Personal Data Protection Act 2010

Data of Malaysians born between 1940 and 2004 allegedly being sold for over RM40,000

I was asked by The Star to comment on the recent news about an alleged data leak containing the information of 22.5 million Malaysians born between 1940 and 2004, purportedly stolen from the National Registration Department (NRD).

I said-

Lawyer Foong Cheng Leong said the lack of transparency on investigations related to data leaks in Malaysia has been frustrating.

“There needs to be an account of how the matter is being investigated and what steps are being taken to ensure that the data is secure.

“The information could serve as a deterrent to others and show that there will be consequences for those leaking private information,” he said in a phone interview.

Foong urged fresh investigations to be conducted by the relevant agencies, including the Department of Personal Data Protection (JPDP), to discover if the leak was genuine.

When contacted, JPDP declined to comment at this point.

Foong said the data from the alleged leak could be used by scammers to dupe victims.

“For example, they could pose as an authority figure and present information such as your MyKad number or address to gain your trust.

“They will use this to convince you to give out more details or perform financial transactions,” he said.

Government Says Not Liable For Damages Over MySejahtera Data Use

I was asked by CodeBlue, a health care news portal, to comment on the recent debacle about MySejahtera App, particularly, on the disclaimer of MySejahtera’s terms and conditions. The term states-

DISCLAIMER
Government of Malaysia shall not be liable for any loss or damage caused by the usage of any information obtained from this Application.

https://mysejahtera.malaysia.gov.my/penafian_en/

Here is an extract from the article-

Intellectual property (IP) and information technology (IT) lawyer Foong Cheng Leong said the MySejahtera disclaimer does not allow the government to disclaim liability for negligence.

“This clause has no legal effect for damages and losses due to negligence claims,” Foong told CodeBlue. “Data breach is a form of negligence.”

He explained that the MySejahtera disclaimer means that the government cannot be held liable for loss or damages in incidents that do not involve negligence, such as wrongly reporting Covid-19 cases.

When asked if the government could be held liable, despite its disclaimer, if a private company somehow manages to get access to MySejahtera users’ personal data and uses it for marketing purposes, Foong replied in the affirmative, but said a data breach must first be proven.

He also pointed out that MySejahtera’s privacy policy merely states how the government treats one’s personal data on the app, but omits specifying its data retention policy, security measures, or government contractors handling the app. The only retention period mentioned by the app’s privacy policy relates to check-in data, which is 90 days, but nothing for other user data like personal details and medical and health information like Covid-19 diagnostics, close contact status, and blood pressure and heart rate readings.

“The privacy policy is scarcely explained.”

….

Foong said although the government may claim that MySejahtera data protection is in compliance with PDPA requirements (which the government is not legally subject to), the lawyer said the law just sets out the basics.

“Under the PDPA, the privacy policy has to be in a certain format, for example, describe what is collected, the purposes of collection, whether it’s obligatory to collect and if so, consequences for not providing those obligatory data. But no requirement to state what kind of security is provided, what is the retention time etc.”

In the intellectual property section of the App Store review guidelines for app developers, Apple requires app developers to ensure that their app “only includes content that you created or that you have a licence to use.”

This includes avoiding use of protected “third-party material such as trademarks, copyrighted works, or patented ideas” in the app. “Apps should be submitted by the person or legal entity that owns or has licensed the intellectual property and other relevant rights.”

Foong said this does not indicate that the Malaysian government, which is described on Apple’s App Store as the MySejahtera developer, owns the app and its IP.

“The app and content are different,” the lawyer said, adding that MySejahtera content includes things like user data, images, write-ups, charts, or source codes of the app.

The other side of tech

I was asked by The Edge Malaysia to comment on the collection of personal data by the Malaysian Government, particularly the data submitted by individuals in compliance with pandemic control related laws. I said-

Currently, the PDPA [Personal Data Protection Act 2010] does not apply to the government. This should be addressed, adds Foong Cheng Leong, a lawyer focusing on areas such as privacy and data protection laws.

“There should be a law governing how the government can process our information. Such a law should include the right to request the government to disclose what kind of personal data it has collected or is collecting,” says Foong.

“This request is, of course, subject to certain exemptions such as national security. The law should also make the government accountable for misuse of our information or negligent handling of our information.”

Other suggestions by the interviewees include data localisation laws, mandatory data breach notifications and laws that allow the public to request information from the government.

In addition, the following questions were posed to me but my answers were not featured in the article. I think it is beneficial for readers to know of the matters set out below.

1. Governments have been introducing contact tracing applications globally after the pandemic broke out. From location tracking to CCTV monitoring, these solutions are also putting people under surveillance more than ever. Concerns about data privacy and the surveillance state have already been present before — now, the pandemic has intensified this debate. What are your observations and thoughts about this? Should people be concerned?

