Following a public consultation held in early 2020, certain amendments to the Malaysian Personal Data Protection Act 2010 (“PDPA“) will be tabled at the Malaysian Parliament for approval in October 2022. These proposals will introduce new obligations on both data users and data processors.
In more detail
The Communications and Multimedia Minister (“Minister“) (who oversees the implementation of the PDPA) has indicated that the following proposed amendments to the PDPA are expected to be tabled at Parliament for approval in October 2022 (collectively “Proposed Amendments“):
- Appointment of data protection officer: All data users will each be required to appoint a data protection officer.
- Mandatory data breach notification: All data users will be required to report data breaches to the Malaysian Personal Data Protection Department (“PDPD“) within 72 hours.
- Data processor obligation: Data processors will be required to comply with the security principle under the PDPA.
- Introduction of data portability: Transfers of personal data between data users (upon request from data subjects) will be allowed (if the technical system permits).
- Blacklist for cross-border transfers: The power of the Minister to issue a whitelist will be replaced with a blacklist. Transfers of personal data to blacklisted countries will be prohibited.
Under the PDPA, “data users” are essentially those who have control over or authorise the processing of any personal data (excluding data processors), whereas “data processors” refer to those who process the personal data solely on behalf of the data user and not for any of their own purposes.
The Proposed Amendments formed part of the 22 proposals in the public consultation paper issued by the PDPD in early 2020 to strengthen the PDPA. They are broadly in line with recent data privacy reforms across the region. Businesses should anticipate and prepare for the additional compliance obligations which they may be subject to if the Proposed Amendments are passed and come into force (including undertaking an assessment of the impact of such compliance obligations on its existing contractual commitments and undertakings).
* * * * *
This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.