top of page
umjustech

Surveillance and Privacy in Malaysia


Surveillance and Privacy in Malaysia

Written by Surren Ramachandran, a second-year student of the Faculty of Law, University of Malaya, and a member of the Advocacy Bureau, UM JusTech.

Edited by Chelsea Ho.



Surveillance is an act of monitoring the behaviour and activities of the general public or a particular individual for the purpose of gathering information, mainlydone by the authorities.[1] It can be done throughmultiple ways such as using closed-circuit televisions (‘CCTVs’)and through other sophisticated electronic equipment. Technologies used in surveillance are constantly developing to the point where mind-blowing, seemingly impossible, technologies used in fictional works such as James Bondand Totally Spies are now available in the market — tracking devices, microchip implants, spy sunglasses, and facial recognition software.[2]


Nonetheless, surveillance is and always has been a sensitive matter as there lies a real possibility of privacy intrusion and data breach on individuals. While surveillance may aid enforcement agencies to safeguard national security, the overbearing issue of whether the methods of such surveillance are ethicalor legal still lingers. Article 5(1) of the Federal Constitution (‘FC’)[3] provides for a person’s liberty, and according to the obiter dictum of the Federal Court in the case of Sivarasa v Badan Peguam Malaysia & Anor,[4] the right to privacy is included thereinunder. On this note, the author believes that the closest law being enforced in Malaysia that purportedly upholds privacy rights is the Personal Data Protection Act 2010 (‘PDPA’).[5]


I. PERSONAL DATA PROTECTION ACT 2010 (‘PDPA’)


The PDPA serves to protect one’s personal data from being misused. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An ‘identifiable natural person’, in turn, is one who can be identified by reference to identifiers such as a name, identification number, location data, banking details, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[6]


Ostensibly, the PDPA may give off the impression as though it governs the subject of privacy, but it does not. Whilst ‘privacy’ and ‘personal data’ are often used interchangeably and can indeed be interlinked, a distinguishing line can be drawn between the two — as opposed to personal data as defined above, the right to privacy relates to the right to be left alone and to live free from intrusion. In this sense, the PDPA is narrow in its application as it deals with personal data privacy as opposed to privacy rights in general.


To better illustrate this distinction, the case of Lew Cher Phow @ Lew Cha Paw & 11 Ors v Pua Yong Yong & Anor concerning the right to privacy is discussed.[7] The appellants and respondents in this case were neighbours who did not get along with each other. The respondents then installed CCTVs in their compound with one of them pointed directly at the appellants’ home. The appellants contended that the respondents’ act is an intrusion of their family’s privacy and claimed compensation for, inter alia, mental anguish and intrusion of privacy. Justice Vernon Ong held that the respondents’ act of fixing a CCTV pointed directly at the appellants’ house amounted to an unwarranted violation of their right to privacy and ordered an injunction for the CCTVs to be removed. However, since the tort of privacy intrusion is not recognised in Malaysia, no compensation was granted. It must be highlighted that the PDPA is not involved in this case.


So, what is the position of the PDPA?


According to the PDPA, any video recordings taped and obtained from CCTV cameras, whether it be in public or private areas, are subject to the legislation.[8] In 2010, former Deputy Minister of Communications and Multimedia Dato’ Eddin Syazlee bin Shith promulgated that businesses and companies are not allowed to spread any videos or footages from CCTVs as ‘Any video recording, including from closed-circuit television (CCTV) cameras in public or private areas, is subjected to the Personal Data Protection Act’.[9] Notably, PDPA would only come into effect if the businesses are registered with the Personal Data Protection Department (‘PDPD’), and businesses governed thereinunder could land themselves in hot water should they publicly share their recordings.


