Malaysia: Processing in jurisdiction

The Personal Data Protection Act 2010 (PDPA) of Malaysia uses the factor of processing in jurisdiction to determine its applicability to data processing activities.

Text of Relevant Provisions

PDPA 2010 Sec.2(2b):

"(2) Subject lo subsection (1), this Act applies to a person in respect of personal data if— (b) the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia."

Analysis of Provisions

The PDPA 2010 extends its applicability to data processing activities that occur within Malaysia's territory, even when the data controller is not established in the country. This is evident from Section 2(2)(b), which states that the Act applies to a person who "uses equipment in Malaysia for processing the personal data".

This provision captures situations where foreign entities utilize equipment located in Malaysia to process personal data. The law specifically excludes cases where the data is merely in transit through Malaysia, focusing on actual processing activities within the country.

It's important to note that this provision is subject to subsection (1) of Section 2, which limits the Act's application to processing of personal data "in respect of commercial transactions". This suggests that the use of equipment in Malaysia for non-commercial purposes may not fall under the Act's purview.

The law also requires entities falling under Section 2(2)(b) to nominate a representative established in Malaysia, as stated in Section 2(3). This ensures that there is a local point of contact for regulatory compliance and enforcement purposes.

Implications

This factor has significant implications for businesses operating in or interacting with Malaysia:

Foreign companies using cloud services or data centers located in Malaysia for processing personal data may be subject to the PDPA, even if they have no physical presence in the country.
Multinational corporations with data processing operations in Malaysia need to comply with the PDPA, regardless of where their headquarters are located.
Companies must carefully consider the location of their data processing equipment and activities, as using equipment in Malaysia for personal data processing could bring them under the PDPA's jurisdiction.
Businesses falling under Section 2(2)(b) must appoint a local representative in Malaysia, which may involve additional administrative and operational costs.
The exclusion of data "in transit" suggests that routing data through Malaysian servers without processing it there would not trigger the Act's applicability.
The limitation to commercial transactions in Section 2(1) may exclude certain non-profit or governmental data processing activities from the Act's scope, even if equipment in Malaysia is used.

Jurisdiction Overview

Malaysia

🏛️ Government and Public Agency Exemption 📍 Processing by Local Establishment 🎯 Exemption for Specific Purposes of Processing 🔗 Processing in Context of Local Establishment 🏠 Processing in jurisdiction 🖥️ Use of Equipment Within Jurisdiction 💼 Processing by Entity Registered or Incorporated in Jurisdiction 🛃 Exception for Data Processing Outside Jurisdiction 🧓🏿 Long-Term Residency Threshold 💼 Doing Business in Jurisdiction