KUALA LUMPUR, Aug 4 — Communications and Multimedia Minister Tan Sri Annuar Musa today said that several amendments to Act 709 of the Personal Data Protection Act (PDPA) 2010 are in the pipeline to strengthen the law, after a series of personal data breaches in the country this year.
Speaking in the Dewan Rakyat today, Annuar said that once the final draft of the intended amendments is received from the Attorney General's Chambers (AGC), a memorandum would be sent to the Cabinet on the matter to deliberate on the proposed amendments, before having it tabled in Parliament in October.
"Yes, it is true. The government aims to introduce several improvements to this Act for the good in the future and the proposed amendments have already been extended by the Communications and Multimedia Ministry to the AGC on June 28, 2022 for further action by the AGC.
"For information, among the proposed amendments would involve, among others firstly, mandating all data users to appoint a data protection officer, secondly, introduction of data breach notification to mandate all data users report data breach to a PDPA officer within a 72-hour period.
"Thirdly, requiring data processors to comply with security principles under Act 709. Fourthly, to allow the transfer of personal data among data users on the request of the subject of the data, should the technical system allows it and fifth, the abolishment of determination of the list of cross-border places which will replace the list of places or white list with a black list for cross-border transfers of personal data," Annuar revealed.
He said that these suggestions would strengthen the law, given the proposed appointment of personal data officers and notifications on data leakages.
Annuar was responding to a question by Setiu MP Shaharizukirnain Abd Kadir, who asked about the ministry's plan to amend several clauses in the PDPA in fighting cybercrimes that had caused nearly 100 million cases of personal data breach.
He also asked Annuar to state the constraints faced by the ministry, seeing how the Act has not been amended until now.
In May, Transparency International Malaysia (TI-M) expressed concern over the alleged data leaks and sale of personal data belonging to Malaysians and urged the government to publicly disclose the results of police investigation into the matter.
In a statement, TI-M said in a digital age of increasing technological developments, the country must not be complacent towards the growing threat of cybercrimes and the vulnerability of our personal data and privacy.
It also suggested that legislators study what is lacking in existing legislation, leading to solutions that strengthen the existing legal framework surrounding personal data protection.
TI-M was referring to a report by Lowyat.net which stated that the National Registration Department's (NRD) dataset containing information of all Malaysians born between 1940-2004 was being sold on an online database marketplace forum.
The dataset included the full names, identity card numbers, addresses and photographs of approximately 22.5 million Malaysians, allegedly obtained from the myIDENTITY platform, a data-sharing platform that allows agencies to access personal information via a centralised repository.
Home Minister Datuk Seri Hamzah Zainudin was quoted saying in a news report that 104 agencies have permission to access the platform.
Prior to this, a similar sale of data belonging to four million Malaysians was reported in September of last year.
Hamzah has denied that the recent leak is from the Home Ministry, saying that there are mechanisms in place that have verified the data as not coming from the department.