Data Protection

Malaysia’s data protection and privacy regime is anchored by the Personal Data Protection Act 2010 (“PDPA”), its subsidiary legislation, regulations, guidelines, and sectoral Codes of Practice (“COPs”). The PDPA:

• applies to persons processing personal data in commercial transactions, including foreign data controllers using equipment located in Malaysia to process personal data;
• is enforced by the Malaysian Personal Data Protection Commissioner (“Commissioner”);
• was recently amended vide the Personal Data Protection (Amendment) Act 2024, with provisions coming into effect in stages across 2025;
• imposes obligations regarding collection, use, disclosure, and security of personal data; and
• has introduced new obligations such as appointment of Data Protection Officers (“DPOs”), and mandatory data breach notifications (“DBNs”).

Cybersecurity

Cybersecurity is mainly governed by the Cyber Security Act 2024 (“CSA”), the Computer Crimes Act 1997 (“CCA”), the Communications and Multimedia Act 1998 (“CMA”), and their subsidiary regulations, guidelines, and sectoral COPs (for the CSA).

The CSA:

• applies to National Critical Information Infrastructure (“NCII”) sectors (e.g., banking, transport, defence, ICT, utilities) and NCII entities (“NCIIEs”);
• applies extraterritorially if an offence affects NCII;
• is overseen by the National Cyber Security Committee (“NCSC”); while the National Cyber Security Agency (“NACSA”) regulates and enforces compliance, and empowers NCII Sector Leads (“NSLs”) to issue COPs and oversee sectoral-level compliance;
• grants the Chief Executive of NACSA (“Chief Executive”) significant powers, including establishing the National Cyber Coordination and Command Centre System (“NC4”), issuing directives, gathering information, appointing cybersecurity experts, approving COPs, and managing the licensing of cybersecurity service providers (“CSPs”); and
• mandates licensing for CSPs providing certain services (e.g., managed security operation centre monitoring, penetration testing), annual risk assessments, biennial audits, mandatory incident reporting, and penalties including fines and/or imprisonment.

The CCA:

• applies extraterritorially if the offence involves a computer, program or data located in or accessible from Malaysia;
• prohibits unauthorised access to computer programs or data (including to facilitate fraud or dishonesty); unauthorised modification of data or impairment of computer operations; and wrongful communication of access credentials, among others; and
• is enforced by the Royal Malaysian Police.

The CMA:

• regulates the communications and multimedia industries;
• is enforced by the Malaysian Communications and Multimedia Commission (“MCMC”);
• empowers the MCMC to direct individuals and service providers to implement measures against “network security risks”; and
• creates specific offences including unauthorised use of network devices; fraudulent or improper use of network facilities; unlawful interception and disclosure; damage to network infrastructure; and fraud involving access devices.

Data Protection

From 1 June 2025, certain PDPA amendments will take effect, introducing mandatory appointment of DPOs for certain processing activities, mandatory DBNs, and data portability rights. The Commissioner announced in January 2025 that guidelines on data protection impact assessments (“DPIAs”), data protection by design, automated decision-making/profiling (“ADMP”) and an updated version of the Personal Data Protection Standard 2015 (“PDPS”) are anticipated for release in 2025.

Cybersecurity

Additional cybersecurity regulations and guidelines are anticipated under the CSA, such as COPs for NCIIEs, and enforcement guidelines to strengthen risk assessment, audit, licensing, and incident‑reporting obligations.

The Data Sharing Act 2025 (“DSA”) (which was gazetted on 20 February 2025 but will only come into force on a date to be determined by the Malaysian Digital Minister (“Digital Minister”)), aims to regulate structured data exchange among government agencies while enforcing strict privacy and cybersecurity measures.

The CMA was amended in February 2025. Certain amendments on preservation of communications data and restrictions on unsolicited commercial electronic messages will only come into force on a date to be determined by the Malaysian Communications Minister (“Communications Minister”).

Data Protection

The PDPA requires 13 classes of data controllers to register with the Commissioner. These classes include the communications, banking and finance, insurance, health, tourism and hospitality, transportation, education, direct selling, services, real estate, utilities, pawnbroking, and moneylending sectors.