Parenthetically, Section 509 of the Penal Code[10] makes it a criminal offence for someone to carry out an action intending to insult the modesty of any person, and such action is taken by the victim to be ‘intruding upon their privacy’. However, while there are mentions of ‘intrusion of privacy’ in this Act, its enforcement is mainly confined to actions such as sexual harassment.[11]


Well, it is now apparent that the PDPA affords individuals with some sort of protection in that recordings are prohibited from publicly spreaded by some businesses, but does the same apply to the authorities that conduct surveillance on its people?


II. POTENTIAL THREATS TO THE RIGHT TO PRIVACY


There are currently three surveillance methods enforced by authorities that pose threats to people’s privacy rights — artificial intelligence (‘AI’) based analytics video surveillance, electronic monitoring device (‘EMD’), and wiretapping.


A. Artificial Intelligence (‘AI’) Based Analytics Video Surveillance

In 2019, the state government of Penang launched a facial recognition system to ease the identification of criminals through CCTV cameras.[12] According to an article from Bernama with the screaming headline ‘Big Brother is watching’, the Kuala Lumpur City Hall (‘DBKL’) promulgated that 5,000 cameras with an AI system will be installed all around the city to expand and improve the management of the city’s integrated transportation. It was reported that AI technology would work towards crime prevention and effectively monitor traffic offenders.[13] Consequently, many Malaysians were concerned that Malaysia is gradually shifting into an authoritarian state as seen in dystopian films, with their privacy rights at stake. Yet, the effectiveness of the system is questioned.


In recent years, foreign countries have experienced some hiccups in the course of implementing said technology. In the United Kingdom (‘UK’), facial recognition software used by the Metropolitan Police Service has returned false positives in more than 98 per cent of cases, while the system has returned more than 2,400 false positives during a period of a year (2017-2018) for the South Wales Police.[14] A false positive in face detection arises when a pattern or object is recognised as a face when it in fact is not, or when an individual is mismatched for another person. Based on a research conducted by the National Institute of Standards and Technology (‘NIST’), certain demographic groups are more at risk of false positives compared to other groups, with Asian and African American faces having higher false-positive rates than Caucasian images.[15] This brings the issue of ethical concern which has been a major one in the free world, and parallels have been drawn to the surveillance system of Nazi-occupied Germany where racial surveillance was a key factor to control its population. According to NIST, false positives may also present concerns of privacy rights and civil liberties such as when matches result in additional questioning, surveillance, errors in benefit adjudication, or loss of liberty.[16] While enforcement agencies might view that the number of false positives is small compared to the large sample of people or crowds scanned, the author stresses that no innocent person should be subjected to unlawful detention or questioning just because an AI system mistakenly red-flagged them.


Notably, since the initial introduction of the system, its effectiveness which stands to be questioned has been undoubtedly improved with further tweaks and upgrades. As of April 2020, the best face identification algorithm has an error rate of just 0.08 per cent compared to 4.1 per cent for the leading algorithm in 2014.[17] To err is human but for an AI to make an error, the consequences could be unpredictable, hence devastating. A lot of manufacturers are working on the improvement of their AI systems, but critics and the wider audience do remain sceptical of it — while its effectiveness has enhanced vastly, the issue of privacy continues to be a major concern for all and the assurance that it would not be misused in discriminatory ways is not certain.


The author holds that the usage of such video surveillance in Malaysia would not only infringe on the privacy rights of the citizens but it might also create a certain degree of unfairness and uncertainty in the justice system. Only time would be the judge of its effectiveness.


B. Electronic Monitoring Device (‘EMD’)

The Royal Malaysian Police Force has since 2015 implemented electronic monitoring device (‘EMD’) to monitor the whereabouts and movements of accused persons released on bail, potentially preventing crimes from being committed.[18] The police say that EMD is vital for surveillance purposes as it helps them keep track of offenders. Principal assistant director of the Bukit Aman Anti-Vice, Gaming and Secret Societies Division (D7), Datuk Roslee Chik, in 2017 said that the tracking devices enable the police force to track and monitor those fitted with EMD at any time, from anywhere. The author supposes that such ability poses privacy threats as the cops would now be able to pry into personal conversations and activities.

