Bread & Kaya: 2017 Cyberlaw cases Pt3 – sexual offences against children and computer crimes

By Foong Cheng Leong | Mar 30, 2018
– Sending death threats using someone else’s mobile phone is not OK
– 2018 will mark interesting year for cyber related cases including Uber driver suing Uber

THE first statute in Malaysia to use the term “social media” is part of the law designed to protect children against sexual offences and not any computer crimes related or media related law.

At the same time a bank officer got into hot soup for using their superior’s email account and password. Let’s go through these cases now.

Crime

Sexual Offences Against Children Act 2017

The Sexual Offences Against Children Act 2017 was introduced to address the seriousness of sexual offences committed against children in Malaysia. The ultimate object of the proposed Act is to provide for better protection for children against sexual offences and to safeguard the interest and well-being of children and to provide effective deterrence.

One of the laws introduced is the law against child grooming. S. 12 of the Act states that child grooming is an offence punishable with imprisonment of no more than 5 years and liable for whipping. The Act specifically stated that the following amounts to child grooming :-

(a) A communicates with Z, a child via social media by pretending to be a teenager and develops a love relationship with Z with the intention of using Z in the making of child pornography. A never meets Z. A is guilty of an offence under this section .

(b) A communicates with Z, a child via e-mail and befriends Z with the intention that A’s friends C and B could rape Z. A never meets Z. A is guilty of an offence under this section.

This law is also the first statute in Malaysia to use the words “social media”.

Last year, we were anticipating the amendments of the Communications and Multimedia Act 1998. However, the amendments never came. Nevertheless, numerous people were investigated under s. 233 of the Communications and Multimedia Act 1998. Notably, in the case of Mohd Fahmi Redza Bin Mohd Zarin Lawan Pendakwa Raya dan Satu Lagi Kes (Kuala Lumpur Criminal Application No. 44-103-08/2016), the accused was charged under s. 233 of the Communications and Multimedia Act 1998 for publishing an offensive Instagram posting using the username kuasasiswa. The accused filed an application to strike out the charge on the grounds that:-

– s. 233 of the Communications and Multimedia Act 1998 is unconstitutional and/or ultra vires in view of Article 5(1), 8 and 10(1)(a) of the Federal Constitution
– the charge against him acts as and/or has the characteristic of a censorship and therefore in contravention of the objectives of the CMA according to s. 3(3) of the CMA; and
– the charge against the accused is defective as it does not have the details of the parties that were offended by his acts.

The Public Prosecutor applied to have the matter heard before the Federal Court in respect of the issues on the constitutionality of s. 233 of the CMA (in accordance with ss. 30 and 84 of the Courts of Judicature Act 1964. Upon hearing the parties, the High Court referred the matter to the Federal Court for the latter to decide on the following question:-

Whether Section 233(1)(a) of the Multimedia and Communication Act (Act 588) is Inconsistent with Article 5(1), 8 and 10(1)(a) of the Federal Constitution?

However, the Federal Court dismissed the application for non-compliance of the Courts of Judicature Act 1964 (Federal Court Criminal Application No. 06-04-04/2017(W)).

In Nik Adib Bin Nik Mat v Public Prosecutor (Rayuan Jenayah No 42S(A)-39-7/16), the accused was charged under s.233(1)(a) of the Communications and Multimedia Act 1998 for sending indecent and false photos of cabinet leaders titled “Pesta Bogel” on Facebook. He was also charged under s. 5(1)(a) of the Film Censorship Act 2002 for possession of 883 pieces of pornographic videos in his laptop. The Session Court sentenced him to the maximum sentence of 1 year imprisonment for the first offence and another 1 year imprisonment for the second offence.

On appeal, the High Court Judge stated that “cyber offences are serious offences especially the offence at hand, as those offensive materials could be easily disseminated to the public at large within seconds at a touch of a button” and agreed with the Sessions Court Judge that public interest is of paramount importance and should supersede the interest of the accused.

However, the learned High Court Judge was of the view that personal interest of the accused should not be disregarded at all and thus, allowed the appeal against the sentence. The learned High Court Judge took into account the grounds submitted by the accused and held that the misdirection of Session Court on imposing maximum sentence for the first offence warrants the appellate intervention and a special consideration ought to be given so that he can mend his ways and “turn over a new leaf”.

The High Court substituted the original sentence with 1 week imprisonment and a fine of RM3,000 in default 3 months imprisonment for the first charge and for the second charge, a fine of RM10,000 in default 1 ½ years imprisonment.

In Pendakwa Raya v Dato’ Dr Ahmad Ramzi Bin Ahmad Zubir (Rayuan Jenayah No. T-09-15-01/2014), the Respondent was charged with criminal defamation after he had sent text messages containing death threats to various individuals using another person’s (SP5) mobile phone number via an online platform registered in the name of a colleague of the Respondent (SP16). The said online platform allows users to broadcast SMS to numerous mobile numbers via the Internet. The Respondent had changed the sender’s mobile phone to SP5’s mobile number. The Respondent’s convicted by the Sessions Court but his conviction was overturned by the High Court.

On appeal, the Court of Appeal restored the conviction. In the grounds of judgment, the Court of Appeal discussed on the method used to determine whether the SMS was sent by the Respondent. The investigation had showed that the internet protocol address that was used to send the SMS was registered to the Respondent’s internet account. The MAC Address found was the same MAC Address of the Respondent’s router. According to the evidence provided by Cyber Security Malaysia, a MAC Address is a unique number provided by the Internet Service Provider and in order to connect to the Internet, it must be done through a router.

In Pendakwaraya v Charles Sugumar a/l M. Karunnanithi (Mahkamah Majistret Kota Bharu Kes Tangkap No: MKB (A) 83-43-02/2016), the accused was charged under s. s. 424 of the Penal Code for dishonestly concealing money of a scam victim in his bank account knowing that the said money does not belong to him. The victim had befriended a person by the name of Alfred Hammon from UK through Facebook. Alfred Hammon then made the victim transfer money to the accused’s bank account on the pretence that he needed the money to cash his cheque of US$3 million. Alfred Hammon promised that he will return the money together with interest. However, after transferring RM36,300 the victim realised that she was scammed.

The accused claimed that he is not part of the scam. The accused claimed that when he was working as a tour driver, he was requested by his customer to receive money on the customer’s behalf. The accused claimed that he did it to give his customer the best service so that he can attract more customers. He said that he was informed by the customer that the customer’s friend had to transfer money to him so that the customer can continue his tour in Malaysia. The accused said that he did not gain any remuneration or commission from that assistance.

The Magistrate acquitted the accused as the Magistrate found that, among others, the accused’s evidence is consistent and is a credible witness. The Magistrate agree that the accused was made a scapegoat by the customer who took advantage of his goodness and sincerity in giving the best service as a tour driver.

