Malaysia

A major Asia-Pacific submarine cable hub straddling the Strait of Malacca — one of the world’s most critical digital chokepoints — whose data protection law explicitly exempts federal and state governments, whose intelligence services operate with virtually no public legal framework, and whose colonial-era Special Branch and the secretive MEIO maintain intelligence-sharing links to Five Eyes nations through the Five Power Defence Arrangements

Overview

Malaysia’s privacy landscape is defined by a fundamental contradiction: its Personal Data Protection Act 2010 (PDPA), which took effect on November 15, 2013, explicitly does not apply to the federal government or state governments — the very entities with the greatest capacity to conduct mass surveillance. The PDPA is enforced by the Jabatan Perlindungan Data Peribadi (JPDP), the Department of Personal Data Protection under the Ministry of Communications and Digital. A watershed PDPA Amendment Act 2024, gazetted on October 17, 2024, introduced mandatory breach notification, data portability rights, mandatory Data Protection Officer appointments, and increased penalties to RM 1,000,000 — but did not extend coverage to government bodies.[1][2]

On the surveillance side, Malaysia’s Special Branch (Cawangan Khas) — one of the oldest intelligence services in Southeast Asia, modeled on the British Special Branch during the colonial era — conducts domestic intelligence under the Royal Malaysia Police. The MEIO (Malaysian External Intelligence Organisation), publicly known as the Research Division of the Prime Minister’s Department, handles foreign intelligence with no publicly known governing statute. The Malaysian Communications and Multimedia Commission (MCMC) regulates internet content and has ordered ISPs to block news outlets, LGBT+ platforms, and other sites deemed objectionable. Malaysia is a party to the Five Power Defence Arrangements (FPDA) alongside Singapore, the United Kingdom, Australia, and New Zealand — the only multilateral defence pact linking these three Five Eyes members to non-Five Eyes states. Geographically, 26+ submarine cable systems land on Malaysian shores, making the country a critical node in the digital infrastructure connecting the Indian and Pacific Oceans through the Strait of Malacca.[3][4][5]

Data Protection Authority: JPDP

The Jabatan Perlindungan Data Peribadi (JPDP) — the Department of Personal Data Protection — is Malaysia’s data protection authority established under the PDPA 2010, operating under the Ministry of Communications and Digital (formerly the Ministry of Communications and Multimedia). The JPDP registers data controllers (formerly “data users”), investigates complaints, conducts audits, and enforces compliance. Under the 2024 amendments, the JPDP’s enforcement powers have been significantly expanded, with penalties for breaching data protection principles increased from RM 300,000 to RM 1,000,000 and imprisonment from two to three years.[1][2]

The JPDP has signaled that onsite inspections and audits will be significantly ramped up in the second half of 2025, and has indicated that sector-specific reforms covering Data Protection Impact Assessments (DPIAs), automated decision-making, profiling, and artificial intelligence in data processing will follow by year-end. The mandatory breach notification regime, effective June 1, 2025, requires organizations to notify the JPDP of breaches involving 1,000 or more individuals and to inform affected individuals within seven days if the breach poses a risk of harm.[6][7]

Key Legislation

Personal Data Protection Act 2010 (PDPA) — Act 709

Malaysia’s primary data protection statute, enacted in 2010 and effective November 15, 2013. The PDPA establishes seven data protection principles: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access. Critically, Section 3(1) exempts the Federal Government and State Governments from the Act’s scope entirely. The PDPA also does not apply to data processed outside Malaysia unless the data is intended for processing within Malaysia. Despite increasing government data breaches, the 2024 amendment did not remove this exemption, though JPDP has indicated future amendments may extend coverage to government bodies.[1][8]

PDPA Amendment Act 2024 — Act A1727

Gazetted on October 17, 2024, with implementation in three tranches (January 1, April 1, and June 1, 2025). Key changes include: replacing the term “data user” with “data controller”; mandatory appointment of a Data Protection Officer; direct obligations for data processors; mandatory data breach notification; data portability rights; expanded definition of sensitive personal data to include biometric data; enhanced cross-border transfer provisions; and increased penalties to RM 1,000,000 and/or three years’ imprisonment.[2][9]

Communications and Multimedia Act 1998 (CMA) — Act 588

Malaysia’s primary law governing telecommunications and internet regulation. Section 233 criminalizes the “improper use” of network facilities or services to create, transmit, or publish content that is “obscene, indecent, false, menacing, or offensive.” Section 233 has been used extensively to prosecute online speech critical of the government, the monarchy, or religion. Penalties were increased under the CMA Amendment Act 2025 (passed December 9, 2024; effective February 11, 2025) from RM 50,000 to RM 500,000 and imprisonment from one to two years. On August 19, 2025, the Court of Appeal unanimously ruled in Heidy Quah v Government of Malaysia that the words “offensive” and “annoy” in Section 233(1)(a) were unconstitutional, though the government has appealed to the Federal Court.[10][11][12]

