Malaysia's Evolving AI Regulatory Landscape
Organizations deploying artificial intelligence in Malaysia face a governance environment that has shifted more in the past eighteen months than in the preceding decade. Two regulatory developments now define how businesses must handle AI across the country, and neither can be addressed in isolation.
The first is the PDPA Amendment Act 2024, which entered phased implementation between January and June 2025 and introduced the most substantial changes to Malaysia's data protection regime since the original act was passed in 2010. The second is the National AI Governance and Ethics Guidelines (AIGE), a voluntary framework published by the Ministry of Science, Technology, and Innovation (MOSTI) in September 2024 that establishes ethical expectations reaching well beyond data protection into algorithmic fairness, transparency, and societal impact.
Adding further urgency, the newly established National AI Office (NAIO) is actively developing dedicated AI legislation with a potential enactment target in the second half of 2026. Bank Negara Malaysia (BNM) has separately released AI governance guidelines for financial services. For C-suite leaders, the message is clear: the window for voluntary, self-directed compliance planning is narrowing.
PDPA 2025 Amendments: What Changed
Malaysia's Personal Data Protection Act 2010 underwent its most significant revision through the Amendment Act 2024, implemented in three phases from January to June 2025. Every provision carries direct implications for AI-driven operations.
Mandatory Data Protection Officer (DPO)
Data controllers and processors that meet the thresholds in the Commissioner's DPO guideline (which turn on the number of data subjects, whether sensitive personal data is processed, and whether the processing involves regular and systematic monitoring) must appoint a Data Protection Officer and register the appointment with the Commissioner. For organizations in scope this turns AI governance from an informal responsibility into a named, accountable function: the DPO oversees AI-related data processing, checks that training data is collected and used in line with the PDPA, and takes part in privacy impact assessments for AI systems. The role can be filled by an existing employee or outsourced to a third party, provided the appointee holds adequate authority and resources to fulfil the mandate.
Mandatory Data Breach Notification
For the first time in Malaysian law, data controllers must notify the Personal Data Protection Commissioner of a personal data breach, and must also notify the affected data subjects where the breach is likely to cause them significant harm. The obligation is technology-neutral, so it covers AI systems as much as any other processing: leaked training data, exposed prompt logs, and model outputs that disclose personal information all fall within it. The Act requires notification "as soon as practicable"; the Commissioner's breach notification guideline sets the expectation at 72 hours for the notice to the Commissioner, and the notice must describe the breach, the categories of data affected, and the remedial steps being taken. Organizations that have treated AI model security as a secondary concern now face a legal reporting clock that demands tested incident response procedures.
Data Portability
Individuals now hold the right to request their personal data in a portable format. For companies operating AI systems that maintain user profiles, behavioral preferences, or personalization data, this means building technical portability mechanisms into the architecture. Data used to customize AI experiences may need to be transferable to competing services on request, a requirement that touches product design, engineering, and legal teams simultaneously.
Cross-Border Data Transfer
The amendments rewrite Section 129 on transfers of personal data outside Malaysia. The former whitelist of approved destination countries is gone; a data controller may transfer personal data to a jurisdiction whose law is substantially similar to the PDPA or which otherwise ensures an equivalent level of protection, or must rely on one of the statutory exceptions (data subject consent, contractual necessity, or the controller having taken all reasonable precautions and exercised due diligence). Cloud-based AI processing in foreign data centres and model training that uses data from Malaysian users both fall within this regime, and the assessment should be documented before the transfer takes place.
National AI Governance and Ethics Guidelines (AIGE)
Released by MOSTI in September 2024, the AIGE Guidelines establish seven principles that together define Malaysia's expectations for responsible AI development and deployment.
The first principle requires that AI systems align with Malaysian values, including the Rukun Negara national principles. The second demands that AI create genuine value for both society and the economy. The third, fairness, mandates that AI must not discriminate or produce unjust outcomes. The fourth principle establishes clear accountability for AI decisions and their consequences. The fifth calls for transparency and explainability, requiring that AI decision-making processes be understandable to those affected. The sixth addresses resilience and security, stipulating that AI systems must be robust against both failures and adversarial attacks. The seventh principle, inclusivity, requires that AI be accessible to and beneficial for all segments of Malaysian society.
Scope and Status
The AIGE framework is currently voluntary and not legally binding, though it is explicitly designed as a living document subject to periodic revision. It is addressed to all organizations developing or deploying AI in Malaysia. The critical strategic consideration is that these guidelines may evolve into enforceable requirements as Malaysia progresses toward dedicated AI legislation, so early alignment is not just good practice but regulatory foresight.
The National AI Office (NAIO)
Established in December 2024, NAIO serves as Malaysia's central coordination body for AI policy and is expected to deliver several foundational outputs in 2026.