While some may argue that those with EMD are criminals and that such a treatment is, therefore, justifiable, the author opines that they are humans too and privacy should be accorded to them, for everyone is innocent until proven guilty.

Looking at the wider picture, although EMD is useful in helping the police track the whereabouts of those on bail or under constant surveillance from fleeing the country, privacy is still an evident issue revolving around its usage.


C. Wiretapping

Another surveillance method that authorities may engage in is the interception of communication — ‘eavesdropping and wiretapping’. A public prosecutor is conferred with the power to authorise police officers to intercept any postal article,messages or conversation, and enter any premises to install any interception devices under Section 6(1) of the Security Offences (Special Measures) Act 2012 (‘SOSMA’).[19] And in cases where immediateaction is needed, the police (not below the rank of Superintendent of Police) may perform such interception without permission of the prosecutor as per Section 6(3) of the SOSMA.[20]


Evidently, prosecutors (and to a certain extent, the police) in Malaysia are given a very broad power in this matter, standing in stark contrast to the police in the UK where the Secretary of State can only issue a warrantfor such surveillance if the many parameters outlined in the Surveillance Code of Practice (‘COP’) were satisfied.[21] COP provides guidance on the appropriate and effective use of surveillance camera systems by relevant authorities whereby strict adherence must be observed. It outlines 12 guiding principles that should apply to all surveillance camera systems in public places, which draw together good practice and existing legal obligations to create a regulatory framework to enable operators of surveillance camera systems to make legitimate use of available technology.[22]


Now, looking back at the position in Malaysia, the arbitrariness practised herein would open the gates for abuse of power since prosecutors and police could act under their own discretion without prior approval from the judiciary. This abuse of surveillance power would ultimately lead to the creation of a totalitarian and authoritarian state. Last year, Beijing granted Hong Kong’s authorities covert surveillance powers which would enable them to use methods such as communication interception for national security;[23] in Xinjiang, the government was found to be collecting data on the Uyghur ethnic group using a mass surveillance system such as facial-recognitioncameras, wireless fidelity (‘Wi-Fi’)sniffers and banking records [24] — both believed to be crystal-clear examples of abuse ofsurveillance powers by the author.


D. Others

Meanwhile, in Singapore, the introduction of patrol robots compounded with strict surveillance methods has stoked fear of civil liberty intrusion among Singaporeans.[25] Furthermore, the Government in Parliament revealed that the Coronavirus disease (COVID-19) contact-tracing data collected from the app TraceTogether — assured to be used only for contact tracing — could be accessed by the police for criminal investigations, thereby invoking a severe public backlash[26] whichresulted in the government passing legislation to limit its use.[27]


In Malaysia, the PDPA does not apply to the government as per S3(1),[28] whereby it is stated that PDPA is not applicable to both the Federal and State government. Such a loophole may lead to data abuse akin to what happened in Singapore. Last year, there were some uproars about privacy and data concerns stemming from the data stored in the newly developed government-operated COVID-19 contact tracing application, MySejahtera.[29] Various parties were keen on working with the government to develop and expand the application as there is a wealth of data and information sitting therein, with more than 25 million registered users (and increasing),[30] it is essentially a gold mine for corporations to track leads and expand their target audiences!


On this note, Ministry of Health Director-General Dr Noor Hisham Abdullah had assured Malaysians that the MySejahtera app is being used responsibly. More recently, in the Senate, Minister of Health Khairy Jamaluddin has assured Malaysians that the MySejahtera application is fully owned by the government and that all data stored in its databases will strictly be used for the purposes of COVID-19 pandemic response.[31] It was revealed that the company operating the app has obtained the ISO270001 (ISMS) standard [32]— an internationally recognised specification for information security management systems, covering information security policy and management, physical and environmental security, communications security as well as personnel security. Therefore, Khairy hopes that his clarification regarding MySejahtera which has recorded more than 13 billion check-ins[33] since May 2020 would reassure the public to continue using the app without hesitation, as the Ministry of Health would always ensure that public data is not compromised.


