Latest news with #PersonalDataProtectionAct2010


The Star
5 days ago
'Collection of metadata poses risks'
PETALING JAYA: Like puzzle pieces scattered across a table, bits of digital data may appear meaningless on their own. But with enough time, as well as location and behavioural clues, a recognisable picture can emerge.

That is the concern raised by cybersecurity experts over a government initiative to collect anonymised mobile phone data. The Mobile Phone Data (MPD) programme, introduced by the Malaysian Communications and Multimedia Commission (MCMC), is intended to support public policy, particularly in tourism and infrastructure planning.

Although authorities have emphasised that the data excludes names and identification numbers, experts warn that by combining the anonymous data with other metadata such as tower location, timestamps and user behaviour, it could still expose individuals to reidentification and cyber threats.

According to AI Society president Dr Azree Shahrel Ahmad Nazri, even coarse location data such as cell tower logs can be used to build a person's detailed behavioural profile. 'From just a few days of movement data, researchers can predict who you are with over 90% accuracy,' he claimed when contacted. 'This is why metadata is not truly anonymous.'

MCMC, in a media briefing last week, clarified that IMEI numbers and SIM card IDs were not among the data fields requested. However, Azree Shahrel cautioned that even without those identifiers, centralising metadata still poses significant cybersecurity risks. He also warned that such repositories could become high-value targets for hackers, cybercriminals or foreign actors. 'If breached, this data could form a detailed map of user routines, enabling highly targeted attacks or surveillance,' he said.

He suggested that persistent identifiers, such as anonymised mobile numbers, be replaced with session-based tags, and that precise timestamps be aggregated to reduce the risk of tracking individuals.

Universiti Malaysia Sarawak lecturer Chuah Kee Man echoed those concerns, pointing out that the MPD does not currently violate the Personal Data Protection Act 2010 (PDPA), as anonymised metadata and government agencies fall outside its scope. However, he argued that this legal blind spot still raises red flags. 'The collection is occurring without the public's explicit consent or even knowledge.

'And while it may not breach the PDPA directly, it creates ethical and legal issues surrounding the erosion of privacy rights,' he said. He warned that once data is stored at this scale, it could potentially be used for political profiling, social control or surveillance. 'The integrity of how this data is used relies entirely on those managing it – both now and in the future,' he said.

He called for a shift in approach, including the principle of data minimisation, where only essential data is collected, and for the implementation of informed consent policies. 'If the government insists on collecting such data, it must demonstrate a clear need and adopt every possible measure to protect users,' he said.

Cybersecurity specialist Fong Choong Fook said public concern about the MPD programme is not unfounded, especially given previous data breaches involving government-linked agencies. 'One of the most notable cases was in 2017, when the personal data of 46 million Malaysians was leaked after the MCMC outsourced work to a contractor.

'Incidents like these continue to shape public scepticism,' he said. The massive data breach in 2017, believed to affect almost the entire population of Malaysia, included lists of mobile phone numbers, identity card numbers, home addresses and SIM card data of 46.2 million customers from multiple mobile phone and mobile virtual network operators.

'Take note that the PDPA does not apply to MCMC. This means that if a data leak were to occur, MCMC would not be held liable,' he said, highlighting a gap in accountability.

Fong urged the government to be transparent about the anonymisation process and to release a clear set of guidelines outlining how the data is managed, what safeguards are in place and how privacy is protected. 'There should be a publicly accessible framework, or at least a white paper that can be scrutinised by independent experts.

'We cannot continue operating in a black box,' he said.


New Straits Times
15-06-2025
- Politics
NST Leader: Of private data and public use
WHENEVER the government says it is collecting personal data, Malaysians get the jitters. Can't blame them. One thought that crosses the mind of some people is: is Big Brother keeping watch on us? The other and more common concern is about leakages, of which there have been far too many without any serious consequences to those who were responsible.

Understandably, the recent announcement by Communications Minister Datuk Fahmi Fadzil that Putrajaya is collecting phone call data from telecommunication companies for policymaking brought back the old anxiety, especially when they learnt that discussions between the government and the telcos have been going on since 2023. Phone call data is itself a fear-generating phrase. Does it mean data on all calls one makes are collected? Early communication would have helped allay the people's fears, but transparency isn't Malaysia's strong point. Putrajaya has to work hard on it.

The government must understand people's fears. Every day, people are bombarded with numerous anonymous calls and text messages. Neither the telcos nor our regulators seem to be able to put a stop to such an invasion into our private world. Some even know the names of the phone owners. How did they get access to the names and phone numbers? Can't blame the people for suspecting it to be an inside job.

People do recognise the government's need to work with personal data to deliver their services efficiently and effectively in this highly digitalised world. But their concern is how the personal information is collected, stored and shared. Not just telcos collect personal data, but all manner of companies do that. The important thing is robust oversight by regulators. Making the non-compliant accountable is critical. Since 2017, only about 20 companies have been compounded or fined for personal data breaches under the Personal Data Protection Act 2010 (PDPA), some even for processing personal information without consent or permits.

