Protection file

Malaysian Personal Data Protection Act 2010: Does It Apply to Government Agencies? – Private life

Malaysia: Malaysian Personal Data Protection Act 2010: Does It Apply to Government Agencies?

To print this article, simply register or connect to

Section 3 (1) of the Personal Data Protection Act 20101(“The Act”) provides that “This Act does not apply to the Federal Government and the State GovernmentSo what do the federal and state governments mean in this context? Section 3 of the 1948 and 1967 Interpretation Acts2(“IA 1948 and 1967”) then defines the federal government as the government of Malaysia and the state government as the government of a state. The question here is whether the definition in section 3 is broad enough to cover government agencies.

To date, no case has interpreted the meaning of federal government or state government in the context of the law, making the definitions too general and too broad. Therefore, given that there are no clear limitations or restrictions by laws and case law to the definitions provided in the above, it can be argued that the definition of the federal government can also include government agencies since these agencies are invariably part of government. Under section 3 of the law, government agencies are exempt from all liability under the law. In our view, the terms “federal government” and “state government” do not include entities such as state-owned enterprises for the simple reason that they have their own legal personality.

Personal Data Protection Act 2010 and tort law

At present, the law does not provide any express right for affected persons to bring a civil action for violation of the law against the government. Nonetheless, they can still invoke the tort of negligence and pursue the case as part of a tort action against the data user who disclosed their personal data provided that if they are able to provide the court with the evidence. that their personal data was disclosed by the data users and this leak was due to the negligence of the data users.

Personal data“is defined in article 4 of the law as any information relating to commercial transactions, which:

a. is processed in whole or in part by means of equipment operating automatically in response to instructions given for this purpose;

b. is recorded with the intention that it be processed in whole or in part by means of such equipment; Where

vs. is registered under a relevant classification system or with the intention of being part of a relevant classification system.

Thus, any data user who discloses the personal data of a data subject to the public is liable to tort for negligence.

Cases involving other governments

At the time of writing, there were no reported cases where a court has ruled that a government agency is responsible for the data breach in its possession. However, there are cases where governments have admitted to being the source of data leaks. For example3:


Data breach


A cyberattack on the government’s “France-Visas” website violated the personal data of people wishing to visit or emigrate to the country.

United States (West Virginia)

The state government has revealed that its Mid Atlantic Career Consortium Employment Services (MACC) database was breached after a cyber attack on Workforce West Virginia, which has the largest database of job seekers in the world. ‘State.

Government of Quebec, Canada

The government of Quebec has admitted a data breach potentially affecting approximately 360,000 teachers employed in the Canadian province.

New Zealand

Generate, a savings program provider with ties to the New Zealand government, reported a security incident affecting around 26,000 citizens.


The London Metropolitan Police, whose data was managed by Suprema, was exposed to a breach in which a database containing more than a million fingerprints, usernames, passwords and data facial recognition has been disclosed.


To conclude, the law does not apply to federal and state governments and this position also indirectly applies to government agencies due to the broad definition provided in IA 1948 and 1967. The law does not appear to apply. apply to public entities and public companies. . Nonetheless, as a safety measure, the federal government, state government and government agencies must ensure proper management of data for the simple reason that the government can still be accused of having a duty of care under the law. misdemeanors. Failure to do so may still expose the government to civil lawsuits.

Footnotes ——————–


The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

POPULAR POSTS ON: Malaysia Privacy

Data Protection Laws In India – Everything You Need To Know

Vaish Associates Advocates

Data protection refers to all of the privacy laws, policies and procedures that aim to minimize the privacy intrusion caused by the collection, storage and dissemination of personal data. Personal data generally refers to information or data relating to an individual who can be identified from that information or data, whether collected by a government or private organization or agency.