- 7 months ago
- #considerthis
Recently, it was revealed that the Malaysian Communications and Multimedia Commission had directed mobile network operators to hand over personal mobile data, which MCMC says will be used for official statistical purposes. As digital citizens in an increasingly data-driven state, should we trust that our mobile data is being used responsibly—and do we even have a choice in the matter? On this episode of #ConsiderThis Melisa Idris speaks with Foong Cheng Leong, Deputy Chair of the Bar Council Committee on Intellectual Property.
Category
🗞
NewsTranscript
00:00hello and good evening i'm melissa idris welcome to consider this this is the show where we want
00:15you to consider and then reconsider what you know of the news of the day recently it was revealed
00:20that the malaysian communications and multimedia commission had directed mobile network operators
00:26to hand over personal mobile data which mcmc says will be used for official statistical purposes
00:35now as citizens as digital citizens in an increasingly data-driven state tonight on the
00:41show we ask should we trust that our mobile data is being used responsibly and do we even have a
00:48choice on in the matter well joining me on the show to explore this further is feng cheng leong who is
00:55the deputy chair of the bar councils committee on intellectual property thank you so much for
01:00joining me on the show today um mcmc says the data that they're collecting from network operators is
01:08anonymized and pseudonymized and i'm just wondering whether that exempts it from all the kind of data
01:16protection safeguards or is there still a legal threshold that must be met um in a in short does
01:24that mean is there a clear legal definition of what anonymized means in malaysian law uh there's no exact
01:32definition for anonymization uh the organization or pseudo anonymization uh what the law covers is that if
01:40it is personal data the personal data protection act would apply so there are certain set of
01:46obligations that the data controller has to comply with when they deal with personal data so but the
01:53pdpa does not apply to the government uh you know and for mcmc they have the power to request for
02:00information uh actually from anyone and in this case of course who are licensees they are required to
02:06provide information or documents that are required by mcmc um in in the present case i think the
02:13problem with us malaysian is that we are quite traumatized with the data bridges that we had for
02:20the past uh few years uh if i can recall correctly in 2017 we have a data bridge uh involving mcmc uh there
02:30was a bridge where a few million data mobile data information will leak on the internet um spill so much
02:39so at the time the minister of now current minister of communication uh yb fami pazir actually filed a
02:45lawsuit uh against mcmc and a few other people uh in that proceedings for the data bridge uh and the
02:54person who acted for uh yb was another yb as well currently yb will be shariza as well so that i did
03:02follow up on the case that time and i was i was following asking uh yb shariza i know what how is it
03:08how is it because it was probably the first time we had uh someone uh filing a lawsuit for data bridge
03:15at the time uh but unfortunately that case was withdrawn um i don't know what happened to it but i know
03:21the parties involved in the proceedings uh actually are still in a legal suit right now so it has been
03:29long ongoing uh lawsuit and and then not too far uh from from today it was uh another data leak
03:38involving mice etc in a few million uh personal data was leaked especially our sensitive data were leaked
03:46uh and unfortunately nothing happened thereafter or something happened but we were not told
03:51uh what happened uh and and there was another data leak but not involving government it was
03:57uh involving the airlines uh that resulted in prosecution in court that involved private entities
04:06so they were brought they were brought to court and being charged there and not and they paid a compound
04:12or paid a fine i'm not i can't recall uh but in respect of the government's liability and so far
04:19what we can see that that is a weakness okay okay can can you just help me clarify so you you said
04:26that the pdpa pdpa doesn't um apply to government is there a legal basis for this government directive does
04:35it fall within current laws that the government can request telcos provide um user data without uh user
04:44consent yes uh under the community communication and multimedia act 1998 they have the powers to request
04:53for information and documents that are relevant to their functions and their powers also in a way they
05:01have the powers to to ask for any information um but i think to be fair to the mcmc um these powers i mean
05:11this information they should have the power to request because they are in the position in making
05:17decisions and policies they cannot make policies out of vacuum uh they must have data to make information
05:24it's just that the methodology and the how how users and how the public you know is informed of that
05:32of that uh decision uh that has to be properly done so far is they we are we are not aware you know
05:40what happens there's this thing you know reported by a foreign news entity then we are then always
05:47then oh there's something going on right so so uh is there any obligation are telcos under any obligation
05:53to uh to uh inform users in terms of consent or in terms of transparency when they are responding to
06:00government directives like like this one so no uh there are no obligations for them to tell
06:06in fact if i've gone through some of their privacy policies or privacy statements of the telcos
06:11they actually did not say anything about uh providing uh users or notifying them not only request
06:18government requests um i recall uh helping out some for some uh freedom uh of information
06:27organization and some of the questions they asked whether the country uh practices transparency or um or
06:35privacy one of the question is asked does the telcos have put in a proper statement to say that in the
06:43event of any request government request you will be notified the same so malaysia no no okay all right
06:50do you do you think we should is that something that we we would you know should be looking at and
06:56is there anything in the the fact that this incident highlights to you about the gaps in our data
