Malaysia Recording Laws: All-Party Consent Rules and Penalties (2026)

Malaysia generally requires the consent of all parties before recording private conversations or phone calls, with narrow exceptions for law enforcement. The Communications and Multimedia Act 1998 Section 234 is the primary prohibition. Penalties reach RM50,000 and one year imprisonment for individuals.

Information last verified on 2026-05-15. This article has not yet been reviewed by a licensed lawyer.

Jurisdiction scope: This article addresses recording and privacy laws in Malaysia under federal law, including the Communications and Multimedia Act 1998 (Act 588), the Personal Data Protection Act 2010 (Act 709), the Penal Code (Act 574), the Evidence Act 1950 (Act 56), and the Online Safety Act 2025 (Act 866). It does not address Syariah law or state-level ordinances. For US recording laws, see US recording laws by state.

Quick Answer: Is Malaysia an All-Party Consent Country?

Malaysia is best understood as an all-party consent jurisdiction for third-party interceptions, with an unsettled rule for participant recordings. Section 234 of the Communications and Multimedia Act 1998 prohibits any person from intercepting communications without authorization. The statute does not contain an explicit exception for a party to the conversation, unlike the US federal Wiretap Act (18 U.S.C. § 2511(2)(d)), which expressly allows one-party consent recording.

In practice, this means that recording a phone call or electronic conversation without telling the other participants carries criminal risk under the CMA. Law enforcement agencies confirm that private individuals who record calls without consent have been prosecuted under Section 234. Malaysian legal practitioners consistently advise that consent of all parties is required before recording any private communication.

The nuance: some practitioners argue that a party to a conversation recording it for their own use does not constitute "interception" because interception presupposes a third party acquiring the contents. This interpretation has not been confirmed by a Malaysian appellate court. Until case law or a legislative amendment clarifies the point, the safest position is to treat Malaysia as requiring all-party consent for any recorded communication.

Overview of Recording Laws in Malaysia

Malaysia has no single, consolidated recording statute. Several overlapping laws govern who can record, when, and under what conditions.

The primary statute is the Communications and Multimedia Act 1998 (CMA), specifically Section 234, which criminalizes unauthorized interception of communications. Layered on top is the Personal Data Protection Act 2010 (PDPA), which treats recorded conversations as personal data subject to consent, storage, and security requirements.

The Penal Code (Act 574), the Evidence Act 1950 (Act 56), the Security Offences (Special Measures) Act 2012 (SOSMA), and the Criminal Procedure Code also apply depending on context. The Online Safety Act 2025 (Act 866) adds a new layer governing platforms that host harmful content, including AI-generated recordings. The Federal Constitution rounds out the picture: Article 5(1) on personal liberty has been interpreted by the Federal Court to include a right to privacy.

For anyone living in, visiting, or doing business in Malaysia, the practical takeaway is straightforward: do not record a private conversation without the knowledge and consent of every person involved, unless you fall into one of a handful of narrow exceptions.

Communications and Multimedia Act 1998: Section 234

Section 234 of the CMA is titled "Interception and disclosure of communications prohibited." It is the cornerstone of Malaysia's recording law framework for electronic communications.

The provision makes it an offense for any person to intercept, attempt to intercept, or procure another person to intercept or attempt to intercept any communication. It also prohibits the disclosure or use of the contents of any communication where the person has reason to believe the communication was unlawfully intercepted.

The term "intercept" is defined broadly under the CMA to include the aural or other acquisition of the contents of any communication through the use of any electronic, mechanical, or other device or apparatus. "Communications" covers sound, data, text, visual images, signals, or any combination of these.

Penalties Under Section 234

A person convicted under Section 234 faces a fine not exceeding RM50,000 (approximately USD 10,700 as of 2026), imprisonment for a term not exceeding one year, or both.

These penalties apply to private individuals. The offense does not require that the intercepted communication was actually used for any harmful purpose. The act of interception alone is sufficient to trigger criminal liability.