Computer Crimes Act

In Rose Hanida Binti Long lwn Pendakwa Raya (Kuala Lumpur High Court Criminal Appeal No. 42K–(115–124)-09/2016), the appellant was charged under the Computer Crimes Act 1997 (unauthorised access to computer material with intent to facilitate the commission of an offence involving fraud or dishonesty or which causes injury) and s. 420 of the Penal Code (for cheating) for making false claims to his employer, a bank, by using his superior’s account and password to without his superior’s knowledge. She was initially sentenced by the Sessions Court with 4 years of imprisonment and fine of RM260,000 in default of 15 months jail. She appealed the sentence but withdrew it later. Notwithstanding that it had been withdrawn, the High Court Judge exercised his revisionary powers and enhanced the sentence to 6 years and fine of RM260,000 in default of 15 months jail due to the seriousness of the offence.

In Kangaie Agilan Jammany lwn PP [2017] 1 LNS 1640, the accused was charged under s. 5(1) of the Computer Crimes Act 1997 for making modification of the contents of Air Asia’s flight booking system without authorisation. The accused had allegedly used the function “move flight function” in those unauthorised transactions to change, among others, the flight details and customers’ emails for the purpose of notification. The said function is a critical function to allow authorised staff to make changes so that no charges are made to customers.

The accused was given an ID ‘6954’ and password to access Air Asia flight booking system but he had limited access to it. Thus, one of the witnesses, SP4, had given his ID and password to the accused after the accused had requested for it on the ground that the latter is unable to access to the system using his own ID. SP4 did not know that the accused had misused his account. The accused had then used the said account to help his family members and friends to get cheaper flight tickets, among others. Air Asia alleged that it had lost about RM229,100.42 due to the accused’s actions.

In the system log, it was found that the accused had changed the flight schedule and also that there were a few customer email notifications which involved the agent code 6954 which had made the flight changes. Further, there was an incident whereby SP4 was asked by the accused to provide his new password after it had been changed.

The Sessions Court found the accused guilty and had applied the statutory presumption under s. 114A of the Evidence Act 1950 after the accused could not rebut the evidence that the agent code 6954 belongs and used by him.

Under 114A of the Evidence Act 1950, a person is deemed to be a publisher of a content if it originates from his or her website, registered networks or data processing device of an internet user unless he or she proves the contrary. In 2014, this new law sparked a massive online protest dubbed the Malaysia Internet Blackout Day or also the Stop114A.

On appeal, the High Court concurred with the Sessions Court Judge. The High Court Judge also held that s. 114A of the Evidence Act 1950 applies retrospectively notwithstanding that the offence was committed prior to the enforcement of s. 114A as the presumption did not alter the original subject matter and even includes the same subject matter that did not prejudice the accused before and after. In other words, without using such presumption, the Prosecution would still have to prove that the Accused was the person who used his ID and password to access the employer’s system had committed an offence to change the flight schedule without authorisation. On the contrary also by applying the presumption of the law, the Prosecution will still have to prove that the accused alone has a specific ID and password to access the system.

Closing

2018 will mark another interesting year for cyber related cases. In late 2017 and early 2018, the following cases have been filed:-

– A Uber driver sued Uber Malaysia Sdn Bhd for non payment of his fees. The interesting question in this case would be whether Uber Malaysia Sdn Bhd is liable to pay such fees or one of Uber’s foreign entities.
– In the Intellectual Property Court of Kuala Lumpur, a brand owner had filed a law suit for trade mark infringement against a web hosting company for hosting a website that sold counterfeit products. The interesting question in this case is whether a webhoster is liable for what their subscribers do.
– In the same Court, a brand owner had also filed a law suit for trade mark infringement against online marketplace operator for using the brand owner’s registered trade mark and allowing their users to sell unauthorised products. The interesting question in this case is whether an online marketplace operator is liable for what their users do on their platform and in particular case, for selling unauthorised products.
– The same Court also granted an application to serve a Writ and Statement of Claim via email and WhatsApp messenger after it could not locate the Defendant at her last known address. Traditionally, when a Defendant cannot be located, Plaintiff would normally ask the Court to allow a notice relating to the lawsuit to be published in the newspaper, among others. We will see more and more substituted service applications to be served electronically.
PKR communications director Fahmi Fadzil filed a civil suit against the Malaysian Communications and Multimedia Commission and Nuemera (M) Sdn Bhd for allegedly failed to protect his personal data which resulted in the leakages of his personal data together with personal information of 46.2 million mobile subscribers. This was one of Malaysians’ biggest data leak.

Finally, the recent introduction this month of the Anti-Fake News Bill 2018 is too important for me to leave till next year to comment!

The word “fake news” is defined as any news, information, data and reports, which is or are wholly or partly false, whether in the form of features, visuals or audio recordings or in any other form capable of suggesting words or ideas.

The law applies to fake news concerning Malaysia or the person affected by the commission of the offence is a Malaysian citizen. Any person who, by any means, knowingly creates, offers, publishes, prints, distributes, circulates or disseminates any fake news or publication containing fake news commits an offence and shall, on conviction, be liable to a fine not exceeding RM500,000 or to imprisonment for a term not exceeding 10 years or to both.

The Court may also order the accused to make an apology. Interestingly, the new law allows civil action to be initiated by a person affected by the fake news publication for an order for the removal of such publication. I will write further on this new law on a separate article. [Postscript: The Anti Fake News Act 2018 is now in force effective from 11 April 2018]


First published on Digital News Asia on 30 March 2018

Bread & Kaya: 2017 Cyberlaw Cases Pt2 – viral content, Uber and appearance of an emoji

By Foong Cheng Leong
Mar 29, 2018

A video clip that was viewed 3 million times deemed to be the truth of an incident
Groupon has its day in court, twice with users not happy with merchants

CARRYING off from where I left off in part one of my review of the interesting Cyberlaw related cases that came to the courts in 2017, I start off with viral content and a case where a video was shared almost 50,000 times. And while Uber Technologies is merging its operations with Grab, it still had its day in court last year with a case in Sabah.

Viral Content

The case of Public Prosecutor v Poovarasan Subramaniam & 2 Others [2017] 1 LNS 1619 determined whether a viral video can be admitted as evidence in a criminal trial.

The 3 accused were charged for murder for a man who had allegedly stolen a mobile phone. In the course of trial during the Prosecution’s case, the Prosecution sought to adduce in evidence a VCD containing a video clip that captured a portion of the incident wherein the victim was assaulted by several men. The video clip went viral on the internet and a prosecution witness had downloaded the same from the blog KITABANTAI into the VCD.

The second accused strenuously objected to the admissibility of the VCD principally because the authenticity of the contents of the VCD is questionable. A trial within a trial (TWT) was held to consider the admissibility of the VCD.

During the TWT, the Prosecution called two bloggers, namely the owners of the blogs KITABANTAI and SIAKAPKELI who had published the video clip, to testify as to the origin of the video clip. KITABANTAI stated that the video came from SIAKAPKELI. SIAKAPKELI later revealed that the video clip came from an online news website called MYNEWSHUB. However, the journalist at MYNEWSHUB does not the exact source of the video clip.

