Bread & Kaya: 2017 Cyberlaw Cases – WhatsApp Messages and Customs TAP

By Foong Cheng Leong
Mar 26, 2018

Over 50 cyber related cases files in 2017 in Kuala Lumpur High Court

2017 had an interesting array of cyber related issues and laws. Facebook and other electronic platform defamation cases have become a norm. In the Kuala Lumpur High Court itself, there were 50 over cyber related tort cases filed in 2017. Many of them were filed by politicians against other parties including politicians and activists. Some were also filed by companies against individuals who had made disparaging remarks against them.

Interestingly, a defamation case was brought up because of certain defamatory statement via an office intranet.

We also saw how viral contents are treated in Court. Can a Judge rely on a viral video downloaded off the internet as evidence?

Cryptocurrency was one of the biggest news in 2017. Bitcoin shot up to almost US$19,800 (RM77,500) in December 2017. We saw one of the early Bitcoin disputes in one Singapore case. Bank Negara Malaysia issued an exposure draft by the name of Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Digital Currencies (Sector 6). The document outlines the proposed requirements and standards that a digital currency exchanger must carry out as reporting institutions. Notably, Bank Negara said cryptocurrency is not a legal tender in Malaysia.

A driver was reportedly successful in crowdfunding her legal fee of US$15,333 (RM60,000) through Facebook, among others. Sam Ke Ting was charged with dangerous and reckless driving after she had allegedly ploughed into a group of cyclists, killing eight and injuring eight others. The cyclists, aged 13 to 17, were believed to have been blocking the road at around 3am.

These and quite a few others, are notable Malaysian cyberlaw and electronic evidence cases (and some from other countries too) from 2017 that I will summarise over the next three days as part of my yearly tradition of what happened in the preceding year.

WhatApp messages, as much as it brings good to people, it also brought calamity. In Pendakwa Raya v Subbarau @ Kamalanathan (Court of Appeal Criminal Appeal No. N-06B-55-09/2016), the Respondent was charged in the Sessions Court under s. 8(1)(c)(iii) of the Official Secrets Act 1972 (OSA 1972) with having possession in his Samsung mobile phone soft copies of 2014 UPSR examination papers.

It is noted that no 2014 UPSR examination papers were found in the said Samsung mobile phone. However, the mobile phone of one arrested person by the name of Prem Kumar contains the said 2014 UPSR examination papers. The said 2014 UPSR examination papers were sent by the accused’s telephone to Prem Kumar’s WhatsApp account.

Evidence by the Communications and Multimedia Commission showed that the 2014 UPSR examination papers found in Prem Kumar’s mobile phone came from the respondent’s mobile phone. The witness from the Communications and Multimedia Commission explained that the fact that none of the images were found in the respondent’s handphone could be due to the images being deleted and thereafter overridden so that there is nothing left to extract in the handphone. Nonetheless, the Prosecutor argued that evidence clearly shows that the UPSR examination papers came from one source i.e. the respondent’s handphone.

Instead of dealing with the issue of electronic evidence, the Court of Appeal held that only real issue before the Court relates to the question of whether the UPSR examination papers are official secret.

In Pendakwa Raya v Mohd Syafrein Rasid [2015] 1 LNS 943, the accused was charged under Section 130J of the Penal Code for attempting to support the Islamic State and attempted to be a member of the same.

It was revealed in this case that the accused was influenced by what he saw about the war in Syria on Facebook. He even joined a few WhatsApp groups which had members sharing information about the Islamic State and their movement in Syria.

He then decided to travel out from Malaysia to join the Islamic State but was caught at the Immigration counter at the Kuala Lumpur International Airport. He pleaded guilty and was sentenced to two years’ imprisonment.

Admissibility of WhatsApp Chats

What would be the suitable way to admit chat logs from instant messaging applications? Should a party need to get someone from WhatsApp or an IT expert to extract the chat logs from the application? Or do they need to use WhatsApp’s available function to produce the chat logs? Or would print screens of the chatlogs be sufficient?

In Pendakwaraya Lwn Greencity International College Sdn Bhd (Kuala Lumpur Magistrate Department Case Summon No.: 87-309-1/2015), the Court admitted and gave weight to screenshots of WhatsApp messages to prove a mala fide intent by a witness.