With such a reassurance, it is worth to ponder the question of whether one could pursue a tort action against the government should there be a data breach. The short answer to that is yes, under the tort of negligence. The author wishes to highlight, albeit regrettably, that the PDPA cannot be used against the government, and that the PDPA does not provide for a statutory civil right of action for breach of any of the provisions thereinunder. Nevertheless, an aggrieved individual could still pursue a civil action under common law or tort against another data user who misuses such personal data [34]— a tortious claim may be brought against the data user who leaked such personal data provided that the aggrieved individual furnishes the court with evidence showing that such leakage was caused by the data user negligently.[35]


In this regard, senior lawyer M. Visvanathan in an interview with The Vibes on the MySejahtera saga remarked that the public can take legal action against the government if they can prove that their privacy has indeed been breached, or if there is a chain of causation showing that they have suffered damages as a result of the exploits.[36] In response to the insurgence of unsolicited emails claiming to be from MySejahtera seeking personal details, Visvanathan commented that even if the government is not directly at fault for such scam tactics, it can still be held liable for negligence for the system should be foolproof — if tampered with and a breach occurs, the government has to be accountable for such breach as data leak may cause serious harm to the general public.



III. CCTVS IN THE WORKPLACE


In Malaysia, employers tend to have a mindset that they are entitled to absolute control over their employees and would implement surveillance not only ofr security reasons, but to also keep watch over the employees at all times.


In the state of California, United States of America (‘USA’), the installation of one-way mirrors (a reciprocal mirror that appears reflective on one side but see-through from the other) in restrooms or locker rooms has been made illegal. Similarly, in Connecticut, USA, it is illegal for employers to use video surveillance in areas designated for employees to rest and decompress, such as restrooms or lounges.[37]


Notably, there is no such legislation of the sort in Malaysia. However, according to guidelines issued by the PDPD,[38] the primary purpose of CCTV installation at the workplace is for ‘crime detection and prevention’, and hence it ‘cannot be misused for other purposes such as staff monitoring’.


Employers should realise that employees are humans too; they should be afforded privacy and not be placed under microscopic supervision at all times.



IV. CONCLUSION


It is undeniable that surveillance methods may help in fightingcrime and preserving national security.However, these technologies, if unregulated and abused, may be unconstitutional as it contravenes the fundamental rights of an individual under Articles 5 — liberty of a person — and 9 — freedom of movement — of the FC. The author concurs with the former Minister in the Prime Minister’s Department, the late Datuk Liew Vui Keong, who recognised the importance of striking a balance between the private interests of individuals and the interests of the State. To achieve such calibration, the author proposes for the police to work closely with experts in the industry to develop a set of guidelines on ways to conduct investigations in compliance with all codes of morals and standards while not infringing upon the privacy of the people; to conduct surveillance ethically and constitutionally.


Disclaimer: The opinions expressed in this article are those of the author and do not necessarily reflect the views of UM JusTech, and the institution it is affiliated with.



