Deep Lex

Malaysia AI Regulation

AI Regulation Timeline

  1. 26/10/2025
    treaty

    United States and Malaysia signed Agreement on Reciprocal Trade including cross-border data transfer regulation

    On 26 October 2025, the United States and Malaysia signed an Agreement on Reciprocal Trade concerning cross-border data transfer regulation. The Agreement commits Malaysia to ensuring protected cross-border transfer of electronic data across trusted borders. Further, Malaysia must refrain from measures that discriminate against US digital services and digitally-distributed products and endeavour to collaborate on related cybersecurity matters.

  2. 26/10/2025
    treaty

    United States and Malaysia signed Agreement on Reciprocal Trade including prohibition of digital services tax

    On 26 October 2025, the United States and Malaysia signed an Agreement on Reciprocal Trade. The Agreement provides that Malaysia shall not impose digital services taxes discriminatory against US companies in law or in fact.

  3. 26/10/2025
    treaty

    United States and Malaysia signed Agreement on Reciprocal Trade including prohibition of customs duties on electronic transmissions

    On 26 October 2025, the United States and Malaysia signed an Agreement on Reciprocal Trade prohibiting the imposition of customs duties on electronic transmissions, committing both parties to support an international moratorium on such duties. The agreement affirms the right to impose compatible internal taxes or charges on electronic transmissions, provided they align with existing Global Agreement on Tariffs and Trade (GATT) and World Trade Organisation (WTO) Global Agreement on Trade in Services (GATS) agreements.

  4. 26/10/2025
    treaty

    United States and Malaysia signed Agreement on Reciprocal Trade including technology transfer requirements

    On 26 October 2025, the United States and Malaysia signed an Agreement on Reciprocal Trade that outlines technology transfer requirements. The Agreement specifies that Malaysia shall not compel US companies to transfer proprietary knowledge or accord preference to a particular technology as a condition for doing business within its jurisdiction. This does not apply in instances of government procurement, and further does not prohibit businesses from negotiating contracts with source code transfer requirements within the terms and conditions. Additionally, it allows for access to software used for critical infrastructure. Moreover, it allows for Parties involved in the creation of international contracts to require the modification of source code to comply with laws and regulations. There is also an exception to the prohibition on conditional technology transfer for investigations. Finally, this provision does not apply to measures adopted for prudential reasons.

  5. 14/09/2025
    inquiry

    Competition Commission closes consultation on draft final report of market review on digital economy ecosystem

    On 14 September 2025, the Competition Commission of Malaysia closes the public consultation on the final report of the inquiry into the market review on the digital economy ecosystem. The review applied to five sectors, including mobile operating systems, e-commerce marketplaces, digital advertising, online travel agencies, and data protection. The recommendations addressed competition issues and strengthened the regulatory framework for a fairer digital economy.

  6. 08/09/2025
    order

    Data Protection Authority closes consultation on regulation amending Personal Data Protection Regulations (335/2013)

    On 8 September 2025, the Malaysian Data Protection Authority closes the consultation on the regulation amending the Personal Data Protection Regulations 2013 (335/2013). First, the draft regulation changes all references in the original Regulation from “data user” to “data controller”. Second, the draft regulation obliges data controllers to display business contact information for appointed Data Protection Officers or other individuals responsible for handling matters relating to personal data. This information must be included in the personal data protection notice in Malay and English, to be given to the data subject. Third, the phrase “minimum requirements” was replaced with the phrase “specified requirements” to emphasise the binding nature of the requirements and to set expected results for data controllers. Fourth, the draft regulation clarifies the definition of “valid consent” and the requirement to obtain consent before data processing occurs, rather than during or after processing. Fifth, security policies must now explicitly include procedures for managing data breach incidents. Sixth, data controllers must have a written contract with any data processors they use. This contract must specify the purpose, data types, security measures, and the rights and obligations of each party. Seventh, data processors are now directly obligated to protect personal data against threats and can be fined directly for violations (up to MYR 250'000, imprisonment up to two years, or both). Eighth, the scope of information that can be requested by inspecting officers is clarified and expanded. These changes aim to harmonise the terms used in the Regulation with those used in a parallel amendment to Act 709.

