Malaysia Recording Laws: All-Party Consent Rules and Penalties (2026)

Overview of Recording Laws in Malaysia

Malaysia operates under an all-party consent framework when it comes to recording private conversations, phone calls, and other communications. The country has no single, consolidated recording statute. Instead, several overlapping laws govern who can record, when, and under what conditions.

The primary statute is the Communications and Multimedia Act 1998 (CMA), specifically Section 234, which criminalizes the unauthorized interception of communications. Layered on top of that is the Personal Data Protection Act 2010 (PDPA), which treats recorded conversations as personal data subject to consent, storage, and security requirements.

The Penal Code, the Evidence Act 1950, the Security Offences (Special Measures) Act 2012 (SOSMA), and the Criminal Procedure Code also play roles depending on the context. The Federal Constitution rounds out the picture by protecting personal liberty under Article 5(1), which Malaysian courts have interpreted to include a right to privacy.

For anyone living in, visiting, or doing business in Malaysia, the practical takeaway is straightforward: do not record a private conversation without the knowledge and consent of every person involved, unless you fall into one of a handful of narrow exceptions.

Communications and Multimedia Act 1998: Section 234

Section 234 of the CMA is titled "Interception and disclosure of communications prohibited." It is the cornerstone of Malaysia's recording law framework for electronic communications.

The provision makes it an offense for any person to intercept, attempt to intercept, or procure another person to intercept or attempt to intercept any communication. It also prohibits the disclosure or use of the contents of any communication where the person has reason to believe the communication was unlawfully intercepted.

The term "intercept" is defined broadly under the CMA to include the aural or other acquisition of the contents of any communication through the use of any electronic, mechanical, or other device or apparatus. "Communications" covers sound, data, text, visual images, signals, or any combination of these.

Penalties Under Section 234

A person convicted under Section 234 faces a fine not exceeding RM50,000 (approximately USD 10,700 as of 2026), imprisonment for a term not exceeding one year, or both.

These penalties apply to private individuals. The offense does not require that the intercepted communication was actually used for any harmful purpose. The act of interception alone is sufficient to trigger criminal liability.

2025 CMA Amendments

The Communications and Multimedia (Amendment) Act 2025, which took effect on February 11, 2025, significantly increased penalties across many CMA offenses. For example, the penalty for offenses under Section 233 (improper use of network facilities) jumped from a maximum fine of RM50,000 to RM500,000, and maximum imprisonment went from one year to two years. The amendments also introduced enhanced penalties for offenses committed against minors, carrying up to five years of imprisonment.

While the 2025 amendments primarily targeted content-related offenses and enhanced the Malaysian Communications and Multimedia Commission's (MCMC) enforcement powers, they signal a broader trend toward stricter penalties for communications-related violations in Malaysia.

Personal Data Protection Act 2010 (PDPA)

The PDPA adds a second layer of legal liability for anyone who records conversations in Malaysia. Under the Act, a recorded conversation qualifies as personal data if the individuals in the recording can be identified.

Seven Data Protection Principles

The PDPA establishes seven core principles that govern how personal data, including recordings, must be handled:

1. General Principle (Section 6): Personal data can only be processed with the consent of the data subject.
2. Notice and Choice Principle (Section 7): Data subjects must be informed about the collection of their data and given the opportunity to consent or refuse.
3. Disclosure Principle: Personal data cannot be disclosed to third parties without consent.
4. Security Principle: Recordings must be stored securely with access limited to authorized personnel.
5. Retention Principle: Data cannot be kept longer than necessary for the stated purpose.
6. Data Integrity Principle: Personal data must be accurate, complete, and up to date.
7. Access Principle: Data subjects have the right to access and correct their personal data.

PDPA Penalties

Before the 2024 amendments, breaching the PDPA's data protection principles carried a maximum fine of RM300,000 and up to two years of imprisonment. For unlawful collection, processing, or sharing of personal data, fines could reach RM500,000 with up to three years of imprisonment.

The Personal Data Protection (Amendment) Act 2024, which took effect in stages starting April 1, 2025, raised the maximum fine for principle violations from RM300,000 to RM1 million and increased the maximum prison term from two years to three years. The amendments also introduced mandatory Data Protection Officer (DPO) appointments and data breach notification requirements effective June 1, 2025.

Directors, CEOs, managers, and other senior officers face joint and several liability for organizational non-compliance.

Phone Recording Laws in Malaysia

Recording telephone conversations without the consent of all parties on the call is illegal for private individuals in Malaysia under Section 234 of the CMA.

The prohibition applies regardless of the technology used. Whether the call is made through a traditional landline, a mobile phone, or a Voice over Internet Protocol (VoIP) application, the same rules apply. The CMA defines "communications" broadly enough to cover any transmission of sound, data, or signals through a network.

Who Can Legally Record Phone Calls

Private citizens: Cannot record phone calls without the consent of all parties. Doing so violates Section 234 of the CMA and may also breach the PDPA.

Law enforcement: Police officers may intercept and record phone calls, but only when the Public Prosecutor authorizes the interception under the Criminal Procedure Code. Section 116C of the Criminal Procedure Code (Amendment) Act 2012 permits police to "intercept, listen to or record any conversation by communication" if the Public Prosecutor is satisfied the communication likely contains information relevant to a criminal investigation.

