
Malaysia’s Personal Data Protection Act (PDPA): Is It Effective Enough

Authored By: TAN KAI XIN

Multimedia University

Introduction

In Malaysia, the Personal Data Protection Act 2010 (‘PDPA’) was introduced by Parliament in 2010 and came into effect in 2013. As the cornerstone of the country’s data protection framework, it governs the processing of personal and sensitive data in commercial transactions. In recent years, Malaysia has experienced a surge in data breach incidents, which has called into question the effectiveness of the PDPA. In response, the House of Representatives passed the Personal Data Protection (Amendment) Bill 2024, which aims to align Malaysia’s legislative framework more closely with international data protection standards. The amendments have been implemented in three phases.[1] This raises a critical question: does the PDPA sufficiently protect personal data in today’s digital landscape? This article examines the issues faced by the PDPA both before and after the amendment, and proposes solutions to address its remaining gaps.

Issues faced by the PDPA

Ambiguities in government exemptions

The PDPA has a narrow scope of application, as it is not applicable to (1) Federal and State Governments and (2) non-commercial activities.

Section 3(1) of the PDPA excludes the Federal and State Governments from its purview. The issue arises because the term “Government” is ambiguously defined: the definition provided by the Interpretation Acts of 1948 and 1967 and the Government Proceedings Act 1956 is too broad,[2] while the PDPA itself is silent on the matter.[3]

This exclusion runs counter to the PDPA’s objective of safeguarding personal data. A glaring example is the Malaysian Election Commission MySPR data breach in 2022, in which the personal details of 22 million voters, including their full names, identification numbers, email addresses, home addresses, birth dates, and pictures, were leaked and sold illegally on the marketplace. This shows that the government’s exclusion from the PDPA is a significant drawback when it comes to protecting millions of individuals.

Lack of extraterritorial jurisdiction

Data breaches nowadays frequently transcend national borders, yet Section 3(2) of the PDPA excludes data processed abroad from its application unless that data is intended for further processing within Malaysia. Moreover, the term “intended” is vague, as mere intention would not by itself change the legal status of foreign data processing. This indicates that the PDPA fails to address cross-border data breaches effectively.[4]

The iPay88 hack illustrates this limitation:[5] the Malaysian payment gateway iPay88 was breached, users’ credit card details were exposed, and the stolen funds were transferred to Cambodian banks. However, Malaysia’s PDPA could not step in because it lacks extraterritorial jurisdiction.

Post-amendment

In 2024, the PDPA was amended to align it more closely with international data protection standards, but its effectiveness remains debatable.

One notable amendment is the removal of the “white-list” regime under Section 129 of the PDPA, which previously set out the jurisdictions to which data controllers could transfer data without any additional requirements. However, no country was ever added to the list since the inception of the PDPA. The amended PDPA has removed the list and now allows cross-border data transfer to any jurisdiction, subject to the condition that the destination country has substantially similar data protection laws or ensures a level of protection adequate in comparison with the PDPA.

However, this change raises issues in interpreting the term “adequate”, as the PDPA lacks clear criteria for assessing adequacy. The PDPA should therefore establish a well-defined standard for evaluating “adequacy”. Without such clarity, reliance on external experts for evaluations could incur substantial costs and require significant resources.

Another amendment requires data controllers to notify both (a) the Personal Data Protection Commissioner and (b) the affected data subjects where a data breach “causes or is likely to cause any significant harm”. Yet the term “significant harm” also remains undefined, which leads to ambiguity.

Next, in the amended Act, Section 12A of the PDPA mandates the appointment of one or more Data Protection Officers (DPOs) to ensure the organisation’s adherence to the PDPA. However, it does not specify the qualifications or skills required of DPOs. Our government may therefore refer to Articles 37 to 39 of the GDPR,[6] which clearly outline the scope, tasks, and necessary qualifications or skills of DPOs.

Enforcement issues

Personnel

Under Section 47 of the PDPA, Malaysia has its own PDPA Commissioner, but the Commissioner lacks sufficient authority to execute its duties effectively. For example, the power to make regulations[7] and the power to make further exemptions[8] are vested in the Minister instead of the Commissioner. This limitation weakens the Commissioner’s ability to enforce the PDPA effectively.

Moreover, Malaysia’s PDPA Commissioner lacks independence due to the doctrine of separation of powers under the Federal Constitution. Unlike in many other countries, where Commissioners operate as independent bodies accountable to their respective Parliaments, Malaysia’s Commissioner is not subject to parliamentary oversight[9] but is instead required to report directly to the Minister.