Notwithstanding that the person who originally recorded the video clip live and thereafter uploaded the same in the social media could not be traced and produced in Court as witness, the learned High Court Judge was satisfied that the police investigation team and the Prosecution have used their best endeavours to produce the evidence of the chain of movement of the video clip in cyberspace till it was extracted by the police. The said video clip was admitted as evidence following ss. 90A(1) and (2) and 90C of the Evidence Act 1950. The learned Judge stated that he has no reason to believe that the video clip wasn’t authentic in the circumstances.

This case is in stark contrast with the case of Tan Chow Cheang v Pendakwa Raya (Criminal Appeal No. J-05(LB)-54-01/2016). In this case, the accused was charged with drug trafficking under s. 39B of the Dangerous Drugs Act 1952. During the examination of one of the raiding officer, the defence suddenly produced a CCTV recording in a pen drive showing that the drug was planted. On completion of the raiding officer’s evidence, the High Court granted the accused a discharge not amounting to acquittal upon the prosecution’s application notwithstanding that the defence had submitted that the accused was entitled to be acquitted and discharged as upon the production of the CCTV recording, the sole or main prop in the prosecution case collapsed prematurely.

The Court of Appeal agreed with the High Court. The Court of Appeal was of the view that the production of a certificate under s. 90A(2) of the Evidence Act 1950 is not the conclusive way to prove the pen drive’s admissibility. The Court of Appeal held that “to allow it to be admitted in such circumstances in, our view, would be open to abuse. It is not impossible during this era of modern technology for images to be superimposed or tempered with. Therefore, it is only safe for witnesses to be called either to confirm or to rebut it“.

In another case involving viral video (Datuk Wira SM Faisal Sm Nasimuddin Kamal v. Emilia Hanafi & Ors [2017] 1 LNS 1373), the Plaintiff and his ex-wife (1st Defendant) were in Syariah Court of Kuala Lumpur to resolve their matrimonial dispute/issues. Together with them were the family members of the Plaintiff and the 1st Defendant, among others.

On 20.9.2016, the Syariah Court ordered the children of the Plaintiff and 1st Defendant to spend a night with the Plaintiff at his home. The Judge of the Syariah High Court further ordered that the children must not be forced if they do not want to follow the Plaintiff. After that, the proceedings between Plaintiff and 1st Defendant was adjourned for the day.

A video recording was taken after the proceeding in the Syariah Court had ended. The video allegedly showed the aggressive behaviour and use of force by Plaintiff outside the courtroom towards both his 2nd child and wife. The 1st to 4th Defendants then shared the said video clip. The 3rd Defendant had uploaded the video clip on her Snapchat virtual page with the words “SMF shoved them to the ground when he gave up” whereas the 1st Defendant had also uploaded the video clip on her Instagram account with the caption “A mother’s heartache .” On a side note, this is probably the first written judgment in Malaysia featuring an emoji.

The Plaintiff alleged that the video clip went viral. The video clip spread so widely that:

(a) Up to 3 million people viewed the video clip;

(b) Nearly 50 thousand people shared and/or distributed the video clip;

(c) Nearly 15 thousand people made comments, conclusions and/or inferences against the Plaintiff as result of the video clip.”

The Plaintiff sued the Defendants for publishing the video clip. Notwithstanding that the video clip went viral, the High Court struck out the Plaintiff’s case. The learned High Court Judge held that:-

“The video recording that was published was undisputably a recording of an actual and real incident and therefore, cannot be denied as being the truth.”

“The objectionable words and statements complained of are not prima facie defamatory. In fact, the same do not substantially even make reference to Plaintiff nor do they directly or by implication refer to or implicate Plaintiff.”

In Synergistic Duo Sdn Bhd v. Lai Mei Juan [2017] 9 CLJ 244, the Plaintiff sued the Defendant for publishing two (2) Facebook postings in relation to the bad service by BGT Lakeview Restaurant operated by the Plaintiff. The second posting went viral and were shared more than 9,500 times and was reposted and published in newspapers, websites, blogs and other Facebook pages. The Plaintiff submitted that: (i) because of the postings, many of its customers cancelled their bookings and reservations; and (ii) if the Defendant was not restrained by way of an interim injunction, the Plaintiff would continue to suffer grave irreparable loss and damage to its reputation and goodwill.

In granting the Plaintiff’s application for interim injunction, the learned Judicial Commissioner held that the continued publication of postings on the Defendant’s Facebook would cause the Plaintiff’s to suffer further damage to their reputation and goodwill as the potential re-publication of the postings to potentially unlimited number of internet users would irreparably harm the plaintiff’s reputation: which harm cannot be adequately compensated with damages.

Digital Currencies

Due to the rising popularity of digital currencies in Malaysia, Bank Negara issued an exposure draft by the name of Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Digital Currencies (Sector 6). The document outlines the proposed requirements and standards that a digital currency exchanger as defined under the First Schedule of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) must carry out as reporting institutions. This is to ensure effective and robust Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) control measures are in place to safeguard the safety and integrity of the financial system as well as to promote greater transparency in the conduct of digital currencies transactions.

The draft exposure sets out the minimum requirements and standards that digital currency exchangers must observe as reporting institutions to increase the transparency of activities relating to digital currencies and ensure effective and robust AML/CFT control measures are in place to mitigate risks that digital currency exchangers may be used as conduits for illegal activities. Such requirement include conducting risk assessment, risk control and mitigation, risk profiling and customer due diligence, among others.

Digital currency exchangers must also comply with requirements in the document relating to: the identification and verification of customers and beneficial owners, on-going monitoring of customers’ transactions, sanction screening, suspicious transaction reporting and record keeping; transparency obligations; and requirements for the submission of data and statistics to the Bank for the purpose of managing ML/TF risks.

The document is applicable to reporting institutions, regardless that the person is not domiciled in Malaysia, carrying on the following activities listed in Paragraph 25 of the First Schedule to the AMLA:-

activities carried out by any person who provides any or any combination of the following services:

(i) exchanging digital currency for money;

(ii) exchanging money for digital currency; or

(iii) exchanging one digital currency for another digital currency, whether in the course of carrying on a digital currency exchange business or otherwise.

Singapore saw its first cryptocurrency dispute in its Court. The case of B2C2 Ltd v Quoine Pte Ltd [2017] SGHC(I) 11 concerns a cryptocurrency transaction dispute between the Plaintiff (a foreign electronic maker for virtual currency) and Defendant (an online virtual currency exchange platform provider in Singapore) which involves Bitcoin and Ethereum.

The Plaintiff alleged that the Defendant had acted in breach of the contract between them and breach of trust when the platform reversed transactions for the sale and purchase of the cryptocurrencies Bitcoin and Ethereum.

The transactions were unilaterally reversed after the Defendant identified that a technical glitch had occurred to the software used by the platform. Consequently, the Plaintiff had lost the benefit which it could have made if the transaction was not reversed.

The Defendant argued that there was unilateral mistake involved and they are entitled to reverse the transaction. The Plaintiff sought an order for summary judgment.