Intelligence agencies: Under the Security Offences (Special Measures) Act 2012 (SOSMA), a police officer of superintendent rank or above may intercept communications without prior Public Prosecutor authorization in urgent and sudden cases involving national security. A written report must be submitted to the Public Prosecutor afterward.

Businesses: Companies operating call centers or recording customer interactions may do so only with explicit consent, as required by the PDPA. Customers must be informed that the call is being recorded and told the purpose of the recording.

The Najib Tapes Precedent

The legal framework around phone recording in Malaysia drew significant public attention following the release of recorded phone conversations allegedly involving former Prime Minister Najib Razak. Malaysian lawyers noted at the time that the recordings would be legal if carried out by enforcement agencies under proper authorization during ongoing investigations, but would be illegal if the phone tapping was done by private parties without lawful authority.

Recording In-Person Conversations

Malaysia does not have a specific statute governing the recording of face-to-face conversations in the same way the CMA addresses electronic communications. However, several laws still apply.

Section 509 of the Penal Code criminalizes any word, gesture, or act intended to intrude upon the privacy of another person. While this provision was originally drafted to address insults to modesty, Malaysian courts have applied it to privacy intrusions including surreptitious recording. Conviction carries imprisonment for a term not exceeding five years, a fine, or both.

The PDPA also applies to in-person recordings if the recorded individuals can be identified. The consent, notice, and security requirements described above remain in effect.

In practice, recording a private in-person conversation without the consent of all parties present carries legal risk under both the Penal Code and the PDPA, even if it does not fall squarely under Section 234 of the CMA.

Recording in Public Places

The rules shift when you move from private conversations to public spaces. Malaysia has no law that specifically prohibits taking photographs or recording video in public areas such as streets, parks, or markets.

The general principle is that a person in a public place has a reduced expectation of privacy. As long as the recording does not involve harassment, obscenity, or an attempt to insult someone's modesty, recording in public is broadly permitted.

However, there are important limits:

• Section 509 of the Penal Code still applies if the recording is intended to harass or intrude on someone's privacy, even in a public setting. Recording someone in a way that is "highly offensive" or shows them in an embarrassing position may cross the line.
• CCTV recordings in semi-public spaces such as shopping malls are regulated under the PDPA. The Personal Data Protection Department has issued guidelines stating that CCTV footage qualifies as personal data if individuals can be identified. Sharing CCTV footage on social media without consent is an offense under Section 5 of the PDPA.
• Private property: Property owners can restrict recording on their premises as a condition of entry.

The takeaway: filming a street scene or recording ambient sound in a public park is generally lawful. Targeting specific individuals for recording, or sharing that footage in ways that identify them, enters more complicated legal territory.

Workplace Recording Laws

Workplace recording in Malaysia sits at the intersection of employment law, the PDPA, and the CMA. The legal landscape here is more nuanced than many people expect.

Can Employees Secretly Record at Work?

Workplace recordings made without the consent of all parties are generally considered illegal under the CMA (for electronic communications) and the PDPA (for identifiable personal data). Courts have treated secret workplace recordings with skepticism.

In a Free Malaysia Today report on the topic, employment lawyers noted that the CMA carries fines up to RM50,000 and imprisonment up to one year, while the PDPA carries fines up to RM300,000 (now RM1 million after amendments) and imprisonment up to two years.

Malaysian courts have also questioned the weight of secretly obtained recordings as evidence. As one employment lawyer put it, the person making the recording would have intentionally said things to improve their case, while the employer, unaware of the recording, was more likely to have been speaking candidly. At least one Industrial Court decision reduced an employee's unfair dismissal compensation specifically because a secret recording was submitted as evidence.

The Izaidin Joinnie Case

In Izaidin Joinnie v Amanah Saham Sarawak Berhad (2018), the court described the secret recording of a board meeting as "the ultimate act of incompatibility," finding that it breached the employee's duty of good faith to the employer.

Can Employers Monitor Employees?

Employers may monitor employees, but with conditions. The PDPA requires that employees be informed about any monitoring, ideally through the employment contract or employee handbook. The Personal Data Protection Department has stated that CCTV installed in the workplace should be for "crime detection and prevention" and cannot be misused for purposes such as staff monitoring.

Employer best practices include:

• Including recording and monitoring policies in employment contracts
• Providing clear notice before implementing any surveillance
• Limiting CCTV to security purposes, not employee productivity tracking
• Securing all recorded data and restricting access to authorized personnel

Admissibility of Recordings as Evidence

Even when a recording was made without proper consent, Malaysian courts have the discretion to admit it as evidence. The question of admissibility is separate from the question of legality.

Evidence Act 1950

The Evidence Act 1950 defines "document" broadly to include "any sound recording, or any electronic, magnetic, mechanical or other recording whatsoever." Phone recordings and other audio files qualify as documents under the Act.

Sections 90A, 90B, and 90C govern the admissibility of documents produced by computers, which includes digital audio recordings. Under Section 90A, a document produced by a computer in the ordinary course of its use may be admitted through a certificate from a person responsible for the computer's management.

