
Malaysia’s groundbreaking Cross Border Data Transfer Guidelines explained


Malaysia’s newly released Cross Border Personal Data Transfer Guidelines mark a groundbreaking shift in its data protection regulatory landscape, requiring data controllers to conduct Transfer Impact Assessments and implement more robust safeguards for personal data transmitted overseas – bringing the country in line with global standards like the GDPR.

On 29 April 2025, Malaysia’s Cross Border Personal Data Transfer Guidelines (CBPDT Guidelines) came into effect.

The CBPDT Guidelines clarify the conditions set out under Section 129 of the Personal Data Protection Act 2010 (PDPA), and assist data controllers in determining the legally permissible ways in which they can transfer personal data from Malaysia overseas.

Overview of the CBPDT Guidelines

1. What are the conditions for a Cross Border Personal Data Transfer?

Under the CBPDT Guidelines, data controllers are only allowed to transfer personal data from Malaysia to any place outside Malaysia if:

  1. in the destination jurisdiction, there is in force any law that is substantially similar to the PDPA; or
  2. the destination jurisdiction ensures an adequate level of protection in relation to the processing of personal data that is at least equivalent to the level of protection afforded by the PDPA.

2. How should data controllers determine if a law is “substantially similar” to the PDPA?

Data controllers need to conduct a Transfer Impact Assessment (TIA) to determine whether the relevant personal data protection laws in the destination jurisdiction are substantially similar to the PDPA.

Such TIA must:

  1. identify the countries to which the personal data is to be transferred;
  2. assess the data protection laws available in each of the receiving countries based on the factors listed below (see question 3);
  3. determine whether there is in force a law substantially similar to the PDPA; and
  4. ensure that the decision to transfer personal data complies with the PDPA.

3. In assessing the “substantially similar” condition, what factors should be considered?

Data controllers must consider the following factors:

  1. whether the law provides data subjects with similar rights such as the right of access and the right to correct personal data;
  2. whether there are similar Personal Data Protection Principles[1] in place, such as the Security Principle[2];
  3. whether there are similar requirements with regards to the processing of personal data including collection, disclosure, retention, protection and cross border data transfer;
  4. whether there is a similar or equivalent requirement regarding the appointment of a data protection officer;
  5. whether there is a similar data breach notification requirement;
  6. whether there is a similar requirement imposed on data processors to protect personal data; and
  7. whether there exists a regulatory authority in that country similar to the Department of Personal Data Protection, with similar powers enabling it to effectively enforce the relevant personal data protection law.

Observation: The CBPDT Guidelines set out a comprehensive list of factors for assessing the “substantially similar” condition. However, the use of the term “similar” introduces a degree of interpretability, as the CBPDT Guidelines do not define a threshold for how close the foreign law must be before it counts as “similar.” For instance, it is not clear to what extent the foreign data protection officer requirement needs to mirror the PDPA’s requirement, both in the prescribed thresholds that trigger such an appointment and in the local residency and dual language proficiency prerequisites such an officer must satisfy.

4. How should data controllers determine if there is an “adequate level of protection”?

Similar to question 2 above, data controllers must conduct a TIA to determine that the level of protection of personal data offered by the receiving jurisdiction is equivalent to the PDPA.

Such TIA must:

  1. identify the countries to which personal data is to be transferred;
  2. assess the mechanism to protect personal data of the destination jurisdiction based on the factors listed below (see question 5);
  3. based on the findings of the TIA, determine (i) whether there are protection measures in place to ensure that the personal data is provided with an adequate level of protection equivalent to the PDPA, and (ii) whether there are further measures that must be taken by the recipient to ensure that personal data is adequately protected; and
  4. ensure that the decision to transfer personal data complies with the PDPA.

5. In assessing the “adequate level of protection” condition, what factors should be considered?

Data controllers must consider the following factors:

  1. whether the recipient has security measures and policies that are in line with the Security Principle[3] and the Personal Data Protection Standard[4];
  2. whether the recipient has in place any security related certifications which have assessed the systems in place to be secure;
  3. whether the recipient is bound by legally enforceable obligations (either through contract, agreement or by law) and whether such obligations can be enforced by the data controller or data subject whose personal data is to be transferred to such recipient;
  4. whether the data protection law governing the recipient can be easily enforced;
  5. the recipient’s past history of compliance with the relevant data protection law and whether it has experienced any data breach incidents;
  6. whether the recipient (data controller) imposes or is legally required to impose requirements on a data processor to protect personal data; and
  7. whether there is a regulatory authority similar to the Department of Personal Data Protection that performs the functions and exercises powers under the law regarding personal data protection.

Observation: It appears that all the steps set forth in the CBPDT Guidelines must be followed when conducting a TIA. While this ensures a structured and robust framework, the approach may be challenging to adhere to in certain contexts; for instance, it may not be feasible to ascertain the recipient’s compliance track record, or its contractual undertakings, with each and every one of its sub-processors.

6. What are the sources that can be relied on when conducting a TIA?

The TIA may be carried out by referring to the following sources of information:

  1. the laws, regulations, guidelines and circulars that relate to personal data protection;
  2. case law or decisions taken by independent judicial or administrative authorities regarding personal data protection matters;
  3. reports from intergovernmental organisations, independent oversight bodies, business and trade associations and professional bodies;
  4. news reports of data breaches;
  5. reports provided by the recipient relating to the personal data protection practices and history of said data controller/data processor;
  6. research articles relating to personal data protection laws and practices of receiving country/jurisdiction; and
  7. such other sources of information that are credible and not outdated relating to personal data protection.

