Data breach act malaysia

Last review date: 31 December 2023

☒ omnibus – all personal data

☒ sector-specific — e.g., financial institutions, governmental bodies

Aviation, utilities, insurance/takaful, banking and financial sectors, telecommunications, healthcare, tourism and hospitality business, education, service industry (i.e., legal, audit, accountancy, engineering or architecture), housing developers, pawnbrokers and moneylenders

Last review date: 31 December 2023

• Personal Data Protection Act 2010 (PDPA)
• Personal Data Protection Regulations 2013
• Personal Data Protection (Registration of Data User) Regulations 2013
• Personal Data Protection (Fees) Regulations 2013
• Personal Data Protection (Class of Data Users) Order 2013
• Personal Data Protection (Class of Data Users) (Amendment) Order 2016
• Personal Data Protection (Compounding of Offences) Regulations 2016
• Personal Data Protection (Appeal Tribunal) Regulations 2021
• Personal Data Protection Standard 2015 (PDPS)
• General Code of Practice of Personal Data Protection (GCOP)

Last review date: 31 December 2023

• Personal Data Protection Act 2010
• Computer Crimes Act 1997
• Communications and Multimedia Act 1998
• Communications and Multimedia (Licensing) Regulations 2000
• Communications and Multimedia (Compounding of Offences) Regulations 2001
• Digital Signature Act 1997
• Digital Signature Regulations 1998
• Electronic Commerce Act 2006
• Penal Code - the Penal Code criminalizes certain cyber-related activities such as online cheating, fraud, criminal defamation, intimidation and pornography.

Are new or material changes to those key data privacy and cybersecurity laws anticipated in the near future?

Last review date: 31 December 2023

In February 2020, the Malaysian Personal Data Protection Commissioner (Commissioner) issued Public Consultation Paper (PCP) No. 1/2020, with an aim to collect feedback on its proposal to update the PDPA. The PCP proposes, amongst others, that the PDPA be amended to provide further clarity on the scope and application of consent provided through the personal data life cycle. Feedback was also sought on (i) the extension of obligations to data processors; (ii) the reporting of data breaches; and (iii) providing a right to commence civil litigation against data users.

Following the public consultation, the then Communications and Multimedia Minister (Minister) (who oversees the implementation of the PDPA) indicated that the following proposed amendments to the PDPA would be tabled in the Malaysian Parliament:

• Appointment of data protection officer: All data users will each be required to appoint a data protection officer.
• Mandatory data breach notification: All data users will be required to report data breaches to the Malaysian Personal Data Protection Department (PDPD) within 72 hours.
• Data processor obligation: Data processors will be required to comply with the security principle under the PDPA.
• Introduction of data portability: Transfers of personal data between data users (upon request from data subjects) will be allowed (if the technical system permits).
• Blacklist for cross-border transfers: The power of the Minister to issue a whitelist will be replaced with a blacklist. Transfers of personal data to blacklisted countries will be prohibited.

Even though it was originally anticipated that the foregoing proposals would be tabled and debated in the Malaysian Parliament by the end of 2023, at the time of writing, there had been no progress on that front, and it is unclear when they will be implemented.

During the 12 th Malaysia Plan midterm review (12MP MTR) held on 11 September 2023, the Prime Minister of Malaysia indicated that existing laws will be amended to enhance the effectiveness of combating cybercrime activities, and the pioneering use of the national biometric registry system known as the National Digital Identity (NDI) for secure and protected identity verification is expected to be launched in 2025. However, we are not currently aware of the exact changes that will be made to the existing data privacy and/or cybersecurity laws.