Applicants must pay prescribed fees, submit required documents, and obtain a registration certificate from the Commissioner. Processing personal data without registration constitutes an offence, punishable by fines up to RM500,000 and/or imprisonment up to 3 years. Registration is revocable for PDPA noncompliance.

Registration exemptions apply to data controllers who fall outside the prescribed classes. Please refer to Q8 for further information on general exemptions.

Cybersecurity

Under the CSA, CSPs must secure a licence from the Chief Executive, meeting eligibility criteria, and have no criminal record related to fraud, dishonesty, or moral misconduct. Unlicensed provision/advertising of prescribed cybersecurity services is an offence, with fines up to RM500,000 and/or 10 years’ imprisonment on conviction.

CSPs are exempted from licensing if they are government entities, an individual serving related companies, or provide cybersecurity services in respect of computer systems located outside Malaysia.

Under the CMA, providers of network facilities, network or application services, or content applications services must hold an individual or class licence (subject to limited exemptions and ministerial dispensations). Unlicensed operations may incur fines up to RM1,000,000 and/or 10 years’ imprisonment and potential deregistration.

Key definitions under the PDPA are as follows:

• Biometric data: “any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person”;
• Commercial transactions: “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010”;
• Data controller (“Controller”): “a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor”;
• Data processor (“Processor”): “any person, other than an employee of the data controller, who processes the personal data solely on behalf of the data controller, and does not process the personal data for any of his own purposes”;
• Data subject (“Subject”): “an individual who is the subject of the personal data and shall not include a deceased individual”;
• Personal data: “any information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010”;
• Personal data breach: “any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data”;
• Processing: “collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including: (a) the organization, adaptation or alteration of personal data; (b) the retrieval, consultation or use of personal data; (c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (d) the alignment, combination, correction, erasure or destruction of personal data”; and
• Sensitive personal data (“SPD”): “any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, biometric data, or any other personal data as the Minister may determine by order published in the Gazette”.

The PDPA outlines 7 Personal Data Protection Principles (“PDP Principles”) applicable to personal data processing:

General Principle

Controllers must process personal data only with the Subject’s consent, for lawful purposes necessary for and directly related to the Controller’s activities, and without collecting excessive information.

However, consent is not required if processing is necessary for:

• performance of a contract to which the Subject is a party;
• taking steps at the request of the Subject with a view to enter into a contract;
• Controller’s compliance with legal obligations (non-contractual);
• protection of the Subject’s vital interests;
• administration of justice; or
• exercise of functions conferred by/under law.

Please refer to Q7 for SPD processing consent requirements.

Notice and Choice Principle

Controllers must issue a written personal data protection notice (“PDP Notice”) (in both Bahasa Malaysia and English languages) to Subjects.

The PDP Notice must inform the Subject that their personal data is being processed by/on behalf of the Controller, and provide a description of:

• the categories of personal data processed, including any SPD or data of minors (below 18 years);
• the purpose(s) for collecting and processing personal data;
• any regulatory data collection requirements and applicable retention periods;
• source of data collection;
• Subject’s right to request access and correct their personal data and the contact details for requests;
• the classes of third parties to whom the personal data may be disclosed;
• available options for Subjects to restrict the processing of their personal data (including any linked third‑party data); and
• whether providing the personal data is mandatory or voluntary, and the consequences if mandatory data is not supplied.

The PDP Notice must be provided to Subjects at the point of first requesting or collecting personal data, and before any use or disclosure for purposes beyond its stated scope.

Disclosure Principle

Personal data may only be disclosed with the Subject’s consent, solely for the purpose stated at collection (or a directly related purpose), and only to the third parties or classes thereof specified in the PDP Notice.

However, personal data may be disclosed without consent:

• where disclosure is necessary for the purpose of preventing or detecting crime, or for investigatory purposes;
• where the disclosure was required or authorised by or under any law or by court order;
• where the Controller reasonably believed they were legally entitled to disclose the data or that the Subject would have consented if informed of the circumstances;
• where the Digital Minister justifies disclosure for public interest;
• for the administration of justice;
• to discharge regulatory functions;
• for anonymized statistical or research purposes; or
• for protection of the Subject’s vital interests.

Security Principle

Controllers must implement reasonable, proportionate safeguards (taking into account data sensitivity, storage location and existing system security) to protect personal data from loss, misuse, unauthorized access, disclosure, alteration or destruction.

