Malaysia’s data protection law just got a lot more serious, and the grace period is over. The Personal Data Protection (Amendment) Act 2024 has now completed its phased rollout, with every provision in force and no remaining transition periods.

For most Malaysian businesses, this isn’t a new piece of legislation to learn from scratch, it’s the existing Personal Data Protection Act 2010 with sharper teeth and a longer list of obligations. This article covers what actually changed, why the penalties now matter a lot more, and what it means for the contracts your business already has in place.

A Phased Rollout That’s Now Complete

The Amendment Act was passed by Parliament in 2024 and rolled out in stages, with key provisions on data breach notification and DPO appointment coming into force from June 2025. As of 2026, there’s no longer a grace period to point to — every business handling personal data in Malaysia is expected to already be compliant.

The Penalties Got Much Steeper

This is the change that should get every business owner’s attention. The maximum fine for breaching the PDPA’s core data protection principles has more than tripled, from RM300,000 to RM1,000,000, alongside a jail term that increased from two years to three.

Enforcement is also expected to catch up with the new penalty structure. Commentary on the rollout has noted that the full impact of the RM1 million ceiling is expected to show up in enforcement actions through late 2025 and into 2026, as the Commissioner exercises its expanded powers.

Gavel resting on bank notes, representing the increased PDPA fines in Malaysia

What Actually Changed

Five changes are worth knowing in practical terms:

Why This Is a Contracts Problem, Not Just a Policy Problem

Many businesses treat PDPA compliance as a privacy-policy exercise: update the notice on the website, tick the box, move on. The 2024 amendments make that approach incomplete.

Because data processors are now directly subject to the Act’s security obligations and face criminal liability for failing to meet them, every service agreement, vendor contract, or outsourcing arrangement that involves handling customer or employee data now needs clear terms on who is responsible for what. A generic provision-of-services contract that says nothing about data handling leaves both parties exposed if something goes wrong.

The same goes for any contract that moves data overseas — to a regional headquarters, an offshore payroll vendor, or a cloud provider outside Malaysia. The new cross-border test means a contract that was compliant under the old rules may not automatically satisfy the current one.

Two people signing a business contract document

How C P Ngoo & Co Can Help

Under our Corporate and Commercial practice, we draft and review provision-of-services contracts and sale of goods agreements, and that now routinely includes making sure data handling responsibilities, breach notification duties, and cross-border transfer terms are actually addressed in the agreement, not left to a separate privacy policy that nobody contractually agreed to.

Where a data handling failure turns into a dispute between a business and its vendor or service provider, our Litigation practice covers contractual disputes generally, including disagreements over who was responsible for a breach and what the contract actually required.