On 10 July 2024, Digital Minister, Gobind Singh Deo ("Minister") tabled the long-awaited Personal Data Protection (Amendment) Bill 2024 ("Amendment Bill"), which has been in development since 2018, for the Malaysian Parliament's approval.
The Minister aims to secure the approval for the Amendment Bill from both houses of Parliament, namely, the House of Representatives (Dewan Rakyat) and the Senate (Dewan Negara), during the current parliamentary session, which concludes in July 2024. The Amendment Bill was passed at the House of Representatives on 16 July 2024, and is currently awaiting the Senate's approval.
Key proposed changes as stipulated in the Amendment Bill are as follows:
- Replacement of the term "data users" with "data controllers";
- Recognition of biometric data as sensitive personal data;
- Increased penalties for breach of the personal data protection principles;
- Extension of the Security Principle to data processors;
- New data protection officer appointment obligation;
- New mandatory data breach notification obligation;
- New right to data portability for data subjects; and
- Removal of whitelisting regime for cross-border data transfers.
For more information about the key changes that will be introduced by the Amendment Bill, please click here for our Legal Update.
The Cyber Security Bill 2024 ("Bill"), aimed at enhancing the country's cybersecurity and strengthening the protection of the National Critical Information Infrastructure ("NCII") from cyber threats and incidents, was passed by the Malaysian Parliament in April 2024.
The Bill has since received royal assent and was gazetted as the Cyber Security Act 2024 (Act 854) ("CSA") on 26 June 2024, although it has yet to come into force, and will only take effect on a future date to be gazetted by the Malaysian Government. This is expected to occur by the third quarter of 2024.
Now that the CSA has been gazetted, businesses can expect the following to happen next:
- Publication of the Names of NCII Sector Leads
The Minister will designate one or more NCII Sector Leads for each of the identified 11 NCII Sectors, by publishing the names of the appointed NCII Sector Leads on the National Cyber Security Agency ("NACSA") website.
- Issuance of Subsidiary Regulations
The Malaysian Government and NACSA are currently developing subsidiary regulations to supplement the CSA including:
- the Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024, which will clarify the licensing requirements for cybersecurity service providers;
- the Cyber Security (Compounding of Offences) Regulations 2024, which will identify the relevant offences under the CSA which are compoundable, and other ancillary procedural requirements;
- the Cyber Security (Risk Assessment and Audit) Regulations 2024, which will clarify the requirements of cybersecurity risk assessment and audit that NCII Entities will be required to carry out under section 22 of the CSA; and
- the Cyber Security (Cyber Security Incident Notification) Regulations 2024, which will set out further details regarding the cybersecurity incident notification obligation to the Chief Executive of NACSA and NCII Sector Leads imposed on NCII Entities.
c. Preparation of Codes of Practice
Once the NCII Sector Leads for the identified 11 NCII Sectors are appointed, they will develop sector-specific codes of practice for their respective sectors that set out the minimum cybersecurity measures, standards and processes that NCII Entities must implement and comply with to protect their NCII.
All relevant businesses and stakeholders should stay abreast of developments relating to the implementation of the CSA, and initiate steps and allocate resources in preparation for compliance with the CSA.
For more information on the regulatory structure and key requirements introduced by the CSA, click here for our previous Legal Update and here for our Snapshot Deck.
Since 2023, the Ministry of Communications ("Ministry") and the Malaysian Communications and Multimedia Commission ("MCMC") have been collaborating to introduce new licensing requirements for social media platforms to enhance online safety and address the publication harmful content on these platforms.
The Ministry recently updated that the proposed licensing framework will apply to social media platforms and internet messaging services, but will not be a blanket licensing requirement. Instead, the licensing requirement will only target larger platforms or services that meet a certain threshold (e.g. platforms or services with certain number of users) in Malaysia.
Additionally, the Ministry and MCMC are finetuning further details on the implementation of the proposed licensing framework. While there is no indicative timeline for when the framework will be finalised and introduced, it is being treated as a priority and the Ministry and MCMC hope to introduce these new licensing requirements sometime this year.
Social media platforms and internet messaging services providers are advised to stay informed about developments regarding the upcoming licensing framework.
On 31 May 2024, the Malaysia Digital Economy Corporation ("MDEC"), with the support of the Ministry of Digital and the Ministry of Finance, introduced a new outcome-based tax incentive scheme ("MD Tax Incentive") for eligible Malaysia Digital Status ("MD Status") (formerly known as Multimedia Super Corridor Status ("MSC Status")) companies.
The MD Tax Incentive aims to create a more conducive environment for foreign investments in the digital economy and ecosystem in Malaysia. It offers reduced tax rates (RTR) on qualifying intellectual property (IP) and non-IP incomes, and investment tax allowances (ITA) for capital expenditures.
For more information about the qualifying criteria and the benefits offered under the MD Tax Incentive, please click here to read our Legal Update.
In addition to the other updates provided here regarding regulatory developments in Malaysia's technology, media, and telecommunications sector, the Malaysian Government has announced or provided updates on several initiatives for the sector that may take shape in the coming months.
