Key Data Compliance Considerations for Chinese Gaming Companies expanding into Malaysia
InsiderTAPS May 2025

INTRODUCTION
A. Overview of Malaysia’s Gaming Industry
The global gaming industry has experienced an unprecedented growth, with revenues exceeding USD 193 billion in 2021 and a compound annual growth rate (CAGR) of 15.6% between 2016 and 2021.[1] This expansion is driven by increasing digitalization, rising internet penetration, and the proliferation of mobile gaming.[2] Malaysia has emerged as a significant player in this sector, ranking as the fourth-largest gaming market in Southeast Asia.[3] The country’s gaming industry was projected to generate USD 694 million (RM 2.88 billion) in revenue in 2024, with an expected annual growth rate of 7.5%, reaching USD 807 million (RM 3.35 billion) by 2027.[4]
New business opportunities also arise with the popularity of electronic sports (eSports). The Malaysian government has actively supported the gaming industry through initiatives such as hosting annual international gaming events like LEVEL UP KL[5], financial incentives in the national budget[6], and recognizing gaming as a key sector under the National Creative Industry Policies.[7] Additionally, the establishment of the Malaysia Electronic Sports Federation and the introduction of the National Esports Development Guidelines highlight the country’s commitment to fostering a robust gaming ecosystem.[8]
B. Significance of Data Compliance for the Gaming Industry
Non-compliance with data protection laws and regulations exposes gaming enterprises to significant legal, financial, and reputational risks. Data security breaches can erode consumer trust, result in legal liabilities, and disrupt business operations.
Gaming platforms are frequent targets of cyberattacks, including data breaches, phishing scams, and account hijacking.[9] Unauthorized access to player data can lead to identity theft, fraud, and financial losses.[10] In Malaysia, violations of data protection laws can result in fines of up to RM1 million or imprisonment for up to three years.[11] Enterprises that fail to implement robust data protection and cybersecurity measures not only face regulatory penalties but also risk severe damage to their brand reputation.
Ensuring data security and regulatory compliance is essential for protecting players and maintaining a trustworthy gaming environment.[12] By adopting best practices in data handling, gaming enterprises enhance player confidence and gain a competitive edge. With increasing consumer awareness of data privacy, businesses that prioritize compliance can foster long-term customer loyalty through transparent privacy policies, responsible data usage, and clear consent mechanisms.[13] Moreover, adherence to international data standards can open doors to global expansion, offering gaming enterprises greater market opportunities.
This article examines Malaysia’s data protection framework, focusing on the Personal Data Protection Act 2010 (PDPA), cybersecurity risks in the gaming industry, child protection regulations, and the challenges and opportunities for Chinese gaming enterprises expanding into Malaysia. It also provides actionable compliance strategies to help gaming enterprises navigate Malaysia’s regulatory landscape.
MALAYSIA’S DATA PROTECTION FRAMEWORK
A. The Personal Data Protection Act 2010
The PDPA is the cornerstone of Malaysia’s data protection regime, governing the collection, processing, storage, and disclosure of personal data, including sensitive personal data, in commercial transactions. While other laws, such as the Communications and Multimedia Act 1998 (CMA), the Computer Crimes Act 1997 and the Cyber Security Act 2024 (CSA), address the responsibilities of service providers, cybersecurity and digital content, they lack comprehensive provisions on personal data protection. Additionally, the CSA only applies if the gaming enterprise owns a National Critical Information Infrastructure.[14] The PDPA and its supplementary regulations and instruments apply to all industries, including gaming, and impose strict obligations on data controllers (e.g., gaming enterprises) and processors (e.g., third-party service providers).
The PDPA is enforced by the Personal Data Protection Commissioner. Under section 48, the Commissioner is empowered to monitor and supervise data controllers’ compliance obligations. The Commissioner shall conduct inspections on any personal data system used by a data controller and provide recommendations and comments to promote PDPA compliance.[15] Upon receiving a complaint, or where the Commissioner has reasonable grounds to believe there is contravention of the PDPA, the Commissioner shall initiate investigations into the matter.[16] If the Commissioner determines that a data controller has breached the PDPA, an enforcement notice may be issued, stipulating directions for the data controller to cease the processing of personal data and remedy the contravention.[17] Notably under section 134 of the PDPA, no prosecution for an offense under the PDPA can be initiated without the written consent of the Public Prosecutor.
The PDPA is built on seven foundational principles that create specific obligations for data controllers (gaming enterprises) operating in Malaysia:
a) General Principle
Personal data cannot be processed without the data subject’s consent. For individuals under 18, parental or guardian consent is required. Additionally, data processing must be relevant, not excessive, and serves a lawful purpose directly related to the data controller’s activities.[18]
Therefore, the gaming enterprise must only process relevant and necessary data with explicit consent and for game-related activities. For example, when a player signs up for a mobile game, the enterprise can only collect data such as name, age (to ensure age-appropriate content), and payment details if there are in-game purchases. This ensures that players’ privacy is respected from the start of their interaction with the gaming service.[19]
b) Notice and Choice Principle
Gaming enterprises must provide clear personal data protection notices (PDP Notice) to data subjects in both English and Bahasa Malaysia, outlining their data collection and processing practices. The PDP Notice must inform users their rights to opt out or restrict the use of their personal data and to access or correct it. Data controllers must include contact details such as the name, designation, phone number, email address, and other relevant information.[20]
Players are to be given the autonomy to limit or opt-out of certain data processing activities. For instance, a multiplayer game must allow players to choose whether to share their in-game achievements publicly. This transparency builds trust between the gaming enterprise and its players.
c) Disclosure Principle
Personal data cannot be shared with third parties such as advertisers or analytics firms without consent, unless: (i) the disclosure is based on the purpose which has been disclosed at the time of collection of the personal data, or a purpose directly related thereto; and (ii) the third parties to whom the disclosure is made, fall within the class of third parties specified in the privacy notice. The data controller must maintain a list of disclosures to third parties of the personal data that has been or is being processed.[21]
In the gaming context, this means that a game developer or provider cannot sell players’ personal information to advertising agencies without consent unless the disclosure and its purpose are covered in the privacy notice. If the gaming enterprise engages third parties such as server providers or cloud storage providers, a list of such disclosures must be available.
d) Security Principle
Data controllers must take practical steps to develop and implement appropriate security measures to safeguard personal data against unauthorized access, modification, loss, misuse, theft, or destruction.[22] These measures must meet the minimum standards outlined in the Personal Data Protection Standard 2015 (Standards). This obligation is now binding on third-party data processors as well to ensure their compliance when processing personal data on behalf of the data controller.[23]
With the large amounts of player data at stake, security is paramount. Gaming enterprises must safeguard against unauthorized access by implementing robust security measures involving the use of encryption for data in transit and at rest, and regular security audits.[24]
e) Retention Principle
Data must not be retained longer than necessary. Once the processing purpose is fulfilled, reasonable steps to ensure the destruction of paper-based personal data and the permanent deletion of electronic data in compliance with the Standards must be taken.[25]
In the gaming context, once a player has uninstalled a game, or if the data is no longer relevant for gameplay or legal obligations, it must be deleted or destroyed permanently. For example, inactive player accounts or event-specific data must be securely deleted.
f) Data Integrity Principle
Data controllers must take reasonable steps to ensure that personal data is accurate, complete, and up to date[26] by adhering to the Standards.
This is important in the gaming context as incorrect data can lead to issues such as misallocation of in-game rewards. Accurate data is also important to ensure notices and announcements are delivered to the correct recipient. Overall, accurate data provides better gaming experience and avoids disputes with players.
g) Access Principle
Players have the right to access their personal data, subject to a fee, and to request corrections of any inaccuracies. They also have the right to withdraw consent for data processing. The gaming enterprise must respond to such requests within 21 days.[27] Players may also stop or prevent the processing of their personal data for direct marketing via a cessation notice, which the gaming enterprise must comply with promptly. Failure to comply may lead to a fine of up to RM200,000, imprisonment of up to two years, or both.
Additionally, a player has the right to data portability, enabling the player to transfer their data to another data controller via a portability request, subject to technical feasibility and format compatibility.[28]
In the gaming world, a player might want to review their gaming IDs or in-game purchase history or correct their profile information, and the gaming enterprise must comply with the player’s request. The right to data portability allows players to transfer their data such as gaming history to another game server of their choice, although subject to technical feasibility.
CYBERSECURITY AND DATA BREACH
A. Data Breach in the Gaming Industry
Gaming platforms have gradually become a breeding ground for cyber criminals, and cybercrime against them grows by the day. Digital gaming platforms represent attractive targets for malicious actors due to their combination of valuable personal data, financial transaction systems, and often immature security infrastructures compared to traditional financial institutions.[29]
a) Common Security Incidents
A personal data breach refers to any unauthorized access, loss, misuse, or compromise of personal data. In the gaming industry, such breaches can lead to the theft of usernames, account credentials, and even payment details. These incidents not only jeopardize players’ personal data and privacy but also damage the reputation of gaming enterprises and erode trust within the industry.
One of the most common methods used to facilitate data breaches is phishing. This involves deceptive emails or messages designed to trick individuals into revealing sensitive information or clicking on malicious links.[30] Gamers may receive fake notifications prompting them to log in to counterfeit websites, unknowingly exposing their credentials. Beyond targeting players, phishing schemes also infiltrate gaming enterprises by deceiving employees, potentially leading to widespread security breaches.
Once a perpetrator successfully obtains login credentials through a data breach or phishing attack, they can gain unauthorized access to user accounts, leading to account hijacking. In gaming, compromised accounts can be exploited to steal in-game assets, conduct fraudulent transactions, or spread malware. This not only impacts individual players but also disrupts in-game economies and weakens the overall gaming community.
b) Notable Breaches
Even top gaming enterprises have suffered major data breaches. These breaches underscore the growing risks of cyberattacks in the gaming industry, exposing millions of players to fraud and identity theft leading to dire consequences.
Company | Year | Impact
Razer | 2024 | 404,000 accounts compromised and stolen data allegedly sold for USD100,000.
Razer | 2020 | 100,000 customers’ personal and shipping information leaked.
Roblox | 2024 | Millions of users’ data including usernames, email addresses and IP addresses exposed.
Nintendo | 2020 | A total of 400,000 user accounts were compromised in two security incidents. The incidents leaked personal data such as nicknames, birthdates, email addresses, gender and country of the user.
Capcom | 2020 | Approximately 350,000 employee records and 14,000 user accounts exposed, leaking information including names, birthdates and email addresses.
WildWorks | 2020 | Approximately 46 million Animal Jam account records exposed, raising concerns relating to children’s games.
Epic Games | 2019 | 50,000 Fortnite accounts compromised. Epic Games failed to inform affected users, exposing users to prolonged vulnerability. A class action was filed against the company (which was later dismissed).
BlankMediaGames | 2018 | Over 7.6 million Town of Salem accounts compromised, leaking email addresses, usernames, IP addresses and payment information.
These incidents highlight the regulatory and reputational risks gaming enterprises face. Beyond direct financial penalties under the PDPA, enterprises experience measurable declines in player engagement following breaches.[31]
B. Legal Obligations under the PDPA
Recognizing increased data breach risks in gaming, the PDPA 2024 amendment mandates Data Breach Notification (DBN) and Data Protection Officer (DPO) appointments, effective 1 June 2025. Given gaming’s extensive data collection, compliance is crucial for safeguarding user data and maintaining trust.
a) Data Breach Notification (DBN)
A DBN formally informs the Commissioner and affected users of data breach incidents. In the gaming industry, where user accounts, payment details, and personal information are frequently processed, breaches involving unauthorized access, data leaks, or hacking pose serious risks.
Notification is required only if a breach meets the “significant harm” threshold, including risks of physical harm, financial loss, credit damage, property loss, or misuse for illegal purposes. Mandatory DBN applies if the breach involves sensitive data, enables identity fraud, or affects more than 1,000 individuals.[32] Gaming enterprises must report breaches to the Commissioner within 72 hours via www.pdp.gov.my[33] and notify affected users within 7 days through direct communication via email or SMS or, if impractical, public announcements on website, forums, or social media.[34] DBN obligations extend beyond reporting. Gaming enterprises must maintain a personal data breach register for at least 2 years from the date of the DBN submission.[35] Failure to comply with DBN requirements can result in a penalty of RM250,000 or imprisonment for up to 2 years, or both.[36]
Aside from mandatory DBNs, the DBN Guidelines emphasize additional responsibilities, including the establishment of a comprehensive data breach management and response plan.[37] This plan should outline measures to identify, contain, mitigate, communicate, and review data breach incidents. Additionally, third-party providers, such as payment processors and server hosts, must contractually agree to report breaches impacting player data.
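The triage logic an incident response team would build from the thresholds and clocks above, as an added example (not code from the article or from the Commissioner): it decides whether a breach triggers a mandatory DBN, which notification route applies, and when each clock runs out. The Breach record, the category names and the set of categories treated as sensitive are this example's own assumptions, and the 72-hour clock is assumed to start when the enterprise becomes aware of the breach.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds and clocks as the article summarises them from the PDPA 2024
# amendment and the DBN Guidelines. Everything else here (the Breach record,
# the category names, which categories count as "sensitive") is this
# example's own assumption, not text taken from the guidelines.
MASS_BREACH_THRESHOLD = 1000                  # "affects more than 1,000 individuals"
COMMISSIONER_DEADLINE = timedelta(hours=72)   # report to the Commissioner
DATA_SUBJECT_DEADLINE = timedelta(days=7)     # notify affected players
REGISTER_RETENTION = timedelta(days=2 * 365)  # breach register kept >= 2 years

SIGNIFICANT_HARM_RISKS = frozenset({
    "physical_harm", "financial_loss", "credit_damage",
    "property_loss", "illegal_misuse",
})
# Assumed: categories an incident team would treat as sensitive personal data.
SENSITIVE_CATEGORIES = frozenset({"payment_card", "biometric", "health", "government_id"})


@dataclass(frozen=True)
class Breach:
    detected_at: datetime          # assumed to be when the enterprise became aware
    affected_count: int
    data_categories: frozenset     # e.g. {"username", "email", "payment_card"}
    harm_risks: frozenset          # subset of SIGNIFICANT_HARM_RISKS
    enables_identity_fraud: bool
    direct_contact_possible: bool  # do we hold a working email/phone for the subjects?


def assess(breach: Breach) -> dict:
    """Return whether a mandatory DBN applies, why, and the notification clocks."""
    unknown = breach.harm_risks - SIGNIFICANT_HARM_RISKS
    if unknown:
        raise ValueError(f"unrecognised harm risk labels: {sorted(unknown)}")

    reasons = []
    sensitive = breach.data_categories & SENSITIVE_CATEGORIES
    if sensitive:
        reasons.append("involves sensitive data: " + ", ".join(sorted(sensitive)))
    if breach.enables_identity_fraud:
        reasons.append("enables identity fraud")
    if breach.affected_count > MASS_BREACH_THRESHOLD:
        reasons.append(f"affects more than {MASS_BREACH_THRESHOLD:,} individuals")
    if breach.harm_risks:
        reasons.append("significant harm risk: " + ", ".join(sorted(breach.harm_risks)))

    result = {"mandatory": bool(reasons), "reasons": reasons}
    if result["mandatory"]:
        result["commissioner_deadline"] = breach.detected_at + COMMISSIONER_DEADLINE
        result["subject_deadline"] = breach.detected_at + DATA_SUBJECT_DEADLINE
        # Direct email/SMS is the default; public announcement only if impractical.
        result["subject_channel"] = (
            "direct email/SMS" if breach.direct_contact_possible
            else "public announcement (website, forums, social media)"
        )
    return result


def register_retain_until(submitted_at: datetime) -> datetime:
    """Earliest date the breach register entry may be discarded."""
    return submitted_at + REGISTER_RETENTION


def overdue(assessment: dict, now: datetime) -> list:
    """Obligations whose clock has already run out at `now`."""
    if not assessment["mandatory"]:
        return []
    late = []
    if now > assessment["commissioner_deadline"]:
        late.append("commissioner")
    if now > assessment["subject_deadline"]:
        late.append("data_subjects")
    return late


# Constructed sample incidents (not real breaches) for exercising the logic.
T0 = datetime(2025, 6, 2, 9, 30, tzinfo=timezone.utc)
CREDENTIAL_DUMP = Breach(T0, 2500, frozenset({"username", "email"}),
                         frozenset(), False, True)
SMALL_CARD_LEAK = Breach(T0, 40, frozenset({"email", "payment_card"}),
                         frozenset({"financial_loss"}), False, False)
MINOR_INCIDENT = Breach(T0, 12, frozenset({"username"}), frozenset(), False, True)

if __name__ == "__main__":
    for name, b in [("credential dump", CREDENTIAL_DUMP),
                    ("card leak", SMALL_CARD_LEAK), ("minor incident", MINOR_INCIDENT)]:
        a = assess(b)
        print(name, "->", "mandatory" if a["mandatory"] else "not mandatory", a["reasons"])
```

Whether a given incident actually meets the "significant harm" threshold is a judgement call for the DPO and legal counsel; the function only makes the decision inputs and the deadlines explicit.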
b) Data Protection Officer (DPO)
A DPO ensures a gaming enterprise’s compliance with data protection laws and strengthens data security practices. A DPO is required if the enterprise processes personal data of over 20,000 users, handles sensitive data of more than 10,000 users (e.g., payment details or biometric data), or conducts regular user monitoring through behaviour tracking, analytics, or personalized marketing.[38] The enterprise must register the DPO and submit their business contact details within 21 days via https://daftar.pdp.gov.my.[39]
The DPO’s key responsibilities include advising on data protection requirements, ensuring compliance with the PDPA, assessing data processing risks, and conducting data protection impact assessments. They also oversee data breach management and security incidents. For data subjects, the DPO serves as the primary contact for complaints, educates users on their rights, and manages breach notifications. Additionally, they act as the liaison between the enterprise and the Commissioner, facilitating investigations and industry compliance efforts.
By fulfilling these responsibilities, the DPO helps gaming enterprises implement robust data protection measures, maintain regulatory compliance, and reinforce user trust in their gaming platforms.
PROTECTING CHILDREN IN THE GAMING INDUSTRY
A. The Legal Framework
In a survey conducted in 2020, 73% of Malaysian gamers were aged between 16 and 24 years old.[40] With the growing number of minors engaged in the industry, enterprises must prioritize child online safety by monitoring and regulating game content to ensure a safe and appropriate gaming environment for children. While the PDPA does not contain provisions specific to children’s personal data, its principles apply equally to minors and adults. However, since minors cannot provide valid consent, parental or guardian consent is required.
The legal landscape extends beyond data protection to encompass content regulation through the CMA and the Content Code 2022 (Content Code). These regulations impose strict limitations on game content that may be accessed by minors, prohibiting material deemed indecent, obscene, or grossly offensive.[41] The publication of such content carries criminal liability, including fines of up to RM1 million or imprisonment of up to 10 years.
The Content Code sets out ethical guidelines for content providers such as gaming enterprises, emphasizing self-regulation while aligning with local cultural values. It mandates that content aimed at children be age-appropriate, as it influences their social attitudes and development. Gaming enterprises must regulate material selection, characterization, and plot development, adhering to strict guidelines on violence, safety, and imitable acts. For instance, content may include violence only if essential to the plot, while animated content should not glorify or center around violence. Any depiction of violence must humanize its consequences. Sensitive themes like domestic conflict, crime, or drug use must be handled carefully to avoid distressing young viewers, and content must not depict dangerous acts that children might imitate.[42]
The Content Code further reinforces child protection by prioritizing children’s welfare, ensuring that content does not cause them physical or emotional harm, promote abuse, or expose them to moral dangers.[43] The Online Safety Bill 2024[44] further strengthens these measures by requiring licensed service providers to implement safeguards ensuring child safety online.
Beyond game content, regulatory guidelines extend to in-game communications, advertisements, and live interactions. Many online games feature real-time chat functions, player-to-player messaging, and live-streamed events, all of which pose risks of exposing minors to inappropriate interactions, cyberbullying, or exploitative content. Gaming enterprises must implement content moderation measures, including AI-driven filters, real-time monitoring, and reporting mechanisms to prevent harmful communication.[45] Similarly, advertisements within games targeting children must adhere to strict ethical standards, avoiding misleading claims, inappropriate themes, or excessive commercialization.[46]
Additionally, gaming enterprises must ensure compliance with child safety standards, particularly in data protection and content monitoring. Enforcement mechanisms empower regulators, including the Malaysian Communications and Multimedia Commission, to investigate and penalize non-compliance through fines, content takedowns, service suspensions, and, in severe cases, criminal charges.
By enforcing these regulations and guidelines, Malaysia aims to create a safer digital environment for children, ensuring that gaming content remains appropriate and free from harm.
REGULATORY COMPLIANCE AND RISK MANAGEMENT FOR CHINESE ENTERPRISES
A. A Comparison between laws
Unlike Malaysia, the People’s Republic of China (PRC) has no single comprehensive data protection legislation. Instead, rules relating to personal information protection and data security are part of a complex framework spread across various legal documents. That said, the three main pillars of the personal information protection framework in the PRC are the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), and the Data Security Law (DSL).[47] The scope of the PIPL, CSL and DSL (collectively referred to as “PRC Laws”) is akin to the PDPA in terms of data protection obligations. Both jurisdictions uphold similar data subject rights such as the right to access, correction and cessation of processing. However, the laws in the PRC are generally stricter and adopt a more specific approach.
a) Scope of Application
The PDPA only protects personal data in commercial transactions, with no regulatory powers over data abuse in non-commercial transactions and government administrative actions. PRC Laws, on the other hand, cover personal information processing activities in various fields, including business operations, government management, social services, etc., giving them a broader scope of application.[48]
b) Data Classification
The PDPA does not have differential treatment towards different types of data. However, in the PRC, a data classification system is implemented. The DSL provides for a “classified and graded” data protection system.[49] The PIPL distinguishes between personal information and sensitive personal information where data of a minor is categorized as sensitive information. For sensitive information, the data controller must obtain consent of the data subject which is separate from general consent.[50] The data collected is then classified according to its importance and risk level for implementation of different processing standards.
c) Cross-border Data Transfer
The amendments to the PDPA abolish the whitelist regime for cross-border data transfer, enhancing data subject rights to a certain extent and indicating a relatively flexible attitude towards cross-border data flow. However, cross-border data transfer under the PRC regime is strictly regulated. For some important data and personal information of critical information infrastructure operators, there are data localization requirements. Data must be stored within the territory of China, and cross-border transfer is subject to strict review and approval.
d) Penalty Mechanism
The penalties in Malaysia are fixed fines and terms of imprisonment. In contrast, the PRC Laws stipulate that illegal processing of personal information may result in fines of up to RMB50 million or 5% of the annual turnover of the previous year for businesses, and any individual may be personally liable to up to RMB1 million.[51] In PRC, an aggrieved person may also institute civil action against a data controller for contravention of its data protection laws. Conversely, there is no civil recourse in Malaysia, and an aggrieved person may only lodge a complaint to the Commissioner. It is then up to the Commissioner to enforce action against such non-compliances.
e) Data Breach Notification
In the PRC, although there is no unified and specific legal provision clearly stating the time limit and specific process for data breach notification like Malaysia, PRC Laws require network data processors to establish and improve network data security management systems and be responsible for handling security incidents. For example, the DSL requires the establishment of a data security emergency response mechanism.
f) Data Protection Officer
PRC does not have a mandatory requirement for all organizations to appoint a dedicated DPO. However, for some key industries and organizations, there are relevant requirements for data security management personnel. For example, CSL requires network operators to appoint a network security management agency and a network security person responsible. The Network Data Security Management Regulations stipulate the responsibilities of network data security management agencies and network data security responsible persons.[52] In addition, the PRC government encourages the cultivation of data security-related professionals through Data Security Officer Certification issued by the China Cybersecurity Review Technology and Certification Center.[53]
From a regulatory perspective, the distinction between the frameworks of both jurisdictions may create compliance challenges for Chinese enterprises operating in Malaysia and vice versa.
B. Challenges and Opportunities for Chinese Gaming Enterprises in Malaysia
a) Challenges
The PDPA encompasses seven data protection principles as discussed above. Chinese gaming enterprises must ensure that all data processing activities, from user registration to behavioral analysis, comply with these principles.
For example, the amended PDPA imposes direct responsibility on data processors and mandates data controllers and processors to appoint DPOs. Since a DPO must be a resident of Malaysia and master the national language and English, Chinese gaming enterprises acting as data controllers or processors would likely turn to outsourcing, which increases compliance costs and management complexity.[54] Further, with the increased penalties, directors, CEOs, COOs, managers, or officers responsible for the management of data controllers may be held jointly or severally liable.[55] The high-penalty risk poses a significant threat to Chinese gaming enterprises, and non-compliance could lead to substantial financial losses, disruption to business operations or damage to their reputation.
Chinese gaming enterprises may have different levels of awareness and attitudes towards data protection and privacy. Some practices that are common in the Chinese market, such as personalized recommendations[56] and targeted advertising[57], may be regarded as privacy invasion in Malaysia, requiring Chinese gaming enterprises to adjust their marketing and service strategies according to local cultural characteristics to avoid triggering user dissatisfaction and regulatory risks.
b) Opportunities
With the latest PDPA amendments coming into full force, Malaysia’s framework is evolving toward greater alignment with international standards like the European General Data Protection Regulation, particularly in the areas of user rights and breach notification. For gaming enterprises, this creates both compliance challenges and opportunities to differentiate through strong data stewardship. Those who invest in robust PDPA compliance programs can improve their data security management, protect users’ personal data, and thus simultaneously improve user trust, operational resilience, and preparedness for other regulated markets. This is beneficial for attracting and retaining local users, helping enterprises establish a good brand image in the Malaysian market.
By implementing relevant measures, Chinese gaming enterprises can effectively reduce the risk of data breaches, avoid the financial losses and reputational damage caused by data leaks, and ensure the stable operation of their businesses. The PDPA provides a clear legal framework and specific requirements for data processing in commercial transactions, offering guidance for the data related operations of Chinese gaming enterprises in Malaysia.
Enterprises can refer to the regulations to formulate corresponding data management policies and procedures, standardize data processing activities, and improve operational efficiency and management levels. The PDPA applies equally to all enterprises in the Malaysian market, creating a fair competitive environment. Chinese gaming enterprises can compete with local and other international gaming enterprises on an equal footing in terms of data protection, which allows them to make full use of their technological and operational advantages and integrate better into the local market.
C. Compliance Strategies
a) Formulation of policies and frameworks
Gaming enterprises must formulate detailed data protection policies in line with the seven data protection principles. The policies must clearly define the scope and duties of the gaming enterprises, their employees and third-party data processors. Balance must be struck between business goals of the enterprise and the data protection and privacy rights of their users to ensure a sustainable relationship. For example, when collecting player information, only the necessary data in line with the specified purpose is collected and processed. Gaming enterprises must also implement regular internal audits to check for compliance with data protection laws and ensure systematic enforcement of company policies.
b) Strengthen Technical Protection Measures
When transmitting and storing player data, advanced encryption technologies such as the Advanced Encryption Standard should be used to ensure that data, especially sensitive data, cannot be read or modified by unauthorized personnel.[58] For example, user passwords are encrypted and stored in the database, and data is encrypted during transmission between the game client and the server. A secure network architecture should be built, with firewalls, intrusion detection systems, and other security devices deployed to prevent external network attacks.[59]
c) Ensuring clear and user-friendly privacy policies
Before users register or engage in the game, they must be clearly informed of the game’s privacy policy, including how their data will be collected, used, and shared. The privacy policy shall be presented in simple and clear language that is easy for users to understand. The privacy policy must be in both Bahasa Malaysia and English while Mandarin is optional for Chinese users.[60]
The enterprise may also keep its users educated and trained in data protection through in-game announcements, official websites, social media, and other official channels. For instance, players may learn the importance of setting strong passwords and enabling two-factor authentication. The game’s official website may also publish articles on data protection tips and conduct online quizzes to encourage users to learn.
d) Working with legal advisors and data compliance consultants
To navigate Malaysia’s regulatory framework, gaming content and child safety, gaming enterprises are strongly recommended to engage local legal advisors and data compliance consultants. Legal advisors help interpret and implement laws and regulations. They assist in drafting terms of service, privacy policies, and community guidelines to ensure adherence to regulations, particularly those upholding data protection and prohibiting indecent or harmful content. Additionally, they guide enterprises on age-appropriate content restrictions, licensing, and regulatory approvals for features like in-game purchases and advertisements.
On the other hand, data compliance consultants assist in implementing secure data storage, data encryption, parental consent mechanisms, and age verification systems to protect minors’ personal information. Consultants also ensure ethical advertising practices, preventing targeted marketing or behavioral tracking of children.
CONCLUSION
To sum up, data compliance is a fundamental pillar of success for gaming enterprises, ensuring adherence to legal and regulatory frameworks while safeguarding player data and maintaining ethical business practices. As the gaming industry continues to expand globally, the risks associated with data breaches, cyber threats, and regulatory violations have become more pronounced. To mitigate these risks, enterprises must implement comprehensive data protection strategies, integrate robust cybersecurity protocols, and regularly assess their compliance policies to stay aligned with evolving legal landscapes and industry standards.
Moreover, data compliance plays a crucial role in fostering trust and credibility among players, regulators, and stakeholders. A proactive approach to data protection through data encryption, secure data storage, transparent data handling policies, and strict adherence to jurisdictional regulations can significantly reduce exposure to legal repercussions, reputational damage, and financial loss. Additionally, as regulatory bodies continue to tighten their supervision over data processing activities, gaming enterprises must remain agile by continuously reviewing and updating their compliance frameworks while educating employees to ensure adherence to best practices.
Ultimately, by prioritizing data compliance, gaming enterprises can create a safer and more secure environment for players, promote responsible gaming, and achieve sustainable business growth. In an industry that thrives on digital engagement and user experience, ensuring data privacy and regulatory compliance is not merely a prerequisite but a competitive advantage. Enterprises that proactively integrate compliance measures into their operations will be better equipped to adapt to regulatory changes, enhance customer satisfaction and sustain long-term success in a data-driven market.
REFERENCES
[1] ey-tmt-gaming-metaverse-report-final.pdf
[2] https://www.statista.com/topics/12637/gaming-market-in-malaysia/#topicOverview
[3] https://themalaysianreserve.com/2024/10/10/malaysias-path-to-become-south-east-asias-gaming-powerhouse/
[4] https://www.nst.com.my/news/nation/2024/04/1039566/gaming-industry-revenue-set-hit-rm288-bil-says-gobind
[5] https://www.mida.gov.my/de/the-gaming-industry-a-new-game-of-growth/
[6] https://www.mida.gov.my/de/the-gaming-industry-a-new-game-of-growth/
[7] https://www.mida.gov.my/de/the-gaming-industry-a-new-game-of-growth/
[8] https://www.thestar.com.my/tech/tech-news/2023/06/20/ministry-introduces-national-esports-development-guidelines-to-protect-players
[9] https://www.trendmicro.com/vinfo/us/security/news/online-privacy/data-privacy-and-online-gaming-why-gamers-make-for-ideal-targets
[10] https://www.trendmicro.com/vinfo/us/security/news/online-privacy/data-privacy-and-online-gaming-why-gamers-make-for-ideal-targets
[11] Section 5, PDPA
[12] https://www.bdo.com/insights/industries/gaming-leisure/transforming-gaming-s-data-security-management
[13] https://tsaaro.com/blogs/regulation-of-online-gaming-industry-why-is-it-important-from-a-privacy-standpoint/
[14] A NCII is defined as a computer or system whose disruption would be harmful to crucial national and government functions, public safety, or public order in Malaysia.
[15] Section 101, section 102, PDPA
[16] Section 105, PDPA
[17] Section 108, PDPA
[18] Section 6, PDPA
[19] https://www2.deloitte.com/us/en/pages/risk/articles/game-on-securely-data-privacy-and-the-gaming-industry.html
[20] Section 7, PDPA
[21] Regulation 5, Personal Data Protection Regulations 2013
[22] Section 9, PDPA
[23] Section 5(1A), PDPA
[24] https://www.bdo.com/insights/industries/gaming-leisure/transforming-gaming-s-data-security-management
[25] Section 10, PDPA
[26] Section 11, PDPA
[27] Section 12, PDPA
[28] Section 43A, PDPA
[29] https://www.imperva.com/blog/understanding-cyber-threats-in-gaming/
[30] https://www.ncsc.gov.uk/guidance/phishing#section_2
[31] https://www.imperva.com/blog/understanding-cyber-threats-in-gaming/
[32] Para 5.2 DBN Guidelines
[33] Para 6.1, Para 7.1, DBN Guidelines
[34] Para 9.1, Para 10.1, Para 10.3, Para 10.4, DBN Guidelines
[35] Para 14.1, Para 14.2, DBN Guidelines
[36] Section 12B(3), PDPA
[37] Para 11, DBN Guidelines
[38] Para 4.2, DPO Guidelines
[39] Para 7.1, Para 7.2 DPO Guidelines
[40] https://www.statista.com/statistics/1117575/malaysia-age-breakdown-of-online-gamers/
[41] Section 211, Section 233, CMA
[42] Part 2 Paragraph 8, Content Code
[43] Part 10 Paragraph 4, Content Code
[44] The Bill will become law upon receipt of Royal Assent and being gazetted and will become effective on a date to be appointed by the Minister of Communications.
[45] https://www.ofcom.org.uk/siteassets/resources/documents/research-and-data/online-research/other/cambridge-consultants-ai-content-moderation.pdf?v=324081
[46] Part 3 Paragraph 7, Content Code
[47] https://www.dlapiperdataprotection.com/index.html?c=CN&t=law
[48] https://www.ey.com/en_my/insights/forensic-integrity-services/how-chinas-data-privacy-and-security-rules-could-impact-your-business
[49] https://www.pwc.com/id/en/pwc-publications/services-publications/legal-publications/a-comparison-of-cybersecurity-regulations/china.html
[50] https://www.ey.com/en_my/insights/forensic-integrity-services/how-chinas-data-privacy-and-security-rules-could-impact-your-business
[51] https://www.ey.com/en_my/insights/forensic-integrity-services/how-chinas-data-privacy-and-security-rules-could-impact-your-business
[52] https://www.lw.com/admin/upload/SiteAttachments/China-Clarifies-Privacy-and-Data-Security-Requirements-in-Network-Data-Security-Management-Regulations.pdf
[53] https://www.isccc.gov.cn/zxyw/shy/jcypx/sjaqg/2023/909485.shtml
[54] https://www.ibm.com/think/insights/data-protection-strategy, the global average cost to remediate a data breach in 2023 was USD 4.45 million, a 15 percent increase over three years.
[55] Section 133
[56] https://sidecar.ai/blog/ai-driven-personalization-insights-from-china
[57] https://gab-china.com/advertising-in-china-best-practices-and-top-strategies/
[58] https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard
[59] https://www.ibm.com/think/insights/data-protection-strategy
[60] https://techinsights.linklaters.com/post/102j72m/minecraft-or-minefield-what-games-companies-need-to-know-about-the-pdpcs-adviso
This article is authored by our Partner, Ms Lee Lin Li, our Senior Associate, Ms Chong Kah Yee, and our pupil, Ms Wong Yun Xin. The information in this article is intended only for general information and is not a legal opinion or professional advice.
Lee Lin Li
Partner
T: +603 2050 1898
linli.lee@taypartners.com.my
Chong Kah Yee
Senior Associate
T: +603 2050 1831
kahyee.chong@taypartners.com.my
Wong Yun Xin
Pupil
yunxin.wong@taypartners.com.my