The Singapore International Court dismissed the summary judgment application by the Plaintiff as there were triable issues raised by Defendant and held that “a thorough investigation of the facts behind the setting of the abnormally high offer price is justified in order to place the court in a proper position fully to assess the state of the Plaintiff’s knowledge”as well as “the law on unilateral mistake where computers are involved in greater detail”.

E-Hailing Services

During the hype of prosecution of drivers of e-hailing vehicle, one Joe Vincent Singgoh sought an order from Court to protect drivers from such prosecution in Sabah. In the case of Joe Vincent Singgoh v Commercial Vehicles Licensing Board Sabah 1 & Ors (Sabah High Court Judicial Review No. BKI-13NCvC-10/10-2016), the Applicant, a person registered with e-hailing service provider Uber Technologies Inc. as a driver, had sought several orders amongst which an order of prohibition against the 1st and 2nd Respondents from relying on the provisions of Section 33 of the Commercial Licensing Vehicles Act 1987 to prosecute or prohibit the Applicant from using the services of Uber Technologies Inc. The Applicant also sought a mandatory injunction was also sought to restrain the prosecution, prohibition of the Applicant to drive or make drives for Uber.

The High Court held that the aggrieved person in this case is not the applicant. The proper person is Uber Technologies Inc. Uber Technologies Inc. has not made any application to the relevant authorities in Sabah for the relevant permits or licences. And in so far as Section 33 is concerned, Uber Technologies Inc. is the ‘person’ responsible to obtain such approvals and not the Applicant. It is not explained or disclosed why this is so.

The Court also held that whatever Uber is promoting is unlawful and illegal. Whether the Government will grant Uber Technologies Inc. the necessary approval or not is a matter for the former to decide as a matter of policy and the Applicants are not entitled to come to court to seek a prohibitive order to pre-empt any legal action that may be taken by the Police of JPJ to enforce the law.

However, the Government will soon be legalising operators of e-hailing service providers and their drivers. The Commercial Vehicle Licensing Board (Amendment) Act 2017 and Land Public Transport (Amendment) Act 2017 were introduced to amend the Commercial Vehicle Licensing Board Act 1987 (“CVLBA”) (applicable to Sabah, Sarawak and the Federal Territory of Labuan) and the Land Public Transport Act 2010 (“LPTA”) (applicable to Peninsular Malaysia) respectively to introduce the licensing of intermediation business. Intermediation business is defined as “business of facilitating arrangements, booking or transactions of e-hailing vehicle (pursuant to the new amendment to CVLBA) and for the provision of land public transport services (pursuant to the new amendment to LPTA). These amendments is clearly intended to regulate e-hailing services such as Uber and Grab.

The Commercial Vehicle Licensing Board (Amendment) Act 2017 and Land Public Transport (Amendment) Act 2017 also introduced a new class of commercial vehicle namely e-hailing vehicle. This would include the cars driving by Grab and Uber drivers.

Once these amendments are enforced, e-hailing providers like Grab and Uber and also their drivers would need to be registered.

E-Commerce

Groupon Malaysia had another challenging year. The Court had to decide in two (2) cases whether Groupon should be liable for the payment made to them for the purchase of products and services on the Groupon website.

In Groupon Sdn Bhd v Tribunal Tuntutan Pengguna & Anor [2016] 1 LNS 555, the Groupon user in this case bought a tour travel package vide its platform from one of Groupon’s merchants and paid RM999 (tour travel package) and RM652 (compulsory airport tax, surcharges and tipping) to Groupon and the merchant respectively. However, the said merchant allegedly cancelled the tour and Groupon made a refund of only RM999 to the user. Dissatisfied, the user demanded the refund of RM652. Upon the rejection by Groupon, the user filed a complaint to the Consumer Tribunal and it held in favour of the user i.e. Groupon is liable for the said amount of RM652.

Groupon contended that there is an exclusion provision in the travel voucher which states that the RM652 charges is to be paid to the merchant, hence, Groupon should not be compelled to pay for monies it had not received in the first place. The Court conceded and held in favour of Groupon, that “it is unmistakable that the airport tax, surcharges and tipping were not included in the tour travel deal. In other words, they were not borne or absorbed by the Applicant”.

In Groupon Sdn Bhd v Tribunal Tuntutan Pengguna & Anor [2016] 1 LNS 1009, similarly, the Groupon user in this case bought a tour travel package vide its platform from one of Groupon’s merchants and paid a RM999 (tour travel package) and RM450 (compulsory airport tax, surcharges and accommodation) respectively to Groupon and the merchant. Therein, the said merchant allegedly cancelled the tour and Groupon made a refund of only RM999 to the user. Dissatisfied, the user demanded the refund of RM450. Upon the rejection by Groupon, the user made a complaint to the Consumer Tribunal and it held in favour of the user i.e Groupon is liable for the third party payment to its merchant.

Groupon contended that there is no contractual relationship between Groupon and the user in the RM450 transaction and hence it shall not be liable to pay. The Court rejected the argument and held in favour of the user that Groupon had acted as an agent for the merchant and made a representation in the travel package voucher, instructing the user to make the RM450 payment to the merchant. Groupon shall be liable for the damages as the contractual relationship was established between Groupon and the user but not between merchant and user.

Defamation

The case of Dato’ Aishaf Falina Bt Ibrahim v Ismail Bin Othman & 2 Ors (Kuala Lumpur Civil Suit No. 22NCVC-352-07/2015) highlighted two interesting points.

The Plaintiff claimed that she was defamed by the retention of the erroneous information in the human resources information system of the 3rd Defendant (her former husband) and its “publication” via the said system. The alleged erroneous information was the information regarding the Plaintiff’s post-divorce marital status with the 1st Defendant, was kept in the 3rd Defendant’s human resources information system for a period of time after she and the 1st Defendant had been divorced. The first question is whether the publication of the erroneous information via the human resources information system amounts to defamation.

The second interesting point is whether the publication on the intranet amounts to publication.

The High Court held that the 2nd and 3rd Defendants are liable in defamation for the retention of erroneous information concerning the Plaintiff’s marital status in the 2nd Defendant’s human resources information system notwithstanding that the error was due to a glitch caused by its source code. The High Court also found that the publication of the erroneous information on the human resources information system via its intranet amounts to publication.

The High Court however dismissed the Plaintiff’s action for tort of misuse of private information as the erroneous information is not private information and there was no misuse of information.

Meanwhile, in Lye Eng Eng & Anor v Ho Kee Jin (Kuala Lumpur High Court Civil Appeal No: WA-12BNCVC-174-11/2016), the High Court, on an appeal from the Sessions Court by the Plaintiff, increased the damages awarded to RM35,000 for defaming the 1st Plaintiff by sending an email containing defamatory statements to 23 persons including those who mattered most to him, namely, his children, his friends and business associates. The Court also held that the Sessions Court Judge had failed to take into consideration of the “gravity of the libel”.

