Social Media

Curb data leaks with heavier penalties

I was asked by The Star to comment on the leak of personal data of over 802,259 Malaysians allegedly siphoned from the MySPR Daftar website. The data is being sold on an online forum for US$2,000 (RM9,240), to be paid in bitcoin or monero cryptocurrency. The seller claimed that the Election Commission database includes selfies and MyKad photos (around 1.6 million photos with a file size of 67GB) that were provided for online voting registration on its MySPR Daftar website through the electronic Know Your Customer system. I said-

Bar Council co-chair of the intellectual property committee, Foong Cheng Leong, concurred, saying that such incidents have happened many times but nothing substantial has been done by the government to secure people’s data.

“Given the poor security measures by the government, the public should not volunteer so much information to them.

“The public must also demand an explanation from SPR and that it discloses full details of the investigation. Authorities have to re-look their security practices, including the online verification process,” said Foong.

Screen recruits for informants programme, ex-IGP tells Putrajaya

I was asked by FreeMalaysiaToday to comment on the Government programme called “Kita Demi Negara”, a national security programme which will recruit thousands of people to act as the home ministry’s “eyes and ears” on the ground. I said-

Lawyer Foong Cheng Leong said false or incorrect reports would not only waste government resources but also negatively affect innocent citizens.

“Obviously, there will be repercussions for submitting false or misleading information, but the effects on the victim of such abuse may be greater.”

He said the ministry must establish a detailed code of conduct for members to abide by.

PM’s Telegram account hacked

I was asked by FreeMalaysiaToday to comment about the effect of the hacking of the Prime Minister’s Telegram account. I said-

Commenting on the matter, lawyer Foong Cheng Leong said the biggest concern in such incidents was the spread of misinformation and the scale of damage it causes.

“If someone uses the account to spread fake news, people could screenshot it and make it go viral. That’s the main danger,” he told FMT.

However, he said it was unlikely that the government would use such platforms when disseminating confidential information.

Power of online petitions: Working collectively to inspire change

I was asked by The Star to comment on legal matters concerning online petitions. I said-

Fact or fiction?

However, it’s important to verify the validity of a petition before supporting it, as not all petitions are based on facts.

Foong Cheng Leong, Bar Council Information Technology and Cyber Laws Committee [former] deputy chairman, urges people to be more wary about the information presented in a petition before signing or sharing one online.

Like in any other online post, the text in petitions has to be carefully worded so that they do not defame or affect the livelihood of anyone adversely.

“Petitions can be defamatory. A petition usually starts with an introduction using background facts, which can be untrue,” he says.

According to Foong, online petitions are treated the same as website posts in the eyes of the law.

“Perhaps the slight difference is that the court is able to see how many people have reacted to the defamatory statements by looking at the petition numbers,” he adds.

Foong explains that online petitions have no effect on legal proceedings and that public opinion is not valid in court for ongoing cases.

“The court bases its decisions on facts and evidence, not on public opinion. Courts are cautious when dealing with public opinion as not to equate it with the public interest,” he says.


Is it past time for Malaysia to establish its own official petition platform? Foong says it will be a good start, as it will allow issues to be raised with the government.

“In the olden days, people started petitions in the hope that the mainstream media would report it so that the relevant people would become aware of the issue,” he adds.


In the meantime, Malaysians who want to create an online petition will still have to rely on third-party platforms.

Foong urges anyone wanting to post a petition to be careful about how they phrase their concerns.

“Like in any other online post, the text in petitions has to be carefully worded so that they do not defame or affect the livelihood of anyone adversely,” he says.


Talks on music rights and royalties have been a prevalent and controversial topic especially between artists and record labels. How can musicians protect their craft and work and be more empowered on the subject? To get a basic understanding on the issue, we speak to Foong Cheng Leong, Co-chair of the Intellectual Property Committee of the Bar Council to explore the framework of intellectual property and understand its role in the music industry.

Produced by: Daryl Ong, Haniff Baharudin
Presented by: Daryl Ong, Haniff Baharudin

Advisable for management bodies of high-rise residences to abide by act

I was asked by The Star to comment on whether the Personal Data Protection Act 2010 (PDPA) binds management bodies of high-rises from disclosing details about residents who contracted Covid-19. I said-

Bar Council Intellectual Property Committee co-chairperson Foong Cheng Leong said it was unclear if management bodies were involved in the processing of personal data for commercial purposes.

“There are different views to this. Nevertheless, there is no blanket exemption for JMBs and MCs.

“In light of this uncertainty, it’s advisable for them to comply with the PDPA.

“In any event, disclosure of information of residents with Covid-19 is highly discouraged as it could breach the PDPA and even amount to an invasion of privacy, ” he said.

There are views that management bodies collecting monthly maintenance fee to service the building providing is a form of a “commercial transaction” and thus the PDPA applies. The PDPA only applies to personal data in respect of a commercial transaction.

However, it is noted that the Strata Management Act 2013 empowers a management body to collect charges for the purpose of maintenance and management of the building. It is therefore arguable that they are merely exercising a legal duty and not conducting a “commercial transaction”.

Experts take dim view of Covid-19 ‘vaccine passport’ for Malaysians

I was asked by The Malay Mail to comment on the privacy aspect of a “vaccination passport”, a document (whether electronic or not) showing that a person had been vaccinated. I said-

According to privacy lawyer Foong Cheng Leong, there could be privacy concerns with such a passport, depending on what data is collected and shared by the governments.

“If it is standard information that is being shared when a person travels from country to country, that should be fine.

“However, a person’s medical information is sensitive personal data and the sharing of such information should be limited,” said Foong.

