The Data Sharing Act 2025 — A New Regulatory Pillar in Malaysia’s Digital Landscape
By:
1. Dr. Sharen Alzalip (Managing Partner) DBA (UBAS Varsovia), MBA (UWS), LL.B Hons (IIUM)
2. Muhammad Najmuddin Dato’ Muhammad Bukhari (Trainee Associate)LL.B (Hons) (UiTM)
3. Mohammad Adam Khairul Faizi (Trainee Associate) LL.B (Hons) (MMU)
September 3, 2025
On 20 February 2025, the Data Sharing Act 2025 (Act 864) was officially published in the Federal Gazette and has come into effect on 28 April 2025, introducing a dedicated legal framework for structured data sharing across public institutions in Malaysia[1]. The enactment marks a significant step toward strengthening digital governance, transparency, and inter-agency collaboration within the public sector. This article outlines several key features of the Act, particularly provisions relating to the purpose of the legislation, the establishment of a regulatory committee, and penalties for non-compliance where, all of which are expected to shape future operational and legal obligations across government-linked companies and statutory bodies.
The primary objective of the Data Sharing Act 2025 is to regulate the sharing of data between public sector agencies in a manner that is legally consistent, secure, and administratively efficient[2].
The Act: (i) establishes a statutory basis for data exchanges; (ii) clarifies public agencies' obligations regarding data handling; (iii) aligns with frameworks including but not limited to the Official Secrets Act 1972 (Act 88) and other specific written laws listed in the Schedule to the Act; and (iv) supports Malaysia’s broader agenda of digital transformation and data-driven governance.
A central governance mechanism under the Act is the National Data Sharing Committee (“NDSC”)[3], which is tasked with formulating policies, implementing data sharing strategies, and resolving cross-agency operational issues. The NDSC reports directly to the Cabinet and is chaired by the Secretary General of the Ministry responsible for digital affairs. Its membership includes representatives from all ministries including the Prime Minister’s Department, the National Cyber Security Agency (NACSA), the Chief Government Security Office, and the Department of Personal Data Protection. The Committee may also establish subcommittees, consult with subject matter experts, and issue guidelines on compliance, data privacy, and risk management.
In addition, the Act appoints the Director General of the National Digital Department as the key executive authority.[4]This role includes:
· Enforcing and facilitating the NDSC’s policies and decisions;
· Issuing operational guidelines;
· Requiring reports and relevant compliance documentation from public sector agencies;
· Advising the NDSC on technical and enforcement issues.
In recognising the importance of maintaining public trust and ensuring the secure handling of sensitive information, the Act establishes robust safeguards against data sharing violations. To this end, Section 17 prescribes stringent penalties for any misconduct by third-party contractors who mishandle shared data without the explicit consent of the data provider. Such violations may result in a fine of up to RM1,000,000, imprisonment for a term not exceeding five years, or both, underscoring the Act’s uncompromising stance on protecting public data.[5]
In safeguarding public data, the Act introduces grounds for refusal of data sharing as stated in Section 15 that disclosure may be refused where the data could reasonably be expected to reveal, or allow the ascertainment of, the identity of a confidential source of information, or where it could expose the existence or identity of a person placed under a witness protection programme.[6]
Further, refusal is also warranted where disclosure would compromise the operational aspects of law enforcement. This includes revealing investigative measures or procedures such as intelligence-gathering methodologies, investigative techniques or technologies, covert practices, or arrangements for information sharing between enforcement agencies. The confidentiality of such matters is essential to ensure the continued effectiveness, security, and reliability of law enforcement activities.
The Data Sharing Act 2025 is anticipated to serve as a cornerstone in shaping Malaysia’s evolving digital legal landscape, particularly in the context of data governance and regulatory compliance. The enforcement of this Act will not only impose statutory obligations on public bodies and statutory agencies but will also necessitate a comprehensive review and possible restructuring of their internal data management frameworks to ensure full conformity with the Act’s provisions.
In practical terms, this means that agencies must critically assess the adequacy of their existing policies, procedures, and technological safeguards to mitigate risks associated with data access, transfer, and storage. Equally, third-party service providers, including analytics firms, cloud operators, and migration contractors, must recognise that their role in the data value chain attracts direct legal exposure. It is therefore incumbent upon them, alongside corporate legal and compliance units, to revisit existing data processing and sharing arrangements, contractual commitments, and operational protocols.
Failure to align with the Act may give rise not only to statutory liability, including significant fines and custodial penalties, but also to reputational harm and commercial consequences that extend far beyond the regulatory sphere. In this regard, the Act signals a clear legislative intent to strengthen accountability, elevate standards of due diligence, and reinforce public confidence in Malaysia’s digital economy.
For further information or tailored legal advice regarding compliance with the Data Sharing Act 2025, please contact us for further discussion.