Watch out: The 2025 CMA amendments significantly raised penalties for Section 233 offenses (offensive communications). Section 234 interception penalties were NOT increased by the 2025 amendments. The RM50,000 and one year cap for interception under Section 234 remains unchanged as of February 2026. Do not confuse the two sections when advising on penalty exposure.

2025 CMA Amendments

The Communications and Multimedia (Amendment) Act 2025 (Act A1743), which took effect on February 11, 2025, raised penalties across several CMA offenses and expanded the Malaysian Communications and Multimedia Commission's (MCMC) enforcement powers.

Key changes relevant to recording:

• Section 233 (improper use of network facilities for offensive, threatening, or false communications): penalty raised from RM50,000/1 year to RM500,000/2 years for general offenses; offenses against minors carry up to 5 years imprisonment
• Section 233A (new): prohibits unsolicited commercial electronic messages (spam)
• Section 234: penalty unchanged (RM50,000/1 year)
• MCMC audit authority: expanded to cover all licensees and service providers
• Consumer protection obligations (Section 188): exemptions deleted; all providers now subject to obligations with fines up to RM1 million for non-compliance

Personal Data Protection Act 2010 (PDPA)

The PDPA (Act 709) adds a second layer of legal liability for anyone who records conversations in Malaysia. A recorded conversation qualifies as personal data if the individuals in the recording can be identified.

Seven Data Protection Principles

The PDPA establishes seven core principles governing how personal data, including recordings, must be handled:

1. General Principle (Section 6): Personal data can only be processed with the consent of the data subject.
2. Notice and Choice Principle (Section 7): Data subjects must be informed about the collection of their data and given the opportunity to consent or refuse.
3. Disclosure Principle: Personal data cannot be disclosed to third parties without consent.
4. Security Principle: Recordings must be stored securely with access limited to authorized personnel.
5. Retention Principle: Data cannot be kept longer than necessary for the stated purpose.
6. Data Integrity Principle: Personal data must be accurate, complete, and up to date.
7. Access Principle: Data subjects have the right to access and correct their personal data.

PDPA 2024 Amendments and Updated Penalties

The Personal Data Protection (Amendment) Act 2024, implemented in stages from January to June 2025, was the most significant overhaul of Malaysia's data protection law since its inception. Key changes:

• Phase 1 (January 2025): Administrative changes; new term "data controller" introduced
• Phase 2 (April 2025): Biometric data added to sensitive personal data categories; cross-border data transfer rules amended (Section 129)
• Phase 3 (June 2025): Mandatory Data Protection Officer (DPO) appointments for large-scale processors; mandatory data breach notification; data portability rights

Updated penalties: Breaching the PDPA's data protection principles now carries a maximum fine of RM1 million and up to three years imprisonment. For unlawful collection, processing, or sharing of personal data, fines reach RM500,000 with up to three years imprisonment. Directors, CEOs, managers, and other senior officers face joint and several liability for organizational non-compliance.

Phone Recording Laws in Malaysia

Recording telephone conversations without the consent of all parties is illegal for private individuals in Malaysia under Section 234 of the CMA.

The prohibition applies regardless of the technology used. Whether the call is made through a traditional landline, a mobile phone, or a Voice over Internet Protocol (VoIP) application, the same rules apply. The CMA defines "communications" broadly enough to cover any transmission of sound, data, or signals through a network.

Who Can Legally Record Phone Calls

Private citizens: Cannot record phone calls without the consent of all parties. Doing so violates Section 234 of the CMA and may also breach the PDPA.

Law enforcement: Police officers may intercept and record phone calls, but only when the Public Prosecutor authorizes the interception under the Criminal Procedure Code. Section 116C of the Criminal Procedure Code (Amendment) Act 2012 permits police to "intercept, listen to or record any conversation by communication" if the Public Prosecutor is satisfied the communication likely contains information relevant to a criminal investigation.

Intelligence agencies: Under the Security Offences (Special Measures) Act 2012 (SOSMA), a police officer of superintendent rank or above may intercept communications without prior Public Prosecutor authorization in urgent cases involving national security. A written report must be submitted to the Public Prosecutor afterward.

