Malaysia: Processing in Context of Local Establishment

The PDPA extends its applicability to data processing activities based on the establishment of the data user in Malaysia. Section 2(2a) of the PDPA states that the Act applies to a person who is "established in Malaysia" and processes personal data, "whether or not in the context of that establishment". This provision is broad in scope, as it covers data processing activities regardless of whether they are directly related to the Malaysian establishment's activities.

Furthermore, Section 2(4d)(i) expands the definition of "established in Malaysia" to include any person who maintains "an office, branch or agency through which he carries on any activity" in Malaysia. This provision extends the PDPA's applicability to foreign entities that have some form of physical presence in Malaysia, even if they are not formally incorporated under Malaysian law.

The inclusion of the phrase "whether or not in the context of that establishment" in Section 2(2a) is particularly significant. It suggests that the PDPA applies to all data processing activities of an entity established in Malaysia, regardless of whether the processing is directly related to the Malaysian establishment's operations or conducted for the benefit of other branches or affiliates outside Malaysia.

Implications

This broad interpretation of establishment has several implications for businesses:

  1. Foreign companies with any form of physical presence in Malaysia (office, branch, or agency) may be subject to the PDPA, even if their main data processing activities occur outside the country.
  2. Companies established in Malaysia must comply with the PDPA for all their data processing activities, including those that may be primarily intended for foreign markets or operations.
  3. Multinational corporations with Malaysian subsidiaries or branches need to be particularly cautious, as their global data processing activities could fall under the PDPA's scope if they involve the Malaysian establishment in any way.
  4. The broad scope of applicability may require companies to implement comprehensive data protection measures across their entire operations, not just for activities specifically related to their Malaysian presence.
  5. Companies without a physical presence in Malaysia but processing data of Malaysian residents may still fall outside the PDPA's scope, unless they use equipment in Malaysia for processing (as per Section 2(2b), not quoted here).
