114A Evidence Act 1950

Bread & Kaya: Dear Attorney General Tommy Thomas, we need to speak about our Malaysia cyberlaw and IT laws reforms

By Foong Cheng Leong | Jun 22, 2018

– Act is clearly against the very fundamental principal of “innocent until proven guilty”
– Need law to curb creation of fake news, especially if created to stoke racial or religious sentiments

Repeal of 114A of Evidence Act 1950

WHEN s. 114A was introduced in the Parliament in 2012, a protest was held by netizens to urge the Government to repeal s. 114A. The #stop114A campaign was held and Malaysia had it first Internet Blackout Day to protest this section.

S. 114A provides for three circumstances where an Internet user is deemed to be a publisher of a content unless proven otherwise by him or her. The relevant section, namely s. 114A(1), states that “A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host , administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”.

In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content. So, for example, if someone creates a blog with your name, you are deemed to have published the articles there unless you prove otherwise. If you have a blog and someone posts a comment, you are deemed to have published it.

Subsection (2) provides a graver consequence. If a posting originates from your account with a network service provider, you are deemed to be the publisher unless the contrary is proved. In simple terms, if a posting originates from your TM Unifi account, you are deemed to be the publisher. In the following scenarios, you are deemed to be the publisher unless you prove the contrary:-

(1) You have a home network with a few house mates sharing one internet account. You are deemed to be the publisher even though one of your house mates posts something offensive online.
(2) You have wireless network at home but you did not secure your network. You are deemed to be the publisher even though someone “piggybacks” your network to post something offensive.
(3) You have a party at home and allows your friends to access your PC or wireless network. You are deemed to be the publisher even though it was a friend who posted something offensive.
(4) Someone use your phone or tablet to post something offensive. You are deemed to be the publisher.

As for subsection (3), you are presumed to have published a content if you have custody or control of any computer which the publication originates from. Here, you are deemed to be the publisher so long your computer was the device that had posted the content. If someone “tweetjacks” you or naughtily updates your Facebook with something offensive, you are deemed to be the publisher unless you prove otherwise.

Clearly, it is against our very fundamental principal of “innocent until proven guilty”.

Position of intermediaries (e.g. platform providers)

Currently, many platform providers are vulnerable to be sued or charged in Court for what their users do. For example, an online forum owner would be liable for publishing defamatory statements made by their users pursuant to s. 114A of the Evidence Act 1950. Online marketplace operators may also be sued because their users sold counterfeit products.

It would be ideal for the Government to induce new laws to protect such platform providers but also the punish errant platform providers. For example, a one-strike or three-strikes rule. Under such proposed one-strike rule, an aggrieved person may file a complaint against the platform provider to remove certain postings. If the platform providers remove such posting within a specific time, the platform provider should be absolved from liability. However, if it fails to do so, it will be liable for the acts of its users.

S. 43H of the Copyright Act 1987 is a good example on how to deal with intermediary’s liable in respect of copyright infringement.

In this regard, the Sedition (Amendment) Act 2015, which is not in operation yet, should be repealed. The said amendment creates, among others, liability on website operators such as online forums, online news portals, and even Facebook page/ group owners. [Read http://foongchengleong.com/2015/04/bread-kaya-how-the-new-sedition-act-affects-netizens/]

Specific laws to govern blocking of websites or other electronic platforms.

All blocking orders should be made public and their detailed reasons to block websites. Currently, there is no public list other than one independently maintained by Sinar Project and reasons given are usually one-liners (e.g. in breach of s. 233 of the Communications and Multimedia Act 1998).

However, there could be specific websites which need not be reviewed due to national security issue, among others. As we all know, blocked websites can still be accessed via other means.

Blocking orders should also be made by the Courts rather than the arbitrary decision of the Minister. The current s. 263 of the Communications and Multimedia Act 1998 is used by the Ministry of Communications and Multimedia to direct internet service providers to block platforms in order to prevent the commission or attempted commission of an offence under any written law of Malaysia. In the past however, we have seen websites being blocked due to political reasons e.g. medium.com and bersih.org.

The Anti-Fake News Act 2018 and Sedition (Amendment) Act 2015 have provisions for websites to be blocked by way of application to the Court. All these blocking order sections and s. 263 of the Communications and Multimedia Act 1998 should be replaced with one single law to govern blocking of electronic platforms.

The law should also allow any person such as users of the platforms to challenge any blocking orders. When the previous Government decided to block medium.com, as far as I know, the site owners did not file any challenge in Court to unblock their website. Many netizens were denied access to informative and educational content from medium.com. There were no specific laws allowing them to challenge the block. They were also unsure if they could meet the threshold to file an action for judicial review.

Specific channels to allow litigants to obtain information about wrongdoers

In the present case, a person who wishes to obtain information about another person, for example another Facebook user who had defamed or harasses him, would need to go through a long and expensive process to obtain such information. Normally these wrongdoers will use platforms provided by foreign companies to attack another user.

It would be ideal if a straight forward process be made to such person to obtain such information. For example, filing a request to the Government for it to request the same from the platform providers.

SS. 211 and 233 of the Communications and Multimedia Act 1998

S. 233 of the Communications and Multimedia Act 1998 (which is similar to s. 211) has been used by the previous administration against dissent. The Bar Council has called for the repeal of Section 233(1)(a) of the Communications and Multimedia Act 1998 as it is a serious encroachment on the freedom of speech and expression guaranteed by Article 10(1)(a) of our Federal Constitution. I concur with the Bar Council on this.

However, I suggest that new laws be introduced to stop contents which can cause hatred and disturbance about certain individuals or organisations. We cannot have people sending fake messages which can cause a riot, for example.

Anti Fake News Act 2018

Many calls have been made to repeal the Anti Fake News Act 2018, which came into operation weeks before the 14th General Election. One person has been sentenced and many have been investigated for spreading fake news. Prime Minister Dr Mahathir Mohamad has confirmed that this Act will be repealed.

Notwithstanding such calls to repeal the law, I am of the view that there should be laws to curb the creation of fake news especially those created to stoke racial or religious sentiments. Note that s. 233 of the Communications and Multimedia Act 1998 requires a communication to target a certain person. Fake news may not necessary be targeting a certain person. It could target a race and a place, for example.

Revamp of the Admissibility of Electronic Evidence

Currently, almost every document printed by a computer is admissible under s. 90A of the Evidence Act 1950. This section should be examined to define clearly on what admissible and not admissible.

The Court’s electronic system should also be upgraded to allow the admissible of all forms of electronic media such as songs, videos and animated files. Currently, lawyers have to burn those evidence in a CD to be filed in Court. This defeats the open justice system where all Court proceedings are accessible to the public.

