In brief

  • New privacy legislation will affect storage of employment and payroll data, and all outsourcing in Malaysia.
  • Significantly, the new Act includes potential imprisonment for breach.  

The Personal Data Protection Bill was passed by the lower house of the Malaysian Parliament on 5 April 2010 and then passed unamended by the upper house on 6 May 2010. Following Royal Assent and gazetting, the Personal Data Protection Act 2010 (the Act) will take effect.


The Act has a long and complex history, with a Bill having been initially drafted in 2001, but not tabled in Parliament until some 8 years later.

Key provisions

The Act applies to all private sector data collection and processing which occurs in Malaysia in a commercial context. This includes the collection and processing of employee and payroll data, but clearly also covers data collected from customers and business partners.

The Malaysian provisions broadly follow the European Union approach to the protection of personal data, although some of the more bureaucratic elements of the EU Directive have been excluded.

In simple terms, the Act sets out requirements for the collection, storage, use and transmission of personal data, and allows a data subject to inspect personal data under a defined set of conditions and to require correction of erroneous records. On a cautionary note, the Act provides for penalties, including imprisonment, for breaches of the Act. There has been scholarly criticism of the system of enforcement, with the suggestion that the rules as currently drafted may be unworkable.

Press reports suggest that the office of the Privacy Commissioner will come into operation in the first quarter of 2011, so more practical guidance on the full implications of the new legislation should start to flow during the course of next year. The Act describes a 3-month ‘grace period’, which gives businesses some latitude to rectify any problems that may surface in the initial stages of the new regime.

Implications for employers

The introduction of this Act will have a significant impact on practices relating to the collection, use, storage and transmission of employee data. This will apply to employers with operations in Malaysia, as well as those that have engaged Malaysia’s cost-effective outsourced service offerings for processing employee data and payroll.

The new rules may potentially ease restrictions on inbound data from the EU and other jurisdictions with developed data privacy regimes and assist data processors providing services on an outsourced basis, although the new requirements may drive up the cost of operations.

Users of outsourced data processing services in Malaysia should ensure that their contractual arrangements clearly attribute responsibility for compliance with the new law. Furthermore, employers with operations on the ground in Malaysia may need to amend their business processes for data collection and use and upgrade their IT security standards to bring them into compliance with the new law.