Part 3: In the final part we look at a few cases where individuals ran foul of the Communications and Multimedia Act 1998 and some cases under the Computer Crimes Act.


First published on Digital News Asia on 29 March 2018

Bread & Kaya: 2017 Cyberlaw Cases – WhatsApp Messages and Customs TAP

By Foong Cheng Leong
Mar 26, 2018

Over 50 cyber related cases files in 2017 in Kuala Lumpur High Court

2017 had an interesting array of cyber related issues and laws. Facebook and other electronic platform defamation cases have become a norm. In the Kuala Lumpur High Court itself, there were 50 over cyber related tort cases filed in 2017. Many of them were filed by politicians against other parties including politicians and activists. Some were also filed by companies against individuals who had made disparaging remarks against them.

Interestingly, a defamation case was brought up because of certain defamatory statement via an office intranet.

We also saw how viral contents are treated in Court. Can a Judge rely on a viral video downloaded off the internet as evidence?

Cryptocurrency was one of the biggest news in 2017. Bitcoin shot up to almost US$19,800 (RM77,500) in December 2017. We saw one of the early Bitcoin disputes in one Singapore case. Bank Negara Malaysia issued an exposure draft by the name of Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Digital Currencies (Sector 6). The document outlines the proposed requirements and standards that a digital currency exchanger must carry out as reporting institutions. Notably, Bank Negara said cryptocurrency is not a legal tender in Malaysia.

A driver was reportedly successful in crowdfunding her legal fee of US$15,333 (RM60,000) through Facebook, among others. Sam Ke Ting was charged with dangerous and reckless driving after she had allegedly ploughed into a group of cyclists, killing eight and injuring eight others. The cyclists, aged 13 to 17, were believed to have been blocking the road at around 3am.

These and quite a few others, are notable Malaysian cyberlaw and electronic evidence cases (and some from other countries too) from 2017 that I will summarise over the next three days as part of my yearly tradition of what happened in the preceding year.

WhatApp messages, as much as it brings good to people, it also brought calamity. In Pendakwa Raya v Subbarau @ Kamalanathan (Court of Appeal Criminal Appeal No. N-06B-55-09/2016), the Respondent was charged in the Sessions Court under s. 8(1)(c)(iii) of the Official Secrets Act 1972 (OSA 1972) with having possession in his Samsung mobile phone soft copies of 2014 UPSR examination papers.

It is noted that no 2014 UPSR examination papers were found in the said Samsung mobile phone. However, the mobile phone of one arrested person by the name of Prem Kumar contains the said 2014 UPSR examination papers. The said 2014 UPSR examination papers were sent by the accused’s telephone to Prem Kumar’s WhatsApp account.

Evidence by the Communications and Multimedia Commission showed that the 2014 UPSR examination papers found in Prem Kumar’s mobile phone came from the respondent’s mobile phone. The witness from the Communications and Multimedia Commission explained that the fact that none of the images were found in the respondent’s handphone could be due to the images being deleted and thereafter overridden so that there is nothing left to extract in the handphone. Nonetheless, the Prosecutor argued that evidence clearly shows that the UPSR examination papers came from one source i.e. the respondent’s handphone.

Instead of dealing with the issue of electronic evidence, the Court of Appeal held that only real issue before the Court relates to the question of whether the UPSR examination papers are official secret.

In Pendakwa Raya v Mohd Syafrein Rasid [2015] 1 LNS 943, the accused was charged under Section 130J of the Penal Code for attempting to support the Islamic State and attempted to be a member of the same.

It was revealed in this case that the accused was influenced by what he saw about the war in Syria on Facebook. He even joined a few WhatsApp groups which had members sharing information about the Islamic State and their movement in Syria.

He then decided to travel out from Malaysia to join the Islamic State but was caught at the Immigration counter at the Kuala Lumpur International Airport. He pleaded guilty and was sentenced to two years’ imprisonment.

Admissibility of WhatsApp Chats

What would be the suitable way to admit chat logs from instant messaging applications? Should a party need to get someone from WhatsApp or an IT expert to extract the chat logs from the application? Or do they need to use WhatsApp’s available function to produce the chat logs? Or would print screens of the chatlogs be sufficient?

In Pendakwaraya Lwn Greencity International College Sdn Bhd (Kuala Lumpur Magistrate Department Case Summon No.: 87-309-1/2015), the Court admitted and gave weight to screenshots of WhatsApp messages to prove a mala fide intent by a witness.

However, Mohamad Azhar Abdul Halim v. Naza Motor Trading Sdn Bhd [2017] 1 ILR 292, the Industrial Court disregarded a screenshot of a WhatsApp chat. In this case, the Claimant was dismissed by the Company for misconduct. He had allegedly sent threatening and harassing messages via WhatsApp to a colleague (COW-1) who then left due to the messages. The Claimant brought an action against the Company for wrongful dismissal.

The Company tendered a snapshot image (print screen) of the WhatsApp message. The snapshot did not mention the Claimant’s name, date of WhatsApp message, Claimant’s hand phone number or Claimant’s profile picture nor any other evidence to prove that it was indeed the Claimant who was purportedly having such conversation with COW-1. Meanwhile, COW-1 also admitted that the WhatsApp message that she has is merely screen snapshot/image and not the original WhatsApp messages as she had changed her handphone. Further, she did not screen shot the full conversation between COW-1 and herself.

The Claimant demonstrated to the Court how easy it was to fabricate a WhatsApp conversation that can be done within minutes. The demonstration was witnessed by all parties, including the Company’s learned counsel, who did not cross-examine the Claimant on this matter.The Industrial Court held that the WhatsApp snapshot image does not conclusively prove that it was indeed the Claimant who was purportedly having a conversation with COW-1 because it is undisputed/unchallenged that nowhere in the WhatsApp snapshot image was it mentioned the Claimant’s name, date of WhatsApp message, Claimant’s hand phone number or Claimant’s profile picture nor any other evidence to prove that there in fact was such a conversation. Furthermore, the WhatsApp snapshot image was not proven to be authentic because as demonstrated in Court the WhatsApp message can be fabricated resulting in a fabricated WhatsApp snapshot image of that message. Therefore, there is doubt as to whether the Claimant had a conversation with COW-1 at the material time and had stated the threatening and harassing messages via WhatsApp.

Yahoo Messenger

In 2015, I reported in Rina Simanjuntak v PP (Criminal Appeal No: P-05-256-09/2014), a Yahoo Messenger Chat log saved the life of Rina Simanjuntak who had been sentenced to death by the High Court for drug trafficking. In 2016, Facebook chat messages saved the life of a German by the name of Rudolf Tschernezow who was charged with drug trafficking. The High Court in PP v. Rudolf Tschernezow [2016] 1 LNS 654 held the accused has proven that he is an innocent carrier using those messages. However, the Court of Appeal in PP v Rudolf Tschernezow (Criminal Appeal No J-05(LB)-345-12/2015) overturned the High Court’s decision and sentenced him to death.

