When Businesses Use Your Photo Without Permission, Here’s What You Do

I was featured in Malaysian Digest’s article entitled “When Businesses Use Your Photo Without Permission, Here’s What You Do” on 24 January 2018 on what customers can do to protect their personal data. I said the following:-

Customers Need To Be Proactive To Protect Their Privacy

What then do we, as customers, can do to protect our privacy and what rights do we have as a civilian?

Foong Cheng Leong, founder of law firm Foong Cheng Leong & Co. and the Bar Council cyber law and information technology committee deputy chairperson, explained that when it comes to invasion of privacy, it depends on the scenario.

If it’s a photo taken in a public place with many other people like a group photo, it is unlikely an invasion of privacy nor it is anything unlawful.

“If the photo was a photo taken during the business transaction between the customer and the business, it could amount to a breach of Personal Data Protection Act 2010 or invasion of privacy. For example, a photo taken by a doctor of its patient during treatment.

“Also, if the photo belongs to the customer, it could amount to copyright infringement,” he said, while advising that it would be prudent to add a watermark to our photos.

And if we do find our photo being featured in advertisements without consent, we should write to the business asking them to remove it.

“They can also consider filing a complaint to the Personal Data Protection Commissioner for them to investigate the matter,” he advised.

When social media rants can land you in court

I was featured in The Star Newspaper’s article entitled “When social media rants can land you in court” on 5 January 2018 on the issue of reviewing a business online. I said the following:-

Meanwhile, Bar Council cyberlaw and information technology committee co-chairman Foong Cheng Leong told The Star that a person was free to post a review of a restaurant, on Facebook or elsewhere.

However, he said such a review should not be defamatory.

“Defamatory statements would mean the statement would expose the plaintiff to hatred, ridicule or contempt in the mind of a reasonable man, or would tend to lower the plaintiff in the estimation of right-thinking members of the public generally,” he said.

Nonetheless, Foong said sometimes it is hard to differentiate between what is defamatory or not.

“Generally, insults, negative reviews, or statements of opinion are fine. I can always say a restaurant food is terrible. It is fair comment.”

The interview by The Star Newspaper was a follow up of a decision by the High Court of Malaya in the case of Champ’s Express Heritage Sdn Bhd & Anor v Pak Loo Ke (Kuala Lumpur High Court Suit No. 23NCVC-94-12/2015). The High Court held that the Defendant had defamed the Plaintiffs when she published a posting on the 1st Plaintiff’s Champ’s Bistro, BSC. The Facebook posting had questioned the level of hygiene of the Plaintiffs’ food and also the 3rd Plaintiff, who is the founder of the 1st and 2nd Plaintiffs, among others. The same posting was made the Defendant’s Instagram account. The Defendant was a kitchen helper for 2 weeks before she published the alleged defamatory postings.

The Star Newspaper reported that the Plaintiff had succeeded in proving defamation, and the Defendant had failed in her defence of justification and fair comment.

Sugar Daddy and Sugar Babies Website – Is it illegal?

I was interviewed by The Star on the issue of legality of a local website that connects “sugar daddies” with “sugar babies”. In the article entitled “A raw nerve hit, but no laws broken“, I said the following:-

There is no law against couple matching services in Malaysia unless it is for prostitution or other illegal purposes, said Bar Council cyber law and information technology committee deputy chairman Foong Cheng Leong.

While the website’s service and users may be entering a moral grey area, Foong said “immoral doesn’t necessarily mean unlawful”.

“Payment for companionship is legal. This is unless the companionship falls under prohibited acts, which include prostitution and soliciting prostitution,” he said.

Foong was commenting on a Malaysia-based online dating platform which matches established, wealthy men or “sugar daddies” with women who are seeking financial support.

MCMC also said operating, providing and using an online service or application is not an offence under the Communications and Multimedia Act 1998.

“However, action can be taken if such a service is being used to disseminate illicit content such as obscenities, nudity, pornography and others,” it said.

