Malaysia's Dual Data Governance Framework: A Critical Analysis of the PDPA 2024 and Data Sharing Act 2025
Executive Summary
Malaysia has embarked on an ambitious journey to establish itself as a regional data hub through two significant legislative developments: the Personal Data Protection (Amendment) Act 2024 and the Data Sharing Act 2025. While both laws aim to modernize Malaysia's data governance framework, they present a complex interplay of enhanced protection and facilitated sharing that creates both opportunities and regulatory challenges. This analysis reveals critical gaps and potential areas of misuse that require immediate attention from policymakers and practitioners.
The Legislative Landscape: Two Laws, One Vision
Personal Data Protection (Amendment) Act 2024: Strengthening Privacy Rights
The PDPA 2024 amendments, which came into force in phases starting January 1, 2025, represent Malaysia's most significant data protection reform since 2010. The legislation aligns Malaysia more closely with international standards like the GDPR, introducing transformative changes including:
Key Enhancements:
- Expanded Scope of Sensitive Data: The inclusion of biometric data (fingerprints, facial recognition, behavioral characteristics) reflects the reality of modern digital identity systems
- Mandatory Data Protection Officers: Universal requirement regardless of business size, democratizing data protection responsibility
- Data Portability Rights: Empowering individuals to transfer their data between controllers, subject to technical feasibility
- Enhanced Breach Notification: Dual obligation to notify both the Commissioner and affected individuals when breaches pose significant harm
- Substantially Increased Penalties: Fines up to MYR 1 million and imprisonment up to three years, representing a 233% increase in financial penalties
Extraterritorial Reach: The Act applies to organizations using Malaysian-based equipment for data processing, creating compliance obligations for foreign entities even without physical presence in Malaysia.
Data Sharing Act 2025: Facilitating Public Sector Collaboration
Effective April 28, 2025, the Data Sharing Act creates a structured framework for inter-agency data sharing within Malaysia's public sector. The legislation establishes:
Core Framework:
- National Data Sharing Committee: Centralized governance under the Ministry of Digital, ensuring standardized policies across agencies
- Defined Scope: Limited to public sector agencies as defined under Article 132(1) of the Federal Constitution and statutory authorities
- Purpose-Driven Sharing: Data requests must serve specific objectives including policy enhancement, public safety, emergency response, or public interest
Procedural Safeguards:
- 14-Day Evaluation Period: Mandatory assessment window for data sharing requests
- Comprehensive Refusal Grounds: Nine specific categories where sharing may be refused, including national security, ongoing investigations, and inadequate security measures
- Technical Standards: Requirement for appropriate security and technical safeguards before data transfer
Comparative Analysis: Protection vs. Facilitation
Philosophical Alignment
Both laws reflect Malaysia's commitment to balanced data governance - protecting individual privacy while enabling beneficial data use. However, they operate on fundamentally different principles:
PDPA 2024: Individual-centric, emphasizing consent, transparency, and data subject rights
Data Sharing Act 2025: State-centric, prioritizing administrative efficiency and public benefit
Regulatory Consistency
The laws demonstrate Malaysia's sophisticated approach to differential data treatment based on sector and purpose. Public sector agencies operate under facilitated sharing rules, while private entities face enhanced protection requirements - a recognition that government data use serves broader public interests while requiring different safeguards.
Technical Standards Convergence
Both laws emphasize robust technical and security measures, creating a unified expectation for data handling standards across public and private sectors. This convergence establishes Malaysia as a jurisdiction with comprehensive technical data protection requirements.
Critical Gaps and Vulnerabilities
1. Federal-State Governance Gap
The Challenge: The Data Sharing Act explicitly excludes state governments and their entities, applying only to federal agencies and federal statutory authorities. This creates a significant jurisdictional gap in Malaysia's data governance framework.
Risk:
- No standardized data sharing framework exists for state-to-state or federal-state data sharing
- Inconsistent data governance standards between federal and state levels
- Potential barriers to comprehensive national data integration for policy development
- Regional development disparities due to uneven data sharing capabilities
Recommendation: Develop complementary state-level data sharing legislation or federal-state cooperation agreements to create a unified national data governance framework.
2. Definitional Inconsistencies
The Challenge: The Data Sharing Act defines "data" broadly as "any facts, statistics, instructions, concepts or other information," while the PDPA focuses specifically on "personal data." This creates potential confusion when public sector data sharing involves personal information.
Risk: Government agencies might incorrectly classify personal data sharing as routine data sharing, bypassing PDPA protections.
Recommendation: Explicit cross-referencing provisions requiring PDPA compliance when shared data contains personal information.