Under the PDPS, Controllers and Processors must implement baseline security controls (such as access management, secure storage and transfer protocols). Controllers must ensure Processors guarantee and adhere to these measures, and Processors now carry direct legal duties and penalties under the amended PDPA.

Retention Principle

Controllers must retain personal data only as long as necessary to fulfil the original processing purpose and securely delete it thereafter. While the PDPA leaves exact retention periods to Controllers’ determination (subject to overriding legal requirements), the PDPS recommends disposing of data with no legal value within 14 days and inactive data within 24 months.

Data Integrity Principle

Controllers must take reasonable steps (proportionate to the processing purpose) to ensure personal data remains accurate, complete, up‑to‑date and not misleading; provide mechanisms for Subjects to update or correct their data; and adhere to any data integrity standards issued by the Commissioner.

Access Principle

Subjects have the right to:

• request access to their personal data held by a Controller (via a Data Access Request (“DAR”)); and
• correct their personal data where it is inaccurate, incomplete, misleading, or not up-to-date (via a Data Correction Request (“DCR”)),

except where compliance with a DAR/DCR is refused (please refer to Q27).

Breaches of the PDP Principles may result in fines up to RM1,000,000 and/or imprisonment up to 3 years.

Yes, consent is a fundamental requirement for personal data processing (please refer to the General Principle in Q5).

The PDPA does not specify the exact form and type of consent, but consent must be capable of being recorded and maintained per the Personal Data Protection Regulations 2013 (“PDPR”).

Consent may be given in a variety of forms: written (e.g. by signature or tick on a form), electronic opt‑in (e.g. clicking an unchecked box), deemed (e.g. where notification and continued use of a service indicates agreement), verbal (provided it is recorded, for instance via call logging), or by conduct (where consent is signified by Subject’s actions).

Consent can be express or implied. Implied consent can be construed in certain situations, such as non-objection to processing after being informed and continuing to use a service. However, for SPD, explicit consent that can be recorded and maintained is required.

Consent may be incorporated into broader documents, such as terms of service or application forms. The PDPA does not explicitly address bundling consents for multiple processing operations in a single request. However, the Notice and Choice Principle mandates that each processing purpose be presented separately and transparently, so that consent is specific and informed rather than a blanket approval.

Controllers are restricted from processing SPD unless the Subject has given explicit consent. While the PDPA does not define “explicit consent”, the consent must be capable of being recorded and maintained (please refer to Q6).

SPD may be processed without explicit consent:

• where necessary for the purpose of any legal proceedings, obtaining legal advice, or establishing/exercising/defending legal rights;
• for protection of the Subject’s or another person’s vital interests, where consent cannot be given or reasonably obtained;
• for exercising or performing a Controller’s right or obligation under law in connection with employment; or
• by a healthcare professional or someone with equivalent confidentiality duties (in the healthcare context).

PDP Notices must disclose processing of minors’ personal data, and consent must be obtained from a parent or guardian.

Health information is classified as SPD under the PDPA, and all SPD requirements apply equally to health data. Given its sensitivity, SPD demands enhanced security safeguards particularly in healthcare environments where large volumes of SPD are handled.

Yes, the PDPA:

• does not apply to the Federal and State Governments;
• does not apply if the data is processed extraterritorially and not intended for further processing within Malaysia;
• does not apply to credit reporting agencies (for processing of credit information); and
• excludes deceased individuals from the definition of ‘data subjects’.

The PDPA provides exemptions from certain PDP Principles under specific circumstances. These include exemptions from the General Principle, Notice and Choice Principle, Disclosure Principle, and Access Principle, and related provisions, where personal data is:

• used for personal, family, or recreational purposes;
• processed solely for journalistic, literary, or artistic purposes;
• processed solely for anonymized research and statistics;
• processed for preventing or detecting crimes, prosecuting offenders, or assessing taxes;
• used in legal matters, including for obtaining legal advice;
• processed for discharging regulatory functions; or
• processed for the exercise of functions conferred under law.

Where SPD is processed, Controllers are exempted from the Access Principle and other related provisions (e.g. DARs/DCRs) if compliance is likely to prejudice the Subject.

Subjects’ rights under the PDPA, such as the right to access and the right to prevent processing, are also subject to limitations (please refer to Q27).

