Advisable for management bodies of high-rise residences to abide by act

I was asked by The Star to comment on whether the Personal Data Protection Act 2010 (PDPA) binds management bodies of high-rises from disclosing details about residents who contracted Covid-19. I said-

Bar Council Intellectual Property Committee co-chairperson Foong Cheng Leong said it was unclear if management bodies were involved in the processing of personal data for commercial purposes.

“There are different views to this. Nevertheless, there is no blanket exemption for JMBs and MCs.

“In light of this uncertainty, it’s advisable for them to comply with the PDPA.

“In any event, disclosure of information of residents with Covid-19 is highly discouraged as it could breach the PDPA and even amount to an invasion of privacy, ” he said.

There are views that management bodies collecting monthly maintenance fee to service the building providing is a form of a “commercial transaction” and thus the PDPA applies. The PDPA only applies to personal data in respect of a commercial transaction.

However, it is noted that the Strata Management Act 2013 empowers a management body to collect charges for the purpose of maintenance and management of the building. It is therefore arguable that they are merely exercising a legal duty and not conducting a “commercial transaction”.

Experts take dim view of Covid-19 ‘vaccine passport’ for Malaysians

I was asked by The Malay Mail to comment on the privacy aspect of a “vaccination passport”, a document (whether electronic or not) showing that a person had been vaccinated. I said-

According to privacy lawyer Foong Cheng Leong, there could be privacy concerns with such a passport, depending on what data is collected and shared by the governments.

“If it is standard information that is being shared when a person travels from country to country, that should be fine.

“However, a person’s medical information is sensitive personal data and the sharing of such information should be limited,” said Foong.

He suggested that for the purpose of combating Covid-19, the information shared should only be limited to matters related to Covid-19 and not a person’s health information in general


This question follows the recent judgement by the courts to hold Malaysiakini responsible for comments made by readers on its online portal. Lawyer Foong Cheng Leong helps us figure out whether individuals could also be held legally accountable.

Produced by: Kelvin Yee
Presented by: Sharmilla Ganesan, Lee Chwi Lynn


  1. Peguam Negara Malaysia v Mkini Dotcom Sdn Bhd & Anor (Setting aside ex parte leave order to allow contempt proceedings to commence against the Mkini Dotcom Sdn Bhd and its Chief Editor)
  2. Peguam Negara Malaysia v Mkini Dotcom Sdn Bhd & Anor (Majority)
  3. Peguam Negara Malaysia v Mkini Dotcom Sdn Bhd & Anor (Minority)

Malaysia’s First Action against Unknown Persons on Cyberspace

Every legal author’s dream is to have his or her writing quoted in a Court case. I am stoked that my book “Foong’s Malaysia Cyber, Electronic Evidence and Information Technology Law” was recently quoted by Justice Ong Chee Kwan in the High Court case of Zschimmer & Schwarz GmbH & Co KG Chemische Fabriken v Persons Unknown & Anor. His Lordship made reference to a section of my book regarding action against Persons Unknown. Many thanks to Lee Shih for taking the effort to have my book quoted.

In this case, the High Court granted an ex-parte proprietary injunction and Mareva injunction against “persons unknown” as the 1st defendant. The plaintiff was a victim of cross-border cyber fraud known as a “push payment fraud” where the victim is tricked over emails to make a payment for a legitimate transaction into a different bank account under the control of the fraudster. The plaintiff, a German company, was in communication with its South Korean counterparty. The fraudster, being Persons Unknown, deceived the plaintiff into paying into the 2nd defendant’s bank account the sum of EUR 123,014.65 (approximately close to RM 600,000.00) by infiltrated the email communications between the plaintiff and the South Korean counterparty. The plaintiff thought it was making a genuine payment to its South Korean counterparty for a commission payment. Instead, the fraudster had siphoned the Plaintiff’s monies away.

Justice Ong Chee Kwan delivered the first known decision on a persons unknown injunction. After going through a series of English cases against Persons Unknown, his Lordship held-

[40] It is not usually the case that a defendant is described as ‘Persons Unknown’. Nevertheless, the Court can grant interlocutory orders against the 1st Defendant — being Persons Unknown. In cases like the present which involve cyber fraud and fake email addresses, the fraudster or fraudsters are unknown. English case law have allowed for similar injunctive orders against ‘Persons Unknown’. There is nothing in our Rules of Court 2012 that would prevent the Writ of Summons and applications from being filed against Persons Unknown.