Key Deliverables (Expected 2026)
NAIO's forthcoming work program includes four major items: the AI Technology Action Plan 2026-2030, which will serve as the country's five-year strategic roadmap; an AI Code of Ethics with potentially enforceable standards; an AI Adoption Regulatory Framework providing structured oversight; and a consolidated set of government datasets intended to support open AI development.
Potential AI Legislation
The Malaysian government is actively considering dedicated AI legislation and is weighing three approaches: a standalone AI law; enforceable AI rules layered onto existing legislation; or expanded voluntary standards paired with enforcement mechanisms for specific high-risk uses. Whichever path is chosen will shape compliance obligations for every organization operating AI in the country.
Bank Negara Malaysia (BNM) AI Guidelines
BNM's Discussion Paper on Artificial Intelligence in the Malaysian Financial Sector, released in August 2025, sets out proposed AI governance expectations for financial institutions. It was issued for a 10-week public consultation that closed in October 2025, and its scope covers banks, insurance and takaful operators, and licensed fintech companies.
The paper arrives at a moment when adoption is already widespread: 71% of banking institutions and 77% of insurance operators in Malaysia already use AI, according to BNM's own assessment. Current applications span customer analytics, fraud detection, credit scoring, and compliance automation. The regulatory intent is clearly to establish governance guardrails around technology that the sector has already embraced at scale.
How to Comply
Step 1: PDPA Compliance Foundation
The starting point is structural. Organizations that meet the DPO thresholds and have not yet appointed a Data Protection Officer should do so immediately, as this underpins every subsequent compliance activity; organizations below the thresholds should still name an accountable owner for AI data processing. Data breach notification procedures must be implemented and rehearsed before an incident occurs, not during one, because the 72-hour expectation leaves no time to design a process. Cross-border data transfer arrangements for AI systems require review against amended Section 129, and data portability mechanisms need to be built into systems that hold personal data used in AI-driven personalization or profiling.
Step 2: AI Data Audit
With the DPO role established, the next priority is a comprehensive mapping of all personal data flowing through AI systems, covering training data, operational inputs, and model outputs. Each data processing activity must be tied to a lawful basis under the PDPA. Organizations should assess whether existing consent is current and sufficiently specific for AI-related uses, which often differ materially from the purposes for which data was originally collected. Data retention policies for AI training data must be documented and defensible.
Step 3: AIGE Alignment
Organizations should map every deployed AI system against the seven AIGE principles, with particular attention to fairness, transparency, and accountability, the three areas where gaps are most commonly found. Governance measures should be implemented to close identified gaps, and the alignment work should be thoroughly documented. Even though the AIGE framework remains voluntary today, this documentation will prove valuable when binding requirements arrive.
Step 4: Prepare for AI Legislation
The regulatory trajectory points unmistakably toward binding AI law. Organizations should monitor NAIO announcements and consultations, participate in public comment periods when they open, and engage with industry associations and NAIO working groups. The most important investment, however, is building governance infrastructure now that can be adapted to enforceable requirements when they materialize. Organizations that treat current voluntary frameworks as a rehearsal for mandatory compliance will hold a significant advantage over those that wait.
Related Regulations
Malaysia's AI governance framework does not exist in isolation. Singapore's PDPA and its more mature AI governance regime, developed through the Infocomm Media Development Authority (IMDA), provide a comparable and in many respects more advanced reference point. Indonesia's PDP Law introduces similar GDPR-inspired data protection requirements in the neighboring market. The ASEAN AI Governance Guide offers a regional framework with which Malaysia's AIGE guidelines are designed to align. Domestically, Malaysia's Human Resources Development Fund (HRDF) supports AI training programs that complement governance efforts by building organizational capacity to implement these requirements.
What the AIGE Framework Introduces Beyond Traditional PDPA Requirements
The relationship between the PDPA amendments and the AIGE framework is complementary rather than duplicative, and understanding this distinction is essential for compliance planning. The AIGE framework, developed by MOSTI in collaboration with the Malaysia Digital Economy Corporation (MDEC), represents a significant expansion beyond the data protection focus of the PDPA into broader questions of algorithmic governance.
The PDPA still does not apply to the federal and state governments; the 2024 amendments left that exemption in place, so public-sector AI deployments remain outside the Act even where they process citizen data. What the amendments do change is nonetheless substantial: the term "data user" becomes "data controller" and data processors now carry direct security obligations; mandatory breach notification is introduced; the cross-border transfer rules are rewritten; a right to data portability and a DPO obligation are added; and the maximum penalty for breaching the data protection principles rises to a fine of RM1 million and three years' imprisonment. The Commissioner's enforcement powers are strengthened rather than restructured, bringing Malaysia's supervisory model closer to those of comparable jurisdictions.
The AIGE framework operates on a fundamentally different plane. While the PDPA amendments address the protection of personal data, the AIGE framework establishes broader AI governance expectations covering fairness, transparency, accountability, safety, and societal impact assessment. Organizations deploying AI systems in Malaysia must now navigate both instruments simultaneously: the PDPA governing data inputs and processing activities, and the AIGE framework addressing algorithmic outputs, decision-making impacts, and ethical considerations.