Security Offences (Special Measures) Act 2012 (SOSMA)

Enacted on June 18, 2012, replacing the Internal Security Act 1960 (ISA), which had permitted indefinite detention without trial renewable at the home minister’s discretion. SOSMA allows police detention of up to 28 days without a court order for persons suspected of involvement in security offences. While presented as an improvement over the ISA, human rights organizations have criticized SOSMA for retaining broad detention powers, lacking meaningful judicial oversight during the 28-day period, and using an overbroad definition of “security offence.” SOSMA detentions surged in 2024. The Prime Minister directed a review of SOSMA as of February 14, 2025.[13][14]

Sedition Act 1948

A colonial-era law criminalizing speech with “seditious tendency,” including speech that would “bring into hatred or contempt or to excite disaffection against” the government. Despite repeated government promises to repeal it, the Act remains in force and has been used to prosecute online speech, including social media posts criticizing the monarchy or the Prime Minister.[15]

Official Secrets Act 1972 (OSA)

Prohibits the dissemination of information classified as an official secret, with mandatory imprisonment of one to seven years. The classification of a document as an official secret is not subject to judicial review. The OSA has been used to restrict reporting on government corruption, particularly during the 1MDB scandal.[16]

Surveillance and Intelligence

Special Branch (Cawangan Khas)

The Special Branch (SB), known in Malay as Cawangan Khas, is Malaysia’s primary domestic intelligence agency, operating as a division of the Royal Malaysia Police. Established during the British colonial era and modeled on the UK Special Branch, it is one of the oldest intelligence services in Southeast Asia. The SB played a central role during the Malayan Emergency (1948–1960), successfully infiltrating the Malayan Communist Party’s chain of command. Today, the SB is headed by a Director with the rank of Commissioner of Police and operates through compartmentalized divisions designated by “E” codes for targeted intelligence on internal security threats, subversive activities, extremism, and espionage. The SB has been instrumental in counter-terrorism operations against Jemaah Islamiyah and ISIS-affiliated networks.[3]

MEIO (Malaysian External Intelligence Organisation)

The MEIO, publicly known as the Research Division of the Prime Minister’s Department, is Malaysia’s foreign intelligence agency. Established in the 1960s during the Indonesia-Malaysia Confrontation (Konfrontasi), it was set up largely under the auspices and guidance of the UK’s Secret Intelligence Service (MI6). The MEIO is estimated to employ between 300 and 1,000 personnel, with approximately half stationed abroad. Its remit covers intelligence collection, analysis, and “special operations” (operasi khas) in support of national security. No public law governs the MEIO’s operations, making it one of the most opaque intelligence agencies in the region. In 2018, a letter from MEIO Director-General Hasanah Abu Hamid to CIA Director Gina Haspel was leaked, revealing that the agency had solicited US support for then-Prime Minister Najib Razak’s administration — the letter was confirmed as genuine and classified under the Official Secrets Act.[17][18]

MCMC (Malaysian Communications and Multimedia Commission)

The MCMC is the statutory body regulating the communications and multimedia industry under the CMA 1998. Beyond spectrum management and licensing, the MCMC functions as Malaysia’s internet censor, ordering ISPs to block websites, requiring content takedowns, and overseeing lawful interception capabilities. In 2023–2024, the MCMC ordered ISPs to block several news outlets perceived as critical of the government, as well as Grindr, an LGBT+ dating app. Freedom House rated Malaysia’s internet freedom at 60 out of 100 (partly free) in its 2024 assessment, noting the MCMC’s expanding content-blocking orders. The 2025 CMA amendments further expanded MCMC powers to compel service providers to disclose user data and suspend non-compliant content platforms.[4][10]

Internal Security Act Legacy

The Internal Security Act 1960 (ISA) permitted 60 days of police detention followed by two-year detention orders renewable indefinitely on the home minister’s authority alone. Thousands were detained under the ISA over its five decades, including political opponents, trade unionists, religious figures, and journalists. The ISA was repealed in 2012 and replaced by SOSMA, which reduced but did not eliminate the framework for detention without trial.[14]