[49] As stated above, there is nothing in our Rules of Court 2012 prohibiting the making of an order against Persons Unknown. In fact, Order 89 of the Rules of Court 2012 for summary proceedings for possession of land allows for a defendant reference to Persons Unknown.[See Fauziah Ismail & Ors v Lazim Kanan & Orang-Orang Yang Tidak Diketahui [2013] 7 CLJ 37 (CA); the commentary in Foong’s Malaysia Cyber, Electronic Evidence and Information Technology Law, para [8.098] to [8.100]].

The section referred by Justice Ong Chee Kwan can be seen below-

It is also interesting to note that his Lordship had referred to a case where substituted service was done vide email and WhatsApp messenger. This is also a case which we had acted for the Plaintiff against the defendant for trade mark infringement.

The case name is 30 Maple Sdn Bhd v Noor Farah Kamilah binti Che Ibrahim (Kuala Lumpur High Court Suit No: WA-22IP-50-12/2017). However, the significance of this case will soon be eclipsed by the new amendments to the Rules of Court 2012 which allows for electronic service.

Digital Edge: Techtalk: Rapid digitalisation — what happens to privacy?

I was asked by The Edge to comment about the the current state of Malaysia’s own Personal Data Protection Act 2010.

Sonia Ong of Wong & Partners, Maneesh Chandra, chief technology officer of Firmus Sdn Bhd and Vernon Chua, CEO of enterprise data analytics start-up Innergia Labs Sdn Bhd are also featured in this article. The full article can be viewed at The Digital Edge’s website.

1 The PDPA explained
The PDPA, in a nutshell, is meant to legislate protection around the collection, storage and usage of personal data collected by the private sector, according to lawyer Foong Cheng Leong. The public sector and, generally speaking, contractors operating on behalf of the government are exempt from the provisions of the PDPA.

“The laws require that any personally identifiable data, collected in the course of commercial transactions, be stored safely, along with additional requirements to be transparent about its use to individuals who provided the data in the first place.”

One key issue, however, has to do with a lack of clarity on what constitutes a “commercial transaction”, Foong says. While personal data collected in the course of completing a contractual agreement — for example, swiping a credit card or signing up for a broadband service — is protected under the PDPA, it is not certain what else, if anything, constitutes a commercial transaction in Malaysia.

“It is unclear, for example, in the case of a company that might be required to collect personal data, for security purposes, from individuals they don’t have a direct contractual or commercial relationship with. Right now, there isn’t much additional guidance from the Data Protection Commission, the body enacted by the PDPA to oversee administration and enforcement of the law.”

While the PDPA is meant to regulate what businesses are allowed to do with personal data, the law confers certain rights on so-called “data subjects”. This is a term used to denote anyone who is able to be identified from the personal data collected.

An individual, for example, is conferred the right to revoke consent from the “data user” — this being the entity that collected the personal data in the first place.

Failure by the data user to respect this request could attract fines, jail terms or both.


Source: screencap from Wong Yan Ke’s video

I was asked by BFM Radio to comment on whether it is an offence to film the police. This issue came about when UM graduate Wong Yan Ke was arrested for filming the arrest of his friend. He was arrested and later charged under s. 188 of the Penal Code.

S. 188 of the Penal Code provides the following-

188 Disobedience to an order duly promulgated by a public servant

Whoever, knowing that by an order promulgated public servant lawfully empowered to promulgate such order he is directed to abstain from a certain act, or to take certain order with certain property in his possession or under his management, disobeys such direction, shall, if such disobedience causes or tends to cause obstruction, annoyance or injury, or risk of obstruction, annoyance or injury, to any person lawfully employed, be punished with imprisonment for a term which may extend to one month or with fine which may extend to four hundred ringgit or with both; and if such disobedience causes or tends to cause danger to human life, health or safety, or causes or tends to cause a riot or affray, shall be punished with imprisonment for a term which may extend to six months or with fine which may extend to two thousand ringgit or with both.

Explanation – It is not necessary that the offender should intend to produce harm, or contemplate his disobedience as likely to produce harm. It is sufficient that he knows of the order which he disobeys, and that his disobedience produces, or is likely to produce, harm.


An order is promulgated by a public servant lawfully empowered to promulgate such order, directing that a religious procession shall not pass down a certain street. A knowingly disobeys the order, and thereby causes danger of riot. A has committed the offence defined in this section.

