Following the passing of the Personal Data Protection (Amendment) Bill 2024 by the Malaysian Parliament in July 2024, three public consultation papers have been issued in relation to the implementation of the following impending new legal obligations:

• Notifying the Personal Data Protection Commissioner and affected data subjects for personal data breach.
• Appointing data protection officer(s).
• Effecting the data subject’s right to data portability.

The deadline to provide feedback is 6 September 2024 (Friday).

The long-awaited Personal Data Protection (Amendment) Bill 2024 has now been made publicly available. Among the key changes it seeks to introduce are: direct obligations for data processors, mandatory data breach notification, requirement to appoint data protection officer(s), new data subject rights on data portability, an expanded definition of sensitive personal data, and a general legal basis for cross-border transfers.

Proposed licensing of social media and internet messaging services providers and a new draft bill on digital safety – these are some of the recent updates in the online content space for Malaysia.

Proposed licensing of social media and internet messaging services providers and a new draft bill on digital safety – these are some of the recent updates in the online content space for Malaysia. On 15 December 2023, the Malaysian Communications and Multimedia Commission (MCMC) reported that there was a significant increase in harmful content on social media and over-the-top platforms in 2023 as compared to in 2022. Against this backdrop, the Malaysian Government (as with its counterparts in the region) is increasingly concerned about online safety and the harms that materialize as part of the proliferation of online content.

The General Code of Practice of Personal Data Protection introduces new legal requirements to be complied with by data users caught within its ambit. It also seeks to provide best practice recommendations with respect to the implementation of principles under the Personal Data Protection Act 2010 and its subsidiary legislation.
Some of the new legal requirements include providing additional mandatory information in a personal data protection notice, complying with any data subjects’ written request not to process their personal data for direct marketing within reasonable time, maintaining a personal data system, and establishing a PDPA compliance framework.

The Malaysian Personal Data Protection Department has just published a questionnaire on Data Protection Officer (DPO) to gather market feedback on the role and qualification of a DPO in Malaysia . The deadline to respond to the Survey is 21 December 2022.

The interim chairman of Malaysian Communications and Multimedia Commission announced that MCMC is undertaking a review of the current online content regulation and framework. This was shared following recent publication of online content deemed to be harmful to national security and harmony. He also noted that countries in the region such as Indonesia, Singapore and Australia have introduced direct regulatory oversight on social media service providers, holding them to greater accountability and responsibility when managing harmful content.

Following a public consultation held in early 2020, certain amendments to the Malaysian Personal Data Protection Act 2010 will be tabled at the Malaysian Parliament for approval in October 2022. These proposals will introduce new obligations on both data users and data processors.

Following the public consultation held in late 2021 on proposed changes to the Malaysian Communications and Multimedia Content Code (“Content Code”), the Communications and Multimedia Content Forum of Malaysia has now issued the revamped version of the Content Code effective from 30 May 2022.

Earlier this year, the Malaysian Personal Data Protection Department released several documents to aid data users in their compliance with the Malaysian Personal Data Protection Act 2010 – these include a guide on privacy notices, new codes of practice applicable to the private healthcare industry and the water utilities industry, as well as circulars reminding prescribed classes of data users of their registration obligations.