7. What is the validity period for the TIA?

In contrast to the European Union’s General Data Protection Regulation (GDPR), which sets no validity period for TIAs, the CBPDT Guidelines limit the validity of TIA findings to a maximum of three years, after which data controllers must carry out a follow-up TIA.

Observation: While the CBPDT Guidelines require data controllers to assess whether the foreign law remains substantially similar to the PDPA or continues to provide adequate protection, they do not specifically address the status of data transfers during the period between a legal change and the completion of the updated TIA. This gap could create some degree of uncertainty particularly if the implementation period is short, and may expose Organisations to potential non-compliance with the CBPDT Guidelines or the PDPA if personal data continues to be transferred during that interim period.

8. Must consent be obtained from data subjects for cross border data transfers?

As under the GDPR, consent is a standalone basis for transfer: data controllers can transfer personal data to a place outside Malaysia if the data subject has given consent to the transfer[5].

To obtain consent, the data controllers must first provide a personal data protection notice to the data subject containing the following information regarding cross border transfers of personal data:

  1. third parties to whom the data is transferred; and
  2. the purpose of the transfer.

After the data subject has been provided with the personal data protection notice, data controllers must obtain consent of data subject for the personal data transfer. The consent must be recorded and maintained in accordance with the requirements of the Personal Data Protection Regulations.

9. Are there any exceptions to the legal requirements under Section 129(1) of the PDPA?

Section 129(3) of the PDPA permits cross border transfers without the need to satisfy the “substantially similar laws” or “adequate level of protection” conditions where one of the following specific exceptions applies:

Transfer necessary for the performance of a contract between data subject and data controller 

A data controller that has a contract with the data subject may rely on Section 129(3)(b) of the PDPA for cross border personal data transfers if:

  1. based on the list of factors,[6] the transfer is necessary for the data controller to carry out its obligations under the contract; and
  2. those obligations are for the core purpose of the contract.

There must be a direct and objective link between the performance of contract and the cross border personal data transfers.

Transfer necessary for conclusion or performance of contract between data controller and third party

A data controller may rely on Section 129(3)(c) of the PDPA for cross border personal data transfers if:

  1. the transfer is necessary for the conclusion or performance of a contract between the data controller and a third party;
  2. the contract (i) is entered into at the request of the data subject, or (ii) is in the interests of the data subject; and
  3. based on the list of factors,[7] the transfer is necessary for the conclusion or performance of that contract.

Transfer for the purpose of legal proceedings 

A data controller may rely on Section 129(3)(d) of the PDPA for cross border personal data transfers if the transfer is for the purpose of:

  1. legal proceedings;
  2. obtaining legal advice; or
  3. establishing, exercising or defending legal rights.

Observation: The CBPDT Guidelines require that personal data be transferred for a specified purpose rather than a general one. While this helps prevent blanket personal data transfers, it may also increase the risk of non-compliance if the original specified purpose is no longer applicable over time.

10. Are there any other requirements that data controllers should take note of?

Data controllers should take all reasonable precautions and exercise all due diligence to ensure that the personal data transferred will not be processed in any manner that would contravene the PDPA. Such precautions and due diligence may be demonstrated through any of the following mechanisms:

  1. Binding Corporate Rules;
  2. Contractual Clauses; and
  3. Certification under an approved certification scheme.

Observation: No standard templates have been issued for the first two mechanisms (Binding Corporate Rules and Contractual Clauses), although companies can take reference from the Association of Southeast Asian Nations (ASEAN) model contractual clauses.[8] The CBPDT Guidelines also cite the APEC Cross Border Privacy Rules (CBPR) System as an example of a certification mechanism that data controllers may rely on. As the APEC CBPR transitions into the Global CBPR system, it may be anticipated that Malaysia will be receptive to recognising the latter as a valid certification mechanism in due course.

Next steps for Organisations  

1. Conduct data mapping exercise 

Data controllers should conduct a data mapping exercise to determine the jurisdictions involved in any transfer of personal data from Malaysia. This exercise will enable a more robust assessment process that ensures compliance with these CBPDT Guidelines.

2. Internal review of data protection policies  

Data controllers should review their data privacy policies to assess the feasibility of each of the applicable legal mechanisms afforded by the CBPDT Guidelines. 

3. Update data protection clauses in new and existing agreements involving the processing of Malaysia originating/outbound transfers of personal data 

Organisations should conduct a comprehensive review of both new and existing agreements to ensure that their data protection clauses comply with the CBPDT Guidelines. These clauses should expressly address cross border personal data transfers and specify the rights of data subjects.

Conclusion 

The CBPDT Guidelines introduce a more structured and prescriptive framework for cross border personal data transfers in Malaysia. While the CBPDT Guidelines align Malaysia more closely with global standards, there remain areas that would benefit from further clarity; such questions will undoubtedly arise as organisations in Malaysia come into compliance with the recent spate of groundbreaking developments across Malaysia’s data protection regulatory landscape.

Should you need assistance or have enquiries about whether and how this new regulatory requirement affects your organisation, please reach out to your usual contact at Hogan Lovells or the authors.


Authored by Charmian Aw and Audrey Koh.

References

[1] See Section 5 of the PDPA.

[2] See Section 9 of the PDPA.

[3] See Section 9 of the PDPA.

[4] Personal Data Protection Standard 2015, https://www.pdp.gov.my/ppdpv1/en/personal-data-protection-standard-2015/

[5] See Section 129(3)(a) of the PDPA.

[6] See paragraphs 8.3 and 8.4 of the CBPDT Guidelines.

[7] See paragraphs 8.3 and 8.4 of the CBPDT Guidelines.

[8] ASEAN Model Contractual Clauses for Cross Border Data Flows, https://asean.org/wp-content/uploads/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf
