
A Brief Overview Of The Personal Data Protection (Amendment) Act 2024 And Its Implications On Malaysia’s Data Protection Landscape

April 2025 (updated January 22nd, 2026)

Thoo Jia En, Elena Siah Hui Lynn, Maryam Khalisa Binti Kamarul Bahrin, Chai Pei Xian

Introduction

The Personal Data Protection Act 2010 (“PDPA”) is the principal legislation regulating the processing of personal data in commercial transactions and protecting the interests of data subjects in Malaysia. The Personal Data Protection (Amendment) Act 2024 (“PDPA Amendment Act”) amends the PDPA to align it more closely with international standards, in particular the European Union’s General Data Protection Regulation (“EU GDPR”) and Singapore’s Personal Data Protection Act 2012 (“SG PDPA”).

The PDPA Amendment Act is a critical update to Malaysia’s data protection landscape, responding to growing concerns that the PDPA had become outdated and inadequate. In 2020, the Department of Personal Data Protection issued a public consultation paper on enhancing the enforcement and implementation of the PDPA. That initiative reflected the need to address emerging challenges in data protection in light of the evolving economic, social and technological factors that affect data users and data subjects.

 

The PDPA Amendment Act

The PDPA Amendment Act was gazetted in October 2024, and as of the date of this article, some of the sections are already in force.

The changes introduced under the PDPA Amendment Act are being implemented in three tranches. The first tranche, comprising Sections 7, 11, 13 and 14 of the PDPA Amendment Act, relates to ancillary provisions such as rectification of the Malay-language version of the legislative text, the revised powers of the Personal Data Protection Commissioner (“Commissioner”) to open and maintain bank accounts, and the service of notices and other documents by electronic means. These sections have been in effect since 1 January 2025.

The second tranche, comprising the key amendments set to take effect on 1 April 2025, includes the following:

 

Section 2: Terminology for data user
PDPA: Originally referred to as “data user”.
PDPA Amendment Act: Revised to “data controller”.

The term “data user”, commonly used in the Malaysian personal data protection context to mean a person who has control over the processing of personal data, is replaced with “data controller”, reflecting a shift towards the terminology used internationally, such as in the EU GDPR and the SG PDPA.

Section 3: Amendment to “definitions”
PDPA Amendment Act: Introduced or amended the following in the PDPA:
(a) introduced definitions for “personal data breach” and “biometric data”;
(b) expanded the definition of “requestor” to encompass individuals making data portability requests; and
(c) narrowed the scope of “personal data” to exclude the personal data of deceased individuals.
“Biometric data” is defined under the PDPA Amendment Act as “personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person” and is categorised as sensitive personal data.

Sections 4 and 5: Penalties for breach of personal data protection principles; obligations on data processors
PDPA: Penalties of a fine of up to RM300,000 and/or imprisonment of up to 2 years. Data processors are not directly obligated.
PDPA Amendment Act: Increased the penalties for breach of the personal data protection principles to a fine of up to RM1 million and/or imprisonment of up to 3 years. Extended the security principle to data processors, who must now adhere to the security requirements and are directly liable to penalties for breach.

Section 12: Cross-border data transfer
PDPA: Transfers to whitelisted countries were allowed, as were transfers with the data subject’s consent or where necessary for a contract, although no countries were ever officially whitelisted.
PDPA Amendment Act: Removal of the whitelist regime. Transfers are allowed to countries with similar data protection laws or an adequate level of protection, with the existing exceptions continuing to apply.

 

The third and final tranche, set to take effect on 1 June 2025, includes the following:

Section 6: Mandatory appointment of a data protection officer (“DPO”)
PDPA: Requirement did not exist.
PDPA Amendment Act: New mandatory requirement on data controllers and data processors to appoint at least one DPO.

Section 6: Mandatory personal data breach notification
PDPA: Requirement did not exist.
PDPA Amendment Act: Data controllers are required to notify the Commissioner of a personal data breach as soon as practicable, and to notify the affected data subject(s) if the breach causes or is likely to cause significant harm to them.
(a) Organisations must report every personal data breach to the Commissioner within 72 hours of becoming aware of it, regardless of whether the breach causes or is likely to cause significant harm to the affected data subjects.
(b) A data controller that fails to comply with this new requirement commits an offence and is liable to a fine not exceeding RM250,000, imprisonment for a term not exceeding 2 years, or both.