Businesses: Companies operating call centers or recording customer interactions may do so only with explicit consent, as required by the PDPA. Customers must be informed that the call is being recorded and told the purpose of the recording.

The Najib Tapes Precedent

The legal framework around phone recording drew significant public attention following the release of recorded phone conversations allegedly involving former Prime Minister Najib Razak. Malaysian lawyers noted at the time that recordings would be legal if carried out by enforcement agencies under proper authorization, but illegal if done by private parties without lawful authority.

Recording In-Person Conversations

Malaysia does not have a specific statute governing the recording of face-to-face conversations in the same way the CMA addresses electronic communications. However, several laws still apply.

Section 509 of the Penal Code (Act 574) criminalizes any word, gesture, or act intended to insult the modesty of a person, and intrusion upon the privacy of another person. Malaysian courts have applied it to some privacy intrusion cases including certain recording scenarios. Conviction carries imprisonment for a term not exceeding five years, a fine, or both.

The PDPA also applies to in-person recordings if the recorded individuals can be identified. The consent, notice, and security requirements described above remain in effect.

In practice, recording a private in-person conversation without the consent of all parties present carries legal risk under both the Penal Code and the PDPA, even if it does not fall squarely under Section 234 of the CMA.

Voyeurism and Hidden Camera Recording

Malaysia does not have a dedicated voyeurism statute. This is a documented legal gap that practitioners and academics have called on Parliament to address.

The current legal tools and their limits:

Section 509, Penal Code is the provision most commonly invoked for voyeurism-adjacent conduct. It covers words, sounds, gestures, or objects exhibited with intent to insult modesty, as well as intrusion upon privacy. In Malinda Ishak v Mohd Tahir Osman & Ors (2009), the Court of Appeal held the defendant liable under Section 509 for secretly photographing a victim in a private act. However, Section 509 has a critical structural limitation: the statute requires a "word, sound, gesture, or object" to be involved. When a hidden spy camera is concealed and the victim is unaware of any object being exhibited, prosecutors face difficulty satisfying this element.

Section 292, Penal Code addresses the sale and distribution of obscene material. It applies to distributing voyeuristic recordings but, like CMA Section 233, does not reach the act of creation or capture itself.

Section 507A-507G, Penal Code (stalking and harassment offenses, added by the Penal Code (Amendment) Act 2017) may apply where voyeuristic recording is used as a tool of stalking or harassment. Section 507A (stalking) carries up to 3 years imprisonment; Sections 507B-507C (harassment causing distress) carry 1-3 years imprisonment.

Sexual Offences Against Children Act 2017 (SOAC): For victims under 18, SOAC Sections 10-12 cover child sexual abuse material and grooming, with penalties up to 5 years imprisonment and a RM10,000 fine for accessing child sexual abuse material.

The gap: For adult victims recorded without consent in circumstances where Section 509's elements are not satisfied (as is common in upskirt cases or spy-camera bathroom recordings), Malaysia currently lacks an adequate statutory remedy. Academics at Malaysian universities and civil society organizations have repeatedly called for Malaysia to adopt a dedicated voyeurism offense comparable to Singapore's Penal Code Section 377BB, which explicitly criminalizes recording private acts without consent. As of May 2026, Parliament has not enacted such a provision. The Digital Minister has announced an AI Bill targeted for mid-2026, which may address some aspects of non-consensual recording, but no voyeurism statute has been tabled.

Watch out: If you discover you have been recorded in a private setting without consent in Malaysia, Section 509 of the Penal Code and the PDPA offer the primary legal remedies. Report the matter to the Royal Malaysia Police (PDRM) for Section 509 prosecution and to the Personal Data Protection Commissioner for PDPA enforcement.

Recording the Police (PDRM)

Recording Royal Malaysia Police Force (PDRM) officers in public during the performance of their duties is not specifically prohibited by Malaysian law. No statute expressly forbids filming police in public spaces.