  7. 28/08/2025
    law

    Gig Workers Bill was passed by House of Representatives (Bill No. D.R. 27/2025)

    On 28 August 2025, the Gig Workers Bill was passed by the House of Representatives. The Bill applies to the country's 1.2 million gig workers across platform-based services, including e-hailing and food delivery, and specified sectors, including acting, journalism, care services, and creative industries. The Bill introduces protections, including mandatory written service agreements, worker rights against unfair termination and discrimination and platform transparency requirements for automated decision-making systems. It also introduces payment safeguards with seven-day deadlines, a three-tier dispute resolution system culminating in a new Gig Workers Tribunal, mandatory social security registration and contributions, occupational health and safety obligations for contracting entities, and establishment of a Consultation Council for policy guidance.

  8. 26/08/2025
    inquiry

    Competition Commission opened consultation on draft final report of market review on digital economy ecosystem

    On 26 August 2025, the Competition Commission of Malaysia opened a public consultation on the final report of the inquiry into the market review on the digital economy ecosystem, until 14 September 2025. The review applies to five sectors, including mobile operating systems, e-commerce marketplaces, digital advertising, online travel agencies, and data protection. The recommendations address competition issues and strengthen the regulatory framework for a fairer digital economy.

  9. 25/08/2025
    law

    Gig Workers Bill was introduced to House of Representatives (Bill No. D.R. 27/2025)

    On 25 August 2025, the Gig Workers Bill was introduced to the House of Representatives. The Bill applies to the country's 1.2 million gig workers across platform-based services, including e-hailing and food delivery, and specified sectors, including acting, journalism, care services, and creative industries. The Bill introduces protections, including mandatory written service agreements, worker rights against unfair termination and discrimination and platform transparency requirements for automated decision-making systems. It also introduces payment safeguards with seven-day deadlines, a three-tier dispute resolution system culminating in a new Gig Workers Tribunal, mandatory social security registration and contributions, occupational health and safety obligations for contracting entities, and establishment of a Consultation Council for policy guidance.

  10. 22/08/2025
    order

    Data Protection Authority opened consultation on regulation amending Personal Data Protection Regulations (335/2013)

    On 22 August 2025, the Malaysian Data Protection Authority opened a consultation on the regulation amending the Personal Data Protection Regulations 2013 (335/2013) until 8 September 2025. First, the draft regulation changes all references in the original Regulation from “data user” to “data controller”. Second, the draft regulation obliges data controllers to display business contact information for appointed Data Protection Officers or other individuals responsible for handling matters relating to personal data. This information must be included in the personal data protection notice in Malay and English, to be given to the data subject. Third, the phrase “minimum requirements” was replaced with the phrase “specified requirements” to emphasise the binding nature of the requirements and to set expected results for data controllers. Fourth, the draft regulation clarifies the definition of “valid consent” and the requirement to obtain consent before data processing occurs, rather than during or after processing. Fifth, security policies must now explicitly include procedures for managing data breach incidents. Sixth, data controllers must have a written contract with any data processors they use. This contract must specify the purpose, data types, security measures, and the rights and obligations of each party. Seventh, data processors are now directly obligated to protect personal data against threats and can be fined directly for violations (up to MYR 250'000, imprisonment up to two years, or both). Eighth, the scope of information that can be requested by inspecting officers is clarified and expanded. These changes aim to harmonise the terms used in the Regulation with those used in a parallel amendment to Act 709.

