
This article is the first in a series of insights exploring data privacy regulatory developments in the Gulf Cooperation Council (GCC) and beyond. In this article, we summarise recent amendments to the Malaysian Personal Data Protection Act 2010 (MY PDPA) and consider key compliance alignment and divergences in the GCC, Malaysia and Europe.

MY PDPA – an amended (re)introduction

On 31 July 2024, the Malaysian Parliament passed the Personal Data Protection (Amendment) Bill 2024, introducing fundamental changes to the MY PDPA. The changes came into full legal force on 1 June 2025. 

As a brief (re)introduction, the MY PDPA is the primary legislation governing personal data in Malaysia. The MY PDPA addresses subject matters which will be familiar to data privacy practitioners in the GCC and beyond – including data subject rights, international data transfers and the engagement of data processors.

The MY PDPA applies to the processing of personal data in commercial transactions by:

  1. persons established in Malaysia (e.g. with a regular practice in Malaysia); and
  2. persons not established in Malaysia that use equipment in Malaysia to process personal data otherwise than for purposes of transit through Malaysia, 

save that personal data processed outside Malaysia will not be subject to the MY PDPA, unless that personal data is intended to be further processed in Malaysia.

The recent amendments to the MY PDPA significantly bolstered its robustness and introduced material compliance changes. The table below summarises (non-exhaustively) key post-amendment MY PDPA compliance considerations.

Subject matter: Data protection officer (DPO)
Pre-amendment position: No specific requirements.
Post-amendment changes: New DPO appointment requirement on data controllers and data processors.

Subject matter: Data breach notification
Pre-amendment position: Voluntary breach reporting obligation.
Post-amendment changes: New mandatory breach reporting obligation for data controllers.

Subject matter: Data subject rights
Pre-amendment position: Five (5) express data subject rights:
  • right to access personal data;
  • right to correct personal data;
  • right to withdraw consent to the processing of personal data;
  • right to prevent processing for direct marketing purposes; and
  • right to prevent processing likely to cause damage or distress.
Post-amendment changes: New data portability right for data subjects.

Subject matter: International / cross-border personal data transfers
Pre-amendment position: Outbound transfers of personal data from Malaysia are permitted if prescribed conditions under the MY PDPA are complied with (e.g. where the transfer is to a whitelisted country which the Minister considers to have substantially similar laws / offers an adequate level of protection to the MY PDPA, or the data subject has consented to the transfer etc.).
Post-amendment changes: Removal of the whitelisting regime. New mechanism introduced allows data controllers to make outbound transfers of personal data where the recipient jurisdiction's laws are substantially similar to / offer an adequate level of protection to the MY PDPA.

Subject matter: Data processor obligations
Pre-amendment position: Data processors were not directly regulated under the MY PDPA and were subject to security requirements under the MY PDPA only indirectly, through agreements with data controllers.
Post-amendment changes: Imposition of direct obligations on data processors to comply with security requirements under the MY PDPA.

Subject matter: Sensitive personal data
Pre-amendment position: Definition of "sensitive personal data" covers information relating to the health or condition of data subjects.
Post-amendment changes: New specific concept of "biometric data" as a sub-category of sensitive personal data.

Subject matter: Regulatory penalties
Pre-amendment position: Penalties of up to RM300,000 (approx. USD 70,000) and / or imprisonment of up to two (2) years for non-compliance with core provisions of the MY PDPA (i.e. the seven (7) Personal Data Protection Principles under the MY PDPA).
Post-amendment changes: Enhanced regulatory penalties of up to RM1,000,000 (approx. USD 240,000) and / or imprisonment for up to three (3) years for failure to comply with certain core provisions of the MY PDPA (i.e. the seven (7) Personal Data Protection Principles under the MY PDPA).

Alongside the amendments detailed above, the Malaysian Personal Data Protection Commissioner (Commissioner) issued guidelines earlier this year covering DPO appointments, breach notification and cross-border transfers of personal data, which provide much-welcomed clarity on the application of the new amendments to the MY PDPA.

Most recently, the Commissioner published additional DPO-related guidance in the form of a DPO Competency Guideline, DPO Professional Development Pathway & Training Roadmap and a Management of DPO Training Service Provider Guideline.

By the end of 2025, we expect to see a continued surge of activity in the Malaysia data privacy regulatory landscape through the anticipated release of:

  • an additional suite of guidance documents surrounding data protection impact assessments, data protection by design and automated decision-making and profiling; and
  • a revamped set of binding personal data protection standards,

with further amendments to the MY PDPA and related regulations potentially to follow shortly thereafter. Given these significant changes, entities processing personal data under the MY PDPA are urged to reconsider the sufficiency of their existing compliance postures and implement the appropriate compliance uplifts.

