Penalties for Non-compliance
What are the potential penalties / remedies for non-compliance with the key data privacy and security laws in the jurisdiction?

[Last updated date: 1 April 2022]

There are:

☒        administrative remedies / civil penalties applied by regulators and law enforcement

Pursuant to the Personal Data Protection (Compounding of Offences) Regulations 2016, certain data protection offenses may be "compounded" instead of being formally prosecuted, such as breach of any of the data protection principles, processing of personal data without a certificate of registration issued by the PDPD, etc.

With the consent of the Public Prosecutor, the Commissioner may make an offer to an alleged offender to compound a compoundable offense. The offer may be made any time after the offense has been committed and before any prosecution has been instituted in relation to it. The Commissioner may determine the amount to be paid by the offender which must not exceed 50% of the maximum fine for the relevant offense. Where an offense is compounded, no prosecution may be instituted against the offender in respect of that offense.

☒        criminal penalties from regulators and law enforcement

Pursuant to section 5 of the PDPA, a breach of any of the data protection principles is an offense under the PDPA and is punishable by a fine of up to RM 300,000, and/or up to 2 years imprisonment. The data protection principles are as follows:

  • General Principle
  • Notice and Choice Principle
  • Disclosure Principle
  • Security Principle
  • Retention Principle
  • Data Integrity Principle
  • Access Principle

Pursuant to section 16 of the PDPA, certain classes of data users are required to register with the PDPD, such as licensed banks, insurers, private health care institutions, licensed tour operators, direct sales businesses, private higher education institutions and certain utilities and transportation service providers. Data users who fail to do so may be liable for a fine of up to RM 500,000 and/or a term of imprisonment of up to 3 years.

Pursuant to section 129 of the PDPA, a transfer of personal data abroad that does not fall within any of the exemptions stated under the PDPA is an offense and is punishable by a fine of up to RM 300,000, and/or up to 2 years imprisonment.

*Please refer to the complete list of offences and penalties under the PDPA on the website of the PDPD (available in the Malay language only).

☒        private remedies

Individuals may file complaints with the PDPD, which may lead to investigations or audits by the data protection authority.

☒        other

Seizure of equipment or data for the purpose of investigating the commission of an offense under the PDPA.

If data subjects have private remedies, what form can these remedies take?

☒         individual personal actions

☐         representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☐         class actions

Data subjects do not have individual rights of action under the PDPA. Aggrieved data subjects can, however, bring a claim for breach of confidentiality in a civil suit.