The Central Role of the Personal Data Protection Act 2010 (PDPA)

At the heart of datacentre compliance in Malaysia lies the Personal Data Protection Act 2010 (PDPA). The PDPA regulates the processing of personal data in commercial transactions and establishes seven data protection principles, including General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access.

For datacentre operators, the Security Principle is particularly significant. Section 9 of the PDPA imposes a legal obligation to take “practical steps” to protect personal data from loss, misuse, modification, unauthorised or accidental access, or disclosure. In practice, this extends to ensuring both technical safeguards—encryption, firewalls, intrusion detection—and organisational safeguards, such as staff vetting and access control policies. The Personal Data Protection Commissioner has also issued subsidiary Codes of Practice that provide more granular requirements.

Cross-border transfers of personal data are another critical compliance issue. Section 129 of the PDPA restricts transfers of personal data outside Malaysia unless the destination jurisdiction has been whitelisted by the Minister or the data subject has consented. For multinational cloud operators, this provision has practical implications on system architecture, particularly where data mirroring or failover storage involves foreign servers.

Cybersecurity Obligations and Critical National Information Infrastructure

Beyond personal data regulation, datacentres are also subject to Malaysia’s cybersecurity framework. The National Cyber Security Policy (NCSP), though not a statute in itself, establishes guiding principles for safeguarding Critical National Information Infrastructure (CNII). Where datacentres host systems or datasets considered CNII—for example, financial systems, healthcare records, or government databases—they may be subject to heightened scrutiny and mandatory audits.

In addition, the Communications and Multimedia Act 1998 (CMA) governs network facilities and services. Depending on the scope of activity, datacentre operators may be required to obtain licensing or registration from the Malaysian Communications and Multimedia Commission (MCMC). Non-compliance with licensing obligations can result in statutory penalties, including fines and revocation of authorisation.

Land Use, Environmental and Energy Regulation

The physical establishment of a datacentre engages a different suite of laws relating to land use and environmental control. Under the Town and Country Planning Act 1976 and its subsidiary state enactments, land must be appropriately zoned for industrial or infrastructure use before construction may proceed. Building plan approvals and development orders must be obtained from local planning authorities.

Given the significant energy footprint of datacentres, environmental law plays a central role. The Environmental Quality Act 1974 mandates environmental impact assessments (EIA) for prescribed activities, and while datacentres are not explicitly listed, projects above a certain scale—particularly where power generation or water cooling facilities are involved—may trigger EIA requirements. Compliance with energy efficiency standards is increasingly relevant, with Tenaga Nasional Berhad (TNB) and the Energy Commission imposing conditions relating to load demand, connection infrastructure, and carbon emissions reporting.

Taxation, Foreign Investment and Incentives

From a commercial law perspective, datacentre operators must also navigate Malaysia’s taxation and investment control landscape. The Income Tax Act 1967 governs tax liabilities, while the Promotion of Investments Act 1986 allows for pioneer status or investment tax allowances for projects in high-value sectors such as digital infrastructure. The Malaysian Investment Development Authority (MIDA) has published guidelines on incentives for green technology and datacentre investments, but these incentives are conditional upon compliance with sustainability and local content requirements.

Foreign ownership of datacentres is generally permitted, but may attract scrutiny under the guidelines of the Economic Planning Unit (EPU), particularly if the project involves strategic assets or exceeds prescribed thresholds of shareholding. Sectoral equity conditions, though largely liberalised, remain applicable in certain circumstances.

Contractual and Risk Allocation Mechanisms

Finally, legal compliance in Malaysia is reinforced through private law instruments, particularly service level agreements (SLAs). These contracts are not merely commercial arrangements but also vehicles for legal compliance. They typically include representations and warranties regarding PDPA compliance, indemnities for data breaches, and allocation of liability for downtime or service interruptions.

Malaysian courts have increasingly recognised the enforceability of such provisions, provided they do not contravene public policy or statutory requirements. Operators are therefore advised to ensure that contractual risk allocation aligns with statutory duties, as failure to do so may not only expose them to contractual liability but also regulatory sanctions.

The regulatory environment for datacentres in Malaysia is both complex and fragmented. Operators must approach compliance as a multi-disciplinary exercise, covering privacy and data protection, cybersecurity, land use and environmental law, investment regulations, and contractual frameworks. Unlike in some jurisdictions, there is no single datacentre law; instead, operators must weave together a compliance strategy that addresses overlapping statutory and regulatory demands.

As Malaysia positions itself as a regional hub for digital infrastructure under the MyDIGITAL blueprint, regulatory scrutiny will only intensify. For investors and operators, the legal challenge is not only one of compliance, but also of foresight: anticipating regulatory changes, embedding compliance into operational models, and ensuring that datacentre operations remain both lawful and resilient in an era of escalating digital dependence.

Kevin Wu is the editor and focuses on curating stories and articles relevant to modern-day business owners and corporate leaders in the South-east Asia region.

This article was contributed and sponsored by Kevin Wu & Associates, a full-service law firm based in Kuala Lumpur with practice areas in corporate, dispute resolution, criminal, family office and company secretarial services. KWA offers preliminary consultation and legal advisory to all Temasek Post readers.