Internet Infrastructure and Submarine Cables

Submarine Cable Hub

Malaysia is one of the most significant submarine cable hubs in the Asia-Pacific region, with 26+ cable systems landing on its shores. Cable landing stations are concentrated in Mersing, Cherating, and Kuantan on the east coast of Peninsular Malaysia, and in Kota Kinabalu, Kuching, Bintulu, and Miri in East Malaysia (Sabah and Sarawak). Major cable systems include SEA-ME-WE 3 (retired December 2024), SEA-ME-WE 4, SEA-ME-WE 5, SEA-ME-WE 6, APCN-2, APG, AAG, MCT, SEAX-1, SKR1M (domestic), ASE, and BDM, among others. The planned MYUS cable (~2027) will provide direct connectivity to the United States.[19][20]

Strait of Malacca Chokepoint

Malaysia’s position along the Strait of Malacca — the shortest sea route between the Indian and Pacific Oceans, transited by over 80,000 vessels annually — makes it a critical chokepoint for both maritime shipping and submarine cable infrastructure. Numerous cables traverse the Strait between Singapore, Indonesia, and Malaysia before continuing into the South China Sea toward Japan, Korea, and beyond. The Strait of Malacca is recognized as one of the world’s three primary submarine cable chokepoints, alongside the Luzon Strait and the Suez Canal–Red Sea passage. Any disruption to cables in this corridor would trigger connectivity crises across the entire Asia-Pacific region.[21][22]

MyIX (Malaysia Internet Exchange)

The Malaysia Internet Exchange (MyIX) is a not-for-profit, neutral internet exchange point connecting local and international ISPs, data centers, and content providers. MyIX connects over 100 different networks, including major international platforms such as Google, Facebook, Microsoft, Amazon, Alibaba, Cloudflare, and Tencent. Internet traffic on the MyIX network has grown over 70 times since 2009.[23]

SKR1M Domestic Cable

The Sistem Kabel Rakyat 1 Malaysia (SKR1M) is a 3,700 km domestic submarine cable system connecting Peninsular Malaysia to Sabah and Sarawak (East Malaysia), linking Cherating, Mersing, Kota Kinabalu, Kuching, Bintulu, and Miri. Established as a public-private partnership between Telekom Malaysia and the Malaysian Government through the MCMC, SKR1M provides lit capacity of 4 Tbps upgradeable to 12.8 Tbps.[20]

Data Retention

Malaysia has no specific mandatory data retention law for the telecommunications industry as of early 2025. However, the CMA provides the framework for lawful interception: the Minister of Communications may require licensed operators to implement interception capabilities, and licensed providers must comply with lawful interception requests from regulatory authorities. The CMA Amendment Act 2025 introduced a new Section 112 on “Preservation of communications data,” though its commencement date has been deferred to a date to be determined by the Minister. Once in effect, this provision is expected to formalize data preservation obligations for licensed providers.[24]

The PDPA’s Retention Principle requires data controllers to destroy personal data once it is no longer needed for its original purpose — but because the PDPA does not apply to the federal or state governments, there is no data minimization or retention limitation applicable to government surveillance data.[1]

International Data Sharing Agreements

Five Power Defence Arrangements (FPDA)

The FPDA, established in 1971, is a series of multilateral defence agreements between Malaysia, Singapore, the United Kingdom, Australia, and New Zealand. It is the only multilateral defence pact that links three Five Eyes member states (UK, Australia, New Zealand) to non-Five Eyes nations (Malaysia, Singapore). While the FPDA is nominally consultative rather than a binding mutual defence treaty, it includes intelligence-sharing components focused on counter-terrorism threats to Malaysia and Singapore. The arrangement has increasingly taken on a maritime character, reflecting security challenges in the Strait of Malacca and the South China Sea. Through the FPDA, Malaysia maintains institutional intelligence links to the Five Eyes network without formal Five Eyes membership.[5][25]

ASEAN Cooperation

Malaysia participates in ASEAN data governance frameworks, including the ASEAN Model Contractual Clauses (MCCs) published in January 2021 for cross-border data transfers within the region. A joint guide aligning ASEAN MCCs with EU Standard Contractual Clauses was published by the European Commission and ASEAN in 2023.[26]

EU Adequacy and Cross-Border Transfers

Malaysia does not have an EU adequacy decision. Under the 2024 PDPA amendments, data controllers may transfer personal data outside Malaysia if the destination country has substantially similar law or ensures an adequate level of protection equivalent to the Malaysian PDPA. The JPDP maintains a whitelist of approved jurisdictions for cross-border transfers.[2]

Bilateral Relationships

Malaysia maintains bilateral intelligence and security relationships with the United States, China, and other major powers. The MEIO’s 2018 letter to the CIA revealed the depth of the Malaysia-US intelligence relationship. Malaysia has also expanded defence and security cooperation with China, while maintaining its traditional FPDA ties to the UK, Australia, and New Zealand — a balancing act characteristic of Malaysian foreign policy.[18]

