Personal Data Protection Act 2010

Malindo Air’s Data Breach

I was asked to comment on Malindo Air’s latest data breach incident by South China Morning Post, The Malaysian Reserve and Global Data Review.

Malindo Air, a subsidiary of low-cost airline Lion Air, has suffered a massive data breach, resulting in the information of millions of passengers – including passport details, home addresses and phone numbers – being leaked onto data exchange forums last month.

In South China Morning Post’s article titled “Malindo Air confirms data breach, exposing millions of passengers’ personal data”, it was reported-

Cyber law and technology lawyer Foong Cheng Leong said that companies in breach of Malaysia’s Personal Data Protection Act are not under any legal obligation to notify the authorities, the public, or the victim of the leak, although this lacuna is being reviewed.

“There is no data breach notification rule in Malaysia under this Act. However, there is of course a moral obligation on the part of the company to notify the subject and the public,” said Foong.

Unfortunately in Malaysia these data breaches happen often, but if nobody knows about it nothing happens. During past breaches, there were some investigations but no prosecutions and no repercussions.

In the Malaysian Reserve’s article titled “Experts call for tougher law on data breach as Malindo Air becomes latest victim”, I said-

“There should be a data breach notification law. Data subjects have the right to know that their information has been compromised and take steps to secure the data,” Bar Council’s information technology and cyber laws committee deputy chairman Foong Cheng Leong told The Malaysian Reserve in an earlier report.

He added that the Personal Data Protection Commissioner had introduced a consultative paper to propose the mandatory disclosure, but the progress has been muted so far.

Currently, parties suffering from a data leak in Malaysia are not obliged to notify the authorities or the victims.

“In Europe, under the general data protection regulation, any companies including foreign firms with an office and/or serve the European region are required to lodge a report of any data breach within 72 hours.

“Organisations face the risk of a fine up to 4% of global revenue in the event of a data breach,” Foong said.

Lastly, in Global Data Review’s article titled “Lion Air Group data breach affects more than 30 million customers”, it was reported-

Foong Cheng Leong, a partner at Foong Cheng Leong & Co in Kuala Lumpur, said Malindo Air may have fallen foul of the country’s Personal Data Protection Act. This can attract criminal sanctions: a fine up to 300,000 ringgit (€65,000) and prison sentences of up to two years.

In spite of this, Leong said enforcement may not be forthcoming. He said that the government has yet to make a prosecution under the law for a data breach in spite of “numerous high-profile data breaches” in Malaysia since the law came into force.

….

Leong said Malindo Air might be liable under other data protection laws in the region. “However, it is not known if the data protection authorities will take or have the power to take any action against Malindo Air”, he said.

Leong said that the issue has drawn attention to the absence of notification requirements in Malaysia’s data protection law.

Pay just RM150 for details of 200,000 people, RM350 for 10 million

I was interviewed by Free Malaysia Today on the issue of the unlawful sale of personal data in Malaysia which is an offence under the Personal Data Protection Act 2010 (PDPA), in particular, s. 130 of the PDPA.

A lawyer told FMT that the sale of personal data is not surprising.

Foong Cheng Leong, who chairs the Kuala Lumpur Bar’s information technology committee, said while the sale of data is common, it is no longer done as openly as before due to PDPA which came into force in 2013.

But he said enforcement has been poor.

Despite media reports on data breaches such as the leakage of millions of mobile phone numbers two years ago, no action has been taken, Foong said.

In 2017, mobile phone numbers, identification card numbers, home addresses, IMEI and SIM card data of 46.2 million customers of at least 12 Malaysian mobile phone operators were leaked online.

“We do not know why there has been no prosecution. Perhaps due to the difficulty of conducting a data leakage investigation, data may be held by numerous data processors and rogue employees may have accessed them without permission,” said Foong.

E-hailing firms must protect data

I was interviewed by The Star and Free Malaysia Today on an e-hailing firm’s new user requirement to submit a “selfie” for verification purposes.

In The Star’s article titled “E-hailing firms must protect data”, it was reported-

Weak enforcement of the Personal Data Protection Act (PDPA) has made it vital for e-commerce firms and e-hailing providers to protect such information, according to the Bar Council.

