This article was downloaded by: [Kungliga Tekniska Hogskola]

On: 13 August 2015, At: 23:54

Publisher: Routledge
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered
office: 5 Howick Place, London, SW1P 1WG

Information & Communications

Technology Law
Publication details, including instructions for authors and
subscription information:
http://www.tandfonline.com/loi/cict20

Personal data protection law: The

Malaysian experience
Ida Madieha Azmi

Private Law Department , International Islamic University ,

Malaysia
Published online: 22 Oct 2007.

To cite this article: Ida Madieha Azmi (2007) Personal data protection law: The Malaysian
experience, Information & Communications Technology Law, 16:2, 125-135
To link to this article: http://dx.doi.org/10.1080/13600830701532001

PLEASE SCROLL DOWN FOR ARTICLE

Taylor & Francis makes every effort to ensure the accuracy of all the information (the
Content) contained in the publications on our platform. However, Taylor & Francis,
our agents, and our licensors make no representations or warranties whatsoever as to
the accuracy, completeness, or suitability for any purpose of the Content. Any opinions
and views expressed in this publication are the opinions and views of the authors,
and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content
should not be relied upon and should be independently verified with primary sources
of information. Taylor and Francis shall not be liable for any losses, actions, claims,
proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or
howsoever caused arising directly or indirectly in connection with, in relation to or arising
out of the use of the Content.
This article may be used for research, teaching, and private study purposes. Any
substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing,
systematic supply, or distribution in any form to anyone is expressly forbidden. Terms &
Conditions of access and use can be found at http://www.tandfonline.com/page/termsand-conditions

Information & Communications Technology Law,

Vol. 16, No. 2, June 2007

Personal Data Protection Law: The Malaysian Experience

IDA MADIEHA AZMI

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

Private Law Department, International Islamic University, Malaysia

ABSTRACT In 1998, the Malaysian government introduced a draft Data Protection Bill.
This Bill has never made it to Parliament due to heavy opposition from the communication
and multimedia industry. In a surprise move, the government abandoned the European
Union approach for a more industry friendly set of regulations. The exact nature of the
proposed draft bill is yet to be seen as, unlike its predecessor, the whole process of drafting
is being kept confidential. This article discusses the Malaysian initiative in introducing
specific data protection laws in the years following the archived draft Personal Data
Protection Bill. It is the hypothesis of this article that the lack of protection for data privacy
stems largely from the widespread lack of recognition of the right of privacy in general.
With regards to data protection, for example, some view the current sectoral approach to
data protection is adequate in providing the minimum security needed in the industry.
Others, however, view the sectoral approach as rather piecemeal and hardly sufficient to
provide the required security. As to the general rights of privacy, the non-recognition of a
general right of privacy is hardly surprising. In a country where individual freedom of
expression is effectively not guaranteed, the European-style notion that an individual
should be free from unnecessary intrusion and snooping from the state is a luxury. In a
country that professes to adhere to Islamic teaching as its major religion, this proposition
is entirely not acceptable. Leaving religious concerns aside, the truth is that many in the
industry feel that having a stringent data protection law would be detrimental to the
overall industrys needs and interests. Furthermore, other laws relevant to data privacy
exist, and they provide the minimum security required by the industry without unduly
inhibiting its growth.

Of rules and relaxation of rules

In 2000, the Malaysian government introduced a draft Personal Data Protection
Bill based on the European standards on data protection.1 This Bill never made
it to Parliament due to heavy opposition from the communication and
multimedia industry. In a surprise move, the Malaysian government redrafted
the Bill for further relaxation of rules.2 The exact nature of the redrafted bill is
yet to be seen as unlike its predecessor, the redrafted bill is being kept
confidential. This article discusses the Malaysian initiative to introduce specific
data protection laws in the years since the shelved first draft Personal Data
Protection Bill. It is the hypothesis of this article that the lack of protection for
data privacy stems largely from the widespread lack of recognition of the right
of privacy in general. With regards to data protection, for example, some are of
ISSN 1360-0834 print/ISSN 1469-8404 online/07/02012511 Taylor & Francis
DOI: 10.1080/13600830701532001

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

126

I. M. Azmi

the opinion that the current sectoral approach to data protection is adequate in
providing the minimum security needed in the industry. Others, however, view
the sectoral approach as being rather piecemeal and hardly sufficient to
provide the required security.
As to the general right of privacy, the non-recognition of it as a fundamental
human right is hardly surprising. In a country where the individuals freedom of
expression is effectively not guaranteed, the ideal notion that an individual
should be free from unnecessary intrusion and snooping from the state is a
luxury. In a country that professes to adhere to Islamic teaching as its major
religion, this proposition is not entirely acceptable. Leaving religious concerns
aside, the truth is that many in the industry are of the view that having stringent
data protection law would be detrimental to the overall industrys needs and
interests. Furthermore, other laws relevant to data privacy exist and they
provide the minimum security required by the industry without unduly
inhibiting their growth.
This article will explore the following issues. Is there a need for personal data
protection in Malaysia? What would be the compelling factors behind the
introduction of such legislation? Would it be because of consumer needs, or
domestic or international trade? Since the archival of the proposed draft
Personal Data Protection Bill 2000, it has been announced that a new set of
rules will be introduced. The article will explore the form these new rules may
take (e.g., self-regulation, or simply a relaxation of rules) and what this would
entail. Are there any established industry practices that can sustain selfregulation? Is there enough respect for the general right of privacy in Malaysia?
Can one say that the sudden interest in informational privacy is a manifestation
of the broader public interest in the right of privacy? What about Islam? Is
right of privacy recognized in Islam? What are the kinds of privacy rights
discussed by Muslim scholars? Could Malaysia, as a Muslim state, instead turn
to Islam for support in its quest to provide an adequate framework of privacy
rights?
From 2000 to 2006
Several events that took place in the years 2000 2006 that unearthed enormous
dissatisfaction among the public on the lack of regulation on personal data.
Reports of sales of personal data hit the newspaper headlines and open debates
took place on the need to regulate situations involving violations of data
privacy. Allegation that data pertaining to students were being sold to private
institutions enraged many in the public.3 This was later followed with claims
that consumer details were being sold to irresponsible quarters resulting in
their being chased by property agents, salesman and telemarketers all eager to
make quick bucks from consumers.4 The enforcement of MyKAD, a multipurpose identification card, which was undertaken last year,5 further called into
question the security and privacy of an all-embedded card full of personal
information if it were to fall into the wrong hands. All these events informed
public consensus on the need to regulate the processing and use of personal
datasomething of which the government continuously assures the public.6
Another major uptake of all these events is whether industry standards are
being developed to ensure good working practices to alleviate consumer
concerns on data privacy.