[Postscript] In addition, the Court’s file search system should also be updated. Currently it allows a user to conduct a file search for 30 minutes (per ticket) via its slow system. It loads page by page and one cannot download all the documents at one go. It should be revamped to allow a user to download the entire file with one single fee.

Laws to protect netizens

New laws should be introduced to criminalise cyberbullying, stalking and harassment. It is noted that this type of acts these days are not made directly against a person.

Government should also study the criminalisation of maintaining cybertroopers. Many organisations in the world including Governments use the services of cybertroopers to attack individuals. They would send threatening, harassing or annoying messages, posting private information of that individual and create fake content about that individual.

Lastly, what we need is meaningful and effectively consultation with the Government. The previous administration had basically shoved us with laws with little consultation. I remember when our #Stop114A team went to meet the then Deputy Minister of Law, V.K Liew, to hand in our petition to repeal s.114A, he said that the Bar Council needs professional advice. I trust that the new Government will make a wise choice in deciding the right people for the right job.


First published on Digital News Asia on 22 June 2018

Bread & Kaya: 2017 Cyberlaw cases Pt3 – sexual offences against children and computer crimes

By Foong Cheng Leong | Mar 30, 2018
– Sending death threats using someone else’s mobile phone is not OK
– 2018 will mark interesting year for cyber related cases including Uber driver suing Uber

THE first statute in Malaysia to use the term “social media” is part of the law designed to protect children against sexual offences and not any computer crimes related or media related law.

At the same time a bank officer got into hot soup for using their superior’s email account and password. Let’s go through these cases now.

Crime

Sexual Offences Against Children Act 2017

The Sexual Offences Against Children Act 2017 was introduced to address the seriousness of sexual offences committed against children in Malaysia. The ultimate object of the proposed Act is to provide for better protection for children against sexual offences and to safeguard the interest and well-being of children and to provide effective deterrence.

One of the laws introduced is the law against child grooming. S. 12 of the Act states that child grooming is an offence punishable with imprisonment of no more than 5 years and liable for whipping. The Act specifically stated that the following amounts to child grooming :-

(a) A communicates with Z, a child via social media by pretending to be a teenager and develops a love relationship with Z with the intention of using Z in the making of child pornography. A never meets Z. A is guilty of an offence under this section .

(b) A communicates with Z, a child via e-mail and befriends Z with the intention that A’s friends C and B could rape Z. A never meets Z. A is guilty of an offence under this section.

This law is also the first statute in Malaysia to use the words “social media”.

Last year, we were anticipating the amendments of the Communications and Multimedia Act 1998. However, the amendments never came. Nevertheless, numerous people were investigated under s. 233 of the Communications and Multimedia Act 1998. Notably, in the case of Mohd Fahmi Redza Bin Mohd Zarin Lawan Pendakwa Raya dan Satu Lagi Kes (Kuala Lumpur Criminal Application No. 44-103-08/2016), the accused was charged under s. 233 of the Communications and Multimedia Act 1998 for publishing an offensive Instagram posting using the username kuasasiswa. The accused filed an application to strike out the charge on the grounds that:-

– s. 233 of the Communications and Multimedia Act 1998 is unconstitutional and/or ultra vires in view of Article 5(1), 8 and 10(1)(a) of the Federal Constitution
– the charge against him acts as and/or has the characteristic of a censorship and therefore in contravention of the objectives of the CMA according to s. 3(3) of the CMA; and
– the charge against the accused is defective as it does not have the details of the parties that were offended by his acts.

The Public Prosecutor applied to have the matter heard before the Federal Court in respect of the issues on the constitutionality of s. 233 of the CMA (in accordance with ss. 30 and 84 of the Courts of Judicature Act 1964. Upon hearing the parties, the High Court referred the matter to the Federal Court for the latter to decide on the following question:-

Whether Section 233(1)(a) of the Multimedia and Communication Act (Act 588) is Inconsistent with Article 5(1), 8 and 10(1)(a) of the Federal Constitution?

However, the Federal Court dismissed the application for non-compliance of the Courts of Judicature Act 1964 (Federal Court Criminal Application No. 06-04-04/2017(W)).

In Nik Adib Bin Nik Mat v Public Prosecutor (Rayuan Jenayah No 42S(A)-39-7/16), the accused was charged under s.233(1)(a) of the Communications and Multimedia Act 1998 for sending indecent and false photos of cabinet leaders titled “Pesta Bogel” on Facebook. He was also charged under s. 5(1)(a) of the Film Censorship Act 2002 for possession of 883 pieces of pornographic videos in his laptop. The Session Court sentenced him to the maximum sentence of 1 year imprisonment for the first offence and another 1 year imprisonment for the second offence.

On appeal, the High Court Judge stated that “cyber offences are serious offences especially the offence at hand, as those offensive materials could be easily disseminated to the public at large within seconds at a touch of a button” and agreed with the Sessions Court Judge that public interest is of paramount importance and should supersede the interest of the accused.

However, the learned High Court Judge was of the view that personal interest of the accused should not be disregarded at all and thus, allowed the appeal against the sentence. The learned High Court Judge took into account the grounds submitted by the accused and held that the misdirection of Session Court on imposing maximum sentence for the first offence warrants the appellate intervention and a special consideration ought to be given so that he can mend his ways and “turn over a new leaf”.

The High Court substituted the original sentence with 1 week imprisonment and a fine of RM3,000 in default 3 months imprisonment for the first charge and for the second charge, a fine of RM10,000 in default 1 ½ years imprisonment.

In Pendakwa Raya v Dato’ Dr Ahmad Ramzi Bin Ahmad Zubir (Rayuan Jenayah No. T-09-15-01/2014), the Respondent was charged with criminal defamation after he had sent text messages containing death threats to various individuals using another person’s (SP5) mobile phone number via an online platform registered in the name of a colleague of the Respondent (SP16). The said online platform allows users to broadcast SMS to numerous mobile numbers via the Internet. The Respondent had changed the sender’s mobile phone to SP5’s mobile number. The Respondent’s convicted by the Sessions Court but his conviction was overturned by the High Court.

On appeal, the Court of Appeal restored the conviction. In the grounds of judgment, the Court of Appeal discussed on the method used to determine whether the SMS was sent by the Respondent. The investigation had showed that the internet protocol address that was used to send the SMS was registered to the Respondent’s internet account. The MAC Address found was the same MAC Address of the Respondent’s router. According to the evidence provided by Cyber Security Malaysia, a MAC Address is a unique number provided by the Internet Service Provider and in order to connect to the Internet, it must be done through a router.

