Data Privacy

BFM Podcast: LANDMARK #22: WHAT HAPPENS WHEN OUR PERSONAL DATA IS LEAKED

Late last year, it was reported that the private data of 46.2 million mobile phone subscribers were leaked sometime in the middle of 2014. All 14 telcos were affected in what is Malaysia’s biggest ever data breach. Explaining what this means for you and me is lawyer Foong Cheng Leong. He chairs the KL Bar’s Information Technology and Publications Committee.


SayaKenaHack.com and Privacy

Recently, tech blogger Keith Rozario created the website SayaKenaHack.com, a platform that allowed people to check whether they were affected by the data leakage of 46.2 million mobile phone subscribers. Users keyed in their identity card number and the website told them whether they were affected by the leakage. If they were affected, the website returned a masked mobile number. Some users complained that those masked numbers did not resemble their mobile numbers.
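The privacy question in this section turns on what such a lookup service actually holds and discloses. The following is an added example, not Keith Rozario's code and not a description of how SayaKenaHack.com was built: it shows one way a breach-check service can answer "was my IC number in the leak?" while keeping only a keyed hash of each IC number and a masked mobile number, so the raw personal data is neither stored nor returned. The pepper, the sample records and the masking rule (last four digits visible) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Secret pepper known only to the service. It is generated at random here so the
# example runs stand-alone; a real deployment would load it from a secret store.
# A keyed hash is used rather than a plain SHA-256 because IC numbers are short,
# structured strings that a plain hash would not protect if the index leaked.
PEPPER = secrets.token_bytes(32)


def normalise_ic(ic_number: str) -> str:
    """Keep only digits so '900101-10-1234' and '900101101234' compare equal."""
    return "".join(ch for ch in ic_number if ch.isdigit())


def ic_token(ic_number: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised IC number; the raw number is never stored."""
    return hmac.new(pepper, normalise_ic(ic_number).encode(), hashlib.sha256).hexdigest()


def mask_mobile(number: str, visible: int = 4) -> str:
    """Reveal only the last `visible` digits, e.g. 0123456789 -> ******6789."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


def build_index(records):
    """records: iterable of (ic_number, mobile_number) pairs from the leaked file.

    Returns {ic_token: masked_mobile}. Only this index is retained by the service;
    the raw records are discarded after ingestion.
    """
    index = {}
    for ic, mobile in records:
        index[ic_token(ic)] = mask_mobile(mobile)
    return index


def check(index, ic_number):
    """Return the masked mobile number if the IC number is in the breach, else None."""
    return index.get(ic_token(ic_number))


# Constructed sample records for the example - not real subscribers or real numbers.
SAMPLE_RECORDS = [
    ("900101-10-1234", "012-3456789"),
    ("850505-14-5678", "019-8765432"),
]
INDEX = build_index(SAMPLE_RECORDS)

if __name__ == "__main__":
    print(check(INDEX, "900101101234"))   # ******6789
    print(check(INDEX, "000000-00-0000")) # None
```

Two design points follow from the page's own distinction between a lookup platform and a site that lets people download others' data. First, the index cannot be turned back into a list of subscribers without the pepper, and even a successful lookup reveals only a masked number. Second, any such service is still a yes/no oracle for whoever types in an IC number, so in practice it needs rate limiting and an audit trail on the `check` endpoint, which this example leaves out.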

The Malaysian Communications and Multimedia Commission (MCMC), under s. 263 of the Communications and Multimedia Act 1998 (CMA), directed internet service providers to block the website SayaKenaHack.com on the ground that it had contravened s. 130 of the Personal Data Protection Act 2010 (PDPA). Section 263(2) of the CMA and s. 130 of the PDPA provide the following:

Section 263. General duty of licensees.

(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.

130 Unlawful collecting, etc., of personal data

(1) A person shall not knowingly or recklessly, without the consent of the data user-

(a) collect or disclose personal data that is held by the data user; or

(b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows-

(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data-

(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or

(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if-

(a) he has collected the personal data in contravention of subsection (1); or

(b) he subsequently collects the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

In the Personal Data Protection Commissioner Khalidah Mohd Darus’s media statement dated 17 November 2017, the Commissioner stated that SayaKenaHack.com was blocked because it contained personal data which had been collected without the consent of the data user, contrary to s. 130 of the PDPA. The Commissioner also advised members of the public, among other things, to be vigilant when sharing personal data with others.

Unfortunately, Keith Rozario decided to close SayaKenaHack.com upon being blocked. It would have been interesting had he filed an action to challenge the blocking order. So far, there is no reported case of anyone challenging a “blocking order” by MCMC in Court.

There ought to be checks and balances against such blocking orders. Under s. 10A of the Sedition (Amendment) Bill 2015, the Public Prosecutor must make an application to a Sessions Court Judge to direct an officer authorised under the Communications and Multimedia Act 1998 to prevent access to any seditious publication. Likewise, s. 263 of the CMA should be amended to reflect such checks and balances.

I was interviewed by The Star, in my personal capacity (not on behalf of the Bar Council, as earlier reported by The Star), on this issue. In The Star’s article dated 18 November 2017 entitled “SayaKenaHack.com only provides information, does not allow data download”, I was asked whether SayaKenaHack.com was in contravention of s. 130 of the PDPA. I replied:-

SayaKenaHack.com did not breach Section 130 of the Personal Data Protection Act 2010 (PDPA), says the Bar Council cyber law and information technology committee.

The committee’s co-chairman Foong Cheng Leong said the website was merely a platform for users to check whether their personal data had been leaked or breached.

“Currently, the Malaysian Communications and Multimedia Commission (MCMC) is blocking the website for breaching Section 130 of the PDPA for unlawful collection of personal data.

“If the website allows people to download the personal data of others, then it will be a violation of PDPA.

“Therefore, the website did not violate the PDPA,” he said when contacted yesterday.

In The Star’s article dated 31 October 2017 entitled “M’sia sees biggest mobile data breach”, I added:-

“...assuming that the leak was after the enforcement of the Personal Data Protection Act 2010, there might have been a breach of the Act’s Security Principle by the data users.

The Security Principle requires data users to process personal data securely, but there is not much customers can do other than file a complaint with the Personal Data Protection Commissioner.”

There may be a recourse against the telecommunication companies for negligence, i.e. failing to ensure that the subscribers’ personal data are adequately protected. In an article dated 20 November 2017 in The Other, I said:-

For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”

A company is currently being investigated for causing the said personal data leakage.

On a separate issue, in The Star’s article dated 26 November 2017 entitled “Going full force to enforce Act”, the Personal Data Protection Commissioner stated that 3 companies had been fined for contravening the PDPA.

The Commissioner added that mobile applications are not required to be registered under the PDPA. But the operators must comply with the PDPA since they process personal data in commercial transactions.

I was asked to comment on this issue. I said:-

“...an individual has a right under the PDPA to request a copy of the personal data processed by the data user.

“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.

“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.

Foong urges the public to always be aware of what companies will use their data for by reading the privacy policy.

“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.

CCTVs in cinema are legal, but…

I was quoted in an article entitled “CCTVs in cinema are legal, but…” in the Free Malaysia Today news portal on 21 March 2017. It was reported that Kuala Terengganu has finally had its first cinema in 20 years. However, CCTV cameras are installed in each of the cinema halls, and the footage from the halls is broadcast live on a big screen placed in the cinema’s lobby.

The relevant extract from my statement is as follows:-

PETALING JAYA: If you’re a cinema owner and you’re subjecting your patrons to CCTV monitoring, you must get their consent before publicly displaying the footage.

Otherwise, you would run afoul of the Personal Data Protection Act (PDPA), said lawyer Foong Cheng Leong in a comment on Lotus Five Star’s decision to monitor activities in the viewing hall of its cinema in Kuala Terengganu.

He said the monitoring was legal but the public display of footage required the consent of those affected.

“As long as people who go to the cinema know that they will be recorded and the recording will be publicly displayed, and they show agreement to this condition by buying tickets, then it’s okay,” he told FMT.

He said the PDPA required a privacy notice to be published to tell moviegoers how the CCTV footage would be used.

Creepshotting

I was quoted in an article entitled “Cheap Shots” by Renyi Lim in ELLE Malaysia (March 2017). The article spoke about the practice of “creepshotting”, the act of taking pictures of a person, generally a woman, without his or her knowledge or consent.

I said:-

“Unfortunately, creepshotting is not against the law or an invasion of privacy,” explains Foong Cheng Leong, chairperson of the Kuala Lumpur Bar Information Technology Committee. “To be an invasion of privacy, there must be a reasonable expectation of privacy. A person cannot reasonably claim expectation if that person is in a public area, and pictures taken of that person involve parts of his or her body that can be seen by anyone in public, like their face or body.”

Notwithstanding the above, creepshotting can be a criminal act if it falls under section 509 of the Penal Code. Section 509 of the Penal Code states as follows:-

Whoever, intending to insult the modesty of any person, utters any word, makes any sound or gesture, or exhibits any object, intending that such word or sound shall be heard, or that such gesture or object shall be seen by such person, or intrudes upon the privacy of such person, shall be punished with imprisonment for a term which may extend to five years or with fine or with both.

But it is unlikely to be a criminal act if the shots were taken on a part of a person which can be seen by anyone e.g. a person’s face, body etc.

However, this would be different if that person is constantly harassing the victim e.g. stalking her day to day. If this happens, the victim can consider initiating an action for harassment.

Compoundable Offences under the Personal Data Protection Act 2010

Certain offences under the Personal Data Protection Act 2010 (PDPA) are compoundable as of 15 March 2016.

Under the Personal Data Protection (Compounding of Offences) Regulations 2016, the following offences are compoundable by making payment to the Commissioner of Personal Data Protection Malaysia:-

Offences under the PDPA

(1) Breach of any of the Personal Data Protection Principles (s. 5(2))
(2) Processing of personal data without the required registration under the PDPA (this is only applicable to certain classes of data users) (s. 16(4))
(3) Processing of personal data after registration under the PDPA is revoked by the Personal Data Protection Commissioner (s. 18(4))
(4) Failure to surrender certificate of registration after revocation (s. 19(2))
(5) Failure to make a note on an expression of opinion which is considered as inaccurate, incomplete, misleading or not up-to-date by a person who made a data correction request and using that expression of opinion without the note being drawn to the attention of and being available for inspection by that person (s. 37(4))
(6) Failure to cease processing of personal data upon receipt of withdrawal of consent to process personal data (s. 38(4))
(7) Processing of sensitive personal data without explicit consent (s. 40(3))
(8) Failure to comply with an enforcement notice (s. 108(8))

Offences under the Personal Data Protection Regulations 2013

(1) Failure to obtain consent from a data subject in relation to the processing of personal data in any form that such consent can be recorded and maintained properly by the data user (Reg 3(1))
(2) Failure to develop and implement a security policy, or implementing a security policy that does not comply with the security standards set by the Commissioner; and failure to ensure that the security standard in the processing of personal data is complied with by any data processor (Reg 6)
(3) Failure to comply with the retention standards set out by the Commissioner (Reg 7)
(4) Failure to comply with the data integrity standards set out by the Commissioner (Reg 8)

Offences under the Personal Data Protection (Registration of Data User) Regulations 2013

(1) Failure to renew the data user certificate of registration while continuing to process personal data after expiry of the certificate of registration (Reg 5)
(2) Failure to notify the Commissioner in writing of any change to the particulars in the certificate of registration (Reg 6(5))
(3) Failure to display the certificate of registration and any amendment to the certificate, if any, at a conspicuous place at the principal place of business, and a certified copy of the certificate at each branch, where applicable (Reg 8(3))

BFM Podcast: WEB OF EXPLOITATION

I was interviewed by BFM Radio on the issue of sexual grooming and a sex offenders registry, and the podcast was published on 8 June 2016.


The recent rise in paedophilia and other sex offences has put predatory behaviour, both online and offline, in the spotlight. Today we look at how the lack of proper regulation is one source of the challenge. We also explore ways to combat online sexual predators.

This report is by Wan Irdina.

BFM Podcast: WHAT HAPPENS WHEN YOUR SEX TAPE IS PUBLISHED?

I was interviewed by BFM Radio to talk about invasion of privacy in Malaysia and the podcast was published on 27 April 2016.

On March 21st, a six-person jury awarded Hulk Hogan, the stage name of retired professional wrestler Terry Bollea, $140 million in civil damages for a sex tape that gossip website Gawker published in 2012. In doing so, the jury found that Hulk Hogan’s privacy was violated as the tape was made and distributed without his permission. How far can public interest encroach into privacy rights? Lawyer Foong Cheng Leong explains how such a case would play out in a Malaysian court.

BFM Podcast: APPLE VERSUS THE FBI

I was interviewed by BFM Radio on 24 February 2016 to talk about the US Government’s request to compel Apple Inc. to assist in accessing a suspected terrorist’s iPhone.

On February 16, Apple published a message on its website, outlining to its customers that they would not be complying with a request from the U.S. government. The request was for Apple to unlock the iPhone encryption of Syed Rizwan Farook, one of two perpetrators of a mass shooting in San Bernardino last year. Explaining what’s at stake in the current debate between Apple and the U.S. Government is Foong Cheng Leong, chairman of the KL Bar Information Technology Committee, and a member of the Bar Council Intellectual Property Committee.


Personal Data Protection Commissioner publishes the Personal Data Protection Standard 2015

On 23 December 2015, the Personal Data Protection Commissioner (“Commissioner”) published the Personal Data Protection Standard 2015 after consulting members of the public. The Standard sets out the minimum standards to process personal data and it is applicable to anyone who processes or has control or authorises the processing of any personal data relating to commercial transactions. Broadly, it sets out the security standards (electronic and non-electronic processing), retention standards and integrity standards.

For more information, please refer to the Personal Data Protection Standard 2015 (in the Malay language only). The English language version will be released by the Commissioner in due course.

[Edited: 6/1/2018] The Personal Data Protection Standards 2015 can be downloaded here.