A Subject’s right to prevent processing applies to processing likely to cause damage or distress to the Subject or another person. However:

• this does not apply where the Subject has consented to the processing; and
• processing may continue if necessary for:
  • the performance of a contract to which the Subject is a party;
  • taking steps at the Subject’s request before entering into a contract;
  • compliance with Controllers’ legal obligations, other than a contractual obligation; and/or
  • protection of the Subject’s or another person’s vital interests.

The Digital Minister may, by order published in the Gazette, exempt any Controllers or class thereof from PDPA provisions; and/or impose terms and conditions on such exemptions and revoke them.

COPs under the PDPA may contain provisions modifying the obligations or rights of Controllers or Subjects within that sector (for example, the COP for private hospitals in the healthcare industry states that such rights may be modified, enhanced, or substituted by the COP) and may be registered by the Commissioner, provided the COP offers an adequate level of protection consistent with the PDPA.

While the PDPA does not presently mandate risk assessments or DPIAs, a public consultation issued by the Commissioner in March 2025 (“PCP”) indicates that proposals for mandatory DPIAs for large-scale or SPD processing are being deliberated and emphasize identifying, assessing, and managing data-related risks.

While there are no standalone COPs specifically addressing processing of different data types, tailored COPs on data processing for banking and finance; private healthcare; communications; water and electricity utilities; insurance and takaful; and aviation sectors, along with a General COP applicable to all other sectors that do not have specific COPs, have been published. The COPs each include sector‑specific PDPA compliance guidance, and provisions on handling different data types (e.g. SPD) within the respective sectors.

Yes. Controllers must keep comprehensive processing records (consents; notices; DARs/DCRs; third‑party disclosure lists; retention schedules; data updates; and transfers (including removable‑media/cloud transfers with management approval)). COPs may impose additional record‑keeping rules, and the Commissioner may inspect these records.

Organisations typically meet these requirements by, among others:

• establishing internal policies (e.g., employee data handling, data processing inventories, DBN procedures, data retention and disposal policies, disposal schedules for inactive data, disaster recovery/business continuity plans);
• having written agreements with Processors;
• documenting data flows;
• retaining documentation for potential regulatory review;
• appointing DPOs when required;
• mapping all personal data activities and risks;
• incorporating employee training in their data protection frameworks;
• enforcing and documenting technical and organisational security measures and clear workflows for DARs/DCRs; and
• regularly reviewing and updating policies in line with legislative changes.

Yes. Please refer to the Retention Principle in Q5 and documentation in Q11 above. The PDPS requires Controllers to determine retention periods based on legislation, keeping data no longer than necessary unless legally required, maintaining records of disposal, disposing of collection forms within a specific timeframe, and preparing a disposal schedule for inactive data.

While not explicitly termed “consultation” in all cases, interaction or communication with the Commissioner is required in the following contexts:

• notification on personal data breaches;
• notification on DPO appointment and DBNs;
• application for registration;
• cooperation for inspections and investigations; and
• complaints by Subjects.

Consultation with the Commissioner is recommended if:

• there is uncertainty or ambiguity as to which COP applies to a particular Controller/class thereof; and/or
• there is uncertainty in interpreting or applying PDPA provisions or related regulations.

Yes, effective 1 June 2025, an organisation must appoint a DPO if it satisfies at least one of the following threshold requirements (per the Guidelines on Personal Data Protection (Appointment of Data Protection Officer) and Circular No. 1/2025 (Appointment of Data Protection Officer issued in early 2025 (collectively, “DPO Guidelines”)):

• it processes personal data exceeding 20,000 Subjects;
• it processes SPD, including financial information, exceeding 10,000 Subjects; or
• its processing involves activities requiring regular and systematic monitoring of personal data.

Organisations must register their DPO with the Commissioner within 21 days from the appointment date and provide the DPO’s business contact information.

The DPO Guidelines outline DPO responsibilities, including:

• acting as the organisation’s main contact point with the Commissioner;
• serving as the liaison point between the organisation and its Subjects;
• advising and supporting the organisation in its data processing activities;
• providing advice and support on implementation of DPIAs based on Commissioner-determined requirements; and
• monitoring the organisation’s compliance with the PDPA (e.g., ensuring proper data breach and security incident management) and its data protection policies, including assigning responsibilities under such policies, raising awareness, conducting employee training, and carrying out personal data protection audits.

