The Personal Data Protection Act 2010 (PDPA), Malaysia's first comprehensive personal data protection legislation, was enacted on June 2, 2010, and came into effect on November 15, 2013. On February 14, 2020, the Personal Data Protection Commissioner released Public Consultation Paper No. 01/2020 (PC01/2020) to gather public feedback on 22 issues as part of a PDPA review.
In October 2023, the PDP Department highlighted five key issues for the proposed PDPA amendments, with the amendment bill expected in March 2024. The main proposed changes are:
Hiring Data Protection Officers (DPOs):
Organizations may be required to appoint a Data Protection Officer to oversee data protection strategies and ensure PDPA compliance. DPOs should report to senior management or the board, emphasizing the importance of data protection within the company.
Simplifying Cross-Border Data Transfers:
Currently, personal data cannot be transferred outside Malaysia without Ministerial approval unless exceptions apply. The proposed changes may allow data transfers for e-commerce and free trade agreements without explicit consent, except for countries on the Minister’s blacklist.
Security Obligations for Data Processors:
Data processors might be directly required to adhere to the PDPA's Security Principle, ensuring the protection of personal data against loss, misuse, unauthorized access, disclosure, or destruction.
Mandatory Data Breach Notifications:
The proposed amendment includes obligatory data breach notifications to authorities, ensuring timely action to mitigate impacts and maintain transparency and trust.
Data Subject’s Civil Right:
The amendment may introduce a specific provision allowing data subjects to sue data users for violations, providing a legal avenue for individuals to seek redress for breaches of their personal data rights.