Its Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong said there had not been much news on the enforcement of the Act.

“There were cases of companies being fined, but high-profile cases such as the data breach involving telecommunications companies two years ago have yet to be resolved,” he said.

Welcoming the requirement of selfie verification on e-hailing passengers as an effective mechanism to protect the drivers, he said those concerned with data privacy breaches could not do much if they wanted to use the service.

Foong’s comments were in light of the concerns over data privacy following a law introduced by the Transport Ministry in July last year, requiring passengers to submit their identity credentials upon registration with any e-hailing platform.

While in Free Malaysia Today’s article titled “Password better than selfie for Grab driver safety, says consumer group”, it was reported-

Foong Cheng Leong, a lawyer, says the requirement does not run afoul of the Personal Data Protection Act 2010 as it involved obtaining the user’s consent.

“The use of Grab or any ride-hailing service is optional. Those who do not wish to submit their picture may opt not to use the service.”

In addition to the above, I would like to add that the submission of a “selfie” can be a concern if there is a high risk that the data is misused. The selfie can be paired with other data for profiling purposes. Such data can be used for surveillance purposes, matching with other data, etc.

Perhaps such providers should announce how, in detail, personal data is protected, where exactly it will be stored, what measures are taken to ensure data is safe, and report whenever there is a data leakage or third party request. Most data users publish such information on their privacy policy. However, most data users publish very general information and the bare minimum, as required by the Notice & Choice Principle provided by the Personal Data Protection Act 2010.

Since it is mandatory for e-hailing users, the only choice available for users now is to not use such e-hailing services unless there is a change in policy. Users should consider filing a complaint to the Personal Data Protection Commissioner or Transport Ministry over the new rules.

Bread & Kaya: 2018 Malaysia Cyber-Law And IT Cases – Cyber-Defamation


By Foong Cheng Leong
April 26, 2019

  • In cyber-defamation cases, the High Court has granted damages between RM50K and RM100K
  • Court assumes that you have published something if it originates from your email, Facebook, etc

IN THIS second of a four-part series, I will talk about the rise of cyber-defamation. The number of cyber-related tort cases filed in the Kuala Lumpur High Court in 2018 increased to over 60 from over 50 cases. Most of these cases were related to cyber-defamation.

The Court dealt with numerous defamatory online postings that went viral. In these cases, the High Court has granted damages between RM50,000 and RM100,000.

In Datuk May Phng @ Cho Mai Sum & 2 Ors v Tan Pei Pei [2018] 4 AMR 784, HC, the High Court was tasked to assess the damages to be granted to the Plaintiff against the Defendant for publishing defamatory statements in an email to at least four recipients.

It was not disputed that the said email has been circulated among the public via the internet to as many people as possible and the Defendant invited the recipients to read and spread its contents as widely as possible.

The Court held that the said e-mail was not an ordinary email directed to one person, but the said e-mail was written in the context to address the public, to have the said e-mail widely circulated among the public. Therefore, the Court was of the view that the said e-mail had been widely circulated and/or presumed to be so.

The Defendant’s attempt to prove that the e-mail was sent only to the four individuals named therein or five individuals as a whole as contemplated by the Plaintiffs does not change the scenario or fact that such publication in the internet via email is deemed to be wide circulation because the Defendant intended the wide circulation of the said e-mail based on her statements in the said e-mail where the Defendant requested the public to circulate the said e-mail.

The Court held that it is practically impossible to prove exactly to whom the said e-mail had been circulated, there is a presumption by law that such circulation over the internet is presumed to be wide publication and the onus is on the Defendant to prove the limited publication as alleged.

The High Court granted RM80,000 as general damages.

In Mohamed Hafiz Mohamed Nordin v Eric Paulsen and Another Appeal (Court of Appeal Civil Appeal No. W-02(NCVC)(W)-1668-08/2017), the Plaintiff filed an action against the Defendant for defamation arising from an article published on the internet via the website of Portal Islam & Melayu at www.ismaweb.net which went viral on social media.

