After newest data leak, lawyers say time for Putrajaya to give up PDPA immunity
KUALA LUMPUR, March 8 — Continued breaches exposing Malaysians’ private information at government agencies meant the Personal Data Protection Act (PDPA) should be amended to finally make them accountable, said legal experts.
In its current form, the PDPA only covers commercial entities and transactions, exempting both the federal and state governments from its rules and principles, including those requiring data users to properly secure personal information provided to them.
This exemption has stood out more with each new data breach involving government agencies and departments, especially amid the worsening threat of online scams in the country.
Last week, Malaysians discovered a vulnerability in the Inland Revenue Board’s MyTax portal that could expose a person’s personal details using only their MyKad number. The vulnerability has since been patched and the IRB has sought to assure taxpayers that their sensitive information was secure.
Before that, the auditor-general also flagged an incident in which the private data of over three million Malaysians had been exported from the government’s MySejahtera app, ostensibly by a “super admin” user.
While the Health Ministry has denied this data had been misappropriated, it revealed that the “super admin” user had downloaded the data to protect it from an intrusion attempt on the MySejahtera system.
According to lawyer Louis Liaw Vern Xien, the government should update the PDPA to make itself accountable for future breaches due to abuse or negligence that exposed Malaysians’ private information.
“Yes, at this juncture the PDPA does not apply to government bodies and therefore any misuse or negligence towards data use or storage such as data breaches cannot be pursued through the act. Victims of data breaches have no recourse through the Act.
“Although the government is in the process of amending the act, the exact effect of the amended act will not be known for sure until the amendments are passed,” Liaw said when contacted.
Another lawyer, Foong Cheng Leong, pointed out that those responsible for previous leaks and breaches in the government have yet to be identified, meaning it was possible they were still put in charge of such systems.
“There are very few details about it. We have not heard of anyone being held personally responsible for the data leakage.
“Perhaps there should be new laws or regulations to make those who are responsible for taking care of our data be responsible for what has happened. A public inquiry or even a Royal Commission Inquiry should be done for the past data leakages,” he said when contacted.
The PDPA allows for fines of up to RM500,000 and custodial sentences of no more than three years’ imprisonment for various offences, ranging from the unauthorised collection of private information to the unlawful disclosure and transmission of the same.
Foong suggested that a provision also be included to allow users affected by data leaks by the government to seek compensation.
Proposed amendments to the PDPA to further curb personal data breaches are expected to be presented in Parliament before the end of this year.
Communications and Digital Minister Fahmi Fadzil said the Personal Data Protection Department (PDPD) was reviewing the amendments prepared during the previous administration, before these are extended to the Attorney-General’s Chambers.
Fahmi said among amendments being considered were the requirement for companies or data users to notify the PDPD upon the discovery of data breaches and increased penalties for violators.
Aside from the MyTax and MySejahtera incidents, other high-profile cases of suspected data leaks being traced back to the government include allegations that the details of over 22 million Malaysians had been stolen from the National Registration Department.
In November last year, claims emerged online that the Election Commission’s voter database had been compromised and the stolen information posted for sale online, while two months earlier, the government’s payroll system was breached, giving hackers access to millions of civil service payslips.
Since then, the Malaysian Bar has called for a law to specifically safeguard privacy in Malaysia and protect the personal data of users regardless of whether commercial or government entities were doing the collection.
Until such laws and amendments were in place, both Liaw and Foong suggested that the government be conservative about any additional data it collected, or minimise its data collection to only what was necessary.
Apps and services that collect user data such as MySejahtera should not be repurposed or widened beyond their original scope to avoid potential for leaks or abuse, they said.
Highlighting MySejahtera’s location data, Liaw pointed out that users had been compelled to provide this information due to the extraordinary nature of the Covid-19 pandemic, which has since subsided and no longer justified the retention of this valuable data.
“One of the principles of data protection law is that there cannot be excessive collection of personal data and must only be collected if it is necessary. Thus, the government must think about this before they start collecting personal data,” said Foong.