In 2017, another lady tried to use her Yahoo Messenger chat logs to save her from the gallows. In Public Prosecutor v Ni Komang Yuningsih (Court of Appeal Criminal Appeal No. B-05(LB)-285-10/2015 (IND)), the Respondent, an Indonesian woman, was charged with drug trafficking under S. 39B(2) of the Dangerous Drugs Act 1952. She was acquitted by the High Court after she proved that she was merely an innocent carrier.

The High Court Judge relied on a print-out of conversation in “Yahoo messenger” and exchange of emails between the Respondent and a Nigerian man by the name of John Amadi who was claimed to be the Respondent’s lover. John Amandi persuaded her to come to Malaysia and had promised to marry her. John Amandi then sent the Respondent to India to meet his brother, Price, to discuss about their wedding. When the Respondent was about to fly to Malaysia, John Amandi’s brother gave her a luggage bag to be given to John Amandi. When she arrived in Kuala Lumpur International Airport, the custom officers found drugs in the luggage bag.

Notwithstanding the discovery, the High Court Judge acquitted the Respondent. The trial judge held that John Amadi and Prince are not fictitious characters but they do exist based on a print-out of Yahoo Messenger chat. The 195 pages printout was held to be impossible to be created by the defence at a very short period of time to strengthen its case and it also has a convincing story line.

Despite the acquittal, the Court of Appeal overturned the acquittal. The Court of Appeal was of the view that the Respondent’s deliberate omission to exercise a reasonable level of diligence in making sure that the bags given by Prince carries no incriminating items is an act of wilful blindness. There were too many inconsistencies with the Respondent’s evidence. She was accordingly sentence to death.

WhatsApp and Agreements

Can a legally binding agreement be forged through a WhatsApp conversation? In Shamsudin Bin Mohd Yusof v Suhaila Binti Sulaiman (Shah Alam Magistrate Court Suit No. BA-A72NCvC-384-03/2017), the Magistrate Court answered in the affirmative and held that an agreement was concluded based on oral and WhatsApp messages between the parties.

Would a WhatsApp message constitute written notice under an agreement? In Tengku Ezuan Ismara Tengku Nun Ahmad & Anor v. Lim Seng Choon David [2017] 1 LNS 1840, the Plaintiff sued the 1st Defendant for the return of his money paid for the purchase of the shares in the 2nd Defendant company pursuant to a Shareholders’ Agreement, among others. The 1st Defendant had sold the shares in the 2nd Defendants to the Plaintiff but failed to transfer the shares after being reminded repeatedly.

The Sessions Court allowed the application for summary judgment against the Defendants. The High Court upheld the Sessions Court’s decision. The Court had to decide whether a WhatsApp communication is considered as a “notice” in the context of clause 7 of the Shareholders’ Agreement. Clause 7 of the Shareholders’ Agreement provides –

Any notice required to be served by the parties hereto or by the Directors or EI [the 2nd Defendant] shall be served either by hand, by registered post or couriered post to the address of each party as stated above or by way of telex or facsimile transmission the numbers of which shall be provided by each of the parties to the other.

A skillful reader would know that Clause 7 above provides for only specific methods of transmitting the notice. Nevertheless, the learned Judicial Commissioner held that the WhatsApp message was sufficient to be a notice under Clause 7. She also held that Clause 7 of the Shareholders’ Agreement does not require the notice to be signed. Even if the requirement of a signature is implied into the said clause, that requirement was fulfilled by the Plaintiff. The 1st Defendant has never denied that he received the Plaintiff’s WhatsApp messages requesting for the transfer of the Shares to be effected. The Plaintiff’s WhatsApp messages is identified by the name “David” and the 1st Defendant is identified through his telephone number. As can be seen from the WhatsApp messages Plaintiff identified the 1st Defendant as “Tengku” to which the 1st Defendant has responded (via WhatsApp message too). Thus if the Plaintiff is required to sign as evidence of the Plaintiff’s identity, such requirement is fulfilled via the identity of the Plaintiff which is embedded in the mobile phone.

Electronic Notice

With the Government moving to digitising their services, many deliveries of correspondence are done through the Internet. Such delivery is not only limited to email, but also through their electronic portals. But what if the recipient did not know that a notice had been delivered through the electronic portal? Assuming that there is a deadline for the recipient to do something, when would the time starts to run? Would it be when the notice is published on the electronic portal or when the user logs into the portal to check it?

In Coach Malaysia Sdn Bhd v Ketua Pengarah Kastam Dan Eksais (Kuala Lumpur Originating Summons No: WA-25-193-07/2017) and Transmarco Concepts Sdn Bhd v Director General Of Customs And Excise (Kuala Lumpur Originating Summons No: WA-24-25-05/2017), the taxpayers applied for an extension of time to apply for leave to commence judicial review proceedings against the Director General of the Customs Department’s decisions which were uploaded to the Defendant’s electronic service by the name of Taxpayer Access Point (TAP System). The taxpayers alleged that they were not aware of the decision until they accessed the Tap System.

The High Court held that under subsection 167(3) of the Goods and Service Tax Act 2014 (GST Act), where a taxpayer has given his consent for a notice to be served on him through the electronic service, then the notice shall be deemed to have been served at the time when the electronic notice is transmitted to his account through the electronic service. As such, the clear effect of reading section 167 of the GST Act with Order 53 r 3(6) of the Rules of Court 2012 means that in respect of service of a decision where the taxpayer has opted for electronic service, the taxpayer is deemed to have knowledge of the notice once the notice had been transmitted to his account through the electronic service.

Part 2: The first statute in Malaysia to use the words “social media” and more.



First published on Digital News Asia on 26 March 2018

Comments on the Malaysian e-Court System Phase 2

The Malay Mail interviewed me on my views of the implementation of the new e-Court System Phase 2 some time last year. Some of the issues highlighted below have now been resolved. I am posting this for record purpose.

In their article entitled “Lawyers required to go digital by 2018“, I said the following:-

Foong Cheng Leong, the Kuala Lumpur Bar’s Information Technology and Publication Committee chairman, noted that e-filing is partly aimed at ending the maintenance of actual physical files and saves time with the skipping of physical file searches.

“Before e-filing, the court had problem organising their files and many files went missing resulting the loss of judicial and litigants’ time. The e-filing system also allows documents to be viewed quickly without the need to look for the file,” he said.

Foong said the second phase of the e-filing system had some improvements such as a better online file search system that now includes searching of court minutes, but he highlighted several issues such as the use of the security token which he felt was “unnecessary”.

“Although it is now available at an affordable rate, the use of the token creates a ripple effect. For example, the lawyer now would need to apply for the token and learn how to use and install it, safe-keep, protect and observe the expiry date of the token,” he said, arguing that there were other ways to ensure security or to ensure the right person is filing a court document.

He said the online file search function where users have to pay RM8 or RM12 depending on the court tiers for a 30-minute viewing period should be changed, suggesting that the time limit should be scrapped and instead replaced with a pay-per-file system.

The file search function also only allows users to view and print files page by page, but should instead be changed to allow users to download the files to view them directly on their computers, he said.