The Plaintiff is the executive director of ‘Lawyers for Liberty’, a human rights lawyers’ non-governmental organisation, and a well-known human rights lawyer and activist in Malaysia.

The Defendant is a member of the Pertubuhan Ikatan Muslimin Malaysia (Isma), a non-governmental organisation established in 1997. Isma’s main focus is Islamic propagation in the country.

The Plaintiff alleged that the Defendant had uttered a defamatory statement which was published in an article entitled “Jangan Biar Eric Paulsen bebas tanpa perbicaraan” on www.ismaweb.net.

The High Court found that the Plaintiff had failed to prove that the impugned statement was defamatory as he had failed to prove that his reputation has been adversely affected and tainted. The High Court also dismissed the Defendant’s defence of justification and fair comment.

On appeal, the Court of Appeal found that the impugned statement is derogatory, calculated to incite hatred and anger amongst the multi-religious groups and ethnicity in Malaysia.

The impugned statement not only described the Plaintiff as a fraudster, a liar who incites hatred of the Islamic religion, but also as a person funded and supported by foreign entities, such as the United States of America and the European Union.

In its natural and ordinary meaning, the impugned statement meant and was understood to mean by reasonable and ordinary readers of the article that the Plaintiff is anti-Islam. Therefore, taking the bane and the antidote of the article published, the defamatory statement had only one purpose, that is, to tarnish the Plaintiff’s character and reputation.

The Court of Appeal granted damages of RM100,000.00.

In Mohd Khaidir Ahmad v. Mohd Iqbal Zainal Abidin [2018] 1 LNS 1150, the Court of Appeal upheld the High Court’s decision in finding the Defendant liable for defaming the Plaintiff on his Facebook page.

The Defendant had alleged that the Plaintiff, an Assistant District Officer of Temerloh, had abused his power and was corrupt, among others. One of the Facebook postings had an uploaded photograph of the Plaintiff, his son and car together with defamatory statements.

The Facebook postings attracted responses, negative ones at that, on his Facebook page. The allegation of abuse of power and corruption appeared to resonate with the netizens who posted their comments, generally agreeing with the same.

The Defendant denied that the words were defamatory of the Plaintiff, that they were fair comments and disclaimed responsibility for the negative comments by the netizens.

The Court of Appeal upheld the High Court’s decision in dismissing the Defendant’s defence and also upheld the damages of RM50,000 granted by the High Court. The Court of Appeal agreed with the High Court that the Defendant failed to prove that the Plaintiff had received bribes, and rejected the defence of qualified privilege as the postings were made without there being a duty to do so for they were done for his own interest, not that of the public.

Pre-action discovery – Finding out who defamed you

A pre-action discovery application is an action filed in Court against parties who are in possession of information of a wrongdoer. In usual cases, such an action is filed against a website operator, whose users had published defamatory comments, to divulge the identity of their user.

This is what happened in the case of Kopitiam Asia Pacific Sdn Bhd v Modern Outlook Sdn Bhd [2018] MLJU 1450. The Plaintiff filed a pre-action discovery application against the three Defendants after it discovered a defamatory article relating to it on the websites connected to the Defendants. The Plaintiff stated that it intends to file an action for slander of goods against certain parties and required particulars of the said parties from the Defendants.

The 1st Defendant is a company dealing with activities related to payment and top-up services via the internet portal industry. The 2nd Defendant is a company providing website registration services. The 3rd Defendant is the provider of the server hosting the website where the defamatory article was placed.

The 2nd Defendant did not object to the application subject to the information to be released being confined to only information in their possession and/or the release of the said information is within the ambit of law in particular the Personal Data Protection Act 2010.

The High Court granted the order against the 1st and 3rd Defendant as the Plaintiff had indeed stated the material facts pertaining to the intended proceedings which relates to a cause of action for slander of goods. They have also identified the persons against whom the order is sought and is likely to be a party in the subsequent proceedings in the High Court apart from specifying and describing the documents needed.

Other than a website operator, the High Court held that a domain name reseller can be compelled to divulge information of their customer.

