Beyond Infrastructure: Legal and Ethical Considerations for Data Centre Investments in Malaysia
Introduction
In recent years, the global economy has shifted decisively towards digital platforms and Cloud-based technologies. Businesses and governments alike are increasingly relying on data-driven systems to support operations, innovation, and services. With heavy streams of information being uploaded to the Cloud, the demand for digital infrastructure has likewise surged particularly for data centres capable of storing, managing, and processing large volumes of information.
Amidst this paradigm shift, Malaysia has leveraged its strategic location and abundant natural resources to establish itself as a rising hub in the global data landscape, coupled with competitive operating costs and supportive government policies to pique investors’ interest.
Yet, the rapid expansion of Malaysia’s data centre sector presents a complex interplay of legal obligations and ethical responsibilities, which investors and operators alike must navigate throughout the project’s lifespan in order to mitigate risks and meet international safety and accountability standards.
Key Legal Requirements for Data Infrastructures
1. Development Phase
Regulatory and Licensing Framework
At this early stage, Malaysia has yet to introduce a single, comprehensive statute specifically governing the development and operation of data centres. Instead, such projects are regulated through a combination of existing laws that collectively shape approval and compliance processes relating to land acquisition, zoning and construction approvals, and also procurement of critical utilities such as water and electricity. To provide guidance to prospective investors, the Ministry of Housing and Local Government issued a planning guideline in October 2024 (“KPKT Planning Guideline”),1 serving as a practical playbook outlining the relevant agencies and processes involved in establishing a data centre, as follows:
In short, prospective investors must navigate a highly regulated planning environment by selecting suitable industrial or commercial land that meets key requirements, including sufficient power capacity, a reliable water supply, and dual-fibre connectivity, all of which are foundational considerations for securing development approvals. Sites must also be located within designated industrial or commercial zones and positioned away from environmentally sensitive areas, flood-prone zones, peatlands, and national security perimeters, while observing adequate buffer zones, building setbacks, and open-space provisions.
According to the KPKT Planning Guideline, projects are further expected to ensure sustainable resource use, including efficient power and water systems, and, from 2026 onwards, compliance with the GBI Data Centre Tool 2.0 to meet national environmental standards.2
2. Operations
The need for compliance extends well beyond development and initial set-up of a data centre. Investors must continuously stay informed and ensure ongoing alignment with regulatory requirements and industry best practices, particularly in relation to personal data protection and cybersecurity obligations.
Personal Data Protection & Data Governance
Investors should be mindful of the EU’s General Data Protection Regulation (“GDPR”), which applies extraterritorially to any organisation processing the personal data of EU residents. Non-compliance can result in severe penalties, including heavy fines for privacy or cybersecurity breaches. For example, in 2024, ClearView AI was fined nearly EUR 100 million (USD 116.62 million) for scraping over 30 billion facial images without consent, violating GDPR transparency and data minimisation requirements.3 These global rules highlight the importance of assessing data protection and cybersecurity risks in any data centre investment.
In Malaysia, a similarly stringent approach is reflected through the Personal Data Protection Act 2010, the core regulatory framework for personal data protection and data governance in local data centres. Operators must implement suitable technical and organisational measures to protect personal data from loss, misuse, unauthorised access, and alteration. This includes ensuring lawful processing, obtaining necessary consents, maintaining accurate data, and limiting retention to legitimate purposes.4 Data centres serving regulated sectors (e.g., banking and finance) are also subject to additional governance frameworks such as Bank Negara Malaysia’s Risk Management in Technology5 standards, which prescribe stringent controls over data confidentiality, resiliency, and outsourcing. Operators remain responsible for ensuring their data handling practices meet statutory transparency, security, and accountability requirements.
For investors, evaluating an operator’s ability to meet these obligations is critical, as lapses can materially affect asset value, operational continuity, and overall investment risk.
Cybersecurity
As repositories of sensitive information, data centres are attractive targets for cyberattacks. In Malaysia, cybersecurity obligations are anchored in the Computer Crimes Act 1997, the Communications and Multimedia Act 1998, and sector-specific regulatory standards.
Operators must implement comprehensive safeguards to protect systems and data from cyber threats, including intrusion detection, network segmentation, access controls, continuous monitoring, and incident response mechanisms. Compliance with recognised frameworks such as ISO/IEC 27001 is widely expected, particularly for data centres serving regulated industries. Collectively, these obligations ensure that facilities maintain high levels of operational security and cyber resilience.
Tax Incentives
Malaysia’s Digital Ecosystem Acceleration Scheme (“DESAC”) offers data centre investors attractive incentives, including a reduced corporate tax rate of 10–15% or investment tax allowances ranging from 30–100% of qualifying capital expenditure for a period of five (5) to ten (10) years.6
To qualify, companies must meet criteria related to capital investment, hiring local high-skilled talent, adopting Industry 4.0 technologies, implementing green initiatives, developing vendors, and demonstrating strong sustainability performance.7
For investors, securing DESAC eligibility should therefore be a priority, as these incentives can materially enhance a project’s financial viability by reducing upfront costs, improving returns on investment, and supporting long-term operational sustainability. As such, DESAC eligibility is a key consideration when selecting sites, structuring investments, and assessing overall project feasibility.
