Malaysian Bar releases feedback to Personal Data Protection Commissioner’s Proposal Papers

On behest of the Malaysian Bar Ad Hoc Committee for the Personal Data Protection Act, the Malaysian Bar has published the feedback by Ad Hoc Committee on Personal Data Protection to Personal Data Protection Commissioner’s following proposal papers.

1) Guideline on Compliance of Personal Data Protection Act 2010;
2) Guide on the Management of Employee Act Data under Personal Data Protection Act 2010;
3) Advisory Guideline related to Consent requirement under the Personal Data Protection Act 2010; and
4) Guide on Management of CCTV under Personal Data Protection Act 2010.

Download the feedback.

PDF    Send article as PDF   

Battle of the Satay Celup Restaurants


Ban Lee Siang restaurants – used with permission of sixthseal.com

Ban Lee Siang is a well known satay celup restaurant in Melaka. It consists of two adjoining shops operated by two different owners who are brothers. The shop was started by their other brother in 1987.

Although both restaurants are named “Ban Lee Siang”, they are both known as Restoran Makanan and Minuman Ban Lee Siang and Restoran Ban Lee Siang. The former was taken over by the Plaintiff in 1997 and the latter was started by the Defendant in 2004.

In 2012, the Plaintiff filed a lawsuit against the Defendant over the use of the name Ban Lee Siang. The Plaintiff alleged that he is the exclusive and registered proprietor whereas the Defendant is merely a licensee. The Plaintiff terminated the licence via a letter.


The Plaintiff’s registered trade mark

However, the Defendant alleged that he is a joint proprietor of the trade mark as he had purchased the business jointly with the Plaintiff and their mother.

The High Court held that:-

1. Based on the evidence provided, the trade mark BAN LEE SIANG was not only sold to the Plaintiff but also to the Defendant and their mother (paragraph 15);
2. The Defendant is a honest concurrent user (pursuant to s. 40(c) of the Trade Marks Act 1976 (TMA)) but also entitled to file an application under s. 20 of the TMA to be a joint proprietor (paragraph 16); and
3. Since the Plaintiff did not object to the use of the trade mark from the date of establishment of the Defendant’s restaurant until the date of the letter terminating the alleged licence, this shows that the Plaintiff had indeed allowed the use of the trade mark. Thus, following s. 40(c) and (dd) of the TMA, there is no trade mark infringement (paragraph 17).

Download: Chua Cheng Kiat b/s Kedai Makanan dan Minuman Ban Lee Siang v Chua Cheng Ho b/s Restoran Ban Lee Siang

PDF Creator    Send article as PDF   

Bread & Kaya: Liking a Facebook page and the law

Bread & Kaya: Liking a Facebook page and the law

Foong Cheng Leong
Aug 14, 2014

- ‘Liking’ a page doesn’t necessary mean you agree with it
– Using Sedition Act for what you ‘Like’ sets dangerous precedent

THE recent report that Malaysian police are investigating a Penang teenager under the Sedition Act 1948 for liking the ‘I love Israel’ Facebook page has raised more than a few eyebrows.

This leads to some interesting questions: What does liking a Facebook page mean? Does it mean liking the idea that is expressed by the Facebook page? In the above case, does this mean that the teenager actually loves Israel?

To answer this, we first refer to Facebook’s definition of ‘Like.

What’s the difference between liking a Page and liking a post from a friend?

Liking a Page means you’re connecting to that Page. Liking a post from a friend means you’re letting that friend know you like their post without leaving a comment.

When you connect to a Page, you’ll start to see stories from that Page in your News Feed. The Page will also appear on your profile, and you’ll appear on the Page as a person who likes that Page.

Further, in the US case of Bland v. Roberts, No. 12-1671 (4th Cir. Sept. 18, 2013, click here for the PDF), the Court held that:

On the most basic level, clicking on the ‘Like’ button literally causes to be published the statement that the User ‘Likes’ something, which is itself a substantive statement. In the context of a political campaign’s Facebook page, the meaning that the user approves of the candidacy whose page is being liked is unmistakable. That a user may use a single mouse click to produce that message that he Likes the page instead of typing the same message with several individual key strokes is of no constitutional significance.

