malaysia privacy law

How much information can be revealed with your IC number?

I was asked by Malaysiakini to comment on the availability of a person’s identity card number to other members of the public, particularly, by the Government to the members of the members of the public.

Open data convenient for public to access

In Malaysia, it is not difficult to obtain another person’s IC number as it is needed for various forms issued by the public and private sectors. It might even be on display on a company’s working pass for employees. Now, even despatch riders ask for an IC number to confirm the identity of the consignee.

Another lawyer, Foong Cheng Leong, said the government’s stand on the matter seems to be to allow free access to others’ data for certain purposes based on the personal data published on government websites.

“Take traffic summonses as an example, banks or potential second-hand car buyers can check if a vehicle has pending summonses,” he noted.

Foong, who is the former co-chairperson of the Bar Council Ad-Hoc Committee on Personal Data Protection (2013 to 2016), said many companies also rely on public information on these websites to work. For example, a lawyer can verify whether someone’s name and IC number are correct.

“Open data websites are convenient for the public and companies, they can get information without paperwork and without the hassle and cost of writing to the relevant departments, which usually takes some time. This may free up time for government agencies to do other work,” he said.

Multi-factor authentication for protection

Several experts have suggested that a multi-factor authentication system and accounts registration be implemented to better protect privacy.

Meanwhile, Foong said it is difficult to strike a balance between privacy and the right to information, but there should be some barriers such as registering an account with full details or paying a fee before getting access to data.

“The rule of thumb is that if one submits to do something of a public nature e.g. conduct business, sue in court, certainly his or her personal data should be made public to ensure transparency or to protect the public.

“This is so the person is traceable if they commit fraud,” he added.


I was interviewed by BFM Radio to talk about invasion of privacy in Malaysia and the podcast was published on 27 April 2016.

On March 21th, a six-person jury awarded Hulk Hogan, the stage name of retired professional wrestler Terry Bollea, $140 million in civil damages for a sex tape that gossip website Gawker published in 2012. In doing so, the jury believed that Hulk Hogan’s privacy was violated as the tape was made and distributed without his permission. How far can public interest encroach into privacy rights? Lawyer Foong Cheng Leong explains how such a case would play out in a Malaysian court.

Malaysia Personal Data Protection Act to come into force Jan 1

The Star Newspaper reported that the Malaysian Personal Data Protection Act 2010 will be in force on 1 January 2013.

However, at the time of publication of this blogpost, the date of enforcement has not been gazetted in the Government Gazette.

It’s alarming that the Deputy Minister has taken the view that consent to process personal data must be express and cannot be implied or assumed. It is certainly impractical to obtain express consent for all sorts of commercial transactions. For example, when someone visits an eCommerce website and transacts on the website, the website owner must obtain express consent for each personal data collected from the user. This may be some form of pop up or option for the user to click before he can proceed further. Imagine this popup and option appearing everytime new data is collected. Some data are collected in the background in order for the website to work. It’s disruptive to both the owner and user.

Another example is when data is passed to a service provider of the data user for the former to provide services to the data subject. Assuming express consent is required, the service provider will need to approach the data subject for consent. Data subject will have a lot of calls asking for consent!

I hope that the Commissioner will take a different approach ie by recognising implied consent.

BFM Podcast: Msia I Can Series: The Right To Your Privacy

This is my podcast from my live radio interview on BFM Radio Station.

As part of our series, Msia: I Can in collaboration with Loyar Burok to encourage awareness of rights amongst citizens, we will be examining the right to privacy. In a society with extremely communal tendencies, the right to privacy is rarely discussed. As adolescents we submit to the right of our parents to invade our lives, and as adults we submit to the authorities. Where should we draw the line? Foong Cheng Leong, privacy law expert joins us to explain our inherent right to keep our business to ourselves, and its limitations in Malaysia.

Your browser does not support native audio, but you can download this MP3 to listen on your device.

Personal data still open to abuse


The Personal Data Protection Act (PDPA) offers some semblance of information privacy but it will not address other important aspects like non-commercial use of data or territorial or bodily privacy.

DATA protection law expert Prof Abu Bakar Munir waved a list that contained 600 names, identity card numbers, addresses, phone numbers of house owners, addresses of the property they own, the selling price, how much has already been paid, and details of the housing loans.

