
On 16 July 2024, the Personal Data Protection (Amendment) Bill 2024 was passed in Malaysia, introducing key changes to the Personal Data Protection Act (the "Amended PDPA"). These changes include, amongst other things, mandatory breach notification, mandatory appointment of a data protection officer and a right to data portability. The cross-border data transfer regime has also been modified.

In September and October 2024, the Malaysia Personal Data Protection Commissioner (the "Commissioner") issued five public consultation papers in respect of the new requirements under the Amended PDPA (the "Public Consultation Papers"). The consultation period ended on 18 October 2024. Details of the Public Consultation Papers on these key changes are set out below.

  1. Mandatory data breach notification
  2. Mandatory appointment of data protection officer
  3. Right to data portability
  4. Cross-border data transfers

1. Mandatory data breach notification

Under the Amended PDPA, data controllers must notify the Commissioner of a suspected or actual personal data breach. Breaches which meet the thresholds described below must be notified to: (i) the Commissioner; and (ii) the impacted data subjects.

Notification to the Commissioner

Notification to the Commissioner is mandatory where:

    1. the personal data breach is likely to cause or has caused “significant harm”; or
    2. the personal data breach is likely to be or is of a “significant scale”.
  • Significant harm: A data breach is deemed to cause "significant harm":
    • where the access, disclosure or loss of personal data results or is likely to result in bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the data subjects’ credit record, or damage to or loss of property;
    • where the access, disclosure or loss of personal data results or is likely to result in serious harm to affected data subjects, or has been, is being or will likely be misused for illegal purposes; or
    • where the compromised personal data includes sensitive personal data or information that may be used to enable identity fraud such as usernames, passwords or identification numbers.
  • Significant scale: "Significant scale" means more than 500 data subjects.

Notification to impacted data subjects

Notification to data subjects is mandatory where both the significant harm and significant scale thresholds are met. Notification to data subjects may be exempted where: (i) appropriate protection measures are in place that make it unlikely that the breach will result in significant harm; or (ii) the compromised data is secured by technical and organisational measures (eg encryption) that render it incomprehensible to unauthorised individuals.

Impacted data subjects should be notified directly unless the effort to do so is disproportionate, in which case a public communication or statement is required. The notification must include, at a minimum, the details of the breach, the potential effects of the breach, the remedial actions taken, recommended steps for data subjects and the contact points through which data subjects can reach the organisation.

Timing for notification

Notification to the Commissioner should be made within 72 hours of the organisation becoming aware of a breach. The proposal recommends adopting the current template reporting form for voluntary notifications for the mandatory regime.

If notification to affected data subjects is required, they should be notified concurrently with the notification to the Commissioner or as soon as possible thereafter.

Data processors should notify data controllers of a data breach

Data controllers should contractually require their data processors to inform them of any data breaches.

2. Mandatory appointment of data protection officer

The Amended PDPA introduces a mandatory requirement for data controllers and data processors to appoint a data protection officer ("DPO") if they carry out "large scale" data processing activities. Factors relevant to what constitutes "large scale" include the number of data subjects, the volume, range and nature of the data being processed, and the duration and geographical extent of the processing.

Under the Public Consultation Paper, the DPO may be appointed internally or externally and the DPO may serve multiple entities within the same group of companies. The DPO must be ordinarily resident in Malaysia and have prescribed expertise and qualifications, including strong knowledge of data protection laws, an understanding of the business and personal data processing operations of the organisation, and integrity.

3. Right to data portability

The Amended PDPA grants data subjects the right to data portability ie the right to request the transfer of their personal data from one data controller to another.

Under the Public Consultation Paper, data controllers are only required to comply with data portability requests if there is technical feasibility between the data controller transferor and the data controller recipient. Data controllers may be required to comply with a common set of technical standards as specified by the Commissioner from time to time.

The right to data portability is limited to a prescribed set of personal data (eg personal data provided by the data subject or data processed by automated means). The Commissioner has proposed that a data controller will only be required to transmit data belonging to the categories listed in a whitelist to be issued by the Commissioner or by industry/sector regulators.

Data controllers are required to comply with a request within 21 days of receiving it or, where an extension is needed, no later than 14 days after the initial 21-day period. It is also proposed that data controllers may charge a reasonable fee to cover the costs of complying with such requests.

4. Cross-border data transfers

Before the amendment, the Malaysia PDPA adopted a white-list regime which set out the jurisdictions to which data controllers could transfer personal data without any further steps or requirements. However, no country was ever added to the list since the inception of the PDPA.

The Amended PDPA removes the white-list regime and allows data controllers to transfer personal data to any jurisdiction outside Malaysia which has similar data protection laws or ensures an equivalent level of protection to the PDPA. Section 129 of the PDPA provides different legal bases for transferring personal data out of Malaysia, ie such transfers are allowed in any of the following cases:

  (i) there is in that place in force any law which is substantially similar to the PDPA;
  (ii) that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA (eg standard contractual clauses); or
  (iii) consent of the data subjects.

A data controller must meet at least one of the three conditions for cross-border data transfers.

The Public Consultation Papers provide clarity on how some of the legal bases can be satisfied:

  • In relation to condition (ii) above, it is proposed that a data controller must carry out a transfer impact assessment ("TIA") before a cross-border data transfer. As part of this TIA, a data controller should identify all jurisdictions to which personal data will be transferred, assess the level of data protection laws available in the destination jurisdictions, and conduct TIAs periodically to ensure ongoing compliance.
  • In relation to condition (iii) above, the proposed process for obtaining consent requires data controllers to inform data subjects of the transfer via a privacy notice, which should set out the purpose of the data transfer and the classes of overseas third-party recipients that will have access to the personal data.

Further, two additional conditions have been proposed in the Public Consultation Papers:

  1. Cross-border data transfers are necessary for contractual purposes or to protect vital interests of a data subject. The Public Consultation Papers propose certain factors to consider in determining necessity, eg the transfer must be for specific reasons or purpose rather than a standard practice or for a general purpose, and the specified purpose cannot be reasonably accomplished through other methods.
  2. Data controllers may also carry out cross-border data transfers if they have taken all reasonable precautions and exercised due diligence to ensure that the way personal data will be processed would not contravene the Malaysian PDPA if it were processed in Malaysia. There are three ways through which this condition can be fulfilled: (i) the use of binding corporate rules which are applicable to intra-group transfers only; (ii) the use of standard contractual clauses, which will be either local Malaysia standard contractual clauses to be issued or overseas standard contractual clauses (ie the ASEAN Model Contractual Clauses or the EU Standard Contractual Clauses); and (iii) the use of certification mechanisms.

Finally, it is proposed in the Public Consultation Papers that data controllers carrying out cross-border data transfers must maintain records containing recipients' details (including their names, company registration numbers, and contact details of DPOs or equivalent), the country to which personal data is being transferred, type of data transferred, and reasons for the transfer.

Key contacts

Peggy Chow, Of Counsel, Singapore

Sue May Yeo, Associate, Singapore