In Nik Elin Zurina Binti Nik Abdul Rashid v Mesra.net Sdn Bhd (Kuala Lumpur High Court Suit No. WA-24NCvC-179-02/2018) (Unreported), the Plaintiff sought a pre-action discovery order against the Defendant, who was a reseller of Mynic Berhad, the sole administrator for web addresses that end with .my in Malaysia. The Defendant had assisted in the registration of the domain name Menara.my and the Plaintiff claims that Menara.my had defamed her through a few articles. The Plaintiff wanted the Defendant to divulge the identity of the owner, operator and registrant of the domain name.

The High Court allowed the Plaintiff’s application and ordered the Defendant to divulge the identity of the owner of the website.

Interlocutory injunction – Stopping a person immediately

An interlocutory injunction is an order restraining a person from doing an act pending the disposal of the matter in trial. A trial date is usually fixed a few months after a legal suit is filed. If a person wants a tortfeasor to stop publishing further defamatory statements immediately pending the disposal of the matter in trial, he can file such an application with the Court.

Any person who does not adhere to a Court order can be cited for contempt. In Maria Faridah Atienza v. Hadijah Mohamaed Mokhtar & Anor [2018] 3 CLJ 655, the High Court fined the 1st Defendant RM30,000 and sentenced the 1st Defendant to prison for two weeks after she had failed to pay the fine. The Defendant breached the Court’s injunctive order restraining her from making or publishing any statement against the Plaintiff. She had done so by publishing certain statements on her Instagram account.

In Dato’ Sri Mohd Najib Bin Tun Haji Abdul Razak v Tony Pua Kiam Wee (Kuala Lumpur High Court Suit No. WA-23CY-17-04/2017), the Plaintiff, the former Prime Minister of Malaysia, sued the Defendant, a member of Parliament of Malaysia, for defamation. The Defendant had allegedly uttered and published defamatory statements on a live video which was published as a post entitled “BN Govt abandons all Bills to give precedence to PAS RUU355 Private Member’s Bills” on his Facebook account. 

The Facebook post went viral with 82,434 video views. The Defendant has 310,256 Facebook followers. The Plaintiff also filed an application for an interlocutory injunction to stop the Defendant from uttering or publishing the defamatory statement.

The High Court granted the said application and held that the Defendant did not deny that he had published those alleged statements, and such statements are indeed defamatory.

On appeal, the Court of Appeal in Tony Pua Kiam Wee v Dato’ Sri Mohd Najib Bin Tun Haji Abdul Razak [2018] 3 CLJ 522 upheld the High Court’s decision.

[Edit: 29 April 2019 – Leave to appeal to the Federal Court (Civil Appeal No. 08(i)-107-03/2018(W)) has been granted for the following questions-

(i) Whether the test for an interim injunction in defamation proceedings laid down in The News Straits Times Press (M) Bhd v Airasia Bhd [1987] 1 MLJ 36 is good law given the freedom of expression guaranteed by Article 10(1)(a), Federal Constitution?

(ii) Whether in light of Article 10(1)(a), Federal Constitution, an application for an interim injunction in defamation proceedings to restrain the further publication of impugned statements must be dismissed where the defendant has:

(a) pleaded and particularized the defences of justification and fair comment on matters of public interest in his Defence; and/or

(b) stated, on oath, his belief as to the truth of the impugned statement, and his ability and willingness to justify the impugned statement?

(iii) Whether the fact that the Speaker of the House of Representatives had ex facie exercised powers under the Standing Orders of the Dewan Rakyat, precludes the entitlement of a plaintiff to establish at trial, the fact that the exercise of such powers was not bona fide, in private law proceedings that refer to such exercise of power?

(iv) Whether a court is entitled in private law proceedings to treat the fact of the Attorney General not having commenced prosecution under Article 145(3), Federal Constitution and/or the explanation for such decision as exonerating the impugned conduct, and such as to allow the court to further conclude by way of judicial notice under section 56, Evidence Act 1950 that no wrongdoing was committed?]

Electronic evidence

Presumption of publication – Court assumes that you’ve published it

In Thong King Chai v. Ho Khar Fun [2018] 1 LNS 374, the Plaintiff sued the Defendant for defaming him via email and a closed Facebook Group.

