Monthly Archives: August 2021

Virtual Conference on Corporate and Commercial Law (6 to 10 Sept 2021)

I will be speaking in the 4th session on the topic “Digital/Electronic Signature Legislation and Developments” together with Satish Ramachandran and Azrul Abdul Hamid on 7 September 2021. In this session, we will share the history and current development of digital or electronic signature in Malaysia.

Do check out the other sessions by the other speakers!

To register, please visit this link.

The other side of tech

I was asked by The Edge Malaysia to comment on the collection of personal data by the Malaysian Government, particularly, the data submitting by individuals in compliance with pandemic control related laws. I said-

Currently, the PDPA [Personal Data Protection Act 2010] does not apply to the government. This should be addressed, adds Foong Cheng Leong, a lawyer focusing on areas such as privacy and data protection laws.

“There should be a law governing how the government can process our information. Such a law should include the right to request the government to disclose what kind of personal data it has collected or is collecting,” says Foong.

“This request is, of course, subject to certain exemptions such as national security. The law should also make the government accountable for misuse of our information or negligent handling of our information.”

Other suggestions by the interviewees include data localisation laws, mandatory data breach notifications and laws that allow the public to request information from the government.

In addition, the following questions were posed to me but my answers were not featured in the article. I think it is beneficial for readers to know of the matters set out below.

1. Governments have been introducing contact tracing applications globally after the pandemic broke out. From location tracking to CCTV monitoring, these solutions are also putting people under surveillance more than ever. Concerns about data privacy and the surveillance state have already been present before — now, the pandemic has intensified this debate. What are your observations and thoughts about this? Should people be concerned?

At this juncture, the Government has represented that the information collected will only be for specific purposes eg risk assessment, contact tracing and compliance with the movement control order and other related rules and regulations. Such purposes are specifically stated in the privacy policy of the MySejahtera App at https://mysejahtera.malaysia.gov.my/privasi_en/. It even expressly declared that

The Personal Data collected will not be used for any purpose other than those mentioned above, unless if required in order to comply with any legal obligation”.

However, the Government stated that they may change the terms of privacy policy and any changes will be updated on that website. This is a cause for concern as the privacy policy may be changed to include other purposes. For example, the application may be update to, among others, track your movement which can be used to collaborate certain data. The traffic department may track if you are within a certain locality

2. At the same time, smart city solutions that use facial recognition CCTVs, smart policing, digital IDs are becoming more prevalent. Should we be concerned? What are the risks?

If it is managed in a proper manner and only for the purpose it is implemented, there should be little cause for concern. For example, if the CCTV is implemented for the purpose of prevention of crime, then any personal data collected should be for that purpose. Such personal data cannot be used for, among others, sold to third parties for targeted advertising, issuance of fines by local authorities etc.  

Personal profiling is also a cause of concern. Personal profiling can happen when one merges various data from other sources into one single dataset. For example, data collected from the traffic cams, social media profile, police reports, list of properties from the land office, and income tax information are all merged into one single data set by the Government and updated whenever there is new information. Quite clearly no one wants their personal life being intruded in this manner. Further, there is a cause for concern if there is a data leakage or misuse by third parties.

3. At the same time, we want more convenient services — enabled by technology — from the government, whom we also expect to protect us. How can we strike that balance? Is it possible? 

There can be no perfect balance. However, steps can be taken to strike this balance, and this include legislating how the Government should manage our information. Currently, the PDPA does not apply to the Government. There should be a law governing how the Government can process our information. Such law should include the right to request the Government to disclose what kind of personal data they have collected or are collecting. This request is, of course, subject to certain exemptions such as national security. The law should also make the Government accountable for misuse of our information by them or negligent handling of our information.

The Government should also hold regular consultations with the relevant stakeholders to see how citizen’s information should be processed and how it could also ease the business processes. Government must take into account of the business sectors’ needs as well. For example, a prudent lawyer would always ensure that the party that they are suing is the correct party. The National Registration Department should give leeway to lawyers to obtain such information quickly and with ease. However, the current procedure implemented by them is too stringent as they require, among others, the submission of the Court documents to prove that such information is required.

4. What can be done in Malaysia to prevent the overreach of surveillance technology? For instance, tightening the PDPA, being mindful of what technology providers we use etc. 

We should be concerned with the risk of data leakage or unauthorised disclosure especially out of Malaysia. For example, a surveillance device from a foreign country may be masqueraded as a mobile phone. The user’s data including his biometric information (e.g. fingerprint), personal photographs, other persons’ personal data may be all disclosed to these third parties.

Fortunately, many electronic devices imported or released to the country must obtain Malaysian Communications And Multimedia Commission’s approval. The Government will need to do a throughout examination of these devices before they can be made available to members of the public and trade.

Another law that we require is the data localisation laws. This means that certain personal data should only be stored in Malaysia and not transferred to another data server outside Malaysia. This could also pave way for more data centres in Malaysia.

5. What is your advice to Malaysians?

Malaysians must be vocal about how their personal data is processed, whether by the Government or by the private sector. They should voice out their concerns if one of these bodies are collecting unnecessary personal data. They should also push for laws to protect themselves instead of relying on the Personal Data Protection Commissioner to do the prosecution and investigation. Perhaps an ombudsman like the Consumer Tribunal should be introduced by the Government to allow Malaysians to file their complaints directly to the ombudsman and have the matter heard before the ombudsman. They should have the powers to call upon any witnesses and punish those who disobey.

How much information can be revealed with your IC number?

I was asked by Malaysiakini to comment on the availability of a person’s identity card number to other members of the public, particularly, by the Government to the members of the members of the public.

Open data convenient for public to access

In Malaysia, it is not difficult to obtain another person’s IC number as it is needed for various forms issued by the public and private sectors. It might even be on display on a company’s working pass for employees. Now, even despatch riders ask for an IC number to confirm the identity of the consignee.

Another lawyer, Foong Cheng Leong, said the government’s stand on the matter seems to be to allow free access to others’ data for certain purposes based on the personal data published on government websites.

“Take traffic summonses as an example, banks or potential second-hand car buyers can check if a vehicle has pending summonses,” he noted.

Foong, who is the former co-chairperson of the Bar Council Ad-Hoc Committee on Personal Data Protection (2013 to 2016), said many companies also rely on public information on these websites to work. For example, a lawyer can verify whether someone’s name and IC number are correct.

“Open data websites are convenient for the public and companies, they can get information without paperwork and without the hassle and cost of writing to the relevant departments, which usually takes some time. This may free up time for government agencies to do other work,” he said.

Multi-factor authentication for protection

Several experts have suggested that a multi-factor authentication system and accounts registration be implemented to better protect privacy.

Meanwhile, Foong said it is difficult to strike a balance between privacy and the right to information, but there should be some barriers such as registering an account with full details or paying a fee before getting access to data.

“The rule of thumb is that if one submits to do something of a public nature e.g. conduct business, sue in court, certainly his or her personal data should be made public to ensure transparency or to protect the public.

“This is so the person is traceable if they commit fraud,” he added.

 Scroll to top