Compoundable Offences under the Personal Data Protection Act 2010

Certain offences under the Personal Data Protection Act 2010 (PDPA) are compoundable as of 15 March 2016.

Under the Personal Data Protection (Compounding of Offences) Regulations 2016, the following offences are compoundable by making payment to the Commissioner of Personal Data Protection Malaysia:-

Offences under the PDPA

(1) Breach of any of the Personal Data Protection Principles (s. 5(2))
(2) Processing of personal data without the required registration under the PDPA (this is only applicable to certain classes of users) (s. 16(4))
(3) Processing of personal data after registration under the PDPA is revoked by the Personal Data Protection Commissioner (s. 18(4))
(4) Failure to surrender certificate of registration after revocation (s. 19(2))
(5) Failure to make a note on an expression of opinion which is considered as inaccurate, incomplete, misleading or not up-to-date by a person who made a data correction request and using that expression of opinion without the note being drawn to the attention of and being available for inspection by that person (s. 37(4))
(6) Failure to cease processing of personal data upon receipt of withdrawal of consent to process personal data (s. 38(4))
(7) Processing of sensitive personal data without explicit consent (s. 40(3))
(8) Failure to comply with an enforcement notice (s. 108(8))

Offences under the Personal Data Protection Regulations 2013

(1) Failure to obtain consent from a data subject in relation to the processing of personal data in any form that such consent can be recorded and maintained properly by the data user (Reg 3(1))
(2) Failure to develop and implement a security policy, or implementing a security policy that does not comply with the security standards set by the Commissioner; failure to ensure that any data processor complies with the security standard in the processing of personal data (Reg 6)
(3) Failure to comply with the retention standards set out by the Commissioner (Reg 7)
(4) Failure to comply with the data integrity standards set out by the Commissioner (Reg 8)

Offences under the Personal Data Protection (Registration of Data User) Regulations 2013

(1) Failure to renew the data user certificate of registration and continuing to process personal data after expiry of the certificate of registration (Reg. 5)
(2) Failure to notify the Commissioner in writing of any change to the particulars in the certificate of registration (Reg 6(5))
(3) Failure to display the certificate of registration and any amendment to the certificate, if any, at a conspicuous place at the principal place of business and a certified copy of the certificate for each branch, where applicable. (Reg 8(3))

BFM Podcast: CYBERSTALKING

I was interviewed by BFM Radio to talk about stalking and harassment laws in Malaysia in general on 10 January 2017.


Japan just recently introduced laws to ban cyberstalking after a musical artist there was stabbed by a fan. Malaysia, while having laws that deal with harassment, has yet to introduce laws on stalking. We hear from blogger Cindy on her experience with being stalked and lawyer Foong Cheng Leong on what laws we presently have to deal with it.

BFM Podcast: LANDMARK #3: INSULTS

I was interviewed by BFM Radio to talk about online insults and the Communications and Multimedia Act 1998 on 18 July 2016.


Last month, a 76-year-old man was arrested by the police for allegedly posting an insulting picture in a Whatsapp group chat. The man, identified as Pa Ya in media reports, was arrested in Petaling Jaya, where he lives, and taken into custody for investigation, under Section 233 of the Communications and Multimedia Act 1998, in Johor. On this month’s episode of Landmark, a series examining how the law shapes society and vice versa, lawyer Foong Cheng Leong explains what constitutes an insult and when it is considered an offense.

SPAD proposal to rename Uber, Grab raises eyebrows

I was quoted by The Malay Mail Online on the Land Public Transport Commission’s (SPAD) proposal to rename Uber and Grab in their article SPAD proposal to rename Uber, Grab raises eyebrows.

Lawyer Foong Cheng Leong told Malay Mail Online that while SPAD could rename both services, it would take more than just a directive from the transport regulator.

He said the move would require an amendment to the Land Public Transport Act 2010 to bring the services under the purview of the legislation.

“Once they (Uber and Grab) are included in the Act, the government can dictate the names of the operators,” he said.

However, SPAD later denied reports that it may change the names of Uber and Grab as part of its plan to regulate ride-hailing services.

See also Bread & Kaya: Uber and GrabCar services legal in Malaysia?

