Malaysian Data Protection Law Amendments

Malaysian Data Protection Law Proposed Amendments Move the Law to Align More Closely with International Standards

Background

On July 10, 2024, the Malaysian Parliament introduced and passed a bill to amend its Personal Data Protection law to bring Malaysian data protection laws into closer alignment with international standards, such as the European Union’s General Data Protection Regulation (GDPR) and the data protection frameworks of ASEAN countries like Indonesia, Singapore, the Philippines, Thailand, and Vietnam, ensuring enhanced privacy and security for personal data in line with global best practices.

The Dewan Negara (Senate) is currently in session. Some expect passage, and others expect the bill to be tabled. Nonetheless, and as seen in other jurisdictions, we expect passage at some point of a version very similar to what the House of Representatives passed. As such, we recommend that business clients operating in Malaysia proactively review their data protection compliance programs and processes. Given the heightened cybersecurity risks, companies should also prepare for data breach incidents with robust incident response protocols and mandatory personal data breach notifications.

Businesses must also be adequately prepared to meet other new substantive requirements, such as revised cross-border data transfer regulations and data portability mandates. Drawing on data protection strategies from other jurisdictions where such requirements are already in place can help manage compliance.

Checklist for Businesses

  • If no data breach notification protocol exists, establish one and conduct tabletop exercises
  • Obtain adequate means for data subjects to request data portability
  • Ensure operational efficiency and reporting for data portability requests
  • Consider appropriate candidates for the role of DPO
  • Review contracts with data processors to ensure downstream obligations

We will continue to monitor the progress of the bill and provide updates.

| 2010 Act | 2024 Bill |
|---|---|
| Term used: “Data User.” | Replaces the term “Data User” with “Data Controller.” |
| Biometric data not expressly addressed. | Biometric data considered as “sensitive personal data.” |
| Personal data of deceased individuals not expressly addressed. | Personal data of deceased individuals expressly excluded from the scope of the Act. |
| No DPO requirement. | Mandatory appointment of a data protection officer (DPO). |
| Data processors are not directly subject to obligations. | Data processors are directly obligated to comply with security requirements, including direct imposition of penalties on data processors for breach. |
| No mandatory personal data breach notification requirements. | Mandatory personal data breach notification to the Personal Data Protection Commissioner. |
| No right to data portability. | Data subjects have the right to data portability. |
| Breach of personal data protection principles subject to a fine of up to RM300,000 and/or two years imprisonment. | Increased penalties for breach of personal data protection principles: up to RM1,000,000 and/or up to three years imprisonment. |
| Whitelisted countries to which data transfers could be effected (no whitelisted countries added). Transfers of personal data out of Malaysia may be carried out if exceptions apply (e.g., with consent of the data subject, or where necessary for the performance of the contract). | Removal of the white-list regime for cross-border data transfers. Personal data may be transferred out of Malaysia to a country that has substantially similar laws or that ensures equivalent levels of protection, or under the exceptions in the 2010 law. |

If you have any questions about what these changes may mean for your business, please reach out to the HBS Data Privacy & Cybersecurity team.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

About the Author

Jade Davis

Partner | Tampa Office

T: 813.329.3890
E: jdavis@hallboothsmith.com

Jade Davis focuses her practice on data privacy, cyber security, and construction matters. Jade provides strategic privacy and cyber-preparedness compliance advice and defends, counsels, and represents companies on privacy, global data security compliance, data breaches, and investigations.