Section 9: Data subject’s right to data portability (1)
PDPA: Provision did not exist.
PDPA Amendment Act: Right granted, subject to technical feasibility and data format compatibility.

Note (1): Permits the transmission of an individual’s personal data from one data controller to another data controller of the individual’s choice, on notice given in writing in electronic form.

 

PDPA Amendment Act: Impact on Businesses in Malaysia

(a)  “Data User” to be replaced with “Data Controller”:

  • This change is cosmetic and will not materially affect the obligations of data users/data controllers under the PDPA. Once the amendment comes into force, however, existing personal data protection notices, policies and agreements that refer to the statutory term “data user” may require updating.

(b)  Direct Responsibilities on Data Processors:

  • Businesses operating as data processors must reassess their operational and business practices to comply with the new requirements under the PDPA Amendment Act.

(c)  Appointment of DPOs:

  • The PDPA Amendment Act provides few specifics for this requirement, such as the minimum qualifications or expertise required of a DPO; these are expected to be set out in the Data Protection Officer Guidelines being developed by the Commissioner.
  • In the meantime, businesses should identify suitable candidates for the DPO role and formalise the role within the organisation.

(d)  Increased Penalties for Breach of Personal Data Protection (“PDP”) Principles:

  • Directors, CEOs, COOs, managers and other officers responsible for the management of a data controller may be deemed to have contravened the PDP Principles, and may be liable jointly or severally with the body corporate for the offence (and for the increased penalties under the PDPA Amendment Act), unless they prove that the offence was committed without their knowledge and that they took all reasonable precautions and exercised due diligence to prevent it.
  • Businesses should provide comprehensive training for employees on the importance of data protection and the specific requirements of the PDP Principles, and should establish and maintain compliance measures to identify and rectify potential breaches.

(e)  Data Subject’s Right to Data Portability:

  • Businesses should prepare to operationalise the right to data portability by establishing clear protocols for receiving, processing and fulfilling portability requests within the statutory timeframe, and should train employees on the new right and on the procedures for handling such requests.

(f)  Removal of the Whitelist Regime for Cross-border Data Transfers:

  • Before transferring personal data abroad, businesses should assess whether the receiving country has data protection laws similar to the PDPA or otherwise provides an adequate level of protection.

(g)  Exclusion of Deceased Individual as Data Subject:

  • Businesses to update internal policies and procedures to reflect the exclusion of deceased individuals from data protection rights.

(h)  Biometric Data is Sensitive Personal Data:

  • Businesses processing biometric data will need to revise their privacy policies to comply with the more stringent consent requirements applicable to sensitive personal data.

 

PDPA Amendment Act: How Does It Affect the Banking Industry?

The banking and financial sector is one of the most heavily regulated industries, as it processes large volumes of customer data on a daily basis. The main bodies relevant to the banking sector’s compliance with the PDPA are:

(a)          Association of Banks in Malaysia (“ABM”)

The ABM serves as the appointed data controller forum for the banking and financial sector and is responsible for administering the sector’s Code of Practice on personal data protection. Under Section 26 of the PDPA, the Commissioner has the authority to revoke, amend or revise the Code of Practice on application by the ABM. The Commissioner and the ABM are required to meet annually, or whenever necessary, to discuss matters such as enforcement actions, complaints and proposed initiatives.

(b)          Bank Negara Malaysia (“BNM”)

Under the Financial Services Act 2013 (“FSA”), banks are bound by a statutory duty of secrecy that prevents them from disclosing customer information unless permitted by law. Breaching this duty can result in severe penalties, including imprisonment for up to five years, a fine of up to RM10,000,000, or both.