Other enforcement agencies like the police may also pursue various actions under the relevant laws if there are elements of prostitution, extortion, blackmail and scams.

“Should consumers feel the app is inappropriate due to its content, they can reach out to the MCMC or the police. Investigations will be undertaken to assess if such contravene the existing laws.”

I was also interview by Digital New Asia on the same issue in their article “TheSugarBook – sweet endings or bitter disappointment?“. The relevant excerpts are as follow:-

One of the most-asked questions about TheSugarBook is whether or not such a service is legal.

“There is no law against couple matching services in Malaysia unless it is for prostitution or other illegal purposes,” says Foong Cheng Leong (pic, above), deputy chairperson of The Malaysian Bar’s Information Technology & Cyber Law Committee.

..

It must be pointed out that other popular dating apps such as Tinder or Grindr (a social networking app for LGBTQ people) could also have users who met on the app engaging in illegal activities outside of it. Many of these platforms do not enable users to report other users or have such strict regulations regarding user profiles as TheSugarBook does and it is quite usual for users to state on their profiles that they are only looking for casual sex.

According to Foong, such platforms should not be liable for what its users do outside the platform.

Though TheSugarBook does seem to be using discretion when it comes to ensuring no underage activity, none of these checks can actually guarantee that a user cannot lie their way through to a verified profile. A user could use someone else’s photo and enter their age as older, as they could on their Facebook profile, and a college student could very well be under 18.

However, being below 18 is not actually a legal requirement for registering a profile on a dating app in Malaysia. “Currently, there are no laws stipulating the minimum safety requirements of a couple matching platform,” says Foong.

“Assuming that a minor circumvents the age requirement and falsely pretends to be a person of 18 and above, I don’t think such platform would be doing anything illegal,” he continues.

BFM Podcast: LANDMARK #22: WHAT HAPPENS WHEN OUR PERSONAL DATA IS LEAKED

Late last year, it was reported that the private data of 46.2 million mobile phone subscribers were leaked sometime in the middle of 2014. All 14 telcos were affected in what is Malaysia’s biggest ever data breach. Explaining what this means for you and me is lawyer Foong Cheng Leong. He chairs the KL Bar’s Information Technology and Publications Committee.

Your browser does not support native audio, but you can download this MP3 to listen on your device.

SayaKenaHack.com and Privacy

Recently, tech blogger Keith Rozario created the website SayaKenaHack.com, a platform to allow people to check if they were affected by the data leakage of 46.2 million mobile phone subscribers. The website allowed users to key in their identity card number and the website will inform the users whether they are affected by the leakage. If they are affected, the website will yield a masked mobile number. Some users have complained that those masked numbers do not resemble their mobile numbers.

The Malaysian Communications and Multimedia Commission (MCMC), under s. 263 of the Communication and Multimedia Act 1998 (CMA), directed internet service providers to block the website SayaKenaHack.com on the ground that it had contravened s. 130 of the Personal Data Protection Act 2010 (PDPA).S. 263(2) of the CMA and s. 130 of the PDPA provide the following:

Section 263. General duty of licensees.

(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.

130 Unlawful collecting, etc., of personal data

(1) A person shall not knowingly or recklessly, without the consent of the data user-

(a) collect or disclose personal data that is held by the data user; or

(b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows-

(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data-

(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or

(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if-

(a) he has collected the personal data in contravention of subsection (1); or

(b) he subsequently collects the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

In the Personal Data Protection Commissioner Khalidah Mohd Darus’s media statement dated 17 November 2017, the Commissioner stated that SayaKenaHack.com was blocked because it had contained personal data which had been collected without the consent of the data user pursuant to s. 130 of the PDPA. The Commissioner then advised members of the public to be vigilant when sharing personal data with others, among others.

