Seksyen 114a

Netizens v the Government

2012 saw the intensified battle between netizens and the authorities. The former desires protection of their right to freedom of expression and anonymity whereas the latter desires control and governance. Through this battle, the authorities introduced many new legislations to govern the use of internet.

In July 2012, the Malaysian Government enforced s. 114A of the Evidence Act 1950 (114A). Under 114A, a person is deemed to be a publisher of a content if it originates from his or her website, registered networks or data processing device of an internet user unless he or she proves the contrary. This new law sparked a massive online protest dubbed the Malaysia Internet Black Out Day or also the Stop114A. Protesters replaced their Facebook and Twitter profile picture with the Stop114A banner whereas website operators displayed the Stop114A banner on their websites. Within two days, the Stop114A Facebook gained 43,000 likes from 400 likes (currently 49,000). It is probably one of Malaysia’s most successful online campaigns.

On the business side, the Association of the Computer and Multimedia Industry of Malaysia (Pikom), who represents the information and communications technology (ICT) industry in Malaysia, backed calls for a review of 114A whereas the Federation of Malaysian Manufacturers (FMM) has expressed concerns over the recent inclusion of 114A and its impact on businesses.

Interestingly, the Malaysian Government passed the Cyber Centre and Cyber Cafe (Federal Territory of Kuala Lumpur) Rules 2012 and Consumer Protection (Electronic Trade Transactions) Regulations 2012. The former requires any person operating a cybercafé and cyber centre to maintain a customer entry record and a record of computer usage for each computer whereas the latter requires online business owners and operators to provide their full details, terms of conditions of sale, rectification of errors and maintenance of records.

Philippines netizens also protested against their newly introduced cyberlaw. In October 2012, Philippines passed the Cybercrime Prevention Act of 2012 with the aim to prevent cybersex, online child pornography, identity theft and spamming. However, under the new act, a person found guilty of libellous comments online, including comments made on social networks such as Facebook and Twitter or blogs, could be fined or jailed. In protest against the new law, anonymous activists hacked into government websites, journalists have held rallies and many Facebook users have replaced their profile picture with a black screen. Protesters say the new law could be used to target government critics and crack down on freedom of speech.

Japan netizens on the other hand had milder protest against a new law that makes Japan-based internet users who download copyright infringing files. Violators will face up to two years in prison or fines of up to two million yen. In July 2012, about 80 masked people, calling themselves allies of the global hacker group Anonymous, picked up litter in Tokyo Saturday as a sign of protest.

In early 2012, China required users of the popular microblogging platform, Weibo, to register their real names. Subsequently, later in the year, China legalized the deletion of posts or pages which are deemed to contain “illegal” information and required service providers to hand over such information to the authorities for punishment.

On a brighter note, the South Korean Constitutional Court ruled that a law requiring South Koreans to use their real names on Internet forums was unconstitutional. The Court said that the requirement amounts to prior censorship and violated citizens’ privacy.

In the United States, a handful of US states, including Illinois, California and Maryland, passed laws making it illegal for employers to ask for potential employees’ Facebook or other social media passwords.

A person who retweets a defamatory tweet is potentially liable for defamation. In the UK, Lord McAlpine (Robert Alistair McAlpine) a former politician who worked for Margaret Thatcher, announced his intention to pursue action against 10,000 Twitter users for defamation including those who had retweeted the defamatory tweets. In this case, Lord Alphine was linked by some social media users after BBC News reported that a senior politician was involved child sex abuse. Interestingly, these users may apologize to Lord McAlphine by completing a form downloadable from his solicitors’ website!

In the UK, it is an offence to publish the identity of victims of certain offences which include rape. Footballer Ched Evans was convicted by the Court for rape of a 19 years old woman. The woman’s name was circulated on social networking sites, including Twitter and Facebook, after Evans’ conviction. 9 people were fined after admitting to revealing online the identity of the woman.

