Recently, tech blogger Keith Rozario created the website SayaKenaHack.com, a platform that allowed people to check whether they were affected by the data leakage of 46.2 million mobile phone subscribers. Users keyed in their identity card number and the website would tell them whether they were affected by the leakage. If they were affected, the website would display a masked mobile number. Some users complained that those masked numbers did not resemble their mobile numbers.
The Malaysian Communications and Multimedia Commission (MCMC), under s. 263 of the Communications and Multimedia Act 1998 (CMA), directed internet service providers to block the website SayaKenaHack.com on the ground that it had contravened s. 130 of the Personal Data Protection Act 2010 (PDPA). S. 263(2) of the CMA and s. 130 of the PDPA provide the following:
Section 263. General duty of licensees.
(2) A licensee shall, upon written request by the Commission or any other authority, assist the Commission or other authority as far as reasonably necessary in preventing the commission or attempted commission of an offence under any written law of Malaysia or otherwise in enforcing the laws of Malaysia, including, but not limited to, the protection of the public revenue and preservation of national security.
130 Unlawful collecting, etc., of personal data
(1) A person shall not knowingly or recklessly, without the consent of the data user-
(a) collect or disclose personal data that is held by the data user; or
(b) procure the disclosure to another person of personal data that is held by the data user.
(2) Subsection (1) shall not apply to a person who shows-
(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data-
(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or
(ii) was required or authorized by or under any law or by the order of a court;
(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;
(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or
(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.
(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.
(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).
(5) A person who offers to sell personal data commits an offence if-
(a) he has collected the personal data in contravention of subsection (1); or
(b) he subsequently collects the personal data in contravention of subsection (1).
(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.
In the Personal Data Protection Commissioner Khalidah Mohd Darus’s media statement dated 17 November 2017, the Commissioner stated that SayaKenaHack.com was blocked because it contained personal data which had been collected without the consent of the data user, contrary to s. 130 of the PDPA. The Commissioner also, among other things, advised members of the public to be vigilant when sharing personal data with others.
Unfortunately, Keith Rozario decided to close SayaKenaHack.com after it was blocked. It would have been interesting had he filed an action to challenge the blocking order. So far, there is no reported case of anyone challenging a “blocking order” by MCMC in Court.
There ought to be checks and balances against such blocking orders. Under s. 10A of the Sedition (Amendment) Bill 2015, the Public Prosecutor must make an application to a Sessions Court Judge to direct an officer authorised under the Communications and Multimedia Act 1998 to prevent access to any seditious publication. Likewise, s. 263 of the CMA should be amended to reflect such checks and balances.
I was interviewed by The Star, in my personal capacity (not on behalf of the Bar Council, as earlier reported by The Star), on this issue. In The Star’s article dated 18 November 2017 entitled “SayaKenaHack.com only provides information, does not allow data download“, I was asked whether SayaKenaHack.com was in contravention of s. 130 of the PDPA. I replied:-
SayaKenaHack.com did not breach Section 130 of the Personal Data Protection Act 2010 (PDPA), says the Bar Council cyber law and information technology committee.
The committee’s co-chairman Foong Cheng Leong said the website was merely a platform for users to check whether their personal data had been leaked or breached.
“Currently, the Malaysian Communications and Multimedia Commission (MCMC) is blocking the website for breaching Section 130 of the PDPA for unlawful collection of personal data.
“If the website allows people to download the personal data of others, then it will be a violation of PDPA.
“Therefore, the website did not violate the PDPA,” he said when contacted yesterday.
In The Star’s article dated 31 October 2017 entitled “M’sia sees biggest mobile data breach“, I added:-
“..assuming that the leak was after the enforcement of the Personal Data Protection Act 2010, there might have been a breach of the Act’s Security Principle by the data users.
The Security Principle requires data users to process personal data securely, but there is not much customers can do other than file a complaint with the Personal Data Protection Commissioner.
There may be recourse against the telecommunication companies for negligence, i.e. failing to ensure that the subscribers’ personal data is adequately protected. In an article dated 20 November 2017 in The Other, I said:-
For Malaysians looking for legal recourse in light of the mass data breach, Foong Cheng Leong, a lawyer specialising in cybersecurity law, says it is possible. “If they have the evidence to show that the telco was the source of leak and they had been negligent.”
A company is currently being investigated for causing the said personal data leakage.
On a separate issue, in The Star’s article dated 26 November 2017 entitled “Going full force to enforce Act“, the Personal Data Protection Commissioner stated that three companies had been fined for contravening the PDPA.
The Commissioner added that mobile applications are not required to be registered under the PDPA, but their operators must nonetheless comply with the PDPA since they process personal data in commercial transactions.
I was asked to comment on this issue. I said:-
..an individual has a right under the PDPA to request a copy of the personal data processed by the data user.
“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.
“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.
“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.