Introduction of the Guidelines on Cross Border Personal Data Transfer of Malaysia

NO&T Asia Legal Review

Author
Yuan Yao Lee
Publisher
Nagashima Ohno & Tsunematsu
Journal / Book
NO&T Asia Legal Review No.100 (May, 2025)
*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

In October 2024, the Personal Data Protection (Amendment) Act 2024 (the “Amendment Act 2024”) was published in Malaysia’s Federal Gazette, and it is the first amendment to the principal personal data protection legislation in Malaysia, i.e. the Personal Data Protection Act 2010 (the “PDPA”). The amendments to the PDPA consist of, amongst others, the introduction of data breach notifications and appointment of data protection officers, and amendments to the framework regarding cross border transfers of a data subject’s personal data under Section 129 of the PDPA.

In light of the foregoing, on 29 April 2025, the Personal Data Protection Commissioner of Malaysia issued the Personal Data Protection Guidelines on Cross Border Personal Data Transfer (the “CBPDT Guidelines”) to clarify the requirements for compliance with each condition for the transfer of personal data out of Malaysia under Section 129 of the PDPA, and to assist data controllers in deciding which condition may be relied upon for any cross border personal data transfer.

Original Framework under Section 129 of the PDPA

Sections 129(1) and 129(2) of the PDPA prior to the Amendment Act 2024 provided that a data controller must not transfer any personal data outside Malaysia unless the place is specified by the Minister responsible for personal data protection in the Gazette and such place must fulfil the following criteria, namely (i) that place must have in force law which is substantially similar to the PDPA, or that serves the same purposes as the PDPA; or (ii) that place must ensure an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.

Although a public consultation paper was issued by the Personal Data Protection Commissioner of Malaysia in 2017 regarding a proposed “whitelist” of specified countries to which personal data originating in Malaysia can be transferred, the “whitelist” was not published in the Gazette.

Notwithstanding the above, in the past, data controllers have generally relied on Section 129(3) of the PDPA to transfer personal data outside of Malaysia if they fulfil any of the conditions prescribed thereunder. Some examples of the conditions are as follows:

  1. the data subject has given his consent to the transfer,
  2. the data controller has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of the PDPA, and
  3. the transfer is necessary as being in the public interest in circumstances as determined by the said Minister.

Among the conditions outlined in Section 129(3) of the PDPA, one of the most practical and straightforward conditions relied upon by data controllers to carry out a cross border transfer of personal data from Malaysia was to obtain the data subjects’ consent for such cross border transfer. In practice, the consent was obtained by including a statement within the privacy policy/notice issued to data subjects that their personal data may be transferred outside of Malaysia.

Revised Framework under the Current Section 129 of the PDPA

The amended Section 129 of the PDPA came into force on 1 April 2025 and only one of the conditions specified in Section 129(3) thereof, i.e. “the transfer is necessary as being in the public interest in circumstances as determined by the Minister”, was deleted. Accordingly, a data controller may still rely on the other conditions to carry out cross border transfers of personal data, such as having obtained the data subject’s prior consent for the transfer, and having taken all reasonable precautions and exercised all due diligence in relation to the transfer. This article now considers these 2 specific conditions in more detail below.

Data Subjects’ Prior Consent for Cross Border Transfer

The CBPDT Guidelines clarified that a data controller relying on the data subject’s prior consent for a cross border transfer of personal data must first provide the data subject with a personal data protection notice containing the following details: (i) the class of third parties to whom the data is transferred; and (ii) the purpose of the transfer. Thereafter, the data controller must obtain the consent of the data subject for the personal data transfer, and such consent must be recorded and maintained in accordance with the requirements of the Personal Data Protection Regulations 2013.

All Reasonable Precautions and Due Diligence relating to the Cross Border Transfer

Pursuant to Section 129(3)(f) of the PDPA, a data controller may transfer any personal data to a place outside Malaysia if it has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place were Malaysia, would be a contravention of the PDPA. With regard to this condition, the CBPDT Guidelines clarified that “all reasonable precautions and exercised due diligence” may be demonstrated through the following mechanisms:

  1. Binding corporate rules;
  2. Contractual clauses; or
  3. Certification under an approved certification scheme.

Binding corporate rules are clarified in the CBPDT Guidelines to mean personal data protection policies that are implemented by, amongst others, a multinational corporate group, or a group of enterprises engaged in a joint economic activity such as a franchise, joint venture or professional partnership. These rules must fulfil the requirements set forth in the CBPDT Guidelines, including (i) specifying the parties governed under the rules; (ii) specifying the jurisdictions to which personal data may be transferred; (iii) being legally binding on all the parties to the rules and the relevant data subjects whose data is transferred under the rules; (iv) requiring parties to ensure a protection standard equivalent to the PDPA; and (v) being reviewed from time to time for updates.

