Acquisition or leasing of land by a foreign company or a foreign-invested local company in Malaysia requires consent from the state authority. Additionally, under the Guideline on the Acquisition of Properties (“
”) is required if the property value is RM20 million or more and such acquisition results in a dilution of
ownership of property. Approval is subject to the conditions set out in the EPU Guideline, and such other conditions as EPU may apply on a case by case basis.
3. |
Local Licensing Regimes for Operation of Data Centre |
Telecommunications licences required
Data centre operation is not licensable per se but if the data centre provider provides licensable activities under the Communications and Multimedia Act 1998 (“CMA”), appropriate licences become necessary. It ultimately hinges on various factors specific to the data centre’s operations, including network topology. While some data centres may operate without needing a licence, others may require specific licences – in general, data centre providers may find themselves needing the following licences:
(a) |
Network Service Provider (“NSP”) Licence: For network services like gateway services, switching services, bandwidth or access applications services |
(b) |
Network Facilities Provider (“NFP”) Licence: For owning or providing network facilities like fixed links and cables, and radiocommunications transmitters and links. |
(c) |
Applications Services Provider (ASP) Licence: This may be required where the data centre services involve the provision of certain applications services such as Internet access services or cloud services. |
CMA licences can be "individual" or "class", except for ASP Licences, for which only "class" licences are issued. Individual licences are subject to more stringent regulatory control and may come with special conditions. As mentioned, it ultimately depends on the details of the data centre operation, which requires a case-by-case analysis.
Foreign Equity Restrictions on CMA Licence Holders
Only local entities can hold a CMA licence, and the following equity restrictions are typically attached as special conditions to the CMA licences relevant to data centres:
(a) |
Up to 49% foreign participation for individual NFP/NSP licences; and |
(b) |
At least 30% Bumiputera participation for all individual CMA licences. |
Some flexibility on the equity restrictions may be accorded on a case-by-case basis by our telecommunication regulator, the Malaysian Communications and Multimedia Commission (“MCMC”) and the Minister of Communications, on a case-by-case basis. They may place some weight on whether the data centre provider holds a Malaysia Digital status when considering foreign ownership exemptions.
Other regulatory restrictions/requirements
Approvals aside, there are telecoms-related requirements that data centres will have to abide by when operating, such as:
(a) |
Where the provision of data centre services falls within the ambit of our access regime, certain restrictions and requirements will apply, e.g., mandatory standards and regulated pricing. |
(b) |
Relevant voluntary industry codes (known as Technical Codes) issued by MCMC (e.g., the Technical Code on Specifications for Green Data Centres). |
(c) |
The import of data centre equipment into Malaysia will also be subject to import requirements, such as import permits and import duties, which will vary depending on the classification of the equipment. The equipment may also require product certification prior to being imported and used in Malaysia. |
4. |
Central Bank Requirements |
The Central Bank of Malaysia (“BNM”) regulates Malaysia’s foreign exchange through Foreign Exchange Policy Notices (“FX Notices”), which are issued pursuant to the Financial Services Act 2013 (“FSA 2013”). The FX Notices apply to all dealings in Malaysian ringgit and foreign currency, between and amongst Malaysian residents and non-residents. Transactions regulated by FX Notices include the sale, purchase, payment, transfer, remittance, borrowing, lending and guarantees involving Malaysian ringgit and foreign currency. The FSA 2013 also extends BNM’s regulatory jurisdiction over foreign exchange transactions to non-residents of Malaysia, and in respect of acts performed outside Malaysia. Therefore, any dealings in Ringgit and foreign currency by the data centre operators in Malaysia will be subject to compliance with the FX Notices and FSA 2013.
Additionally, if the company provides data centres services to financial institutions (“FI”) in Malaysia, the BNM has issued the Policy Document on Risk Management in Technology (“RMiT Policy Document”) imposing requirements on FIs to ensure resilience and availability objectives of its data centres are aligned with business needs. The RMiT Policy Document also requires, among others, FIs to appoint a service provider to carry out a data centre risk assessment (DCRA) and set proportionate controls aligned with FI’s risk appetite. If the use of data centre services by FIs constitutes a “material outsourcing arrangement” under BNM’s Policy Document on Outsourcing, the FIs are subject to approval and notification requirement imposed by the BNM when engaging data centre providers and to comply with the relevant requirements of the Policy Document on Outsourcing.
5. |
Other Governmental Restrictions in the operation of data centres |
If the data centre provider stores Government information or official secrets (as defined under the Official Secrets Act 1972), the Government may declare the data centre as a “protected area” or “protected place” under the Protected Areas and Protected Places Act 1959, or a “prohibited place” under the Official Secrets Act 1972. If a data centre is declared as a “protected area”, “protected place” or “prohibited place”, security measures must be taken in respect of such area and the level of security required depends on the designation.
(a) |
Malaysia Digital status |
Companies intending to venture into data centre businesses may qualify for Malaysia Digital (“MD”) status, which seeks to enhance Malaysia’s digital capabilities by boosting the digital economy.
The Malaysia Digital Bill of Guarantees (“BOGs”) sets out the various incentives available for MD status companies to apply for; including foreign equity restriction exemptions, allowance to employ foreign knowledge workers, income tax exemption, investment tax allowance and exemption on import duties for multimedia equipment. Grant of these incentives under the BOGs are not automatic and will be assessed on a case-by-case basis.
(b) |
Digital Ecosystem Acceleration (“DESAC”) Scheme |
The DESAC scheme focuses predominantly on two types of digital providers: firstly, the Digital Technology Providers (DTP) that provide digital services based on IR4.0 and digitalisation technology related to manufacturing and manufacturing-related service, and secondly, the Digital Infrastructure Providers (DIP) such as data centres and submarine cables. The DESAC scheme is poised to complement the existing incentives offered to MD status companies.
A newly established company under the DTP category may be eligible for an income tax rate of 0% to 10% for up to 10 years, whereas an existing company under the DTP category that diversifies into new service activities or new service segments is subject to a 10% income tax rate for up to 10 years.
Companies under the DIP category may qualify for an investment tax allowance of 100% on capital expenditure for qualifying activities that can be offset against up to 100% of statutory income for a period of up to 10 years.
7. |
Processing of personal data |
Presently, only data users are responsible for compliance with the Personal Data Protection Act 2010 (“PDPA”). They process personal data for their own purposes or have control over or authorise the processing of personal data, whereas data processors process personal data solely on behalf of the data users and do not process the personal data for any of their own purposes.
Data users must, among others, ensure that data processors comply with and provide sufficient guarantees in respect of the technical and organisational security measures and standards in processing personal data. Consequently, where the data centre provider acts as data processor for its customers, the customer may contractually bind them to comply with certain regulatory obligations or requirements.
If the data centre provider is a licensee under the CMA and to the extent that they act as a data user, they would have to register as data users under the PDPA and further comply with the Personal Data Code of Practice for Licensees under the CMA.
With the Government’s proactive and timely policies which provide a significant catalyst for the business, we remain optimistic about the competitiveness and strategic position of investment in Malaysia’s data centre industry within the region, with much room for growth.
Article by Fariz Abdul Aziz, Natalie Lim and Tan Wei Xian, Partners of Skrine.
1 “Bumiputera” refers to persons of the Malay race, aborigines or natives of Sabah and Sarawak.