Ethical Dimensions
1. Anti-Bribery & Corruption
Anti-bribery and corruption requirements for data centre investors and operators in Malaysia are primarily governed by the Malaysian Anti-Corruption Commission Act 2009, including the corporate liability provision under Section 17A.
Organisations must therefore implement adequate procedures to prevent corrupt practices in all dealings, particularly in land acquisition, licensing, procurement, and engagement with public authorities. This includes adopting policies on gifts, hospitality, conflicts of interest and third-party management, as well as conducting due diligence on contractors and partners.
Companies are also expected to maintain transparent procurement processes, proper financial controls, and staff training programmes, as non-compliance may result in severe penalties, including substantial fines and potential liability for directors and senior management.
2. Anti-Modern Slavery (“AMS”) Laws
Data centre construction projects carry heightened risks of labour exploitation, particularly where migrant workers are recruited through unethical brokers, employed with improper permits, or subjected to harmful practices such as passport retention, underpayment, or wage withholding. These conditions may amount to forced labour and would be classified as “modern slavery” under international legislation and domestic legislation with extraterritorial reach such as the Modern Slavery Act 2015 enacted by the Parliament of the United Kingdom.8
While Malaysia has ratified the International Labour Organisation’s Forced Labour Convention, 1930 (No. 29) (ILO Convention 29)9 and recognises a general right against slavery and forced labour under its Federal Constitution,10 protections against modern slavery are dispersed across multiple laws, rather than being consolidated into a single, comprehensive statute. These include the Anti-Trafficking in Persons and Anti-Smuggling of Migrants Act 2007, Employment Act 1955, and the Passports Act 1966, much like the current legislative framework for establishing data centres.
For foreign investors that are subjected to stricter home legislation and Environmental Social Governance (ESG) obligations, this can present a challenge in meeting higher labour standards than those required locally. Such elevated expectations often translate to increased financial burdens on local stakeholders, who are expected to implement due diligence and AMS enforcement mechanisms across supply chains.
A collaborative approach is therefore required to balance elevated AMS expectations with practical capacity. This includes contractual obligations outlining each stakeholder’s responsibilities, recognition of third-party certifications to reduce administrative burdens, and capacity-building support. Coupled with fair pricing for subcontractors, these measures help align all participants, from direct contractors to upstream vendors, around responsible labour practices, mitigating legal and reputational risk while strengthening ethical resilience across the data centre construction ecosystem.
Moving Forward: Responsible Growth in a Digital Era
For investors, success in Malaysia’s data centre landscape will hinge on an approach integrating ethical governance, responsible labour practices, and transparency within operations. This means designing facilities that are secure and sustainable, establishing governance structures that anticipate regulatory evolution, and fostering a culture of accountability that extends across all levels.
Beyond immediate compliance considerations, investors and operators must recognise that Malaysia’s regulatory and ethical expectations will continue to evolve in accordance with global standards. As jurisdictions worldwide strengthen safeguards on data protection, cybersecurity, sustainability, and labour rights, the ability to demonstrate proactive risk management and adherence to international best practices will become a key differentiator. By investing early in resilient infrastructure, robust internal controls, and collaborative supply-chain oversight, investors can minimise operational disruptions and position themselves as reliable contributors to Malaysia’s digital transformation.
1. ‘Planning Guideline for Data Centre’ (Department of Town and Country Planning of the Ministry of Housing and Local Government, 2024) <https://mytownnet.planmalaysia.gov.my/ver2/gp/GPP%20Pusat%20Data%20ENG.pdf> accessed 16 November 2025.
2. Green Building Index, ‘GBI Tools’ <https://www.greenbuildingindex.org/gbi-tools/> accessed 16 November 2025.
3. ‘Clearview AI Faces Criminal Complaint in Austria for Suspected Privacy Violations’ (Reuters, 2025) <https://www.reuters.com/sustainability/society-equity/clearview-ai-faces-criminal-complaint-austria-suspected-privacy-violations-2025-10-28/> accessed 16 November 2025.
4. Personal Data Protection Act 2010, ss 5, 6, 7, 10.
5. ‘Risk Management in Technology (RMiT)’ (Bank Negara Malaysia, 2023) <https://www.bnm.gov.my/documents/20124/938039/PD-RMiT-June2023.pdf> accessed 16 Novmber 2025.
6. ‘Guidelines and Procedures for the Application of Digital Ecosystem Acceleration (DESAC) Scheme’ (Malaysian Investment Development Authority, 2022) <https://www.mida.gov.my/wp-content/uploads/2024/12/DESAC-Guideline_MIDA.pdf> accessed 16 November 2025.
7. Ibid.
8. Modern Slavery Act 2015, s 1.
9. International Labour Organization, “C029 – Forced Labour Convention, 1930 (No. 29)” (1930) <https://normlex.ilo.org/dyn/nrmlx_en/f?p=1000:11200:0::no:11200:p11200_country_id:102960> accessed 16 November 2025.
10. Federal Constitution, Art 6.
Written by:
Gavin Chan Zi Jian (Associate) gavin.chan@azmilaw.com
Arienne Lim Li-Ann (Associate) ariennelim@azmilaw.com
Pugalanthyi Pillai a/l Vedikaran (Associate) pugalanthyi@azmilaw.com
Muhammad Amsyar Akif Amran (Trainee Solicitor) amsyarakif@azmilaw.com
Corporate Communications, Azmi & Associates – 4 February 2026