The Privacy Backdoor Effect

Malaysia’s PDPA 2010 explicitly exempts federal and state government data processing from its scope — a fundamental structural asymmetry: the law constrains private-sector handlers but places no restriction on government surveillance. International intelligence sharing and Malaysia’s cable hub position amplify this gap for both residents and foreign nationals:

  • FPDA Intelligence Sharing: Through the Five Power Defence Arrangements, Malaysia maintains intelligence-sharing links with Singapore and with Australia, New Zealand, and the United Kingdom (all three Five Eyes members). Intelligence shared through FPDA channels reaches Five Eyes databases outside any Malaysian privacy law constraint.
  • Strait of Malacca Cable Chokepoint: Malaysia’s 26+ submarine cable systems passing through Malaysian territorial waters create a chokepoint where Special Branch and MEIO can access communications under the Communications and Multimedia Act without any equivalent of GDPR protection for foreign nationals.
  • CMA and MCMC Monitoring Authority: MCMC has broad administrative authority to direct ISPs to monitor and block traffic; this authority extends to foreign-origin communications transiting Malaysian networks.
  • No EU Adequacy: Malaysia has no EU adequacy decision, meaning EU-origin data transferred to Malaysia does not automatically receive EU-standard protections; private-sector handlers require SCCs or BCRs.
  • SOSMA and OSA Access: Communications obtained under SOSMA or the Official Secrets Act are admissible in evidence with restricted judicial oversight, and may include foreign-origin communications.

For Malaysian persons, PDPA 2010 applies only to private-sector data processing — government agencies including Special Branch, MEIO, and MCMC are statutorily exempt. For foreign nationals whose data or communications transit Malaysian infrastructure, no Malaysian privacy law provides protection; the operative frameworks are the CMA 1998, SOSMA 2012, and OSA 1972, all authorizing access with minimal judicial oversight. The PDPA’s government exemption means Malaysia’s data protection law is structurally incapable of protecting either residents from government surveillance or foreign nationals from interception.

Recent Developments

CMA Section 233 Ruled Partly Unconstitutional (August 2025)

On August 19, 2025, the Court of Appeal unanimously struck down the words “offensive” and “annoy” from Section 233(1)(a) of the CMA in the Heidy Quah case, ruling they violated Articles 8 and 10 of the Federal Constitution. The government has appealed to the Federal Court, and the 2025 CMA amendments retained the word “annoy” and replaced “offensive” with “grossly offensive.”[12]

CMA Amendment Act 2025 (February 2025)

Passed on December 9, 2024, and effective February 11, 2025, the amendments expanded MCMC powers to compel user data disclosure, suspend non-compliant content platforms, and increased Section 233 penalties from RM 50,000 to RM 500,000. Civil society organizations condemned the amendments as a step backwards for freedom of expression.[10]

PDPA Amendment Act 2024 Implementation (January–June 2025)

The watershed PDPA amendments took effect in three tranches: January 1, April 1, and June 1, 2025. The June 1 tranche brought mandatory breach notification and DPO appointment requirements into force. Penalties increased to RM 1,000,000. The term “data user” was replaced with “data controller” throughout the Act.[2][9]

SOSMA Review Ordered (February 2025)

Following a surge in SOSMA detentions in 2024, including mass arrests related to the GISBH organization, Prime Minister Anwar Ibrahim directed a review of the Security Offences (Special Measures) Act as of February 14, 2025.[13]

MCMC Content Blocking Expansion (2023–2024)

The MCMC ordered ISPs to block several news outlets critical of the government and the LGBT+ dating app Grindr. Freedom House downgraded Malaysia’s internet freedom score to 60 out of 100 (partly free) in its 2024 assessment.[4]

Section 233 Prosecutions Surge (2024–2025)

Investigations and arrests under laws restricting freedom of expression rose 23% in 2025 compared to 2024, with Section 233 of the CMA and the Sedition Act being the primary instruments used against online speech.[15][27]

