Cabinet OK’s amending Personal Data Protection Act to curb abuse, breaches

KUALA LUMPUR, July 4 — The Cabinet has approved proposed amendments to the Personal Data Protection Act 2010 (Act 709) that are expected to be tabled in the current parliamentary meeting.

In a statement, Digital Minister Gobind Singh Deo said the amendments were necessary to ensure Malaysia’s data protection laws kept abreast with global standards and developments.

Gobind also said there was a worrying trend of complaints reaching the Office of the Personal Data Protection Commissioner.

“The proposed amendments aim to enhance policies, particularly in terms of security and enforcement, to address issues of personal data breaches and misuse in Malaysia,” he said.

The proposals include making it mandatory for data users (entities processing personal data for commercial transactions) to declare personal data breaches, with non-compliance punishable by fines of up to RM250,000 or imprisonment up to two years or both.

“This amendment is to ensure data breach incidents involving personal data are not excluded from surveillance and enforcement by the PDP Commissioner.

“This obligation is also aimed to serve as an immediate mitigating move to avoid further breaches and implement control measures,” he said.

Other proposals include additional compliance responsibilities for data processors (entity processing personal data for data users), where non-compliance over the aforementioned security principle will see offenders fined up to RM1 million or jail up to three years or both.

“Prior to the proposed amendment, this action can only be imposed on data users. Through this amendment, data processors must be held responsible towards the security of processed personal data to avoid any form of leakages,” he said.

Also proposed was the appointment of data protection officers to liaise between data users and both the PDP commissioner and data subjects (personal data owners).

The remaining amendments are introducing the right to data portability for data subjects and abolishing the requirement to designate specific locations for the transfer of personal data outside of Malaysia.

Gobind said input and views for the proposal were obtained from 719 stakeholders across 40 engagement sessions.

What does the number says

Gobind cited a 5.1 per cent increase in the number of complaints received by the PDP commissioner's office from October 2023 to March 2024.

During that period, 322 complaints were received regarding the misuse and breach of personal data.

In last quarter of 2023, Gobind said a total of 27 personal data breach notifications were received, which rose to 38 in the next quarter.

As of 2023, he said 779 complaints of personal data misuse and breach were received while 288 complaints were received as of June this year.

“Even though on average there is a slight decrease due to continued enforcement, these figures are still a concern,” he said, adding that these concerns stemmed from other crimes such as online scams and identity thefts.