Criminal and Civil Liability of Data Breaches Under the Malaysian Law
With the rapid growth and proliferation of digital technology and the internet, collecting, processing, storing and manipulating personal data has never been easier. As the use of technology has become a societal norm, personal data are constantly transmitted and stored in various databases. As Perri opined, “personal information has become the basic fuel on which modern business and government run.”
In Malaysia, the Personal Data Protection Act 2010 (“Act”) regulates the processing of personal data in commercial transactions and falls under the purview of the Personal Data Protection Commissioner (“Commissioner”), whose main responsibility is to enforce and regulate the Act in Malaysia.
Definition of Personal Data
Pursuant to Section 4 of the Act, the term “personal data” refers to:
“any information in respect of commercial transactions, which—
(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.”
In short, any information in respect of a commercial transaction, such as name, home address, race, national ID number, occupation and gender, which enables the identification of an individual is considered personal data and therefore attracts the application of the Act.
Notwithstanding the above, it is also imperative to note the distinction between “personal data” and “sensitive personal data”: the latter strictly covers personal data relating to the physical or mental health or condition of the data subject, his/her political opinions, religious beliefs or other beliefs of a similar nature.
Key parties under the Act
(Refer to Chart 1 below)
The Personal Data Protection Principles
In essence, the application of the Act revolves around seven (7) fundamental principles, namely:
(a) the General Principle;
(b) the Notice and Choice Principle;
(c) the Disclosure Principle;
(d) the Security Principle;
(e) the Retention Principle;
(f) the Data Integrity Principle; and
(g) the Access Principle.
In light of Section 5(1) of the Act, only the data user is required to comply with the seven principles listed above.
Whilst a data processor may process personal data on behalf of the data user, the data user must ensure that the data processor provides sufficient guarantees and takes reasonable steps to ensure the security of the processing of the personal data, as required by the Security Principle.
Malaysia’s Recent Data Breaches and Macau Scams
In simple terms, a data breach may be described as “the wrongful release of secure private and confidential information to an unauthorised environment.” In 2017, a massive breach of customer data, comprising the personal information of 46.2 million mobile subscribers in Malaysia, was leaked on the dark web.
Lowyat.net was reported to have announced that an unscrupulous party had put up an advertisement to sell personal data belonging to many millions of Malaysians, following a massive leak of telecommunications service providers’ customer details that occurred in 2014. A suit was subsequently filed in February 2018 against the Malaysian Communications and Multimedia Commission (“MCMC”) and Nuemera Sdn Bhd (a company appointed by MCMC in 2014 to manage its public cellular blocking service) by Parti Keadilan Rakyat’s strategic communications director, Encik Fahmi Fadzil, for allegedly failing to prevent the leakage of his personal data along with that of the 46.2 million subscribers. Unfortunately, no further details were disclosed by the MCMC.
The case has since been settled; however, the terms of settlement were not disclosed. Following the discovery of the data breach, the MCMC also suspended its arrangement with Nuemera Sdn Bhd under the public cellular blocking service agreement.
Between January and October 2020, the Royal Malaysia Police recorded 5,218 Macau Scam cases nationwide, resulting in estimated losses of over RM256 million. In such scams, the scammer impersonates an authority figure, such as a bank or police officer, towards his/her potential victims.
Where such scammers gain access to the personal data of potential victims through data breaches or leaks like those illustrated above, they are able to convince their victims with ease, which in turn increases the success rate of the scam.
Criminal Liability under the Act
Table 1 illustrates some examples of the enforcement action the Commissioner may take against a data user for its failure to comply with the Act.
Civil Liability under the Act
Although a violation of the Act may attract criminal liability, as at the date of writing this article the Commissioner has reiterated that the Act currently provides no express right for aggrieved data subjects to pursue a civil claim against data users for breaches of the Act. Nonetheless, aggrieved data subjects may rely on the tort of negligence if they are able to furnish evidence that their personal data was leaked by the data user as a result of negligence on the data user’s part.
In Malaysia, it is commonly misunderstood that personal data privacy is the same as general privacy, such that, upon a breach of their personal data, data subjects might be able to rely on the common law of privacy.
Such a notion is inaccurate, as the Act only provides protection in relation to the privacy of personal data, as opposed to general privacy. In addition, the lack of remedies available to data subjects upon breach or leakage of their personal data is further exacerbated by the limitations provided within the Act (please refer to Part H below).
Limitations and Non-application of the Act
Notwithstanding the above, it is also crucial to note that the Act does not apply to:
a) the Federal Government and State Governments;
b) any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia;
c) personal family and household affairs;
d) non-commercial transactions; and
e) credit reporting agencies.
In 2019, Comparitech, a British technology website, conducted a study to see where governments are failing to protect privacy and/or are creating surveillance states. Out of the 47 countries surveyed, Malaysia was ranked in the bottom five.
As the government is currently the biggest collector and holder of the personal data of Malaysians, by the application of the Act it would always be shielded and would never be held accountable should there be a leakage or breach of personal data on its part.
Law on Personal Data Protection in the European Union
In 2018, the General Data Protection Regulation (“GDPR”) was adopted by members of the European Union with the aim to promote and enhance protection for data privacy.
One of the key differences between the GDPR and the Act is that Article 3(2) of the GDPR gives the regulation extraterritorial reach, extending protection of data subjects’ personal data beyond the European Union.
Additionally, Article 33 of the GDPR imposes an express obligation on the data user to notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it.
As at the date of writing this article, the Commissioner has issued a Data Breach Notification Form (“DBNF”) for data users to submit to the Commissioner should such a scenario arise.
Regrettably, as the Act currently contains no specific provision making notification by the data user compulsory, use of the DBNF remains at the discretion of the data user.
(Further details regarding the comparison of the European Union and Malaysian laws on personal data protection will be discussed in a separate article)
All in all, despite the drawbacks highlighted above, the Act does provide data subjects with protection of their personal data, albeit minimal, namely the consent requirement and the procedure by which sensitive personal data must be processed.
Further, in order to combat the rapid increase in data breaches and to regain the trust and confidence of the people of Malaysia, the government is urged to take the lead in reforming the Act so that it keeps pace with the rapid advancement of digital technology.
In the meantime, data subjects may adopt several mitigation measures to prevent a breach or leakage of their personal data, namely by changing their passwords from time to time and using different passwords for different websites.
- Perri (1998) The Future of Privacy, Volume 1: Private Life and Public Policy. London: Demos, p. 23. In: Rowland D, MacDonald E (2005) Information Technology Law, 3rd edn. London: Cavendish Publishing Limited, p. 300.
- Section 4 of the Personal Data Protection Act 2010.
- Section 4 of the Personal Data Protection Act 2010.
- Section 5 of the Personal Data Protection Act 2010.
- Page 11 of the Malaysian Communications and Multimedia Commission’s Annual Report 2017.
Lee Kin Hing
Gabriel Yee Full Yek (Associate)