The clearest legal analysis comes from lawyers and civil rights organizations: Lawyers for Liberty stated there are "no legal provisions criminalising the act of recording police" under Malaysian law. The Malaysian Bar has issued similar positions affirming that video recording of public acts by public officials does not constitute a criminal offense.

The relevant provisions and their limits:

Section 186, Penal Code criminalizes voluntarily obstructing a public servant in the discharge of their duties. Passive filming does not satisfy the "voluntarily obstructs" element. As DAP MP Ramkarpal Singh noted, Section 186 requires active hindrance, not mere documentation.

CMA Section 233 covers grossly offensive or threatening communications transmitted over a network. MCMC and legal practitioners confirmed in April 2025 that Section 233 does not encompass the act of recording police officers or sharing that recording online.

The contested area: Sharing recordings of police operations online may carry additional risk if the shared content is deemed "grossly offensive" under the amended CMA Section 233, or if sharing is argued to compromise an ongoing investigation. The Home Ministry took the position in August 2022 that live-streaming police arrests could amount to obstruction under Section 186. Lawyers have consistently disputed this interpretation, and no Malaysian court has issued a binding ruling confirming the Home Ministry's position.

Practical guidance: Recording police in a public place is broadly lawful in Malaysia, provided you do not physically interfere with the officer's duties. Maintain a safe distance, do not prevent an officer from acting, and be aware that live-streaming an active investigation carries contested legal risk.

Recording in Public Places

The rules shift when you move from private conversations to public spaces. Malaysia has no law that specifically prohibits taking photographs or recording video in public areas such as streets, parks, or markets.

The general principle is that a person in a public place has a reduced expectation of privacy. As long as the recording does not involve harassment, obscenity, or an attempt to insult someone's modesty, recording in public is broadly permitted.

However, there are important limits:

• Section 509 of the Penal Code still applies if the recording is intended to harass or intrude on someone's privacy, even in a public setting. Recording someone in a way that is "highly offensive" or shows them in an embarrassing position may cross the line.
• CCTV recordings in semi-public spaces such as shopping malls are regulated under the PDPA. The Personal Data Protection Department has issued guidelines stating that CCTV footage qualifies as personal data if individuals can be identified. Sharing CCTV footage on social media without consent is an offense under Section 5 of the PDPA.
• Private property: Property owners can restrict recording on their premises as a condition of entry.

The takeaway: filming a street scene or recording ambient sound in a public park is generally lawful. Targeting specific individuals for recording, or sharing that footage in ways that identify them, enters more complicated legal territory.

Workplace Recording Laws

Workplace recording in Malaysia sits at the intersection of employment law, the PDPA, and the CMA. The legal landscape here is more nuanced than many people expect.

Can Employees Secretly Record at Work?

Workplace recordings made without the consent of all parties are generally considered illegal under the CMA (for electronic communications) and the PDPA (for identifiable personal data). Courts have treated secret workplace recordings with skepticism.

Employment lawyers have noted that the CMA carries fines up to RM50,000 and imprisonment up to one year, while the PDPA carries fines up to RM1 million (post-2025 amendment) and imprisonment up to three years.

Malaysian courts have also questioned the weight of secretly obtained recordings as evidence. As one employment lawyer noted, the person making the recording would have intentionally said things to improve their case, while the employer, unaware of the recording, was more likely to have been speaking candidly. At least one Industrial Court decision reduced an employee's unfair dismissal compensation specifically because a secret recording was submitted as evidence.

The Izaidin Joinnie Case

In Izaidin Joinnie v Amanah Saham Sarawak Berhad (2018), the court described the secret recording of a board meeting as "the ultimate act of incompatibility," finding that it breached the employee's duty of good faith to the employer.

Can Employers Monitor Employees?

Employers may monitor employees, but with conditions. The PDPA requires that employees be informed about any monitoring, ideally through the employment contract or employee handbook. The Personal Data Protection Department has stated that CCTV installed in the workplace should be for "crime detection and prevention" and cannot be misused for purposes such as staff productivity monitoring.

