Malaysian Communications and Multimedia Commission and Privacy

Recently, tech blogger Keith Rozario created the website, a platform to allow people to check if they were affected by the data leakage of 46.2 million mobile phone subscribers. The website allowed users to key in their identity card number and informed them whether they were affected by the leakage. If they were affected, the website yielded a masked mobile number. Some users have complained that those masked numbers do not resemble their mobile numbers.

The Malaysian Communications and Multimedia Commission (MCMC), under s. 263 of the Communications and Multimedia Act 1998 (CMA), directed internet service providers to block the website on the ground that it had contravened s. 130 of the Personal Data Protection Act 2010 (PDPA). S. 263(2) of the CMA and s. 130 of the PDPA provide the following:

Section 263. General duty of licensees.

(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.

130 Unlawful collecting, etc., of personal data

(1) A person shall not knowingly or recklessly, without the consent of the data user-

(a) collect or disclose personal data that is held by the data user; or

(b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows-

(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data-

(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or

(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if-

(a) he has collected the personal data in contravention of subsection (1); or

(b) he subsequently collects the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

In the Personal Data Protection Commissioner Khalidah Mohd Darus’s media statement dated 17 November 2017, the Commissioner stated that was blocked because it had contained personal data which had been collected without the consent of the data user pursuant to s. 130 of the PDPA. The Commissioner then advised members of the public to be vigilant when sharing personal data with others, among others.

Unfortunately, Keith Rozario decided to close upon being blocked. It would be interesting if he had filed an action to challenge the blocking order. So far, there is no reported case on anyone challenging a “blocking order” by MCMC in Court.

There ought to be checks and balances against such blocking orders. Under s. 10A of the Sedition (Amendment) Bill 2015, the Public Prosecutor must make an application to a Sessions Court Judge to direct an officer authorised under the Communications and Multimedia Act 1998 to prevent access to any seditious publication. Likewise, s. 263 of the CMA should be amended to reflect such checks and balances.

I was interviewed by The Star, in my personal capacity (not on behalf of Bar Council, as earlier reported by The Star), on this issue. In The Star’s article dated 18 November 2017 entitled “ only provides information, does not allow data download”, I was asked whether was in contravention of s. 130 of the PDPA. I replied:-

did not breach Section 130 of the Personal Data Protection Act 2010 (PDPA), says the Bar Council cyber law and information technology committee.

The committee’s co-chairman Foong Cheng Leong said the website was merely a platform for users to check whether their personal data had been leaked or breached.

“Currently, the Malaysian Communications and Multimedia Commission (MCMC) is blocking the website for breaching Section 130 of the PDPA for unlawful collection of personal data.

“If the website allows people to download the personal data of others, then it will be a violation of PDPA.

“Therefore, the website did not violate the PDPA,” he said when contacted yesterday.

In The Star’s article dated 31 October 2017 entitled “M’sia sees biggest mobile data breach”, I added:-

“..assuming that the leak was after the enforcement of the Personal Data Protection Act 2010, there might have been a breach of the Act’s Security Principle by the data users.

The Security Principle requires data users to process personal data securely, but there is not much customers can do other than file a complaint with the Personal Data Protection Commissioner.”

There may be a recourse against the telecommunication companies for negligence i.e. failing to ensure that the subscribers’ personal data are adequately protected. In an article dated 20 November 2017 in The Other, I said:-

For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”

A company is currently being investigated for causing the said personal data leakage.

On a separate issue, in The Star’s article dated 26 November 2017 entitled “Going full force to enforce Act”, the Personal Data Protection Commissioner stated that 3 companies have been fined for contravening the PDPA.

The Commissioner added that mobile applications are not required to be registered under the PDPA. But the operators must comply with the PDPA since they process personal data in commercial transactions.

I was asked to comment on this issue. I said:-

“An individual has a right under the PDPA to request a copy of the personal data processed by the data user.

“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.

“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.

Foong urges the public to always be aware of what companies will use their data for by reading the privacy policy.

“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.

Bread & Kaya: Malaysian cyberlaw updates in 2015

By Foong Cheng Leong | Apr 04, 2016

– New, complex cases emerged, and Parliament enacted new laws
– With the advent of the TPPA, we can expect more changes

IN 2015, industry regulator the Malaysian Communications and Multimedia Commission (MCMC) reported that 10 people were convicted of offences under Section 233 of the Communications and Multimedia Act 2010 for, among others, disseminating pornographic material. MCMC also ordered 1,074 pornography websites to be blocked.

There were important developments in Malaysian and global cyberlaws in 2015. New, complex cases emerged in our courts, and Parliament enacted new laws to combat ‘negativities’ created by social media.