In determining whether the statements were published, the High Court applied the presumption of publication under s. 114A of the Evidence Act 1950. The High Court held that pursuant to s. 114A, the presumption of fact is that the email was published by the Defendant as it had originated from his email address. Similarly, there is also a presumption of fact that the Facebook posting was published by the Defendant through his Facebook account.

The High Court also applied the presumption of fact raising a prima facie inference that postcards and telegrams, in the ordinary course of events, have been published to third parties unless the Defendant proves otherwise (as held in the case of Matchplan (M) Sdn Bhd & Anor v. William D Sinrich & Anor [2004] 2 MLJ 424). Applying the decision in Matchplan to the internet age of publication by email and Facebook, the High Court found that the email and the Facebook posting were published to the persons named in the email’s address list and cc list and also to the persons who had access to the Facebook Group. The Defendant did not provide any evidence to rebut this presumption of fact.

However, the High Court dismissed the action on the ground that the statements were not capable of bearing defamatory meaning and are in fact not defamatory of the Plaintiff. Even if the statements are defamatory of the Plaintiff, the Defendant would be able to rely on the defence of justification and/or the defence of fair comment.

Admissibility of Screenshots

In Norazlanshah Bin Hazal v Mohd Dziehan Bin Mustapha (Kuala Lumpur High Court Suit No. WA-23CY-14-03/2017), the Plaintiff sued the Defendant for defaming him on Facebook.

The Defendant disputed the authenticity of the screenshots which contained the alleged defamatory Facebook posting. The learned Judicial Commissioner refused to admit the screenshots as evidence as no evidence was led as to the maker of the contents of these screenshots and none were called to testify, there was no testimony as to how the screenshots were produced although there was an admission that the documents were computer generated, and no attempt was made to admit those screenshots under s. 90A of the Evidence Act 1950.

Part 3 which focuses on cyber-crime cases and other cyber offences will be published on May 3.

First published on Digital News Asia on 26 April 2019

BFM Podcast: PROTECTING OUR PRIVACY

Gobind Singh Deo, Minister of Communications and Multimedia will consider reviewing the 9-year-old Personal Data Protection Act (PDPA) at the “Impact of EU-GDPR in Malaysia and Non-EU Countries” conference.

The act was formulated back in 2010 and since, there has been a lot of development in the area of privacy and data protection.

We speak to Foong Cheng Leong, who’s part of the Malaysian Bar committee on data protection.

Presented by: Lyn Mak, Sharidz Abdullah and Julian Ng




‘Hunt’ for critics of monarchy: So what does the law say about ‘doxing’?

I was interviewed by the Malay Mail regarding the issue of “doxing”.

“Doxing” or “doxxing”, in my opinion, is the act of harvesting and publication of personal information of a person on the Internet often with the intention to, among others, annoy, harass, humiliate, insult, threaten, intimidate, or punish the identified individual. Such personal information may be publicly available or private information. They include full name, identity card number, pictures, home or work address, contact number and email.

The act of doxing may be as a result of the act of the victim himself. Often the victim was recorded acting negatively (such as video of a road rage) and such record had gone viral on the Internet.

The act of doxing will usually result in emotional distress to the victim as the victim will be annoyed, harassed, humiliated, insulted, threatened or intimidated by that person or other person(s) being influenced to do the same. In some cases, victims of doxing have lost their jobs, moved out from their place of residence, changed their contact details or even been assaulted.

Currently, there is no specific law in Malaysia to govern doxing. In the Malay Mail article, I said-

Lawyers polled by Malay Mail conceded that doxing on its own is not a criminal offence, although it could fall under Section 233 of the Communications and Multimedia Act 1998 that handles improper use of network facilities or network service.

However, lawyer Foong Cheng Leong said this is only true if there had been publication of a comment which is obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person.

“Invasion of privacy is also possible but the information leaked must be something of a private nature — not those in the public domain like full name, identification card number and address.

“Tort of harassment is also possible but that must be something of a repeated act of harassment by the same person,” said the chairman of the Kuala Lumpur Bar Information Technology and Publication Committee.

The Malay Mail

Also read Bread & Kaya: Cyberstalking, harassment … and road rage
