The Personal Data Protection Department (“JPDP” or Jabatan Perlindungan Data Peribadi) has issued a public consultation paper inviting feedback on the proposed amendments to the Personal Data Protection Regulations 2013 (“PDP Regulations“). The PDP Regulations are a key piece of subsidiary legislation under the Personal Data Protection Act 2010 (“PDPA“) that clarifies and elaborates on the specific compliance measures required to fulfil the obligations under the seven Personal Data Protection Principles (“PDP Principles“) set out in the PDPA.
Following the recent legislative changes introduced by the Personal Data Protection (Amendment) Act 2024 (“Amendment Act“), the proposed amendments to the PDP Regulations are intended to enhance the guidance provided in the PDP Regulations, support the implementation of the changes introduced by the Amendment Act, and ensure alignment with the updated provisions of the amended PDPA.
Key proposed amendments outlined in the public consultation paper include the following:
- Standardisation of terminology used: For example, the paper defines notices issued under the Notice and Choice Principle as “personal data protection notices”, and replaces references to “data users” with “data controllers” in line with the changes introduced by the Amendment Act;
- Introduction of new terminology/concepts: For instance, the paper has proposed definitions for new terms such as “business contact information”;
- Expanded guidance on compliance with PDP Principles: This includes proposed clearer guidance on valid methods of obtaining consent from data subjects under the General Principle, as well as proposals for minimum contractual clauses that must be included in agreements with data processors;
- Extension of penalty provisions to data processors: Specifically, the paper extends penalties for non-compliance with the requirements under the PDP Regulations relating to the Security Principle to data processors. This aligns with the changes introduced by the Amendment Act, which impose a direct obligation on data processors to comply with the Security Principle; and
- Expansion of inspection powers: The paper enhances the powers of the Commissioner and inspection officers to carry out more robust audits and inspections of personal data protection systems.
Businesses should take note that the proposed amendments introduced by the public consultation paper will undoubtedly impact the existing personal data protection compliance framework of organisations once they are finalised, as the PDP Regulations serve as the primary subsidiary instrument clarifying the compliance measures required by the PDP Principles under the PDPA. Accordingly, we strongly encourage organisations to review the public consultation paper and provide feedback, particularly regarding any concerns about the practicability or potential challenges that may be faced in implementing the proposed amendments. Additionally, if further clarification is needed on specific aspects addressed in the public consultation paper, organisations should also highlight these issues as part of their feedback.
The consultation period is open until 8 September 2025, and the online feedback form is accessible here.
This Alert is issued by the Contact Partners from the Technology, Media & Telecommunications, Data Privacy & Protection Practice Group whose contact details are set out on the right column of this page.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