“The current system still has a lot of bugs. It ought to be have been beta tested properly by users, in particular, the lawyers before rolling them out,” he said, citing as example the timer in the file search system suddenly resetting to 0:00 before the time is actually up.

On the closure of the Service Bureau to lawyers, I stated the following:-

Foong similarly said: “However, the service bureau should still remain to assist lawyers to file their documents. Not every lawyer has litigation cases often and some may even do one or two a year. It makes no commercial sense sometimes to pay for the token to do e-filing. Nevertheless, the Court should allow other parties to open service bureaus to cater the needs of fellow lawyers.”

In Malay Mail’s subsequent article entitled “No more 5am queues to file lawsuits“, I was quoted stating the following:-

Foong Cheng Leong, the Kuala Lumpur Bar’s Information Technology and Publication Committee chairman, said issues that law firms in peninsular Malaysia faced in moving to a new online court filing system had caused the long queues.

During that period, the helpdesk for the online system was overflowing with requests for assistance, with many lawyers complaining that it was not picking up their phone calls, he said.

“I think the long queues at the e-filing service bureau is due to the sudden surge of requests to do e-filing. As many lawyers had problem migrating to the new system, they have no choice but to use the e-filing service bureau. This adds to the usual crowd of lawyers who did not subscribe to the e-filing system.

“The Court was unable to cope with the sudden surge of request and resulted in very long lines. The Court had to limit the number of people who could use the service otherwise their staff would be staying in Court past the normal working hours,” he told Malay Mail Online when asked to weigh in on the issue.

Here’s What You Should Know The Next Time Someone Asks For Your MyKad

I was featured in The Malaysian Digest’s article entitled “Here’s What You Should Know The Next Time Someone Asks For Your MyKad” on 22 February 2018.

If Your Identity Is Stolen, It May Be Difficult To Prove Your Innocence

Although the Private Data Protection Act 2010 (PDPA) that protects our data, which is collected for commercial purposes, from being misused by third parties has been enacted, there are limits to how far the law can protect us especially when our data is collected for non-commercial purposes, which is unregulated and open to abuse.

Foong Cheng Leong, founder of law firm Foong Cheng Leong & Co., relayed that when you simply give out your IC number to anyone asking, you are liable to have more of your information to be collected and can be used for social engineering such as creating a complete profile about you.

“With a complete profile, one can use it to obtain certain things like services, access to bank accounts, mobile numbers, financial information, email, buildings and further information etc.

“One can also use that profile to obtain information of another person e.g. a person close to you, for example, your spouse’s personal information,” he said.

And when our personal data and identity gets stolen, it may not be easy to prove and it will depend on the circumstances.

“But one would have to go through a difficult process of being investigated. He may be arrested, remanded, have his computers and mobile devices ceased, privacy invaded etc.” he said.

Although he has not had any cases involving IC number, he has come across cases involving the misuse of identity.

“I had one case where the employee was charged in Court under the Computer Crimes Act 1997 for unauthorised modification of content.

“His office account and internet account were used to delete a database of his employer. Fortunately, we managed to prove that it was not him who did it,” he said.

Foong also said that cases of identity theft are not just a few in the country, as he shared the most well-known case which is the case of Adorna Properties Sdn Bhd v Boonsom Boonyanit.

“The land owner lost her land after it was fraudulently transferred to a third party and subsequently sold to a bona fide purchaser – see https://asklegal.my/p/boonsom-boonyanit-adorna-properties-indefeasible-title-national-land-code-1. Note that the position of this law has changed – see http://www.skrine.com/better-late-than-never,” he shared.

He said that the best way to protect our data is by ensuring that it is always secure and that we control the circulation of our data.

When Businesses Use Your Photo Without Permission, Here’s What You Do

I was featured in Malaysian Digest’s article entitled “When Businesses Use Your Photo Without Permission, Here’s What You Do” on 24 January 2018 on what customers can do to protect their personal data. I said the following:-

Customers Need To Be Proactive To Protect Their Privacy

What then do we, as customers, can do to protect our privacy and what rights do we have as a civilian?

Foong Cheng Leong, founder of law firm Foong Cheng Leong & Co. and the Bar Council cyber law and information technology committee deputy chairperson, explained that when it comes to invasion of privacy, it depends on the scenario.

If it’s a photo taken in a public place with many other people like a group photo, it is unlikely an invasion of privacy nor it is anything unlawful.

“If the photo was a photo taken during the business transaction between the customer and the business, it could amount to a breach of Personal Data Protection Act 2010 or invasion of privacy. For example, a photo taken by a doctor of its patient during treatment.

“Also, if the photo belongs to the customer, it could amount to copyright infringement,” he said, while advising that it would be prudent to add a watermark to our photos.

And if we do find our photo being featured in advertisements without consent, we should write to the business asking them to remove it.

“They can also consider filing a complaint to the Personal Data Protection Commissioner for them to investigate the matter,” he advised.

When social media rants can land you in court

I was featured in The Star Newspaper’s article entitled “When social media rants can land you in court” on 5 January 2018 on the issue of reviewing a business online. I said the following:-

Meanwhile, Bar Council cyberlaw and information technology committee co-chairman Foong Cheng Leong told The Star that a person was free to post a review of a restaurant, on Facebook or elsewhere.

However, he said such a review should not be defamatory.

“Defamatory statements would mean the statement would expose the plaintiff to hatred, ridicule or contempt in the mind of a reasonable man, or would tend to lower the plaintiff in the estimation of right-thinking members of the public generally,” he said.

Nonetheless, Foong said sometimes it is hard to differentiate between what is defamatory or not.

“Generally, insults, negative reviews, or statements of opinion are fine. I can always say a restaurant food is terrible. It is fair comment.”

The interview by The Star Newspaper was a follow up of a decision by the High Court of Malaya in the case of Champ’s Express Heritage Sdn Bhd & Anor v Pak Loo Ke (Kuala Lumpur High Court Suit No. 23NCVC-94-12/2015). The High Court held that the Defendant had defamed the Plaintiffs when she published a posting on the 1st Plaintiff’s Champ’s Bistro, BSC. The Facebook posting had questioned the level of hygiene of the Plaintiffs’ food and also the 3rd Plaintiff, who is the founder of the 1st and 2nd Plaintiffs, among others. The same posting was made the Defendant’s Instagram account. The Defendant was a kitchen helper for 2 weeks before she published the alleged defamatory postings.

The Star Newspaper reported that the Plaintiff had succeeded in proving defamation, and the Defendant had failed in her defence of justification and fair comment.

Sugar Daddy and Sugar Babies Website – Is it illegal?

I was interviewed by The Star on the issue of legality of a local website that connects “sugar daddies” with “sugar babies”. In the article entitled “A raw nerve hit, but no laws broken“, I said the following:-

There is no law against couple matching services in Malaysia unless it is for prostitution or other illegal purposes, said Bar Council cyber law and information technology committee deputy chairman Foong Cheng Leong.

