Breaches of data protection
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Breaches of data protection law can lead to administrative sanctions and criminal penalties.
Depending on the nature of the offence, contravening the PDPA may lead to a fine of between 100,000 ringgit and 500,000 ringgit, imprisonment of one to three years, or both, although certain offences are compoundable, which may allow reduced penalties.
Breach of the PDPA may result in an inquiry or investigation by the Commissioner (either on its own initiative or based on a complaint received). If, following the investigation, the Commissioner decides that the PDPA has been contravened, the Commissioner may serve an enforcement notice, specifying, inter alia, the breach, the steps required to be taken to remedy the breach within a certain period and directing, if necessary, the relevant data user to cease processing the personal data. Fines of up to 200,000 ringgit or two years’ imprisonment or both are possible for failure to comply with the Commissioner’s enforcement notice.
Generally, a breach of any of the seven data protection principles may incur a fine of up to 300,000 ringgit or two years’ imprisonment or both.
The Commissioner may also revoke the registration of a data user in certain circumstances, for example, if the data user has failed to comply with the provisions of the PDPA or with any conditions imposed as part of the registration.
If a business commits an offence, its directors, chief executive officers, chief operating officers and other similar officers may be charged severally or jointly for non-compliance by the business, subject to certain limited defences.
Notification of data breach
Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?
The PDPA does not currently provide for this, but the authorities issued a public consultation paper entitled ‘The Implementation of Data Breach Notification’ that seeks to introduce a data breach notification regime under which data users will be required to notify regulators and affected individuals in the event of a data breach. The consultation paper sets out, among other things, the requirement to notify the Commissioner within 72 hours of becoming aware of the data breach incident and to provide details about the data at risk, actions that have been taken or will be taken to mitigate the risks to the data, details of notifications to affected individuals and details of the organisation’s training programmes on data protection. However, the consultation paper has yet to be gazetted as law.