3. Oversight Fragmentation
The Challenge: The laws create parallel oversight mechanisms - the Personal Data Protection Commissioner for private sector compliance and the National Data Sharing Committee for public sector sharing.
Risk: Jurisdictional conflicts when private entities process data originally shared between government agencies, or when public-private partnerships involve data transfers.
Recommendation: Establish clear protocols for inter-regulator cooperation and joint oversight mechanisms for hybrid scenarios.
4. Cross-Border Data Transfer Ambiguity
The Challenge: While the PDPA 2024 removes the white-list mechanism and introduces adequacy assessments, the Data Sharing Act doesn't explicitly address cross-border sharing of government data.
Risk: Government agencies might share sensitive data internationally without adequate protection assessments, potentially undermining Malaysia's data sovereignty.
Recommendation: Explicit cross-border provisions in the Data Sharing Act requiring PDPA-equivalent assessments for international government data transfers.
5. Private Sector Involvement Loopholes
The Challenge: Section 17(2) of the Data Sharing Act allows public agencies to engage third parties for "data migration, data integration or data analytics work" with compliance obligations, but lacks specific oversight mechanisms.
Risk: Private contractors could gain access to vast government datasets without adequate supervision or liability frameworks.
Recommendation: Mandatory data processing agreements, regular audits, and specific liability provisions for third-party processors.
6. Emergency Powers and Rights Suspension
The Challenge: The Data Sharing Act permits sharing for "public emergency" response, but doesn't define the scope of emergencies or protection for individual rights during such periods.
Risk: Over-broad interpretation of emergency powers could justify extensive surveillance or rights violations.
Recommendation: Clear emergency declaration procedures, time-limited powers, and enhanced post-emergency review mechanisms.
Potential Areas of Misuse
1. Surveillance Infrastructure Development
Concern: The combination of enhanced government data sharing capabilities and expanded biometric data collection under the PDPA could facilitate comprehensive surveillance systems.
Mitigation: Strong purpose limitation clauses and regular parliamentary review of data sharing patterns.
2. Commercial Data Harvesting
Concern: The broad definition of legitimate data sharing purposes could enable government agencies to collect and share commercially valuable data without adequate compensation or protection for affected businesses.
Mitigation: Commercial impact assessments and fair compensation mechanisms for business data use.
3. Political Targeting Through Data Integration
Concern: Inter-agency data sharing could enable political profiling and targeting of opposition figures, activists, or dissidents through data correlation across government databases.
Mitigation: Independent judicial oversight for politically sensitive data requests and whistle-blower protections for government employees.
4. Third-Party Data Monetization
Concern: Private contractors engaged under the Data Sharing Act might retain or commercialize insights derived from government data processing.
Mitigation: Strict data retention and deletion requirements, with criminal penalties for unauthorized data commercialization.
Enforcement Challenges and Implementation Gaps
Resource Allocation Disparities
The enhanced penalties under PDPA 2024 create strong incentives for compliance, but the Data Sharing Act relies primarily on administrative oversight. This disparity could lead to uneven enforcement attention, with government data sharing receiving less scrutiny than private sector activities.
Technical Capacity Requirements
Both laws assume sophisticated technical capabilities for data protection and sharing. However, smaller government agencies and businesses may lack the resources for full compliance, creating potential vulnerability points in Malaysia's data protection ecosystem.
International Coordination Complexity
Malaysia's position as a regional data hub requires coordination with other ASEAN data protection frameworks. The current laws lack explicit mechanisms for regional cooperation, potentially hindering Malaysia's hub ambitions.
Strategic Recommendations for Stakeholders
For Policymakers
- Regulatory Harmonization: Develop joint guidelines addressing the intersection between PDPA and Data Sharing Act requirements
- Parliamentary Oversight: Establish regular legislative review mechanisms for data sharing patterns and privacy impact assessments
- Regional Leadership: Create ASEAN-compatible provisions to support Malaysia's data hub objectives
For Legal Practitioners
- Cross-Domain Expertise: Develop competencies in both privacy protection and government data sharing requirements
- Compliance Framework Development: Create integrated compliance programs addressing both laws simultaneously
- International Positioning: Prepare for adequacy assessments with other jurisdictions seeking data transfer arrangements with Malaysia
For Technology Companies
- Privacy by Design: Implement technical solutions that satisfy both individual privacy rights and government sharing capabilities
- Audit Readiness: Prepare for enhanced regulatory scrutiny under both frameworks
- Regional Strategy: Leverage Malaysia's strengthened data protection credentials for regional expansion
For Government Agencies
- Dual Compliance: Ensure data sharing practices meet both Data Sharing Act procedures and PDPA privacy requirements
- Staff Training: Develop comprehensive training programs covering both privacy protection and sharing obligations
- Stakeholder Engagement: Create transparent communication channels with civil society and private sector regarding data use practices
I have a question - Does the Data Sharing Act make the Malaysian government more responsible by imposing legal requirements?