Thankfully, the amended PDPA that came into effect in January comes with a bigger bite. Data controllers and data processors face a fine of up to RM1 million or imprisonment of up to three years or both for non-compliance. As under the unamended act, gathering evidence remains a huge challenge as the lawbreakers delete the data once non-compliance is detected. Some have described the hunt for evidence as a cat-and-mouse game, only more vicious.

So where does this leave the people whose personal data has been made public by unlawful means? The tort of invasion of privacy, which is a well-developed civil remedy in several common law countries, isn't recognised in Malaysian jurisprudence. A court or two appeared to have thought it was a recognised tort, but higher courts have overruled such judicial activism.

Perhaps the answer lies in the statutory introduction of the tort. Some will argue that there is no need for one because the PDPA is there, but they forget that it doesn't address civil remedies. Until such time when invasion of privacy does become a recognised tort in Malaysia, either through the courts or statutory introduction, people must seek recourse through other torts such as breach of confidence or negligence.


Malaysiakini
11-06-2025
- Business
Apples, oranges, lemons to cost 5% more
Good morning. Here's what you should know today.

Key Highlights
- Apples, oranges, lemons to cost 5% more
- Appeals court hits pause on Yusoff v Anwar
- No opt-out for MCMC data gathering

Apples, oranges, lemons to cost 5% more
Apples, lemons, and most oranges - fruits that are almost entirely imported here - are going to cost 5 percent more come July. The reason? The government is expanding the sales and services tax (SST) to cover more "non-essential" goods and services, and imported fruits are on that list. Local fruits, however, will remain tax-free, as will a slew of other food staples. Other food items that will be taxed include salmon, cod, truffle mushrooms, and king crab.

Appeals court hits pause on Yusoff v Anwar
The Court of Appeal has granted a temporary stay of proceedings in the sexual assault civil suit brought against Prime Minister Anwar Ibrahim by Yusoff Rawther. This is pending a decision on Anwar's bid to get a full stay on the case. The trial was supposed to commence next week before Anwar got the temporary stay on Tuesday.

No opt-out for MCMC data gathering
There is no option for mobile users to opt out of an ongoing pilot project involving the collection of anonymised mobile phone data for official statistical purposes. The MCMC cited legal provisions that allow them to collect anonymised data for infrastructure improvement. They added that mobile phone data is not classified as personal data under the Personal Data Protection Act 2010, as it reportedly can't be used to identify or trace individuals, either directly or indirectly.


New Straits Times
10-06-2025
Security guards have no authority to demand, scan MyKad
PUTRAJAYA: Security guards do not have the authority or right to request, hold or scan the identity card (MyKad) of the public, according to the National Registration Department (NRD).

NRD in a statement to Bernama said only five categories of officers are allowed to do so under Regulation 7(1), National Registration Regulations 1990, namely NRD officers, police officers, customs officers, military personnel on duty, as well as civil servants authorised by the Director General of National Registration. "Any action by security guards to request or keep identity cards is against the law and action can be taken," it said.

The NRD also stressed that the use of electronic devices to scan MyKad data is also not allowed, as it is subject to provisions under the Personal Data Protection Act 2010. "Any processing of personal data by private parties is subject to the Personal Data Protection Act 2010, which sets out guidelines and obligations to protect individual personal information," according to the NRD.

Bernama contacted NRD to seek clarification on the issue, following a recent viral post on social media about a security guard at a premises who allegedly used an electronic device to scan MyKad. The security guard's action has sparked questions from the public about its legal validity.

As a security measure, NRD advises the public not to hand over their identity cards to any unauthorised individual and to report any violations to the relevant authorities immediately. – Bernama


The Sun
10-06-2025
NRD: Security guards cannot hold or scan MyKad
PUTRAJAYA: Security guards do not have the authority or right to request, hold or scan the identity card (MyKad) of the public, according to the National Registration Department (NRD).

NRD in a statement to Bernama said only five categories of officers are allowed to do so under Regulation 7(1), National Registration Regulations 1990, namely NRD officers, police officers, customs officers, military personnel on duty, as well as civil servants authorised by the Director General of National Registration. 'Any action by security guards to request or keep identity cards is against the law and action can be taken,' it said.

The NRD also stressed that the use of electronic devices to scan MyKad data is also not allowed, as it is subject to provisions under the Personal Data Protection Act 2010. 'Any processing of personal data by private parties is subject to the Personal Data Protection Act 2010, which sets out guidelines and obligations to protect individual personal information,' according to the NRD.

Bernama contacted NRD to seek clarification on the issue, following a recent viral post on social media about a security guard at a premises who allegedly used an electronic device to scan MyKad. The security guard's action has sparked questions from the public about its legal validity.

As a security measure, NRD advises the public not to hand over their identity cards to any unauthorised individual and to report any violations to the relevant authorities immediately.