At this juncture, the Government has represented that the information collected will only be for specific purposes, e.g. risk assessment, contact tracing and compliance with the movement control order and other related rules and regulations. Such purposes are specifically stated in the privacy policy of the MySejahtera App at https://mysejahtera.malaysia.gov.my/privasi_en/. It even expressly declared that

“The Personal Data collected will not be used for any purpose other than those mentioned above, unless if required in order to comply with any legal obligation”.

However, the Government stated that they may change the terms of the privacy policy and any changes will be updated on that website. This is a cause for concern as the privacy policy may be changed to include other purposes. For example, the application may be updated to, among others, track your movement, which can be used to corroborate certain data. The traffic department may track if you are within a certain locality.

2. At the same time, smart city solutions that use facial recognition CCTVs, smart policing, digital IDs are becoming more prevalent. Should we be concerned? What are the risks?

If it is managed in a proper manner and only for the purpose for which it is implemented, there should be little cause for concern. For example, if the CCTV is implemented for the purpose of prevention of crime, then any personal data collected should be used for that purpose only. Such personal data cannot be used for, among others, sale to third parties for targeted advertising, issuance of fines by local authorities, etc.

Personal profiling is also a cause for concern. Personal profiling can happen when one merges various data from other sources into one single dataset. For example, data collected from the traffic cams, social media profiles, police reports, the list of properties from the land office, and income tax information are all merged into one single data set by the Government and updated whenever there is new information. Quite clearly no one wants their personal life intruded upon in this manner. Further, there is cause for concern if there is data leakage or misuse by third parties.

3. At the same time, we want more convenient services — enabled by technology — from the government, whom we also expect to protect us. How can we strike that balance? Is it possible? 

There can be no perfect balance. However, steps can be taken to strike this balance, and these include legislating how the Government should manage our information. Currently, the PDPA does not apply to the Government. There should be a law governing how the Government can process our information. Such a law should include the right to request the Government to disclose what kind of personal data they have collected or are collecting. This request is, of course, subject to certain exemptions such as national security. The law should also make the Government accountable for misuse of our information by them or negligent handling of our information.

The Government should also hold regular consultations with the relevant stakeholders to see how citizens’ information should be processed and how it could also ease business processes. The Government must take into account the business sectors’ needs as well. For example, a prudent lawyer would always ensure that the party that they are suing is the correct party. The National Registration Department should give leeway to lawyers to obtain such information quickly and with ease. However, the current procedure implemented by them is too stringent as they require, among others, the submission of Court documents to prove that such information is required.

4. What can be done in Malaysia to prevent the overreach of surveillance technology? For instance, tightening the PDPA, being mindful of what technology providers we use etc. 

We should be concerned with the risk of data leakage or unauthorised disclosure, especially out of Malaysia. For example, a surveillance device from a foreign country may masquerade as a mobile phone. The user’s data, including his biometric information (e.g. fingerprints), personal photographs and other persons’ personal data, may all be disclosed to these third parties.

Fortunately, many electronic devices imported or released to the country must obtain the Malaysian Communications and Multimedia Commission’s approval. The Government will need to do a thorough examination of these devices before they can be made available to members of the public and trade.

Another law that we require is a data localisation law. This means that certain personal data should only be stored in Malaysia and not transferred to another data server outside Malaysia. This could also pave the way for more data centres in Malaysia.

5. What is your advice to Malaysians?

Malaysians must be vocal about how their personal data is processed, whether by the Government or by the private sector. They should voice their concerns if one of these bodies is collecting unnecessary personal data. They should also push for laws to protect themselves instead of relying on the Personal Data Protection Commissioner to do the prosecution and investigation. Perhaps an ombudsman like the Consumer Tribunal should be introduced by the Government to allow Malaysians to file their complaints directly with the ombudsman and have the matter heard before the ombudsman. It should have the power to call upon any witnesses and punish those who disobey.

How much information can be revealed with your IC number?

I was asked by Malaysiakini to comment on the availability of a person’s identity card number to other members of the public, particularly its disclosure by the Government to members of the public.

Open data convenient for public to access

In Malaysia, it is not difficult to obtain another person’s IC number as it is needed for various forms issued by the public and private sectors. It might even be on display on a company’s working pass for employees. Now, even despatch riders ask for an IC number to confirm the identity of the consignee.

Another lawyer, Foong Cheng Leong, said the government’s stand on the matter seems to be to allow free access to others’ data for certain purposes based on the personal data published on government websites.

“Take traffic summonses as an example, banks or potential second-hand car buyers can check if a vehicle has pending summonses,” he noted.

Foong, who is the former co-chairperson of the Bar Council Ad-Hoc Committee on Personal Data Protection (2013 to 2016), said many companies also rely on public information on these websites to work. For example, a lawyer can verify whether someone’s name and IC number are correct.