[1] Manahan, T, & Wood, D. M. (2018). Surveillance Studies: A Reader. Oxford, England: Oxford University Press. [2] Parker, G. (2016, Jun 15). 10 James Bond-like surveillance gadgets that actually exist. Money Inc. Retrieved from <https://moneyinc.com/surveillance-gadgets>. Site accessed on 1 Mar 2022. [3] Federal Constitution (Malaysia) art 5(1). [4] Sivarasa Rasiah v Badan Peguam Malaysia & Anor [2010] 3 CLJ 507. [5] Personal Data Protection Act 2010 (Act 709) (Malaysia). [6] Law Insider. (n.d.). Personal Data definition. Law Insider. Retrieved from <https://www.lawinsider.com/dictionary/personal-data>. Site accessed on 2 Mar 2022. [7] Lew Cher Phow @ Lew Cha Paw & Ors v Pua Yong Yong & Anor [2011] MLJU 1195. [8] Shahnaz Fazlie Shahrizal. (2019, Jul 23). CCTV recording subject to Personal Data Protection Act 2010. New Straits Times. Retrieved from <https://www.nst.com.my/news/nation/2019/07/506561/cctv-recording-subject-personal-data- protection-act-2010>. Site accessed on 16 Nov 2021. [9] See footnote 8 above. [10] Penal Code (Act 574) (Malaysia) s 509. [11] Devaraj, P. (n.d.). Excuse me, but I think you are so cute! Aliran. Retrieved from <https://m.aliran.com/archives/monthly/2002/3g.html>. Site accessed on 2 Mar 2022. [12] Sharon, A. (2019, Jan 3). Malaysian set to implement facial recognition system to combat crime. OpenGov Asia. Retrieved from <https://opengovasia.com/malaysia-set-to-implement-facial-recognition-system-to-combat-crime/>. Site accessed on 16 Nov 2021. [13] Bernama. (2021,Oct 15). Big Brother is watching - 5,000 CCTV cameras in KL soon. Free Malaysia Today. Retrieved from <https://www.freemalaysiatoday.com/category/nation/2021/10/15/big-brother-is- watching-5000-cctv-cameras-in-kl-soon/>. Site accessed on 16 Nov 2021. [14] See footnote 12 above. [15] Meyer, C. (2020. May 1). Facial recognition error rates vary by demographic. ASIS International. Retrieved from < https://www.asisonline.org/security-management-magazine/articles/2020/05/facial-recognition-error-rates-vary-by-demographic/>. Site accessed on 3 Mar 2022. [16] NIST. (2020, Jan 15). Facial recognition technology (Part III): Ensuring commercial transparency & accuracy. NIST. Retrieved from <https://www.nist.gov/speech-testimony/facial-recognition-technology-part-iii-ensuring-commercial-transparency-accuracy>. Site accessed on 3 Mar 2022. [17] Crumpler, W. (2020, Apr 14). How accurate are facial recognition systems – and why does it matter?. Centre for Strategic & International Studies. Retrieved from <https://www.csis.org/blogs/technology-policy-blog/how-accurate-are-facial-recognition-systems-%E2%80%93-and-why-does-it-matter>. Site accessed on 4 Mar 2022. [18] Bernama. (2016, Feb 4). No escape from EMD. The Sun Daily. Retrieved from <https://www.thesundaily.my/archive/1709140-GSARCH351693>. Site accessed on 5 Mar 2022. [19] Security Offences (Special Measures) Act 2012 (Act 747) (Malaysia) s 6(1). [20] See footnote 19 above. [21] Home Office. (n.d.). Surveillance Camera Code of Practice. Home Office. Retrieved from <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1035067/Surveillance_Camera_CoP_Accessible_PDF.pdf>. Site accessed on 20 Mar 2022. [22] The 12 guiding principles that are outlined in COP are: 1. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need. 2. The user of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified. 3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints. 4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used. 5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them. 6. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged. 7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes. 8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards. 9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use. 10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published. 11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value. 