This is a US case thus it is not applicable to us, and Facebook’s definition may not be relevant here. So far, we have no reported case in Malaysia of the legal implications of Liking a Facebook page.

To me, when a person Likes a certain page, it doesn’t necessary mean he or she ‘likes’ what the page represents. I may ‘Like’ a page to ‘get the stories from that Page in my News Feed.’ I sometimes Like a page to support a friend who started such page, but that does not mean I like his postings or expressions there. I’m sure many of us here use the Facebook ‘Like’ button differently.

To charge the teenager for sedition for Liking the ‘I Love Israel’ Facebook page is a dangerous precedent. Each Facebook user would have to be very careful on the Facebook page they Like. Those who are oblivious to current affairs would be most vulnerable.

Furthermore, the name of a Facebook page can be changed. Imagine if someone changes a Facebook page in open support of child pornography, and those who had previously Liked the page seem to suddenly like child pornography!

(Note: No approval is required to change the name of a Facebook Page with fewer than 200 members).


First published on Digital News Asia on 14 August 2014

Create PDF    Send article as PDF   

Unknown Caribbean company files for MH17 trademark

I was quoted by Digital News Asia in their article “Unknown Caribbean company files for MH17 trademark” published on 22 July 2014.



Unknown Caribbean company files for MH17 trademark
Gabey Goh
Jul 22, 2014

- Trademark applications filed for ‘MH17′ & ‘MH370′ for use in EU
– Case of companies or individuals using trademark register to take advantage of a tragedy

IN THE wake of the MH17 tragedy, reports have already surfaced about cybercriminals taking advantage with fake Facebook pages being created in the name of victims, for money.

Now it appears opportunism has reared its ugly head in another way – Digital News Asia (DNA) has learnt that claims have been filed to trademark the terms ‘MH17′ and ‘MH370.’

MH370 was the number of the Malaysian Airlines flight that inexplicably disappeared on March 8, remaining one of the aviation industry’s greatest mysteries. The Beijing-bound flight from Kuala Lumpur was carrying 12 crew members and 227 passengers, the majority of whom were China nationals. The search and rescue operation has yet to find remains of the craft.

Malaysia’s national carrier, already reeling from that disaster and a disappointing financial year, then experienced another disaster when Flight MH17 from Amsterdam to Kuala Lumpur was shot down over Ukrainian airspace on July 17, killing all 283 passengers and 15 crew on board.

Details of the ‘MH17′ filing, submitted on July 17 itself, were found on the European Trade Mark and Design Network website and the application under examination. The ‘MH370′ filing submitted on May 2 was found on the Justia Trademarks site, and according to the site, has yet to be assigned a case examiner.

According to available details, the same company, Seyefull Investments Limited which is incorporated in Belize City, filed both applications.

Belize City is the largest city in the Central American country of Belize and was once the capital of the former British Honduras. It is located at the mouth of the Belize River on the coast of the Caribbean.

The scope of usages listed within both applications is wide ranging: From conferences, exhibitions and competitions; to education and instruction, and entertainment services (namely, the provision of continuing programmes, segments, movies, and shows delivered by television, radio, satellite and the Internet).

DNA columnist and intellectual property lawyer Foong Cheng Leong (pic) noted that trademark rights are limited to the goods and services chosen by the proprietor.

“Here, the applicant is registering the mark MH17 for all sorts of products in the European Union. By being the registered proprietor, they have the rights over the mark [when it comes to] the registered goods and services in the European Union.

“They may stop people from using the mark or ask for payment in the European Union,” he added.

Asked whether these trademark claims were the groundwork for potential ‘trademark trolling’ efforts, Foong said that he would not be able to determine whether they are trademark trolls without a deep investigation into the entity in question.

‘Trademark troll’ is a pejorative term for any entity that attempts to register a trademark without intending to use it, and who then threatens to sue others who use that mark.

It is a different beast from a ‘patent troll,’ also called a patent assertion entity (PAE), a person or company who enforces patent rights against accused infringers in an attempt to collect licensing fees, but does not manufacture products or supply services based upon the patents in question, thus engaging in ‘economic rent-seeking.’