Unfortunately, Keith Rozario decided to close SayaKenaHack.com upon being blocked. It would be interesting if he had filed an action to challenge the blocking order. So far, there is no reported case on anyone challenging a “blocking order” by MCMC in Court.

There ought to be checks and balances against such blocking order. Under the s. 10A of the Sedition (Amendment) Bill 2015, the Public Prosecutor must make an application to a Sessions Court Judge to direct an officer authorised under the Communications and Multimedia Act 1998 to prevent access to any seditious publication. Likewise, s 263 of the CMA should be amended to reflect such checks and balances.

I was interviewed by The Star, on my personal capacity (not on behalf of Bar Council, as earlier reported by The Star), on this issue. In The Star’s article dated 18 November 2017 entitled “SayaKenaHack.com only provides information, does not allow data download“, I was asked whether SayaKenaHack.com was in contravention of s. 130 of the PDPA. I replied:-

SayaKenaHack.com did not breach Section 130 of the Personal Data Protection Act 2010 (PDPA), says the Bar Council cyber law and information technology committee.

The committee’s co-chairman Foong Cheng Leong said the website was merely a platform for users to check whether their personal data had been leaked or breached.

“Currently, the Malaysian Communications and Multimedia Commission (MCMC) is blocking the website for breaching Section 130 of the PDPA for unlawful collection of personal data.

“If the website allows people to download the personal data of others, then it will be a violation of PDPA.

“Therefore, the website did not violate the PDPA,” he said when contacted yesterday.

In The Star’s article dated 31 October 2017 entitled “M’sia sees biggest mobile data breach“, I added:-

“..assuming that the leak was after the enforcement of the Personal Data Protection Act 2010, there might have been a breach of the Act’s Security Principle by the data users.

The Security Principle requires data users to process personal data securely, but there is not much customers can do other than file a complaint with the Personal Data Protection Commissioner

There may be a recourse against the telecommunication companies for negligence i.e. failing to ensure that the subscribers’ personal data are adequately protected. In an article dated 20 November 2017 in The Other, I said:-

For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”

Currently, a company is now being investigated for causing the said personal data protection leakage.

On a separate issue, in The Star’s article dated 26 November 2017 entitled “Going full force to enforce Act“, the Personal Data Protection Commissioner stated that 3 companies have fined for contravening the PDPA.

The Commissioner added that mobile applications are not required to be registered under the PDPA. But the operators must comply with the PDPA since they process personal data in commercial transactions.

I was asked to comment on this issue. I said:-

..an individual has a right under the PDPA to request a copy of the personal data processed by the data user.

“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.

“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.

Foong urges the public to always be aware of what companies will use their data for by reading the privacy policy.

“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.

Withholding Tax Exemption on Payment to Non Residents For Technical Advice, Assistance, etc

The Minister of Finance has granted withholding tax exemption (WHT) on payments to non-residents that fall within Section 4A(i) and (ii) of the Income Tax Act in respect of offshore services via the Income Tax (Exemption) (No. 9) Order 2017.

In effect this reverts to the previous position, such that intellectual property services (such as trade mark, industrial designs and patent registrations) provided and performed from 6 September 2017 by a foreign intellectual property agent outside of Malaysia will be exempt from WHT.

Seminar on GET WIRED! Updates on Tech Laws and Cyber Security (24 Aug 2017)

The Bar Council Information Technology and Cyber Laws Committee is organising a seminar focusing on the important aspects of information technology (“IT”) and cyber law on 24 August 2017.

In this seminar, I will speak on the topic of “Practical Steps in Tracing a Person Online“. I will speak on keyword search investigation, and discovery orders and cases relating to discovery orders against data processors.

The other topics would be “Search and Seizures of Computers — Advising Clients” by Ravin Vello, “Wrap n Snap: Technology IP Mash-up” by Suaran Singh and “Overview of Malaysian Cyber Laws and Latest Updates” by Deepak Pillai.


