Malaysia Implements Major PDPA Overhaul and Launches Risk-Based Cross-Border Transfer Guidelines
Malaysia's data protection landscape underwent a profound transformation with the phased implementation of the Personal Data Protection (Amendment) Act 2024 (PDPA Amendment) between January and June 2025, alongside the official launch of the Guidelines for Cross Border Personal Data Transfer (CBPDT Guidelines) on April 29, 2025. These developments modernize Malaysia's framework, bringing it closer in line with global standards (such as the EU GDPR) and providing a structured, risk-based approach for compliance teams.
Key PDPA Amendments (January – June 2025)
The amendments introduce several critical updates for multinational organizations:
- Terminology Alignment: Replaces the term "data user" with "data controller" and narrows the definition of personal data to exclude deceased individuals, while expanding "sensitive personal data" to include biometric data.
- Direct Processor Liability: Data processors are now directly subject to the Security Principle (PDPA Section 9) and face criminal penalties for failing to implement practical security steps.
- Increased Penalties: The maximum fine for breaches of Data Protection Principles is raised from RM300,000 to RM1,000,000 (~USD 236,000), with a maximum imprisonment term of three years.
- Mandatory DPOs & Breach Notification: Organizations must appoint at least one Data Protection Officer (DPO). Furthermore, data controllers must notify the Commissioner as soon as practicable of any personal data breach, and notify affected individuals without unnecessary delay if the breach is likely to cause significant harm.
- Data Portability: Establishes data subjects' rights to request direct transmission of their personal data between controllers, where technically feasible.
Revised Cross-Border Transfer Regime & CBPDT Guidelines
The PDPA Amendment removes the previous "whitelist" approach—which required a recommendation by the Commissioner and approval by the Minister—replacing it with a risk-based framework under Section 129. The CBPDT Guidelines outline five legal bases for lawful cross-border transfers:
- Similar Law or Adequate Protection: Transfers are allowed if the destination country has "substantially similar" laws or ensures an "adequate level of protection." Data controllers must perform a Transfer Impact Assessment (TIA) to evaluate destination safeguards. TIA findings are valid for up to three years.
- Consent: Requires obtaining and recording explicit written consent after notifying the data subject of the transfer's purpose and the classes of third-party recipients.
- Contractual Necessity or Vital Interests: Allowed if the transfer is "for the core purpose of the contract" with the data subject or a third party (at the data subject's request), or to protect vital interests.
- Legal Purposes: Allowed for legal proceedings, obtaining legal advice, or establishing, exercising, or defending legal rights.
- Reasonable Precautions and Due Diligence: The guidelines recognize three compliance mechanisms to prove due diligence:
  - Binding Corporate Rules (BCRs): For intra-group transfers within multinational corporations.
  - Contractual Clauses: Using minimum contractual safeguards (e.g., ASEAN Model Contractual Clauses or EU GDPR Standard Contractual Clauses).
  - Certification: Recognized certifications such as APEC CBPR/PRP or Europrivacy.
Regardless of the transfer basis, organizations must maintain comprehensive transfer records, notify data subjects in writing, and establish contractual safeguards with recipients.