[1]Data Sharing Act 2025 [Act 864]
[2] Section 13, Data Sharing Act 2025 (Act 864)
[3] Sections 5–10 Data Sharing Act 2025 (Act 864)
[4] Sections 11 Data Sharing Act 2025 (Act 864)
[5] Sections 17 Data Sharing Act 2025 (Act 864)
[6] Sections 15 Data Sharing Act 2025 (Act 864)
Disclaimer: The contents are for general information purposes only and do not constitute legal advice and should not be relied upon as such.
Credits: The featuring photos in this article are taken from internet sources for illustration purpose.
The primary objective of the Data Sharing Act 2025 is to regulate the sharing of data between public sector agencies in a manner that is legally consistent, secure, and administratively efficient[2].
The Act: (i) establishes a statutory basis for data exchanges; (ii) clarifies public agencies' obligations regarding data handling; (iii) aligns with frameworks including but not limited to the Official Secrets Act 1972 (Act 88) and other specific written laws listed in the Schedule to the Act; and (iv) supports Malaysia’s broader agenda of digital transformation and data-driven governance.
A central governance mechanism under the Act is the National Data Sharing Committee (“NDSC”)[3], which is tasked with formulating policies, implementing data sharing strategies, and resolving cross-agency operational issues. The NDSC reports directly to the Cabinet and is chaired by the Secretary General of the Ministry responsible for digital affairs. Its membership includes representatives from all ministries including the Prime Minister’s Department, the National Cyber Security Agency (NACSA), the Chief Government Security Office, and the Department of Personal Data Protection. The Committee may also establish subcommittees, consult with subject matter experts, and issue guidelines on compliance, data privacy, and risk management.
In addition, the Act appoints the Director General of the National Digital Department as the key executive authority.[4]This role includes:
· Enforcing and facilitating the NDSC’s policies and decisions;
· Issuing operational guidelines;
· Requiring reports and relevant compliance documentation from public sector agencies;
· Advising the NDSC on technical and enforcement issues.
In recognising the importance of maintaining public trust and ensuring the secure handling of sensitive information, the Act establishes robust safeguards against data sharing violations. To this end, Section 17 prescribes stringent penalties for any misconduct by third-party contractors who mishandle shared data without the explicit consent of the data provider. Such violations may result in a fine of up to RM1,000,000, imprisonment for a term not exceeding five years, or both, underscoring the Act’s uncompromising stance on protecting public data.[5]
In safeguarding public data, the Act introduces grounds for refusal of data sharing as stated in Section 15 that disclosure may be refused where the data could reasonably be expected to reveal, or allow the ascertainment of, the identity of a confidential source of information, or where it could expose the existence or identity of a person placed under a witness protection programme.[6]
Further, refusal is also warranted where disclosure would compromise the operational aspects of law enforcement. This includes revealing investigative measures or procedures such as intelligence-gathering methodologies, investigative techniques or technologies, covert practices, or arrangements for information sharing between enforcement agencies. The confidentiality of such matters is essential to ensure the continued effectiveness, security, and reliability of law enforcement activities.
The Data Sharing Act 2025 is anticipated to serve as a cornerstone in shaping Malaysia’s evolving digital legal landscape, particularly in the context of data governance and regulatory compliance. The enforcement of this Act will not only impose statutory obligations on public bodies and statutory agencies but will also necessitate a comprehensive review and possible restructuring of their internal data management frameworks to ensure full conformity with the Act’s provisions.
In practical terms, this means that agencies must critically assess the adequacy of their existing policies, procedures, and technological safeguards to mitigate risks associated with data access, transfer, and storage. Equally, third-party service providers, including analytics firms, cloud operators, and migration contractors, must recognise that their role in the data value chain attracts direct legal exposure. It is therefore incumbent upon them, alongside corporate legal and compliance units, to revisit existing data processing and sharing arrangements, contractual commitments, and operational protocols.
Failure to align with the Act may give rise not only to statutory liability, including significant fines and custodial penalties, but also to reputational harm and commercial consequences that extend far beyond the regulatory sphere. In this regard, the Act signals a clear legislative intent to strengthen accountability, elevate standards of due diligence, and reinforce public confidence in Malaysia’s digital economy.
For further information or tailored legal advice regarding compliance with the Data Sharing Act 2025, please contact us for further discussion.
[1]Data Sharing Act 2025 [Act 864]
[2] Section 13, Data Sharing Act 2025 (Act 864)
[3] Sections 5–10 Data Sharing Act 2025 (Act 864)
[4] Sections 11 Data Sharing Act 2025 (Act 864)
[5] Sections 17 Data Sharing Act 2025 (Act 864)
[6] Sections 15 Data Sharing Act 2025 (Act 864)
Disclaimer: The contents are for general information purposes only and do not constitute legal advice and should not be relied upon as such.
Credits: The featuring photos in this article are taken from internet sources for illustration purpose.