One of his students had bought the list from a developer and passed it to him.

“The selling and buying of data is still very rampant here,” he told a public forum on privacy and personal data protection organised by the Centre for Independent Journalism.

Abu Bakar: ‘There is a need for banks to re-look their privacy policy and make sure it is in line with the data protection law, international practices and standards’
For a few ringgit more, data of those living in elite areas is also available.

You don’t have to look very far either to get your hands on people’s personal data. One local newspaper carries a blatant advertisement on data for sale in its classifieds almost daily.

The ad reads: “We have more than one million Malaysia updated e-mail & phone list to boost up your business. 10,000 e-mail list for RM200 & 1,000 phone list for RM200.” The ad carries the mobile numbers of a Mr Goh and a Mr Yap for those who are interested.

Two years ago, the going price for that 1,000 phone list in a similar ad was RM100.

And, says Sonya Liew, co-deputy chairperson of the Human Rights Committee of the Bar Council, if you pay a private investigating agency RM3,000 and give the full name of a person, the agency will be able to give you details of that person’s bank accounts, including the types, numbers, and balance in the accounts “down to the last sen”, plus his home address!

Under the Personal Data Protection Act (PDPA), which was passed and gazetted last June, selling a customer’s personal data or using it for commercial gain for a different purpose other than what it was collected for, without the person’s consent, is an offence.

This makes direct marketing a clear violation under the Act if it is done without the person’s consent.

Those convicted of committing the offence can be fined up to RM200,000 or jailed for up to two years or both.

Many should breathe a sigh of relief knowing that banks or companies would no longer be able to use their personal data to make unsolicited calls to sell insurance and other products and services.

But you have to be on the lookout for the fine print!

For example, a local bank here recently put up its client’s charter stating that it fully complies with regulations of the PDPA.

But there is a catch, as it goes on to add: “We will not use your personal information for our own marketing purposes IF you inform us that you object to this practice.” That, in effect, puts the onus back on the customer.

Universiti Malaya law lecturer Prof Abu Bakar, who has done research on banking and data protection, has found numerous cases where banks state in their privacy policy statement that a person’s personal data is the bank’s property and they are free to use, copy, publish or transmit the information at their discretion for any purpose.

These banks would state in fine print that a person’s data can be used by that bank or its related companies to research, launch, promote or market existing or other banking and financial services and products of the bank, related companies or selected parties, while some others state that they can give the information to third party vendors, advertisers, affiliates or relevant third parties, he says.

And how many people read the fine print when opening an account?

“It’s very unfair to customers. How can banks say that the customers’ data is their property and they can use, transfer or pass on the data for whatever purpose to third parties? That is not right and not in line with the data protection law,” he stresses.

“There is a need for banks to re-look their privacy policy and make sure it is in line with the data protection law, international practices and standards. The onus should really be on the bank.”

With the PDPA, when a person gets phone calls from people trying to sell him stuff, he can complain to the PDPA Commissioner stating that someone got hold of his data without his consent and it is causing him distress. It is then up to the Commissioner to investigate.

Unchecked abuse of data

But the problem right now is that a Commissioner has not been appointed yet, so the Act cannot be enforced and the sale and abuse of data continues unabated, unchecked and unpunished.

Prof Abu Bakar points out that the sale of data has serious ramifications.

“It’s a breach of privacy of the individual. If someone managed to get hold of a data list, he can always contact the individuals in the list for whatever purpose.”

There are other limiting aspects of the PDPA, one of which is that it applies only to “commercial transactions”. This means that if a person’s personal data such as intimate photos of himself, his marital status, home address, mobile number, etc., are disclosed, distributed and transferred for no commercial gain, he has no grounds under the PDPA to seek redress.

Prof Abu Bakar was instrumental in advising the government and helping them develop the PDPA. But even for him, the law falls short and he is “not quite satisfied” that the Act does not apply to non-commercial activities, that the Federal and state governments and their agencies are excluded, and that the yet-to-be appointed Commissioner would not be independent.

Under the Act, the Commissioner is answerable to the Information, Communication and Culture Minister.