However, Mohamad Azhar Abdul Halim v. Naza Motor Trading Sdn Bhd [2017] 1 ILR 292, the Industrial Court disregarded a screenshot of a WhatsApp chat. In this case, the Claimant was dismissed by the Company for misconduct. He had allegedly sent threatening and harassing messages via WhatsApp to a colleague (COW-1) who then left due to the messages. The Claimant brought an action against the Company for wrongful dismissal.

The Company tendered a snapshot image (print screen) of the WhatsApp message. The snapshot did not mention the Claimant’s name, date of WhatsApp message, Claimant’s hand phone number or Claimant’s profile picture nor any other evidence to prove that it was indeed the Claimant who was purportedly having such conversation with COW-1. Meanwhile, COW-1 also admitted that the WhatsApp message that she has is merely screen snapshot/image and not the original WhatsApp messages as she had changed her handphone. Further, she did not screen shot the full conversation between COW-1 and herself.

The Claimant demonstrated to the Court how easy it was to fabricate a WhatsApp conversation that can be done within minutes. The demonstration was witnessed by all parties, including the Company’s learned counsel, who did not cross-examine the Claimant on this matter.The Industrial Court held that the WhatsApp snapshot image does not conclusively prove that it was indeed the Claimant who was purportedly having a conversation with COW-1 because it is undisputed/unchallenged that nowhere in the WhatsApp snapshot image was it mentioned the Claimant’s name, date of WhatsApp message, Claimant’s hand phone number or Claimant’s profile picture nor any other evidence to prove that there in fact was such a conversation. Furthermore, the WhatsApp snapshot image was not proven to be authentic because as demonstrated in Court the WhatsApp message can be fabricated resulting in a fabricated WhatsApp snapshot image of that message. Therefore, there is doubt as to whether the Claimant had a conversation with COW-1 at the material time and had stated the threatening and harassing messages via WhatsApp.

Yahoo Messenger

In 2015, I reported in Rina Simanjuntak v PP (Criminal Appeal No: P-05-256-09/2014), a Yahoo Messenger Chat log saved the life of Rina Simanjuntak who had been sentenced to death by the High Court for drug trafficking. In 2016, Facebook chat messages saved the life of a German by the name of Rudolf Tschernezow who was charged with drug trafficking. The High Court in PP v. Rudolf Tschernezow [2016] 1 LNS 654 held the accused has proven that he is an innocent carrier using those messages. However, the Court of Appeal in PP v Rudolf Tschernezow (Criminal Appeal No J-05(LB)-345-12/2015) overturned the High Court’s decision and sentenced him to death.

In 2017, another lady tried to use her Yahoo Messenger chat logs to save her from the gallows. In Public Prosecutor v Ni Komang Yuningsih (Court of Appeal Criminal Appeal No. B-05(LB)-285-10/2015 (IND)), the Respondent, an Indonesian woman, was charged with drug trafficking under S. 39B(2) of the Dangerous Drugs Act 1952. She was acquitted by the High Court after she proved that she was merely an innocent carrier.

The High Court Judge relied on a print-out of conversation in “Yahoo messenger” and exchange of emails between the Respondent and a Nigerian man by the name of John Amadi who was claimed to be the Respondent’s lover. John Amandi persuaded her to come to Malaysia and had promised to marry her. John Amandi then sent the Respondent to India to meet his brother, Price, to discuss about their wedding. When the Respondent was about to fly to Malaysia, John Amandi’s brother gave her a luggage bag to be given to John Amandi. When she arrived in Kuala Lumpur International Airport, the custom officers found drugs in the luggage bag.

Notwithstanding the discovery, the High Court Judge acquitted the Respondent. The trial judge held that John Amadi and Prince are not fictitious characters but they do exist based on a print-out of Yahoo Messenger chat. The 195 pages printout was held to be impossible to be created by the defence at a very short period of time to strengthen its case and it also has a convincing story line.

Despite the acquittal, the Court of Appeal overturned the acquittal. The Court of Appeal was of the view that the Respondent’s deliberate omission to exercise a reasonable level of diligence in making sure that the bags given by Prince carries no incriminating items is an act of wilful blindness. There were too many inconsistencies with the Respondent’s evidence. She was accordingly sentence to death.