“Open data websites are convenient for the public and companies, they can get information without paperwork and without the hassle and cost of writing to the relevant departments, which usually takes some time. This may free up time for government agencies to do other work,” he said.

Multi-factor authentication for protection

Several experts have suggested that a multi-factor authentication system and accounts registration be implemented to better protect privacy.

Meanwhile, Foong said it is difficult to strike a balance between privacy and the right to information, but there should be some barriers such as registering an account with full details or paying a fee before getting access to data.

“The rule of thumb is that if one submits to do something of a public nature e.g. conduct business, sue in court, certainly his or her personal data should be made public to ensure transparency or to protect the public.

“This is so the person is traceable if they commit fraud,” he added.

Advisable for management bodies of high-rise residences to abide by act

I was asked by The Star to comment on whether the Personal Data Protection Act 2010 (PDPA) binds management bodies of high-rises and prevents them from disclosing details about residents who contracted Covid-19. I said-

Bar Council Intellectual Property Committee co-chairperson Foong Cheng Leong said it was unclear if management bodies were involved in the processing of personal data for commercial purposes.

“There are different views to this. Nevertheless, there is no blanket exemption for JMBs and MCs.

“In light of this uncertainty, it’s advisable for them to comply with the PDPA.

“In any event, disclosure of information of residents with Covid-19 is highly discouraged as it could breach the PDPA and even amount to an invasion of privacy,” he said.

There are views that the collection of monthly maintenance fees by management bodies to service the building is a form of “commercial transaction” and thus the PDPA applies. The PDPA only applies to personal data in respect of a commercial transaction.

However, it is noted that the Strata Management Act 2013 empowers a management body to collect charges for the purpose of maintenance and management of the building. It is therefore arguable that they are merely exercising a legal duty and not conducting a “commercial transaction”.

Digital Edge: Techtalk: Rapid digitalisation — what happens to privacy?

I was asked by The Edge to comment about the current state of Malaysia’s own Personal Data Protection Act 2010.

Sonia Ong of Wong & Partners, Maneesh Chandra, chief technology officer of Firmus Sdn Bhd and Vernon Chua, CEO of enterprise data analytics start-up Innergia Labs Sdn Bhd are also featured in this article. The full article can be viewed at The Digital Edge’s website.

1 The PDPA explained
The PDPA, in a nutshell, is meant to legislate protection around the collection, storage and usage of personal data collected by the private sector, according to lawyer Foong Cheng Leong. The public sector and, generally speaking, contractors operating on behalf of the government are exempt from the provisions of the PDPA.

“The laws require that any personally identifiable data, collected in the course of commercial transactions, be stored safely, along with additional requirements to be transparent about its use to individuals who provided the data in the first place.”

One key issue, however, has to do with a lack of clarity on what constitutes a “commercial transaction”, Foong says. While personal data collected in the course of completing a contractual agreement — for example, swiping a credit card or signing up for a broadband service — is protected under the PDPA, it is not certain what else, if anything, constitutes a commercial transaction in Malaysia.

“It is unclear, for example, in the case of a company that might be required to collect personal data, for security purposes, from individuals they don’t have a direct contractual or commercial relationship with. Right now, there isn’t much additional guidance from the Data Protection Commission, the body enacted by the PDPA to oversee administration and enforcement of the law.”

While the PDPA is meant to regulate what businesses are allowed to do with personal data, the law confers certain rights on so-called “data subjects”. This is a term used to denote anyone who is able to be identified from the personal data collected.

An individual, for example, is conferred the right to revoke consent from the “data user” — this being the entity that collected the personal data in the first place.

Failure by the data user to respect this request could attract fines, jail terms or both.

Department of Personal Data Protection’s Advisory on the collection, processing and storage of personal data by business premises during the Conditional Movement Control Order period

The Department of Personal Data Protection has issued an advisory on the collection, processing and storage of personal data by business premises during the Conditional Movement Control Order period (“Advisory”).

According to the Advisory, businesses are only permitted to record minimal information – name, contact number, as well as dates and times of visit – for the purpose of contact tracing. The recordal can be made manually or digitally. It cannot be used for other purposes such as marketing.

The information must be processed for six (6) months after the expiry of the Conditional Movement Control Order (to be announced by the Government of Malaysia). It must be destroyed or disposed permanently thereafter.

Appendix A of the Advisory provides a sample notice for businesses to adopt in their data collection forms. The notice states that the collection of the details is required under the Prevention and Control of Infectious Diseases Act 1988. Although the Act does not specifically provide for the collection of personal data, s. 31 of the Act gives power to the Minister to make regulations. Reg. 13 of the Prevention and Control of Infectious Diseases (Measures within the Infected Local Areas) (No. 6) Regulations 2020 provides that an authorised officer may request for any information relating to the prevention and control of infectious disease from any person or body of persons. The act of requiring the collection of personal data may be granted by the implied powers under s. 40 of the Interpretation Act 1948 and 1967.