 

Specific Issues Relevant to the Banking and Financial Sector

It is important to understand the distinction between personal data and sensitive personal data, as well as what is not deemed personal data under the PDPA, because different standards apply to each category. The PDPA Amendment Act imposes stricter standards on the handling of sensitive personal data, and biometric data is now a type of sensitive personal data. Below are examples of data processed by financial institutions and their respective categories:

(a)          Personal Data

    • Employment information
    • Credit evaluation details
    • Ownership of assets
    • Account balances, credit history, income, and spending patterns

(b)          Sensitive personal data

    • Physical or mental health conditions
    • Political opinions
    • Religious beliefs
    • Criminal records
    • Biometric data which includes fingerprints and facial recognition

(c)          What is not personal data

    • Data related to organizations or companies (subject to exceptions)
    • Aggregated or anonymised data
    • Data of deceased individuals

The PDPA requires that the customer’s explicit consent be obtained before sensitive personal data is processed. This requirement extends to biometric verification and all other processing of sensitive personal data. Explicit consent can be obtained in various forms, such as:

(a) Verbal consent (which must be recorded)

(b) Written consent (e.g., signatures or tick boxes)

(c) By conduct, such as submitting an NRIC for reading during a transaction

 

Processing of Sensitive Personal Data by Data Controllers

In Public Bank Berhad v. Tan Teck Seng Jason & Anor [2021] MLJU 92, Public Bank Berhad was in dispute with customers who sought to change their addresses after taking a housing loan. Under the financing documents, the bank required biometric verification for any change of address, whereas the customers argued that an email notification should suffice. The issue was whether the bank’s refusal to accept an email notification of the address change contravened the PDPA.

The court held that the bank was entitled to require biometric verification as stipulated in the financing documents. In addition, as the bank was a data user under Section 4 of the PDPA, it was bound by the PDPA to ensure the security of personal data. The court also highlighted that, had the bank allowed the change of address to be effected through an unencrypted email notification, it would have run the risk of compromising the security of the customers’ sensitive personal data, thereby breaching the security principle under Section 5 of the PDPA. The case underlines the duty of financial institutions to protect personal data, particularly when handling sensitive customer information.

 

International Data Protection Standards on Processing of Biometric Data

Clearview AI

In September 2024, Clearview AI, a facial recognition platform, was fined €30.5 million by the Dutch Data Protection Authority (“Dutch DPA”) for unlawfully collecting biometric data without consent. The company had scraped publicly available images from the internet, including from social media platforms, to build a facial recognition database, in breach of the EU GDPR. The Dutch DPA stressed the importance of obtaining clear and informed consent from individuals when collecting and processing sensitive personal data such as biometric information, a standard comparable to that imposed under Section 6 of the PDPA.

Uber

In August 2024, the Dutch DPA imposed a €290 million fine on Uber for transferring European drivers’ personal data to the U.S. without adequate safeguards, in breach of the EU GDPR. The data transferred included sensitive information such as account details, taxi licences, location data, photos, payment details, identity documents and, in some cases, criminal and medical records. Uber’s failure to put appropriate safeguards in place for these transfers led to one of the largest fines under the EU GDPR to date.

In a similar vein, in Public Bank Berhad v. Tan Teck Seng Jason & Anor the court upheld the bank’s refusal to accept address change requests via unencrypted email, recognising that the risk of compromising sensitive personal data far outweighed the convenience of that method.

 

Analysis under the PDPA Amendment Act

With the PDPA Amendment Act, biometric data is now classified as sensitive personal data. As the Clearview AI and Uber cases illustrate, a data controller in Malaysia must obtain the customer’s explicit consent before collecting and processing sensitive personal data, including biometric data such as fingerprints or facial recognition data. The Public Bank case suggests that the Malaysian courts’ approach to the processing of sensitive data is broadly in line with these global standards, and this aspect of the PDPA Amendment Act further reinforces the importance of consent, security and transparency in the handling of sensitive personal data.

Comparing the EU GDPR, the PDPA and the SG PDPA

The EU GDPR, the PDPA and the SG PDPA share the common goal of protecting personal data. While the EU GDPR is known for its comprehensive and stringent framework, Malaysia and Singapore have both taken steps to enhance their data protection laws: Malaysia’s recent amendments align the PDPA more closely with international standards, while the SG PDPA offers broad applicability and robust safeguards. A comparison of the three frameworks follows.

 

Definition of Personal Data

The EU GDPR defines “personal data” broadly, covering any information relating to an identified or identifiable individual, including names, identification numbers, location data and online identifiers, as well as factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity. Notably, EU GDPR protection is not limited to commercial transactions; it covers personal data processed in social, professional and governmental contexts.