Businesses should note the following upcoming developments in the technology, media and telecommunications regulatory landscape which may introduce new compliance requirements for businesses:
- New Omnibus Data Sharing Bill/National Data Sharing Bill
The Malaysian Government plans to introduce a new Omnibus Data Sharing Bill / National Data Sharing Bill by the end of 2024 to regulate data sharing and facilitate the use of cloud storage among government agencies in the public sector;
- New Online/Digital Safety Bill
The Malaysian Government aims to table a new Online/Digital Safety Bill for the Malaysian Parliament's approval by the end of 2024. While the Government has not announced the specifics that will be addressed in the Bill, it is reported that it may include provisions to facilitate and regulate information requests from regulatory authorities regarding online security issues;
- Malaysia's Participation in the Asia-Pacific Economic Cooperation's ("APEC") Cross-Border Privacy Rules
The Personal Data Protection Department ("JPDP" or Jabatan Perlindungan Data Peribadi) recently announced its intention to participate in APEC's Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) System. The system will enable certified businesses to perform cross-border data transfers within participating APEC economies without complying with additional requirements. No definitive timeline has been specified by JPDP regarding Malaysia's official induction into the system as a participating APEC economy;
- New Malaysian Media Council Bill
The Malaysian Government aims to table the proposed Media Council Bill for Parliament’s approval by the end of 2024. This Bill will promote self-regulation of media practitioners through the establishment of an independent media council that will be responsible for developing and enforcing codes of conduct for media practitioners; and
- New Cyberbullying Law
The Digital Minister, Gobind Singh Deo, recently proposed the development of a new law to impose responsibilities on social media platform providers or owners for the misuse of these platforms, resulting in, among others, cyberbullying by users. Currently, no further details have been provided although the Law Minister, Azalina Othman Said, has recently mentioned that the Malaysian Government will consider proposals to define "cyberbullying" and make it a crime under the Penal Code.
The Companies Act 2016 ("CA") was amended on 1 April 2024 to close the gaps in the previous Beneficial Ownership ("BO") reporting framework.
The definition of a "beneficial owner" in the context of a company now means "a natural person who ultimately owns or controls a company and includes a person who exercises ultimate effective control over a company", in sync with Bank Negara Malaysia's Guidance on Beneficial Ownership.
In the Companies Commission of Malaysia's ("SSM") Guidelines for the Reporting Framework for Beneficial Ownership of Companies issued at the same time as the CA amendment, "ultimate effective control" arises where an individual holds less than 20% shares or voting rights, but still exercises significant control or influence over the directors or management of the company, whether formally or informally. Thus, an individual who is not a member, director or officer in a company can also be construed as a BO.
A Malaysian incorporated company or a foreign company that is registered with SSM as a branch of a foreign company ("Subject Company") must issue a written notice to its members to inquire whether the member is a BO of the Subject Company, or if not, to indicate, so far as possible, the person(s) who is the BO. SSM initially required Subject Companies to lodge the determined BO information on or before 30 June 2024, but this deadline has been extended to 30 September 2024 by SSM's Practice Directive No. 9/2024.
The CA also closes the gap by imposing a duty on a person who is a BO to notify the Subject Company as soon as practicable accordingly, in addition to his duties to notify the Subject Company of changes in his BO information, including his cessation.
Malaysian public listed companies and foreign public listed companies should note that the exemption from the BO reporting framework which previously applied to them pre-1 April 2024 has now ceased to apply.
In 2021, the High Court ("HC") delivered a landmark decision in the case of Genting Malaysia Berhad v Pesuruhjaya Perlindungan Data Peribadi & Ors [2022] 11 MLJ 898 ("Genting"). The case involves a judicial review application by Genting Malaysia Berhad ("GMB") against the Director General of Inland Revenue (DGIR) in respect of the latter's request to access GMB’s database containing personal data of all its loyalty programme members.
The HC ruled in favour of GMB and held that regulatory authorities, such as the Inland Revenue Board ("IRB"), do not have the power to request bulk disclosure of personal data due to the safeguards provided under the Personal Data Protection Act 2010 (PDPA).
The HC also established specific principles governing data disclosure requests made by enforcement and regulatory authorities. For more information about the principles expounded by the HC, please click here to read our Legal Update on the HC's decision.
In April 2024, the Court of Appeal ("COA") overruled the HC's decision on procedural grounds. While the COA is yet to release its full grounds of judgment, IRB has indicated that the COA ruled that GMB was time-barred from initiating the action in the first place due to non-compliance with the timeframe for filing judicial review applications under the Rules of Court 2012.
GMB has since filed an appeal to the Federal Court ("FC") against the COA's decision, and the matter is currently pending before the FC.
This is one of the few cases that reached the Court for reinstatement of a patent application which was refused due to non-compliance of a deadline. While the Court ultimately ruled in favour of the applicant, it serves as reminder that the deadlines prescribed by law are strict and failing to adhere to them may have dire consequences.
Sage Therapeutics filed a patent application in January 2018. In March 2022, the Registrar issued an adverse report with substantive requirements to be addressed by June 2022. No response was filed by the deadline. Some eight months later, the patent agent discovered the report and requested an extension and reinstatement of the patent application, citing human error. The agent had followed up with the patent office in July 2022 but received no response. It is pertinent to note that the Patents Act 1983 ("PA") and its regulations were substantially amended in 2022.
In June 2023, the Registrar issued a notice of refusal due to the lack of response to the adverse report. The Plaintiff requested an oral hearing, which took place, and in December 2023, the Registrar upheld the refusal. The Plaintiff then filed an action in the High Court to reinstate the patent application and allow the extension, arguing that the unamended Regulation 53 of the Patent Regulations 1986 ("PR") (which pertains to a request for an extension of time under a general provision), which had no time limit, should apply.
The Registrar maintained that the amended Regulation 53 of the PR, which imposes a six-month deadline for extensions, was applicable. As the extension request was filed beyond this deadline, the Registrar claimed it no longer had the authority to grant it.
The Judicial Commissioner rejected both parties' arguments, interpreting section 30(4) of the PA (a specific provision that addresses extension of time to respond to an adverse report), which was not amended in 2022. This section allows for a one-time extension without a specified deadline or limit on the duration. Given the lack of prejudice to the Registrar, the High Court ruled in favour of the Plaintiff, allowing the reinstatement and extension of the patent application.
