Understanding Malaysia’s 2024 Data Privacy Reform: Essential Insights for Business Leaders
Introduction
In a significant move to strengthen data protection, Malaysia passed the Personal Data Protection (Amendment) Bill on July 31, 2024. This landmark reform introduces substantial changes to the Personal Data Protection Act (PDPA) 2010, aligning Malaysia’s data privacy laws more closely with international standards.
For professionals and business owners, particularly those operating within or in relation to Malaysia, comprehending these amendments is crucial to ensure compliance and maintain stakeholder trust.
Extraterritorial Scope
The PDPA applies not only within Malaysia but also has extraterritorial reach under certain circumstances:
- Data Processed Within Malaysia: The PDPA applies to all personal data processed within Malaysia, regardless of the nationality or residence of the data subject or the data controller/processor.
- Use of Equipment in Malaysia: Organizations established outside Malaysia are subject to the PDPA if they use equipment located in Malaysia for processing personal data, other than for transit purposes. For instance, a foreign company using servers based in Malaysia to process data will need to comply with the PDPA.
This means that even if your organization is not physically located in Malaysia, you may still be required to comply with the PDPA if you process personal data using equipment in Malaysia.
Key Amendments
- Updated Definition: “Personal Data”
The amended PDPA defines “personal data” as any information that relates directly or indirectly to an identifiable individual. This includes any personal data involved in commercial transactions, whether that data is processed manually or automatically. Information like names, identification numbers, addresses, and opinions related to an individual fall within this definition.
- Updated Definition: “Sensitive Personal Data”
Under Section 4 of the amended PDPA, “sensitive personal data” includes personal data concerning the physical or mental health, political opinions, religious beliefs, or the commission or alleged commission of an offence. Importantly, the 2024 amendment expands this definition by including biometric data, defined as “any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person.” This includes information such as fingerprints, facial recognition data, and other biometric identifiers. The processing of sensitive personal data requires explicit consent from the data subject.
- New Definition: “Personal Data Breach”
The amendment also introduces the term “personal data breach,” defined as “any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data.” This broad definition encompasses various forms of data compromise, including unauthorized access or accidental exposure of data. Under the amended Act, data controllers must now notify the Commissioner of any breach and notify data subjects if the breach is likely to result in significant harm.
- Mandatory Appointment of Data Protection Officers (DPOs)
All data controllers and processors must appoint at least one Data Protection Officer. This requirement applies regardless of business size. For example, a multinational corporation with a regional office in Malaysia and an SME offering online services within Malaysia both need to designate a DPO responsible for overseeing data protection compliance.
- Mandatory Data Breach Notifications
Organizations are obligated to notify the Personal Data Protection Commissioner (PDPC) as soon as practicable upon becoming aware of a personal data breach. If the breach could cause significant harm to data subjects, they must also be informed without unnecessary delay. For example, if a financial services firm discovers unauthorized access to client financial data, it must promptly report the incident to the PDPC and notify the affected clients.
- Increased Penalties for Non-Compliance
Penalties for violations have been significantly increased and apply to both individuals and organizations:
- Fines: Up to MYR 1 million (~USD $215,000), raised from the previous maximum of MYR 300,000.
- Imprisonment: Up to three years, increased from the previous maximum of two years.
- Enhanced Cross-Border Data Transfer Regulations
The amendments replace the previous “white-list” regime. Data controllers may now transfer personal data to jurisdictions that:
- Have laws substantially similar to the Malaysian PDPA, or
- Ensure an equivalent level of protection for personal data.
Organizations must carefully assess the data protection laws of recipient countries or implement appropriate safeguards, such as binding corporate rules or standard contractual clauses.
- New Data Subject Portability Rights
The amended PDPA introduces a new right for data subjects to request the transfer of their personal data from one data controller to another. Under Section 43A of the amended Act, this right to data portability is “subject to technical feasibility and compatibility of the data format.” Data controllers must facilitate the transfer of personal data within a prescribed period, provided it is feasible to do so.
- Direct Obligations on Data Processors
Data processors now have direct legal obligations under the PDPA, particularly concerning the Security Principle. They must take practical steps to protect personal data from loss, misuse, unauthorized access, or disclosure. For example, a third-party payroll processor must ensure robust security measures are in place to protect employee data.
Real-World Implications for Businesses
- Multinational Corporations with operations in Malaysia or using Malaysian data processing equipment must reassess their compliance strategies. For instance, a global e-commerce platform utilizing Malaysian servers must comply with the PDPA, including appointing a DPO and adhering to breach notification requirements.
- Small and Medium-Sized Enterprises (SMEs) are equally obligated to comply with the PDPA. While resource constraints may pose challenges, SMEs can consider outsourcing the DPO role or utilizing compliance software solutions. For example, a local boutique collecting customer information for marketing purposes must ensure data is handled in accordance with the PDPA.
Conclusion
Malaysia’s 2024 data privacy reform significantly elevates the country’s data protection landscape, bringing it closer to international standards like the GDPR. For businesses, both domestic and international, proactive compliance is essential to avoid hefty penalties and to build trust with customers and partners.
The Data Privacy & Cybersecurity team at HBS can help your business effectively navigate its compliance requirements in an ever-shifting regulatory environment. We originally assessed Malaysia’s proposed amendments in a previous Data Privacy Blog by Jade Davis.
Disclaimer
This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.
About the Author
Savannah Liner Avera
Attorney at Law | Atlanta Office
T: 404.954.6973
E: savera@hallboothsmith.com
Savannah Liner Avera protects the rights of clients in health care and cyberspace. She handles aging services litigation and serves on the firm’s Coronavirus Strategic Team that counsels clients on complex matters related to the global pandemic. She represents providers including hospitals, skilled nursing facilities, assisted living facilities, and sub-acute facilities in a wide range of liability claims.