Claiming a stake in crisis

This is not the first time an attempt has been made to claim the intellectual property associated with a global event. Among the most notable was when a businessman named Moti Shniberg tried to trademark the term ‘September 11, 2001′ … on the day itself.

Shniberg said he had filed for the trademark for “charitable purposes,” but the US Patent and Trademark Office ultimately rejected the application. It was one of about two dozen reportedly filed trademarks related to the Sept 11, 2001 terrorist attacks in the United States.

Lawyers and trademark industry watchers DNA spoke to for this article noted that it is quite common for people to file trademarks based on words related to current affairs.

A trademark industry observer, who asked not to be named, said that such filings are “fairly common, but also fairly pointless” because they usually get rejected and lead to bad public relations for the people or company which filed the trademark, as well as for the trademark industry as a whole.

He said that the case in question was “another sign of companies or individuals taking advantage of tragedies using the trademark register.”

“I don’t know the reason for these, it’s probably opportunistic from what I can tell – the fact the MH17 one was filed on Thursday definitely suggests that.

“My guess would be it’s a shell company of some kind. The company’s other trademark is for ‘Mata Hara 308‘, which appears to be linked to this website which mentions MH370, and has the same image for its browser tab as the Seyefull website, so I think they’re linked.” he added.

Asked whether Malaysia Airlines (MAS) should be concerned about such moves, he pointed to another filing made by Aoan International Pty Ltd to register an Australian trademark for ‘MH370′ in March that is due to be accepted on July 30.

“However, it seems that Malaysia Airlines is concerned about this kind of thing because 10 days ago, [Malaysia Airlines] itself registered a trademark in Australia for ‘MH370′,” he said.

Additional checks also found that MAS had filed its own Community Trade Mark application for ‘MH17.’ However, this was made on July 21, a few days after the application made by Seyefull.

“I do not know why [Malaysia Airlines] filed, but it may have been alerted by the company’s application or is trying to block others from registering the mark,” said Foong.

A corporate lawyer who also declined to be named for this article said that to her knowledge, there are corporates and individuals “who more often than not, seize the opportunity to register certain names when they sense the potential in future commercial exploitation.”

“Apart from applications for registration of a trademark, another area is the registration of domain names. The name ‘everyone can fly’ and ‘airasia’ have been rampantly applied by different individuals from all over the world,” she said.

She noted that at first glance, the most obvious reason why one would want to register ‘MH370′ and ‘MH17′ now is probably due to the potential of these events being made into movies or books.

“However, one should also question whether they infringe the rights owned by MAS in applying to register such a mark in the first place.

“Usually, the Registrar would not allow registration should it feel that this infringes the existing rights of another party. MAS still retains the common law proprietary rights in the mark,” she added.

PDF Printer    Send article as PDF   

BFM Podcast: Revenge Porn

I was interviewed by BFM Radio to talk about revenge porn on 22 July 2014.



The availability of affordable smartphones and cheap mobile data are contributing to the rise of sextortion, the non-consensual publication online of explicit images, often by a former spouse or partner after a relationship turned sour. Does ownership of an image lie with the sender or receiver? And what legal framework is in place to address this growing concern?



Related Link: The Perils of “Revenge Porn” – Part 2

PDF Download    Send article as PDF   

Bread & Kaya: Cyberstalking, harassment … and road rage

Bread & Kaya: Cyberstalking, harassment … and road rage
Foong Cheng Leong
Jul 17, 2014

- No specific Malaysian law that criminalises stalking or harassment
– Singapore has enacted such laws, and Malaysia should follow suit

THE recent case of a blogger complaining that she had been harassed and stalked by a fan got me thinking about the law in Malaysia with regards to stalking and harassment.

I think this would depend on the acts of the stalker. There is no specific Malaysian law that criminalises stalking and harassment, but there are provisions of law that prohibit certain actions that border on stalking and harassment.

