Currently, Malaysia does not have a data breach notification requirement under the Personal Data Protection Act 2010 (“PDPA”). One of the proposed amendments to be tabled for Parliament discussion in October 2022 is the introduction of a mandatory data breach notification regime.

Proposed amendments to the PDPA are expected to be tabled at the next Parliament sitting in October 2022. These amendments were selected from the public consultation paper on proposed reforms to the PDPA issued by the Personal Data Protection Commission (“PDPC”) in February 2020. Although there are 22 proposed amendments in the public consultation paper, it has been reported that only 5 out of those 22 proposed amendments will be tabled for discussion this year.

The proposed amendments include the introduction of a mandatory data breach notification requirement under the PDPA, which will require notifiable personal data breaches to be reported to the PDPC within 72 hours. The PDPC has proposed to issue guidelines to assist organisations to comply with this new notification requirement.

Based on publicly available information, the other 4 proposed amendments to be tabled for Parliament discussion are:

  • impose a direct obligation on data processors to comply with security principles under the PDPA;
  • require the appointment of a data protection officer;
  • introduce the right to data portability, i.e. a data user should transfer personal data of a data subject to another data user in a user-friendly machine-readable format at the request of the data subject if this is technically feasible; and
  • issue a blacklist, instead of a whitelist, of jurisdictions for cross-border data transfer out of Malaysia.

Our observations

Similar to other jurisdictions across Asia, the proposed amendments to the PDPA will bring the Malaysia PDPA more in line with the EU General Data Protection Regulation, which is often regarded as the global standard.

It would be advisable for businesses to follow these developments closely to ensure that their current business practices are updated to comply with the new requirements under the PDPA.
