Businesses will likely have to undergo adaptations in terms of their business and operational practices where the processing of personal data is concerned, should the legislature vote in favour of the proposed amendments. It is therefore crucial that businesses keep abreast with the progress of the upcoming amendments to ensure continued compliance with the PDPA.

Get in touch

Christina S. C. Kow

Partner / Head, Financial Services / Head, Islamic Finance / Personal Data Protection & Privacy Law / Technology, Media & Telco
Read more

Karen Abraham

Partner / Head, Intellectual Property / Head, Japan Desk / Technology, Media & Telco / Personal Data Protection & Privacy Laws / India Desk
Read more

K. Shanti Mogan

Partner / Head, Arbitration & Mediation / Head, Competition Law & Antitrust / Dispute Resolution / Personal Data Protection & Privacy Laws / Regulatory Compliance & Enforcement / Technology, Media & Telco /
Read more

Timothy Siaw

Partner / Head, Technology, Media & Telco / Intellectual Property / Healthcare and Life Sciences
Read more

Irene Yong

Partner / Head, Tax Advisory / Japan Desk / Personal Data Protection & Privacy Laws / Technology, Media & Telco
Read more

Janet Toh Yoong San

Partner / Head, Personal Data Protection & Privacy Laws / Intellectual Property / Technology, Media & Telco
Read more

Lilien Wong

Partner, Dispute Resolution / Competition Law & Antitrust / Arbitration & Mediation / Personal Data Protection & Privacy Laws / Regulatory Compliance & Enforcement
Read more

Lai Zhen Pik

Partner / Corporate/ M&A / Technology, Media & Telco (TMT) / China Desk
Read more