
AI and Personal Data Protection: 5 Key Takeaways from Malaysia’s Upcoming AI Personal Data Protection Framework

There is no doubt that the arrival of Artificial Intelligence (“AI”) has brought tremendous opportunities for organizations across sectors in Malaysia, and companies are now exploring how to adopt and implement AI tools and AI systems within their organizations to increase effectiveness and efficiency. At the same time, this naturally raises important legal concerns around personal data protection, because the use of AI cannot be discussed without also discussing personal data protection: the two go hand in hand and will increasingly shape one another moving forward.

At the recent PDP Townhall Session held on 17 November 2025 by the Personal Data Protection Department (“PDPD”), chaired by the Personal Data Protection Commissioner (“PDP Commissioner”), one of the many questions raised concerned the potential regulation of AI in relation to personal data protection, specifically whether Malaysia would eventually see the introduction of AI-specific PDP guidance, regulation or legislation. It was confirmed during the Townhall that work is underway in this area. While the final form and scope of the document have yet to be disclosed, reference was made to what is informally being discussed as an AI PDP framework, and participants were informed that further developments could be expected in the not-too-distant future.

While further details remain confidential at this moment, both authors of this article, Ong Johnson and Lo Khai Yi, are privileged to have been appointed to the working committees contributing to the drafting of the AI PDP framework. As much as can be shared publicly, the Townhall discussion affirms that the AI PDP framework is coming, and it is something all organizations should be aware of and prepare for, given its significance in guiding responsible AI adoption in Malaysia.

Even as the AI PDP framework awaits formal release or further official updates from the PDP Commissioner, organizations are understandably already reaching out and seeking guidance on preparing internal AI policies. Until the framework is released, the use of AI tools or any AI system must still, at a minimum, comply with the core principles of the Personal Data Protection Act 2010 (“PDPA 2010”). In this article, we therefore highlight 5 key takeaways for organizations to focus on under the PDPA 2010, which can serve as a practical starting point for the preparation and drafting of AI policies within your organization.

1. Purpose of Processing

The first key takeaway is the purpose of processing. The fundamental core of the PDPA 2010 largely falls within the scope of the purpose of processing personal data and obtaining consent to process personal data for those purposes. It is a mandatory legal requirement that, within the PDP Notice, a company should clearly specify the types of personal data involved and, more importantly, the purposes of processing that data.

With the evolution of technology and the adoption of AI tools and AI systems, it is increasingly common for the scope of processing purposes to expand. Consider, for example, an e-commerce company. For an e-commerce business, the processing of customers’ personal data is generally straightforward and purpose-driven. The primary purposes typically include:

• Order fulfilment: processing customer orders, verifying product selections, and managing inventory.
• Payment processing: handling payment information securely to complete transactions, including authorization, billing, and fraud prevention.
• Delivery and logistics: using customer contact and address details to arrange shipping, track delivery, and resolve delivery issues.

However, with the adoption and implementation of AI tools, an e-commerce company might process customers’ personal data for an even wider scope. For instance:

• Predictive Behaviour Analysis for Marketing: a fashion e-commerce platform uses AI to analyse browsing patterns, purchase history, and social media activity to predict when a customer is likely to update their wardrobe for a new season and to recommend items that may interest a customer.
• Dynamic Pricing Based on Customer Profiling: a consumer electronics retailer uses AI to assess personal data such as income level, device usage patterns, or previous purchase frequency to adjust pricing individually.

In both cases, AI tools expand the scope of processing beyond the original purposes, creating new processing responsibilities for organizations under the PDPA 2010.

2. Consent for Processing

This then brings us to the next key takeaway, which is consent for processing personal data. While certain legal exceptions allow companies to process data without consent, as a general rule, personal data should only be processed with valid consent, and such processing must remain within the consented purposes.

Applying this to the e-commerce example, if a company chooses to extend processing of personal data to include Predictive Behaviour Analysis for Marketing or Dynamic Pricing as illustrated above, it must then update its PDP notice and ensure that proper consent is obtained from data subjects. This ensures that the processing of personal data for new purposes is valid, lawful, and aligned with the PDPA 2010.

3. Identifying Who Processes Personal Data

The third key takeaway concerns who exactly is using AI tools to process personal data. When organizations rely on AI tools, such processing may take place internally or through outsourced arrangements with third-party service providers. From an operational standpoint, companies may outsource AI processing to third parties for various reasons, including for example, access to more advanced AI infrastructure, specialised technical expertise, enhanced processing capabilities, or operational efficiency.

Similarly, those familiar with the PDPA 2010 will understand that any disclosure of personal data to third parties should be properly described within the PDP Notice, where a clear description of the third parties to whom personal data will be disclosed, together with the purposes of such third-party disclosure, must be included. Unless a disclosure falls within the limited statutory exceptions, any disclosure of personal data to a third party would generally require consent from the data subjects.

Therefore, if a company intends to adopt AI tools, particularly where AI processing is outsourced by transferring personal data to a third-party provider, it becomes essential for the company to obtain the necessary consent from data subjects. The PDP Notice must also be appropriately updated to reflect these new third-party disclosure arrangements and purposes, ensuring that the use of AI aligns with the disclosure principle under the PDPA 2010.

4. Location of Processing and Cross-Border Data Transfers

Naturally, the topic of third-party disclosure leads to the fourth key takeaway, which is the geographical location where AI-related data processing occurs.

Whether a company processes personal data using AI internally or through outsourcing arrangements, it is important to determine where the personal data is stored and processed. This includes understanding whether the underlying databases, AI infrastructure, or cloud environments are situated within Malaysia or hosted overseas.

Any transfer of personal data outside Malaysia constitutes a cross-border personal data transfer. This may be triggered in two common scenarios:

• Outsourcing to foreign AI service providers, where personal data is transferred to a third party operating outside Malaysia; or
• Using cloud-based AI systems, where even internal processing involves storing or accessing personal data on servers located outside Malaysia.

In both scenarios, the legal considerations and principles governing cross-border data transfers under the PDPA 2010 will apply, including the need for a Transfer Impact Assessment and other relevant legal requirements.

5. Personal Data Minimization

The fifth and final takeaway is a concept that has gained significant traction internationally, which is personal data minimization. This principle has become increasingly relevant as organizations explore AI-driven solutions and seek more efficient yet responsible methods of handling personal data.

At its core, data minimization means using only the personal data that is strictly necessary to achieve the intended processing purpose, and nothing more. In many cases, the desired outcomes can be fully achieved without retaining information that identifies the data subjects, and this is where de-identification techniques, such as anonymization and pseudonymization, come into play.

Of course, different organizations will have different operational needs, and not all AI use cases require the same level or granularity of personal data. However, especially in the context of AI systems, it is rarely necessary to feed a full set of identifiable personal data into an AI model for it to function effectively. This is also precisely why personal data minimization has become a key governance principle in jurisdictions with more mature AI and data protection frameworks.

Companies should therefore develop internal policies and decision frameworks that assess whether anonymization, pseudonymization, or a hybrid of these approaches would be the most appropriate method of processing personal data within the broader context of AI deployment within the organization.
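The following is an added illustration, not code from the PDPD, the AI PDP framework or the authors’ firm, of how a decision framework of the kind described above can be made concrete in an AI data pipeline: a purpose register lists the fields each stated processing purpose may use (minimization), the customer identifier is replaced by a keyed pseudonym that only the key holder can re-link (pseudonymization), quasi-identifiers are coarsened and direct identifiers dropped (anonymization), and a final gate refuses to release a record that still carries direct identifiers. The purpose register, the field names, the sample customer record and the key are all constructed assumptions for the example.

```python
"""Data-minimization gate for customer records before they reach an AI pipeline.

Added illustration (not the PDPD's, the framework's or the firm's own code).
The purpose register, field names, sample record and key are constructed.
"""
import hashlib
import hmac
from copy import deepcopy

# Direct identifiers that must never reach an AI provider un-pseudonymised.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}

# Hypothetical purpose register: the fields each notified purpose may use.
# Anything not listed for a purpose is dropped before processing, so a
# marketing model never sees income level or phone number, for instance.
PURPOSE_FIELDS = {
    "order_fulfilment": {"email", "address", "items", "order_total"},
    "predictive_marketing": {"email", "items", "order_total", "postcode", "age"},
}


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the purpose register allows for this purpose."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no registered purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymise(record: dict, key: bytes, id_field: str = "email") -> dict:
    """Replace the identifier with a keyed HMAC-SHA256 token.

    Only the holder of `key` can recompute the token from the original
    identifier, so the organisation can re-link model output internally
    while the AI provider sees a stable but opaque customer token.
    """
    out = deepcopy(record)
    raw = str(out.pop(id_field, "")).strip().lower().encode()
    out["customer_token"] = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return out


def anonymise(record: dict) -> dict:
    """Drop direct identifiers and coarsen quasi-identifiers.

    Postcode is cut to its first two digits and age to a ten-year band, so
    the record can no longer be tied back to one individual from the
    released fields alone.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "postcode" in out:
        out["postcode"] = str(out["postcode"])[:2] + "xxx"
    if "age" in out:
        band = (int(out["age"]) // 10) * 10
        out["age"] = f"{band}-{band + 9}"
    return out


def leaks_direct_identifiers(record: dict) -> bool:
    """Gate check: True if any direct identifier survived."""
    return bool(DIRECT_IDENTIFIERS & set(record))


def prepare_for_ai(record: dict, purpose: str, key: bytes,
                   anonymous: bool = False) -> dict:
    """Minimise to the purpose, then pseudonymise (or anonymise), then gate.

    Raises RuntimeError instead of releasing a record that still carries a
    direct identifier, e.g. a fulfilment record that legitimately needs the
    delivery address and therefore must not be sent to an external model
    under this policy without a separate decision.
    """
    reduced = minimise(record, purpose)
    released = anonymise(reduced) if anonymous else pseudonymise(reduced, key)
    if leaks_direct_identifiers(released):
        raise RuntimeError("direct identifiers remain; not releasing to AI pipeline")
    return released


# Constructed sample record (not real data).
CUSTOMER = {
    "name": "Example Customer",
    "email": "Customer@Example.com",
    "phone": "+60-12-000-0000",
    "address": "1 Example Street, Kuala Lumpur",
    "postcode": "50450",
    "age": 34,
    "income_level": "high",
    "items": ["jacket", "scarf"],
    "order_total": 289.90,
}

# Constructed key; in practice it lives in a secrets store, not in code.
PSEUDONYM_KEY = b"example-pseudonymisation-key"

if __name__ == "__main__":
    print(prepare_for_ai(CUSTOMER, "predictive_marketing", PSEUDONYM_KEY))
    print(prepare_for_ai(CUSTOMER, "predictive_marketing", PSEUDONYM_KEY, anonymous=True))
```

The purpose register is the piece that ties the code back to the PDP Notice: each key should correspond to a purpose the data subject has consented to, so extending the register is the technical counterpart of updating the notice. The `anonymous` flag is the hybrid decision point: pseudonymised records keep a re-linkable token for purposes where the organisation must act on the result per customer, while anonymised records are appropriate where only aggregate behaviour matters.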

Conclusion

The above are just five key takeaways reflecting the core principles of the PDPA 2010 in relation to personal data processing using AI tools. With the ongoing development and eventual release of the AI PDP framework, a fuller picture and more detailed guidance on the use of personal data in the context of AI processing can be expected. This is an area that all organizations must pay close attention to, particularly as AI has increasingly become an integral part of daily business operations, and it is clear that the AI PDP framework will inevitably intertwine with the PDPA 2010, reinforcing and complementing Malaysia’s broader PDP framework.

The recent Townhall session exemplifies the substantial effort and commitment invested by the PDPD and the PDP Commissioner in advancing Malaysia’s personal data protection landscape. By facilitating direct engagement with industry stakeholders and addressing complex, emerging issues such as AI, these initiatives meaningfully contribute to the development of a robust and forward-looking data protection ecosystem. In this context, organizations would do well to monitor closely the development of the AI PDP framework and take proactive steps to align internal policies and practices in anticipation of its eventual release.

The Technology Practice Group of Halim Hong & Quek continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.

If you have any questions on personal data protection, please feel free to reach out to the partners at the Technology Practice Group, Ong Johnson and Lo Khai Yi, for consultation.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group

Fintech, Data Protection,
Technology, Media & Telecommunications (“TMT”),
IP and Competition Law
johnson.ong@hhq.com.my


Lo Khai Yi

Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my



© 2025 Halim Hong & Quek