While the website’s service and users may be entering a moral grey area, Foong said “immoral doesn’t necessarily mean unlawful”.

“Payment for companionship is legal. This is unless the companionship falls under prohibited acts, which include prostitution and soliciting prostitution,” he said.

Foong was commenting on a Malaysia-based online dating platform which matches established, wealthy men or “sugar daddies” with women who are seeking financial support.

MCMC also said operating, providing and using an online service or application is not an offence under the Communications and Multimedia Act 1998.

“However, action can be taken if such a service is being used to disseminate illicit content such as obscenities, nudity, pornography and others,” it said.

Other enforcement agencies like the police may also pursue various actions under the relevant laws if there are elements of prostitution, extortion, blackmail and scams.

“Should consumers feel the app is inappropriate due to its content, they can reach out to the MCMC or the police. Investigations will be undertaken to assess if such contravene the existing laws.”

I was also interview by Digital New Asia on the same issue in their article “TheSugarBook – sweet endings or bitter disappointment?“. The relevant excerpts are as follow:-

One of the most-asked questions about TheSugarBook is whether or not such a service is legal.

“There is no law against couple matching services in Malaysia unless it is for prostitution or other illegal purposes,” says Foong Cheng Leong (pic, above), deputy chairperson of The Malaysian Bar’s Information Technology & Cyber Law Committee.

..

It must be pointed out that other popular dating apps such as Tinder or Grindr (a social networking app for LGBTQ people) could also have users who met on the app engaging in illegal activities outside of it. Many of these platforms do not enable users to report other users or have such strict regulations regarding user profiles as TheSugarBook does and it is quite usual for users to state on their profiles that they are only looking for casual sex.

According to Foong, such platforms should not be liable for what its users do outside the platform.

Though TheSugarBook does seem to be using discretion when it comes to ensuring no underage activity, none of these checks can actually guarantee that a user cannot lie their way through to a verified profile. A user could use someone else’s photo and enter their age as older, as they could on their Facebook profile, and a college student could very well be under 18.

However, being below 18 is not actually a legal requirement for registering a profile on a dating app in Malaysia. “Currently, there are no laws stipulating the minimum safety requirements of a couple matching platform,” says Foong.

“Assuming that a minor circumvents the age requirement and falsely pretends to be a person of 18 and above, I don’t think such platform would be doing anything illegal,” he continues.

BFM Podcast: LANDMARK #22: WHAT HAPPENS WHEN OUR PERSONAL DATA IS LEAKED

Late last year, it was reported that the private data of 46.2 million mobile phone subscribers were leaked sometime in the middle of 2014. All 14 telcos were affected in what is Malaysia’s biggest ever data breach. Explaining what this means for you and me is lawyer Foong Cheng Leong. He chairs the KL Bar’s Information Technology and Publications Committee.

Your browser does not support native audio, but you can download this MP3 to listen on your device.

SayaKenaHack.com and Privacy

Recently, tech blogger Keith Rozario created the website SayaKenaHack.com, a platform to allow people to check if they were affected by the data leakage of 46.2 million mobile phone subscribers. The website allowed users to key in their identity card number and the website will inform the users whether they are affected by the leakage. If they are affected, the website will yield a masked mobile number. Some users have complained that those masked numbers do not resemble their mobile numbers.

The Malaysian Communications and Multimedia Commission (MCMC), under s. 263 of the Communication and Multimedia Act 1998 (CMA), directed internet service providers to block the website SayaKenaHack.com on the ground that it had contravened s. 130 of the Personal Data Protection Act 2010 (PDPA).S. 263(2) of the CMA and s. 130 of the PDPA provide the following:

Section 263. General duty of licensees.

(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.

130 Unlawful collecting, etc., of personal data

(1) A person shall not knowingly or recklessly, without the consent of the data user-

(a) collect or disclose personal data that is held by the data user; or

(b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows-

(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data-

(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or

(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if-

(a) he has collected the personal data in contravention of subsection (1); or

(b) he subsequently collects the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

In the Personal Data Protection Commissioner Khalidah Mohd Darus’s media statement dated 17 November 2017, the Commissioner stated that SayaKenaHack.com was blocked because it had contained personal data which had been collected without the consent of the data user pursuant to s. 130 of the PDPA. The Commissioner then advised members of the public to be vigilant when sharing personal data with others, among others.

Unfortunately, Keith Rozario decided to close SayaKenaHack.com upon being blocked. It would be interesting if he had filed an action to challenge the blocking order. So far, there is no reported case on anyone challenging a “blocking order” by MCMC in Court.

There ought to be checks and balances against such blocking order. Under the s. 10A of the Sedition (Amendment) Bill 2015, the Public Prosecutor must make an application to a Sessions Court Judge to direct an officer authorised under the Communications and Multimedia Act 1998 to prevent access to any seditious publication. Likewise, s 263 of the CMA should be amended to reflect such checks and balances.

I was interviewed by The Star, on my personal capacity (not on behalf of Bar Council, as earlier reported by The Star), on this issue. In The Star’s article dated 18 November 2017 entitled “SayaKenaHack.com only provides information, does not allow data download“, I was asked whether SayaKenaHack.com was in contravention of s. 130 of the PDPA. I replied:-

SayaKenaHack.com did not breach Section 130 of the Personal Data Protection Act 2010 (PDPA), says the Bar Council cyber law and information technology committee.

The committee’s co-chairman Foong Cheng Leong said the website was merely a platform for users to check whether their personal data had been leaked or breached.

“Currently, the Malaysian Communications and Multimedia Commission (MCMC) is blocking the website for breaching Section 130 of the PDPA for unlawful collection of personal data.

“If the website allows people to download the personal data of others, then it will be a violation of PDPA.

“Therefore, the website did not violate the PDPA,” he said when contacted yesterday.

In The Star’s article dated 31 October 2017 entitled “M’sia sees biggest mobile data breach“, I added:-

“..assuming that the leak was after the enforcement of the Personal Data Protection Act 2010, there might have been a breach of the Act’s Security Principle by the data users.

The Security Principle requires data users to process personal data securely, but there is not much customers can do other than file a complaint with the Personal Data Protection Commissioner

There may be a recourse against the telecommunication companies for negligence i.e. failing to ensure that the subscribers’ personal data are adequately protected. In an article dated 20 November 2017 in The Other, I said:-

For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”

Currently, a company is now being investigated for causing the said personal data protection leakage.

On a separate issue, in The Star’s article dated 26 November 2017 entitled “Going full force to enforce Act“, the Personal Data Protection Commissioner stated that 3 companies have fined for contravening the PDPA.

The Commissioner added that mobile applications are not required to be registered under the PDPA. But the operators must comply with the PDPA since they process personal data in commercial transactions.

I was asked to comment on this issue. I said:-

..an individual has a right under the PDPA to request a copy of the personal data processed by the data user.

“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.

“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.

Foong urges the public to always be aware of what companies will use their data for by reading the privacy policy.

“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.

1 2 3 27  Scroll to top