Furthermore, Malaysia faces a shortage of skilled personnel: many enforcement officers receive inadequate training and lack the expertise to tackle complex data breaches effectively.

Awareness

Many individuals, organisations, and corporations are unaware of the existence and purpose of the PDPA. A study revealed that only 43.2% of respondents knew about the PDPA, and only 39.8% understood it. This indicates that awareness among Malaysians of the PDPA’s existence, and knowledge of how it can provide protection, needs to be raised.[10]

As a result, many data breach incidents remain underreported. Victims, whether members of the public or organisations, are reluctant to reveal information about an incident, which hampers law enforcement’s ability to detect and combat it. For instance, they may choose to remain silent out of fear of potential repercussions if they come forward. They may also fear reputational damage, retaliation, pressure, and emotional and psychological trauma.

The situation is exacerbated by the fact that some people do not know how or where to report breaches. As a result, only a small fraction of data breaches are reported to the authorities compared with the actual number of incidents that occur.

Compliance

Although amendments were made in 2024, it takes time for people to adapt. People will need time to study and understand the amended sections, and members of the public who are laypersons will take longer. There may also be a lack of precedents and interpretations for the ambiguous parts. It will also take time and money for businesses and firms to review and revise their policies and procedures to align with the amendment.

Penalties

The sanctions provided by Malaysia’s PDPA are insufficient. Section 5(2) of the PDPA provides that any act that breaches the data protection principles is liable to a fine not exceeding RM3000, imprisonment for a term not exceeding two years, or both. The main purposes of punishment are deterrence and retribution, but inadequate punishment dilutes the effectiveness of the Act.

Solutions

Ambiguities in government exemptions

In addressing this issue, we can refer to Singapore, which presents a more transparent alternative. While its government is also exempt from its data protection regime, Singapore has introduced the Personal Data Protection (Statutory Bodies) Notification 2013, which explicitly identifies 67 public agencies exempted from the Singapore Personal Data Protection Act 2012, thereby providing clarity on the definition and scope of government exemptions.

Lack of extraterritorial jurisdiction

To resolve the PDPA’s current limitations in transnational data protection, Section 3(2) of the PDPA could be amended to extend its coverage by including the phrase “personal data of Malaysians”. This would ensure that any data pertaining to Malaysian citizens, regardless of where it is processed or stored, falls under the Act’s jurisdiction. In addition, the phrase “is intended” should be omitted.

To tackle cross-border data breaches, the PDPA can be amended to establish international collaboration similar to that implemented by the United Nations, the G-8 Subgroup on High-Tech Crime, the Organisation for Economic Cooperation and Development, and the Council of Europe. This may include mutual recognition of data protection standards, the development of expedited procedures for data access across jurisdictions, and alignment with global initiatives such as the GAC’s 24/7 network for swift international communication.[11]

Post-amendment

The Public Consultation Paper has clarified the legal requirements for cross-border data transfers under Section 129 of the PDPA. To ensure adequacy, the data controller must carry out a transfer impact assessment to identify the destination jurisdictions, assess the level of their data protection laws, and reassess periodically to ensure ongoing compliance. The proposed additional conditions are meant to protect the vital interests of an individual rather than to serve as standard practice. Further, a data transfer may be carried out if the data controller has taken all reasonable precautions and exercised due diligence to ensure the data would be handled in line with the PDPA as if it were processed in Malaysia.

Also, for the evaluation of “significant harm”, Malaysia can adopt a prescriptive approach like Singapore’s, by specifying high-risk data types whose breach would be deemed to result in “significant harm”. Alternatively, the Malaysian Data Protection Commissioner can release appropriate guidance on the criteria for and assessment of “significant harm”.

Enforcement issues

Personnel

To resolve this issue, Malaysia can refer to the “Criteria and Rules for Credentials Committee and the Accreditation Principles” set by the 23rd International Conference of Data Protection Commissioners, which state that a data protection commissioner must operate as an independent public body and be empowered both practically and legally. This should be applied to our PDPA Commissioner as well.

As Malaysia lacks technical experts, experts in handling data breaches should be hired. This is supported by Datuk Seri Mohd Bakri Omar, the Deputy Inspector General of Police in Malaysia, who explicitly stated that the Force needed more officers with the expertise to investigate and analyse data breach incidents.

Furthermore, our country should also provide a comprehensive training programme for personnel so that they are well prepared when combating data breaches. Training content should include the European Union General Data Protection Regulation’s (GDPR) implementation practices.

