Last review date: 31 December 2024
We generally anticipate that the PDPD will prioritize the enforcement of the PDPA to ensure the security and protection of personal data in light of the increasing number of data leakage cases. The PDPD will likely also continue to carry out its usual inspections on the premises of data controllers to ensure compliance with the PDPA. More generally, we also anticipate that the PDPD will be busy supporting the coming into force of the Personal Data Protection (Amendment) Act 2024, for example by issuing guidelines and educating the public on it.
The grace period for cyber security service providers to provide services without a license ended on 31 December 2024. We anticipate NACSA may start enforcing the licensing requirement. NACSA will also be working with the appointed national critical information infrastructure (NCII) sector leads to designate NCII entities and develop sector-specific codes of practice under the CSA.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Rare
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
Pursuant to the Personal Data Protection (Compounding of Offences) Regulations 2016 and the Cyber Security (Compounding of Offences) Regulations 2024, certain data protection offenses may be "compounded" instead of being formally prosecuted. Examples include breach of any of the data protection principles, processing of personal data without a certificate of registration issued by PDPD, failing to conduct a cyber security risk assessment in respect of the national critical information infrastructure, etc.
With the consent of the Public Prosecutor, the Commissioner or the NACSA Chief Executive may make an offer to an alleged offender to compound a compoundable offense. The offer may be made any time after the offense has been committed and before any prosecution has been instituted in relation to it. The Commissioner may determine the amount to be paid by the offender which must not exceed 50% of the maximum fine for the relevant offense. Where an offense is compounded, no prosecution may be instituted against the offender in respect of that offense.
☒ criminal penalties from regulators and law enforcement
Contravention of the provisions under the PDPA may amount to an offense, which may attract criminal penalties with a fine of up to MYR 500,000 and/or up to three years’ imprisonment.
In particular, effective 1 April 2025, non-compliance with any of the personal data protection principles under the PDPA may be punishable by higher penalties, i.e., a fine of up to MYR 1,000,000 and/or up to three years’ imprisonment. The personal data protection principles are as follows:
Contravention of the provisions under the CSA may amount to an offense, which may attract criminal penalties with a fine of up to MYR 500,000 and/or up to ten years’ imprisonment.
☒ private remedies
Individuals may file complaints with the PDPD and report a cyber security incident to NACSA, which may lead to data authority investigations/audits.
☒ other
Seizure of equipment or data for the purposes of investigating the commission of an offense under the PDPA or the CSA.
☒ individual personal actions
The data subjects do not have express individual rights under the PDPA to bring a claim. The aggrieved data subjects may, however, bring a claim on other grounds such as breach of confidentiality in a civil suit.