TL;DR: The Data Sharing Act 2025 provides SOME accountability improvements, but government agencies still enjoy substantial leeway compared to private sector entities.
Key Accountability Improvements in the Data Sharing Act:
- Structured Oversight Framework:
  - The National Data Sharing Committee conducts strict evaluations on applications made by respective public sector agencies and decides on whether data can be shared
  - Centralized governance under the Committee ensures that data-sharing policies are standardized, enhancing accountability and operational efficiency across public sector agencies
- Formal Procedural Requirements:
  - Agencies must submit formal requests that include the data requested, the purpose, and the manner of handling the data
  - The agency must respond within 14 days, and if additional time is required, a written explanation must be provided
- Mandatory Record-Keeping and Reporting:
  - Both data provider and data recipient must keep records of all particulars relating to the shared data and report any unauthorized sharing of data to the Director General
- Criminal Penalties for Violations:
  - In the event of a breach, those found guilty will face penalties, which may be a fine not exceeding RM1 million, imprisonment for up to five years, or both
However, Government Agencies Still Enjoy Significant Leeway:
- The Fundamental PDPA Exclusion Remains Unchanged:
  - The Personal Data Protection Act 2010/2024 does not apply to the federal government and state governments
  - Malaysia's PDPA applies only to commercial transactional data and does not apply to government data
  - The Data Sharing Act does NOT subject government data handling to PDPA-level individual privacy rights
- Limited External Oversight:
  - The National Data Sharing Committee is internally constituted - comprised entirely of government representatives with no independent oversight body
  - No external auditing mechanisms or civil society representation in oversight
  - No individual recourse mechanisms for citizens whose data is shared inappropriately
- Broad "Public Interest" Justifications:
  - Data sharing is permitted for broadly defined purposes including "supporting public interest initiatives"
  - The Committee has discretionary power to determine additional purposes beyond those specified in the Act
  - "Public interest" remains undefined and subject to government interpretation
- Internal Self-Policing Mechanism:
  - Agencies essentially police themselves - the receiving agency evaluates whether sharing is appropriate
  - No mandatory external validation of "public interest" claims
  - Limited transparency requirements for sharing decisions
- Exemptions for Sensitive Government Activities:
  - Broad exemptions exist for national security, law enforcement investigations, and other government activities
  - These exemptions could be interpreted broadly to avoid accountability

The Accountability Gap Persists
The fundamental issue remains: Government data is not subject to the same privacy protection standards as private sector data, despite the government collecting vast amounts of personal data including health and financial information.
The Data Sharing Act creates a regulatory framework for government data sharing but does NOT create individual privacy rights or external accountability mechanisms equivalent to those governing private entities.
Bottom Line Assessment:
Marginal Improvement with Persistent Structural Issues:
✅ Better than before: Structured procedures, formal oversight, and criminal penalties represent improvements over the previous ad hoc approach
❌ Still insufficient: Government agencies continue to operate under fundamentally different accountability standards than private entities, with no individual privacy rights, limited external oversight, and broad discretionary powers
The Data Sharing Act addresses administrative efficiency and inter-agency coordination but fails to address the core democratic accountability deficit that has long been criticized regarding government data handling in Malaysia.
The real accountability gap will only be closed when government data handling is subject to the same individual privacy rights and external oversight mechanisms that apply to private sector entities.
Government Liability Analysis - Telco Data Sharing
The Scenario: Critical Legal Dynamics
When a government agency requests sensitive customer information (call records, BTS location data) from telcos, this creates a complex multi-jurisdictional liability framework with significant accountability gaps.
The Liability Framework Breakdown
1. INITIAL TRANSFER: Telco to Government
Telco Obligations (Under PDPA 2024):
- Must have a legal basis for disclosure (consent or legal obligation) - in this case bypassed through Cabinet approval
- According to Section 39, disclosure of personal data to authorities may be granted for prevention and detection of crime, and for investigative purposes
- Must ensure the government agency has "appropriate security and technical safeguards"
- Remains the data controller under PDPA during transfer
Government Receipt:
- Once data is transferred to government, PDPA protections cease to apply
- The Act does not apply to Federal Government and State Governments
2. POST-TRANSFER: Government Handling
Government Obligations (Under Data Sharing Act 2025):
- Must take necessary measures to ensure the security and privacy of the data, including protection from any loss, misuse, unauthorized or accidental modification, access or disclosure
- Must keep records of all particulars relating to the shared data and report any unauthorized sharing of data to the Director General
Critical Gap: These obligations are administrative, not individual rights-based.
