Year in review
The year 2024 saw the Malaysian government place a strong emphasis on strengthening the country’s legal framework for the digital economy and addressing the risks posed by emerging technologies and increasing cyber threats. These efforts form part of the government’s broader aspiration to position Malaysia as a leader in the global digital economy. The technology and digital economy landscape witnessed significant legal and regulatory developments throughout 2024, many of which have carried over into 2025, with further developments expected in the years ahead.
In the data protection space, 2024 finally saw the introduction and passing of the long-awaited first amendments to the PDPA, through the Personal Data Protection (Amendment) Act 2024 (PDP Amendment Act). Accompanying this is a suite of subsidiary instruments that has since been released in phases to complement the new changes introduced, with more expected to follow. Meanwhile, the cyber security space saw the introduction and enforcement of the CSA as an overarching piece of cyber security legislation.
Data privacy developments
The long-awaited PDP Amendment Act was passed by the Malaysian Parliament and gazetted as law on 17 October 2024. The amendments had been in the works since the Malaysian Government initiated a review exercise in 2018 to update the PDPA, with the aim of aligning it with international data protection standards and addressing issues arising from new and emerging methods of using and processing personal data.
The PDP Amendment Act officially came into force in stages between 1 January 2025 and 1 June 2025. An overview of the key provisions introduced, along with their respective commencement dates, is set out below:
| Official commencement dates | Provisions/changes |
| --- | --- |
| 1 January 2025 | |
| 1 April 2025 | |
| 1 June 2025 | |
Alongside the new changes introduced by the PDP Amendment Act, a suite of subsidiary regulations has also been introduced by the Commissioner to complement the amendments. These include the following:
- the Data Breach Notification Guideline (DBN Guideline);
- the Appointment of Data Protection Officer Guideline (DPO Guideline);
- the Cross Border Personal Data Transfer Guideline (CBPDT Guideline);
- the DPO Competency Guideline (DPO Competency Guideline);
- the Management of DPO Training Provider Guideline (DPO Training Provider Guideline); and
- the DPO Professional Development Pathway and Training Roadmap (DPO Training Roadmap).
Further to the above, public consultation papers have also been issued to seek feedback on the following upcoming subsidiary regulations that are currently under development:
- the Right to Data Portability Guideline (Data Portability Guideline);
- the Data Protection Impact Assessment Guideline (DPIA Guideline);
- the Data Protection by Design Guideline (DPbD Guideline);
- the Automated Decision-Making and Profiling Guideline (ADMP Guideline);
- amendments to the Personal Data Protection Standard 2015; and
- amendments to the Personal Data Protection Regulations 2013.
At present, no definitive timeline has been set for the finalisation and issuance of these upcoming subsidiary regulations. In addition to the forthcoming guidelines, we note that there may be further new subsidiary regulations introduced, existing subsidiary regulations may be amended, and further revisions to the PDPA may be undertaken.
Aside from the legislative developments above, there have also been significant developments regarding the status of the appeal in relation to the High Court’s landmark decision in Genting Malaysia Berhad v. Personal Data Protection Commissioner & Ors [2022] 11 MLJ 898 (Genting case). In that case, the High Court ruled that the information-gathering powers of the director general of the Inland Revenue Board of Malaysia (IRB) under the Income Tax Act 1967 (ITA) do not allow the IRB to make blanket demands for personal datasets from data controllers, as such blanket requests and the resulting disclosure of personal data would amount to a breach of the safeguards provided under the PDPA.
In its landmark ruling, the High Court also laid down key principles on the permissible scope of data disclosure requests from government authorities or regulators, notably limiting such requests to those relating only to specific and/or identifiable individuals.
However, the High Court’s decision was subsequently overturned by the Court of Appeal on technical grounds, and a further application for leave to appeal to the Federal Court has been rejected.
Tabling and coming into operation of the Data Sharing Act 2025
The Malaysian government introduced the DSA, which officially came into force on 28 April 2025.
Aimed at facilitating and regulating data sharing between all government agencies in the public sector, the DSA creates a formalised process for one public sector agency to request another public sector agency to share data. Under this process, the agency receiving the request evaluates whether the purpose of the request warrants sharing of the data, whether the sharing of the data is against the public interest, and whether the requesting agency has appropriate security and technical safeguards in place.
The DSA also imposes upon both the providing and the requesting agency duties that they shall adhere to, including but not limited to taking measures to ensure the security and privacy of the data,[3] keeping records of all particulars relating to the shared data,[4] and reporting unauthorised sharing to the director general of the National Digital Department.[5]
Where a third party is engaged by a public sector agency to conduct any data migration, data integration, or data analytics work using the shared data under this Act, the DSA imposes an obligation on the third party to handle the data in compliance with the specific security requirements that will be prescribed under the Act. Failure to comply may expose the third party to potential liabilities, including a fine of up to 1 million ringgit and/or imprisonment for a term of up to five years.[6]
Cyber security developments
2024 marked a significant year for cyber security regulation in Malaysia, with the introduction of the CSA, which serves as the primary legislation governing cyber security matters in the country. The CSA aims to enhance the country’s national cyber security and strengthen the protection of NCII against cyber threats and incidents by:
- defining the authority of the chief executive of NACSA, which will act as the primary regulator for cyber security matters;
- defining the roles of NCII sector leads appointed to oversee cyber security compliance at the sector level, and the obligations of NCII entities in protecting NCIIs that are owned or operated by them; and
- regulating certain cyber security service providers (namely, penetration testing service providers and managed security operation centre monitoring service providers) through a new licensing regime.
At the sectoral regulation level, both the Securities Commission Malaysia (SC) and the Central Bank of Malaysia (BNM) have issued new guidelines, namely the Guidelines on Technology Risk Management (TRM Guidelines) and the revised Exposure Draft for Risk Management in Technology (RMiT), respectively, to enhance the technology risk management measures implemented by regulated entities in their respective sectors.