UM graduate Wong Yan Ke was charged in court today, after he livestreamed a police raid on a house in Selangor last week, and disobeyed a police officer’s order to stop. We speak with Foong Cheng Leong about whether the public has the right to record the police.

Produced by: Kelvin Yee
Presented by: Lee Chwi Lynn, Hezril Asyraaf

Maintaining privacy and control

I was asked by The Star to comment on the National Digital ID (NDID) Framework which is currently under the development of the Malaysian Communications and Multimedia (MCMC). The NDID will would ease the public in the process of verification and authentication of their identities for performing digital transactions based on based on biometric features such as fingerprints, face recognition and demographic information such as names and others [Source: Identiti Digital Nasional (ID Digital Nasional)].

Based on a survey conducted by MCMC on the development of a framework for digital ID, participants have identified the 5 areas where NDID can be used-

  • Electronic healthcare records: Patients will be able to access their healthcare records online, including reviewing doctor visits and current prescriptions. They will also be able to share their records with other parties.
  • Government assistance: Citizens will be able to check their eligibility and register for government assistance programmes online. Less paperwork and documentation will be required, and the payment will be automatically banked into their accounts upon identity verification.
  • Government services: A more efficient and integrated e-government system will allow citizens to access various services, including business registration, e-voting and apply for driving licences.
  • Financial institutions: Authentication will be made seamless, allowing users to open bank accounts and perform various transactions such as applying for loans through their phones.
  • Telecommunications sector: A digital ID will eliminate repetitive verification for updating personal details, change of SIM card and when a person forgets the password to an account.

In the article, I said-

Privacy laws have to be improved to assure the public that the best measures are being taken to keep the user’s personal data associated with the digital ID safe, said Bar Council Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong. He pointed out that the Federal and state governments are not subject to the Personal Data Protection Act (PDPA) 2010. This meant users cannot take action if their personal data was compromised when using a government service.

“Also, any breach of the PDPA is subject to the discretion of the [Personal Data Protection] Commissioner to take action. There is no express provision in the PDPA stating that a victim can go to court to sue through his or her own lawyer,” he added.

To help reassure the public, Foong also wanted the government to consider allowing civil societies such as privacy rights groups and the Bar Council to participate in the development, maintenance and operation of the digital ID.

The experts also felt that it’s only right to make the digital ID optional.

Madihah said it would be best to have all citizens signed up, but in reality, it could be an issue for those without proper Internet connection or are tech illiterate.

“For a start it’s good enough to have a portion of the public sign up first, before enrolling more people,” she suggested.

Foong also agreed, saying that the government should opt for a slower adoption process, adding that more should be made known about the digital ID first.

“We should have the right to know what information will be
included and have the right to ask for details to be deleted. Further, we should also have the right to correct and update the information. Basically the rights provided by our PDPA should also be reflected in the digital ID,” he said.

In addition to the above, perhaps the Government should also consider introducing a digital ID framework for businesses. This is because many businesses in Malaysia use Government platforms to conduct businesses and many of these platforms require separate and some times tedious registration. For example, law firms are required to register themselves with the judiciary in order to use the e-filing system. A separate registration is also required for an account with the Companies Commission of Malaysia and the Intellectual Property Corporation of Malaysia. A digital ID framework would reduce the verification process by the Government and also submission of physical or identical documents.

Foong’s Malaysia Cyber, Electronic Evidence and Information Technology Law

I am happy to announce that my book “Foong’s Malaysia Cyber, Electronic Evidence and Information Technology Law” is available for pre-order. This is my third book. It started off with a compendium of cases but subsequently evolved into a textbook. It took me about a year to restructure the contents into a textbook.

This book was inspired by the case of PP v Loh Guo Shi [2016] 1 SMC 190. My learned friend, Lim Chi Chau and I represented the accused when he was charged under s. 5 of the Computer Crimes Act 1997. He was accused of deleting his employers’ database. 

When the case came to us, there was no reported case under Computer Crimes Act 1997 nor any local textbooks that could help us in defending his case. All I had was the book Electronic Evidence by Stephen Mason. This book was recommended by Justice Tan Sri Dato’ Mohamad Ariff Yusof (as then he was) when I had a trial before him. 