Meanwhile back home, the Kota Kinabalu High Court overturned Rutinin Bin Suhaimin’s acquittal for posting an “annoying” comment on the Sultan of Perak’s website. Rutinin was charged under s. 233 of the Communications and Multimedia Act 1998. The Sessions Court had earlier acquitted him without calling for his defence because, among others, the prosecution failed to prove that Rutinin was the person who posted the insulting comment. The Court held that, although 114A of the Evidence Act 1950 is not applicable because the alleged offending act was committed before the enforcement date of 114A, the circumstantial evidence is sufficiently strong to conclude that the accused had used the internet account that was registered in his name at the material time.

The developments in 2012 show the involvement of the authorities in clamping down the notion of the Internet being the Wild, Wild West. However, such clap down must be monitored by netizens.

In December 2012, the International Telecommunication Union (ITU) brought together regulators from around the world to re-negotiate a decades-old communications treaty. Google and 1000 over organizations around the world claimed that some governments want to use the closed-door meeting to increase censorship and regulate the Internet and had started an online campaign.

At the end of the closed-door meeting, 89 countries including Malaysia signed the treaty, while 55 countries said they would not sign or that additional review was needed.

With the new technology, websites and novel functions, all Governments will have to step out their game to protect the rights of netizens and businesses. New laws must not be onerous but in the same time protect victims of cybercrimes and preserve the right of freedom of expression.



This article was supposed to be published in the Putik Lada of The Star Newspaper. It was also supposed to be the 2013 installation of my yearly social media update articles. Unfortunately, The Star Newspaper discontinued the Putik Lada column before my article could be published.

GE13 Candidates and 114A

Published on LoyarBurok on 16 April 2013.



I am no expert in election laws but GE13 Candidates should take note of this. If you are running a blog, I suggest you moderate or close the comments section until and after the 13th General Election.

The reason why I say so is because s.114A(1) of the Evidence Act 1950 and the Election Offences Act 1954. S. 114A(1) provide the following:

“A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host, administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”.
In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content unless you prove otherwise.

Also, if you have in any manner facilitated to publish or re-publish the publication, you are presumed to have published the content of the publication.

This means that website owners are deemed to be publishers of contents of a publication although the author of the publication is someone else.

Further, it is not possible for website owner to prove that he is not a publisher due to the wording of the section i.e. the words “in any manner facilitates to publish or re-publish the publication”. By providing a virtual platform, the website owners facilitate to publish or re-publish a publication.

In this regard, you will potentially commit an election offence if someone posts a comment which falls within the scope of corrupt practice. If found guilty of an election offence, the election of a candidate will be declared void (s. 32 of the Election Offences Act 1954).

What I have mentioned is not without basis. A similar scenario had happened after the 12th General Elections. In Kho Whai Phiaw v Chong Chieng Jen (Election Petition No.: 26-01-2008-I), an elector in the Bandar Kuching constituency presented an election petition to have Mr. Chong Chieng Jen’s (representative of the Democratic Action Party (DAP)) election declared void.

The elector sought to have Mr Chong’s election avoided on the ground that the latter had engaged in the corrupt practice of (i) undue influence and (ii) bribery, to procure his victory in the election. The elector alleged, among others, that a letter from one Mr Smith published on the comment section of Mr Chong’s blog site is said to contain certain threatening statement. The elector alleged that Mr Chong had exercised undue influence over the non-Muslim voters in the Bandar Kuching constituency through Mr Smith’s letter appearing on his blog site.

Fortunately for Mr Chong, the High Court held that Mr Smith’s letter was posted by one commentor by the name “Responsible Christian Voter” (‘RCV’). Mr. Smith was the author of the letter and it was RCV who published that letter through Mr Chong’s blog site. The Court held that Mr Chong is therefore not the publisher of the letter. The case is later upheld by the Federal Court. (see Kho Whai Phiaw v Chong Chieng Jen [2009] 3 CLJ 201)

But Mr Chong’s case is pre-114A case. If s. 114A applies, Mr Chong is considered as the publisher of the letter as his blogsite had facilitated the publication of the letter. Mr Chong could potentially commit an election offence if 114A applies. That is the effect of 114A. It creates liability on a virtual platform provider.