For example:

- Hacking into someone’s computer or mobile device or online account, or installing any trojan or tracking device is a crime under the Computer Crimes Act 1997;
– Sending messages threatening to harm a person – depending on the content, this may amount to a criminal offence under the Communications and Multimedia Act 1998 or Section 503 of the Penal Code (criminal intimidation); and
– Breaking into someone’s home amounts to trespass (installing a closed-circuit TV as in the Nasha Aziz case).

There are many forms of stalking and harassment. I’ve heard of cases where a person would call someone numerous times a day – and in some such cases, keeping silent or even make heavy breathing sounds.

Other cases include following a person from time to time; loitering outside a person’s home (which is a public venue, for example a road); downloading someone’s picture off Facebook and publishing it on blogs or online forums with degrading messages; and even frequently posting annoying or insulting comments on a person’s Facebook page, blog or Instagram account.

A police report would be useful to ward off these people but not all reports will be acted on. Sometimes no threat is made, and there’s ‘only’ persistent annoyance.

One blogger showed me some persistent emails from an alleged stalker, who also contacted the blogger through phone calls and SMS.

However, the nature of the contact was not a threat but merely invitations to go out, despite the fact that the blogger had expressly asked him to stop contacting her. Such contact would stop for a short period, but return thereafter.

One email from the alleged stalker was just a reproduction of chat messages between the alleged stalker and his friend.

A police report was made but the police could not take any action as there was no threat involved.

In such cases, I think that the police should take proactive action by contacting the alleged stalker and warning him against pursuing the matter further. A lawyer’s letter of demand may be useful too.

If all else fails, a restraining order may be obtained from the courts.

The victims are not only women. Vancouver teacher Lee David Clayworth was ‘cyberstalked’ by his Malaysian ex-girlfriend. She posted nude pictures of him and labelled him all sorts of names, according to a CNET report.

A warrant of arrest was issued in Malaysia against his ex-girlfriend but she had reportedly left the country.

Many victims suffer in silence. They try to ignore their stalkers and hope that they go away. Sometimes this works, sometimes it does not.

Our Parliament should introduce a new law to criminalise stalking and harassment. Singapore recently introduced the Protection from Harassment Bill 2014. This new law will provide protection from harassment and anti-social behaviour, such as stalking, through a range of civil remedies and criminal sanctions.

It’s time for our Parliament to look into this before it’s too late.

Regarding the recent Kuantan road rage case, I was asked whether doxing or document tracing by netizens amounts to harassment.

From what I read, some netizens had posted her name, company name and pictures on the Internet, created Facebook pages about her, and also created all sorts of memes featuring her. Some even started bombarding her mobile phone with SMSes and left numerous comments on her company’s Facebook page.

As mentioned, we have no specific law to govern harassment, thus it is difficult to determine whether such acts amount to harassment without a legal definition here.

In my personal opinion, I think there is nothing wrong in exposing the identity of the driver to the public. The lady had posted her own personal information online, thus there is no expectation of privacy with respect to that posted information.

The Personal Data Protection Act 2010 only applies to commercial transactions. But the extraction of her personal information through her licence plate number may be an issue if someone had unlawfully extracted it from a company’s database.

Some messages that were posted may also be subject to the Communications and Multimedia Act 1998 provisions on criminal defamation. Tracking her home address and taking photographs of it may be considered a form of harassment.

She also has rights (that is, copyright) to the pictures that she has taken (selfies especially), but she will not have rights to her modelling pictures if those were taken by a photographer – in that case, the photographer usually has rights to the photographs.



First published on Digital News Asia on 17 July 2014.

Free PDF    Send article as PDF   

[No. 5/2014] Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010

The Malaysia Personal Data Protection Commissioner (Commissioner) has published a proposal paper entitled, “Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010”.

This proposal paper aims to provide guidelines for an individual or organization in the management of CCTV under Personal Data Protection Act 2010 (PDPA). Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline.

I am of the view that this Proposal Paper is not clear as to what kind of CCTV recording is subject to the PDPA. At the last paragraph of page 2, it states that an individual’s image is subject to PDPA when it is involved in a commercial transaction such as for promotion or sale of products and services either by contract or otherwise. Does this mean that all CCTV recordings at business premises and commercial areas such as banks, shopping centres and supermarkets as well as in offices and airports are subject to the PDPA? If so, how would a data user obtain the “recordable consent” (as required by the Personal Data Protection Regulations 2013) from the individuals who are captured through the CCTV?

