KUALA LUMPUR: The proposed amendment to the Personal Data Protection Act (PDPA) 2010 will include an increase in penalties up to RM1 million or imprisonment for up to three years for any violation of the existing laws.
The original penalty was RM300,000 or imprisonment for up to two years.
Digital Minister Gobind Singh Deo said the amendments include ensuring the appointment of data protection officers by an organisation that controls data and that the provisions related to data protection are complied with.
These officers serve as liaisons with the PDP department during data breach incidents and ensure organisational compliance with the seven principles of personal data protection outlined in the Act.
He said the data controller or data processor for each organisation needs to inform the PDP Commissioner about the appointment of the officer.
"This amendment will create a responsibility for each data controller to report any personal data breach incidents as soon as possible.
"If the data breach results in significant harm to the data subject, the data controller must act immediately to make that report," he said in the statement.
He added failure by the data controller to report any incidents as stated, upon conviction, can be punished with a fine not exceeding RM250,000 or imprisonment for a term not exceeding two years or both.
"This amendment will establish the right to data portability, where a data subject can request the data controller to transfer their personal data to a data controller of their choice.
"This will facilitate the data transfer process as needed under certain circumstances," he said.
Earlier, the amendment to the PDP Act 2010, aimed at aligning with international standards, was tabled for the first reading in Dewan Rakyat by Gobind, with a second reading to follow in the same session.
The Act will see an amendment to Section 129 to allow data controllers to transfer personal data outside Malaysia if the destination has laws substantially similar to the Act.
A new proposed section 12a will require a data controller to appoint one or more data protection officers, while proposed new section 12b will also be included to provide for the procedure relating to data breach notification.
The bill also proposes amending Section 21 of the Act to enable the commissioner to designate not only a body but also a data controller as a data controller forum in respect of a specific class of data controllers.
It also sought to introduce a new section into the Act to provide for the rights to data portability of a data subject, subject to technical feasibility and compatibility of the data format.