Facebook, Twitter and Google

As usual, our most popular online platforms caused rifts and problems. Fortunately, Deputy Communications and Multimedia Minister Jailani Johari stated that MCMC has no plans to require Facebook or any social media users to register with MCMC.

This is because of the cost involved and the risk that such a database may be hacked (see Hansard dated 15.12.2015).

In Mohd Desa bin Ahmad & 1 lagi v Hazudin bin Hashim & 2 lagi (Malacca Sessions Court Civil Suit No: A51-02-01-2015), the Malacca Sessions Court struck off a defamation suit initiated by a couple against the Yang Dipertua Majlis Perbandaran Jasin, Jasin Municipal Council and the Malacca State Government.

The couple alleged that the Jasin Municipal Council had uploaded pictures of their premises being seized for allegedly failing to pay assessment tax on the Yang Dipertua Majlis Perbandaran Jasin’s Facebook page. The Facebook posting allegedly went viral.

The Sessions Court however struck out the plaintiffs’ suit on the grounds that the plaintiffs had failed to identify who in the Jasin Municipal Council had uploaded the pictures. The Jasin Municipal Council and the Malacca State Government are not individuals, hence they cannot upload the pictures, and the plaintiffs ought to have named the individuals who had uploaded the pictures.

In PP v Yuneswaran a/l Ramaraj (Criminal Appeal No: J-09-229-09/2014), the accused was charged under Section 9(5) of the Peaceful Assembly Act 2012 (PAA) for failing to give at least 10 days’ notice before the Black 505 Rally was scheduled to have been held, to the Officer in Charge of the Police District (OCPD) of Johor Baru Selatan.

The notice had only been submitted to the OCPD on the day of the rally and was signed by the accused, Yuneswaran.

The accused had denied he was an organiser within the meaning of Section 3 of the PAA as the assembly was organised by the Majlis Pimpinan Negeri Parti Keadilan Rakyat, Negeri Johor (PKR Negeri Johor), chaired by Chua Jui Meng, and he had only signed the form on behalf of Chua.

However, the Sessions Court Judge held that he falls within such definition as he had filled up and signed the notification and announced the upcoming assembly using his Twitter feed and Facebook page, both of which would serve to invite the members or public and likely cause them to attend the assembly.

In addition, the Court of Appeal held that Section 9(5) of the PAA is not unconstitutional (thus departing from the earlier Court of Appeal case of Nik Nazmi Nik Ahmad v PP [2014] 4 CLJ 944), and the sentence against Yuneswaran was upheld.

In Network Pet Products (M) Sdn Bhd v Royal Canin SAS & Anor (Civil Appeal No. W-02(NCC)-1454-06/2013), there was a contractual dispute between the parties.

In this dispute however, the first defendant, being the brand owners of Royal Canin, filed a suit against the plaintiff for passing off and using the Royal Canin mark in a Facebook page opened by the plaintiff. The first defendant was successful and the High Court further directed the Facebook account to be deactivated.

The Court of Appeal overturned the High Court’s decision and held that there was no passing off. The Court of Appeal was of the view that the evidence disclosed showed that the first defendant was aware of the activation of the Facebook account from the start and had allowed it to continue.

In any event, the alleged confusion in the use of the Royal Canin mark simply did not exist. There was no confusion in the use of the mark in trade in the traditional sense of ‘passing off.’ The mark was used as denoting products belonging to RCSA. There was no attempt to pass off the first defendant’s products as the plaintiff’s products.

Interestingly, there was a dispute over the ownership of Facebook pages in the Singapore case of Lee Kien Meng v Cintamani Frank [2015] SGHC 109.

The plaintiff sought a declaration that he is the owner/sole administrator of the Men’s Fashion Week and Women’s Fashion Week Facebook pages. The Singapore High Court had reservations on declaring whether a Facebook page could be considered ‘property.’

Facebook Inc has control over the pages and has an unfettered right to remove Facebook pages. This control was strongly suggestive that the plaintiff did not own the Facebook pages above. If he did, he would not require the consent of Facebook Inc before he transferred the Facebook pages and Facebook Inc would not be able to remove the Facebook pages at its own discretion.

The case however did not discuss whether a Facebook page can be considered a transferable software licence.

Last year, I wrote that in Amber Court Management Corporation & Ors v Hong Gan Gui & Anor [2014] 1 LNS 1384, the management corporation of Amber Court Condominium and its council members sued two unit owners of the condominium for allegedly defaming them on Facebook.

The High Court struck out the case after finding that a management corporation has no powers to do so under the Strata Titles Act 1985 and common law. The case went up to the Court of Appeal and the Court agreed with the High Court’s views and dismissed the appeal (see Amber Court Management Corporation & Ors v Hong Gan Gui & Anor W-02 [IM] [NCVC] 1840-10/2014).