Click on image to enlarge

You may register for the event at here

LegalHack Series: How to download files from the Malaysian e-Court File System (Phase 2)

[Edited on 13 December 2017]

In 2016, I posted an article entitled “LegalHack Series: How to download files from the Malaysian Court Online File Search System” (“LegalHack Case Search No. 1“). With the introduction of the new e-Court system (Phase 2), the said search method is no longer usable.

Instead of introducing a new and effective way for users to conduct file search, the new system followed the old method. A user is still required to pay a fee (RM8 and RM12 for a file search in the Subordinate Courts and High Court respectively) and the user is only given 30 minutes to do the search. It is baffling why the Court could not roll out a one-off fee to allow users to download every file instead of forcing them to view them online (ie on their browser). User will have to print the page one by one if they want to have a copy on their computer. This is fine if the document does not have many pages. However, there are a few good features introduced on this new system. For example, the timer will stop if you are loading a page, and Court issued documents (e.g. letters) can also be viewed.

For larger files (20 pages and above), it would be more time efficient to download the entire document rather than printing it one by one. Under the old efiling system, I could download a large amount of files within 30 minutes using the LegalHack Case Search No .1. Nevertheless, it is still possible to download files using Phase 2 but it is slightly more complicated.

I found one possible way (which requires no scripting or complicated software) to do so (click images below to enlarge).

The steps are as follow:-


Step 1: Purchase a Token at https://ecourtservices.kehakiman.gov.my/.


Step 2: Go to the File Search Page. Enter the token code and suit number thereafter.


Step 3: At the Case Information page, click on Document Listing.


Step 4: Choose the file you want and open it. Instead of loading the page one by one and allowing the timer to run, obtain the Serial Number (S/N) of the file at the bottom of each page.


Step 5: Once you obtain the Serial Number, go to the “Pengesahan Dokumen” page at the eCourt website. Enter the Serial Number and click on “Sahkan”. If the Serial Number is correct, you will be able to view the file without a running timer.


Step 6: Each page of the file will load when you scroll to that page. You will need to ensure that every page is full loaded before you do the next step otherwise you will have an empty page.


Step 7: Once all the pages are loaded, right click on the page and click on “Save As”. Save the entire page into a folder of your choice.


Step 8: Then go to the folder “Pengesahan Dokumen_files” and find the file “Viewer.html”. Copy and paste the file “Viewer.html” to another folder.


Step 9: Open the Viewer.html file using your Chrome browser. The file you open now will only show some buttons on the top left side and the content of the file in PNG format.


Step 10: Instead of downloading the PNG files one by one and merging them into a single file, you can save them all into one PDF file by printing the page into PDF (Ctrl + P). Choose “Save as PDF” or any PDF maker of your choice (e.g PDF24 or doPDF). Under More Settings, choose Paper Size A1 and Margins: Default. By saving it in this manner, you will have a nicely formatted PDF file. If the file is not properly formatted, you can change the Paper Size and Margins to get the right fit.

Tips:
1. Save all the files you need before converting them to PDF.
2. You may need a slightly powerful computer to convert the files into PDF as some files that you download may be very large. I had a 2 Gigabyte file from a 400 page affidavit. However, you can breakdown the conversion of the files by setting the system to print 50 or less pages per print.

Known Bugs:-
1. The eCourt system timer may reset to 0 while doing a file search. You will have to email the eCourt Helpdesk for assistance otherwise you will should purchase another token.
2. If there are two or more cases which have the same suit number (e.g. in Kuala Lumpur and Selangor Court), you will be automatically directed to one case and you have no option to choose another case.

Bread & Kaya: Are WhatsApp admins going to jail?

Bread & Kaya: Are WhatsApp admins going to jail?

By Foong Cheng Leong | May 02, 2017

– Two key elements in s. 233 are not fulfilled by a group chat admin
– To use s. 114A to attach liability on a group chat admin is stretching s. it too far

I REFER to the recent news reports stating that the Honourable Deputy Communications and Multimedia Minister Jailani Johari announced that group chat admins can be held accountable under the Communications and Multimedia Act 1998 (CMA) if they fail to stop the spread of false news to its members.

