s263 Communications and Multimedia Act 1998

Bread & Kaya: Dear Attorney General Tommy Thomas, we need to speak about our Malaysia cyberlaw and IT laws reforms

By Foong Cheng Leong | Jun 22, 2018

– Act is clearly against the very fundamental principal of “innocent until proven guilty”
– Need law to curb creation of fake news, especially if created to stoke racial or religious sentiments

Repeal of 114A of Evidence Act 1950

WHEN s. 114A was introduced in the Parliament in 2012, a protest was held by netizens to urge the Government to repeal s. 114A. The #stop114A campaign was held and Malaysia had it first Internet Blackout Day to protest this section.

S. 114A provides for three circumstances where an Internet user is deemed to be a publisher of a content unless proven otherwise by him or her. The relevant section, namely s. 114A(1), states that “A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host , administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”.

In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content. So, for example, if someone creates a blog with your name, you are deemed to have published the articles there unless you prove otherwise. If you have a blog and someone posts a comment, you are deemed to have published it.

Subsection (2) provides a graver consequence. If a posting originates from your account with a network service provider, you are deemed to be the publisher unless the contrary is proved. In simple terms, if a posting originates from your TM Unifi account, you are deemed to be the publisher. In the following scenarios, you are deemed to be the publisher unless you prove the contrary:-

(1) You have a home network with a few house mates sharing one internet account. You are deemed to be the publisher even though one of your house mates posts something offensive online.
(2) You have wireless network at home but you did not secure your network. You are deemed to be the publisher even though someone “piggybacks” your network to post something offensive.
(3) You have a party at home and allows your friends to access your PC or wireless network. You are deemed to be the publisher even though it was a friend who posted something offensive.
(4) Someone use your phone or tablet to post something offensive. You are deemed to be the publisher.

As for subsection (3), you are presumed to have published a content if you have custody or control of any computer which the publication originates from. Here, you are deemed to be the publisher so long your computer was the device that had posted the content. If someone “tweetjacks” you or naughtily updates your Facebook with something offensive, you are deemed to be the publisher unless you prove otherwise.

Clearly, it is against our very fundamental principal of “innocent until proven guilty”.

Position of intermediaries (e.g. platform providers)

Currently, many platform providers are vulnerable to be sued or charged in Court for what their users do. For example, an online forum owner would be liable for publishing defamatory statements made by their users pursuant to s. 114A of the Evidence Act 1950. Online marketplace operators may also be sued because their users sold counterfeit products.

It would be ideal for the Government to induce new laws to protect such platform providers but also the punish errant platform providers. For example, a one-strike or three-strikes rule. Under such proposed one-strike rule, an aggrieved person may file a complaint against the platform provider to remove certain postings. If the platform providers remove such posting within a specific time, the platform provider should be absolved from liability. However, if it fails to do so, it will be liable for the acts of its users.

S. 43H of the Copyright Act 1987 is a good example on how to deal with intermediary’s liable in respect of copyright infringement.

In this regard, the Sedition (Amendment) Act 2015, which is not in operation yet, should be repealed. The said amendment creates, among others, liability on website operators such as online forums, online news portals, and even Facebook page/ group owners. [Read http://foongchengleong.com/2015/04/bread-kaya-how-the-new-sedition-act-affects-netizens/]

Specific laws to govern blocking of websites or other electronic platforms.

All blocking orders should be made public and their detailed reasons to block websites. Currently, there is no public list other than one independently maintained by Sinar Project and reasons given are usually one-liners (e.g. in breach of s. 233 of the Communications and Multimedia Act 1998).

However, there could be specific websites which need not be reviewed due to national security issue, among others. As we all know, blocked websites can still be accessed via other means.

Blocking orders should also be made by the Courts rather than the arbitrary decision of the Minister. The current s. 263 of the Communications and Multimedia Act 1998 is used by the Ministry of Communications and Multimedia to direct internet service providers to block platforms in order to prevent the commission or attempted commission of an offence under any written law of Malaysia. In the past however, we have seen websites being blocked due to political reasons e.g. medium.com and bersih.org.

