Malaysia’s Personal Data Protection Act (PDPA) was one of the earliest enacted in Asia,(1) but not brought into force until 2013. In 2024 it underwent its first significant modernisation.(2) However, the PDPA remains a very limited law, applying only to the private sector, and only to commercial transactions, with few means of enforcement, very limited data subject rights or controller obligations, and a Commissioner with no independence. The amending Act makes modest improvements, including mandatory data breach notification, improved data portability, and higher penalties for breaches.

Guidelines on nine methods of data exports