My personal view of the use of CCTV and PDPA is that it is not subject to the PDPA if it is used for security purposes and not be used for commercial transaction purposes (e.g. to be sold). It would be impracticable for the data user to obtain the “recordable consent” and provide a Privacy Notice, which is mandated to be in writing, fulfill eight (8) requirements, and in two (2) language, to the individual.

If the Commissioner is keen to apply PDPA on CCTV recordings, it should make some adjustments to the application of the seven (7) principles. For example, no recordable consent is required, no requirement to fully comply with the Notice and Choice Principle but merely provide a notice to say CCTV is in operation etc.

Further view of this Proposal Paper will be address in the Malaysian Bar Council’s Ad Hoc Committee for Personal Data Protection.

Download: Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010

PDF    Send article as PDF   

BFM Podcast: The Right to be Forgotten

I was interviewed by BFMRadio to talk about privacy laws and the right to be forgotten on 28 May 2014.


If your browser does not support native audio, but you can download this MP3 to listen on your device.

In what could be a landmark case for internet privacy, the European Court of Justice ruled that Google must delete “inadequate, irrelevant or no longer relevant” data from its results when a member of the public requests it. Privacy rights lawyer Foong Cheng Leong joins our resident social media experts Ng Juan Hann from WAGO to explore the implication of the right to be forgotten and whether it contradicts the right to freedom of expression.

PDF Creator    Send article as PDF   

Leveraging Big Data

I was quoted in the May 2014 issue of Personal Money.


Leveraging Big Data
Personal Finance
Written by Emily Chow and Sarah Voon of The Edge Malaysia
Friday, 16 May 2014 00:00

UPLOADING photos on Facebook; making an ATM transaction; operating a machine in a factory; making a call from a handphone. On the surface, these activities do not seem to have much in common. But they all contribute to the accruement of big data.

Everything and anything that is, and has ever been, linked up to the digital realm constitute big data. Big data analysis is what many businesses are doing today to enhance their business process.

“Big data isn’t so much the content or amount of the data, but [data on] who is contributing towards it and how often,” says Queenie Wong, head of data management at SAS Institute in Malaysia. The international company is a leader in business analytics software and services, and helps organisations turn large amounts of collected data into information they can use.

“[Companies] have been capturing this information, but it’s expensive to store. Most of the time, you just store and archive it. But with the new trend of big data analytics, how do you capture it [in a meaningful way] to get ahead of the competition and differentiate yourself?”

According to Wong, big data analysis has existed for some time and is being used especially by banks and telecommunications companies. The term was coined and came under the spotlight relatively recently, and businesses are starting to use it in making decisions and maintaining customer relationships.

“When you deal with consumers in today’s business world, it’s not about high value anymore. As a business, I don’t want you to spend thousands or millions of dollars [per transaction]; I’d want you to spend multiple [transactions worth] hundreds of dollars, that add up to more than the [initial] thousand that you might have spent,” she says, emphasising customer loyalty. “It’s easy to acquire customers, but it’s difficult to keep them and make them happy.”

Big data analysis helps in target marketing: Gone are the days of cold-calling and salesmen going door to door to sell their products. Today, a company can anticipate a customer’s need by studying his previous purchases or activities.

“For example, when a bank calls you offering loans and insurance, it isn’t a targeted offer because they don’t know if you’re an existing customer or not, or whether you own any other product in particular,” Wong explains.

“It’s just an outbound call, making it is expensive, and it’s only effective if it gets to the right person [who needs a loan]. The company also wants to make sure that within the first minute of the conversation, the customer wants to hear what it has to say.

“But with big data, we can comprehend the way customers use your service,” she continues. “If you are at a car sales online portal, the bank would want to give you relevant information on car loans [on the website itself]. Say, a customer uses an app on a mobile phone service to buy a train ticket. The information is captured when the ticket is purchased, so the next natural thing to do is to offer hotel stays, which the customer will appreciate. Big data is about anticipating the customer’s next move. It might not be of high value, but it’s very targeted.”