Last year, I also reported that the Federal Court in Titular Roman Catholic Archbishop Of Kuala Lumpur v. Menteri Dalam Negeri & Ors [2014] 6 CLJ 541 did not endorse Internet research by Judges on their own motion.

Notwithstanding that, in Siti Nur Syahira Binti Abdullah & Ors v Kamri Bin Jini & Ors (Civil Appeal No. KCH-12B-13/11-2014), the learned High Court Judge stated that he “googled” for certain information (at page para 10 – “Based on what I have googled, the width of a Kancil is 1395 mm [1.4 metres]”).

WhatsApp and Yahoo Chat

Instant messaging has taken on new importance in legal practice and the courts.

In Mok Yii Chek v. Sovo Sdn Bhd & Ors [2015] 1 LNS 448, the High Court finally addressed the admissibility of WhatsApp messages. The learned High Court Judge found that such messages are a document under Section 3 of the Evidence Act 1950 and admissible if agreed to by both parties.

Even if one party doesn’t agree, such a document can be admitted in Court if it meets certain criteria. Such criteria include whether there is oral evidence that the messages were produced by the computer in the course of the ordinary use of the computer (see Para 24). In this case, a screenshot of the messages would be admissible.

In Ram Kumar a/l Gopal Ram and Anor v Ram Kailash a/l Gopal Ram (Civil Suit No: 22NCVC-317-06/2014), the Court dealt with WhatsApp conversations.

In this dispute between two brothers over a piece of property, the elder brother and his wife (plaintiffs) alleged that they had an arrangement where they would buy the property in the younger brother’s name (defendant). They sought a court order to declare that fact.

However, the defendant claimed that the property was bought as a wedding gift for him. In a bid to strike out the case, the defendant tried to use the WhatsApp conversation between himself and his sister-in-law against the plaintiffs.

However, the Court held that the WhatsApp conversation was insufficient to show that the plaintiffs’ case was plainly and obviously unsustainable.

In Alliance Bank Malaysia Berhad v. Amrou Bakour [2015] 1 LNS 666, the High Court Judge refused to grant a further adjournment on the ground that the defendant is uncontactable.

The Judge stated it is highly improbable that the defendant’s lawyer could not contact the defendant in this electronic age when communication can be effected instantaneously by telephone, facsimile, email, short message system (SMS), WhatsApp and other modes of electronic communications.

In Rina Simanjuntak v PP (Criminal Appeal No: P-05-256-09/2014), a Yahoo Messenger Chat log saved the life of Rina Simanjuntak who had been sentenced to death by the High Court for drug trafficking.

The Court of Appeal held that the High Court ought to have considered the Yahoo Messenger Chat between her and one Dr Jossy, who was her boyfriend and had sent her to India to collect samples of children’s clothes.

The Yahoo Messenger Chat was sufficient to prove that Rina was an innocent carrier and she had no knowledge that she had been carrying drugs.

Our local court cases also revealed that Malaysian youth had been influenced through social media to join the Islamic State (ISIS) as fighters.

In Pendakwa Raya v Mohd Syafrein Rasid [2015] 1 LNS 943, the accused was charged under Section 130J of the Penal Code for attempting to support the Islamic State and attempting to be a member of the same.

It was revealed in this case that the accused was influenced by what he saw about the war in Syria on Facebook. He even joined a few WhatsApp groups which had members sharing information about the Islamic State and their movement in Syria.

He then decided to travel out from Malaysia to join the Islamic State but was caught at the Immigration counter at the Kuala Lumpur International Airport. He pleaded guilty and was sentenced to two years’ imprisonment.

New cyberlaws and amendments

The Malaysian Government has introduced the Sedition (Amendment) Bill 2015 which, among others, creates liability on website operators such as online forums, online news portals, and even Facebook page/ group owners.

The new Section 10(5) of the Sedition Act 1948 compels a person who knowingly has in his possession, power or control a prohibited publication by electronic means, to remove or cause to be removed, such publication – failing which, he shall be liable to a fine not exceeding RM500,000 (US$137,000) or imprisonment not exceeding three years, or both.

As per the new Section 10(1), a Sessions Court Judge, on the application by the Public Prosecutor, can make an order to prohibit the making or circulation of certain seditious publications (that are likely to lead to bodily injury, damage to property, promote feelings of ill will, etc.).

Any person making or circulating the prohibited publication shall remove or cause to be removed that publication, or be prohibited from accessing any electronic device. Any person who fails to do so shall be liable to a fine not exceeding RM500,000 or to imprisonment not exceeding three years, or both.

There is also news that the Communications and Multimedia Act 1998 will be amended but the details of the amendments are still vague.

However, the new amendments have also been rumoured to include harsher sentences and restrictions on social media users in posting comments or opinions online.