Awareness

To address this issue, the community should be made aware of the dangers that data breaches pose to victims. Campaigns through print and digital media can be run more aggressively. Workshops and seminars can also be held regularly, as they help to change societal attitudes towards data breaches and, at the same time, encourage more victims to come forward. For example, Cyber Security Malaysia has launched the “Cyber Security Awareness for Everyone” programme to educate the public and reduce the occurrence of online data breaches.[12] Public awareness of the PDPA can also be raised through social media such as Facebook, Twitter, and TikTok. Research indicates that using YouTube to raise awareness is indeed effective. Hashtag campaigns such as #TakNakScam, which create a unified online movement, are a good example.[13]

Compliance

To ensure more effective compliance, a tool known as “Data Cart” was created in 2016 in accordance with the GDPR in the European Union. It is especially helpful for assisting employees or data users in processing personal data in compliance with data protection regulations. It mainly helps to standardise access to personal data, streamline data management processes, and bring them in line with data protection policies.[14]

Also, when the PDPA is amended, an adaptation or grace period is needed so that stakeholders and interested parties can comply without penalties while they adapt and adjust accordingly. This would facilitate smoother compliance.

Penalties

One strategy that can be adopted is to increase the punishment for those who commit data breach-related offences. For example, Section 1028 of the Identity Theft and Assumption Deterrence Act 1998 of the US provides for 15 years’ imprisonment for offenders who commit identity theft. Meanwhile, Section 192E of the New South Wales Act provides for 10 years’ imprisonment for those who commit phishing. These far more severe penalties clearly illustrate that the punishment provided in our country is insufficient.

Conclusion

In summary, Malaysia’s PDPA has significant shortcomings, as evidenced by its ranking as the 5th worst out of 47 countries, with a score of 2.64 out of 5 points for data protection, in a study conducted by Comparitech, a British tech company. This clearly shows that there are critical loopholes in data protection despite the presence of the PDPA 2010.

While it is undeniable that complete prevention of data breaches is extremely difficult, efforts to improve data protection measures must continue.

References

Primary Sources

Statutes and statutory instruments

General Data Protection Regulation

Government Proceedings Act 1956

Identity Theft and Assumption Deterrence Act 1998 of the US

Interpretation Acts of 1948 and 1967

New South Wales Act

Personal Data Protection (Amendment) Act 2024

Personal Data Protection (Statutory Bodies) Notification 2013

Personal Data Protection Act 2010

Singapore Personal Data Protection Act 2012

Secondary Sources

Online journals

Ahmad Redzuan Bin Mohamad & Mohd Rizal Yaakop & Mohd Azmi Bin Mohd Razif, ‘The Efficacy of the Malaysian Government’s Response towards Cybercrime’ (2024) Open Journal of Political Science, 14(01), 166–176 <https://doi.org/10.4236/ojps.2024.141010>

Ali Alibeigi & Abu Bakar Munir, ‘Malaysian Personal Data Protection Act, a Mysterious Application’ (2020) University of Bologna Law Review, 5(2), 362–374 <https://doi.org/10.6092/ISSN.2531-6133/12441>

Ana I. Cerezo & Javier Lopez & Ahmed Patel, ‘International Cooperation to Fight Transnational Cybercrime’ (2007), WDFIA, 13–27 <https://doi.org/10.1109/WDFIA.2007.4299369>

Huda Hamidon & Salliza Md Radzi & Noor Rahmawati Alias & Noorfadzilah Arifin & Zuriani Ahmad Zukarnain, ‘Personal Data Abuse: Preliminary Survey Among Malaysian Youth Netizens’ (2022) Journal of Information and Knowledge Management (JIKM), 1 <https://ijikm.uitm.edu.my/pdf/special_issue_icis_2022/192-210-Personal-Data-Abuse_Preliminary.pdf>

Jan Tolsdorf & Florian Dehling & Luigi Lo Lacono, ‘Data Cart – Designing a Tool for the GDPR-Compliant Handling of Personal Data by Employees’ (2022) Behaviour and Information Technology, 41(10), 2070–2105 <https://doi.org/10.1080/0144929X.2022.2069596>

Mohamad Fadli Zolkipli & Diviya Shini Rajamanickam, ‘Personal Data Protection Awareness through the Use of YouTube among the Youths in UUM’ (2021) Journal of ICT in Education, 8(2), 60–70 <https://doi.org/10.37134/jictie.vol8.2.6.2021>