Employer best practices include:

• Including recording and monitoring policies in employment contracts
• Providing clear notice before implementing any surveillance
• Limiting CCTV to security purposes, not employee productivity tracking
• Securing all recorded data and restricting access to authorized personnel

Admissibility of Recordings as Evidence

Even when a recording was made without proper consent, Malaysian courts have the discretion to admit it as evidence. The question of admissibility is separate from the question of legality.

Evidence Act 1950

The Evidence Act 1950 (Act 56) defines "document" broadly to include "any sound recording, or any electronic, magnetic, mechanical or other recording whatsoever." Phone recordings and other audio files qualify as documents under the Act.

Sections 90A, 90B, and 90C govern the admissibility of documents produced by computers, which includes digital audio recordings. Under Section 90A, a document produced by a computer in the ordinary course of its use may be admitted through a certificate from a person responsible for the computer's management.

Court Requirements for Admissibility

The landmark case of Mohd Ali bin Jaafar v Public Prosecutor established five criteria for admitting tape recordings:

1. The recording device was clean and functional before use
2. The machine functioned properly without tampering
3. A witness identified the voices after playback
4. A transcript was prepared from the conversation
5. A witness verified the recording matched the transcript

Justin Maurice Read v Petroliam Nasional Berhad (2017) later added stricter standards for digital recordings, rejecting a handphone recording due to a broken chain of custody and the inability to confirm accuracy.

Industrial Court Exception

Section 30(5) of the Industrial Relations Act 1967 gives the Industrial Court broader latitude. It permits the court to consider evidence that might be inadmissible in other courts, including illegally obtained evidence, if that evidence is relevant to the equity, good conscience, and substantial merits of the case.

This means that in unfair dismissal disputes, secretly recorded workplace conversations are more likely to be heard, even though the person who made the recording may still face separate criminal liability for making it.

Constitutional Privacy Protections

The Federal Constitution of Malaysia does not contain an explicit right to privacy. However, the courts have read privacy protections into Article 5(1), which guarantees that "no person shall be deprived of his life or personal liberty save in accordance with law."

In Sivarasa Rasiah v Badan Peguam Malaysia, the Federal Court held that "personal liberty" under Article 5(1) includes within its scope other rights, including the right to privacy.

A critical limitation exists: this constitutional protection applies only against government action. It does not provide a direct remedy for privacy violations between private individuals. For disputes between private parties, the PDPA, Penal Code, and CMA serve as the primary legal tools.

In Lew Cher Phow v Pua Yong Yong, a civil court found that CCTV surveillance directed at a neighbor's property constituted an "unwarranted violation" of privacy and dignity, demonstrating that courts are willing to enforce privacy standards between private citizens through statutory and common-law avenues.

Deepfakes and AI-Generated Content

Malaysia's legal framework for deepfakes and AI-generated recordings is fragmented across multiple statutes. No single law directly criminalizes the creation of a deepfake, but distribution falls under several provisions.

Current Legal Tools for Deepfakes

CMA Section 211(1): Prohibits providing "indecent, obscene, false or offensive in character" content with intent to annoy, abuse, threaten, or harass. This provision applies to online distribution of deepfake intimate images or recordings. Penalties: fine up to RM50,000 and/or one year imprisonment.

CMA Section 233 (post-2025 amendment): Prohibits using a network facility for grossly offensive, threatening, or false communications. Non-consensual distribution of AI-generated intimate imagery falls within "indecent or obscene content." Penalties: RM500,000 and/or 2 years imprisonment; offenses against minors carry up to 5 years imprisonment.

Defamation Act 1957: Provides a civil tort remedy when deepfake content is defamatory. Victims may claim damages for reputational harm.

PDPA: If a deepfake recording includes identifiable personal data, collecting or processing it without consent violates the PDPA's General Principle (Section 6). Penalty: RM1 million and/or 3 years imprisonment post-2025 amendment.