Court Requirements for Admissibility

The landmark case of Mohd Ali bin Jaafar v Public Prosecutor established five criteria for admitting tape recordings:

1. The recording device was clean and functional before use
2. The machine functioned properly without tampering
3. A witness identified the voices after playback
4. A transcript was prepared from the conversation
5. A witness verified the recording matched the transcript

The Justin Maurice Read v Petroliam Nasional Berhad (2017) case later added stricter standards for digital recordings, rejecting a handphone recording due to a broken chain of custody and the inability to confirm accuracy.

Industrial Court Exception

Section 30(5) of the Industrial Relations Act 1967 gives the Industrial Court broader latitude. It permits the court to consider evidence that might be inadmissible in other courts, including illegally obtained evidence, if that evidence is relevant to the equity, good conscience, and substantial merits of the case.

This means that in unfair dismissal disputes, secretly recorded workplace conversations are more likely to be heard, even though the person who made the recording may still face separate criminal liability for making it.

Constitutional Privacy Protections

The Federal Constitution of Malaysia does not contain an explicit right to privacy. However, the courts have read privacy protections into Article 5(1), which guarantees that "no person shall be deprived of his life or personal liberty save in accordance with law."

In the landmark decision of Sivarasa Rasiah v Badan Peguam Malaysia, the Federal Court held that "personal liberty" under Article 5(1) includes within its scope other rights, including the right to privacy.

A critical limitation exists: this constitutional protection applies only against government action. It does not provide a direct remedy for privacy violations between private individuals. For disputes between private parties, the PDPA, Penal Code, and CMA serve as the primary legal tools.

In Lew Cher Phow v Pua Yong Yong, a civil court found that CCTV surveillance directed at a neighbor's property constituted an "unwarranted violation" of privacy and dignity, demonstrating that courts are willing to enforce privacy standards even in disputes between private citizens through other legal avenues.

Business Compliance Guide

Businesses operating in Malaysia that record any form of communication, whether customer calls, security footage, or workplace monitoring, must navigate a web of legal requirements.

Call Recording

• Play an automated recording notice at the start of every call disclosing that the conversation is being recorded
• State the purpose of the recording, such as quality assurance or training
• Obtain verbal or written consent before proceeding
• Store recordings securely with access restricted to authorized staff
• Establish clear data retention policies and avoid keeping recordings longer than necessary
• Respond promptly to customer requests for data access or deletion

CCTV and Video Surveillance

• Install cameras only for legitimate security purposes, primarily crime detection and prevention
• Post visible signage informing people they are being recorded
• Do not share footage on social media or with unauthorized third parties
• Secure all footage against unauthorized access or tampering
• Register with the Personal Data Protection Department if required under your industry sector

Data Protection Officer Requirement

Following the 2024 PDPA amendments, organizations engaged in large-scale processing of personal data must appoint a Data Protection Officer (DPO) as of June 1, 2025. The DPO is responsible for ensuring compliance with all PDPA requirements, including those related to recording and monitoring.

Data Breach Notification

Also effective June 1, 2025, organizations must notify the Commissioner of the Department of Personal Data Protection and affected individuals in the event of a data breach involving recorded personal data.

Penalties Summary

Law	Maximum Fine	Maximum Imprisonment
CMA Section 234 (interception)	RM50,000	1 year
CMA Section 233 (after 2025 amendment)	RM500,000	2 years
PDPA (principle violations, post-2025)	RM1,000,000	3 years
PDPA (unlawful data processing)	RM500,000	3 years
Penal Code Section 509 (privacy intrusion)	Fine (discretionary)	5 years

Senior officers of organizations face personal liability. Directors, CEOs, and managers may be held jointly and severally liable for their company's data protection violations under the PDPA.

Key Differences from Other Countries

Malaysia's recording law framework differs from many Western jurisdictions in several important ways:

• All-party consent: Unlike some jurisdictions that permit one-party consent recording, Malaysia requires the consent of all parties to a private conversation.
• No tort of privacy invasion: Unlike the United States or United Kingdom, Malaysia does not recognize a standalone tort of invasion of privacy. Remedies for recording violations come through criminal statutes rather than civil lawsuits.
• Limited constitutional protection: The right to privacy is implied rather than explicit in the Federal Constitution, and it only constrains government actors.
• Separate regimes for electronic vs. in-person: Electronic communications are governed primarily by the CMA, while in-person conversations fall under the Penal Code and PDPA, creating a somewhat fragmented legal landscape.

Practical Advice

• Never record a private conversation in Malaysia without the knowledge and consent of every person involved.
• If you need to record a business call, play a disclosure notice at the start of the call and obtain consent.
• Recordings made in public spaces are generally permissible, but avoid targeting specific individuals or publishing identifying footage without consent.
• If you receive a secretly recorded conversation, be aware that possessing or disclosing it may itself be an offense under Section 234 of the CMA.
• Workplace recordings carry dual risk: criminal liability under the CMA and PDPA, plus potential negative consequences in employment disputes.
• Consult a Malaysian lawyer before making any recording that involves legal or business implications.