12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date. [23] AFP. (2020, Jul 7). Beijing grants Hong Kong police sweeping security surveillance powers. Free Malaysia Today. Retrieved from <https://www.freemalaysiatoday.com/category/world/2020/07/07/beijing-grants- hong-kong-police-sweeping-security-surveillance-powers/>. Site accessed on 16 Nov 2021. [24] AFP. (2019, May 2). Xinjiang surveillance app targets legal, everyday behaviour. Free Malaysia Today. Retrieved from <https://www.freemalaysiatoday.com/category/world/2019/05/02/xinjiang-surveillance-app-targets-legal- everyday-behaviour/>. Site accessed on 16 Nov 2021. [25] AFP. (2021, Oct 6). Singapore patrol robots stoke fears of surveillance state. Free Malaysia Today. Retrieved from <https://www.freemalaysiatoday.com/category/world/2021/10/06/singapore-patrol-robots-stoke-fears-of- surveillance-state/>. Site accessed on 16 Nov 2021. [26] Chee, K. (2021, Feb 2). Vivian Balakrishnan says he 'deeply regrets' mistake on TraceTogether data.The Straits Times. Retrieved from <https://www.straitstimes.com/singapore/vivian-balakrishnan-says-he-deeply-regrets-mistake-on-tracetogether-data-first-realised-it>. Site accessed on 6 Mar 2022. [27] Tarabay, J. (2021, Feb 1). Governments tap Covid data for other uses, risking backlash. The Star. Retrieved from <https://www.thestar.com.my/tech/tech-news/2021/02/01/governments-tap-covid-data-for-other-uses-risking-backlash>. Site accessed on 6 Mar 2022. [28] See footnote 5 above, s 3(1). [29] Ainaa Aiman. (2020, Aug 19). Making MySejahtera compulsory raises privacy, connectivity concerns, say experts. Free Malaysia Today. Retrieved from <https://www.freemalaysiatoday.com/category/nation/2020/08/19/making-mysejahtera-compulsory-raises-privacy-connectivity-concerns-say-experts/>. Site accessed on 6 Mar 2022. [30] The Edge Markets. (2021, Jun 30). Tech: Can MySejahtera be turned into a super app, and should it? Ministry of Communications and Multimedia Malaysia. Retrieved from <https://www.kkmm.gov.my/en/public/news/19338-tech-can-mysejahtera-be-turned-into-a-super-app-and-should-it>. Site accessed on 6 Mar 2022. [31]Syafiqah Salim. (2022, Mar 31). Info, data in MySejahtera app fully owned by govt, says Khairy. The Edge Markets. Retrieved from <https://www.theedgemarkets.com/article/all-data-and-information-obtained-result-use-mysejahtera-sole-property-government-%E2%80%94-khairy>. Site accessed on 14 Apr 2022. [32]See footnote 31 above. [33]See footnote 31 above. [34] Shanti Kandiah. (2021, Nov 5). The privacy, data protection and cybersecurity law review: Malaysia. The Law Reviews. Retrieved from <https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-review/malaysia#:~:text=The%20PDPA%20does%20not%20provide,misused%20the%20individual's%20personal%20data.>. Site accessed on 21 Apr 2022. [35] Sivanantham, D. L. & Tan, A. H. V. (2022, Jan 4). Malaysia: Malaysian Personal Data Protection Act 2010: Does it apply to government agencies?. Mondaq. Retrieved from <https://www.mondaq.com/data-protection/1147340/malaysian-personal-data-protection-act-2010-does-it-apply-to-government-agencies>. Site accessed on 21 Apr 2022. [36] Amar Shah Mohsen. (2021, Oct 21). Public can sue if there is bona fide MySejahtera data breach: Expert. TheVibes.Com. Retrieved from <https://www.thevibes.com/articles/news/45140/public-can-sue-if-there-is-bona-fide-mysejahtera-data-breach-expert>. Site accessed on 21 Apr 2022. [37] Davis, A. (2020, Jan 24). Workplace video surveillance policy. Kisi. Retrieved from <https://www.getkisi.com/blog/workplace-video-surveillance-policy>. Site accessed on 18 Jan 2022. [38] Malaysian Communications and Multimedia Commission (SKMM). (2008). Video Surveillance in Public Spces. Malaysian Communications and Multimedia Commission (SKMM). Retrieved from <https://www.mcmc.gov.my/skmmgovmy/media/General/pdf/Video_Surveillance_Public_Spaces_compressed.pdf>. Site accessed on 6 Mar 2022.


98 views0 comments

Comments


bottom of page