Any business that fails to comply with the Advisory and is found guilty under the Personal Data Protection Act 2010 may be subject to a fine of not more than RM300,000 or jail of not more than two years, or both. However, it is noted that the Advisory has no force of law under the Personal Data Protection Act 2010.

Prior to the publication of the Advisory, I was asked by The Star to comment on the introduction of an advisory to regulate the processing of personal data by business premises.

In the article “Experts: Safeguards needed for contact tracing info”, I said-

Bar Council Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong said this included keeping the data secure, not disclosing it to third parties without consent, and using it only within the purpose for which the data is collected.

Processing personal data in ways that were not compliant with the PDPA could lead to a fine of not more than RM300,000 or jailtime of not more than two years, or both.

However, there is a lack of awareness on personal data protection among Malaysians, said Foong.

“I don’t think many people are fully aware of their rights as stated in the PDPA. The custodians who are collecting or holding people’s personal information also have to be aware of their responsibilities and liabilities,” he said.

Further, in the article “Advisory on protecting contact tracing information approved”, I said-

Experts welcomed the decision to introduce an advisory to help protect contact tracing info given by visitors to various establishments.

“It’s good to have a standard approach for businesses that process personal data. It also removes any uncertainty,” said Foong Cheng Leong, the Bar Council Information Technology and Cyber Laws Committee deputy chairman.

He hoped that the advisory would introduce standard operating procedures that are suitable for both small medium enterprises (SMEs) and large businesses.

“It should not be too onerous on businesses especially for small outfits with fewer employees,” he said, suggesting that the government encourage larger businesses like shopping malls to use a designated online platform to register visitors, as it could help to prevent the misuse of personal data.

“The data should only be maintained by a specific department with the sole purpose of aiding the Health Ministry with contact tracing.”

Don’t misuse private info in Covid-19 apps, Putrajaya urged

I was quoted by FreeMalaysiaToday regarding the collection of data by the Government from people using official mobile applications aimed at efforts to curb Covid-19. I said-

A lawyer specialising in privacy laws has urged the government to regulate the collection of data from people using official apps for mobile phones aimed at efforts to curb Covid-19.

Putrajaya should review existing laws on data collection, and should set out the steps taken to protect private information provided by users, says lawyer Foong Cheng Leong.

It was necessary to make sure that the information is used only to deal with infectious diseases “and not for other purposes like political campaigning or police investigations for other crimes,” he said.

Punishments should be set out for those who misuse the data, and there should be provisions to guarantee redress for those harmed by the abuse of the data.

Yesterday the health minister launched the MySejahtera app which allows users to perform health self-assessments, monitor their health and enables the health ministry to also monitor the user’s health.

Two other apps, to trace contacts of infected people, are also being developed separately.

Foong said public health and safety should take precedence during a pandemic. However, there was a need to review existing laws to regulate data collection.

“Any laws passed should take into account the rights of the data subject,” he said.

Public Consultation Paper No 01/2020 – Review of Personal Data Protection Act 2010 (Act 709) [14 – 28 February 2020]

The Personal Data Protection Commissioner issued the above consultation paper on 14 February 2020 to obtain feedback on the proposed amendments to the Personal Data Protection Act 2010.

Notably, the Commissioner is intending to introduce a data breach notification requirement, civil action against data users, the right of data users to make a first direct marketing call, and the exemption of business contact information from the Act.

I am very much interested in the amendment to include the right to initiate civil action against a data user. The introduction of the same would be a boost to data privacy litigation in Malaysia.

Currently, there is no remedy for an aggrieved data subject for non-compliance with the Personal Data Protection Act 2010 other than filing a complaint with the Commissioner. There is no provision similar to s. 13 of the United Kingdom Data Protection Act 1998 (now repealed by the United Kingdom Data Protection Act 2018), ss. 167 to 168 of the United Kingdom Data Protection Act 2018 and s. 32 of the Singapore Personal Data Protection Act 2010.

An aggrieved data subject can still pursue civil litigation under the common law. However, this would depend on the circumstances of the case. Invasion of privacy is one possible action, but the law is not settled on whether invasion of privacy is an actionable tort. The other possible action would be a breach of confidence. These two (2) torts have a similar basic requirement, i.e. that the information must be private or possess the necessary quality of confidence. Not all personal information has such elements, especially when the data subject has published it themselves, e.g. on their social media page. The proposed civil action under the Personal Data Protection Act 2010 will fill the gap, especially for matters concerning misuse of personal data which are not or no longer confidential or private.

The deadline to file a response to the consultation has been extended to 10 March 2020.
