Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020


Screenshot 2020-11-19 at 1.19.38 PM

Screenshot 2020-11-19 at 12.17.54 PM


DFDL’s William Greenlee sets out the data protection regulatory framework in Malaysia and its recent developments.



During these daunting days of widespread economic disruption and global pandemic, many governments are striving to strike a balance between promoting a vibrant local business environment, ensuring adequate cyber-security, and protecting people’s personal data. This article sets out the data protection regulatory framework in Malaysia and its recent developments.

Overview of the regulatory framework

The Malaysia Personal Data Protection Act 2010 (“Malaysia PDPA”) is the principal legislation regulating personal data in Malaysia. Subject to prescribed exceptions, the Malaysia PDPA applies to any person who processes, has control over, or authorises the processing of any personal data in respect of commercial transactions1. Any information processed for credit reporting activities are carved out and separately regulated under the Malaysian Credit Reporting Agencies Act 2010.

Screenshot 2020-11-19 at 2.21.37 PM

Categories of Protected Data

The Malaysia PDPA regulates two categories of data.

  1. Personal data is information which relates directly or indirectly to an individual, who is identifiable from that information or from that and other information in the data user’s possession. For personal data (not including sensitive personal data), explicit consent is not required if such consent obtained from the individual can be recorded and maintained by the data user.
  2. Sensitive personal data is regulated more closely and is currently limited to personal data relating to a data subject’s health, political views, religious beliefs, criminal record, or alleged commission of any offence. The processing of sensitive personal data requires data subjects’ explicit consent.

Processing Principles

The Malaysia PDPA regulates the processing of personal data by requiring a data user to comply with seven principles (“Processing Principles”).

  1. General Principle: Unless any exceptions under the Malaysia PDPA apply, a data user cannot process personal data without obtaining the subjects’ consent.
  2. Notice and Choice Principle: The Malaysia PDPA prescribes eight mandatory matters which the data user must inform a data subject by a written notice. Such a notice must be given in English and the local language.
  3. Disclosure Principle: A data user must limit disclosure of the personal data to the purpose which the data subject had been informed of at the time of collection and for which the data subject had consented.
  4. Security Principle: Practical steps must be taken by a data user to safeguard the personal data from any loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction.
  5. Retention Principle: A data user must not retain personal data for longer than is necessary to fulfil the purpose for which it was collected.
  6. Data Integrity Principle: A data user must take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date.
  7. Access Principle: The data subject has the right to access his or her personal data and to correct such data held by the data user where it is inaccurate, incomplete, misleading, or not updated.

Failure to adhere to any of the Processing Principles is an offence under the Malaysia PDPA, and can result in penalties of approximately US$24,000 to 120,000 and a term of up to three years imprisonment.

Screenshot 2020-11-19 at 2.22.24 PM

Cross-Border Transfer

Transfer of personal data outside Malaysia is prohibited unless the transfer is made to a jurisdiction approved by the Minister2 or where any specific exceptions prescribed under the Malaysia PDPA applies. The Commissioner published a consultation paper in 2017 seeking the public’s feedback on the draft whitelist of countries to which personal data may be transferred from Malaysia without having to rely on the exceptions. As of June 2020, the whitelist had yet to be approved.

Recent Developments

The Processing Principles are akin to those in the 1995 EU Data Protection Directives. The regulator’s focus in the nascent years of the Malaysia PDPA has been on fostering awareness among businesses. The shift to enforcement actions have only recently begun. The Commission has been conducting inspections in the form of “audits” at business premises to assess levels of compliance.

A consultation paper was published in February 2020 to seek public’s feedback (“Paper”) on possible amendments to the PDPA.3  The Paper took the laws of various jurisdictions into consideration including the Philippines, Singapore, Japan, and the EU.

Considering the fast-paced development of technology in recent years, the review of this legislation is a commendable effort. The proposals in the Paper, if passed, will completely change how businesses in Malaysia handle data, as they envisage a data protection standard that is much higher than the country’s current existing regime.



  1. Personal Data Protection Act 2010, § 2.
  2. Personal Data Protection Act 2010, § 129.
  3. The Public Consultation Paper No. 01/2010 can be accessed on the official portal of the Department of Personal Data Protection at:



Screenshot 2020-11-19 at 1.24.58 PM




Official Publication: Asian-mena CounselClick Here to read the full issue of Asian-mena Counsel: Data + Cyber Security Special Report 2020.


Related Articles by Firm
Data Privacy in Myanmar
This article by William Greenlee of DFDL sets out the data protection regulatory framework in Myanmar and its recent developments, and concludes with some reflections on the current significant shifts in global data protection standards ...
Related Articles
Related Articles by Jurisdiction
Q&A with Malaysian law firm Putri Norlisa Chair
PNC Law commenced operations on October 1, 2015. We have a very nimble and niche setup, built on our core practice areas in Banking and Finance, Corporate-Commercial ...
Introducing the tort of sexual harassment
The Malaysian Federal Court in the case of Mohd Ridzwan bin Abdul Razak v Asmah binti Hj Mohd Nor recently delivered a landmark judgment ...
Latest Articles