07:03protection framework uh particularly when kind of state access is involved uh well there are again there
07:09are two two two school of thoughts uh one is if let's say if it's a really urgent matter which if
07:16you alert the user then the user may destroy something or not cause certain damage then it's
07:22where you do not tell them but when it comes to requests for information uh like a general information
07:28i think for statistic purposes or for research or study purposes probably there is a need to tell them for
07:35users to opt out i do not want to be part of the study uh but when it comes to data being anonymized
07:42then perhaps um again is is the weighing of the between the rights of the state uh the telcos and
07:51also the users the privacy of individuals unfortunately like malaysia our privacy rights are not really
07:57strong so we most of us would think that oh if government wants it okay just give oh no choice
08:02us to give but in certain countries where the privacy rights prevail they have can have a pushback
08:07they can tell the government i'm not giving you i i this is my right under the law to push out uh not
08:13pop out from any of your studies all right i'm just wondering are there any um legal provisions or
08:20guardrails in terms of how much data the government is allowed to see so when when we give our data to
08:28a telco and we sign the pdpa which doesn't apply to government are there any um parameters in which
08:35the government what what data the government can and cannot uh uh request for oh there's nothing in
08:44one thing is the laws get drafted by the government
08:48and and most of the time the person who drafted uh would be someone from that particular government agency
08:56so they would of course have to act in the best interest of the agency and then uh in the olden
09:02days the consultations are not that strong unlike today uh so most of the time uh this law will get
09:09passed just like that and bear and bear in mind like say communication multimedia act it was uh it was
09:15passed in 1998 in 1998 uh the privacy rights in malaysia is not that strong unlike this case nowadays we have
09:24cases involving invasion of privacy data breaches uh those days uh only a handful of people on
09:32internet but these days everybody's on internet so uh i think we have to relook into privacy rights
09:39when it comes to drafting of laws all right so you mentioned a bit earlier that if it were for other
09:45purposes apart from uh a government directive users should have the option to opt out but as i understand
09:53it for this one there's no option to opt out um are there mechanisms in malaysia to challenge such
10:00directives or any avenues for judicial review if data is found to be used improperly yes i think there's
10:08always avenue of uh of judicial review uh of course you need to fulfill the threshold of being an interested
10:15person uh to to file the judicial review um whether someone would do that uh in malaysia i think in
10:24respect of some if let's say they are very strong privacy bodies in malaysia uh they actually do incident
10:30other countries uh they actually have uh bodies that uh or organizations that are very privacy strong
10:36and if they find the government's overstepping their boundaries they will actually go to court and
10:40challenge challenge challenge it so yes possible uh but as i can see from uh most of our cases the courts are
10:50pretty much on the government side it is usually because of um the public policy overrides the personal
10:58interest all right so how would you assess our some malaysia's um uh level of kind of awareness of privacy
11:08rights and and how much we we uphold them in malaysia oh it's getting good better uh with the pdpa in
11:16force uh it's been 10 years since the pdpa so uh we are moving towards a better uh way better way of
11:25you know looking to privacy uh there are new laws that has been introduced like the amendments the penal
11:31code the online safety egg uh more a lot to do with you know helping uh malaysia's from preventing us
11:38from being harmed so one of the ways is being preventing being harmed for example is doxing
11:43for example uh permission being used uh more fully online so we are seeing that more and more coming
11:52in uh you know and stocking as well stocking also involves your personal data because they know where
11:58you are where you live who are your family members that again is your privacy rights so all these are
12:03actually interrelated so we are looking into uh more and more uh privacy related town laws uh in
12:12helping malaysians okay so your legal opinion are are you at all concerned from this um incident of
12:19the mcmc requesting data from the mobile network operators well personally is final issue because again
12:28mcmc should have the right to request for information documents if you know strictly for
12:35certain basis uh here they have really given their basis is for some tourism and so and so forth
12:41but the only thing is they did not inform i'll find it um but and also if they have informed you
12:50know make a public notification request is made this is the purpose yes they'll be very good uh telling us
12:56but because of our past trauma uh we find that you know this request is has you know it's problematic
13:05and you know what else can you do with the data i know for example i use the data based on the data
13:10they ask for example i base the data on a person of race and i use it uh for let's say um election purposes
13:19for very money for example i determine okay this uh segment of the race has a lot of them are in this
13:26place during this period uh what is my my my information that i want to uh target these people
13:34let's say people of the uh the chinese race in this area and then i do joe location targeted of uh of let's
13:43say uh of you know telling them also information i use very racial type of information to push to this
13:51segment of the industry at this place segment this location at this case because i have the data from
13:56the telco i know here is fully concentrated by the chinese and i will put information for the chinese
14:02only here so these are some of the worries what they can use the data for you know for purposes not
14:10uh for the for the goods of the country okay well thank you so much for kind of clarifying the um the
14:17legal basis for this and i appreciate your time feng cheng leong from the bar council's committee on
14:22intellectual property there we're going to take a quick break here and consider this we'll be back
14:25with more stay tuned
Comments