Malaysia's Personal Data Protection Act Amendment Passes Parliament
On July 31, Malaysia’s Dewan Negara (Senate) passed the Personal Data Protection (Amendment) Bill 2024 (Bill D.R. 21/2024) to help strengthen Malaysia’s data governance regime and better align local laws with international standards. The Bill aims to strengthen security and accountability measures, mitigate personal data breaches and misuse, and empower individuals with greater control over their data. Discussions on amending the Personal Data Protection Act 2010 (PDPA) date back to as early as 2020 but faced significant delays due to the pandemic and changes in administration.
The Bill outlines seven key amendments, including the inclusion of biometric data as sensitive personal data, new Data Protection Officer (DPO) obligations, and the introduction of data portability rights and mandatory notification of personal data breaches. The amendments will also result in increased penalties for breaches of personal data protection principles from RM300,000 (US$61,181) and/or two years’ imprisonment to RM1 million (US$227,000) and/or three years’ imprisonment. Bill D.R. 21/2024 does not provide clear guidance as to whether there will be a grace period to comply with the new provisions.
Following the notification of the amended law in the Federal Official Gazette, seven guidelines under the Personal Data Protection Act (PDPA) are expected to be developed by the Personal Data Protection Department (JPDP) to support the implementation of the amendments, including the Notification of Data Breach Guidelines, Data Protection Officers Guidelines, Data Portability Guidelines, and Cross Border Data Transfer Guidelines and Mechanism. Minister of Digital Gobind Singh Deo also recently announced the development of the National Data Sharing Bill, which is expected to be tabled in 2024 Q4.