Government Liability Assessment: The Brutal Truth
❌ LIMITED CRIMINAL LIABILITY ONLY
If government loses/leaks/has data stolen:
✅ Criminal Penalties Possible:
- Fines up to RM1 million and imprisonment up to 5 years for government employees who misuse shared data
- Applies to unauthorized sharing, misuse, or failure to implement security measures
❌ NO Civil Liability to Individuals:
- No compensation rights for affected telco customers
- No individual recourse mechanisms under Data Sharing Act
- No breach notification requirements to affected individuals
- No external oversight of government data handling
❌ NO PDPA-EQUIVALENT PROTECTIONS

Practical Liability Scenarios
Scenario 1: Government Employee Sells Call Records
- Criminal liability: Yes, up to RM1 million + 5 years imprisonment
- Civil liability to customers: Minimal to none
- Enforcement: Depends on internal government detection and prosecution
Scenario 2: Government Database Hacked
- Mandatory reporting: Only to Director General (internal)
- Customer notification: NOT REQUIRED
- Compensation: NO statutory mechanism
- Remedies: Customers must pursue common law negligence (extremely difficult to prove)
Scenario 3: Government Shares Data Inappropriately
- Oversight: National Data Sharing Committee (all government appointees)
- Individual recourse: NONE
- Transparency: NO public reporting requirements
The Accountability Black Hole
Critical Vulnerabilities:
Legal Immunity Gap:
- There is currently no express right provided within the Act to aggrieved data subjects to pursue a civil claim against data users for breaches
- Government enjoys even broader immunity than private sector
Oversight Vacuum:
- No independent regulator for government data handling
- Self-policing mechanism with no external accountability
Remedy Desert:
- No compensation mechanisms for affected individuals
- No individual standing to challenge government data handling
- No mandatory public disclosure of breaches
Enforcement Reality:
- Criminal penalties require government to prosecute itself
- No external trigger mechanisms for investigations
- No civil society oversight
Bottom Line: Government Enjoys Massive Liability Shield
Harsh Reality:
Government agencies have SIGNIFICANTLY LESS liability exposure than the telcos who originally collected the data.
The liability transfer works like this:
1. Telco collects data: Full PDPA compliance required, individual rights, Commissioner oversight, civil liability
2. Government requests data: Telco must comply if legal basis exists
3. Government receives data: PDPA protections disappear, minimal accountability, no individual rights
4. Government loses/misuses data: Limited criminal liability, NO civil liability, NO individual recourse
Strategic Implications:
- For Telcos: Consider enhanced due diligence and contractual protections when sharing with government
- For Government: Current framework provides substantial protection from liability
- For Individuals: Minimal legal recourse once data reaches government hands
- For Malaysia: Significant accountability deficit undermines data governance credibility
The government essentially operates in a "liability-lite" environment compared to private sector entities handling the same sensitive data.
This represents one of the most significant flaws in Malaysia's dual data governance framework - creating perverse incentives where the most powerful data handlers (government agencies) face the least accountability.
Conclusion: Navigating Malaysia's Data Governance Evolution
Malaysia's dual data governance framework represents an ambitious attempt to balance individual privacy rights with administrative efficiency and economic development. The PDPA 2024 and Data Sharing Act 2025 collectively position Malaysia as a jurisdiction with sophisticated data protection standards while enabling beneficial data use for public purposes.
However, the success of this framework depends on addressing the identified gaps and potential misuse scenarios. The intersection between enhanced privacy protection and facilitated government data sharing creates complex compliance challenges that require careful navigation by all stakeholders.
As Malaysia continues its journey toward becoming a regional data hub, the evolution of these laws will serve as a critical test case for other jurisdictions seeking to balance privacy, security, and innovation in the digital age. The framework's ultimate success will be measured not just by compliance rates or economic benefits, but by its ability to maintain public trust while enabling legitimate data-driven governance and economic development.
The path forward requires continued stakeholder engagement, regular legislative review, and adaptive implementation that responds to emerging challenges while maintaining the core principles of privacy protection and public benefit that underpin both laws.
Author: Suresh Ramasamy (ORCID ID: 0000-0003-4562-037X)
This article is mirrored on LinkedIn at https://www.linkedin.com/pulse/malaysias-dual-data-governance-critical-analysis-ts-dr-suresh-4zagc/