In respect of contractual clauses, the CBPDT Guidelines cited some international model clauses for a data controller intending to rely on this condition, such as the adoption of the Association of Southeast Asian Nations (ASEAN) Model Contractual Clauses for Cross Border Data Flows or the European Union General Data Protection Regulation (EU GDPR) Standard Contractual Clauses for the Transfer of Personal Data to Third Countries.

Reliance on the aforesaid contractual clauses or other clauses to carry out cross border transfers of personal data is subject to fulfilment of certain requirements under the CBPDT Guidelines. For example, such clauses must be legally binding on the data controller and the receiver of personal data. The data controller must also ensure the clauses cover (i) the security measures that are to be implemented to provide an adequate level of protection (equivalent to the level afforded by the PDPA) in relation to the processing of personal data; and (ii) statements guaranteeing that the processing of personal data shall be carried out in compliance with the PDPA. In addition, the data controller must take all reasonable precautions at all times to ensure that the receiver of the personal data complies with the terms provided by the contractual clauses. If the data controller discovers any breach of the contractual clauses by the counterparty, the transfer of personal data to the counterparty must cease until the breach is rectified.

Finally, in terms of cross border transfers relying on the certification avenue, the receiver of the personal data must possess a valid recognised certificate, that is, a certificate issued by an accredited body or authority that verifies that a data controller or data processor is in compliance with data protection standards or laws, whether locally or internationally. Examples of recognised certificates stated in the CBPDT Guidelines include Europrivacy and the Legal Services Operational Privacy Certification Scheme.

General Criteria for Cross Border Transfer outside the Scope of the Specified Conditions

If a data controller is not able to rely on any of the specified conditions under Section 129(3) of the PDPA (e.g. prior consent of data subjects or standard contractual clauses), the data controller may still transfer personal data outside of Malaysia upon fulfilment of any of the 2 amended criteria under Section 129(2) of the PDPA.

Pursuant to the Amendment Act 2024, Section 129(1) of the PDPA, namely the “whitelist” provision, has been deleted, and Section 129(2) thereof was amended to allow a data controller to transfer personal data outside Malaysia if that place (i) has in force a law which is substantially similar to the PDPA; or (ii) ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.

Law which is Substantially Similar to the PDPA

The scope of a law that is substantially similar to the PDPA has been clarified in the CBPDT Guidelines to mean that the content of the law, such as the protection, rights and requirements related to processing (including collection, disclosure, retention and cross border personal data transfer), is similar to that provided under the PDPA. To ascertain this, the CBPDT Guidelines state that a data controller may conduct a Transfer Impact Assessment (“TIA”) to review the relevant personal data protection law of the receiving country/jurisdiction. The validity period of the findings of such a TIA must not exceed 3 years, and a follow-up TIA must be conducted thereafter.

In addition, if a change or amendment to the relevant personal data protection laws occurs during the validity period of the TIA, the data controller must review the changes or amendments made to determine whether, as a result of the change or amendment, the relevant personal data protection law is still substantially similar to the PDPA. Specific factors to be considered when conducting, and steps to conduct, a TIA are also prescribed in the CBPDT Guidelines.

Adequate Level of Protection that is Equivalent to PDPA

Similar to the mechanism for ascertaining a law substantially similar to the PDPA, the CBPDT Guidelines state that a data controller may conduct a TIA to determine if the level of protection of personal data offered by the receiving country/jurisdiction is equivalent to the PDPA. The CBPDT Guidelines also set forth specific factors to be considered when conducting, and the steps to conduct, such a TIA. Examples of the aforesaid factors include (i) whether the receiver has in place any security related certifications under which its systems have been assessed and deemed to be secure; (ii) whether the relevant personal data protection law governing the receiver can be easily enforced; and (iii) the receiver’s past history of compliance with the relevant personal data protection law and whether it has experienced any data breach incidents. As is the case for the TIA reviewing the receiving country’s personal data protection law, the validity period of the findings of this TIA must also not exceed 3 years, and a follow-up TIA must be conducted thereafter in accordance with the CBPDT Guidelines.

Conclusion

The publication of the CBPDT Guidelines provides more clarity and represents a more structured framework in respect of cross border transfers of personal data originating from Malaysia, better aligned with other international standards. Moving forward, data controllers and data processors which undertake cross border transfers from Malaysia must review their existing data privacy policies and personal data protection notices to ensure compliance with the amended Section 129 of the PDPA and the CBPDT Guidelines.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
