Data Privacy vs Digital Safety – Identifying Legal Conflicts

1. Introduction

The rapid pace of digitalisation has significantly transformed how personal data is collected, processed, and utilised across both public and private sectors. With the expansion of digital services, e-commerce, and online communications, individuals are increasingly required to share personal information in order to participate in modern economic and social life. At the same time, the rise in cybersecurity threats, including data breaches, online fraud, and cyberattacks, has led to greater regulatory scrutiny and the development of legal frameworks aimed at safeguarding digital environments. This evolving landscape has placed data governance at the centre of legal and policy discussions in Malaysia.[1]

Data privacy rights generally refer to an individual’s right to control how their personal data is collected, used, disclosed, and stored. In Malaysia, these rights are primarily governed by the Personal Data Protection Act 2010, which establishes key principles such as consent, purpose limitation, and data security. At its core, data privacy seeks to protect individual autonomy and prevent the misuse or unauthorised exploitation of personal information.[2]

In contrast, digital safety concerns the protection of individuals, organisations, and national infrastructure from cyber threats and harmful online activities. This includes measures such as cybersecurity monitoring, fraud prevention, content regulation, and enforcement against cybercrime. Legislative instruments such as the Communications and Multimedia Act 1998, the Computer Crimes Act 1997, and more recently the Cyber Security Act 2024 reflect Malaysia’s efforts to strengthen digital safety and maintain public order in the online environment.[3]

While both data privacy and digital safety pursue legitimate and important objectives, they often operate in tension. Measures introduced to enhance digital safety frequently rely on extensive data collection, monitoring, and surveillance, which may encroach upon individual privacy rights. Conversely, strict privacy protections may limit the ability of authorities and organisations to effectively detect and respond to cyber threats. This inherent tension gives rise to a legal conflict, requiring a careful and principled balance between protecting individual rights and ensuring collective security in the digital age.

2. Legal Framework Governing Data Privacy

The primary legislation governing data privacy in Malaysia is the Personal Data Protection Act 2010 (“PDPA”). The PDPA regulates the processing of personal data in commercial transactions and imposes obligations on data users to ensure that personal data is handled responsibly. In particular, section 9 of the PDPA imposes a duty on data users, including banks, telecommunications companies, internet service providers (ISPs), and application service providers, to take practical steps to protect personal data against loss, misuse, unauthorised access, disclosure, alteration, or destruction.[4] However, the PDPA is limited in scope, as it applies only to the private sector, thereby excluding public sector data processing from its protection.

3. Legal Framework for Digital Safety and Cybersecurity

Malaysia’s legal framework for digital safety and cybersecurity is broader and comprises several statutes aimed at regulating online activities, preventing cybercrime, and safeguarding digital infrastructure. The Cyber Security Act 2024 represents a more recent legislative effort to strengthen national cybersecurity by enhancing regulatory oversight and institutional coordination in addressing cyber threats.[5]

In addition, the Communications and Multimedia Act 1998 (“CMA”) plays a central role in regulating the digital communications ecosystem. The Act governs the licensing of network service providers (such as Maxis, Celcom, and Digi) and application service providers (including platforms like Astro GO, KiniTV, and WhatsApp). It empowers the Malaysian Communications and Multimedia Commission (“MCMC”) as the regulator to monitor and supervise licensees. Notably, the MCMC has the authority to direct licensees to block access to certain websites in order to prevent the commission or attempted commission of offences under the CMA, reflecting a strong emphasis on maintaining digital safety and public order.

The Computer Crimes Act 1997 (“CCA”) further complements this framework by criminalising various forms of cyber offences. These include unauthorised access to computer material (commonly referred to as hacking), unauthorised modification of computer contents (such as the spreading of viruses), and the unlawful communication of access codes. A notable illustration is the case of Basheer Ahmad Maula Sahul Hameed v PP, where a bank employee misused a victim’s debit card information to conduct unauthorised withdrawals and transfers, highlighting the real-world implications of such offences.

Additional supporting legislation includes the Digital Signatures Act 1997, which governs the use of digital signatures in secure electronic transactions, and the Electronic Commerce Act 2006, which provides legal recognition for electronic communications and transactions. Alongside these statutes, policy instruments such as the National Cyber Security Policy further reinforce Malaysia’s commitment to strengthening cybersecurity resilience at a national level.[6]

4. Points of Legal Conflict: Privacy vs Safety

The intersection between data privacy and digital safety in Malaysia gives rise to several concrete legal tensions, particularly where regulatory frameworks impose competing or overlapping obligations.

(a) Surveillance and Monitoring vs Consent and Purpose Limitation

Digital safety measures frequently involve the monitoring of online activities, traffic data, and user communications in order to detect and prevent cyber threats. However, such practices may conflict with core principles under the Personal Data Protection Act 2010 (“PDPA”), particularly the requirements of consent and purpose limitation. Monitoring activities undertaken by service providers or pursuant to regulatory directives may extend beyond the original purpose for which personal data was collected, raising questions as to whether such processing remains lawful under the PDPA framework.

