As a result of its data protection efforts, Malaysia became a member of the Asia Pacific Economic Cooperation's Cross-border Privacy Enforcement Arrangement in 2023, and subsequent planned amendments to the Personal Data Protection Act 2010 mark another critical step forward in strengthening the country's strategic positioning as an international business center.
Designed to act on promises of improvement, to enhance and accelerate trust domestically, and to support foreign investors, the proposed changes will indisputably bring Malaysia even closer to global standards and to the recognition it seeks among its regional peers in the Association of Southeast Asian Nations — such as Indonesia, the Philippines, Singapore, Thailand or Vietnam — that have worked on changes to personal data protection laws in recent years.
An Act to amend the Personal Data Protection Act 2010, which introduces significant amendments to the PDPA 2010, passed Malaysia's Senate 31 July, marking a significant development in the country's personal data protection landscape.
The amendments are expected to be fully enacted by late 2024 or early 2025, following the final stages of legislative approval and Royal Assent.
The revisions aim to address growing data privacy and security concerns, especially in the context of digitalized and global business models requiring high-volume and legally efficient international data transfers.
Background and expected next steps
The PDPA 2010 was Malaysia's first comprehensive legislation on personal data protection, designed to regulate the processing of personal data in commercial transactions and safeguard the privacy rights of individuals. It entered into force in November 2013.
As data-driven and global business models have evolved and the volume of international data flows has increased, the PDPA 2010 was criticized for being outdated and insufficient in addressing data protection challenges, and the need for a comprehensive reform became increasingly evident.
Key amendments
The PDPA amendments introduce several significant changes while strengthening the protection of personal data with adequacy and equivalence to international standards in mind.
Mandatory breach notification. One of the most anticipated changes is the introduction of a mandatory data breach notification requirement. Under the amended PDPA, organizations will be obligated to report data breaches to the Personal Data Protection Commissioner within 72 hours of becoming aware of the breach.
This fully aligns Malaysia's regulations with international standards such as the EU's General Data Protection Regulation.
Data processor accountability. The amendments would expand the PDPA's scope by imposing direct obligations on data processors, not just data controllers. Data processors, who process personal data on behalf of data controllers, would be held fully accountable for their data handling practices and data security.
This change aims to enhance the overall data governance framework by ensuring all entities involved in the processing of personal data adhere to stringent data protection standards.
Appointment of data protection officer. To further underpin the accountability principle, the PDPA amendments create an obligation for data controllers and data processors to appoint at least one DPO.
The requirement aligns Malaysia's standards with the EU regime under which controllers and processors need to have a dedicated role within their organizations that is intended to support privacy culture and facilitate implementation of new privacy requirements through raising awareness and monitoring compliance.
Controllers and processors will need to notify the Data Protection Commissioner of DPO appointments.
Strengthened enforcement powers. Enhanced enforcement powers bring particularly important changes, including the ability to impose higher fines and penalties — including imprisonment — for non-compliance. Seen as an important cornerstone of the accountability principle and aiming to deter PDPA violations, fines for breaches are being increased to MYR1 million, while the maximum imprisonment term is being extended up to three years.
Additionally, the PDPC is now empowered to conduct proactive audits of organizations to ensure PDPA compliance.
New data categories. The amendments address the increased use of biometric data, which was previously excluded from the definition of personal data. Biometric data is defined as "personal data resulting from technical processing relating to the physical, physiological or behavioral characteristics of a person" and it is categorized as sensitive personal data.
Data of deceased persons is excluded from the amendments and placed expressly outside the PDPA's application.
Increase in data subject rights. The amended PDPA grants data subjects a right to portability, subject to "technical feasibility and compatibility of the data format."
Enhanced cross-border data transfer rules. The revisions introduce stricter controls on the transfer of personal data outside Malaysia.
While the PDPA permits international transfers if the receiving country has adequate data protection laws (whitelisted countries) or under circumstances of public interest, the amendments would require data controllers to undertake a more rigorous assessment of the receiving country's data protection framework to ensure adequate safeguards.
Existing means of enabling cross-border data transfers — data subject consent, for example — will remain unchanged.
Expected impact
The revised PDPA's focus on international data transfers is particularly noteworthy.
By introducing stricter cross-border transfer requirements, Malaysia is positioning itself as a jurisdiction that upholds international privacy standards. The enhanced regulatory framework is expected to boost the confidence of international businesses operating in Malaysia and provide clearer guidelines and stronger protections.
With these measures in place, and subject to additional work needed in the area of accessibility of personal data by government authorities and related effective legal remedies, foreign companies may find Malaysia a more attractive destination for data-related operations, including data centers and regional operational hubs.
The stricter international data transfer controls are also expected to offer better protection for Malaysian consumers, ensuring their data is handled with care regardless of where it is processed. This could lead progressively to an overall increase in consumer trust and confidence in digital services.
Finally, by adopting GDPR-like standards, Malaysia may enhance its prospects of being recognized as an adequate jurisdiction by the EU. Such recognition, if granted under the standard EU conditions, would allow for the free flow of personal data between Malaysia and the EU without additional safeguards, significantly easing compliance burdens for businesses already engaged in or seriously considering international data exchanges.
Implementation of these amendments is anticipated to significantly impact Malaysia's data protection regime, improving transparency and accountability among businesses as well as Malaysia's global data protection ranking, and potentially leading to a further increase in foreign investment in the country.
The proposed changes also present challenges, however, particularly for small and medium-sized enterprises that may struggle to comply with the more stringent requirements. To mitigate these challenges, the government may need to enhance support through guidelines, FAQs and resources to help businesses adapt.
The PDPA amendments mark a critical step forward in strengthening data protection in Malaysia. By aligning with international standards and addressing the complexities of modern data processing, the country is poised to enhance its digital economy while safeguarding the privacy rights of its citizens.
The full impact of these changes will unfold as the revised PDPA is implemented, with the potential for promising benefits both domestically and internationally.
Pavla Jonette, CIPP/E, is privacy specialist and senior project lead, compliance transformation, at CACEIS Bank. This article does not constitute legal advice.