Examples of big data a bank would examine include customers’ ATM transactions and banking details. For a telecommunications company, it would be the way customers use their phones.

Unfortunately, this flood of information can be overwhelming, so companies need to know how to make use of it.

“Every time I make a call, send a message or access broadband, this information is being captured by the telco,” Wong says. “It’s a big dump of information, so businesses need to know what is relevant to them. Data will be used differently based on the maturity level of the companies.”
Such data can also add value to customer interactions.

“Banks have been analysing customer behaviour through credit cards [usage] and are able to detect fraud by notifying customers [of charges made] through text message,” adds Wong.

“But they can do more than this. If you’re travelling overseas and charge something to your card, data will be captured [regarding] your location. Instead of just sending customers a message verifying that they have just charged their card, banks can bring added value by telling them what promotions are [available] nearby if they use their credit cards there.”

Ballooning industry

As big data analysis grows in popularity, or even by necessity, it is predicted that businesses will direct significantly larger sums of resources towards big data analytic tools and solutions. According to the International Data Corporation (IDC) Predictions 2014 report, worldwide spending in this area is likely to increase by 30% this year, exceeding US$14 billion.

“The potential of deriving valuable insights and real-time decision-making from this data avalanche will drive massive investments and create new data-centred analytics and content services,” says the report. In Malaysia, the big data market is expected to reach US$24.2 million (RM46 million) this year.

“Malaysia is moving towards capturing more data — it is starting to recognise the people, process and technology,” observes Wong. “We see an increase in customers asking us to analyse and digest information. Big data isn’t a big bang thing; it is a journey for a business’ internal growth.”

For leading banks in the region, which may already have insight into what customers want through cross-channel banking transactional behaviour analysis, big data allows for increased targeting precision by extending their view of customer behaviour.

“This includes website activity, social engagement, contact centre voice interactions, and location data,” says Donald MacDonald, head of group customer analytics and decisioning at OCBC Bank Singapore.

“New technologies also enable us to react to this data faster than before — in some cases, in real-time — so we can directly engage customers with messages based on where they are and what they are doing right now.”

Apart from customer service and consumer sentiment, OCBC uses big data analytics in marketing analytics, fraud detection, credit quality optimisation and financial forecasting. The bank has spent over S$100 million (RM259 million) on data analytics since 2004, with investments on integrating data from multiple sources to one source, and on tools for analysis.

“Through the use of data analytics, we are able to significantly raise the quantity and targeting sophistication of our marketing activity. We can directly quantify the success of our marketing campaigns by monitoring customers’ individual behaviour to understand who responded to our offers, and then attribute a financial result to each contact,” shares MacDonald.

“Two major [big data] trends we’re focusing on now are speed to insight and contextual awareness.”

Speed to insight refers to the bank leveraging on “data-in-motion”, or data captured when direct interaction occurs with a customer. As this data is put into the bank’s system, its analytical engine updates the bank’s existing knowledge of the customer, and is able to recommend the most relevant products or services in real-time.

“Contextual awareness refers to leveraging additional information on the customers’ current circumstances to improve the relevance of our communications,” MacDonald says. For instance, OCBC could use big data to locate where a customer is, and then recommend merchants based on his preference as well as current location.

“Another example is leveraging voice logs within our contact centre to identify factors such as the increasing frustration of a customer on the line, which might be missed by a staff member,” he continues. “These factors enrich our existing view of the customer… ensuring that our sales and service offers are more targeted and relevant to each individual’s current situation.”

CIMB Group is another bank that leverages on big data initiatives to increase customer satisfaction, and appeal to their needs and lifestyle. The bank, for example, links customers’ Facebook data with its internal data to provide targeted offers to credit and debit cardholders.

“As a result, we discovered that there is an 80% correlation between merchants that customers ‘like’ on Facebook and our existing transaction data of merchants with whom they charge their cards,” says Iswaraan Suppiah, group chief information and operations officer, CIMB Group.