WhatsApp and Agreements

Can a legally binding agreement be forged through a WhatsApp conversation? In Shamsudin Bin Mohd Yusof v Suhaila Binti Sulaiman (Shah Alam Magistrate Court Suit No. BA-A72NCvC-384-03/2017), the Magistrate Court answered in the affirmative and held that an agreement was concluded based on oral and WhatsApp messages between the parties.

Would a WhatsApp message constitute written notice under an agreement? In Tengku Ezuan Ismara Tengku Nun Ahmad & Anor v. Lim Seng Choon David [2017] 1 LNS 1840, the Plaintiff sued the 1st Defendant for the return of his money paid for the purchase of the shares in the 2nd Defendant company pursuant to a Shareholders’ Agreement, among others. The 1st Defendant had sold the shares in the 2nd Defendants to the Plaintiff but failed to transfer the shares after being reminded repeatedly.

The Sessions Court allowed the application for summary judgment against the Defendants. The High Court upheld the Sessions Court’s decision. The Court had to decide whether a WhatsApp communication is considered as a “notice” in the context of clause 7 of the Shareholders’ Agreement. Clause 7 of the Shareholders’ Agreement provides –

Any notice required to be served by the parties hereto or by the Directors or EI [the 2nd Defendant] shall be served either by hand, by registered post or couriered post to the address of each party as stated above or by way of telex or facsimile transmission the numbers of which shall be provided by each of the parties to the other.

A skillful reader would know that Clause 7 above provides for only specific methods of transmitting the notice. Nevertheless, the learned Judicial Commissioner held that the WhatsApp message was sufficient to be a notice under Clause 7. She also held that Clause 7 of the Shareholders’ Agreement does not require the notice to be signed. Even if the requirement of a signature is implied into the said clause, that requirement was fulfilled by the Plaintiff. The 1st Defendant has never denied that he received the Plaintiff’s WhatsApp messages requesting for the transfer of the Shares to be effected. The Plaintiff’s WhatsApp messages is identified by the name “David” and the 1st Defendant is identified through his telephone number. As can be seen from the WhatsApp messages Plaintiff identified the 1st Defendant as “Tengku” to which the 1st Defendant has responded (via WhatsApp message too). Thus if the Plaintiff is required to sign as evidence of the Plaintiff’s identity, such requirement is fulfilled via the identity of the Plaintiff which is embedded in the mobile phone.

Electronic Notice

With the Government moving to digitising their services, many deliveries of correspondence are done through the Internet. Such delivery is not only limited to email, but also through their electronic portals. But what if the recipient did not know that a notice had been delivered through the electronic portal? Assuming that there is a deadline for the recipient to do something, when would the time starts to run? Would it be when the notice is published on the electronic portal or when the user logs into the portal to check it?

In Coach Malaysia Sdn Bhd v Ketua Pengarah Kastam Dan Eksais (Kuala Lumpur Originating Summons No: WA-25-193-07/2017) and Transmarco Concepts Sdn Bhd v Director General Of Customs And Excise (Kuala Lumpur Originating Summons No: WA-24-25-05/2017), the taxpayers applied for an extension of time to apply for leave to commence judicial review proceedings against the Director General of the Customs Department’s decisions which were uploaded to the Defendant’s electronic service by the name of Taxpayer Access Point (TAP System). The taxpayers alleged that they were not aware of the decision until they accessed the Tap System.

The High Court held that under subsection 167(3) of the Goods and Service Tax Act 2014 (GST Act), where a taxpayer has given his consent for a notice to be served on him through the electronic service, then the notice shall be deemed to have been served at the time when the electronic notice is transmitted to his account through the electronic service. As such, the clear effect of reading section 167 of the GST Act with Order 53 r 3(6) of the Rules of Court 2012 means that in respect of service of a decision where the taxpayer has opted for electronic service, the taxpayer is deemed to have knowledge of the notice once the notice had been transmitted to his account through the electronic service.

Part 2: The first statute in Malaysia to use the words “social media” and more.



