Navigating the Digital Tides: Google’s Current Data Protection Challenges in Malaysia
PERSONAL DATA PROTECTION ACT, LAW AMENDMENT
Muhammad Asmirul
10/30/2025, 4 min read


The data protection landscape in Malaysia is undergoing its most significant transformation since the Personal Data Protection Act 2010 (PDPA) came into force. For global technology companies like Google, which operates extensive cloud services and consumer platforms, these changes—spearheaded by the Personal Data Protection (Amendment) Act 2024—present new, immediate, and high-stakes legal compliance challenges.
While no major, unique court cases involving Google are currently dominating headlines, the existing legal friction points lie in adapting internal operations to meet the new, more stringent regulatory requirements and increased government scrutiny over online data usage.
Here are the particular data protection and legal issues that Google, and similarly-situated tech giants, are currently navigating in Malaysia:
1. The High-Stakes Compliance Gauntlet of the PDPA 2024
The amendments to the PDPA, with various sections coming into force in stages throughout 2025, align Malaysia’s laws more closely with global standards like GDPR, significantly raising the compliance bar and the cost of failure.
A. Direct Liability for Data Processors
Perhaps the most crucial change for service providers like Google Cloud is the direct imposition of obligations on Data Processors. Previously, the PDPA only imposed legal duties on "data users" (now "data controllers").
The Amendment Act 2024 now directly requires data processors to comply with the Security Principle. This means Google must not only offer contractual guarantees but is now also statutorily required to take practical steps to protect personal data from loss, misuse, modification, or unauthorized access, and faces legal consequences if it fails to do so [1, 2].
B. Mandatory Breach Notification and Increased Penalties
The government has introduced a mandatory data breach notification regime [1, 3]. Data controllers must now:
Notify the Commissioner of any personal data breach "as soon as practicable."
Notify affected data subjects "without unnecessary delay" if the breach is likely to cause significant harm [1].
Furthermore, penalties for contravening the PDPA principles have been significantly increased—up to MYR 1 million (approximately USD 215,000) and/or up to three years of imprisonment [2, 4]. For a multinational corporation, the sheer scale of potential fines across jurisdictions makes the mandatory notification requirement a critical, high-risk operational challenge.
C. New Accountability Measures: DPOs and Data Portability
The PDPA 2024 introduces two new fundamental requirements [2, 3]:
Mandatory Appointment of a DPO: Both data controllers and data processors must appoint at least one Data Protection Officer (DPO) to oversee compliance [2].
Right to Data Portability: Data subjects now have the right to request that their personal data be transmitted directly to another data controller of their choice, subject to technical feasibility [3]. Google must ensure its platforms are technically ready to address such complex transfer requests.
2. Navigating Government Scrutiny on Digital Identity and Online Safety
Beyond legislative amendments, Google is facing direct regulatory pressure from the Malaysian Communications and Multimedia Commission (MCMC) regarding user identity and online governance.
A. The Push for eKYC (Electronic Know Your Customer)
The MCMC has scheduled meetings with Google and other social media platforms to discuss the implementation of an Electronic Know Your Customer (eKYC) verification process [5]. This initiative aims to enforce a minimum age limit (e.g., 16 years old) for social media use and combat online scams and impersonation [5, 6].
The legal dilemma here is profound: implementing eKYC requires platforms to process highly sensitive, official government-issued ID data (like MyKad), which introduces significant new data collection and storage risks. The platforms must find a mechanism that satisfies the government’s need for verification while remaining strictly compliant with the PDPA’s rules for handling sensitive personal data and preventing misuse [5].
3. Shifting Rules for Cross-Border Data Transfers
Malaysia’s approach to international data transfer has also been modernised. The Amendment Act removes the old 'whitelist' regime that required data users to transfer data only to approved countries [3].
The new approach allows data controllers to transfer personal data to any jurisdiction that has:
A law that is substantially similar to the PDPA.
An equivalent level of protection to the PDPA [1].
For a company that relies on global data infrastructure like Google Cloud, this requires a continuous assessment and legal assurance process to confirm that data storage locations outside of Malaysia meet this new, more flexible but highly demanding "equivalent protection" standard. Google Cloud, in its compliance documentation, has consistently outlined how its services help customers meet PDPA requirements regarding security and data location [7].
Conclusion
Google’s current data protection legal challenges in Malaysia are less about defending against a single lawsuit and more about a wholesale transition to a modern, high-accountability compliance regime. The PDPA 2024’s introduction of direct processor liability, mandatory breach notification, and new subject rights, coupled with the MCMC’s direct push for eKYC and identity verification, requires a swift and fundamental overhaul of data governance practices to ensure continued operation within Malaysia's increasingly stringent legal boundaries.
Relevant Sources
[1] Malaysia: Personal Data Protection (Amendment) Bill 2024 - Baker McKenzie InsightPlus, discussing direct obligations for data processors, mandatory data breach notification, and increased penalties.
[2] Important Changes to Malaysia's Data Protection Laws - Data Matters Privacy Blog (Sidley), detailing the mandatory DPO, breach notification, data portability, and increased penalties.
[3] Malaysia's Data Protection Act takes shape: What businesses need to know - PS Engage, outlining the mandatory breach notification regime, DPO requirement, and removal of the cross-border 'whitelist' system.
[4] Understanding the Personal Data Protection Act and what you can do in case of personal data breach - Malay Mail, confirming the increased maximum penalties and the inclusion of biometric data as sensitive personal data.
[5] MCMC To Discuss eKYC Implementation With Social Media Companies Next Week - Lowyat.net, reporting on MCMC meetings with Google, Meta, and others to discuss eKYC implementation in line with the PDPA.
[6] Fahmi: MCMC to meet Meta, Google and TikTok on user identity checks and 16+ age rule for social media - Malay Mail, reiterating the MCMC’s objective of using eKYC for age enforcement and safety.
[7] Malaysia Personal Data Protection Act PDPA - Google Cloud, outlining Google Cloud's commitment and approach to compliance with the PDPA.