
PDPA AI Compliance

PDPA AI compliance refers to the application of Malaysia's Personal Data Protection Act 2010 to artificial intelligence systems, governing how personal data may be collected, processed, and used in AI training, inference, and deployment.

Last updated: May 2026

PDPA AI compliance describes the legal and operational obligations imposed on organisations that develop, deploy, or operate artificial intelligence systems involving personal data in Malaysia, as governed by the Personal Data Protection Act 2010 (Act 709) and its subsequent amendments. The Act regulates the processing of personal data in commercial transactions and applies to both Malaysian and foreign data users who process the personal data of individuals in Malaysia. As AI systems frequently consume large volumes of personal data — for training, fine-tuning, retrieval, recommendation, and inference — they are squarely within the scope of the PDPA, even when the legal text predates many modern AI techniques.

Statutory Framework

The PDPA establishes seven Personal Data Protection Principles that data users must observe: the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle, and the Access Principle. Each principle has direct implications for AI systems. The General Principle requires consent for processing, the Notice and Choice Principle requires written notice in Bahasa Malaysia and English specifying the purposes of processing, and the Security Principle requires reasonable steps to protect personal data against loss, misuse, modification, unauthorised access, and unauthorised disclosure.

The Personal Data Protection (Amendment) Act 2024, which received royal assent in 2024 and was operationalised in stages from 2025, introduced significant changes including mandatory data breach notification, mandatory appointment of a Data Protection Officer (DPO) for certain classes of data users, cross-border data transfer reforms, increased penalties, and the recognition of data portability rights for individuals.

Application to AI Systems

Training Data and Lawful Basis

Where personal data is used to train an AI model, the organisation must establish a lawful basis under the PDPA, typically consent or a recognised exemption. Web-scraped datasets that include personal data, even data publicly visible on the internet, are not automatically exempt from PDPA obligations. The Department of Personal Data Protection (JPDP) has signalled that organisations training models on Malaysian individuals' data must consider whether the original collection complied with PDPA notice and consent requirements.

Sensitive Personal Data

The PDPA defines sensitive personal data as personal data consisting of information as to the physical or mental health, political opinions, religious beliefs, the commission or alleged commission of any offence, or any other data the Minister may prescribe. Processing of sensitive personal data requires explicit consent. AI systems in healthcare, judicial, or political contexts must therefore be designed with explicit consent flows and additional safeguards.

Automated Decision-Making

While the PDPA does not currently contain a dedicated provision on automated decision-making equivalent to Article 22 of the EU General Data Protection Regulation (GDPR), the Notice and Choice and Disclosure Principles together require that individuals be informed about the purposes for which their data will be processed. The Malaysia AI Governance and Ethics Guideline, published by MOSTI in 2024 alongside the National AI Office, calls for transparency, accountability, and human oversight of consequential automated decisions, supplementing the PDPA's general obligations.

Cross-Border Data Transfers

The 2024 amendments shifted Malaysia from a "white list" approach for cross-border transfers to a system permitting transfers to jurisdictions providing adequate protection or pursuant to specific safeguards. This affects AI deployments that use cloud LLM APIs hosted outside Malaysia: organisations must assess whether the destination jurisdiction is adequate or whether contractual safeguards are in place.

Data Breach Notification

The amendments introduced mandatory notification of significant personal data breaches to the Personal Data Protection Commissioner within prescribed time frames and to affected data subjects where there is a likelihood of significant harm. AI systems are common breach surfaces — through prompt injection attacks, training data extraction, or misconfigured vector databases — and organisations must include AI components in their incident response plans.

Sectoral Codes of Practice

The PDPA framework allows industry sectors to develop codes of practice that elaborate on PDPA obligations in their specific context. The Banking and Financial Sector Code, the Communications Sector Code, the Aviation Sector Code, and others have been registered. As of 2025, discussions are underway on sector-specific guidance for AI in financial services (in cooperation with Bank Negara Malaysia and the Securities Commission Malaysia), in healthcare (in cooperation with the Ministry of Health), and in education.

Enforcement and Penalties

The Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, JPDP) under the Ministry of Digital is the regulator. Penalties under the amended PDPA include fines up to RM 1,000,000 and imprisonment of up to three years for serious offences, with administrative penalties for lesser breaches. The JPDP has the power to investigate complaints, audit data users, and issue enforcement notices.
