
Amendments to Malaysia’s Personal Data Protection Act 2010 (PDPA)

Navigating the Data Privacy and Protection Landscape

The amendments to Malaysia's PDPA are set to align Malaysia's framework with international data privacy and protection standards. In this publication, we explore how these changes affect organisations, contributing to the dynamic landscape in Southeast Asia (SEA).

The State of Privacy in SEA

The tide is turning for privacy in SEA, with over half of the countries in the region now having standalone data privacy and protection related regulations. This marks a significant shift in the data privacy and protection landscape, and as digital economies continue to expand, the demand for such robust regulations is expected to intensify, potentially prompting the remaining nations to adopt similar regimes. These developments underscore a deepening regional commitment to data privacy and protection, although the implementation and enforcement of these laws may vary.

Strengthening data protection in Malaysia

Malaysia, the first country in SEA to regulate the processing of personal data in commercial transactions, is now revising its primary data privacy and protection legislation – the Personal Data Protection Act 2010. More than a decade after the Act's inception, robust data privacy and protection safeguards have never been more crucial in Malaysia. The increasing reliance on digital platforms and innovative technologies amplifies expectations for a series of safeguards against the rising tide of personal data misuse. A concerted effort to embrace data privacy and protection is essential to protect against emerging threats and restore trust in the digital economy, ensuring individuals have control over their personal data in an interconnected world.

Overview of key amendments

The Ministry of Digital, through the Personal Data Protection Commissioner (Pesuruhjaya Perlindungan Data Peribadi (PPDP)), has made amendments to the Personal Data Protection Act 2010, and passed the Personal Data Protection (Amendment) Act 2024. These amendments are intended to ensure that Malaysia’s data privacy and protection regime remains up to date with technological advancements and aligns with international standards.

The amendments were passed by the Dewan Rakyat on 16 July 2024, and subsequently approved by the Senate on 31 July 2024. Following Royal Assent on 9 October 2024, the amendments were officially gazetted by the Attorney-General’s Chambers on 17 October 2024.

These amendments are significant, introducing greater accountability for organisations handling personal data. In summary, the amendments can be outlined as follows:

Novel amendments

  • Mandatory appointment of a Data Protection Officer (DPO)
  • Mandatory data breach notification to the Commissioner and data subjects
  • Rights to data portability

Amendments built upon pre-existing provisions

  • Data transfer to countries with an equivalent level of protection
  • Direct responsibilities on data processors
  • Increase of penalties for breach of personal data protection principles

Amendments related to administration & enforcement

  • Change of terminology from “data user” to “data controller” and from “data user register, data user forum register” to “data controller register, data controller forum register”.
  • Inclusion of biometric data as sensitive data, which requires a stricter legal basis for processing (i.e., explicit consent).
  • Exclusion of deceased individuals from the definition of data subject.
  • Introduction of “personal data breach” definition, which is defined as any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data.
  • Expansion of the “requestor” definition to include data subjects who submit data access requests, data correction requests, and data portability requests.
  • The Commissioner can designate a body or a data controller as "data controller forums" for specific classes of data controllers.

Important developments on the horizon

Organisations are advised to closely monitor developments in this area and prepare for the additional compliance obligations that may arise. The Personal Data Protection (Amendment) Act 2024 will be further supplemented by forthcoming guidelines, circulars and standards.

These guidelines will specifically address key areas such as data breach notification, the role of data protection officers, data portability, cross-border data transfers, data protection impact assessments, privacy by design, as well as profiling and automated decision-making.

Are you prepared?

The Personal Data Protection (Amendment) Act 2024 will have a significant impact on organisations across four key dimensions: People, Process, Policy, and Technology. These changes necessitate a re-evaluation and adaptation of current practices.

At Deloitte, our Digital Privacy and Trust team provides a suite of services that can help your organisation evolve your program to protect the data and business models that truly matter, while keeping up with the latest regulatory changes. We also offer tailored solutions based on your organisation’s characteristics and needs.

We hope this brochure will guide organisations in navigating the data privacy and protection landscape and requirements in Malaysia.

Contact Us

Ho Siew Kei
Malaysia Cyber Risk Leader
sieho@deloitte.com

Venkat Paruchuri
SEA Data Privacy and Protection Risk Leader
veparuchuri@deloitte.com

Melvin Toh
Senior Manager, Technology & Transformation
Deloitte Southeast Asia
mtoh@deloitte.com

Melbourne Lim
Manager, Technology & Transformation
Deloitte Southeast Asia
melblim@deloitte.com

 
