Malaysia: Use of Equipment Within Jurisdiction

Use of Equipment in Malaysia for Data Processing

The Personal Data Protection Act 2010 (PDPA) of Malaysia applies to data processing activities involving the use of equipment within Malaysia by entities not established in the country.

Text of Relevant Provisions

PDPA 2010 Sec.2(2)(b):

"Subject to subsection (1), this Act applies to a person in respect of personal data if— [...] (b) the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia."

Analysis of Provisions

The PDPA extends its territorial scope to encompass data processing activities conducted by entities not established in Malaysia, provided they utilize equipment located within the country for processing personal data. This provision aims to ensure that foreign entities cannot circumvent Malaysian data protection regulations simply by operating from outside the country's borders.

The key elements of this provision are:

  1. "the person is not established in Malaysia" - This refers to data controllers or processors that do not have a physical presence or legal establishment within Malaysia.
  2. "uses equipment in Malaysia" - The term "equipment" is not defined in the Act, but it likely encompasses any physical infrastructure or devices used for data processing activities.
  3. "for processing the personal data" - The equipment must be used specifically for processing personal data, as defined under the PDPA.
  4. "otherwise than for the purposes of transit through Malaysia" - This exclusion clarifies that mere data transit through Malaysian equipment (e.g., data passing through servers located in Malaysia) does not trigger the application of the PDPA.

Section 2(3) of the PDPA requires entities falling under this provision to "nominate for the purposes of this Act a representative established in Malaysia." This ensures that there is a local point of contact for regulatory compliance and enforcement purposes.

Implications

This provision has significant implications for foreign companies processing personal data of Malaysian individuals:

  1. Cloud service providers: Foreign cloud companies with data centers or servers in Malaysia may be subject to the PDPA if they process personal data on those servers.
  2. Online services: International websites or apps that use content delivery networks or caching servers located in Malaysia could fall under the PDPA's jurisdiction.
  3. Data analytics: Foreign companies conducting data analysis using computing resources in Malaysia may need to comply with the PDPA.
  4. IoT devices: Manufacturers of Internet of Things devices that process data using equipment in Malaysia could be subject to the Act.

Companies not established in Malaysia but using equipment in the country for data processing must carefully assess their operations to determine if they fall under the PDPA's scope. If so, they need to ensure compliance with all relevant provisions, including appointing a local representative and adhering to the Personal Data Protection Principles outlined in the Act.