First published on Digital News Asia on 26 March 2018

Comments on the Malaysian e-Court System Phase 2

The Malay Mail interviewed me on my views of the implementation of the new e-Court System Phase 2 some time last year. Some of the issues highlighted below have now been resolved. I am posting this for record purpose.

In their article entitled “Lawyers required to go digital by 2018“, I said the following:-

Foong Cheng Leong, the Kuala Lumpur Bar’s Information Technology and Publication Committee chairman, noted that e-filing is partly aimed at ending the maintenance of actual physical files and saves time with the skipping of physical file searches.

“Before e-filing, the court had problem organising their files and many files went missing resulting the loss of judicial and litigants’ time. The e-filing system also allows documents to be viewed quickly without the need to look for the file,” he said.

Foong said the second phase of the e-filing system had some improvements such as a better online file search system that now includes searching of court minutes, but he highlighted several issues such as the use of the security token which he felt was “unnecessary”.

“Although it is now available at an affordable rate, the use of the token creates a ripple effect. For example, the lawyer now would need to apply for the token and learn how to use and install it, safe-keep, protect and observe the expiry date of the token,” he said, arguing that there were other ways to ensure security or to ensure the right person is filing a court document.

He said the online file search function where users have to pay RM8 or RM12 depending on the court tiers for a 30-minute viewing period should be changed, suggesting that the time limit should be scrapped and instead replaced with a pay-per-file system.

The file search function also only allows users to view and print files page by page, but should instead be changed to allow users to download the files to view them directly on their computers, he said.

“The current system still has a lot of bugs. It ought to be have been beta tested properly by users, in particular, the lawyers before rolling them out,” he said, citing as example the timer in the file search system suddenly resetting to 0:00 before the time is actually up.

On the closure of the Service Bureau to lawyers, I stated the following:-

Foong similarly said: “However, the service bureau should still remain to assist lawyers to file their documents. Not every lawyer has litigation cases often and some may even do one or two a year. It makes no commercial sense sometimes to pay for the token to do e-filing. Nevertheless, the Court should allow other parties to open service bureaus to cater the needs of fellow lawyers.”

In Malay Mail’s subsequent article entitled “No more 5am queues to file lawsuits“, I was quoted stating the following:-

Foong Cheng Leong, the Kuala Lumpur Bar’s Information Technology and Publication Committee chairman, said issues that law firms in peninsular Malaysia faced in moving to a new online court filing system had caused the long queues.

During that period, the helpdesk for the online system was overflowing with requests for assistance, with many lawyers complaining that it was not picking up their phone calls, he said.

“I think the long queues at the e-filing service bureau is due to the sudden surge of requests to do e-filing. As many lawyers had problem migrating to the new system, they have no choice but to use the e-filing service bureau. This adds to the usual crowd of lawyers who did not subscribe to the e-filing system.

“The Court was unable to cope with the sudden surge of request and resulted in very long lines. The Court had to limit the number of people who could use the service otherwise their staff would be staying in Court past the normal working hours,” he told Malay Mail Online when asked to weigh in on the issue.

Here’s What You Should Know The Next Time Someone Asks For Your MyKad

I was featured in The Malaysian Digest’s article entitled “Here’s What You Should Know The Next Time Someone Asks For Your MyKad” on 22 February 2018.

If Your Identity Is Stolen, It May Be Difficult To Prove Your Innocence

Although the Private Data Protection Act 2010 (PDPA) that protects our data, which is collected for commercial purposes, from being misused by third parties has been enacted, there are limits to how far the law can protect us especially when our data is collected for non-commercial purposes, which is unregulated and open to abuse.

Foong Cheng Leong, founder of law firm Foong Cheng Leong & Co., relayed that when you simply give out your IC number to anyone asking, you are liable to have more of your information to be collected and can be used for social engineering such as creating a complete profile about you.

“With a complete profile, one can use it to obtain certain things like services, access to bank accounts, mobile numbers, financial information, email, buildings and further information etc.

“One can also use that profile to obtain information of another person e.g. a person close to you, for example, your spouse’s personal information,” he said.

And when our personal data and identity gets stolen, it may not be easy to prove and it will depend on the circumstances.

“But one would have to go through a difficult process of being investigated. He may be arrested, remanded, have his computers and mobile devices ceased, privacy invaded etc.” he said.