Sidi Mohamed Sidi Ahmed & Sonny Zulhuda, ‘Data Protection Challenges in the Internet of Things Era: An Assessment of Protection Offered by PDPA 2010’ (2019) International Journal of Law, Government and Communication, 4(17), 1–12 <https://doi.org/10.35631/ijlgc.417001>

Wilson Ang & Jeremy Lua & Terence De Silva, ‘New Horizons in Data Protection: Malaysia’s Personal Data Protection (Amendment) Act 2024’ (2025) Norton Rose Fulbright <https://www.dataprotectionreport.com/2025/01/new-horizons-in-data-protection-malaysias-personal-data-protection-amendment-act-2024/>

Newspaper articles

‘iPay88 breach only affected card data from online transactions’ New Straits Times (Kuala Lumpur, 7 October 2022) <https://www.nst.com.my/news/nation/2022/10/838175/ipay88-breach-only-affected-card-data-online-transactions>

[1] Wilson Ang & Jeremy Lua & Terence De Silva, ‘New Horizons in Data Protection: Malaysia’s Personal Data Protection (Amendment) Act 2024’ (2025) Norton Rose Fulbright <https://www.dataprotectionreport.com/2025/01/new-horizons-in-data-protection-malaysias-personal-data-protection-amendment-act-2024/>.

[2] “Government” means the Government of Malaysia, comprising the Prime Minister’s Department and all the Ministries; whilst “State Government” means the government of a state, comprising the State Department, State Secretary’s office, land and district offices and local authorities.

[3] Sidi Mohamed Sidi Ahmed & Sonny Zulhuda, ‘Data Protection Challenges in the Internet of Things Era: An Assessment of Protection Offered by PDPA 2010’ (2019) International Journal of Law, Government and Communication, 4(17), 1–12 <https://doi.org/10.35631/ijlgc.417001>.

[4] Ali Alibeigi & Abu Bakar Munir, ‘Malaysian Personal Data Protection Act, a Mysterious Application’ (2020) University of Bologna Law Review, 5(2), 362–374 <https://doi.org/10.6092/ISSN.2531-6133/12441>.

[5] ‘iPay88 breach only affected card data from online transactions’ New Straits Times (Kuala Lumpur, 7 October 2022) <https://www.nst.com.my/news/nation/2022/10/838175/ipay88-breach-only-affected-card-data-online-transactions>.

[6] General Data Protection Regulation.

[7] Personal Data Protection Act 2010, s 143.

[8] Personal Data Protection Act 2010, s 46.

[9] Ali Alibeigi & Abu Bakar Munir, ‘Malaysian Personal Data Protection Act, a Mysterious Application’ (2020) University of Bologna Law Review, 5(2), 362–374 <https://doi.org/10.6092/ISSN.2531-6133/12441>.

[10] Huda Hamidon & Salliza Md Radzi & Noor Rahmawati Alias & Noorfadzilah Arifin & Zuriani Ahmad Zukarnain, ‘Personal Data Abuse: Preliminary Survey Among Malaysian Youth Netizens’ (2022) Journal of Information and Knowledge Management (JIKM), 1 <https://ijikm.uitm.edu.my/pdf/special_issue_icis_2022/192-210-Personal-Data-Abuse_Preliminary.pdf>.

[11] Ana I. Cerezo & Javier Lopez & Ahmed Patel, ‘International Cooperation to Fight Transnational Cybercrime’ (2007), WDFIA, 13–27 <https://doi.org/10.1109/WDFIA.2007.4299369>.

[12] Ahmad Redzuan Bin Mohamad & Mohd Rizal Yaakop & Mohd Azmi Bin Mohd Razif, ‘The Efficacy of the Malaysian Government’s Response towards Cybercrime’ (2024) Open Journal of Political Science, 14(01), 166–176 <https://doi.org/10.4236/ojps.2024.141010>.

[13] Mohamad Fadli Zolkipli & Diviya Shini Rajamanickam, ‘Personal Data Protection Awareness through the Use of YouTube among the Youths in UUM’ (2021) Journal of ICT in Education, 8(2), 60–70 <https://doi.org/10.37134/jictie.vol8.2.6.2021>.

[14] Jan Tolsdorf & Florian Dehling & Luigi Lo Lacono, ‘Data Cart – Designing a Tool for the GDPR-Compliant Handling of Personal Data by Employees’ (2022) Behaviour and Information Technology, 41(10), 2070–2105 <https://doi.org/10.1080/0144929X.2022.2069596>.
