The Personal Data Protection Act 2010 (PDPA) of Malaysia uses the factor of data processing outside the jurisdiction to limit its scope of applicability. Specifically, the Act excludes personal data processed outside Malaysia from its purview, unless that data is intended for further processing within Malaysia.

Text of Relevant Provision

Section 3(2) of the PDPA states:

"This Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia."

Analysis of Provision

This provision establishes a territorial limitation on the PDPA's applicability. The key elements are:

1. "This Act shall not apply" - This phrase clearly excludes certain data processing activities from the PDPA's scope.
2. "to any personal data processed outside Malaysia" - This defines the general rule that data processing occurring outside Malaysia's borders is not subject to the PDPA.
3. "unless that personal data is intended to be further processed in Malaysia" - This exception brings certain cross-border data processing activities back within the PDPA's scope.

The provision creates a balance between respecting the territorial sovereignty of other jurisdictions and protecting personal data that may eventually enter Malaysian territory. It recognizes that in a globalized world, data often crosses borders, and seeks to ensure that data destined for processing in Malaysia is protected, regardless of its origin.

Implications

This provision has several implications for businesses:

1. Companies processing data entirely outside Malaysia are generally not subject to the PDPA, even if the data relates to Malaysian citizens or residents.
2. However, if a company processes data outside Malaysia with the intention of further processing it within Malaysia, the PDPA would apply to that data from the outset.
3. Companies must carefully consider their data flows and processing intentions when determining whether they fall under the PDPA's jurisdiction.
4. Multinational companies with operations both inside and outside Malaysia need to be particularly vigilant, as they may have data that crosses this jurisdictional boundary.
5. Companies outside Malaysia that provide data processing services to Malaysian entities should be aware that if the data is intended for further processing in Malaysia, it may be subject to the PDPA.

This provision allows Malaysian authorities to assert jurisdiction over data that will impact its territory, while avoiding overreach into purely foreign data processing activities. It aligns with the principle of data protection continuity, ensuring that data intended for Malaysian processing is protected throughout its lifecycle, even before it enters Malaysian territory.