Malaysia is in the process of updating its Personal Data Protection Act to align more closely with laws in other jurisdictions. The law was originally passed in 2010 and then modified this year. As part of the modification process, the country’s Personal Data Protection Department (PDPD) sought input at the end of the summer on different areas of the newly revised law. Included in the request for input was the breach notification process, DPOs, and data portability. The time frame for input ended at the beginning of this month, and we thus expect to see more direction on these points in the near future.
Changes to Breach Notice Process
The first area for which the PDPD sought input was on data breach notifications. The law as revised will impose a new notification obligation. In particular, there will be a mandatory obligation to notify the Personal Data Protection Commissioner in the event of a breach. The PDPD sought input on when that notice would need to be made and the time frame for the notice. In particular, it proposed that the commissioner notice happen only when the breach is of significant scale or will cause significant harm. And, that notice be made 72 hours after a company becomes aware of a breach. It also asked for input on the template form used to notify the commissioner and whether notice to individuals could go by email. And, what the timing should be for individual notice.
Changes to DPO Appointment
The second area that the PDPD sought input was on the new data protection officer obligations. While the law currently does not require a DPO, as amended, companies engaging in “large-scale” processing will need have a DPO. Among other things, the PDPD sought input on whether “large-scale” processing should be an express number or based on certain factors, and what qualifications the DPO should hold.
Changes to Data Portability Obligations
The third area that the department sought input was on data portability, a new right under the Malaysian privacy law. As amended, individuals will be able to ask companies to send their data to third parties. The PDPD wanted to know if those requests should be honored even if companies have technical challenges. It also wanted input on the types of information subject to these requests (like inferred data) and the time period of requested data.
Putting It Into Practice: The changes to the privacy law in Malaysia are a reminder for global companies to have a process in place to (1) monitor for local law developments and (2) take an adaptable approach to privacy programs and privacy compliance. We expect to see ongoing updates to existing laws -like this one in Malaysia- at the same time that legislators around the world implement new laws.
