Malaysia has introduced a new mechanism for sanctioning data protection breaches. Under section 132 of the Personal Data Protection Act 2010 supplemented by the Personal Data Protection (Compounding of Offences) Regulations 2016 (“the Regulations”), enacted on 16 March 2016, certain data protection offences may be “compounded” instead of being formally prosecuted. In other words, offenders may be given the option to pay a certain amount of money and in return no prosecution will be instituted against them in relation to that offence.

How Does The New Regime Work?

Under the new regime, the Data Protection Commissioner may – with the consent of the public prosecutor – make an offer to an alleged offender to compound a compoundable offence. The offer may be made any time after the offence has been committed and before any prosecution has been instituted in relation to it.  The Commissioner may determine the amount to be paid by the offender which amount must not exceed 50% of the maximum fine for the relevant offence. The alleged offender may then accept or reject the offer. If and when an offence has been compounded, no prosecution may be instituted against the alleged offender in respect of that offence.

Which Offences Are Compoundable?

Schedule 1 of the Regulations sets out the offences that may be compounded. These include, for example:

·        contraventions of data protection principles;

·        processing personal data without a valid registration;

·        failure to cease processingafter receiving notice that a data subject has withdrawn its consent to such processing;

·        failure to process sensitive data in accordance with applicable restrictions;

·        failure to comply with an enforcement notice; or

·        failure to cease processing personal data for purposes of direct marketing in accordance with directions from the Commissioner.


Malaysia is not alone in using a compounding mechanism in lieu of prosecution. A similar mechanism can also be found in Singapore data protection legislation. It is also generally not uncommon for compounding mechanisms to be used in lieu of prosecution in Malaysia. This mechanism is frequently used in legislation governing a wide range of sectors such as financial services, telecommunications and public transportation as a means of enforcement.

The new compounding mechanism is expected to ease the current backlog of data protection prosecution cases and may signal the start of a stronger enforcement of Malaysian data protection legislation.

Contributors: Adeline Lew and Kherk Ying Chew