At present, Malaysia does not have any comprehensive data protection law in force. In the absence of an overarching protection of personal information, obligations of secrecy have been imposed in a piecemeal manner by statute or industry codes in specific circumstances. Confidentiality of information is usually protected using contractual obligations or the common law of confidence.

However, this situation will soon change. Malaysia's first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 ("PDPA"), has been passed by the Malaysian Parliament. However, at the time of writing, no date has been set for the PDPA to come into force.


"Personal data" means any information in respect of commercial transactions, which:

  • is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
  • is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.


"Sensitive personal data" means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister of Information, Communications and Culture ("Minister") may determine by order published in the Gazette.


Currently, there is no centralised data protection authority in Malaysia.

Pursuant to the PDPA, a Personal Data Protection Commissioner ("Commissioner") will be appointed to implement the PDPA's provisions. The Commissioner will be advised by a Personal Data Protection Advisory Committee. Decisions of the Commissioner can be appealed against through the Personal Data Protection Appeal Tribunal.


Currently, there is no centralised data protection authority in Malaysia.

When the PDPA comes into operation, the Minister may specify a class of data users who shall be required to be registered as data users.


Currently, there is no requirement for data users to appoint a data protection officer in Malaysia. There is also no such requirement under the PDPA.


Currently, there are no specific legislative requirements for the collection and processing of personal data in Malaysia.

Under the PDPA, subject to certain exceptions, data users are generally required to obtain the consent of data subjects for the processing (which includes collection and disclosure) of their personal data. There are also other obligations imposed on the data user in relation to the processing of personal data, including, for example, requirements to notify the data subjects regarding the purpose for which their personal data are collected.


Currently, there are no specific legislative requirements for the transfer of personal data in Malaysia.

Under the PDPA, a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister.

However, there are exceptions to this restriction, such as where:

  • the data subject has given his consent to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the data user;
  • the data user has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner which, if that place were Malaysia, would contravene the PDPA; and
  • the transfer is necessary to protect the data subject's vital interests.


Currently, there are no specific legislative requirements for the imposition of security measures for the protection of personal data in Malaysia.

Under the PDPA, data users have an obligation to take "practical" steps to protect personal data.


Currently, there are no specific legislative requirements for data users to notify authorities regarding data protection breaches in Malaysia.

The PDPA is also silent on this issue.


Currently, there are no specific legislative provisions for the enforcement of personal data protection in Malaysia.

Under the PDPA, the Commissioner is empowered to implement and enforce the personal data protection laws and to monitor and supervise compliance with the provisions of the PDPA.

Violation of the PDPA attracts criminal liability. The prescribed penalties include the imposition of fines or a term of imprisonment or both. Directors, CEOs, managers or other similar officers will have joint and several liability for non-compliance by the body corporate, subject to a due diligence defence.

However, there is no express right under the PDPA allowing aggrieved data subjects to pursue a civil claim against data users for breaches of the PDPA.


The PDPA applies to electronic marketing activities that involve the processing of personal data for the purposes of commercial transactions. There are no specific provisions in the PDPA that deal with electronic marketing. However, the PDPA provides that a data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his personal data for purposes of direct marketing. "Direct marketing" means the communication by whatever means of any advertising or marketing material which is directed to particular individuals.


There are no provisions in the PDPA that specifically address the issue of online privacy (including cookies and location data). However, when the PDPA comes into force, any electronic processing of personal data in Malaysia will be subject to the PDPA and the Commissioner may issue further guidance on this issue.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to