Fortunately, when I read the documents provided by the prosecution, I saw flaws in the prosecution’s case. One of them was the issue of Internet Protocol (IP) address. I looked at the year of the alleged offence and I realised that the accused was using a Telekom streamyx account. In that year, a streamyx account can be accessed anywhere so long a person has the login and password. During the trial, we got the witness from Telekom Malaysia Berhad to agree with us. There was no evidence that the accused had log on to his account during the time of offence. Further, by reading the log files provided by the prosecution, we discovered that there was a break in the chain of evidence.

The learned Magistrate, Puan Aminahtul Mardiah, acquitted the accused without calling his defence. The High Court had also dismissed the prosecutor’s appeal. The details of this case are also reported in this book. 

I would like to believe that we freed an innocent man by using knowledge beyond the law. By writing this book, I hope to help those who face the same or similar predicament as us. 


As technology evolves at lightning speed and digitalisation spreads across businesses and people’s lives, a new perspective and a new approach is needed to tackle the issues that come along with emerging technologies. It is natural to expect more and more cases relating to cyberlaw and information technology to be filled in court and even more so to expect digital evidence to be tendered in court.

Foong’s Malaysia Cyber, Electronic Evidence and Information Technology Law is the only book on cyberlaw and electronic evidence in Malaysia. Carrying more than 200 local cases and some selected foreign cases with commentaries, this publication looks at areas that have evolved in the digital sense such as civil issues like defamation, privacy and copyright. Current and very much relevant issues such as instant messages, social media postings, admissibility of electronic evidence in industrial relation disputes and digital asset cases are also discussed. Chapters have been devoted to legal practice and technology, the digital economy, electronic signature and electronic commerce.

This illuminating text provides valuable guidance in emerging areas of law. Its structure is held together by a carefully crafted set of headings to ensure that the text is easily accessible. The inclusion of references to many previously unreported cases, including some decisions of the Sessions Court, certainly lends depth to the analysis and discussion in this book.

This practical title is useful for litigators who are involved in matters concerning electronic evidence, information technology and cyberlaw and will be a valuable guide through its carefully structured commentary and insightful analysis.


  1. Civil Matters
  2. Cybercrime
  3. Admissibility of Computer-Generated Documents
  4. Presumption of Fact in Publication
  5. Instant Messages, Social Media Postings & Other Electronic Evidence
  6. Electronic Evidence in Industrial Relation Disputes
  7. Electronic Evidence in Family Disputes
  8. Discovery
  9. “.MY” Domain Names
  10. Legal Practice and Technology
  11. Digital Economy
  12. Electronic Commercial Transactions
  13. Electronic and Digital Signatures
  14. Digital Assets
  15. E-Commerce

You may purchase the book at Sweet & Maxwell’s website or any selected book stores.


I was asked by BFM Radio to comment on the requirement under the Perbadanan Kemajuan Filem Nasional Malaysia Act 1981 (FINAS Act) which requires, among others, those who produce or distribute films to be registered with Perbadanan Kemajuan Filem (FINAS).

This issue came about when Dato’ Saifuddin Abdullah, Minister of the Communications and Multimedia was asked in Parliament if the definition of “film” in the FINAS Act covers TikTok or IG TV videos which are distributed through social media. The definition of “film” in the FINAS Act is as such-

“films” includes feature films, short films, short subject films, trailers, documentaries, advertising filmlets and any recording on material of any kind, including video tapes and video discs, of moving images, accompanied or unaccompanied by sound, for viewing by the public or any class of the public;

s. 2 of the FINAS Act

However, according to the Hansard, the Minister did not give a direct answer but instead, informed Parliament that he will leave it to the relevant authority.

Dato’ Saifuddin Abdullah later clarified that social media users do not need to apply for a license from FINAS to produce or publish videos and that the Ministry is looking to amend the laws under the Ministry.

Is it necessary for you to have a FINAS license to create personal content on social media? We speak to lawyer Foong Cheng Leong and filmmaker Jared Lee to understand how this will impact the industry and social media usage of Malaysians.

Produced by: Kelvin Yee, Adeline Choong
Presented by: Kelvin Yee, Hezril Asyraaf


Malaysiakini and its editor-in-chief are being cited for contempt of court over several readers’ comments on an article. We reach out to Foong Cheng Leong to find out what the law says about holding media portals accountable over comments made by readers.

Produced by: Tasha Fusil
Presented by: Lee Chwi Lynn

1 2 3 4 5 35  Scroll to top