DGC Briefings

[Malaysia] Public consultation on Automated Decision Making and Profiling Guideline

Darren Grayson Chng
Apr 05, 2025

What

On 24 Mar 2025, the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi Malaysia (JPDP)) published a Public Consultation Paper for the Automated Decision Making (ADM) and Profiling Guideline.

Why

  • Malaysia’s Personal Data Protection Act (PDPA) does not contain any provisions on ADM and profiling (ADMP), and ADMP can have a significant impact on individuals’ lives.

  • Introducing ADMP requirements will improve and offer better data protection to data subjects, especially considering the risks due to rapid economic development and technological advancements.

  • Several jurisdictions including the EU, UK, South Korea, Philippines, Indonesia, and China had implemented requirements in relation to ADMP in their data protection laws. The Guideline would also ensure that Malaysia’s data protection regulatory framework remained current, effective, and aligned with the global standards and legislation.

  • Responses to the public consultation would assist the Commissioner in determining how ready data controllers and processors were for ADMP regulation and enforcement.

Structure of Public Consultation Paper

Part 1: Introduction and background

Part 2: Proposed Introduction and requirements for automated decision making and profiling

  • A. Introduction to ADMP [should ADMP be regulated, and definitions]

  • B. Trigger for regulation [i.e. when ADMP obligations apply]

  • C. How to regulate: Right to Refuse, Right to Information, Right to Human Review (collectively, “ADM Restrictions”)

  • D. Exceptions to ADM restrictions

  • E. Use of personal data for AI training and output

  • F. Biometric data

  • G. CCTV

This post will walk through the key/interesting points of Part 2 (A)-(G).

General comments

  1. How the JPDP proposes to regulate ADMP is similar to how it’s regulated under the GDPR, but with some changes.

  2. The Paper is not just about pure ADMP regulation. It also proposes to regulate biometric data and CCTV use in general, and touches on other areas (through questions asked) like targeted advertising towards children/minors.

A. Introduction to automated decision making and profiling

(1) The first proposal is to introduce the concepts of ADMP to Malaysia’s data protection framework.

[This seems to imply that an ADMP Guideline is not a done deal. What’s also relevant is the Paper saying that the public consultation will assist the Commissioner in determining how ready controllers and processors are for ADMP regulation. Nevertheless, I think that even if businesses don’t seem ready, it doesn’t mean that the JPDP will drop the ADMP Guideline. JPDP could still issue a Guideline but schedule it to come into effect much later.

I’m also wondering: if Malaysia’s Personal Data Protection Act does not regulate ADMP, can the JPDP issue a Guideline to regulate it?]

(2) The Paper proposes that “automated decision making” be defined as the “process of making decisions by automated means without any human involvement”, and “automated means” refers to automated data processing using technology where human influence is either excluded or very minimal. The Paper says that ADM may involve profiling.

[Malaysia’s proposed definition of ADM aligns with the UK ICO’s definition of ADM. As a side note, Malaysia often considers what Singapore’s laws say, but Singapore is largely missing from this Guideline because Singapore does not single out and define “ADM”.]

(3) The Paper proposes that “profiling” be defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject, in particular to analyse or predict aspects concerning that data subject's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

[Malaysia’s proposed definition aligns with the GDPR. Singapore does not define “profiling”.]

B. Trigger for regulation

(1) The Paper proposes that ADM “(and by extension profiling)” should only be regulated if “its use results in legal effects concerning the data subject or significantly affects the data subject”.

[First, ADM can involve profiling, but profiling is not a mandatory ingredient in ADM. So I think there’s some conflation in saying “ADM (and by extension profiling)”.

Second, this “trigger” for regulation is very similar to the wording of Article 22(1) GDPR concerning the right not to be subject to a decision based solely on ADMP:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The Paper’s explanation of the “trigger” (e.g. what “significantly affects the data subject” means) is also very similar to the wording in WP29’s ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation’.

© 2025 Darren Grayson Chng