This, of course, is not tested in our Courts yet. One may argue that it is the blogsite provider (e.g. Google who owns Blogger.com) but this is only provided that such blog is hosted by such blogsite provider.

Nevertheless, as an abundance of caution, GE13 candidates should close their blog comments section to avoid such actions. Interestingly, Mr Chong’s blogsite has closed its comments section.

A Facebook Page is also another concern. It may be arguable to say postings made by users on a Facebook page is not published by the Facebook page administrator as it appears on a separate page. (Illustrated below).

However, Facebook comments appearing together with the postings by the Facebook administrator (illustrated below) is different. It is arguable that such comments are published by the Facebook page owner.

With this risk of having an election declared void, I hope that the new Parliament will relook into 114A when it convenes in the future.

It’s time to #stop114A.

PDPA: Businesses have responsibilities and burdens

I was invited to contribute to a monthly column in Digital News Asia which I named it as Bread & Kaya. The column will have legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

My first article “PDPA: Businesses have responsibilities and burdens” was published on 31 December 2012.



Dec 31, 2012

  • PDPA comes into force Jan 1, 2013, and companies have three months to comply
  • Many have waited, and now may not have enough time to processes in place
  • Bread & Kaya by Foong Cheng Leong

    WELCOME to the inaugural Bread & Kaya column! The term is a Malaysianized version for bread-and-butter. This column aims to be your bread-and-kaya serving of legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

    You may have read some of my articles in The Star’s Putik Lada column or in LoyarBurok. If this is the first time you’re reading my articles, “Hello.”

    Without a doubt, 2013 will be an interesting year for businesses. Many new laws and regulations will be introduced, and the Personal Data Protection Act 2010 (PDPA) is one of them.

    It was reported that the PDPA would come into force on Jan 1, 2013. Businesses have three months from the date of enforcement to comply with the Act. Similarly, Singapore will have its own Personal Data Protection Act 2012 coming into force on Jan 2, 2013.

    Notwithstanding the reported enforcement date of Jan 1, 2013, there is no official government gazette confirming this as I write this column. Thus, the PDPA would still not be in force until such a government gazette is published.

    What is the PDPA?

    The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.

    A person who processes personal data is called a data user. Companies processing individual customers or employees’ personal data must comply with the PDPA.

    Under the PDPA, a data user, in processing personal data, must comply with the following principles:

    (1) General Principle;
    (2) Notice and Choice Principle;
    (3) Disclosure Principle;
    (4) Security Principle;
    (5) Retention Principle;
    (6) Data Integrity Principle; and
    (7) Access Principle.

    Failure to abide by any of the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300, 000 or to imprisonment for a term not exceeding two (2) years or to both (S. 5(2) PDPA).

    [RM1 = US$0.33]

    Under these principles, the collection and use of personal data must be consented to by the data subject and steps must be taken to ensure that the data is stored securely. The processing of personal data cannot be excessive in relation to the purpose or related purpose of which the personal data is collected.

    Adequate notice must be given to data subjects that their personal data will be processed, used, and the purpose of the same. Such notice must be in writing and in the Malay and English languages. Personal data no longer in use has to be destroyed.

    Further, personal data cannot be transferred outside Malaysia unless such a place is specified by the Government, consented to by the data subject, or is necessary for the performance of a contract between the data user and the data subject.

    The PDPA only applies to personal data processed in relation to “commercial transactions.”

    What do you need to do?