In Pendakwaraya v Charles Sugumar a/l M. Karunnanithi (Mahkamah Majistret Kota Bharu Kes Tangkap No: MKB (A) 83-43-02/2016), the accused was charged under s. s. 424 of the Penal Code for dishonestly concealing money of a scam victim in his bank account knowing that the said money does not belong to him. The victim had befriended a person by the name of Alfred Hammon from UK through Facebook. Alfred Hammon then made the victim transfer money to the accused’s bank account on the pretence that he needed the money to cash his cheque of US$3 million. Alfred Hammon promised that he will return the money together with interest. However, after transferring RM36,300 the victim realised that she was scammed.

The accused claimed that he is not part of the scam. The accused claimed that when he was working as a tour driver, he was requested by his customer to receive money on the customer’s behalf. The accused claimed that he did it to give his customer the best service so that he can attract more customers. He said that he was informed by the customer that the customer’s friend had to transfer money to him so that the customer can continue his tour in Malaysia. The accused said that he did not gain any remuneration or commission from that assistance.

The Magistrate acquitted the accused as the Magistrate found that, among others, the accused’s evidence is consistent and is a credible witness. The Magistrate agree that the accused was made a scapegoat by the customer who took advantage of his goodness and sincerity in giving the best service as a tour driver.

Computer Crimes Act

In Rose Hanida Binti Long lwn Pendakwa Raya (Kuala Lumpur High Court Criminal Appeal No. 42K–(115–124)-09/2016), the appellant was charged under the Computer Crimes Act 1997 (unauthorised access to computer material with intent to facilitate the commission of an offence involving fraud or dishonesty or which causes injury) and s. 420 of the Penal Code (for cheating) for making false claims to his employer, a bank, by using his superior’s account and password to without his superior’s knowledge. She was initially sentenced by the Sessions Court with 4 years of imprisonment and fine of RM260,000 in default of 15 months jail. She appealed the sentence but withdrew it later. Notwithstanding that it had been withdrawn, the High Court Judge exercised his revisionary powers and enhanced the sentence to 6 years and fine of RM260,000 in default of 15 months jail due to the seriousness of the offence.

In Kangaie Agilan Jammany lwn PP [2017] 1 LNS 1640, the accused was charged under s. 5(1) of the Computer Crimes Act 1997 for making modification of the contents of Air Asia’s flight booking system without authorisation. The accused had allegedly used the function “move flight function” in those unauthorised transactions to change, among others, the flight details and customers’ emails for the purpose of notification. The said function is a critical function to allow authorised staff to make changes so that no charges are made to customers.

The accused was given an ID ‘6954’ and password to access Air Asia flight booking system but he had limited access to it. Thus, one of the witnesses, SP4, had given his ID and password to the accused after the accused had requested for it on the ground that the latter is unable to access to the system using his own ID. SP4 did not know that the accused had misused his account. The accused had then used the said account to help his family members and friends to get cheaper flight tickets, among others. Air Asia alleged that it had lost about RM229,100.42 due to the accused’s actions.

In the system log, it was found that the accused had changed the flight schedule and also that there were a few customer email notifications which involved the agent code 6954 which had made the flight changes. Further, there was an incident whereby SP4 was asked by the accused to provide his new password after it had been changed.

The Sessions Court found the accused guilty and had applied the statutory presumption under s. 114A of the Evidence Act 1950 after the accused could not rebut the evidence that the agent code 6954 belongs and used by him.

Under 114A of the Evidence Act 1950, a person is deemed to be a publisher of a content if it originates from his or her website, registered networks or data processing device of an internet user unless he or she proves the contrary. In 2014, this new law sparked a massive online protest dubbed the Malaysia Internet Blackout Day or also the Stop114A.

On appeal, the High Court concurred with the Sessions Court Judge. The High Court Judge also held that s. 114A of the Evidence Act 1950 applies retrospectively notwithstanding that the offence was committed prior to the enforcement of s. 114A as the presumption did not alter the original subject matter and even includes the same subject matter that did not prejudice the accused before and after. In other words, without using such presumption, the Prosecution would still have to prove that the Accused was the person who used his ID and password to access the employer’s system had committed an offence to change the flight schedule without authorisation. On the contrary also by applying the presumption of the law, the Prosecution will still have to prove that the accused alone has a specific ID and password to access the system.

Closing

2018 will mark another interesting year for cyber related cases. In late 2017 and early 2018, the following cases have been filed:-

– A Uber driver sued Uber Malaysia Sdn Bhd for non payment of his fees. The interesting question in this case would be whether Uber Malaysia Sdn Bhd is liable to pay such fees or one of Uber’s foreign entities.
– In the Intellectual Property Court of Kuala Lumpur, a brand owner had filed a law suit for trade mark infringement against a web hosting company for hosting a website that sold counterfeit products. The interesting question in this case is whether a webhoster is liable for what their subscribers do.
– In the same Court, a brand owner had also filed a law suit for trade mark infringement against online marketplace operator for using the brand owner’s registered trade mark and allowing their users to sell unauthorised products. The interesting question in this case is whether an online marketplace operator is liable for what their users do on their platform and in particular case, for selling unauthorised products.
– The same Court also granted an application to serve a Writ and Statement of Claim via email and WhatsApp messenger after it could not locate the Defendant at her last known address. Traditionally, when a Defendant cannot be located, Plaintiff would normally ask the Court to allow a notice relating to the lawsuit to be published in the newspaper, among others. We will see more and more substituted service applications to be served electronically.
PKR communications director Fahmi Fadzil filed a civil suit against the Malaysian Communications and Multimedia Commission and Nuemera (M) Sdn Bhd for allegedly failed to protect his personal data which resulted in the leakages of his personal data together with personal information of 46.2 million mobile subscribers. This was one of Malaysians’ biggest data leak.

Finally, the recent introduction this month of the Anti-Fake News Bill 2018 is too important for me to leave till next year to comment!

The word “fake news” is defined as any news, information, data and reports, which is or are wholly or partly false, whether in the form of features, visuals or audio recordings or in any other form capable of suggesting words or ideas.

The law applies to fake news concerning Malaysia or the person affected by the commission of the offence is a Malaysian citizen. Any person who, by any means, knowingly creates, offers, publishes, prints, distributes, circulates or disseminates any fake news or publication containing fake news commits an offence and shall, on conviction, be liable to a fine not exceeding RM500,000 or to imprisonment for a term not exceeding 10 years or to both.

The Court may also order the accused to make an apology. Interestingly, the new law allows civil action to be initiated by a person affected by the fake news publication for an order for the removal of such publication. I will write further on this new law on a separate article. [Postscript: The Anti Fake News Act 2018 is now in force effective from 11 April 2018]


First published on Digital News Asia on 30 March 2018

Bread & Kaya: Are WhatsApp admins going to jail?

Bread & Kaya: Are WhatsApp admins going to jail?

