How are data and cybersecurity laws/regulations implemented?
Last review date: 31 December 2024
☒ omnibus – all personal data
☒ sector-specific — e.g., financial institutions, governmental bodies
What are the key data privacy laws and regulations?
Last review date: 31 December 2024
- Personal Data Protection Act 2010 (PDPA)
- Personal Data Protection (Amendment) Act 2024
- Personal Data Protection Regulations 2013
- Personal Data Protection (Registration of Data User) Regulations 2013
- Personal Data Protection (Fees) Regulations 2013
- Personal Data Protection (Class of Data Users) Order 2013
- Personal Data Protection (Class of Data Users) (Amendment) Order 2016
- Personal Data Protection (Compounding of Offences) Regulations 2016
- Personal Data Protection (Appeal Tribunal) Regulations 2021
- Personal Data Protection Standard 2015 (PDPS)
- General Code of Practice of Personal Data Protection
What are the key cybersecurity laws and regulations?
Last review date: 31 December 2024
- Cyber Security Act 2024 (CSA)
- Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024
- Cyber Security (Notification of Cyber Security Incident) Regulations 2024
- Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024
- Cyber Security (Compounding of Offences) Regulations 2024
- Personal Data Protection Act 2010
- Computer Crimes Act 1997
- Communications and Multimedia Act 1998
- Communications and Multimedia (Licensing) Regulations 2000
- Communications and Multimedia (Compounding of Offences) Regulations 2001
- Digital Signature Act 1997
- Digital Signature Regulations 1998
- Electronic Commerce Act 2006
- Penal Code - the Penal Code criminalizes certain cyber-related activities such as online cheating, fraud, criminal defamation, intimidation and pornography
What are the key laws and regulations relating to non-personal data?
Last review date: 31 December 2024
- Data Sharing Bill 2024 (not yet in force). Note, however, that this is intended to govern data sharing among public sector agencies only.
Are new or material changes to those key data and cybersecurity laws anticipated in the near future?
Last review date: 31 December 2024
Yes.
The changes introduced by the Personal Data Protection (Amendment) Act 2024 to the PDPA will come into force on:
- 1 January 2025 – ancillary changes such as the rectification of the legislative text in Malay language, revised powers of the Personal Data Protection Commissioner to open and maintain bank accounts, and service of notice and other documents by way of electronic means.]
- 1 April 2025 – direct obligations on data processors to comply with the security principle, changes to cross-border transfer rules, revised definitions of "sensitive personal data" and "personal data" and increased penalties.
- 1 June 2025 – data protection officer (DPO) appointment, mandatory data breach notifications, and data subject rights to data portability.
In November 2024, the Personal Data Protection Department announced that:
- A revised version of the PDPS and four new guidelines on cross-border data transfers, DPOs, data breach notifications, and data portability, are expected to be released in early 2025.
- Three new guidelines on data protection impact assessment, profiling and automated decision making, and privacy by design, are expected to be released in the third quarter of 2025.
The Data Sharing Bill 2024 has been passed by the Malaysian Parliament in December 2024. When in force, it will regulate the sharing of data within the control of a public sector agency with another public sector agency and other related matters.