The Creation Gap

A significant gap remains: the creation of deepfakes is not explicitly criminalized under any Malaysian statute as of May 2026. The Ministry of Communications has acknowledged this gap. The Digital Minister announced in late 2025 that an AI Bill is targeted for mid-2026, which may introduce specific deepfake creation offenses. Until then, prosecution must rely on distribution-based offenses or general criminal provisions where applicable.

From January 2024 through March 2026, the MCMC submitted 6,987 deepfake content takedown requests, with approximately 95 percent (6,657 pieces) successfully removed. The Ministry of Communications is actively using ONSA 2025 subsidiary instruments to pursue legal action against social media platforms facilitating deepfake distribution.

Online Safety Act 2025 (ONSA)

The Online Safety Act 2025 (Act 866) represents Malaysia's most comprehensive response to harmful online content. Parliament passed the Act in December 2024; it was gazetted in May 2025 and came into force on January 1, 2026.

What ONSA Covers

ONSA establishes a regulatory framework for Application Service Providers and Content Application Service Providers operating in or targeting Malaysia. Platforms with 8 million or more Malaysian users are automatically deemed to hold a Class licence and bear prescribed duties.

Harmful content addressed by ONSA includes:

• Child sexual abuse material (priority harmful content)
• Online financial fraud (priority harmful content)
• Obscene and indecent content
• Material causing harassment, distress, fear, or alarm
• Content inciting violence or terrorism
• Material inducing self-harm in children
• Content promoting ill-will that disturbs public tranquility
• Drug-related material

AI-generated harmful content, including deepfakes disseminated without consent, falls within ONSA's "harmful content" definition under the harassment, indecent content, or false information categories.

ONSA Does Not Apply to Individual Users

A critical limitation: ONSA only regulates platform providers, not individual users. If a user creates and posts a deepfake, the ONSA penalty falls on the platform for failing to remove it, not on the creator. Individual liability for creating or sharing deepfakes remains governed by the CMA, Penal Code, and PDPA.

Platform Penalties Under ONSA

• Non-compliance with prescribed duties: financial penalty up to RM10,000,000
• Failure to meet response timeframes for priority harmful content removal: up to RM1,000,000
• Platforms must also implement risk management systems, online safety plans, and child-specific safeguards

ONSA and Private Messaging

ONSA explicitly does not extend to private one-to-one messaging and does not authorize general monitoring of users. This means end-to-end encrypted messaging between two individuals sits outside ONSA's scope.

Business Compliance Guide

Businesses operating in Malaysia that record any form of communication must navigate several legal requirements.

Call Recording

• Play an automated recording notice at the start of every call disclosing that the conversation is being recorded
• State the purpose of the recording, such as quality assurance or training
• Obtain verbal or written consent before proceeding
• Store recordings securely with access restricted to authorized staff
• Establish clear data retention policies and avoid keeping recordings longer than necessary
• Respond promptly to customer requests for data access or deletion

CCTV and Video Surveillance

• Install cameras only for legitimate security purposes, primarily crime detection and prevention
• Post visible signage informing people they are being recorded
• Do not share footage on social media or with unauthorized third parties
• Secure all footage against unauthorized access or tampering
• Register with the Personal Data Protection Department if required under your industry sector

Data Protection Officer Requirement

Following the 2024 PDPA amendments, organizations engaged in large-scale processing of personal data must appoint a Data Protection Officer (DPO) as of June 1, 2025. The DPO is responsible for ensuring compliance with all PDPA requirements, including those related to recording and monitoring.

Data Breach Notification

Also effective June 1, 2025, organizations must notify the Commissioner of the Personal Data Protection Department and affected individuals in the event of a data breach involving recorded personal data.

Cross-Border Recording Scenarios

Cross-border recording presents distinct legal complexity for Malaysia.

PDPA Cross-Border Data Transfer Rules (Section 129)

The Personal Data Protection (Amendment) Act 2024 revised Section 129 of the PDPA, which came into force on April 1, 2025. The previous ministerial whitelist approach (requiring Commissioner recommendation and Ministerial approval for transfers to approved countries) was replaced with a risk-based framework.