(b) Data Retention vs Data Minimisation

Cybersecurity and law enforcement objectives often necessitate the retention of data for extended periods to facilitate investigation, detection, and evidentiary use. In contrast, data protection principles emphasise that personal data should not be kept longer than necessary for the fulfilment of its purpose. This creates a tension between operational needs for prolonged data storage and the obligation to minimise data retention, particularly in the absence of clear statutory guidance harmonising these requirements.

(c) Regulatory Powers vs Individual Privacy Rights

Statutes such as the Communications and Multimedia Act 1998 confer broad powers on regulatory authorities, including the ability to direct licensees to block access to online content or platforms. While such powers are intended to safeguard public order and digital safety, their exercise may indirectly involve the processing or restriction of user data and communications. This raises concerns regarding proportionality and the extent to which such measures may encroach upon individual privacy rights without corresponding safeguards.

(d) Public Sector Data Processing vs Lack of Statutory Protection

A significant point of legal conflict arises from the fact that the PDPA does not apply to the public sector. Digital safety initiatives undertaken by governmental authorities, including surveillance, data sharing, and cybersecurity operations, therefore fall outside the scope of statutory data protection obligations. This creates an asymmetry in legal protection, where private sector entities are subject to strict compliance requirements, while similar or more intrusive activities conducted by public authorities may not be governed by equivalent safeguards.

(e) Encryption and Anonymity vs Enforcement Access

The use of encryption and anonymisation technologies serves as a critical tool in protecting personal data and ensuring confidentiality of communications. However, such technologies may also impede the ability of law enforcement agencies to access information necessary for the investigation of cybercrime and other offences. This gives rise to the well-recognised “going dark” problem, where strong privacy protections may inadvertently hinder effective enforcement, thereby illustrating the inherent tension between individual privacy and collective security.

5. Key Gaps and Challenges in Malaysian Law

Notwithstanding the existence of multiple legislative instruments addressing data privacy and digital safety, the Malaysian legal framework remains fragmented and, in certain respects, inadequate in resolving the tensions between these competing objectives.

One of the primary challenges lies in the lack of harmonisation between data protection and cybersecurity laws. The PDPA operates largely in isolation from statutes such as the Communications and Multimedia Act 1998 and the Cyber Security Act 2024, resulting in overlapping obligations without clear guidance on how conflicts should be reconciled. This fragmentation creates uncertainty for organisations required to comply with both privacy obligations and regulatory directives relating to digital safety.

A further gap is the absence of comprehensive oversight mechanisms governing the exercise of powers by authorities in the name of digital safety. While regulators are vested with broad enforcement powers, there is limited statutory guidance on safeguards such as proportionality, necessity, and accountability in the collection and use of personal data for security purposes. This raises concerns regarding the potential for overreach and inconsistent application of such powers.

In addition, the exclusion of the public sector from the PDPA continues to present a structural weakness in Malaysia’s data governance framework. As digital safety initiatives increasingly involve government-led data processing and inter-agency data sharing, the absence of uniform data protection standards undermines the overall coherence of the legal regime.

Another significant challenge relates to the rapid pace of technological development, which has outstripped existing legal frameworks. Emerging technologies such as artificial intelligence, big data analytics, and automated monitoring systems are increasingly utilised for both commercial and security purposes. However, the current legal framework provides limited guidance on how such technologies should be regulated in a manner that balances privacy rights with legitimate safety concerns.

Finally, there remains a broader issue of practical enforcement and compliance. Organisations may face difficulty in navigating competing legal expectations, particularly where compliance with one regulatory requirement may risk breaching another. In the absence of clear regulatory coordination or interpretative guidance, this may lead to inconsistent practices and increased legal risk.

6. Comparative Insight

The PDPA has played an important role in shaping data protection, but its effectiveness in the current digital landscape is increasingly limited. A major weakness lies in its narrow scope, as it applies only to commercial transactions and excludes the public sector. This omission creates a significant gap, considering that government agencies handle large volumes of sensitive personal data without equivalent legal safeguards. The issue is further aggravated by the absence of clear and consistent rules on cross-border data transfers, which currently depend on ministerial discretion rather than established standards.

Enforcement under the PDPA is also relatively weak. The Personal Data Protection Commissioner operates with limited powers and resources, resulting in a compliance-focused rather than proactive approach. In addition, penalties under the Act are modest compared to international standards, reducing their deterrent effect. This contrasts with jurisdictions such as the European Union, where the General Data Protection Regulation (GDPR) is supported by independent regulatory bodies like the European Data Protection Board, which possess stronger enforcement authority and impose significantly higher sanctions.[7]

The PDPA’s principles-based framework has also struggled to keep pace with technological developments. It does not adequately address emerging risks associated with artificial intelligence, automated decision-making, and large-scale data processing, including concerns such as algorithmic bias and intrusive profiling.[8] Furthermore, the Act relies heavily on user consent, which is often undermined by “consent fatigue,” where individuals accept complex terms without full understanding. The lack of advanced data subject rights, such as data portability and the ability to challenge automated decisions, further limits individual control.