“The problem with this is that the Commissioner may not be able to enforce the act effectively without fear or favour unlike in other countries. In other countries, the Commissioner is not accountable to the minister but is directly accountable to Parliament.”

According to Prof Abu Bakar, these Commissioners compile annual reports which are tabled in parliament and made available to the general public. Everyone can have access to the report, he says. “Basically, there is transparency.”

For Malaysia, he explains, under the PDPA, the Commissioner is not required to produce an annual report “but that doesn’t mean it can’t be done” and “ideally that should be the situation”.

As for the exclusion of the Federal and state governments from the Act, he believes Malaysia is the only country with a data protection act that excludes the public sector.

Some would argue that people should trust their government and the public sector not to sell or misuse their data.

“But can we trust the Government in this respect because they are the biggest collectors of data?

“Ideally, the act should cover everybody be it government or private entities,” Prof Abu Bakar insists.

The exclusion also raises interesting questions for the general public.

For example, if the police install CCTVs around Selangor and Kuala Lumpur to prevent snatch thefts and crimes and collect data from the CCTV for that purpose, what is to stop them from sharing this data with other state agencies like the Federal Territory Islamic Affairs Department and the Selangor Islamic Religious Department which could use the data to nab Muslim couples for vice, khalwat or other so-called immoral activities?

Being government agencies, the police and local religious authorities are not bound by the PDPA.

“I beg you not to blame me. I objected to this. I told the Government there should be no exemption and that the act should apply to federal, state governments, their agencies as well as charitable organisations,” Prof Abu Bakar told the public forum,

A discrepancy that is bound to crop up is the sharing of data between government departments and the private sector.

“We would have a situation where one party (private sector) will be governed by the Act and the other (public sector) that is not,” says Prof Abu Bakar.

He points out that some countries like Canada have a separate regime and regulations for the private and public sectors.

“It is acceptable to have a separate regime for private and public sectors which is on par with each other. But having a law that applies only to the private sector is not ideal and not in line with international norms.”

There are also serious implications when it comes to international trade, investments and agreements with other countries including the European Union, which is very particular about data protection.

The EU requires all its member states to have adequate Data Protection Laws. For trade with non-member countries, these countries must show they have adequate Data Protection Laws before the transfer of personal data is allowed. Prof Abu Bakar is thus concerned that the PDPA might not meet EU standards.

He believes the EU approaches the data adequacy requirement from two points procedural and substantive.

“For the procedural, the enforcement authority must be independent. But for ours, the Commissioner which is the enforcement authority is accountable to the minister, so we may fail on that ground.

“We may also fail when it comes to the substance because of the exemption given to federal and state governments and that the Act doesn’t apply to non-commercial activities,” he says, adding that these are his personal views.

He says there are two solutions to the problem.

One is to extend the scope of the law to cover the federal and state governments and agencies and the second is to have separate rules and regulations for the Government which is on par with the PDPA.

With the PDPA, there is a certain amount of protection for information privacy but when it comes to other aspects of privacy such as territorial privacy or bodily privacy, protection is sorely lacking.

The Bar Council’s Liew says the right to privacy is not expressly stated in the Federal Constitution and even judges themselves differ in opinion as to whether people have privacy protection.

“There is no specific legislation in the country that allows us to sue, for example, if our privacy is infringed in private areas like the bedroom or in our house,” she explains.

“If an individual comes with a video camera and starts to shoot me while I am in my toilet, and I find out but he’s not a data collector and is not doing it for a business, I can’t really sue him. There is no specific penal code to act on it.”

Similarly, if a voyeur films you in a public toilet or changing room and puts the video up on the Internet, even if you find out who he is, there is no direct act to deal with it.

And what if a neighbour puts a CCTV camera in front of his house but it also records who is going in and out of your house?

Citing the Lew Cher Phow case in Johor Baru, Liew says the court ruled that there is no such thing as privacy in Malaysia and that the CCTV camera was allowed.

Last year, Selangor Mentri Besar Tan Sri Khalid Ibrahim discovered a CCTV camera planted in his office. He would not be able to seek redress under the PDPA even if he knew who put the camera there unless he is able to show that the person made money or there was some commercial benefit in doing it.

As for bodily privacy, Liew stresses that the DNA Identification Act impinges on that.