By Foong Cheng Leong | May 02, 2017

– Two key elements in s. 233 are not fulfilled by a group chat admin
– To use s. 114A to attach liability on a group chat admin is stretching s. it too far

I REFER to the recent news reports stating that the Honourable Deputy Communications and Multimedia Minister Jailani Johari announced that group chat admins can be held accountable under the Communications and Multimedia Act 1998 (CMA) if they fail to stop the spread of false news to its members.

With due respect to the Honourable Deputy Ministry, the CMA, in particular s. 233 of the CMA, does not attach any liability to an admin of a group chat admin for spreading “false news”.

For ease of reference, I reproduce s. 233 of the Act:-

233 Improper use of network facilities or network service, etc

(1) A person who-

(a) by means of any network facilities or network service or applications service knowingly-

(ii) initiates the transmission of,

any comment, request, suggestion or other communication which is obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person; or

(b) initiates a communication using any applications service, whether continuously, repeatedly or otherwise, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address,

commits an offence.

(2) A person who knowingly-

(a) by means of a network service or applications service provides any obscene communication for commercial purposes to any person; or

(b) permits a network service or applications service under the person’s control to be used for an activity described in paragraph (a),

commits an offence.

(3) A person who commits an offence under this section shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding one year or to both and shall also be liable to a further fine of one thousand ringgit for every day during which the offence is continued after conviction.

The offence under s. 233(1) of the CMA is committed by a person who uses any network facilities or network service or applications service knowingly makes, creates or solicits and initiates the transmission of an offensive communication with intent to annoy, abuse, threaten or harass another person. Two key elements in s. 233 are not fulfilled by a group chat admin namely “knowingly make or initiates the offensive communication” and “with intent to annoy, abuse, threaten or harass another person”.

As for s. 233(2), liability is only attached to a person who knowingly provide or permits an applications service to provide any obscene communication for commercial purposes. This is also not applicable to the present case.

It is noted that s. 114A of the Evidence Act 1950 provides for three circumstances where an Internet user is deemed to be a publisher of a content unless proven otherwise by him or her. The relevant section, namely s. 114A(1), states that “A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host , administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”.

In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content.

To use s. 114A to attach liability on a group chat admin is stretching s. 114A too far. It must be highlighted that s. 114A was introduced to “provide for the presumption of fact in publication in order to facilitate the identification and proving of the identity of an anonymous person involved in publication through the internet” (Explanatory Statement of Evidence (Amendment) (No. 2) Bill 2012). Common sense would dictate that a group chat admin is not a publisher of their member’s messages.

In fact, in the Delhi High Court case of Ashish Bhalla vs Suresh Chawdhury & Ors, the Court held that:-

Similarly, I am unable to understand as to how the Administrator of a Group can be held liable for defamation even if any, by the statements made by a member of the Group. To make an Administrator of an online platform liable for defamation would be like making the manufacturer of the newsprint on which defamatory statements are published liable for defamation. When an online platform is created, the creator thereof cannot expect any of the members thereof to indulge in defamation and defamatory statements made by any member of the group cannot make the Administrator liable therefor. It is not as if without the Administrator‟s approval of each of the statements, the statements cannot be posted by any of the members of the Group on the said platform

Perhaps the Honourable Deputy Minister should clarify which section in the CMA attaches liability to a group chat admin to avoid further confusion and panic to group chat admins.


First published on Digital News Asia on 2 May 2017.

Bread & Kaya: Tracing someone online

Bread & Kaya: Tracing someone online
Nov 17, 2014

– Getting the IP address is one way, but may not always be possible
– On issue of defamation, Section 114A has been applied retrospectively

ONE of the most difficult issues to deal with in cybercrime or cyber-bullying cases is finding the perpetrator online. My years of blogging have brought me some experience in dealing with this issue, especially when dealing with ‘trolls.’

I am glad to say that it is not impossible. Some guesswork is needed. Normally, such a perpetrator is someone you know, although he or she may or may not be close to you. Sometimes, however, it would be just a stranger.

There was one case where the perpetrator was found to be a friend’s spouse whom the victim had only met a few times. Strangely, there was no animosity between these parties.

In one case which I was personally involved, I made a guess on the possible perpetrator and worked from there. Eventually, the person confessed after being confronted.

Getting the Internet Protocol (IP) address of the perpetrator is one of the conventional ways to track someone down. Internet service providers (ISPs) assign unique IP address to each user account. However, IP addresses may not be retrievable if the person is on a proxy server.

Another problem is the jurisdictional issue. Many servers storing such IP addresses may be located overseas and owned by foreign entities. One may have to initiate legal action overseas to get such data, and many of these service providers do not release their user information easily due to data protection laws or their strict privacy practices.

In the recent case of Tong Seak Kan & Anor v Loke Ah Kin & Anor [2014] 6 CLJ 904, the Plaintiffs initiated an action for cyberspace defamation against the 1st Defendant.

In tracing the perpetrator, who had posted defamatory statements on two Google Blogspot websites, the Plaintiffs filed an action called a John Doe action in the Superior Court of California. In compliance with the Court order, Google traced the blogs to two IP addresses which were revealed by Telekom Malaysia Bhd to be IP addresses belonging to the 1st Defendant’s account.

In the same case, the High Court had held that the controversial Section 114A (2) of the Evidence Act 1950 applied retrospectively.

S. 114A (2) provides that the burden of proof lies on the subscriber of an ISP to prove that a certain statement was not published by him or her. The 1st Defendant failed to convince the Court that s. 114A (2) does not apply because the defamatory statements were published before the enforcement date of s. 114A(2).

This retrospective stand however was not followed in the case of PP v Rutinin Bin Suhaimin [2013] 2 CLJ 427 as the High Court held that s. 114A does not apply retrospectively.

Perhaps the distinguishing factor between these cases is that the first case involved a civil dispute whereas the latter is a criminal prosecution.

Readers may recall that the #Stop114A campaign was initiated to get this law repealed. I am proud to say that Digital News Asia (DNA) was one of the organisers and participants in shutting down its website for one day. The campaign attracted the attention of Prime Minister Najib Razak but unfortunately, the law remained.

Going back to the case, the Court held that the 1st Defendant had failed to prove that he was not the publisher of the content. The 1st Defendant is now liable for a payment of RM600,000 (US$180,000) as damages to the Plaintiffs.

Not all tracing of a perpetrator requires an IP address. In Datuk Seri Anwar Bin Ibrahim v Wan Muhammad Azri Bin Wan Deris [2014] 3 MLRH 21, Opposition leader Anwar Ibrahim (pic) sued Wan Muhammad Azri Bin Wan Deris, allegedly a well-known blogger called Papagomo, for defamation.

In proving the identity of Papagomo, instead of tracing the IP address of Papagomo, the Court relied on the statement of a person who had met Papagomo in person before. The former also took a picture with Papagomo and this picture was tendered in Court.