Under revised Section 129, a data controller may transfer personal data, including audio or video recordings of identifiable individuals, outside Malaysia if one of the following conditions is met:

• The destination jurisdiction has data protection laws substantially similar to the PDPA
• The destination jurisdiction ensures an adequate level of protection at least equivalent to the PDPA
• The data subject has given explicit consent after receiving a written notice specifying the class of recipient and the purpose of the transfer
• Other prescribed exceptions apply (contractual necessity, legal proceedings, vital interests)

The Personal Data Protection Commissioner issued the Guidelines on Cross Border Personal Data Transfer (CBPDT Guidelines) on April 29, 2025, clarifying compliance requirements.

Which Law Governs Cross-Border Phone Calls?

When a phone call is made between a party in Malaysia and a party in another jurisdiction, both laws potentially apply to their respective parties. For the Malaysian party, CMA Section 234 and the PDPA govern. If the foreign jurisdiction permits one-party consent recording, that only protects the foreign party recording from their end. The Malaysian party remains bound by Malaysian law.

PDPA extraterritorial reach: The PDPA applies to organizations outside Malaysia if they use equipment located in Malaysia for processing personal data (other than transit purposes) or if they offer goods and services within Malaysia. A foreign call center recording conversations with Malaysian customers may therefore be subject to the PDPA.

Recording by Foreigners Visiting Malaysia

Foreign nationals present in Malaysia are subject to Malaysian law. A visitor recording a conversation using a device in Malaysia is bound by the CMA and the PDPA regardless of their home country's rules.

Penalties Summary

Senior officers of organizations face personal liability. Directors, CEOs, and managers may be held jointly and severally liable for their company's PDPA violations.

Key Differences from Other Countries

Malaysia's recording law framework differs from many Western jurisdictions in several important ways:

• No explicit one-party consent exception: Unlike the US federal Wiretap Act and many common-law countries, the CMA does not contain an express exception permitting a party to a conversation to record it. The practical effect is closer to an all-party consent regime.
• No dedicated voyeurism statute: Unlike Singapore (Section 377BB), the UK (Voyeurism (Offences) Act 2019), and Australia (various state acts), Malaysia has not enacted a specific voyeurism offense. Section 509 is the closest provision but has significant limitations.
• No tort of privacy invasion: Malaysia does not recognize a standalone tort of invasion of privacy. Remedies come through criminal statutes and the PDPA rather than civil privacy claims.
• Limited constitutional protection: The right to privacy is implied under Article 5(1), not express, and it only constrains government actors.
• Platform-focused online safety law: ONSA 2025 places accountability on platforms rather than individual users for harmful content, unlike the UK's Online Safety Act 2023, which creates individual offenses for certain types of harmful content.

Practical Advice

• Do not record any private conversation in Malaysia without the knowledge and consent of every person involved.
• If you need to record a business call, play a disclosure notice at the start of the call and obtain consent before proceeding.
• Recordings made in public spaces are generally permissible, but avoid targeting specific individuals or publishing identifying footage without consent.
• If you receive a secretly recorded conversation, be aware that possessing or disclosing it may itself be an offense under Section 234 of the CMA.
• Workplace recordings carry dual risk: criminal liability under the CMA and PDPA, plus potential negative consequences in employment disputes.
• To record police in public, do so passively without interfering with the officer's duties; avoid live-streaming active investigations.
• For cross-border calls with Malaysians, the Malaysian party requires all-party consent regardless of your home jurisdiction's rules.
• Consult a Malaysian lawyer licensed with the Malaysian Bar before making any recording that involves legal or business implications.

Disclaimer

This article provides general legal information about recording and privacy laws in Malaysia. It is not legal advice. The laws described apply under federal Malaysian law as in force as of May 2026. Laws may change; consult the Malaysian Attorney General's Chambers and the Personal Data Protection Department for current statutory text. For advice specific to your situation, consult a lawyer licensed with the Malaysian Bar.

---

Last updated: 2026-05-15. Statutes cited reflect their in-force version as of May 15, 2026.