The Anti-Fake News Act 2018 and Sedition (Amendment) Act 2015 have provisions for websites to be blocked by way of application to the Court. All these blocking order sections and s. 263 of the Communications and Multimedia Act 1998 should be replaced with one single law to govern blocking of electronic platforms.

The law should also allow any person such as users of the platforms to challenge any blocking orders. When the previous Government decided to block medium.com, as far as I know, the site owners did not file any challenge in Court to unblock their website. Many netizens were denied access to informative and educational content from medium.com. There were no specific laws allowing them to challenge the block. They were also unsure if they could meet the threshold to file an action for judicial review.

Specific channels to allow litigants to obtain information about wrongdoers

In the present case, a person who wishes to obtain information about another person, for example another Facebook user who had defamed or harasses him, would need to go through a long and expensive process to obtain such information. Normally these wrongdoers will use platforms provided by foreign companies to attack another user.

It would be ideal if a straight forward process be made to such person to obtain such information. For example, filing a request to the Government for it to request the same from the platform providers.

SS. 211 and 233 of the Communications and Multimedia Act 1998

S. 233 of the Communications and Multimedia Act 1998 (which is similar to s. 211) has been used by the previous administration against dissent. The Bar Council has called for the repeal of Section 233(1)(a) of the Communications and Multimedia Act 1998 as it is a serious encroachment on the freedom of speech and expression guaranteed by Article 10(1)(a) of our Federal Constitution. I concur with the Bar Council on this.

However, I suggest that new laws be introduced to stop contents which can cause hatred and disturbance about certain individuals or organisations. We cannot have people sending fake messages which can cause a riot, for example.

Anti Fake News Act 2018

Many calls have been made to repeal the Anti Fake News Act 2018, which came into operation weeks before the 14th General Election. One person has been sentenced and many have been investigated for spreading fake news. Prime Minister Dr Mahathir Mohamad has confirmed that this Act will be repealed.

Notwithstanding such calls to repeal the law, I am of the view that there should be laws to curb the creation of fake news especially those created to stoke racial or religious sentiments. Note that s. 233 of the Communications and Multimedia Act 1998 requires a communication to target a certain person. Fake news may not necessary be targeting a certain person. It could target a race and a place, for example.

Revamp of the Admissibility of Electronic Evidence

Currently, almost every document printed by a computer is admissible under s. 90A of the Evidence Act 1950. This section should be examined to define clearly on what admissible and not admissible.

The Court’s electronic system should also be upgraded to allow the admissible of all forms of electronic media such as songs, videos and animated files. Currently, lawyers have to burn those evidence in a CD to be filed in Court. This defeats the open justice system where all Court proceedings are accessible to the public.

[Postscript] In addition, the Court’s file search system should also be updated. Currently it allows a user to conduct a file search for 30 minutes (per ticket) via its slow system. It loads page by page and one cannot download all the documents at one go. It should be revamped to allow a user to download the entire file with one single fee.

Laws to protect netizens

New laws should be introduced to criminalise cyberbullying, stalking and harassment. It is noted that this type of acts these days are not made directly against a person.

Government should also study the criminalisation of maintaining cybertroopers. Many organisations in the world including Governments use the services of cybertroopers to attack individuals. They would send threatening, harassing or annoying messages, posting private information of that individual and create fake content about that individual.

Lastly, what we need is meaningful and effectively consultation with the Government. The previous administration had basically shoved us with laws with little consultation. I remember when our #Stop114A team went to meet the then Deputy Minister of Law, V.K Liew, to hand in our petition to repeal s.114A, he said that the Bar Council needs professional advice. I trust that the new Government will make a wise choice in deciding the right people for the right job.


First published on Digital News Asia on 22 June 2018

SayaKenaHack.com and Privacy

Recently, tech blogger Keith Rozario created the website SayaKenaHack.com, a platform to allow people to check if they were affected by the data leakage of 46.2 million mobile phone subscribers. The website allowed users to key in their identity card number and the website will inform the users whether they are affected by the leakage. If they are affected, the website will yield a masked mobile number. Some users have complained that those masked numbers do not resemble their mobile numbers.