There are other unconventional methods to identify a person online. I have heard of a private investigator entering a person’s home without knowledge to gain access to the computer of that person.

Many people do not password-protect their home computers and leave their email and other online accounts still logged into. This allows the private investigator to easily access a person’s emails and other online accounts without any technical skills.

One method that I always use is to find something unique in the content posted by the perpetrator. For example, I recently concluded that a website was held by a cyber-squatter by doing a Google search on certain sentences that appeared on the website. The cyber-squatter’s website looked like a legitimate website, but the search revealed that the same facade had been employed by the cyber-squatter on several websites using well-known brand names.

If there are images involved, a Google Image search would be useful to find whether other websites are hosting the same image.

It is of utmost importance that one must have reliable evidence to prove the identity of a perpetrator before suing or charging them. The person doing such investigation should be knowledgeable enough to conduct the investigation, know the rules of producing evidence and testifying in Court, and to thwart all challenges by the perpetrator’s lawyers.

Failure to do so would result in the case being dismissed or in a worst scenario, an innocent person being charged or sued in Court.


First published on Digital News Asia on 17 November 2014.

Netizens v the Government

2012 saw the intensified battle between netizens and the authorities. The former desires protection of their right to freedom of expression and anonymity whereas the latter desires control and governance. Through this battle, the authorities introduced many new legislations to govern the use of internet.

In July 2012, the Malaysian Government enforced s. 114A of the Evidence Act 1950 (114A). Under 114A, a person is deemed to be a publisher of a content if it originates from his or her website, registered networks or data processing device of an internet user unless he or she proves the contrary. This new law sparked a massive online protest dubbed the Malaysia Internet Black Out Day or also the Stop114A. Protesters replaced their Facebook and Twitter profile picture with the Stop114A banner whereas website operators displayed the Stop114A banner on their websites. Within two days, the Stop114A Facebook gained 43,000 likes from 400 likes (currently 49,000). It is probably one of Malaysia’s most successful online campaigns.

On the business side, the Association of the Computer and Multimedia Industry of Malaysia (Pikom), who represents the information and communications technology (ICT) industry in Malaysia, backed calls for a review of 114A whereas the Federation of Malaysian Manufacturers (FMM) has expressed concerns over the recent inclusion of 114A and its impact on businesses.

Interestingly, the Malaysian Government passed the Cyber Centre and Cyber Cafe (Federal Territory of Kuala Lumpur) Rules 2012 and Consumer Protection (Electronic Trade Transactions) Regulations 2012. The former requires any person operating a cybercafé and cyber centre to maintain a customer entry record and a record of computer usage for each computer whereas the latter requires online business owners and operators to provide their full details, terms of conditions of sale, rectification of errors and maintenance of records.

Philippines netizens also protested against their newly introduced cyberlaw. In October 2012, Philippines passed the Cybercrime Prevention Act of 2012 with the aim to prevent cybersex, online child pornography, identity theft and spamming. However, under the new act, a person found guilty of libellous comments online, including comments made on social networks such as Facebook and Twitter or blogs, could be fined or jailed. In protest against the new law, anonymous activists hacked into government websites, journalists have held rallies and many Facebook users have replaced their profile picture with a black screen. Protesters say the new law could be used to target government critics and crack down on freedom of speech.

Japan netizens on the other hand had milder protest against a new law that makes Japan-based internet users who download copyright infringing files. Violators will face up to two years in prison or fines of up to two million yen. In July 2012, about 80 masked people, calling themselves allies of the global hacker group Anonymous, picked up litter in Tokyo Saturday as a sign of protest.

In early 2012, China required users of the popular microblogging platform, Weibo, to register their real names. Subsequently, later in the year, China legalized the deletion of posts or pages which are deemed to contain “illegal” information and required service providers to hand over such information to the authorities for punishment.

On a brighter note, the South Korean Constitutional Court ruled that a law requiring South Koreans to use their real names on Internet forums was unconstitutional. The Court said that the requirement amounts to prior censorship and violated citizens’ privacy.

In the United States, a handful of US states, including Illinois, California and Maryland, passed laws making it illegal for employers to ask for potential employees’ Facebook or other social media passwords.

A person who retweets a defamatory tweet is potentially liable for defamation. In the UK, Lord McAlpine (Robert Alistair McAlpine) a former politician who worked for Margaret Thatcher, announced his intention to pursue action against 10,000 Twitter users for defamation including those who had retweeted the defamatory tweets. In this case, Lord Alphine was linked by some social media users after BBC News reported that a senior politician was involved child sex abuse. Interestingly, these users may apologize to Lord McAlphine by completing a form downloadable from his solicitors’ website!

In the UK, it is an offence to publish the identity of victims of certain offences which include rape. Footballer Ched Evans was convicted by the Court for rape of a 19 years old woman. The woman’s name was circulated on social networking sites, including Twitter and Facebook, after Evans’ conviction. 9 people were fined after admitting to revealing online the identity of the woman.

Meanwhile back home, the Kota Kinabalu High Court overturned Rutinin Bin Suhaimin’s acquittal for posting an “annoying” comment on the Sultan of Perak’s website. Rutinin was charged under s. 233 of the Communications and Multimedia Act 1998. The Sessions Court had earlier acquitted him without calling for his defence because, among others, the prosecution failed to prove that Rutinin was the person who posted the insulting comment. The Court held that, although 114A of the Evidence Act 1950 is not applicable because the alleged offending act was committed before the enforcement date of 114A, the circumstantial evidence is sufficiently strong to conclude that the accused had used the internet account that was registered in his name at the material time.

The developments in 2012 show the involvement of the authorities in clamping down the notion of the Internet being the Wild, Wild West. However, such clap down must be monitored by netizens.

In December 2012, the International Telecommunication Union (ITU) brought together regulators from around the world to re-negotiate a decades-old communications treaty. Google and 1000 over organizations around the world claimed that some governments want to use the closed-door meeting to increase censorship and regulate the Internet and had started an online campaign.

At the end of the closed-door meeting, 89 countries including Malaysia signed the treaty, while 55 countries said they would not sign or that additional review was needed.

With the new technology, websites and novel functions, all Governments will have to step out their game to protect the rights of netizens and businesses. New laws must not be onerous but in the same time protect victims of cybercrimes and preserve the right of freedom of expression.



This article was supposed to be published in the Putik Lada of The Star Newspaper. It was also supposed to be the 2013 installation of my yearly social media update articles. Unfortunately, The Star Newspaper discontinued the Putik Lada column before my article could be published.

GE13 Candidates and 114A

Published on LoyarBurok on 16 April 2013.