Although he has not had any cases involving IC number, he has come across cases involving the misuse of identity.

“I had one case where the employee was charged in Court under the Computer Crimes Act 1997 for unauthorised modification of content.

“His office account and internet account were used to delete a database of his employer. Fortunately, we managed to prove that it was not him who did it,” he said.

Foong also said that cases of identity theft are not just a few in the country, as he shared the most well-known case which is the case of Adorna Properties Sdn Bhd v Boonsom Boonyanit.

“The land owner lost her land after it was fraudulently transferred to a third party and subsequently sold to a bona fide purchaser – see https://asklegal.my/p/boonsom-boonyanit-adorna-properties-indefeasible-title-national-land-code-1. Note that the position of this law has changed – see http://www.skrine.com/better-late-than-never,” he shared.

He said that the best way to protect our data is by ensuring that it is always secure and that we control the circulation of our data.

When Businesses Use Your Photo Without Permission, Here’s What You Do

I was featured in Malaysian Digest’s article entitled “When Businesses Use Your Photo Without Permission, Here’s What You Do” on 24 January 2018 on what customers can do to protect their personal data. I said the following:-

Customers Need To Be Proactive To Protect Their Privacy

What then do we, as customers, can do to protect our privacy and what rights do we have as a civilian?

Foong Cheng Leong, founder of law firm Foong Cheng Leong & Co. and the Bar Council cyber law and information technology committee deputy chairperson, explained that when it comes to invasion of privacy, it depends on the scenario.

If it’s a photo taken in a public place with many other people like a group photo, it is unlikely an invasion of privacy nor it is anything unlawful.

“If the photo was a photo taken during the business transaction between the customer and the business, it could amount to a breach of Personal Data Protection Act 2010 or invasion of privacy. For example, a photo taken by a doctor of its patient during treatment.

“Also, if the photo belongs to the customer, it could amount to copyright infringement,” he said, while advising that it would be prudent to add a watermark to our photos.

And if we do find our photo being featured in advertisements without consent, we should write to the business asking them to remove it.

“They can also consider filing a complaint to the Personal Data Protection Commissioner for them to investigate the matter,” he advised.

When social media rants can land you in court

I was featured in The Star Newspaper’s article entitled “When social media rants can land you in court” on 5 January 2018 on the issue of reviewing a business online. I said the following:-

Meanwhile, Bar Council cyberlaw and information technology committee co-chairman Foong Cheng Leong told The Star that a person was free to post a review of a restaurant, on Facebook or elsewhere.

However, he said such a review should not be defamatory.

“Defamatory statements would mean the statement would expose the plaintiff to hatred, ridicule or contempt in the mind of a reasonable man, or would tend to lower the plaintiff in the estimation of right-thinking members of the public generally,” he said.

Nonetheless, Foong said sometimes it is hard to differentiate between what is defamatory or not.

“Generally, insults, negative reviews, or statements of opinion are fine. I can always say a restaurant food is terrible. It is fair comment.”

The interview by The Star Newspaper was a follow up of a decision by the High Court of Malaya in the case of Champ’s Express Heritage Sdn Bhd & Anor v Pak Loo Ke (Kuala Lumpur High Court Suit No. 23NCVC-94-12/2015). The High Court held that the Defendant had defamed the Plaintiffs when she published a posting on the 1st Plaintiff’s Champ’s Bistro, BSC. The Facebook posting had questioned the level of hygiene of the Plaintiffs’ food and also the 3rd Plaintiff, who is the founder of the 1st and 2nd Plaintiffs, among others. The same posting was made the Defendant’s Instagram account. The Defendant was a kitchen helper for 2 weeks before she published the alleged defamatory postings.

The Star Newspaper reported that the Plaintiff had succeeded in proving defamation, and the Defendant had failed in her defence of justification and fair comment.

Sugar Daddy and Sugar Babies Website – Is it illegal?

I was interviewed by The Star on the issue of legality of a local website that connects “sugar daddies” with “sugar babies”. In the article entitled “A raw nerve hit, but no laws broken“, I said the following:-

There is no law against couple matching services in Malaysia unless it is for prostitution or other illegal purposes, said Bar Council cyber law and information technology committee deputy chairman Foong Cheng Leong.