“If I am suspected of stealing a toothpick, the police now have a right to swab my saliva for DNA.”

She says that while Malaysia now has fixed rights for information, there is a need to look at fixed rights for territorial and bodily privacy especially when government agencies are excluded from the Act.

The case of Mazlinda Ishak, a GRO who was detained during a raid on a club in 2003 is a case in point. She needed to ease herself but was refused permission by the authorities and told to urinate in the truck.

When her friends used a shawl to shield her while she eased herself, a Rela officer rushed in, pulled the shawl away and took photos of her.

This is a clear case of invasion of privacy. Although she went to court and won damages for the wrongdoing, there is no specific act to seek redress.

“We really need the Privacy Act to tie up loose ends,” says Liew.

For Prof Abu Bakar, with the PDPA at least one aspect of privacy, that is informational privacy, is covered.

“Having something is better than nothing,” he says.

Source: The Star

What happened to Teoh Beng Hock’s Right to Privacy?

First published on LoyarBurok

This is perhaps one of the many issues raised in the Teoh Beng Hock Royal Commission Report (“TBHRCI”) that did not receive wide attention. I have read a few commentaries on TBHRCI but I did not see anyone raising the issue of privacy in the interrogation of Mr Teoh Beng Hock (“TBH”). But as an advocate of privacy rights in Malaysia, I thought it would be pertinent for me to raise this.

When I first read the TBHRCI, the first thing that caught my eyes is that the investigators of the Malaysian Anti-Corruption Agency (“MACC”) had forced TBH to reveal his password to his personal email.

I was shocked. Isn’t TBH merely a “witness”? How can a witness be forced to give his password to investigators? What happened to his right to privacy? (On the right to privacy in Malaysia, please read my earlier article here.)

The background to this invasion can be seen in paragraph 42 of the TBHRCI where the Commission stated the following:-

[42] Another important aspect of this “interview” is that both these officers extracted from TBH the password to his private email account, a matter which vexed TBH very much, causing him great concern and distress. We will discuss this later in this report.


Later at paragraph 48 of the TBHRCI,

[48] TBH, according to Lee, complained that MACC officers had taken away his mobile phone and laptop. He also lamented that he should not have disclosed to the officers his password to his email account….


We all know that password to our personal email is sacred. Our personal email may contain all sorts of private information such as banking, financial or health information, private conversations and even intimate photographs. It may not only contain one’s private information but also private information of others. Allowing another person to have our password is akin to giving that person keys to our private life. What people do in the private lives is none of our business.

Further, many internet users use the same password for various accounts. One password can be used to access many account to avoid memorizing many passwords.

However, request for password to private email is not new. Recently, Malaysian Blogger Hanief complained that the Malaysian Communication and Multimedia Commission compelled him to reveal the passwords to his email, Facebook account and Blogger account when he was investigated for publishing a defamatory blog posting. In his own defence, Hanief stated that the defamatory article is available on his blog and there is no reason for him to reveal his passwords.

In view of the TBHRCI, such practice must be carefully exercised. In paragraph 155, the Commission criticized the interrogators’ action:-

[155] Another aspect of this interrogation of concern was the ability of Arman and Ashraf to extract from TBH his password to his private email account. To many of us, this may be equivalent to disclosing our pin number of our ATM card. At least in the case of an ATM card, the extractor may be allowed to withdraw a limited amount of our money at any one time before such unauthorised access is reported. But in the case of an email account, all our personal information and data would be exposed immediately and permanently. This is a gross violation of a person’s right. TBH would have been very disturbed over this and his disappointment and regret in divulging his password to Arman and Ashraf was further mirrored in his conversation with Lee.

[156] We are of the view that this regret and concern of TBH over these matters remained festering with him. An indication of this could be seen from his behavior when his statement was being recorded by Nadzri. This was further reflected in his being silent and being deep in thought when he met Tan Boon Wah near the toilet. Instead of being excited and surprised to see a fellow in a similar distressful situation, he maintained a distance and was virtually silent.


In fact, the TBHRCI has attributed TBH’s “suicide” to this invasion of privacy. In paragraph 220, the Commission stated that:

[220] Another factor which had serious implications on TBH was the surrendering of his laptop to the officers of the MACC, and worse than this was being forced to divulge to the MACC officers the password to his email account. As this held the key to many things private, TBH must have felt that his privacy was violated under duress, and the secrets to his life were in the open. This was a gross violation of TBH’s person right, which would have compounded his anxiety and worry.