Divergence – MY PDPA vs. GCC (and wider) regulations

Recent Malaysian regulatory developments provide further demonstration of a global appetite for robust, GDPR-inspired regulation and data protection standards. While Malaysia has had substantive data privacy provisions through the MY PDPA since 2010, recent years have seen the United Arab Emirates (in particular through the free zones of the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM)), Bahrain and Oman establish their own dedicated personal data protection enactments, with the DIFC and ADGM data privacy frameworks closely resembling "GDPR-style" regulatory requirements.

Notwithstanding the GDPR-inspired "Brussels Effect", we continue to see a "tailoring" trend in multinational privacy laws – with rules drafted to reflect local expectations, compliance appetites and preferences. The effect of this trend has been (and continues to be) the introduction of practical divergences and differing regulatory obligations – including some of which entities well-adapted to GDPR standards and requirements should take careful note. Successful multinational privacy compliance increasingly requires a bespoke rather than "one-size-fits-all" approach.

Examples of practical divergence between MY PDPA and GCC/ EU laws include the following:

  • The requirement to perform data transfer impact assessments (DTIAs), which assess the safeguards personal data will receive under the importing jurisdiction's framework, before making cross-border data transfers is well established for those familiar with the GDPR and certain GCC requirements. However, the Malaysian Personal Data Protection Guidelines on Cross Border Transfers of Personal Data provide that DTIA findings for cross-border transfers under the MY PDPA are valid for three (3) years only, so DTIA findings must effectively be refreshed every three (3) years;
  • Both the ADGM Data Privacy Regulations 2021 (ADGM DPR) and the MY PDPA grant data subjects rights of access to their personal data. However, the scope of accessible information, the compliance obligations and the timelines differ. For example, the ADGM DPR requires data controllers to inform data subjects of the action taken on a request within two (2) months of receiving it; if the data controller does not action the request or needs more than two (2) months to provide information on the action taken, it must, within that same period, inform the data subject of the extension required / refusal to act, together with the reasons for the delay / inaction. By contrast, the MY PDPA generally requires data controllers to comply with data subject access requests within twenty-one (21) days of receiving the request in the first instance and, in any event, no later than fourteen (14) days thereafter. If the data controller refuses to action the request or is unable to comply within the twenty-one (21)-day period, it must inform the data subject of the refusal / inability to comply within that twenty-one (21)-day period;
  • Under Bahrain Law No. 30 of 2018 with Respect to Personal Data Protection, data controllers are required (subject to certain exemptions, including in respect of employee-related data processing and where a Data Protection Guardian (similar to a DPO) has been appointed) to notify the Bahrain Personal Data Protection Authority of most "automated processing operations" and to provide details including the categories of proposed personal data processing and affected data subjects. This obligation differs materially from the data controller registration requirement under the MY PDPA, which only requires prescribed classes of data controllers (e.g. licensed financial institutions, licensed telecommunications providers etc.) to register with the Commissioner.

Effective multinational compliance strategies across the GCC, South East Asia (SEA) and more broadly also require analysis of wider considerations, including:

  • the extraterritoriality of various data protection laws which may produce potentially far-reaching impact and trigger a wider scope of compliance requirements;
  • variable data localisation requirements (e.g. for United Arab Emirates, localisation requirements for payment processing data and health information); and
  • sector-specific requirements for organisations operating in highly-regulated sectors (e.g. banking and financial services, or telecommunications).

Next Steps

Given the above, entities (in particular those with a GCC / EU nexus) that process personal data under the MY PDPA are advised to re-assess their existing compliance processes, procedures and agreements in order to update them in line with the latest amendments, whilst at all times remaining vigilant of future regulatory changes to come.

More broadly, in light of the trend toward regulatory divergence, effective multinational privacy compliance rarely permits a "one-size-fits-all" analysis. Finding a robust, effective and defensible position – especially where an organisation would prefer, as far as possible, to adopt a uniform approach globally – requires careful consideration and balancing of evolving regulatory developments, together with a sound understanding of exposure, enforcement realities, and internal governance and risk appetites.

At Trowers & Hamlins, we combine our long-standing, on-the-ground, multi-jurisdictional presence with a wealth of data privacy expertise to deliver effective and bespoke advice, insights and assistance that best suit the needs of leading domestic and global organisations.