The SG PDPA, under Section 2, defines personal data similarly as data about an individual who can be identified from that data, and it applies outside commercial contexts. This makes it broader than the Malaysian PDPA, which limits protection to personal data processed in respect of commercial transactions.

Although the PDPA Amendment Act adds biometric data as a category of sensitive personal data, the definition of “personal data” in the PDPA remains restricted to information processed in respect of commercial transactions.

 

Right to Erasure

Article 17 of the EU GDPR gives individuals the right to request the erasure of their personal data in specific circumstances, such as when the data is no longer necessary for the purpose for which it was collected or when consent has been withdrawn. Individuals must be informed of this right, and organisations are required to act on an erasure request without undue delay and in any event within one month, ensuring that individuals retain control over their data.

The SG PDPA does not provide an explicit right to erasure, but Section 25 requires organisations to cease retaining personal data once it is no longer necessary for any legal or business purpose.

The PDPA likewise lacks an explicit right to erasure. It provides only that personal data must not be retained longer than is necessary for the purpose for which it was processed, which does not translate into an enforceable right for individuals to request deletion.

 

Right to Data Portability

Under Article 20 of the EU GDPR, individuals have an explicit right to receive their personal data in a structured, commonly used and machine-readable format and to have it transmitted to another data controller. This gives individuals greater control over their data and enables them to move it freely between service providers.

Section 22A of SG PDPA allows individuals to request their personal data in a machine-readable format. However, it does not permit direct transfers between data controllers, unlike the EU GDPR.

Before its amendment, the PDPA did not recognise data portability as an independent right. With the introduction of Section 43A by the PDPA Amendment Act, individuals can now request the transfer of their personal data to another data controller, provided the transfer is technically feasible and the data formats are compatible.

 

DPOs

Under the EU GDPR, organisations whose core activities involve large-scale processing of special categories of data or large-scale regular and systematic monitoring of individuals must appoint a DPO. The DPO monitors compliance, maintains documentation, advises on regulatory matters and acts as the point of contact between the organisation, the supervisory authorities and data subjects.

The SG PDPA mandates the appointment of DPOs under Section 11(3) to oversee an organisation’s data protection compliance, and Section 11(5) sets out the DPO’s role more clearly.

Following the PDPA Amendment Act, Section 12A of the PDPA introduces a similar requirement, mandating the appointment of DPOs by data controllers and data processors. DPOs must be registered with the Commissioner and may be appointed internally or engaged externally. However, the PDPA Amendment Act does not specify a penalty for failing to appoint a DPO.

 

Extra-Territorial Application

The EU GDPR protects all individuals in the EU or European Economic Area, regardless of nationality or where the data is processed. It also applies to businesses outside the EU that offer goods or services to individuals in the EU, monitor their behaviour, or process data in the context of an EU-based establishment of a controller or processor. Organisations worldwide, including those in Malaysia, must therefore comply with the EU GDPR if they wish to offer goods or services to individuals in the EU.

The SG PDPA, under Section 2(1), also applies extraterritorially to organisations that handle the personal data of individuals in Singapore, even if the organisation is based outside Singapore. This is aligned with the EU GDPR’s extraterritorial application.

In Malaysia, the PDPA has more limited extraterritorial application. It applies to personal data processed outside Malaysia only if the data is intended to be further processed in Malaysia, and foreign data controllers fall within its jurisdiction only if they use equipment in Malaysia to process personal data other than for the purpose of transit through Malaysia.

 

Conclusion

The PDPA Amendment Act represents a significant step in bringing Malaysia’s data protection framework closer to international benchmarks, particularly the EU GDPR. While the Malaysian courts, the PDPA and the PDPA Amendment Act now apply standards comparable to those frameworks when it comes to the processing of personal data, there remain areas for improvement. The PDPA could be expanded to cover a broader range of stakeholders and enhanced to include, among other things, a more detailed framework for the right to erasure and the right to data portability. As Malaysia continues to strengthen its data protection regime, ongoing legislative improvements such as these will be essential to keep pace with global developments and international standards.