  11. 19/08/2025
    inquiry

    Malaysia Competition Commission closes second consultation on draft final report on Digital Economy Ecosystem Market Review

    On 19 August 2025, the Malaysia Competition Commission (MyCC) closes the consultation on the draft final report of the Digital Economy Ecosystem Market Review under section 11 of the Competition Act (Act 712). The review examines five strategic sectors, namely mobile operating and payment systems, e-commerce (retail marketplace), digital advertising services, online travel agencies (OTAs), and data privacy and protection as a cross-cutting theme. The consultation is informed by stakeholder engagement, including focus groups, interviews with government agencies, industry players and associations, as well as written submissions received during the earlier consultation on the Interim Report. Based on these findings, MyCC will identify barriers relating to market structure, competition and regulation, and formulate recommendations for relevant regulatory bodies.

  12. 13/08/2025
    inquiry

    Malaysia Competition Commission opened second consultation on draft final report on Digital Economy Ecosystem Market Review

    On 13 August 2025, the Malaysia Competition Commission (MyCC) opened a public consultation on the draft final report of the Digital Economy Ecosystem Market Review under section 11 of the Competition Act (Act 712), until 19 August 2025. The review examines five strategic sectors, namely mobile operating and payment systems, e-commerce (retail marketplace), digital advertising services, online travel agencies (OTAs), and data privacy and protection as a cross-cutting theme. The consultation is informed by stakeholder engagement, including focus groups, interviews with government agencies, industry players and associations, as well as written submissions received during the earlier consultation on the Interim Report. Based on these findings, MyCC will identify barriers relating to market structure, competition and regulation, and formulate recommendations for relevant regulatory bodies.

  13. 03/08/2025
    order

    Ministry of Digital launched National Cloud Computing Policy

    On 13 August 2025, the Ministry of Digital launched the National Cloud Computing Policy (NCCP) as a framework for cloud adoption across the country’s digital ecosystem. The policy is structured around five thematic areas covering public sector transformation, private sector development, data protection and privacy, digital inclusion, and environmental considerations. Implementation measures, referred to as Cloud Stacks, correspond to each area. The NCCP includes a multi-tier data classification framework that requires data to be categorised into four sensitivity levels: public, internal, restricted, and confidential. Each level is associated with defined technical and deployment requirements. Public data may be processed on public cloud infrastructure with basic protections, while data classified as confidential is subject to sovereign cloud processing within Malaysia, with national encryption standards, access controls, and monitoring requirements. Public sector organisations must also comply with the Official Secrets Act and apply additional guidance issued by the National Digital Department and the Chief Government Security Office. The NCCP adopts a coordinated implementation model involving government agencies, service providers, academic institutions, and the public. It includes periodic policy reviews, interim updates, and a performance monitoring mechanism to align with technological and regulatory developments.

  14. 03/08/2025
    order

    Ministry of Digital announced National Cloud Computing Policy

    On 3 August 2025, Malaysia’s Ministry of Digital adopted the National Cloud Computing Policy (NCCP) as a framework for cloud adoption across the country’s digital ecosystem. The policy is structured around five thematic areas covering public sector transformation, private sector development, data protection and privacy, digital inclusion, and environmental considerations. Implementation measures, referred to as Cloud Stacks, correspond to each area. The NCCP includes a multi-tier data classification framework that requires data to be categorised into four sensitivity levels: public, internal, restricted, and confidential. Each level is associated with defined technical and deployment requirements. Public data may be processed on public cloud infrastructure with basic protections, while data classified as confidential is subject to sovereign cloud processing within Malaysia, with national encryption standards, access controls, and monitoring requirements. Public sector organisations must also comply with the Official Secrets Act and apply additional guidance issued by the National Digital Department and the Chief Government Security Office. The NCCP adopts a coordinated implementation model involving government agencies, service providers, academic institutions, and the public. It includes periodic policy reviews, interim updates, and a performance monitoring mechanism to align with technological and regulatory developments.