Other important points to note regarding the DPO role:

• appointments can be internal or external;
• minimum DPO expertise and qualifications include an understanding of corporate governance, IT, and data security, and expertise should be appropriate for the organisation’s data processing activities;
• DPOs must be ordinarily resident in Malaysia (i.e. physically present in Malaysia for at least 180 days within a calendar year) or if not resident, easily contactable by any means. The DPO must, however, be proficient in both Bahasa Malaysia and English languages;
• the organisation must involve the DPO in all its matters relating to personal data protection; and
• DPO appointment and responsibilities are in addition to the organisation’s PDPA compliance obligations.

Although the PDPA itself does not explicitly require employee training, multiple industry COPs (e.g., banking, healthcare, communications, utilities, aviation) emphasize the need for training and awareness. These COPs typically mandate initial and refresher sessions covering PDP Principles, policies, and security measures.

The DPO Guidelines require DPOs to provide employee training on PDP Principles, the organisation’s policies, and personal data handling responsibilities.

Yes. Please refer to the Notice & Choice Principle in Q5 above. PDP Notices can be presented physically or digitally.

Yes, while Controllers retain primary PDPA accountability (including ensuring Processor agreements guarantee adequate technical and organisational security), recent amendments also impose direct duties on Processors (e.g. Security Principle compliance, mandatory DBN requirements and DPO appointment obligations).

The implications are such that Processors now bear direct PDPA obligations and penalties, requiring them to review and strengthen security measures and compliance frameworks. This expansion of responsibility enhances overall data protection by holding every processing party directly accountable, and will likely incur additional costs for appointing and training DPOs.

The PDPA does not specifically address or define ADMP, or monitoring or tracking technologies such as cookies. However, the Digital Minister announced in January 2025 that ADMP guidelines will be developed over the course of 2025. The PCP indicates that such guidelines may potentially include a right for Subjects to refuse to be subjected to decisions based entirely on ADMP. Potential exclusions include contractual or legal necessity for ADMP, or if undertaken with explicit consent. Although there is no dedicated legislation on tracking technologies, they remain subject to the PDP Principles and related obligations.

While targeted or behavioural advertising are not specifically defined, the concept of targeted/behavioural advertising relies on profiling individuals based on their data, which is similar to direct marketing (please refer to Q21) and may potentially be specifically regulated in future (please refer to Q18).

While the PDPA does not define “sale”, it directly criminalises the sale and offering for sale of personal data collected unlawfully (i.e., knowingly or recklessly collecting/disclosing/procuring disclosure of data without the consent of the Controller holding that data). Violators face fines up to RM500,000 and/or imprisonment up to 3 years.

Under the PDPA, direct marketing (defined as “the communication by whatever means of any advertising or marketing material which is directed to particular individuals”) is restricted. Subjects have the right to opt out by providing written notice, compelling Controllers to cease or avoid initiating processing for direct marketing purposes for a reasonable period.

Please refer to Q4 for the definition of biometric data. The PDPA classifies biometric data as SPD, and SPD-related requirements (please refer to Q7 above) apply.

The PDPA does not specifically address AI. However, the proposed ADMP guidelines may apply to certain AI elements if AI is involved in ADMP as automated decision-making tools and have significant effects on individuals. Based on the PCP, the ADMP guidelines may include rights for Subjects such as the right to refuse ADMP, to information on ADMP, and to human review of automated decisions.

However, the National Guidelines on AI Governance & Ethics contain overarching AI considerations in the country and emphasize responsible data protection throughout the AI lifecycle. It also mandates that AI systems incorporate privacy-by-design and security-by-design principles; informed consent is obtained when processing personal data for AI training and deployment; and implementation of robust technical safeguards (such as encryption and access controls) to prevent misuse, bias, or unauthorized access to sensitive information.

Under the PDPA, cross-border transfers are allowed where the recipient jurisdiction offers adequate protection equivalent to the PDPA. Otherwise, transfers must rely on explicit written consent, contractual necessity or vital‑interest grounds and have appropriate safeguards. No prior notice or approval is required if these exceptions apply, and the Commissioner’s forthcoming guidelines are expected to endorse mechanisms such as binding corporate rules and standard contractual clauses.