He suggested that for the purpose of combating Covid-19, the information shared should only be limited to matters related to Covid-19 and not a person’s health information in general


This question follows the recent judgement by the courts to hold Malaysiakini responsible for comments made by readers on its online portal. Lawyer Foong Cheng Leong helps us figure out whether individuals could also be held legally accountable.

Produced by: Kelvin Yee
Presented by: Sharmilla Ganesan, Lee Chwi Lynn


  1. Peguam Negara Malaysia v Mkini Dotcom Sdn Bhd & Anor (Setting aside ex parte leave order to allow contempt proceedings to commence against the Mkini Dotcom Sdn Bhd and its Chief Editor)
  2. Peguam Negara Malaysia v Mkini Dotcom Sdn Bhd & Anor (Majority)
  3. Peguam Negara Malaysia v Mkini Dotcom Sdn Bhd & Anor (Minority)

Malaysia’s First Action against Unknown Persons on Cyberspace

Every legal author’s dream is to have his or her writing quoted in a Court case. I am stoked that my book “Foong’s Malaysia Cyber, Electronic Evidence and Information Technology Law” was recently quoted by Justice Ong Chee Kwan in the High Court case of Zschimmer & Schwarz GmbH & Co KG Chemische Fabriken v Persons Unknown & Anor. His Lordship made reference to a section of my book regarding action against Persons Unknown. Many thanks to Lee Shih for taking the effort to have my book quoted.

In this case, the High Court granted an ex-parte proprietary injunction and Mareva injunction against “persons unknown” as the 1st defendant. The plaintiff was a victim of cross-border cyber fraud known as a “push payment fraud” where the victim is tricked over emails to make a payment for a legitimate transaction into a different bank account under the control of the fraudster. The plaintiff, a German company, was in communication with its South Korean counterparty. The fraudster, being Persons Unknown, deceived the plaintiff into paying into the 2nd defendant’s bank account the sum of EUR 123,014.65 (approximately close to RM 600,000.00) by infiltrated the email communications between the plaintiff and the South Korean counterparty. The plaintiff thought it was making a genuine payment to its South Korean counterparty for a commission payment. Instead, the fraudster had siphoned the Plaintiff’s monies away.

Justice Ong Chee Kwan delivered the first known decision on a persons unknown injunction. After going through a series of English cases against Persons Unknown, his Lordship held-

[40] It is not usually the case that a defendant is described as ‘Persons Unknown’. Nevertheless, the Court can grant interlocutory orders against the 1st Defendant — being Persons Unknown. In cases like the present which involve cyber fraud and fake email addresses, the fraudster or fraudsters are unknown. English case law have allowed for similar injunctive orders against ‘Persons Unknown’. There is nothing in our Rules of Court 2012 that would prevent the Writ of Summons and applications from being filed against Persons Unknown.


[49] As stated above, there is nothing in our Rules of Court 2012 prohibiting the making of an order against Persons Unknown. In fact, Order 89 of the Rules of Court 2012 for summary proceedings for possession of land allows for a defendant reference to Persons Unknown.[See Fauziah Ismail & Ors v Lazim Kanan & Orang-Orang Yang Tidak Diketahui [2013] 7 CLJ 37 (CA); the commentary in Foong’s Malaysia Cyber, Electronic Evidence and Information Technology Law, para [8.098] to [8.100]].

The section referred by Justice Ong Chee Kwan can be seen below-

It is also interesting to note that his Lordship had referred to a case where substituted service was done vide email and WhatsApp messenger. This is also a case which we had acted for the Plaintiff against the defendant for trade mark infringement.

The case name is 30 Maple Sdn Bhd v Noor Farah Kamilah binti Che Ibrahim (Kuala Lumpur High Court Suit No: WA-22IP-50-12/2017). However, the significance of this case will soon be eclipsed by the new amendments to the Rules of Court 2012 which allows for electronic service.

Digital Edge: Techtalk: Rapid digitalisation — what happens to privacy?

I was asked by The Edge to comment about the the current state of Malaysia’s own Personal Data Protection Act 2010.

Sonia Ong of Wong & Partners, Maneesh Chandra, chief technology officer of Firmus Sdn Bhd and Vernon Chua, CEO of enterprise data analytics start-up Innergia Labs Sdn Bhd are also featured in this article. The full article can be viewed at The Digital Edge’s website.

1 The PDPA explained
The PDPA, in a nutshell, is meant to legislate protection around the collection, storage and usage of personal data collected by the private sector, according to lawyer Foong Cheng Leong. The public sector and, generally speaking, contractors operating on behalf of the government are exempt from the provisions of the PDPA.

“The laws require that any personally identifiable data, collected in the course of commercial transactions, be stored safely, along with additional requirements to be transparent about its use to individuals who provided the data in the first place.”

One key issue, however, has to do with a lack of clarity on what constitutes a “commercial transaction”, Foong says. While personal data collected in the course of completing a contractual agreement — for example, swiping a credit card or signing up for a broadband service — is protected under the PDPA, it is not certain what else, if anything, constitutes a commercial transaction in Malaysia.

“It is unclear, for example, in the case of a company that might be required to collect personal data, for security purposes, from individuals they don’t have a direct contractual or commercial relationship with. Right now, there isn’t much additional guidance from the Data Protection Commission, the body enacted by the PDPA to oversee administration and enforcement of the law.”

While the PDPA is meant to regulate what businesses are allowed to do with personal data, the law confers certain rights on so-called “data subjects”. This is a term used to denote anyone who is able to be identified from the personal data collected.

An individual, for example, is conferred the right to revoke consent from the “data user” — this being the entity that collected the personal data in the first place.

Failure by the data user to respect this request could attract fines, jail terms or both.

1 2 3 14  Scroll to top