Practical Compliance Architecture for AI Deployments in Malaysia
Organizations operating AI systems within Malaysian jurisdiction should implement parallel compliance workstreams, each addressing a distinct regulatory layer.
The first workstream is data protection compliance. Conduct a Data Protection Impact Assessment (DPIA) for each AI processing activity that involves personal data; the PDPA does not mandate DPIAs, but they are the practical way to evidence that the processing was assessed against the Act's seven data protection principles: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access. Register with the Department of Personal Data Protection where the organization falls within a class of data controllers required to register, and implement notice and consent mechanisms that cover AI-specific purposes rather than relying on consent collected for something else.
The second workstream is AI governance compliance. Organizations should map every deployed AI system against the AIGE framework principles, conducting proportionality assessments that evaluate the risk level of each application against its societal benefit. This approach mirrors the methodology recommended by Singapore's IMDA framework but must be adapted to Malaysian regulatory expectations and the specific requirements of the AIGE guidelines.
The third workstream addresses sectoral overlay requirements. Industries regulated by Bank Negara Malaysia must additionally comply with the Risk Management in Technology (RMiT) framework's AI-relevant provisions. Healthcare organizations must follow Ministry of Health digital health guidelines. Telecommunications operators face requirements from the Malaysian Communications and Multimedia Commission (MCMC). These sectoral obligations layer on top of the PDPA and AIGE requirements rather than replacing them.
The fourth workstream covers cross-border considerations. Organizations transferring AI training data or model outputs to jurisdictions outside Malaysia must comply with the PDPA's cross-border transfer provisions under amended Section 129. A transfer is permitted where the destination jurisdiction has law substantially similar to the PDPA or ensures an equivalent level of protection; otherwise the controller must rely on a statutory exception such as data subject consent, contractual necessity, or having taken all reasonable precautions and exercised due diligence, which in practice means contractual safeguards or binding corporate rules backed by a documented transfer assessment.
Malaysian organizations should also monitor developments from the National AI Office, which coordinates national AI strategy implementation including the forthcoming AI Technology Action Plan 2026-2030. The regulatory landscape is converging toward a comprehensive, enforceable AI governance regime, and the organizations that build compliance infrastructure now will be best positioned when that convergence is complete.
Common Questions
Is AI regulation mandatory in Malaysia?
No. The National AI Governance and Ethics Guidelines (AIGE) are currently voluntary. However, the PDPA amendments (DPO, breach notification, data portability) ARE mandatory, with all three phases in force as of June 2025. Malaysia is also developing dedicated AI legislation that could make some AIGE principles enforceable by the second half of 2026.
When did the DPO requirement take effect, and who must appoint one?
The DPO requirement took effect on 1 April 2025 in Phase 2 of the PDPA amendments (data portability followed in Phase 3 on 1 June 2025). It applies to data controllers and processors that meet the thresholds in the Commissioner's DPO guideline, not to every organization that handles personal data. Companies whose AI systems process personal data at scale, or that involve sensitive data or systematic monitoring, will commonly fall within those thresholds.
Does the PDPA regulate automated decision-making?
Not yet explicitly. The current PDPA does not have a specific provision for automated decision-making (unlike GDPR Article 22). However, profiling and automated decision-making guidelines are expected from the Personal Data Protection Commissioner. Companies should monitor for these developments.
What is NAIO and why does it matter?
NAIO (National AI Office) is Malaysia's central AI policy coordination body, established in December 2024. It matters because NAIO is developing the AI Technology Action Plan 2026-2030, an AI Code of Ethics, and an AI Adoption Regulatory Framework. It is the body most likely to shape Malaysia's future binding AI regulations.
Do BNM's AI guidelines apply to fintech companies?
Yes, in their proposed form. Bank Negara Malaysia's discussion paper on AI was released for consultation in August 2025 and is addressed to all financial institutions regulated by BNM: banks, insurance operators, takaful operators, and licensed payment and fintech companies. Final requirements will follow the consultation, so fintech companies should treat the paper as the baseline for what is coming.
References
- Personal Data Protection (Amendment) Act 2024. Government of Malaysia (2024).
- National Guidelines on AI Governance and Ethics (AIGE). Ministry of Science, Technology and Innovation (MOSTI) (2024).
- Discussion Paper on Artificial Intelligence in the Malaysian Financial Sector. Bank Negara Malaysia (BNM) (2025).
- National AI Office (NAIO) — Malaysia. Ministry of Digital, Malaysia (2024).
- National Guidelines on Artificial Intelligence Governance and Ethics (AIGE). Government of Malaysia (2024).
- Malaysia — Global AI Ethics and Governance Observatory. UNESCO (2024).
- The National Guidelines on AI Governance & Ethics. Malaysian Science, Technology Information Centre (MASTIC) (2024).