In addition to the Security Principle obligations highlighted in Q5, Controllers must ensure that any engaged Processors adhere to sufficient technical and organisational security measures under clearly defined contractual terms. Following the PDPA amendments, Processors also have direct security obligations (please refer to Q17).

Controllers in regulated industries (such as banking) must also comply with additional regulator‑issued security guidelines along with sectoral COPs, with the strictest standard prevailing in any conflict.

Documented security governance, physical and logical access controls and secure data‑transfer protocols are also mandated by the PDPS.

Additional security obligations vis-à-vis DBNs (please refer to Q26) and DPO appointments (please refer to Q14) also apply to Controllers and Processors.

Non‑compliance exposes Controllers and Processors to increased fines, imprisonment and enforcement actions by the Commissioner.

Yes, please refer to Q4 for the definition of “personal data breach”. In addition to Security Principle obligations, the PDPA requires Controllers to contractually obligate Processors to notify the Controller of data breaches and assist the Controller in handling breaches; submit a DBN to the Commissioner within 72 hours of breach detection; and inform affected Subjects within 7 days. DBNs must detail the breach’s nature, timing, affected data, suspected cause, number of impacted individuals and records, and remedial measures to enable Subjects to mitigate potential harm.

The PDPA establishes individual rights for data access and correction (please refer to the Access Principle in Q5). Although there is no explicit “right to deletion”, Subjects are entitled to withdraw consent, obligating Controllers to cease processing immediately.

Controllers must generally comply with a DAR/DCR within 21 days of receipt. If the Controller cannot comply within this period, they must inform the requestor in writing of the inability and the reasons therefor, before the period expires. Controllers have a maximum of 14 additional days after the initial period in order to fully comply with the DAR/DCR.

Controllers may refuse a DAR or DCR if:

• the requester’s identity cannot be adequately verified;
• compliance would disclose another individual’s data without consent or reasonable justification;
• access provision cost/burden is disproportionate to the privacy risk;
• compliance would violate a court order;
• it would reveal the Controller’s confidential commercial information;
• data access is regulated/restricted by another law;
• the data was processed for crime prevention, detection, prosecution or tax assessment;
• the data pertains to physical or mental health information; and/or
• the data is retained solely for backup or archival purposes.

If a Controller refuses a DAR/DCR, they must provide written notice and reasons for refusal to the Subject within 21 days of the request.

Controllers may charge the maximum fee prescribed by the PDPR for access requests, with fees varying by data type (personal or sensitive) and whether a copy is requested.

No. The PDPA does not create a private right of action for Subjects. The Malaysian Court of Appeal in the case of Ranjan Paramalingam & Anor v Persatuan Penduduk Taman Bangsar Kuala Lumpur [2023] 1 MLJ 459 determined that PDPA violations do not give rise to a civil cause of action.

Please refer to Q28.

The Commissioner oversees PDPA enforcement, and is empowered to issue enforcement notices, conduct investigations and inspections, and authorize officers to exercise enforcement powers. Offenders may be arrested without a warrant and may be liable to fines and/or imprisonment. Please refer to Q31 for the scope of such penalties.

PDPA violations can result in fines from RM10,000 up to RM1,000,000 and/or imprisonment up to 3 years, depending on the specific offence. Specific breaches, such as failing to submit a DBN, may incur fines up to RM250,000 and/or imprisonment up to 2 years, while unauthorized data collection or selling can attract fines up to RM500,000 and/or up to 3 years’ imprisonment. Additional penalties exist for obstruction and non-compliance with data transfer regulations.

No. The PDPA specifies maximum fines and imprisonment terms but does not include detailed guidelines or rules for calculating fines or sanction thresholds. Authorities assess penalties based on the nature and severity of the violation.

Yes. Affected parties may seek judicial review in the High Court on grounds of illegality, unreasonableness, or procedural impropriety. Under the PDPA, aggrieved parties may file a notice of appeal within 30 days to the Appeal Tribunal. Appeals can address decisions such as registration refusals, enforcement notices, or investigation actions. The appeal notice must outline the decision’s substance and include appellant’s contact information. The Appeal Tribunal’s decision is final, binding, and enforceable with leave from the Sessions Court if required.