While the website’s service and users may be entering a moral grey area, Foong said “immoral doesn’t necessarily mean unlawful”.

“Payment for companionship is legal. This is unless the companionship falls under prohibited acts, which include prostitution and soliciting prostitution,” he said.

Foong was commenting on a Malaysia-based online dating platform which matches established, wealthy men or “sugar daddies” with women who are seeking financial support.

MCMC also said operating, providing and using an online service or application is not an offence under the Communications and Multimedia Act 1998.

“However, action can be taken if such a service is being used to disseminate illicit content such as obscenities, nudity, pornography and others,” it said.

Other enforcement agencies like the police may also pursue various actions under the relevant laws if there are elements of prostitution, extortion, blackmail and scams.

“Should consumers feel the app is inappropriate due to its content, they can reach out to the MCMC or the police. Investigations will be undertaken to assess if such contravene the existing laws.”

I was also interview by Digital New Asia on the same issue in their article “TheSugarBook – sweet endings or bitter disappointment?“. The relevant excerpts are as follow:-

One of the most-asked questions about TheSugarBook is whether or not such a service is legal.

“There is no law against couple matching services in Malaysia unless it is for prostitution or other illegal purposes,” says Foong Cheng Leong (pic, above), deputy chairperson of The Malaysian Bar’s Information Technology & Cyber Law Committee.

..

It must be pointed out that other popular dating apps such as Tinder or Grindr (a social networking app for LGBTQ people) could also have users who met on the app engaging in illegal activities outside of it. Many of these platforms do not enable users to report other users or have such strict regulations regarding user profiles as TheSugarBook does and it is quite usual for users to state on their profiles that they are only looking for casual sex.

According to Foong, such platforms should not be liable for what its users do outside the platform.

Though TheSugarBook does seem to be using discretion when it comes to ensuring no underage activity, none of these checks can actually guarantee that a user cannot lie their way through to a verified profile. A user could use someone else’s photo and enter their age as older, as they could on their Facebook profile, and a college student could very well be under 18.

However, being below 18 is not actually a legal requirement for registering a profile on a dating app in Malaysia. “Currently, there are no laws stipulating the minimum safety requirements of a couple matching platform,” says Foong.

“Assuming that a minor circumvents the age requirement and falsely pretends to be a person of 18 and above, I don’t think such platform would be doing anything illegal,” he continues.

BFM Podcast: LANDMARK #22: WHAT HAPPENS WHEN OUR PERSONAL DATA IS LEAKED

Late last year, it was reported that the private data of 46.2 million mobile phone subscribers were leaked sometime in the middle of 2014. All 14 telcos were affected in what is Malaysia’s biggest ever data breach. Explaining what this means for you and me is lawyer Foong Cheng Leong. He chairs the KL Bar’s Information Technology and Publications Committee.

Your browser does not support native audio, but you can download this MP3 to listen on your device.

SayaKenaHack.com and Privacy

Recently, tech blogger Keith Rozario created the website SayaKenaHack.com, a platform to allow people to check if they were affected by the data leakage of 46.2 million mobile phone subscribers. The website allowed users to key in their identity card number and the website will inform the users whether they are affected by the leakage. If they are affected, the website will yield a masked mobile number. Some users have complained that those masked numbers do not resemble their mobile numbers.

The Malaysian Communications and Multimedia Commission (MCMC), under s. 263 of the Communication and Multimedia Act 1998 (CMA), directed internet service providers to block the website SayaKenaHack.com on the ground that it had contravened s. 130 of the Personal Data Protection Act 2010 (PDPA).S. 263(2) of the CMA and s. 130 of the PDPA provide the following:

Section 263. General duty of licensees.

(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.

130 Unlawful collecting, etc., of personal data

(1) A person shall not knowingly or recklessly, without the consent of the data user-

(a) collect or disclose personal data that is held by the data user; or

(b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows-

(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data-

(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or

(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if-

(a) he has collected the personal data in contravention of subsection (1); or

(b) he subsequently collects the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

In the Personal Data Protection Commissioner Khalidah Mohd Darus’s media statement dated 17 November 2017, the Commissioner stated that SayaKenaHack.com was blocked because it had contained personal data which had been collected without the consent of the data user pursuant to s. 130 of the PDPA. The Commissioner then advised members of the public to be vigilant when sharing personal data with others, among others.