The TBHRCI provided recommendation for the MACC to implement due to TBH’s case. Unfortunate, there is no specific recommendation by the Commission on such practice. The best we could rely on is the recommendation for powers of search.

However, search on a premise is very different from a search on a person’s private email and also electronic data. A search on a house may not reveal as many information as a search on a person’s personal computer. It is opening a whole new can of worms. In the Canadian case of R v Cole, 2011 ONCA 218, it was held that “searching a computer that is used for personal purposes is potentially among the most invasive of searches”.

There are many things that one would not want the world to see and it includes details belonging to others. For example, in Edison Chen’s case, the intimate photographs of his partners were spread around the internet after he had his laptop sent for service. These photographs now can be considered to have entered public domain and no amount of work can remove them from the public domain.

In view of the aforesaid, special attention must be given to search on electronic data. A party granting such search must carefully weight the individual reasonable right to privacy and public interest. If there are other means of obtaining information, such search should not be conducted.

If the owner specifically requests that certain portion of the computer be restricted, such request must be considered.

Also, whether there can be search to electronic data should be left to the Courts. In R v. IRC, Ex P Rossminster [1980] AC 952, Lord Wilberforce stated that:-

The courts have the duty to supervise, I would say critically, even jealously, the legality of any purported exercise of these powers. They are the guardians of the citizens’ right to privacy. But they must do this in the context of the times, ie, of increasing Parliamentary intervention, and of the modern power of judicial review.


Perhaps an exception can be given if is a real and present belief that failure to act will result in the destruction or loss.

Guidelines and standard operating procedures on electronic data search should be issued. Officers must be educated on the right to privacy of all Malaysians. No forceful entry should be made by them. Information wrongly obtained through this practice must be deemed inadmissible in Court.

On the other hand, private sectors, who hold our personal information, should play a role in protecting all Malaysian’s privacy. For example, internet or web hosting service providers should restrict the access of personal information of customers by any Government authorities or other individuals.

I must state that nothing in this article prohibits the access of electronic data. There are circumstances that should justify the access to one’s electronic data. As an extreme example, the police should be allowed to access private emails of a kidnapper, who they reasonably believe based on credible information, which has information of the whereabouts of his victim.

TBH’s case reveals the sad stage of our right to privacy. Every Malaysian, including those in power or given power, should be concerned with how their own privacy is being treated.

I am sure TBH would still be distressed if the MACC interrogators still have access to his private email – if only he is still alive today

Lew Cher Phow @ Lew Cha Paw & Ors v Pua Yong Yong & Anor

First published on 10 March 2010

(Johor Bahru High Court Suit No. MT4-22-510-2007)

In this case, the Plaintiffs and the Defendants were neighbours. The High Court had dismissed an application by the Plaintiffs who applied for an order for interlocutory injunction to restrain the Defendants from installing any CCTV cameras at the Defendants’ house which faced the Plaintiffs’ house as well as also for an order to compel the Defendants to remove their CCTV cameras that were installed facing the Plaintiffs’ house.

The Plaintiffs alleged that the act of the Defendants installing the CCTV cameras had intruded their livelihood and daily activities. The Defendants on the other hand alleged that the CCTV cameras were for security reasons as their house had been intruded before and also that the CCTV cameras only showed the Plaintiffs’ house as background.

The grounds given by the High Court in dismissing the Plaintiffs’ application are, among others, as follows:

(a) there is no evidence to show that the CCTV cameras intruded the livelihood and daily activities of the Plaintiffs. Further, there is no evidence in the Plaintiffs’ affidavit to show that the CCTV cameras recorded the Plaintiffs’ activities.

(b) the Defendants are entitled to install CCTV cameras for security and safety purposes.

(c) if the interlocutory injunction is granted this will bring a legal implication to the general public especially when CCTV cameras are installed at residential and commercial premises to protect the safety of the general public.

(d) there is no right of privacy in Malaysia thus the Plaintiffs do not have the right to institute an action against invasion of privacy rights.

 Scroll to top