“Additionally, we have noted that banks in other countries are using big data techniques to reduce fraud incidents, or even use social network analysis to determine the creditworthiness of borrowers.”

According to CIMB, big data can also grow revenues faster by better matching its offers to customers’ needs.

“[This is] to the extent of designing better products and services that are directly relevant to various customer segments. Instead of using a traditional marketing campaign targeted at hundreds of thousands of customers and getting a 2% conversion rate, we can now target 30,000 customers and get a 50% conversion rate,” says Iswaraan.

“By using big data to really get to know and understand our customers, we can cut down on unnecessary ‘marketing’ and have real conversations about real customer challenges that will lead to benefits on both sides.”

Privacy protection and consumer rights

From a social perspective, big data could also benefit the public sector when used by the government, albeit allowing surveillance with an Orwellian touch. Authorities worldwide have been using such information in policy design and logistics planning, and to monitor crime and public security.

In Malaysia, however, data collected by companies cannot be sold or shared with a third party without the subject’s consent, as stated in the Personal Data Protection Act 2010 (PDPA).

Other laws such as the Communications and Multimedia Act 1998, the Computer Crimes Act 1997, and the Penal Code also ensure that collected data must only be used for the original purpose it was lawfully obtained for. This means customers should have willingly imparted their data to companies, with their knowledge.

“It’s fine for a person to use big data for business marketing research purposes, provided the data was acquired lawfully,” says Foong Cheng Leong, a lawyer at Foong Cheong Leong & Co, who specialises in cyberdata cases.

“There are many cases where data is purchased without the knowledge of the subjects within the data,” says Foong. In this case, the subject may exercise his right and file a complaint against the company or person that has been selling the information. Complaints can be made with the Personal Data Protection Commissioner.

“The information includes personal data, such as your name, identity card number, email address, images, your address, and so on, [used] in a commercial transaction,” he says, adding that this is all covered under the PDPA.

However, before a subject exercises his right, he should always read the privacy notices or policies provided by businesses explaining how they will use his data, Foong advises. A company is obliged to disclose how it uses personal data in a privacy notice or policy. This is also to enable the consumer to make informed decisions when sharing information requested by the company.

“With PDPA in force, consumers have a say in how their data is to be treated. They can even control the amount of data being flown out of a company.”

According to Foong, however, there are some cases of companies disclosing certain information necessary to deliver their services to the subject. For example, a telecommunications company may pass its customer’s data to a subcontractor. “[This is in the event] that the subcontractor needs to perform certain services. However, before a company [shares the data, it will make sure that the customer’s] personal data will be kept securely.”

This should also be disclosed to subjects during the time of data collection. Anything beyond what is stipulated in the initial privacy policy that is shared to subcontractors or other third-party services is considered illegal.

Foong says the only way to secure one’s personal data is to only use trusted service providers. Apart from that, he also advises that one should maintain a separate email to sign up for goods or services.

“Make sure you have strong passwords, and do not reuse passwords for different platforms. Phishing is common nowadays. Any email that goes into your junk or spam folders should be read with caution. It is unlikely to be true. Fake calls from unknown parties are also common. Many such callers ask for personal details on the pretext that someone is misusing your data.”

Otherwise, Foong believes that there should not be much to worry about. If users continue to take precautionary measures to protect their data privacy, they should not fear sharing their information online.

However, as an urban population moves towards a technologically driven lifestyle, rapidly expanding digital footprints are inevitable. From SAS Institute’s perspective, a company that chooses to use big data and its analytics has to make it relevant to its customers.

“If you want to use big data and big data analytics, whatever you give back to your customer must be relevant,” Wong says.

“Companies are very cautious with the kind of information they have and I think now with guidelines from Bank Negara Malaysia and the Malaysian Communications and Multimedia Commission, there are clear lines on what you can and cannot do. [Sometimes] there is a grey area, because that has to do with the company’s obligation to the customer and the public. The company then has to decide how they want to address that.”

This article was first published in the May 2014 issue of Personal Money — a personal finance magazine published by The Edge Communications.

Create PDF    Send article as PDF   
1 2 3 19  Scroll to top