With due respect to the Honourable Deputy Ministry, the CMA, in particular s. 233 of the CMA, does not attach any liability to an admin of a group chat admin for spreading “false news”.

For ease of reference, I reproduce s. 233 of the Act:-

233 Improper use of network facilities or network service, etc

(1) A person who-

(a) by means of any network facilities or network service or applications service knowingly-

(ii) initiates the transmission of,

any comment, request, suggestion or other communication which is obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person; or

(b) initiates a communication using any applications service, whether continuously, repeatedly or otherwise, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address,

commits an offence.

(2) A person who knowingly-

(a) by means of a network service or applications service provides any obscene communication for commercial purposes to any person; or

(b) permits a network service or applications service under the person’s control to be used for an activity described in paragraph (a),

commits an offence.

(3) A person who commits an offence under this section shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding one year or to both and shall also be liable to a further fine of one thousand ringgit for every day during which the offence is continued after conviction.

The offence under s. 233(1) of the CMA is committed by a person who uses any network facilities or network service or applications service knowingly makes, creates or solicits and initiates the transmission of an offensive communication with intent to annoy, abuse, threaten or harass another person. Two key elements in s. 233 are not fulfilled by a group chat admin namely “knowingly make or initiates the offensive communication” and “with intent to annoy, abuse, threaten or harass another person”.

As for s. 233(2), liability is only attached to a person who knowingly provide or permits an applications service to provide any obscene communication for commercial purposes. This is also not applicable to the present case.

It is noted that s. 114A of the Evidence Act 1950 provides for three circumstances where an Internet user is deemed to be a publisher of a content unless proven otherwise by him or her. The relevant section, namely s. 114A(1), states that “A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host , administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”.

In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content.

To use s. 114A to attach liability on a group chat admin is stretching s. 114A too far. It must be highlighted that s. 114A was introduced to “provide for the presumption of fact in publication in order to facilitate the identification and proving of the identity of an anonymous person involved in publication through the internet” (Explanatory Statement of Evidence (Amendment) (No. 2) Bill 2012). Common sense would dictate that a group chat admin is not a publisher of their member’s messages.

In fact, in the Delhi High Court case of Ashish Bhalla vs Suresh Chawdhury & Ors, the Court held that:-

Similarly, I am unable to understand as to how the Administrator of a Group can be held liable for defamation even if any, by the statements made by a member of the Group. To make an Administrator of an online platform liable for defamation would be like making the manufacturer of the newsprint on which defamatory statements are published liable for defamation. When an online platform is created, the creator thereof cannot expect any of the members thereof to indulge in defamation and defamatory statements made by any member of the group cannot make the Administrator liable therefor. It is not as if without the Administrator‟s approval of each of the statements, the statements cannot be posted by any of the members of the Group on the said platform

Perhaps the Honourable Deputy Minister should clarify which section in the CMA attaches liability to a group chat admin to avoid further confusion and panic to group chat admins.


First published on Digital News Asia on 2 May 2017.

BFM Podcast: LANDMARK #4: FACEBOOK

Subsequent to my update on the Malaysian 2016 cyberlaw cases, I was interviewed by BFM Radio to talk about general laws applicable to social media in Malaysia on 13 April 2017. I also covered the rules applicable to your digital data after your death and how to manage them in preparation of your death.


Who owns the pictures you post on Facebook? Can comments you post on Facebook be used against you in court, even after it is deleted? How is defamation defined on social media? On this episode of Landmark, a series exploring how the law shapes society and vice versa, lawyer Foong Cheng Leong talks us through recent rulings involving the social media platform and explains where the law currently stands when it comes to Facebook.

Your browser does not support native audio, but you can download this MP3 to listen on your device.

1 2 3 4 5 28  Scroll to top