The Commissioner has adopted a proactive enforcement stance, conducting more audits, inspections and investigations (especially on security breaches) in view of the PDPA amendments, and is prioritizing elevated compliance standards and modernized oversight to treat data as a national asset and bolster accountability and protection.

Yes. Under the CSA, NCIIEs must conduct annual risk assessments, and biennial audits at a minimum (or more frequently if directed); submit each report to the Chief Executive within 30 days; and comply with any follow‑up directives or mandated cybersecurity exercises. Sector-specific COPs to be issued are expected to contain further controls.

CSPs must also retain detailed service records (client, service type, date/time) for at least 6 years and produce them on demand.

Although the CCA does not prescribe specific controls, it criminalizes unauthorized access and modification of computer systems, effectively requiring organisations to implement reasonable security measures to prevent such misuse.

The CMA enshrines information security and network reliability as core objectives and empowers the MCMC to issue binding written notices under its network security provisions, where failure to comply carries fines up to RM1,000,000 and/or imprisonment up to 10 years. It also authorises registration of certifying agencies; requires licence‑holders to prevent their services from facilitating offences and to comply with regulatory notices; and grants the Communications Minister authority to mandate record‑keeping and communications‑data retention to support cybersecurity investigations.

While no Malaysian cybersecurity law explicitly mandates supply‑chain management, CSA‑required risk assessments and audits must evaluate supplier vulnerabilities, and forthcoming sector‑specific COPs may potentially introduce dedicated supply‑chain controls.

Although the CMA does not explicitly mandate supply‑chain controls, its broad security objectives and notice powers can target vendors whose products pose network risks; require licensees to oversee partners; extend record‑retention obligations to supplier communications; and empower MCMC‑registered certifying agencies to audit compliance with any adopted supply‑chain standards.

Yes. The CSA requires information on cybersecurity incidents to be provided to the Chief Executive (please refer to Q41).

The DSA requires government agencies to share data via a structured framework; comply with prescribed security and legal protocols (e.g. confidentiality, national security); restrict use to authorized purposes; and report each data‑sharing request (including request details, outcomes and reasons for any refusal) to the Director General of the National Digital Department (“DG”).

Under the CMA, the MCMC can issue written notices compelling information disclosure to mitigate network risks (including data-sharing); authorised officers may demand preservation and disclosure of communications data for investigations; the Communications Minister can prescribe record‑keeping and retention rules; and the MCMC may conduct audits with full access to information.

While not explicitly mandating a “chief information security officer,” the CSA requires NCIIEs to designate personnel responsible for cybersecurity, who need to:

• implement and oversee COPs;
• conduct and report annual cyber‑security risk assessments and biennial audits to the Chief Executive;
• appoint contact point to fulfil obligations for providing information to, and notifying, their NSL of new or materially changed NCII;
• assign accountability for interpreting and complying with Chief Executive’s directives; and
• ensure participation in any cybersecurity exercises as directed.

By contrast, the DSA requires government agencies to report particulars of inter‑agency data sharing to the DG, while the CCA addresses criminal offences related to computer misuse without prescribing specific cybersecurity roles within organisations.

The CMA does not expressly require dedicated cybersecurity roles, but licensees’ obligations, the MCMC’s directive powers, and the general emphasis on information security and network reliability imply that appointing responsible individuals may be mandated via subsidiary legislation, guidelines or specific instructions.

Yes, there are sector-specific guidelines and regulations for different industries. For example, the Central Bank of Malaysia under its Risk Management in Technology (RMiT) Policy Document, mandates that all licensed financial institutions establish and maintain a formal technology‑risk management framework, covering governance, risk assessment, security controls, and incident response; the Securities Commission Malaysia’s Guidelines on Technology Risk Management for capital markets firms requires enhanced oversight of technology‑related risks, periodic audits, and frameworks for outsourcing and third‑party arrangements; and the MCMC’s Information and Network Security Guidelines set best practices for the communications sector aimed at enhancing information and network security and resiliency.

Further, under the CSA, each NSL is responsible for preparing a COP to be endorsed by the Chief Executive. Such COPs have yet to be published at the time of writing but are required to outline necessary measures, standards, and processes required to secure sectoral NCIIs.