The Malaysian Communications and Multimedia Commission (MCMC), under s. 263 of the Communication and Multimedia Act 1998 (CMA), directed internet service providers to block the website SayaKenaHack.com on the ground that it had contravened s. 130 of the Personal Data Protection Act 2010 (PDPA).S. 263(2) of the CMA and s. 130 of the PDPA provide the following:

Section 263. General duty of licensees.

(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.

130 Unlawful collecting, etc., of personal data

(1) A person shall not knowingly or recklessly, without the consent of the data user-

(a) collect or disclose personal data that is held by the data user; or

(b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows-

(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data-

(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or

(ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or

(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if-

(a) he has collected the personal data in contravention of subsection (1); or

(b) he subsequently collects the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

In the Personal Data Protection Commissioner Khalidah Mohd Darus’s media statement dated 17 November 2017, the Commissioner stated that SayaKenaHack.com was blocked because it had contained personal data which had been collected without the consent of the data user pursuant to s. 130 of the PDPA. The Commissioner then advised members of the public to be vigilant when sharing personal data with others, among others.

Unfortunately, Keith Rozario decided to close SayaKenaHack.com upon being blocked. It would be interesting if he had filed an action to challenge the blocking order. So far, there is no reported case on anyone challenging a “blocking order” by MCMC in Court.

There ought to be checks and balances against such blocking order. Under the s. 10A of the Sedition (Amendment) Bill 2015, the Public Prosecutor must make an application to a Sessions Court Judge to direct an officer authorised under the Communications and Multimedia Act 1998 to prevent access to any seditious publication. Likewise, s 263 of the CMA should be amended to reflect such checks and balances.

I was interviewed by The Star, on my personal capacity (not on behalf of Bar Council, as earlier reported by The Star), on this issue. In The Star’s article dated 18 November 2017 entitled “SayaKenaHack.com only provides information, does not allow data download“, I was asked whether SayaKenaHack.com was in contravention of s. 130 of the PDPA. I replied:-

SayaKenaHack.com did not breach Section 130 of the Personal Data Protection Act 2010 (PDPA), says the Bar Council cyber law and information technology committee.

The committee’s co-chairman Foong Cheng Leong said the website was merely a platform for users to check whether their personal data had been leaked or breached.

“Currently, the Malaysian Communications and Multimedia Commission (MCMC) is blocking the website for breaching Section 130 of the PDPA for unlawful collection of personal data.

“If the website allows people to download the personal data of others, then it will be a violation of PDPA.

“Therefore, the website did not violate the PDPA,” he said when contacted yesterday.

In The Star’s article dated 31 October 2017 entitled “M’sia sees biggest mobile data breach“, I added:-

“..assuming that the leak was after the enforcement of the Personal Data Protection Act 2010, there might have been a breach of the Act’s Security Principle by the data users.

The Security Principle requires data users to process personal data securely, but there is not much customers can do other than file a complaint with the Personal Data Protection Commissioner

There may be a recourse against the telecommunication companies for negligence i.e. failing to ensure that the subscribers’ personal data are adequately protected. In an article dated 20 November 2017 in The Other, I said:-

For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”

Currently, a company is now being investigated for causing the said personal data protection leakage.

On a separate issue, in The Star’s article dated 26 November 2017 entitled “Going full force to enforce Act“, the Personal Data Protection Commissioner stated that 3 companies have fined for contravening the PDPA.

The Commissioner added that mobile applications are not required to be registered under the PDPA. But the operators must comply with the PDPA since they process personal data in commercial transactions.

I was asked to comment on this issue. I said:-

..an individual has a right under the PDPA to request a copy of the personal data processed by the data user.

“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.

“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.

Foong urges the public to always be aware of what companies will use their data for by reading the privacy policy.

“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.

 Scroll to top