Bread & Kaya: Cyberstalking, harassment … and road rage

Foong Cheng Leong
Jul 17, 2014

- No specific Malaysian law that criminalises stalking or harassment
- Singapore has enacted such laws, and Malaysia should follow suit

THE recent case of a blogger complaining that she had been harassed and stalked by a fan got me thinking about the law in Malaysia with regards to stalking and harassment.

I think this would depend on the acts of the stalker. There is no specific Malaysian law that criminalises stalking and harassment, but there are provisions of law that prohibit certain actions that border on stalking and harassment.

For example:

- Hacking into someone’s computer or mobile device or online account, or installing any trojan or tracking device is a crime under the Computer Crimes Act 1997;
- Sending messages threatening to harm a person – depending on the content, this may amount to a criminal offence under the Communications and Multimedia Act 1998 or Section 503 of the Penal Code (criminal intimidation); and
- Breaking into someone’s home amounts to trespass (installing a closed-circuit TV as in the Nasha Aziz case).

There are many forms of stalking and harassment. I’ve heard of cases where a person would call someone numerous times a day – and in some such cases, keep silent or even make heavy breathing sounds.

Other cases include following a person from time to time; loitering outside a person’s home (which is a public venue, for example a road); downloading someone’s picture off Facebook and publishing it on blogs or online forums with degrading messages; and even frequently posting annoying or insulting comments on a person’s Facebook page, blog or Instagram account.

A police report would be useful to ward off these people but not all reports will be acted on. Sometimes no threat is made, and there’s ‘only’ persistent annoyance.

One blogger showed me some persistent emails from an alleged stalker, who also contacted the blogger through phone calls and SMS.

However, the nature of the contact was not a threat but merely invitations to go out, despite the fact that the blogger had expressly asked him to stop contacting her. Such contact would stop for a short period, but return thereafter.

One email from the alleged stalker was just a reproduction of chat messages between the alleged stalker and his friend.

A police report was made but the police could not take any action as there was no threat involved.

In such cases, I think that the police should take proactive action by contacting the alleged stalker and warning him against pursuing the matter further. A lawyer’s letter of demand may be useful too.

If all else fails, a restraining order may be obtained from the courts.

The victims are not only women. Vancouver teacher Lee David Clayworth was ‘cyberstalked’ by his Malaysian ex-girlfriend. She posted nude pictures of him and labelled him all sorts of names, according to a CNET report.

A warrant of arrest was issued in Malaysia against his ex-girlfriend but she had reportedly left the country.

Many victims suffer in silence. They try to ignore their stalkers and hope that they go away. Sometimes this works, sometimes it does not.

Our Parliament should introduce a new law to criminalise stalking and harassment. Singapore recently introduced the Protection from Harassment Bill 2014. This new law will provide protection from harassment and anti-social behaviour, such as stalking, through a range of civil remedies and criminal sanctions.

It’s time for our Parliament to look into this before it’s too late.

Regarding the recent Kuantan road rage case, I was asked whether doxing or document tracing by netizens amounts to harassment.

From what I read, some netizens had posted her name, company name and pictures on the Internet, created Facebook pages about her, and also created all sorts of memes featuring her. Some even started bombarding her mobile phone with SMSes and left numerous comments on her company’s Facebook page.

As mentioned, we have no specific law to govern harassment, thus it is difficult to determine whether such acts amount to harassment without a legal definition here.

In my personal opinion, I think there is nothing wrong in exposing the identity of the driver to the public. The lady had posted her own personal information online, thus there is no expectation of privacy with respect to that posted information.

The Personal Data Protection Act 2010 only applies to commercial transactions. But the extraction of her personal information through her licence plate number may be an issue if someone had unlawfully extracted it from a company’s database.

Some messages that were posted may also be subject to the Communications and Multimedia Act 1998 provisions on criminal defamation. Tracking her home address and taking photographs of it may be considered a form of harassment.

She also has rights (that is, copyright) to the pictures that she has taken (selfies especially), but she will not have rights to her modelling pictures if those were taken by a photographer – in that case, the photographer usually has rights to the photographs.



First published on Digital News Asia on 17 July 2014.


[No. 5/2014] Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010

The Malaysia Personal Data Protection Commissioner (Commissioner) has published a proposal paper entitled, “Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010”.

This proposal paper aims to provide guidelines for an individual or organization in the management of CCTV under Personal Data Protection Act 2010 (PDPA). Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline.

I am of the view that this Proposal Paper is not clear as to what kind of CCTV recording is subject to the PDPA. At the last paragraph of page 2, it states that an individual’s image is subject to PDPA when it is involved in a commercial transaction such as for promotion or sale of products and services either by contract or otherwise. Does this mean that all CCTV recordings at business premises and commercial areas such as banks, shopping centres and supermarkets as well as in offices and airports are subject to the PDPA? If so, how would a data user obtain the “recordable consent” (as required by the Personal Data Protection Regulations 2013) from the individuals who are captured through the CCTV?

My personal view of the use of CCTV and PDPA is that it is not subject to the PDPA if it is used for security purposes and not used for commercial transaction purposes (e.g. to be sold). It would be impracticable for the data user to obtain the “recordable consent” and provide a Privacy Notice, which is mandated to be in writing, fulfil eight (8) requirements, and be in two (2) languages, to the individual.

If the Commissioner is keen to apply PDPA on CCTV recordings, it should make some adjustments to the application of the seven (7) principles. For example, no recordable consent is required, no requirement to fully comply with the Notice and Choice Principle but merely provide a notice to say CCTV is in operation etc.

Further views on this Proposal Paper will be addressed in the Malaysian Bar Council’s Ad Hoc Committee for Personal Data Protection.

Download: Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010


BFM Podcast: The Right to be Forgotten

I was interviewed by BFMRadio to talk about privacy laws and the right to be forgotten on 28 May 2014.



In what could be a landmark case for internet privacy, the European Court of Justice ruled that Google must delete “inadequate, irrelevant or no longer relevant” data from its results when a member of the public requests it. Privacy rights lawyer Foong Cheng Leong joins our resident social media expert Ng Juan Hann from WAGO to explore the implication of the right to be forgotten and whether it contradicts the right to freedom of expression.


Leveraging Big Data

I was quoted in the May 2014 issue of Personal Money.


Personal Finance
Written by Emily Chow and Sarah Voon of The Edge Malaysia
Friday, 16 May 2014 00:00

UPLOADING photos on Facebook; making an ATM transaction; operating a machine in a factory; making a call from a handphone. On the surface, these activities do not seem to have much in common. But they all contribute to the accruement of big data.

Everything and anything that is, and has ever been, linked up to the digital realm constitutes big data. Big data analysis is what many businesses are doing today to enhance their business process.

“Big data isn’t so much the content or amount of the data, but [data on] who is contributing towards it and how often,” says Queenie Wong, head of data management at SAS Institute in Malaysia. The international company is a leader in business analytics software and services, and helps organisations turn large amounts of collected data into information they can use.

“[Companies] have been capturing this information, but it’s expensive to store. Most of the time, you just store and archive it. But with the new trend of big data analytics, how do you capture it [in a meaningful way] to get ahead of the competition and differentiate yourself?”

According to Wong, big data analysis has existed for some time and is being used especially by banks and telecommunications companies. The term was coined and came under the spotlight relatively recently, and businesses are starting to use it in making decisions and maintaining customer relationships.

“When you deal with consumers in today’s business world, it’s not about high value anymore. As a business, I don’t want you to spend thousands or millions of dollars [per transaction]; I’d want you to spend multiple [transactions worth] hundreds of dollars, that add up to more than the [initial] thousand that you might have spent,” she says, emphasising customer loyalty. “It’s easy to acquire customers, but it’s difficult to keep them and make them happy.”

Big data analysis helps in target marketing: Gone are the days of cold-calling and salesmen going door to door to sell their products. Today, a company can anticipate a customer’s need by studying his previous purchases or activities.

“For example, when a bank calls you offering loans and insurance, it isn’t a targeted offer because they don’t know if you’re an existing customer or not, or whether you own any other product in particular,” Wong explains.

“It’s just an outbound call, making it expensive, and it’s only effective if it gets to the right person [who needs a loan]. The company also wants to make sure that within the first minute of the conversation, the customer wants to hear what it has to say.

“But with big data, we can comprehend the way customers use your service,” she continues. “If you are at a car sales online portal, the bank would want to give you relevant information on car loans [on the website itself]. Say, a customer uses an app on a mobile phone service to buy a train ticket. The information is captured when the ticket is purchased, so the next natural thing to do is to offer hotel stays, which the customer will appreciate. Big data is about anticipating the customer’s next move. It might not be of high value, but it’s very targeted.”

Examples of big data a bank would examine include customers’ ATM transactions and banking details. For a telecommunications company, it would be the way customers use their phones.

Unfortunately, this flood of information can be overwhelming, so companies need to know how to make use of it.

“Every time I make a call, send a message or access broadband, this information is being captured by the telco,” Wong says. “It’s a big dump of information, so businesses need to know what is relevant to them. Data will be used differently based on the maturity level of the companies.”

Such data can also add value to customer interactions.

“Banks have been analysing customer behaviour through credit cards [usage] and are able to detect fraud by notifying customers [of charges made] through text message,” adds Wong.

“But they can do more than this. If you’re travelling overseas and charge something to your card, data will be captured [regarding] your location. Instead of just sending customers a message verifying that they have just charged their card, banks can bring added value by telling them what promotions are [available] nearby if they use their credit cards there.”

Ballooning industry

As big data analysis grows in popularity, or even by necessity, it is predicted that businesses will direct significantly larger sums of resources towards big data analytic tools and solutions. According to the International Data Corporation (IDC) Predictions 2014 report, worldwide spending in this area is likely to increase by 30% this year, exceeding US$14 billion.

“The potential of deriving valuable insights and real-time decision-making from this data avalanche will drive massive investments and create new data-centred analytics and content services,” says the report. In Malaysia, the big data market is expected to reach US$24.2 million (RM46 million) this year.

“Malaysia is moving towards capturing more data — it is starting to recognise the people, process and technology,” observes Wong. “We see an increase in customers asking us to analyse and digest information. Big data isn’t a big bang thing; it is a journey for a business’ internal growth.”

For leading banks in the region, which may already have insight into what customers want through cross-channel banking transactional behaviour analysis, big data allows for increased targeting precision by extending their view of customer behaviour.

“This includes website activity, social engagement, contact centre voice interactions, and location data,” says Donald MacDonald, head of group customer analytics and decisioning at OCBC Bank Singapore.

“New technologies also enable us to react to this data faster than before — in some cases, in real-time — so we can directly engage customers with messages based on where they are and what they are doing right now.”

Apart from customer service and consumer sentiment, OCBC uses big data analytics in marketing analytics, fraud detection, credit quality optimisation and financial forecasting. The bank has spent over S$100 million (RM259 million) on data analytics since 2004, with investments on integrating data from multiple sources to one source, and on tools for analysis.

“Through the use of data analytics, we are able to significantly raise the quantity and targeting sophistication of our marketing activity. We can directly quantify the success of our marketing campaigns by monitoring customers’ individual behaviour to understand who responded to our offers, and then attribute a financial result to each contact,” shares MacDonald.

“Two major [big data] trends we’re focusing on now are speed to insight and contextual awareness.”

Speed to insight refers to the bank leveraging on “data-in-motion”, or data captured when direct interaction occurs with a customer. As this data is put into the bank’s system, its analytical engine updates the bank’s existing knowledge of the customer, and is able to recommend the most relevant products or services in real-time.

“Contextual awareness refers to leveraging additional information on the customers’ current circumstances to improve the relevance of our communications,” MacDonald says. For instance, OCBC could use big data to locate where a customer is, and then recommend merchants based on his preference as well as current location.

“Another example is leveraging voice logs within our contact centre to identify factors such as the increasing frustration of a customer on the line, which might be missed by a staff member,” he continues. “These factors enrich our existing view of the customer… ensuring that our sales and service offers are more targeted and relevant to each individual’s current situation.”

CIMB Group is another bank that leverages on big data initiatives to increase customer satisfaction, and appeal to their needs and lifestyle. The bank, for example, links customers’ Facebook data with its internal data to provide targeted offers to credit and debit cardholders.

“As a result, we discovered that there is an 80% correlation between merchants that customers ‘like’ on Facebook and our existing transaction data of merchants with whom they charge their cards,” says Iswaraan Suppiah, group chief information and operations officer, CIMB Group.

“Additionally, we have noted that banks in other countries are using big data techniques to reduce fraud incidents, or even use social network analysis to determine the creditworthiness of borrowers.”

According to CIMB, big data can also grow revenues faster by better matching its offers to customers’ needs.

“[This is] to the extent of designing better products and services that are directly relevant to various customer segments. Instead of using a traditional marketing campaign targeted at hundreds of thousands of customers and getting a 2% conversion rate, we can now target 30,000 customers and get a 50% conversion rate,” says Iswaraan.

“By using big data to really get to know and understand our customers, we can cut down on unnecessary ‘marketing’ and have real conversations about real customer challenges that will lead to benefits on both sides.”

Privacy protection and consumer rights

From a social perspective, big data could also benefit the public sector when used by the government, albeit allowing surveillance with an Orwellian touch. Authorities worldwide have been using such information in policy design and logistics planning, and to monitor crime and public security.

In Malaysia, however, data collected by companies cannot be sold or shared with a third party without the subject’s consent, as stated in the Personal Data Protection Act 2010 (PDPA).

Other laws such as the Communications and Multimedia Act 1998, the Computer Crimes Act 1997, and the Penal Code also ensure that collected data must only be used for the original purpose it was lawfully obtained for. This means customers should have willingly imparted their data to companies, with their knowledge.

“It’s fine for a person to use big data for business marketing research purposes, provided the data was acquired lawfully,” says Foong Cheng Leong, a lawyer at Foong Cheng Leong & Co, who specialises in cyberdata cases.

“There are many cases where data is purchased without the knowledge of the subjects within the data,” says Foong. In this case, the subject may exercise his right and file a complaint against the company or person that has been selling the information. Complaints can be made with the Personal Data Protection Commissioner.

“The information includes personal data, such as your name, identity card number, email address, images, your address, and so on, [used] in a commercial transaction,” he says, adding that this is all covered under the PDPA.

However, before a subject exercises his right, he should always read the privacy notices or policies provided by businesses explaining how they will use his data, Foong advises. A company is obliged to disclose how it uses personal data in a privacy notice or policy. This is also to enable the consumer to make informed decisions when sharing information requested by the company.

“With PDPA in force, consumers have a say in how their data is to be treated. They can even control the amount of data being flown out of a company.”

According to Foong, however, there are some cases of companies disclosing certain information necessary to deliver their services to the subject. For example, a telecommunications company may pass its customer’s data to a subcontractor. “[This is in the event] that the subcontractor needs to perform certain services. However, before a company [shares the data, it will make sure that the customer’s] personal data will be kept securely.”

This should also be disclosed to subjects during the time of data collection. Anything beyond what is stipulated in the initial privacy policy that is shared to subcontractors or other third-party services is considered illegal.

Foong says the only way to secure one’s personal data is to only use trusted service providers. Apart from that, he also advises that one should maintain a separate email to sign up for goods or services.

“Make sure you have strong passwords, and do not reuse passwords for different platforms. Phishing is common nowadays. Any email that goes into your junk or spam folders should be read with caution. It is unlikely to be true. Fake calls from unknown parties are also common. Many such callers ask for personal details on the pretext that someone is misusing your data.”

Otherwise, Foong believes that there should not be much to worry about. If users continue to take precautionary measures to protect their data privacy, they should not fear sharing their information online.

However, as an urban population moves towards a technologically driven lifestyle, rapidly expanding digital footprints are inevitable. From SAS Institute’s perspective, a company that chooses to use big data and its analytics has to make it relevant to its customers.

“If you want to use big data and big data analytics, whatever you give back to your customer must be relevant,” Wong says.

“Companies are very cautious with the kind of information they have and I think now with guidelines from Bank Negara Malaysia and the Malaysian Communications and Multimedia Commission, there are clear lines on what you can and cannot do. [Sometimes] there is a grey area, because that has to do with the company’s obligation to the customer and the public. The company then has to decide how they want to address that.”

This article was first published in the May 2014 issue of Personal Money — a personal finance magazine published by The Edge Communications.


Proposal Paper – Advisory Guideline Related to Consent Required under the Personal Data Protection Act 2010

The Malaysia Personal Data Protection Commissioner (Commissioner) has published a proposal paper entitled, “Advisory Guideline Related to Consent Required under the Personal Data Protection Act 2010”.

This proposal paper discusses the requirements of “consent” under the Personal Data Protection Act 2010. Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline.

Download: Proposal Paper – Advisory Guideline Related to Consent Required under the Personal Data Protection Act 2010.pdf


Bread & Kaya: A look at Malaysian cyberlaw cases


Foong Cheng Leong
Feb 17, 2014

- A summary of the plethora of Malaysian cases involving the online world in 2013
- The Government still needs to look at legislation to address many other issues


I HAVE been summarising some interesting cases related to online disputes from around the world every year since 2011.

For a summary of 2010 cases, click here; for 2011 cases click here; and for 2012 cases, click here.

Compiling legal cases is a hobby of mine. I recently published a compilation of Malaysian trademark cases under the title Compendium of Intellectual Property Cases – Trade Marks. This book consists of 70 reported and unreported Malaysian trademark cases.

The year 2013 was packed with an unprecedented number of legal cases concerning the Malaysian Internet sphere, so much so that I have enough cases for one full article!

Facebook and Twitter

Facebook and Twitter related lawsuits have flooded the Malaysian Courts.

In National Union of Bank Employees v Noorzeela Binti Lamin (Kuala Lumpur High Court Suit No. S-23-NCVC-14-2011), the plaintiff initiated an action against the defendant for posting allegedly defamatory comments on her Facebook page.

The defendant denied making such comments on Facebook, and claimed that her sister operated the Facebook account, also testifying that “maybe someone hack[ed] my Facebook [account].”

The defendant further contended that the plaintiff had failed to take any steps to check the details of the owner of the Facebook account or the Internet address with the Facebook administrator to confirm that the account belonged to the first defendant.

Notwithstanding this evidence, the defendant admitted in her Statement of Defence that she had published the comments. As a result, the court held that she was bound by her pleadings and therefore could not dispute that she had posted the comments.

In Dato Seri Mohammad Nizar Bin Jamaluddin v Sistem Televisyen Malaysia & Anor (Kuala Lumpur High Court Suit No: 23 NCvC-84-07/2012), the plaintiff, a well-known politician, filed an action against the defendants for defaming him through the first defendant’s television news report of materials regarding the plaintiff’s tweets on his Twitter account.

The plaintiff alleged that the news report wrongly accused him of making the allegation that the Sultan of Johor had used public funds to bid for car plate number WWW1.

The High Court held that the plaintiff’s tweets, read and understood by any reasonable man, clearly insinuated that the Sultan of Johor had used public funds for the WWW1 bid. Thus, the court held that the defendants succeeded in their defence based on justification.

However, the court held that the defendants did not practise responsible journalism because they failed to verify the truth of his tweet messages with the plaintiff, or to obtain his comments on the matter.

It said the defendants’ publication was lop-sided, leaning towards giving a negative impression about the plaintiff, even before the police completed their investigations. The court also stated that there should be freedom on the part of the plaintiff to tweet his personal messages on his own Twitter account for as long as the laws on defamation and sedition, and other laws of the land, were not breached.

Mohammad Nizar also initiated legal action against Malay-language daily Utusan Malaysia for allegedly misreporting his tweets (see Datuk Seri Mohammad Nizar Jamaluddin lwn. Utusan Melayu (M) Berhad [2013] 1 LNS 592). He succeeded and was granted, among others, damages of RM250,000.

The learned High Court Judge also commented that Utusan Malaysia did not practise responsible journalism.

In Salleh Berindi Bin Hj Othman v Ruslili Nurzahara Hassan (Kota Kinabalu High Court Suit No. BKI-23-1/6-2012), Salleh, a schoolteacher, sued his colleague for damages of RM1 million for publishing three photographs of him on his colleague’s Facebook page. The photographs showed Salleh sleeping on a sofa in the teacher’s room.

Similarly, Salleh also sued his other colleagues for the sum of RM10 million for posting several entries and comments on their Facebook pages (Salleh Berindi Bin Hj Othman v Abdul Hamid Ahmad & 4 Others (Kota Kinabalu High Court Suit No. K-22-134-2011)).

Salleh failed in both suits.

In Nor Hayati Binti Ali v Wan Nuredayu Binti Wan Shaharuddin & Ors (Kuantan Sessions Court Civil Suit No. 53-218-2012), the Kuantan Sessions Court granted a modest sum of RM20,000 against the first defendant for defaming the plaintiff on Facebook.

The use of Facebook pages as evidence in court is becoming the norm these days. However, such evidence is not always acceptable.

In Tan Swee Ean v Adrian Tan Soon Beng & Anor (Penang High Court Divorce Petition No. 33-295-201), the High Court rejected a wife’s allegation that her husband had committed adultery based on pictures downloaded from a Facebook account belonging to the wife’s friend. The Court held that such pictures are hearsay.

Sex bloggers ‘Alvivi’ (Alvin Tan Jye Yee and Vivian Lee May Ling) were charged under Subsection 4 (1)(c) of the Sedition Act 1948, Penal Code, and Subsection 5(1) of the Film Censorship Act 2002 for displaying pornographic pictures on their blog and posting their controversial ‘Bah Kut Teh’ picture on their Facebook page, which allegedly insulted Muslims during the holy month of Ramadhan.

Blogs

In 2011, Sri Muda state assemblyman Mat Shuhaimi Shafiei was charged with sedition over a blog post which allegedly insulted the royal institution. He challenged the constitutionality of S. 4(1)(c) of the Sedition Act 1948 but failed in the Court of Appeal as reported in Mat Shuhaimi bin Shafiei v Pendakwa Raya.

His appeal to the Federal Court is now pending.

Pro-Umno blogger ‘Papa Gomo’ was also ordered to pay a businessman RM500,000 in damages over a defamation suit.

Forums

Notwithstanding the introduction of Section 114A (which makes website operators liable for their users’ posts), there were not many lawsuits taken against forum owners.

However, in Gloco Malaysia Sdn Bhd v Lam Ming Yuet (Shah Alam High Court Suit No. 22NCVC-1284-10/2012), the plaintiff sued its former employee for posting her experience working with the plaintiff on the popular forum LowYat.net.

The High Court dismissed the plaintiff’s action on, among others, the grounds that such postings were not defamatory.

The Enforcement Division of the Ministry of Domestic Trade, Cooperatives and Consumerism, with the help of other authorities, arrested the operator of JIWANG.org for hosting links to music, television shows and movie files via the website JIWANG.org.

Interestingly, one can be arrested for hosting links instead of hosting the content itself!

Wikipedia

In the past, the Malaysian courts have referred to Wikipedia articles as evidence or guidance.

However, in Ganga Gouri ap Raja Sundram Mohd Faizal Bin Mat Taib (Kuala Lumpur Civil Suit No. 21 NCvC-168-07/2012), the High Court rejected evidence from a Wikipedia page used to rebut an expert’s testimonial.

The Court highlighted that Wikipedia has a legal disclaimer stating that “Wikipedia does not give legal opinions. There is absolutely no assurance that any statement contained in an article touching on legal matters is true, correct or precise.”

In Mycron Steel Berhad v Multi Resources Holdings Sdn Bhd (High Court Suit No: KCH-22-80-2011), the High Court declined to take judicial notice of an economic downturn based on an extract from Wikipedia on a write-up titled Subprime Mortgage Crisis because it was not evidence adduced at the trial or an authored publication on the subject.

However, in Lee Lai Ching v Lim Hooi Teik [2013] 1 LNS 18, the learned High Court Judge downloaded a Wikipedia page relating to legal issues on parental testing in other jurisdictions.

Closing

Although Malaysia had a plethora of cyberlaw cases flooding its courts in 2013, we can see that there are many issues that our laws have not specifically dealt with. Our Government has yet to come out with legislation or regulations to deal with issues such as:

1) Instigating netizens or setting an online mob against a person with intent to hurt that person through bodily harm or damage to reputation. We have seen many cases where Facebook pages or blogs were set up to set angry netizens upon a person.

2) Cyberstalking and publication of images of young girls on a blog without their consent (although I would argue Copyright Act 1987 applies). See my previous Digital News Asia (DNA) article here.

3) Disseminating gruesome images of victims. See my previous DNA article here.

4) A law to absolve electronic platform providers (e.g. forums) from liability when a user makes an unlawful posting. The United Kingdom has introduced the Defamation Act 2014 to protect operators of websites.

5) Guidelines for Internet service providers (ISPs) to follow before a website can be blocked from access by the general public. Instead of allowing the Government or ISPs to arbitrarily block websites without notifying the public, there should be a rule requiring any decision to block a website to be published in the Government Gazette, unless there are good reasons to exempt such publication (e.g. for national security reasons), and allowing any party to challenge such a decision. The arcane Printing Presses and Publications Act 1984 has similar provisions and I don’t see why we can’t have the same thing for blocked websites!


First published on Digital News Asia on 17 February 2014.


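[Update] To avoid their rights being affected, consumers should respond to notices

I was quoted by Sin Chew Daily in this article, “[Update] To avoid their rights being affected, consumers should respond to notices”.

[Update] To avoid their rights being affected, consumers should respond to notices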
2014-03-04

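(Petaling Jaya, Selangor, 3rd) Both the Personal Data Protection Department and members of the legal profession are urging consumers who receive a notice from a data user to fulfil their personal obligation by proactively contacting the company concerned and stating whether or not they consent to their personal data being used, rather than ignoring the notice, so that their rights are not affected.

The Personal Data Protection Act 2010 came into force on 15 November last year. It requires companies that process personal data, such as commercial banks, telecommunications companies and property developers, to notify customers within a set period of the purposes for which their collected personal data is used; if a customer objects, the company may no longer use the data that the customer regards as private.

Recently, companies large and small have been sending notices to consumers, but most people choose to ignore them or take no further action, which amounts to authorising the companies concerned to continue using their data.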

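Foong Cheng Leong: Objectors are handled individually
Foong Cheng Leong, chairman of the Kuala Lumpur Bar Information Technology and Publications Committee, said the large companies regarded as data users hold the personal data of thousands upon thousands of people, and they cannot wait for each consumer to consent one by one before using the data.

“That approach is not feasible. If they had to wait for everyone to consent, they might not be able to do business. So the approach they take is to send notices to consumers informing them of the matters required by the Act, and then deal individually with those who object.”

He said that if a consumer has stated that they do not want their personal data to be used but continues to receive phone calls and other messages afterwards, they can complain directly to the Personal Data Protection Department.

Foong believes the industries most affected by the Personal Data Protection Act 2010 are telecommunications and banking, whose operators hold large amounts of personal data and must now notify each person individually.

Personal data includes names, identity card numbers, telephone numbers, home addresses, e-mail addresses and so on. Many consumers complain that their personal data has been leaked or resold to third-party marketing companies, and that they often receive promotional calls or mobile text messages of unknown origin. Of the Act’s seven principles, the most important is that a person’s private data may not be processed without that person’s permission.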

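Personal Data Protection Department to continue awareness campaigns

In addition, a spokesperson for the Personal Data Protection Department said the department will hold more consumer awareness campaigns in future to explain individuals’ rights and reduce the likelihood of personal data being used for commercial purposes.

She also urged consumers to take the initiative: after receiving a notice, if they do not want their personal data to continue to be used, they should contact the company concerned to make their wishes known.

“Don’t be afraid of the hassle.”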

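Drafting personal data protection guidelines

Separately, the Personal Data Protection Department is also actively collecting opinions and feedback from all parties in preparation for drafting guidelines on compliance with the Personal Data Protection Act 2010.

Any data user or individual with views on the Act and the guidelines being drafted is welcome to submit suggestions in writing before 20 March.

Besides being posted to the Personal Data Protection Department on the 6th floor of the Ministry of Communications in Putrajaya, letters can also be e-mailed to pcpdp@pdp.gov.my.

In addition, the department reminded data users who are listed in the class of data users order but have still not registered to submit a letter explaining the delay together with the form as soon as possible.

The 11 sectors using personal data in commercial transactions set out in the class of data users order are communications, banking and financial institutions, insurance, healthcare, tourism and hospitality, transport, education, direct selling, services, real estate and utilities; the registration deadline passed on 15 February.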

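FOMCA: Collecting and sharing personal data

requires consumers’ “explicit consent”

Datuk Paul Selvaraj, chief executive officer of the Federation of Malaysian Consumers Associations (FOMCA), urged the Personal Data Protection Commission to stipulate expressly in the Act that data user companies must obtain consumers’ “explicit consent”, failing which they will not be allowed to collect, use or share consumers’ personal data.

Speaking in an interview today, he said that whatever channel a data user company uses to inform consumers of its privacy policy, consumers should be given a clear choice to agree or disagree to their personal data being collected, used or disclosed to third parties; signing a written consent form is one example.

He said the federation cannot accept companies using “implied consent” or “opt-out” models of consent in an attempt to sidestep the Act’s restrictions.

He said the first principle of the Personal Data Protection Act 2010 is that “a person’s private data may not be processed without that person’s permission”, and that companies’ current practice already goes against the spirit of the Act.

He believes the Personal Data Protection Commission must stipulate expressly that “consent” means “explicit consent” and that no form of “implied consent” is permitted; only then can the current situation be resolved.

(Sin Chew Daily / Report: 盧慧菁)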


Personal Data Protection Act 2010: Our details are worth protecting

I was quoted by Rakyat Post in their article “Personal Data Protection Act 2010: Our details are worth protecting”.



Personal Data Protection Act 2010: Our details are worth protecting

The Personal Data Protection Act 2010 intends to protect personal data and stop it from being distributed.

THE Personal Data Protection Act 2010 is necessary because personal data is often the cause of constant unwelcome calls from companies, and can be used by malicious people to break into networks.

Personal Data Protection Department Deputy Director-General Dr Zainal Abidin Sait said personal data used in commercial transactions had value while personal data available online may not.

“My name on Facebook would not be useful for marketing. I don’t give my real information in Facebook, but in commercial transactions, I give my real name, my real data.”

He said there were penalties for those who did not adhere to the law, but that was not the reason the law was gazetted.

“The intention of this law is not to issue summonses to people. The intention of the law is to ensure the personal data of all Malaysians, which is collected from all over the place by these agencies, is managed properly and systematically.”

Zainal Abidin also said the PDPA would not hamper doctors and banks.

This is because for doctors, processing without consent can still be carried out with conditions, while banking transactions made via contracts do not fall under the law.

Solicitor Foong Cheng Leong said laws similar to the Personal Data Protection Act (PDPA) 2010 had been implemented around the world.

“But in Southeast Asia, we are the first to come up with this law. Singapore has a similar law. It came after ours, but came into force earlier than us.”

Foong is a lawyer focusing on Intellectual Property, Information Technology, Internet, Social Media and Cyber laws, Franchise, Privacy and Data Protection laws.

In the past, people had been selling personal data without repercussions, but that will all change now.

“The new law is to protect personal data and stop it from being distributed. Now under the law, it is subject to consent. If individuals want to receive all these things, then they (the companies) can send. Otherwise they can’t,” Foong said.

Websense Inc Asia Pacific Sales Engineering Director William Tam pointed out that personal information was highly valuable, not just to sell insurance or credit cards.

“When we look at what happened at many large retailers over the years, such as TJ Maxx and Target, personal data was pure gold to people with a malicious intent.”

He said cybercriminals were not just after credit card details as even simple personal contact details could be used in social engineering to create a very powerful lure that could be the way into a company’s network and lead to a highly targeted attack.

“Once individuals understand their rights under the PDPA, they can be the key driving force in encouraging businesses to comply with the same standard.”

There is no need for the Personal Data Protection Act 2010 because customer information is already treated with complete confidentiality, say stakeholders.

THE Personal Data Protection Act 2010 is unnecessary for the banking and health industry. It also hinders insurance agents and marketers in conducting their business.

Although banks will comply with the Act, Association of Banks in Malaysia (ABM) Executive Director Mei Lin Chuah said it was already common practice in banks to respect the personal data of those who bank with them.

“All this while, our members have taken the necessary steps to ensure that customer information is treated with the greatest of confidentiality as a matter of policy which, in a certain fashion, has now become a requirement of law.

“Our member banks have in place controls and systems to ensure that customer information is kept confidential at all times.

“Further to this, banks have their strict internal rules on confidentiality and information security which all bank employees must abide by. Failure to comply with the internal rules will lead to disciplinary action against the employee,” said Mei.

Malaysian Medical Association (MMA) President Datuk Dr N.K.S. Tharmaseelan said including doctors under the Act was redundant. It was unfair to slap them with a fine as no announcement on this had been made earlier, he added.

“The Commissioner of the Personal Data Protection Department did not send out any circular whatsoever to inform doctors about this registration exercise, but still expects all to know,” said Dr Tharmaseelan in a statement.

“Doctors were given till Feb 15, 2014 to register or be slapped with a fine of RM500,000.

“It appears redundant as the doctors are strictly regulated by MMC on confidentiality. Doctors now have to face this additional burden.

“Doctors have always been guided by the Hippocratic Oath since the birth of modern medicine, but now we have a law which has become a hippopotamus that will run through our practice.

“This was another law passed without consulting stakeholders, in this case doctors. But we hope common sense will prevail and an exemption is granted,” said Dr Tharmaseelan.

Insurance agents, direct sellers and telemarketers rely on gathering personal information to find customers.
“Basically, information about people can’t be passed around any more without their permission,” said an insurance agent who did not want to be named.

The Act made it more difficult to initiate contact with a person through the telephone, which is known as “cold calling”, and is often done using bank databases sold by middlemen.

“When you apply for a loan or credit card, whatever information you give them is what these databases will contain,” said the agent, adding that direct sellers and telemarketers relied heavily on such databases to make sales.