    If you are processing employees or individuals customers’ personal data, you are advised to, among others:-

  • Access how the PDPA affects your organization;
  • Prepare a privacy notice, in Malay and English, to be issued to potential and current employees or customers;
  • Prepare a Personal Data Policy to govern the processing and handling of personal data by employees;
  • Prepare a Retention Policy for employees or customers’ personal data and audit the personal data of previous employees or customers in order to dispose personal data that are no longer in use;
  • Establish a data access procedure for employees or customers to access their personal data;
  • Ensure that the storage of the employees and customers’ personal data is secure;
  • Ensure that personal data is only disclosed for the purpose in which the personal data is collected and not disclosed to unrelated parties;
  • Ensure that the relevant personnel such as Human Resource or customer relationship staff are adequately trained in data protection laws and practice;
  • Review data collection forms so that personal data is not collected excessively; and
  • Ensure that personal data are transferred overseas lawfully.
  • Consent

    The word consent is not defined in the PDPA. However, in early December 2012, Deputy Minister of Information, Communications and Culture Datuk Joseph Salang announced that “whenever consent is required for data processing, it’ll have to be given expressly rather than impliedly or be assumed.”

    This would mean that there must be some sort of active communication between the parties. For example, if a company wishes to obtain more information about an individual, the former would need to get the individuals’ express consent by contacting the individual.

    In this regard, all companies will need to ensure that all possible purposes for processing the personal data are set out before the collection of the data. Additional procedures may need to be established to ensure consent is captured.

    Express consent can be gained in a variety of ways — for example by filling in a form, ticking a box on a website, over the phone and face-to-face.

    Although express consent seems to give individuals added protection, this is not necessarily true. Malaysia’s restricted view on the definition of consent will have an impact on businesses and individuals. Additional cost will be incurred in establishing new procedures and practices such as new forms, storage, impact analysis and compliance exercises. Individuals may also be swamped with requests for consent from time to time, although the individual would ultimately consent.

    Companies will need to wait for individuals’ express consent before they can roll out new projects.

    To give an example on how the PDPA will affect business:

    Company X wishes to roll out a new security system to enter the office. The system utilizes the employees’ personal data as unique identifiers. In view of the express consent requirement, Company X will need to get the employees’ express consent to use employees’ personal data. If certain employees refuse to do so, such system cannot be fully utilized.

    In the event that a data subject disputes that express consent had been given, the data user will need to show that express consent had been given. Assuming that we adopt the implied consent regime, it is arguable that a data subject had implied consent to processing of personal data if the data subject uses the data user’s services.

    However, with express consent, evidence must be provided and this may be difficult, especially in electronic transactions.

    In such a case, Section 114A of the Evidence Act 1950 may be helpful to data users as it puts a presumption of publication by a person if his or her name appears on a particular content. The affected individual will need to prove that he did give express consent. This may be costly, highly bureaucratic and time consuming.

    Closing

    The PDPA is supposed to bring an end to unsolicited communication, but it will cause drastic changes to Malaysian businesses.

    Much valuable commercial data will be lost due to the PDPA. It is noted that many Malaysian industries had taken the wait-and-see approach. This is alarming considering that three months to comply with the PDPA will probably be not enough.

    The Personal Data Protection Department recently issued Malaysian Personal Data Protection Department’s Public Consultation No. 2/2012 entitled “Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees” which sets out the class of data users that is required to register with the Commission. [Click here to download].

    The release of such consultation paper is commendable. I hope that the Commission or the Personal Data Protection Department will issue more of these consultation papers and guidelines on the interpretation of the PDPA.

    Grave repercussions for internet users

    Published on LoyarBurok on 24 April 2012.

    Dissecting the presumption of fact relating to publication in the controversial new Bill.

    The Evidence (Amendment) (No. 2) Bill 2012 was one of the bills rushed and passed by the Parliament recently. Minister in the Prime Minister’s Department, Datuk Seri Mohamed Nazri Aziz, when winding up the Evidence (Amendment) Bill 2012, said the use of pseudonyms or anonymity by any party to do cyber crimes had made it difficult for the action to be taken against them. Hence, the Evidence Act 1950 must be amended to address the issue of Internet anonymity.