Sources

[1] JPDP: Personal Data Protection Act 2010 (Act 709) – PDPA text, seven data protection principles, Section 3(1) government exemption, Retention Principle
[2] Data Protection Report: Malaysia Introduces Watershed Amendments to PDPA 2010 (July 2024) – Amendment Act 2024, mandatory breach notification, DPO requirement, data portability, enhanced penalties, biometric data definition
[3] Wikipedia: Special Branch (Malaysia) – Cawangan Khas history, British colonial origin, Malayan Emergency, “E” code divisions, counter-terrorism operations
[4] Freedom House: Malaysia – Freedom on the Net 2024 – Score 60/100 (partly free), MCMC website blocking orders, ISP content blocking, prosecution of online speech
[5] Wikipedia: Five Power Defence Arrangements – 1971 establishment, Malaysia, Singapore, UK, Australia, New Zealand, consultative defence pact
[6] Securiti: Malaysia’s 2025 Data Protection Guidelines – DPO Appointment and Breach Notification – June 1 2025 effective date, 1,000-individual breach threshold, 7-day notification period
[7] PS Engage: Malaysia’s Data Protection Act Takes Shape – JPDP enforcement ramp-up second half 2025, sector-specific reforms, DPIA guidelines, AI processing
[8] JPDP: Frequently Asked Questions – PDPA scope, government exemption confirmation, registration requirements, data controller obligations
[9] JPDP: Personal Data Protection (Amendment) Act 2024 – Act A1727, Royal Assent October 9 2024, gazetted October 17 2024, three-tranche implementation
[10] Amnesty International Malaysia: The Passing of the CMA Amendments (December 2024) – CMA amendments passed December 9 2024, 59-40 vote, expanded MCMC powers, increased penalties
[11] ARTICLE 19: Malaysia – Review the Communications and Multimedia Act Now – Section 233 analysis, improper use provisions, online speech prosecutions
[12] Christopher Lee & Ong: Court of Appeal Landmark Ruling on Section 233(1)(a) CMA – August 19 2025 ruling, Heidy Quah case, “offensive” and “annoy” struck down, Articles 8 and 10 Federal Constitution
[13] Cheang & Ariff: Security or Suppression? – The Debate Around SOSMA 2012 – SOSMA overview, 28-day detention, GISBH arrests 2024, PM review directive February 2025
[14] Human Rights Watch: Smoke and Mirrors – Malaysia’s “New” Internal Security Act (June 2012) – ISA repeal, SOSMA replacement, 60-day vs 28-day detention comparison, broad security offence definition
[15] CIVICUS Monitor: Malaysia – Government Stifles Expression and Increases Online Controls – Sedition Act prosecutions 2024, online speech investigations, Section 233 enforcement surge
[16] ARTICLE 19: Memorandum on the Malaysian Official Secrets Act 1972 – OSA analysis, mandatory imprisonment, no judicial review of classification, press freedom impact
[17] Wikipedia: Research Division of the Prime Minister’s Department – MEIO overview, 1960s establishment, MI6 guidance, Konfrontasi origins, 300–1,000 personnel
[18] BenarNews: Malaysia’s Ex-Spy Agency Chief Lodges Police Report over Leaked Letter to CIA (July 2018) – Hasanah Abu Hamid, MEIO-CIA letter May 4 2018, Gina Haspel, OSA classification
[19] TeleGeography: Submarine Cable Map – Malaysia – 26+ cable systems, landing station locations, cable system list
[20] SubmarineNetworks: Malaysia Cable Landing Stations – Mersing, Cherating, Kuantan, Kota Kinabalu, Kuching, Bintulu, Miri stations; SKR1M 3,700 km domestic cable, 4 Tbps capacity
[21] MIMA: Challenges to Submarine Cable Connectivity in Southeast Asia – Strait of Malacca cable chokepoint, vulnerability analysis, regional connectivity implications
[22] Eurasia Review: Digital Lifelines – Undersea Cables, Chokepoints, and Sea Lines of Communication (December 2025) – Three primary cable chokepoints (Luzon, Malacca, Suez-Red Sea), 80,000+ vessels annually
[23] MyIX: Malaysia Internet Exchange – Not-for-profit neutral IXP, 100+ connected networks, international content providers
[24] ICLG: Telecoms, Media & Internet Laws and Regulations – Malaysia (2026) – CMA regulatory framework, lawful interception requirements, Section 112 preservation of communications data
[25] FULCRUM: The Five Power Defence Arrangements – How to Sail Past Fifty – FPDA evolution, intelligence-sharing component, maritime security focus, counter-terrorism cooperation
[26] ASEAN: Model Contractual Clauses for Cross Border Data Flows – ASEAN MCCs published January 2021, cross-border data transfer framework, EU SCC alignment
[27] US State Department: 2024 Country Report on Human Rights Practices – Malaysia – Freedom of expression restrictions, SOSMA detentions, Sedition Act enforcement, MCMC powers
[28] DLA Piper: Data Protection Laws of the World – Malaysia – PDPA overview, regulatory framework, JPDP enforcement, cross-border transfers