Bread & Kaya: Cyberbullying, stalking and sexual harassment

By Foong Cheng Leong | Jun 28, 2016

– Current laws narrowly and vaguely define harassment
– It is high time Malaysia legislates against it

In Mohd Ridzwan bin Abdul Razak v Asmah Binti HJ. Mohd Nor (Kuala Lumpur Civil Suit No. 23NCVC-102-12/2011), the Defendant alleged that the Plaintiff had sexually harassed her at their workplace.

The Defendant alleged that numerous vulgar and harassing words were uttered to her and they included the following:

– kalau nak cari jodoh cari yang beriman, solat, you kena solat istikarah .. . bila you solat istikarah, you akan mimpi you berjimak dengan orang tu! (If you’re looking for a partner, look for someone pious. You will need to pray. When you pray, you will dream of having sex with that person!)
– you ni asyik sakit kepala saja, you ni kena kahwin tau … you nak laki orang tak? (You’re always having a headache. You need to get married, you want someone’s husband?)
– you nak jadi wife I tak? I banyak duit tau. (You want to be my wife? I have a lot of money).

The Defendant filed a complaint against the Plaintiff to the company and a committee of inquiry was set up to investigate the complaint.

The committee found that there was insufficient evidence to warrant disciplinary action to be taken against the Plaintiff, but a strong administrative reprimand was given.

Aggrieved, the Plaintiff sued the Defendant for defamation and the Defendant counterclaimed for the tort of sexual harassment.

The High Court dismissed the Plaintiff’s claim and allowed the Defendant’s counterclaim. She was awarded RM100,000 in general damages and RM20,000 in aggravated and exemplary damages.

The Plaintiff appealed against the judgment to the Court of Appeal (Court of Appeal Civil Appeal No. W-02(NCVC)(W)-2524-10-2012).

The Court of Appeal dismissed the appeal and held that what the Plaintiff did amounts to the tort of intentionally causing nervous shock.

The Court of Appeal, however, fell short of declaring that there is a tort of harassment in Malaysia.

Dissatisfied again, the Plaintiff filed an appeal with the Federal Court. Unfortunately for the Plaintiff again, the Federal Court (Federal Court Civil Appeal No 01(f)-13-06/2013 (W)) dismissed the appeal.

The Federal Court added:

[39] After mulling over the matter, we arrived at a decision to undertake some judicial activism exercise and decide that it is timely to import the tort of harassment into our legal and judicial system, with sexual harassment being part of it.

The introduction of the tort of harassment is a significant improvement to our laws. Victims of harassment and cyberbullying now have an easier avenue to obtain redress from our Courts.

In my earlier article Bread & Kaya: Cyberstalking, harassment … and road rage, published in July 2014, I said that we do not have specific laws to govern harassment, and hence it is difficult to determine whether an act amounts to harassment without a legal definition.

Section 233 of the Communications and Multimedia Act 1998 criminalises certain forms of harassment, but it must be an electronic communication which is obscene, indecent, false, menacing or offensive in character.

But as we can see, harassment comes in all sorts of forms.

Furthermore, there have been complaints that industry regulator the Malaysian Communications and Multimedia Commission (MCMC) is selective in prosecuting cases. Not all complaints are acted upon.

Before the Federal Court decision, it was tougher to seek legal redress as there was no reported case law holding that there is a tort of harassment in Malaysia. When the Court of Appeal delivered the decision of Ridzwan, it equated an action for the tort of harassment with the tort of intentionally inflicting nervous shock.

Such equation is significant because the threshold to succeed in an action for nervous shock is high. A victim needs to prove that he or she suffered some form of psychiatric illness or injury. Normally, this would need to be proven by a doctor, and a victim may not see a doctor immediately.

Further, a victim of harassment does not necessarily suffer such a medical condition. Harassment normally causes distress, annoyance or humiliation.

In Malcomson Nicholas Hugh Bertram v Mehta Naresh Kumar [2001] 3 SLR 379, the Singapore High Court defined harassment as the following:

For the purposes of this application I shall take the term harassment to mean a course of conduct by a person, whether by words or action, directly or through third parties, sufficiently repetitive in nature as would cause, and which he ought reasonably to know would cause, worry, emotional distress or annoyance to another person.

This is not intended to be an exhaustive definition of the term but rather one that sufficiently encompasses the facts of the present case in order to proceed with a consideration of the law.

It would be interesting to see how far the tort of harassment could help victims of stalking, harassment and cyberbullying.