    The amendments introduced s. 114A into the Evidence Act 1950 to provide for the presumption of fact in publication in order to facilitate the identification and proving of the identity of an anonymous person involved in publication through the internet. In simple words, s. 114A introduces 3 circumstances where an Internet user is deemed to be a publisher of a content unless proven otherwise by him or her.

    Although it is stated that the amendment is to cover anonymous persons on the internet, the effect of the amendment is quite wide. You see, we, especially social media network users, generally do not use our real names on the Internet. We use nicknames and pseudonyms. Our home addresses do not appear on our account. We sometimes use fictional characters or even digitalized images of ourselves as our profile picture. All these are done to protect our own privacy. So, if none of my personal details appear on my account, does this mean I am anonymous? If someone’s identity cannot be directly ascertained from his account, I would think that he would be anonymous.

    The new s. 114A(1) states that “A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host , administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”. In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content. So, for example, if someone creates a blog with your name, you are deemed to have published the articles there unless you prove otherwise. If you have a blog and someone posts a comment, you are deemed to have published it. If you have a Facebook page and an user posts something on your wall, you are deemed to have published it!

    Subsection (2) provides a graver consequence. If a posting originates from your account with a network service provider, you are deemed to be the publisher unless the contrary is proved. In simple terms, if a posting originates from your TM Unifi account, you are deemed to be the publisher. In the following scenarios, you are deemed to be the publisher unless you prove the contrary:-

    (1) You have a home network with a few house mates sharing one internet account. You are deemed to be the publisher even though one of your house mates posts something offensive online.
    (2) You have wireless network at home but you did not secure your network. You are deemed to be the publisher even though someone “piggybacks” your network to post something offensive.
    (3) You have a party at home and allows your friends to access your PC or wireless network.You are deemed to be the publisher even though it was a friend who posted something offensive.
    (4) Someone use your phone or tablet to post something offensive. You are deemed to be the publisher.

    As for subsection (3), you are presumed to have published a content if you have custory or control of any computer which the publication originates from. Here, you are deemed to be the publisher so long your computer was the device that had posted the content. So if someone “tweetjacks” you or naughtily updates your Facebook with something offensive, you are deemed to be the publisher unless you prove otherwise.

    Admittedly, the amendments certainly saves a lot of the investigator’s time. It is very difficult to trace someone on the Internet. It will make prosecution for, among others, defamation, offences under the Communication and Multimedia Act 1998 and Computer Crimes Act 1997 and, election offences much easier. But it is not impossible to trace someone. There are many cases where perpetrators are caught and charged.

    I do not see the logic to deem someone to be a publisher. If an investigator is unable to trace the anonymous internet user, then why should the innocent Internet user take the rap? The onus of proof should always be on the prosecuting side. In the English case of Applause Store Productions Limited & Anor v Grant Raphael [2008] EWHC 1781 (QB), the claimants were awarded £22,000 in damages against Raphael, an old school friend, who had created a false personal profile of the claimants on Facebook. The claimants convinced the Court that Raphael was the person who created the fake profile even though he claimed that he had a party at his house and someone in that party created the account.

    In summary, the new amendments force an innocent party to show that he is not the publisher. Victims of stolen identity or hacking would have a lot more problems to fix. Since computers can be easily manipulated and identity theft is quite rampant, it is dangerous to put the onus on internet users. An internet user will need to give an alibi that it wasn’t him. He needs to prove that he has no access to the computer at that time of publication and he needs to produce call witnesses to support his alibi.

    Clearly, it is against our very fundamental principal of “innocent until proven guilty”. With general election looming, I fear this amendment will be used oppressively. Fortunately, the amendment is not in force yet. I strongly hope that the government will relook into this amendment.

     

     Scroll to top