International standards such as the ISO/IEC 27001 play a major role in shaping Malaysia’s cybersecurity framework and aligning it with international best practices. In response to rising cyber threats and the growing digital landscape, the government mandated in 2010 that all NCIIEs implement an Information Security Management System (ISMS) based on this standard. This move supports multiple national goals such as addressing increasing cyber threats and strengthening Malaysia’s position in international digital economy relations.

Under the CSA, a “cybersecurity incident” is “an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cybersecurity of that computer or computer system or another computer or computer system“.

NCIIEs must notify the Chief Executive and the relevant NSLs of any cybersecurity incidents within 6 hours of discovery and submit details of the authorised person, NCIIE, sector, NSL, and information about the incident (type, description, severity, date/time of occurrence and discovery) via the NC4. Within 14 days, further updates on the incident must be provided, including potential impact, action taken, and tactics, techniques, and procedures used. Failure to comply with subsequent directives may result in corrective measures, fines up to RM200,000, and/or imprisonment for up to 3 years.

Under the CMA, the MCMC may issue written notices to impose measures against “network security risks” (broadly including cybersecurity incidents), with non‑compliance attracting significant penalties, and its directive powers (together with licensees’ general duties) allow incident‑management and notification requirements to be introduced via subsidiary legislation, guidelines or specific instructions.

Enforcement is carried out via a multi-layered framework:

• under the CSA, the Chief Executive may exercise various enforcement powers (please refer to Q43);
• authorised officers possess full investigative powers—search, seizure, data access and production of records—under both the CSA and the Criminal Procedure Code;
• non‑compliance with codes, reporting or licensing obligations (including operating without a CSP licence) attracts fines and/or imprisonment, and the Chief Executive may issue, renew, suspend or revoke such licences; and
• prosecutions for any CSA, CCA or DSA offences require the Public Prosecutor’s written consent.

Under the CSA, the Chief Executive may issue binding directives to NSLs and NCIIEs; compel the production of information and documentation; appoint experts; endorse sectoral COPs; approve and mandate risk assessments and audits (including frequency and scope); conduct cyber‑security exercises; investigate incidents through authorised officers endowed with police‑grade search, seizure and data‑access powers; license and regulate CSPs, and require immediate notification of security incidents.

Under the DSA, the DG is empowered to demand relevant information from government agencies and to require them to report both authorised and unauthorised data‑sharing activities.

The CMA is mainly enforced by the MCMC through investigations, information gathering, issuing directions and mandatory standards, and facilitating the prosecution of offences. The MCMC is empowered to ensure compliance and address network security risks, with substantial penalties for non-compliance. New amendments on network security enhance the MCMC’s ability to enforce measures against network security risks.

The range of sanctions for cybersecurity law violations (variable depending on specific offence and security) are as follows:

• CSA: fines from RM100,000 to RM500,000 and/or up to 10 years’ imprisonment. COP non-compliance attracts similar sanctions.
• CCA: fines from RM25,000 to RM150,000 and/or imprisonment from 3 to 10 years.
• DSA: fines up to RM1,000,000 and/or imprisonment up to 5 years.
• CMA: fines up to RM1,000,000 and/or imprisonment up to 10 years.

No. The CSA, CCA, DSA, and CMA specify maximum fines and imprisonment terms but do not include detailed rules or guidelines for calculating fines or sanction thresholds. Enforcement authorities assess penalties based on the nature and severity of violations.

Yes. Affected parties may seek judicial review in the High Court on grounds of illegality, unreasonableness, or procedural impropriety. For decisions under the CSA, such as licensing refusals, appeals must be lodged in writing to the Communications Minister within 30 days. Decisions under the CMA, may first be challenged by requesting a written statement of reasons and then appealed to the Appeal Tribunal (whose merits‑based review is final) for most MCMC decisions or directions (with certain exclusions). For other enforcement actions, including forfeiture orders, the case may progress through the court hierarchy for review.

Cybersecurity enforcement has intensified following the CSA’s enactment and CMA amendments. Key priorities under the CSA include mandatory incident reporting, regular risk assessments, and audits for NCIIEs, while deterrence of offensive online content under the CMA has increased focus. The CSA expands regulatory coverage to 11 NCII sectors and imposes strict penalties for non-compliance, including fines and imprisonment.