I am no expert in election laws but GE13 Candidates should take note of this. If you are running a blog, I suggest you moderate or close the comments section until and after the 13th General Election.

The reason why I say so is because s.114A(1) of the Evidence Act 1950 and the Election Offences Act 1954. S. 114A(1) provide the following:

“A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host, administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”.
In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content unless you prove otherwise.

Also, if you have in any manner facilitated to publish or re-publish the publication, you are presumed to have published the content of the publication.

This means that website owners are deemed to be publishers of contents of a publication although the author of the publication is someone else.

Further, it is not possible for website owner to prove that he is not a publisher due to the wording of the section i.e. the words “in any manner facilitates to publish or re-publish the publication”. By providing a virtual platform, the website owners facilitate to publish or re-publish a publication.

In this regard, you will potentially commit an election offence if someone posts a comment which falls within the scope of corrupt practice. If found guilty of an election offence, the election of a candidate will be declared void (s. 32 of the Election Offences Act 1954).

What I have mentioned is not without basis. A similar scenario had happened after the 12th General Elections. In Kho Whai Phiaw v Chong Chieng Jen (Election Petition No.: 26-01-2008-I), an elector in the Bandar Kuching constituency presented an election petition to have Mr. Chong Chieng Jen’s (representative of the Democratic Action Party (DAP)) election declared void.

The elector sought to have Mr Chong’s election avoided on the ground that the latter had engaged in the corrupt practice of (i) undue influence and (ii) bribery, to procure his victory in the election. The elector alleged, among others, that a letter from one Mr Smith published on the comment section of Mr Chong’s blog site is said to contain certain threatening statement. The elector alleged that Mr Chong had exercised undue influence over the non-Muslim voters in the Bandar Kuching constituency through Mr Smith’s letter appearing on his blog site.

Fortunately for Mr Chong, the High Court held that Mr Smith’s letter was posted by one commentor by the name “Responsible Christian Voter” (‘RCV’). Mr. Smith was the author of the letter and it was RCV who published that letter through Mr Chong’s blog site. The Court held that Mr Chong is therefore not the publisher of the letter. The case is later upheld by the Federal Court. (see Kho Whai Phiaw v Chong Chieng Jen [2009] 3 CLJ 201)

But Mr Chong’s case is pre-114A case. If s. 114A applies, Mr Chong is considered as the publisher of the letter as his blogsite had facilitated the publication of the letter. Mr Chong could potentially commit an election offence if 114A applies. That is the effect of 114A. It creates liability on a virtual platform provider.

This, of course, is not tested in our Courts yet. One may argue that it is the blogsite provider (e.g. Google who owns Blogger.com) but this is only provided that such blog is hosted by such blogsite provider.

Nevertheless, as an abundance of caution, GE13 candidates should close their blog comments section to avoid such actions. Interestingly, Mr Chong’s blogsite has closed its comments section.

A Facebook Page is also another concern. It may be arguable to say postings made by users on a Facebook page is not published by the Facebook page administrator as it appears on a separate page. (Illustrated below).

However, Facebook comments appearing together with the postings by the Facebook administrator (illustrated below) is different. It is arguable that such comments are published by the Facebook page owner.

With this risk of having an election declared void, I hope that the new Parliament will relook into 114A when it convenes in the future.

It’s time to #stop114A.

Bread & Kaya: Looks can be deceiving!

My 3rd issue of Bread and Kaya was published by Digital News Asia on 7 March 2013.

Bread & Kaya: Looks can be deceiving!

– Under Malaysian laws, what amounts to obscene, indecent, false, menacing or offensive in character is quite wide
– Sessions Court decisions perhaps the reasons why Section 114A of the Evidence Act 1950 was introduced

Bread & Kaya by Foong Cheng Leong

A COUPLE of weeks ago, I received a message with the title “Looks can be deceiving!” on my blog’s Facebook page, from an unknown user.

In the message, the user claimed that a certain celebrity was having an affair with another celebrity. Unknown to the user, I happen to know former and I alerted that celebrity.

A day after that, the user deleted her account! Fortunately, I saved a screenshot of the message.

Coincidentally, I found that someone had searched for the celebrity’s name on the day the message was sent and landed on my blog. My blog captured the transaction, together with the Internet Protocol (IP) address, time-stamp and other details. It was the only transaction searching for the celebrity’s name.

There was also a record to show that the user clicked on the link to my blog’s Facebook page. From this, there is a possibility that the author had found my blog using the celebrity’s name (and my blog appears on the first page of search results) and decided to send me that message.

A query on the IP address shows that the user resides in Malaysia and is thus subject to the laws of Malaysia. The celebrity may file an action in court to obtain the user account details of the IP address if she wishes to. Alternatively, she may make a police report against that person.

The lesson of the story is: If you want to do naughty things online, remember to mask your tracks (e.g. by using proxies); otherwise the law will come knocking on your door. Internet trolls have been living amongst us and many still roam the streets of cyberspace.

This brings me to the topic of this article: Section 233 of the Communications and Multimedia Act 1998.

Section 233 makes it an offence to post any content which is obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person.

Anyone who does so is liable to a fine not exceeding RM50,000 or to imprisonment for a term not exceeding one year, or both, and shall also be liable to a further fine of RM1,000 for every day during which the offence is continued after conviction. It’s a widely used tool by law enforcers to nab Internet trolls.

[RM1 = US$0.32]

What amounts to obscene, indecent, false, menacing or offensive in character is quite wide. Making prank emergency calls (PP v Sow Kuen Chun; Criminal Case No. 63- 01- 2008); and insulting the Sultan (PP v Muslim bin Ahmad; [2013] 1 AMR 436); offensive comments (Nor Hisham Bin Osman v PP; Criminal Case No: MTJ(2)44-14-2010)), and (PP v Rutinin Bin Suhaimin (Criminal Case No. K42-60-2010)) are examples where people were charged under Section 233.

[Click links above to download case files]

PP v Muslim bin Ahmad and PP v Rutinin Bin Suhaimin are both recently decided cases and they relate to the Perak constitutional crisis. Both men had allegedly posted offensive comments towards the Sultan of Perak after Barisan Nasional took over the state of Perak. Both men alleged that they did not post the comments, notwithstanding that the IP addresses point to them.

Muslim bin Ahmad was acquitted by the Sessions Court and Rutinin bin Suhaimin was discharged by the Sessions Court without his defense being called. The prosecution had apparently failed to show that the persons who posted the offensive comments were the accused.

I am told that the impact of the said Sessions Court decisions was one of the reasons why Section 114A of the Evidence Act 1950 was introduced – that is, to facilitate the prosecution in proving the identity of the maker.

To recap, under Section 114A, a person is deemed to be a publisher of a content if it originates from his or her website, registered networks or data processing device of an Internet user unless he or she proves the contrary.