  15. 01/08/2025
    outline

    Department of Personal Data Protection released guideline on data protection officer competency

    On 1 August 2025, the Department of Personal Data Protection released the data protection officer (DPO) competency guideline, which provides a structured framework for assessing and developing the functional competencies required of Data Protection Officers (DPOs) under the Personal Data Protection Act 2010 (Act 709), as amended by the Personal Data Protection (Amendment) Act 2024. The guideline sets out six core competency areas, namely advisory and support, risk management and assessment, compliance oversight and monitoring, audit and reporting, communications and stakeholder engagement, and regulatory and data subject management, mapped against a knowledge, skills, and abilities (KSA) model. These competencies are organised into two tiers: fundamental, which outlines minimum expectations for all DPOs, and advanced, which applies to complex environments requiring leadership of organisation-wide data protection strategies. The guideline is designed to be used in conjunction with the appointment of data protection officer guideline, the DPO professional development pathway and training roadmap, and the DPO training service providers guideline, and aims to support DPOs in exercising their responsibilities with sufficient independence and access to senior management, ensuring integrated and accountable data protection operations across all organisational functions.

  16. 01/08/2025
    outline

    Department of Personal Data Protection released data protection officer professional development pathway and training roadmap

    On 1 August 2025, the Department of Personal Data Protection released the data protection officer (DPO) professional development pathway and training roadmap, outlining a prospective framework to support the structured development of DPO capabilities aligned with the DPO competency guideline. The roadmap introduces a two-tier training structure, fundamental and advanced, designed according to the complexity and sensitivity of personal data processing activities. The fundamental tier focuses on six core competencies required for baseline DPO functions, while the advanced tier addresses broader responsibilities and permits recognition of internationally certified qualifications subject to review. Training delivery is facilitated through recognised training providers and may include assessments to validate competency acquisition. The roadmap also details a prospective professional certification structure comprising Certified Data Protection Officer (Fundamental) and Certified Data Protection Officer (Advanced) credentials, administered under arrangements determined by the Commissioner. Certification recognition is categorised into short-term certificates of completion and long-term professional certifications. The roadmap is to be read in conjunction with the Personal Data Protection Act 2010 (Act 709), the DPO Competency Guideline, and the Management of DPO Training Service Providers Guideline, and remains subject to approval, implementation, and ongoing review by the Commissioner.

  17. 01/08/2025
    outline

    Department of Personal Data Protection released guideline on management of data protection officer training service providers

    On 1 August 2025, the Department of Personal Data Protection released the guideline on the management of data protection officer (DPO) training service providers developed pursuant to Sections 48(b) and 48(k) of the Personal Data Protection Act (Act 709), as amended by the Personal Data Protection (Amendment) Act 2024. The guideline establishes a prospective recognition and oversight framework for DPO training service providers to ensure alignment with statutory requirements and competency expectations. It applies to all providers offering courses or programmes for appointed DPOs and sets standards for training content, delivery, trainer qualifications, assessment mechanisms, and quality assurance. Recognised providers must demonstrate subject-matter expertise and the capability to deliver structured training in areas including legal and regulatory knowledge, operational and risk awareness, professional conduct, scope of responsibilities, and DPO independence. The Guideline outlines application and renewal procedures for formal recognition, including eligibility criteria, required documentation, assessment processes, and potential revocation mechanisms. It must be read together with Act 709, the Data Protection Officer (DPO) Competency Guideline, and the DPO Professional Development Pathway and Training Roadmap, and may be supplemented by circulars or instruments issued by the Commissioner to maintain regulatory alignment and enforce compliance.

  18. 28/07/2025
    order

    Department of Personal Data Protection issued notification requiring registration of data users under the Personal Data Protection Act 2010

    On 28 July 2025, the Department of Personal Data Protection of Malaysia issued a notice urging companies and organisations that process personal data in commercial transactions to register as data users under the Personal Data Protection Act 2010 [Act 709]. The Act imposes a mandatory registration obligation, requiring entities to submit an application to the Personal Data Protection Commissioner via the Personal Data Protection System (SPDP) and pay a prescribed fee. It was highlighted that the Commissioner is actively monitoring compliance, and those receiving a Data User Registration Compliance Notice must register within 14 days.

Last updated: 26/10/2025