Unfortunately, Keith Rozario decided to close SayaKenaHack.com upon being blocked. It would be interesting if he had filed an action to challenge the blocking order. So far, there is no reported case on anyone challenging a “blocking order” by MCMC in Court.

There ought to be checks and balances against such blocking order. Under the s. 10A of the Sedition (Amendment) Bill 2015, the Public Prosecutor must make an application to a Sessions Court Judge to direct an officer authorised under the Communications and Multimedia Act 1998 to prevent access to any seditious publication. Likewise, s 263 of the CMA should be amended to reflect such checks and balances.

I was interviewed by The Star, on my personal capacity (not on behalf of Bar Council, as earlier reported by The Star), on this issue. In The Star’s article dated 18 November 2017 entitled “SayaKenaHack.com only provides information, does not allow data download“, I was asked whether SayaKenaHack.com was in contravention of s. 130 of the PDPA. I replied:-

SayaKenaHack.com did not breach Section 130 of the Personal Data Protection Act 2010 (PDPA), says the Bar Council cyber law and information technology committee.

The committee’s co-chairman Foong Cheng Leong said the website was merely a platform for users to check whether their personal data had been leaked or breached.

“Currently, the Malaysian Communications and Multimedia Commission (MCMC) is blocking the website for breaching Section 130 of the PDPA for unlawful collection of personal data.

“If the website allows people to download the personal data of others, then it will be a violation of PDPA.

“Therefore, the website did not violate the PDPA,” he said when contacted yesterday.

In The Star’s article dated 31 October 2017 entitled “M’sia sees biggest mobile data breach“, I added:-

“..assuming that the leak was after the enforcement of the Personal Data Protection Act 2010, there might have been a breach of the Act’s Security Principle by the data users.

The Security Principle requires data users to process personal data securely, but there is not much customers can do other than file a complaint with the Personal Data Protection Commissioner

There may be a recourse against the telecommunication companies for negligence i.e. failing to ensure that the subscribers’ personal data are adequately protected. In an article dated 20 November 2017 in The Other, I said:-

For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”

Currently, a company is now being investigated for causing the said personal data protection leakage.

On a separate issue, in The Star’s article dated 26 November 2017 entitled “Going full force to enforce Act“, the Personal Data Protection Commissioner stated that 3 companies have fined for contravening the PDPA.

The Commissioner added that mobile applications are not required to be registered under the PDPA. But the operators must comply with the PDPA since they process personal data in commercial transactions.

I was asked to comment on this issue. I said:-

..an individual has a right under the PDPA to request a copy of the personal data processed by the data user.

“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.

“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.

Foong urges the public to always be aware of what companies will use their data for by reading the privacy policy.

“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.

Withholding Tax Exemption on Payment to Non Residents For Technical Advice, Assistance, etc

The Minister of Finance has granted withholding tax exemption (WHT) on payments to non-residents that fall within Section 4A(i) and (ii) of the Income Tax Act in respect of offshore services via the Income Tax (Exemption) (No. 9) Order 2017.

In effect this reverts to the previous position, such that intellectual property services (such as trade mark, industrial designs and patent registrations) provided and performed from 6 September 2017 by a foreign intellectual property agent outside of Malaysia will be exempt from WHT.

Seminar on GET WIRED! Updates on Tech Laws and Cyber Security (24 Aug 2017)

The Bar Council Information Technology and Cyber Laws Committee is organising a seminar focusing on the important aspects of information technology (“IT”) and cyber law on 24 August 2017.

In this seminar, I will speak on the topic of “Practical Steps in Tracing a Person Online“. I will speak on keyword search investigation, and discovery orders and cases relating to discovery orders against data processors.

The other topics would be “Search and Seizures of Computers — Advising Clients” by Ravin Vello, “Wrap n Snap: Technology IP Mash-up” by Suaran Singh and “Overview of Malaysian Cyber Laws and Latest Updates” by Deepak Pillai.


Click on image to enlarge

You may register for the event at here

1 2 3 26  Scroll to top