The Bar Council has called for the repeal of Section 233(1)(a) of the Communications and Multimedia Act 1998 as it is a serious encroachment on the freedom of speech and expression guaranteed by Article 10(1)(a) of our Federal Constitution.

Before the dispute on the legality of the sale of vaping products started, the Malaysian Government introduced a new law to prohibit the sale of tobacco products (Reg 10 Control of Tobacco Product (Amendment) Regulations 2015).

Any person who does so shall be liable to a fine not exceeding RM10,000 or imprisonment for a term not exceeding two years, or both. Any person who is thinking of launching a startup to sell and deliver cigarettes online can now bin that idea.

Online harassment

Last year I wrote about the passing of the Singapore Protection from Harassment Act 2014. Prominent blogger Xiaxue was the first or one of the first persons who took advantage of this new law by putting in an order against the operators of the satirical Facebook page SMRT (Feedback).

The Singapore Government tried to invoke the new law to protect itself from harassment but the Court held that the protection is not available to the Government (Ting Choon Meng v Attorney-General and another appeal [2015] SGHC 315).

Sadly, the Malaysian Government has not introduced such laws to protect individuals from harassment. It is noted that Section 233 of the CMA does provide some form of protection from harassment, but it is limited to electronic harassment which is obscene, indecent, false, menacing or offensive in character.

I later found out the Singapore anti-harassment law was ‘inspired’ by the online harassment against the son of prominent Malaysian bloggers Timothy Tiah and Audrey Ooi (Fourfeetnine).

In Ooi’s blog, she quoted the Singapore Minister of Law as stating: “In another case, cyberbullies targeted the baby of a blogger. The blogger had given birth prematurely because there was a life-threatening condition during the pregnancy. Cyberbullies called her baby an ‘alien’. They said the baby should be euthanised. This was really quite sickening behaviour. It comes from basic bullying instincts of some, unchecked by any notion of civil conduct, and aided by anonymity.”

It is unfortunate that our Government had not introduced any new law to address this problem, notwithstanding that such harassment is happening to fellow Malaysians.

Nevertheless, the Court of Appeal did recognise sexual harassment as an actionable tort – that means one can file a civil suit against the harasser instead of filing a report with the authorities such as the police or MCMC.

In Mohd. Ridzwan Bin Abdul Razak v Asmah Binti Hj. Mohd. Nor [2015] 4 CLJ 295, the Court of Appeal held that sexual harassment falls within the category of tort of intentionally causing/ inflicting nervous shock.

With this case, it is arguable that harassment may be actionable in Court if it fulfils the element of tort of intentionally causing/ inflicting nervous shock.

Ride-sharing, other developments

The year 2015 finally saw the battle between app-based transportation network companies such as Uber and local taxis arriving in Malaysia.

On Aug 7 2015, Malaysia’s Land Public Transport Commission (SPAD) announced on its Facebook page that it had seized 12 cars alleged to have been providing public vehicle services without a licence, under Uber and GrabCar.

Local taxi drivers had also taken matters into their own hands by ‘arresting’ Uber and GrabCar drivers in the Kuala Lumpur City Centre (KLCC) area.

While the battle is still ongoing in Malaysia, the Singaporean Government introduced a new law called the Third-Party Taxi Booking Service Providers Act 2015.

The Act is designed for a ‘light-touch approach’ and imposes only the basic requirements necessary to protect commuter interests and safety, but at the same time it aims to preserve the fundamental tenets of Singapore’s taxi regulatory policies (see Third-Party Taxi Booking Service Providers Act 2015 Comes Into Force On 1 September 2015 by Drew & Napier, PDF).

In the lead-up to the Bersih 4 demonstration [which called for the resignation of Prime Minister Najib Razak as well as institutional reforms – ED], the websites and were ordered to be blocked by MCMC on the grounds that they “violate national laws.”

Although the blocking order, purportedly under Section 263(2) of the Communications and Multimedia Act 1998, had been made for some time, activists and the media started to question MCMC’s moves. No actual offence needs to be committed but an attempt is sufficient to enable MCMC to act against a website.

Nevertheless, the block against was subsequently lifted after its operator issued a letter of demand to MCMC to lift the block.

Nevertheless, I am made to understand that the amendment to CMA will include express powers to block certain websites.

In closing …

With the advent of the Trans-Pacific Partnership, we can expect more changes to our laws. The Trans-Pacific Partnership Agreement (TPPA), of which Malaysia is a signatory, will require signatories to amend their laws to comply with the provisions of the TPPA.

The TPPA includes a specific section on electronic commerce (e-commerce). For example, a signatory to the TPPA shall not deny the legal validity of a signature solely on the basis that the signature is in electronic form.

There are also provisions to deal with personal information, online consumer protection and electronic spam.

First published on Digital News Asia on 4 April 2016.
