Following the passing of the Personal Data Protection (Amendment) Bill 2024 (“Bill”) by the Malaysian Parliament in July 2024, three public consultation papers have been issued in relation to the implementation of the following impending new legal obligations:

  • Notifying the Personal Data Protection Commissioner (“Commissioner”) and affected data subjects of a personal data breach.
  • Appointing data protection officer(s).
  • Effecting the data subject’s right to data portability.

The deadline to provide feedback is 6 September 2024 (Friday).

Contents:

  1. In more detail
    1.1. Data breach notification
    1.2. Data protection officer
    1.3. Data portability
In more detail

We have earlier highlighted in our client alert some of the key changes brought by the Bill to the Personal Data Protection Act 2010 (PDPA), and noted that certain guidelines are being developed to complement those changes.

The recently published public consultation papers shed light on what may be required for compliance with some of the new legal requirements, while giving the public the opportunity to contribute to and shape the final draft of these subsidiary instruments under the PDPA.

Data breach notification

To recap, the Bill will require data controllers to:

  • Notify the Commissioner “as soon as practicable”, if they have reason to believe that a personal data breach (i.e., any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data) has occurred.
  • Additionally, notify the data subject “without unnecessary delay”, if the personal data breach causes or is likely to cause significant harm to the data subject.

We have summarised below the key data breach notification proposals provided for under the Public Consultation Paper No. 01/2024: The Implementation of Data Breach Notification:

“Significant harm” is proposed to mean any of the following:

  • The access, disclosure or loss of personal data from the personal data breach is likely to result in bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the data subjects’ credit record, or damage to or loss of property.
  • The access, disclosure or loss of personal data results or is likely to result in serious harm to affected data subjects to whom the information relates, or has been, is being or will likely be misused for illegal purposes.
  • The personal data compromised by the personal data breach includes sensitive personal data or any other information that may be used to enable identity fraud such as usernames, passwords or identification numbers.

This paper also proposes some other aspects, such as certain exemptions from notifying affected data subjects, a requirement on data controllers to contractually bind data processors to notify them of personal data breaches, and specific record-keeping obligations.

Feedback to this paper may be provided via this link.

Data protection officer

To recap, the Bill will require each data controller and data processor to appoint at least one data protection officer (DPO), who will be accountable to the respective organisation for its compliance with the PDPA.

Under the Public Consultation Paper No. 02/2024: The Appointment of Data Protection Officer, some of the key proposals are as follows:

  • Who needs to appoint a DPO: Only those carrying out data processing activities on a “large scale”, determined by considering the prescribed factors (no specific quantitative threshold is being proposed).
  • From whom a DPO may be appointed: From an external provider or internally from among the employees.
  • How to qualify as a DPO: Meet a minimum set of prescribed qualities and complete or obtain such training or certification as the Commissioner may later require.
  • Where the DPO should be: Ordinarily resident in Malaysia, but a single DPO may serve multiple entities within the same group of companies.
  • What the specific responsibilities of the DPO are: Carry out data protection impact assessments, ensure internal training is provided, act as a liaison point with data subjects and the Commissioner, etc.
  • To whom the DPO reports: Direct reporting line to the senior management team or equivalent.

Feedback to this paper may be provided via this link.

Data portability

To recap, the Bill will provide data subjects with a right to request that a data controller transmit their personal data to another data controller of their choice, subject to technical feasibility and compatibility of the data format.

Under the Public Consultation Paper No. 03/2024: The Right to Data Portability, some of the key proposals are as follows:

  • Readiness: No requirement to adopt new systems or processes to achieve technical feasibility for data portability, unless specified by the Commissioner or the relevant data controller forum.
  • Types of personal data in scope: Personal data that meet all of the following requirements: (a) directly provided by the data subject; (b) processed based on consent or a contract with the data subject; (c) processed by automated means; and (d) not inferred or derived data. Whitelists of personal data subject to data portability will be issued, and will likely differ across sectors and industries.
  • Compliance timeline: 21 days, extendable by another 14 days.
  • Fees: May be charged to cover associated compliance costs, subject to a fee cap which may later be introduced.
  • Transmission method: Flexibility to determine the best method available to transmit the requested data, subject to any common set of standards or data formats which may later be specified.

Feedback to this paper may be provided via this link.

Author

Kherk Ying Chew heads the Intellectual Property and Dispute Resolution Practice Groups of Wong & Partners. She has decades of experience in intellectual property (IP), commercial litigation, corporate compliance, information technology and Internet regulatory issues.

Author

Serene Kan is a Partner in Baker McKenzie's Kuala Lumpur office.

Author

Chun Hau Ng is an Associate in Baker McKenzie's Kuala Lumpur office.