5 Asian Legal Business | December 2024 The Briefs Malaysia’s data centres prompt firms to bolster regulatory expertise Malaysia is rapidly positioning itself as a premier destination for data centres in Asia and potentially worldwide. The country’s strategic location, particularly the border city of Johor Bahru, has attracted substantial investments from global tech giants such as Google, Nvidia, and Microsoft, signalling a transformative phase in Malaysia’s digital infrastructure landscape. To foster this growth while maintaining control, Malaysia has implemented a comprehensive legal framework coupled with attractive incentives. Christopher & Lee Ong (CLO) partners Chor Jack and Leong Li Sze highlight the role of the Malaysia Digital Economy Corporation (MDEC). “The MDEC has introduced an incentive scheme for Malaysia Digital (MD) status companies to apply for certain incentives under the MD Bill of Guarantees, such as income tax exemption, investment tax allowance, foreign knowledge workers quota and passes, exemption from local ownership requirements and flexibility to source capital and funds globally.” However, foreign entities must navigate a complex regulatory environment. Key considerations include foreign investment requirements, land and building approvals, environmental regulations, utility procurement, telecommunications licensing, and data privacy and cybersecurity compliance. Despite Malaysia’s welcoming stance on foreign investment, certain restrictions persist. Natalie Lim and Tan Wei Xian, partners at Skrine, point out specific ownership limitations under the Communications and Multimedia Act 1998 (CMA) for cloud service providers and data centre operators. In addition, “Foreign acquisition or leasing of land might necessitate consent from state authorities and the Economic Planning Unit, particularly if the property value exceeds 20 million ringgit ($4.5 million) or if the acquisition leads to a dilution in Bumiputera ownership,” they add, using the term used to describe Malays and other indigenous ethnic groups in Malaysia. One of the most notable legal challenges arising from the rapid expansion of data centres in Malaysia is related to land use and environmental compliance. The industry’s high energy consumption impacts the country’s net zero targets, while land use and development planning vary by state. “Cognisant of these various issues, the Malaysian government has recently approved the adoption of the Data Centre Planning Guidelines (GPP) to standardise and streamline the application and planning approval process for data centre development,” note Chor and Lim Siaw Wan, head of projects & constructions at CLO. The Malaysian government also announced that it is in the process of finalising sustainable development guidelines for data centres to mediate any potential environmental-related concerns. Apart from that, Lim and Tan highlight electricity supply-related requirements as another area of attention. They suggest that data centre operator engage with Tenaga Nasional Berhad (TNB), the electricity provider of Malaysia, prior to finalising investment decisions to ensure sufficiency of continuous supply of energy. Another key consideration is data protection and cybersecurity compliance, particularly given the sensitivity of data stored on the AI and cloud infrastructure. “Heightened scrutiny would apply for the provision of data storage and cloud services to regulated sectors such as financial services and storage of data for government agencies,” say Lim and Tan. Right now, data centre operators must adhere to various cybersecurity and data protection regulations, including the Personal Data Protection Act 2010 (PDPA), the Cyber Security Act 2024, and security standards prescribed under the CMA. “Additional requirements may also apply depending on the specific industry. For instance, the Central Bank of Malaysia (BNM) has issued several mandatory policy documents which contain specific requirements on the use of cloud services,” add Lim and Tan. Lawyers also note that enforcement authorities must consider that customers, which are data controllers, may be located outside Malaysia and not subject to PDPA regulations. “Clear divisions between the responsibilities of the data centres in Malaysia, and the customers of the data centres (who may or may not be resident in Malaysia) will need to be made in order to determine the reach of the applicable data protection laws and applicable rules relating to cross-border data transfers,” say Deepak Pillai, head of TMT, and Yong Shih Han, TMT partner at CLO. “Malaysian law firms must adapt and bring value-added services to the table, by understanding the unique legal challenges, establishing specialised legal expertise and industry-specific practice groups, and positioning themselves as thought leaders,” say Pillai and Yong.
RkJQdWJsaXNoZXIy MjA0NzE4Mw==