Overall, these shortcomings suggest that the PDPA is increasingly ill-equipped to meet the demands of digitalisation. Comprehensive reform is needed, including expanding its scope to the public sector, strengthening enforcement mechanisms, clarifying cross-border data rules, and introducing protections suited to modern technologies. Without such changes, Malaysia risks falling behind more robust frameworks like the GDPR.

7. The Way Forward: Balancing Competing Interests

Moving forward, Malaysia’s data protection framework requires comprehensive reform to remain effective in an increasingly complex digital environment. A key priority is to expand the scope of the PDPA to include public sector data processing, thereby ensuring consistent standards of accountability and protection across both government and private entities. In parallel, clearer and more structured rules governing cross-border data transfers should be introduced, replacing reliance on ministerial discretion with defined legal standards or safeguards.[9] These reforms are essential not only to strengthen data protection, but also to ensure that measures adopted for digital safety, such as surveillance or data sharing, operate within clear legal boundaries and do not disproportionately infringe individual privacy rights.

Institutional strengthening is equally crucial. The role of the Personal Data Protection Commissioner should be enhanced through greater independence, increased resources, and broader enforcement powers, including the ability to conduct proactive audits and impose meaningful penalties. Such improvements would enable a more responsive and effective regulatory system capable of addressing evolving technological risks. Strengthening the Commissioner’s powers would also ensure that enforcement actions taken in the name of digital safety are subject to oversight, reducing the risk of excessive or unjustified intrusion into personal data.

Beyond structural reforms, the legal framework must also adapt to emerging technologies. This includes introducing modern data subject rights, such as data portability and the right to challenge automated decision-making, as well as safeguards against risks posed by artificial intelligence and large-scale data processing. Incorporating principles of data ethics and algorithmic transparency would further ensure that technological advancements do not undermine individual rights. Additionally, requiring data protection impact assessments for high-risk processing activities would promote a more proactive approach to risk management, as is already standard practice in jurisdictions such as the EU and Singapore.[10] These safeguards are particularly crucial as digital safety measures increasingly rely on automated systems and large-scale data monitoring, which may otherwise compromise individual privacy if left unchecked.

Finally, achieving a sustainable balance between data privacy and digital safety requires a more integrated regulatory approach by ensuring that security-driven data practices remain proportionate, necessary, and accountable. Data protection laws should be aligned with broader frameworks on cybersecurity, artificial intelligence, and digital governance to create a coherent and resilient system for better digital safety. Such coordination would not only strengthen public trust but also support Malaysia’s participation in cross-border data flows and the global digital economy.

8. Conclusion

The relationship between data privacy and digital safety reflects an inherent tension that requires careful legal balancing. While Malaysia’s legal framework seeks to protect both individual privacy rights and the security of the digital environment, it remains fragmented and, at times, insufficiently equipped to reconcile competing interests.

The existence of overlapping obligations, gaps in oversight, and evolving technological risks highlights the need for a more coherent and integrated regulatory approach. Ultimately, the goal is not to prioritise one over the other, but to ensure that digital safety measures are proportionate and accountable, while data privacy rights remain meaningful and effectively protected.

Authors:

  1. Aireen Natasha
  2. Zahid Zulkifli
  3. Imanee Sabreena

[1] Lim, J.X.X. and Zulkifli, F.A. (2026) Safeguarding Consumers’ Privacy in Malaysia’s Digital Economy Landscape, 6(1), 2-22

[2] Alibegi, A. and Munir, A.B. (2020) Malaysian Personal Data Protection Act, a Mysterious Application, 5(2), 362-374

[3] Malaysia Cyber Security Strategy 2020 – 2024 (2020)

[4] Personal Data Protection Act S2 (2012)

[5] Chan, C. (2024) Cyber Security Act 2024: A New Era for Cybersecurity in Malaysia, at https://www.pwc.com/my/en/assets/publications/2024/pwc-my-cyber-security-act-2024-new-era-for-cybersecurity-in-malaysia.pdf

[6] Yik, C.S. (2018) Basics of Cyber Security Law in Malaysia, at https://chialee.com.my/basics-of-cyber-security-law-in-malaysia/

[7] Ismail, S., Ismail, Z.H., Hasanudin, S.F., & Ghazali, S.F. (2026) A Legal Analysis of Malaysia’s Privacy Law: Towards a More Resilient Legal Framework in the Digital Era. International Journal of Law, Government and Communication, 11(43), 41-51.

[8] Ibid

[9] Ibid

[10] Wright, D., & Raab, C. (2022) Privacy Impact Assessment. Springer

Key Contacts

Aireen Natasha

Associate

aireen@nzchambers.com

Zahid Zulkifli

Associate

zahid@nzchambers.com