This new law sparked a massive online protest dubbed the Malaysia Internet Black Out Day or also the Stop114A.

However, the High Court subsequently overturned said Sessions Court decisions. Rutinin Bin Suhaimin’s defense was called. Interestingly, the learned High Court judge was of the view that calling the Sultan of Perak names has the tendency to cause annoyance or abuse to any person, thus falling within the ambit of Section 233.

Muslim Bin Ahmad was handed a fine of RM10,000 for each charge and six months’ imprisonment. He pleaded for a “binding over order” (released on probation).

However, the learned High Court Judge warned that a binding over order “would send the wrong message to would be offenders and the public at large that offensively uncontrolled and virulent comments can be indiscriminately posted on the Internet without any or serious repercussions. And that is not a message that this court would like to send out.”

Surprisingly, Section 114A of the Evidence Act 1950 was never relied on by the Courts. In fact, the High Court in PP v Rutinin Bin Suhaimin said that 114A is not applicable because the postings were made before the enforcement date of 114A (July 31, 2012).

This ruling is interesting as it may be a defense for website owners who can argue that 114A does not apply to posting made by their users prior to July 31, 2012.

Nevertheless, these laws and cases serve as a reminder that the Internet is not a ‘wild, wild west.’ Netizens need to be accountable for what they say. Further abuse by netizens attracts further legislations by Government.

Unfortunately, website owners now face the brunt of 114A due to the actions of their users. Their pleas for the repeal or amendment of 114A are still unanswered.

Bread & Kaya: Attention e-commerce businesses: Fraud, the law and you

My Bread & Kaya’s second column was published on Digital News Asia on 29 January 2013.


Attention e-commerce businesses: Fraud, the law and you
Jan 29, 2013

– A new law to protect users of online trading portals goes into effect July 1
– While it may cost them a bit, operators of such businesses will have to comply

Bread & Kaya by Foong Cheng Leong

E-COMMERCE is booming in Malaysia. Euromonitor International estimated that Internet retailing in Malaysia reached RM842 million (US$268.3 million) in 2011; Goldman Sachs forecasts that e-commerce in Malaysia is projected to hit RM3.4 billion (US$1.1 billion) this year with a 30% year-on-year growth.

Notwithstanding such growth, online fraud is rampant in Malaysia. If you scour our online auction or listing websites, you’ll find many dodgy sellers and buyers selling or offering to buy products and services.

But the long arm of the law recently caught Mohd Yunus Jan Muhammad for approaching six victims who had advertised to sell their gadgets through an Internet trading portal, by posing as a customer and setting up appointments. At these meetings, he would grab the merchandise and flee. He was sentenced to one year’s jail. The Court also fined and imposed a whipping on Mohd Yunud.

Sometime in 2011, the Ministry of Domestic Trade, Co-operatives and Consumerism proposed that the Electronic Commerce Act 2006, an act that regulates online commercial transactions, be amended to regulate the online market place industry. I am told that consultation was held with the industry and I understand that some industry players had taken steps to lobby against the amendment.

In April 2012, its minister Datuk Seri Ismail Sabri Yaakob announced that the amendment would ensure that electronic transactions could be done in a safer and secured environment.

The law came about in the form of the Consumer Protection (Electronic Trade Transactions) Regulations 2012 (“Regulation“), a regulation under the Consumer Protection Act 1999.

The Regulation will be in force on July 1, 2013. Under this Regulation, an online marketplace operator is required to, among others, provide their full details, terms of conditions of sale, rectification of errors and maintenance of records.

The new law applies to two (2) types of persons namely:

– A person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace (“Online Business Owner“). “Online marketplace” means a website where goods or services are marketed by third parties for the purpose of trade. This may include your typical blog shops and sellers with accounts with eBay, Lelong and Mudah online stores.

– A person who provides an online marketplace (“>Online Marketplace Operator“). This may include group buying websites operators such as GroupOn, auction and listing websites such as eBay, Lelong and Mudah, and online shopping websites where third party products as sold such as Zalora.

Online business owners

Under the Regulation, Online Business Owners shall disclose on the website where the business is conducted and the following information, failing which the operator commits an offence.

  1. The name of the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace, or the name of the business, or the name of the company.
  2. The registration number of the business or company, if applicable.
  3. The e-mail address and telephone number, or address of the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace.
  4. A description of the main characteristics of the goods or services.
  5. The full price of the goods or services including transportation costs, taxes and any other costs.
  6. The method of payment.
  7. The terms and conditions.
  8. The estimated time of delivery of the goods or services to the buyer.

Any person who discloses or provides the above information that he knows or has reason to believe is false or misleading, commits an offence.

Online Business Owners shall also:

  • – provide the appropriate means to enable the buyer to rectify any errors prior to the confirmation of the order made by the buyer; and
  • – shall acknowledge receipt of the order to the buyer without undue delay.

The order and the acknowledgement of receipt shall be deemed to have been received by the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace and the buyer, respectively, when the person and the buyer are able to access to such order and the acknowledgement of receipt.

The Online Marketplace Operator shall take reasonable steps to keep and maintain a record of the names, telephone numbers and the address of the person who supplies goods or services in the online marketplace, for a period of two years, failing which an offence is committed.

In addition to the terms and conditions, Online Business Owners and Online Marketplace Operators must comply with the Notice and Choice Principal provided by Personal Data Protection Act 2010 by inserting a privacy notice, in the National and English languages, on their website before the collection of any personal data.

Extra costs for businesses

Although this law seeks to protect consumers from unscrupulous traders, the introduction of this new law increases the startup costs and cost of operation of an e-commerce business.

Engaging lawyers to draft terms and conditions for e-commerce businesses can be expensive. But it is something any e-commerce business should invest in to protect themselves and their users.

The new law doesn’t specify in detail how the terms and conditions should be. Therefore, one can have a very simple set of terms and conditions.

Alternatively, one may opt to adopt the terms and conditions of other e-commerce businesses provided that one is well versed in drafting and amending agreements. But one should take note that every set of terms and conditions is customized for specific businesses.

It would be ideal if we have affordable online services to draft terms and conditions and privacy policies for SMEs (small and medium enterprises) like SnapTerms, which allows start-up companies the opportunity to customize their website’s terms and conditions without having to pay the fees typically associated with having the documents drafted by a lawyer.

But one must bear in mind that SnapTerms is a service provided by people who are well versed in the laws of their country and perhaps not Malaysia.

To digress a little, e-commerce businesses should also protect their intellectual property such as their trademarks, copyright and patents. These rights are registerable and one can protect these rights in Malaysia by filing them with the Intellectual Property Corporation of Malaysia or MyIPO.

