Malaysia – Data Protection Authorities “Steal A March” On Singapore As New Law Comes Into Force.

25 November, 2013

Malaysia’s long-awaited Personal Data Protection Act (PDPA) has come into force, almost one year after the law was originally scheduled to take effect and three years after it was finalised.

Bryan Tan of Pinsent Masons MPillay said that Malaysia had “stolen a march” on neighbouring Singapore. Singapore passed its own PDPA in October 2012, but its main regulations will not come into effect until 2 July 2014.


“The two countries’ PDPAs are different, but what it generally means for businesses is that a lot of time and effort will need to be spent on compliance,” said Tan. “Perhaps it is a blessing in disguise that both come into force almost at the same time, so companies operating in Singapore and Malaysia can coordinate their compliance in one single project.”


Malaysia’s PDPA was published in the country’s Gazette last week and came into force on 15 November. Businesses that have already collected personal data covered by the Act have been given three months to comply with its provisions.


The Act introduces a single privacy regime in Malaysia for the first time. It is based around seven data protection ‘principles’ which cover subjects including notice, security, retention and access. It will apply to any ‘data user’ who processes or has control over the processing of any personal data relating to individuals, although the Malaysian Government is exempt.


Businesses that are considered data users will have to register with Malaysia’s new Personal Data Protection Commissioner. These will include banks and financial institutions, communications service providers, insurers, transportation firms and utilities. Processing is defined widely in the Act and includes the use, dissemination, collection, recording and storing of personal data.


The PDPA generally prohibits the processing of personal data without the consent of the data subject, with stricter protections given to ‘sensitive’ personal data. Exceptions apply where the processing is necessary for the performance of a contract with the data subject, for compliance with other legal obligations, to protect the “vital interests” of the data subject and for the administration of justice and exercise of legal functions.


Data users must obtain explicit consent from data subjects before they can process any personal data, and must set out the purposes for which the personal data is being requested in a written notice “as soon as practicable” before the data is to be processed. The notice must be provided in English and the national language, and must set out the data subject’s right to request access to and correction of the data and contact details for the data user. It must also set out the ‘class’ of third parties to whom the data user may disclose that data.


The law also gives data subjects the right to access and correct data held about them, and to withdraw consent to data processing at any time. They also have the right to prevent the processing of their personal data if that processing is “causing or is likely to cause substantial damage or substantial distress”. Data subjects also have the right to bring complaints about the use of their personal data to the Personal Data Protection Commissioners.


Pinsent Masons


For further information, please contact:


Marc Dautlich, Partner, Pinsent Masons


Cerys Wyn Davies, Partner, Pinsent Masons


Bryan Tan, Partner, Pinsent Masons