The common form of online harassment and cyberbullying nowadays is to set a mob of netizens against a person, or what is known as cyber-lynching.

Many have become victims of such cyber-lynching, and they may not have a legal redress as the attacks are not done by a single person – they could be shared by thousands of people and acted upon by numerous vigilante netizens independently.

Victims would have a hard time finding the perpetrators, and the legal costs would be prohibitive.

It is high time for Malaysia to legislate against harassment.


First published on Digital News Asia on 28 June 2016.

Event: ASEAN IT Security Conference 2016

I will be speaking at the ASEAN IT Security Conference 2016 on the topic “Dealing with Computer Crimes Within the Organisation: A Case Study on Computer Crimes Act 1997”.


Details about the event

Cyber security is headline news almost constantly because hacks, data theft and high profile breaches are now a part of daily life and almost impossible to avoid. In 2016, a number of new laws will be enacted in the US, Europe and Asia that all have important, and potentially financially punitive, ramifications for Asian-based organizations.

However, the C-Suite are not fully conversant with the correct strategy by which cyber security investments should be made. This is not a business ROI that can be expected. Cyber-warfare and cyber security investments are akin to military spending. We have to do it in the hope that we never use the tools.

This is anathema to many business investments, however the consequences of not taking this approach could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organization.

At this conference series, IDC and its partners will share some of the new people, process and technology strategies that the C-Suite should consider to be better prepared for future incidents, and whilst absolute security cannot be guaranteed, making your organization a hard target to breach may well be the solution for the future.

Based on the IDC IT Security MaturityScape, IDC will share how some of the best-in-class organizations globally think about managing their IT Security teams, from board-level reporting to IT operational management.

This holistic view will help the C-Suite, and those that report in to the C-Suite to more eloquently articulate the issues, challenges and requirements that will be critical to ensure that future attack surface is minimized, and suitable crisis management plans and responses are in place.

Attend this event to learn more about how to deflect the latest attacks and what more you can do to deliver a more secure environment to your business.

Speakers

David Rajoo
Director, Systems Engineering, Symantec Malaysia

Foong Cheng Leong
Advocate and Solicitor, Foong Cheng Leong & Co

Javenn Ng
DPtech Lead & Business Development Director, DPtech

Jayan Arunasalam
Head of Technology & Innovation, Tune Protect Group Berhad

Marcus Lai
Vice President, International Business, DPtech

Peter Leong
Head, Regional IT – Asia, PETRONAS Lubricants International Sdn. Bhd.

Simon Piff
Associate Vice President, Enterprise Infrastructure & Head of IT Security Research, IDC Asia/Pacific

Thillai Raj T. Ramanathan
Chief Technology Officer, MIMOS Berhad

For more information, please visit here.

LegalHack Series: How to download files from the Malaysian Court Online File Search System

One of the weaknesses of our Court’s efiling system is the online file search system. A user has to pay RM12 (for High Court and above) or RM6 (for Subordinate Courts) to be able to do an online file search for a maximum period of 30 minutes. The time runs upon opening a file on the website (at main page, under Public Services menu).

However, one cannot download a file from the website but one can only view it. The viewing function allows one to view one page at a time and also print one page at a time. Each page takes some time to load and 30 minutes is not sufficient.

This is baffling. Why can’t they put a function to allow users to download the entire file? This is what you get when you roll out a system without proper consultation with the end users.

In any event, to overcome this problem, I found a solution. Here are the steps:-

1. Download the free software PDF24 and install it on your PC.
2. Open the file you intend to download on the Online File Search System (log in to the system first).
3. Choose PDF24 as the printer.
4. Every page will be printed as a separate file on PDF24. To merge them, click on the Merge button on top. All the pages will be merged into one file!
5. Save the file.
6. Repeat steps 2 to 5 above for other files.

* Tip – Close the file on the search system to stop the timer.

BFM Podcast: WEB OF EXPLOITATION

I was interviewed by BFM Radio on the issue of sexual grooming and the sex offenders registry, and the podcast was published on 8 June 2016.


The rise of pedophilia and other sex offences recently has put in the spotlight predatory behaviour both on and offline. Today we look at how the lack of proper regulation is one source of the challenge. We also explore ways to combat online sexual predators.

This report is by Wan Irdina.
