Malaysia has issued a public consultation paper Personal Data Protection (Transfer Of Personal Data To Places Outside Malaysia) Order 2017, including a draft initial “whitelist” of jurisdictions deemed adequate for overseas data transfers. The consultation closes on 4 May 2017.

The draft whitelist, if passed, will be the first of its kind in the region, and may serve as the blueprint of similar whitelists for neighbouring jurisdictions whose laws anticipate a whitelist (although the test for adequacy varies between the data protection laws across Asia). While the draft whitelist reflects the jurisdictions in the EU adequacy list, it is by contrast notably longer and contains a much more diverse range of jurisdictions, including some with very new data protection regimes.

The proposed whitelist in the draft is as follows:

  1. European Economic Area (EEA) member countries
  2. United Kingdom
  3. The United States of America
  4. Canada
  5. Switzerland
  6. New Zealand
  7. Argentina
  8. Uruguay
  9. Andorra
  10. Faeroe Islands
  11. Guernsey
  12. Israel
  13. Isle of Man
  14. Jersey
  15. Australia
  16. Japan
  17. Korea
  18. China
  19. Hong Kong
  20. Taiwan
  21. Singapore
  22. The Philippines
  23. Dubai International Financial Centre (DIFC)