Overseas hosting
8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?

Yes. The Personal Data Protection Act 2010 ("PDPA") prohibits the transfer of personal data outside Malaysia, unless that jurisdiction has been specified by the new minister of communications and digital ("Minister") and published in the Gazette. To date, the Minister has yet to specify any country to which personal data may be transferred without any restrictions. Note that there have been proposals to replace the current whitelist regime with a blacklist regime (i.e., data users will generally be allowed to transfer personal data to any jurisdiction save for those blacklisted by the Minister). However, this has not yet been implemented.

Subject to further updates, it is generally recommended that data users obtain data subjects' consent prior to any cross-border transfers, as consent is one of the exceptions to the prohibition. Where it is impractical to obtain consent, data users may choose to rely on other exceptions under the PDPA, such as the following:

  • Where the transfer is necessary to (i) perform a contract between the data subject and the data user, or (ii) conclude or perform a contract between the data user and a third party that (A) is entered into at the data subject's request, or (B) is in the data subject's interests
  • Where data users have taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner that, if that place is Malaysia, would be a contravention of the PDPA