Other than that, it is pertinent to protect your brand from being taken in well-known social media websites like Facebook and Twitter. You can use Knowem to check for the use of your brand, product, personal name or username instantly on over 550 popular and emerging social media websites.

Closing

The introduction of laws to track and record Internet transactions is nothing new. Last year, Section 114A of the Evidence Act 1950 and Cyber Centre and Cyber Cafe (Federal Territory of Kuala Lumpur) Rules 2012 were introduced to track and record such transactions.

These laws will not be the last. I foresee that many more such laws will be introduced in the near future.

Download:
Consumer Protection (Electronic Trade Transactions) Regulations 2012

PDPA: Businesses have responsibilities and burdens

I was invited to contribute to a monthly column in Digital News Asia which I named it as Bread & Kaya. The column will have legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

My first article “PDPA: Businesses have responsibilities and burdens” was published on 31 December 2012.



Dec 31, 2012

  • PDPA comes into force Jan 1, 2013, and companies have three months to comply
  • Many have waited, and now may not have enough time to processes in place
  • Bread & Kaya by Foong Cheng Leong

    WELCOME to the inaugural Bread & Kaya column! The term is a Malaysianized version for bread-and-butter. This column aims to be your bread-and-kaya serving of legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

    You may have read some of my articles in The Star’s Putik Lada column or in LoyarBurok. If this is the first time you’re reading my articles, “Hello.”

    Without a doubt, 2013 will be an interesting year for businesses. Many new laws and regulations will be introduced, and the Personal Data Protection Act 2010 (PDPA) is one of them.

    It was reported that the PDPA would come into force on Jan 1, 2013. Businesses have three months from the date of enforcement to comply with the Act. Similarly, Singapore will have its own Personal Data Protection Act 2012 coming into force on Jan 2, 2013.

    Notwithstanding the reported enforcement date of Jan 1, 2013, there is no official government gazette confirming this as I write this column. Thus, the PDPA would still not be in force until such a government gazette is published.

    What is the PDPA?

    The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.

    A person who processes personal data is called a data user. Companies processing individual customers or employees’ personal data must comply with the PDPA.

    Under the PDPA, a data user, in processing personal data, must comply with the following principles:

    (1) General Principle;
    (2) Notice and Choice Principle;
    (3) Disclosure Principle;
    (4) Security Principle;
    (5) Retention Principle;
    (6) Data Integrity Principle; and
    (7) Access Principle.

    Failure to abide by any of the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300, 000 or to imprisonment for a term not exceeding two (2) years or to both (S. 5(2) PDPA).

    [RM1 = US$0.33]

    Under these principles, the collection and use of personal data must be consented to by the data subject and steps must be taken to ensure that the data is stored securely. The processing of personal data cannot be excessive in relation to the purpose or related purpose of which the personal data is collected.

    Adequate notice must be given to data subjects that their personal data will be processed, used, and the purpose of the same. Such notice must be in writing and in the Malay and English languages. Personal data no longer in use has to be destroyed.

    Further, personal data cannot be transferred outside Malaysia unless such a place is specified by the Government, consented to by the data subject, or is necessary for the performance of a contract between the data user and the data subject.

    The PDPA only applies to personal data processed in relation to “commercial transactions.”

    What do you need to do?

    If you are processing employees or individuals customers’ personal data, you are advised to, among others:-

  • Access how the PDPA affects your organization;
  • Prepare a privacy notice, in Malay and English, to be issued to potential and current employees or customers;
  • Prepare a Personal Data Policy to govern the processing and handling of personal data by employees;
  • Prepare a Retention Policy for employees or customers’ personal data and audit the personal data of previous employees or customers in order to dispose personal data that are no longer in use;
  • Establish a data access procedure for employees or customers to access their personal data;
  • Ensure that the storage of the employees and customers’ personal data is secure;
  • Ensure that personal data is only disclosed for the purpose in which the personal data is collected and not disclosed to unrelated parties;
  • Ensure that the relevant personnel such as Human Resource or customer relationship staff are adequately trained in data protection laws and practice;
  • Review data collection forms so that personal data is not collected excessively; and
  • Ensure that personal data are transferred overseas lawfully.
  • Consent

    The word consent is not defined in the PDPA. However, in early December 2012, Deputy Minister of Information, Communications and Culture Datuk Joseph Salang announced that “whenever consent is required for data processing, it’ll have to be given expressly rather than impliedly or be assumed.”

    This would mean that there must be some sort of active communication between the parties. For example, if a company wishes to obtain more information about an individual, the former would need to get the individuals’ express consent by contacting the individual.

    In this regard, all companies will need to ensure that all possible purposes for processing the personal data are set out before the collection of the data. Additional procedures may need to be established to ensure consent is captured.

    Express consent can be gained in a variety of ways — for example by filling in a form, ticking a box on a website, over the phone and face-to-face.

    Although express consent seems to give individuals added protection, this is not necessarily true. Malaysia’s restricted view on the definition of consent will have an impact on businesses and individuals. Additional cost will be incurred in establishing new procedures and practices such as new forms, storage, impact analysis and compliance exercises. Individuals may also be swamped with requests for consent from time to time, although the individual would ultimately consent.

    Companies will need to wait for individuals’ express consent before they can roll out new projects.

    To give an example on how the PDPA will affect business:

    Company X wishes to roll out a new security system to enter the office. The system utilizes the employees’ personal data as unique identifiers. In view of the express consent requirement, Company X will need to get the employees’ express consent to use employees’ personal data. If certain employees refuse to do so, such system cannot be fully utilized.

    In the event that a data subject disputes that express consent had been given, the data user will need to show that express consent had been given. Assuming that we adopt the implied consent regime, it is arguable that a data subject had implied consent to processing of personal data if the data subject uses the data user’s services.

    However, with express consent, evidence must be provided and this may be difficult, especially in electronic transactions.

    In such a case, Section 114A of the Evidence Act 1950 may be helpful to data users as it puts a presumption of publication by a person if his or her name appears on a particular content. The affected individual will need to prove that he did give express consent. This may be costly, highly bureaucratic and time consuming.

    Closing

    The PDPA is supposed to bring an end to unsolicited communication, but it will cause drastic changes to Malaysian businesses.

    Much valuable commercial data will be lost due to the PDPA. It is noted that many Malaysian industries had taken the wait-and-see approach. This is alarming considering that three months to comply with the PDPA will probably be not enough.

    The Personal Data Protection Department recently issued Malaysian Personal Data Protection Department’s Public Consultation No. 2/2012 entitled “Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees” which sets out the class of data users that is required to register with the Commission. [Click here to download].

    The release of such consultation paper is commendable. I hope that the Commission or the Personal Data Protection Department will issue more of these consultation papers and guidelines on the interpretation of the PDPA.

    1 2  Scroll to top