Personal data protection law

127

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

Developing sound industry practices on data privacy

The core issue that confronts major industry in Malaysia is whether there is any
code of conduct binding the industry on data privacy. The establishment of
industry practices is important if Malaysia were to negotiate an agreement with
her European partners, laying down principles on the lines of the safe harbor
principles the European Union (EU) negotiated with the United States. To that
extent, one of the major codes of practice is that of the General Consumer Code of
Practice (or CCP) for the Communication and Multimedia Industry in Malaysia.
The CCP binds all licensed service providers and all non-licensed service
providers that are members of the Consumer Forum. The Code aims to regulate
the collection of consumer information. Paragraph 8.2 of the CCP defines
consumer as a person who receives, acquires, uses or subscribes to services
relating to communication and multimedia within the meaning of Communication and Multimedia Act 1998. To that extent, the Code restricts itself to personal
information collected from the consumer (i.e., the communication and multimedia
industry).7 The Code further outlines eight principles of data privacy applicable to
the industry. Data must be: fairly and lawfully collected; processed for limited
purposes; adequate, relevant and not excessive; accurate; not kept longer than
necessary; processed in accordance with the data subjects rights; secure; and not
transferred to any party without the prior consent of the consumer.
Concern about industry standards resulted in the Bank Negara, the main
regulator in Malaysia, adopting BASEL II Compliancea standard that is
compatible with the European Directive. The insurance and banking industries
(two main and related industries) followed suit by adopting BS 7799a security
standard that indirectly provides some form of relief against unauthorized use of
personal data. As much of the database developed by these two industries is
outsourced to local information and communication technology companies, these
companies, in turn, are forced to adopt the same standards. This includes the
adoption of Business Continuity Planning (BCP) for data parked in Internet data
centres. BCP provides a risk management procedure for security of data that
indirectly covers privacy. As these standards are EU-compliant, it is reasonable to
ask why the same rigorous standards should not also be imposed on other
industries.
Industry standards: Legal framework
The development of industry standards have to be understood from the
perspective of minimal legal regulation of data collection. In critical areas in
which the potential for consumer harm is greater, such as in banking, finance and
health services, legal provisions mandating confidentiality of data can be found.
The existing protection can be described as sectoral, with the existence of secrecy
and confidentiality provisions in various statutes, applicable to specific institutions, industries or applications. Among the statutes containing confidentiality
laws that may directly or indirectly impact consumers data privacy are the
following: the Communication and Multimedia Act 1998, the Telemedicine Act
1997, the Private Healthcare Facilities and Services Act 1998, the Banking and
Financial Instrument Act 1989, the Insurance Act 1996, the Offshore Banking Act
1990, the Offshore Insurance Act 1990, the Child Act 2001, the Employment
Information Act 1953 and the Payment Systems Act 2003.8

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

128

I. M. Azmi

Of all the Acts mentioned above, it is only the Communication and Multimedia
Act 1998 that contains a clear prohibition of unlawful intentional interception and
disclosure of communication in order to protect the confidentiality of information
as contained in Section 234(1). In the context of online data privacy, it can be said
that Section 234(1) is capable of covering interception of various forms of Internet
communication including e-mail, e-commerce transactions and chat room
interactions. The provision does not differentiate between interception of
communication or electronic data while in transit or in storage. Therefore, it can
be said that a wide protection is accorded to information or data (including
consumers personal data) whether in transit or storage. The provision not only
makes interception an offence, but also the disclosure and use of communications
obtained through unlawful interception. Accordingly, the use of robotic software
or spiders for the purpose of acquiring data or information, interference with
e-mail servers and other types of manipulation of computer software to intercept
Internet communication could be covered by this section. The placement of
cookies and web buds equally can be considered as unauthorized access under
Section 5 of the Computer Crimes Act 1997.
The other Acts contain provisions that require the confidentiality of certain data
provided by clients. For example, Section 72 of the Digital Signature Act provides
for the obligation of secrecy by prohibiting the disclosure of any record, book,
register, correspondence, information, document or other materials obtained
under the Act, by a person who has access to the same, to a third party, except for
the purposes of the Act. The duty to keep medical information confidential could
be treated as an implied term of the contract for medical service. A breach of this
obligation can be viewed as a breach of trust under the Malaysian Medical
Councils Code of Professional Conduct; so it could be construed that any image
or information communicated, or used during, or resulting from telemedicine
interaction, which can be identified as being that of or about the patient, is to be
kept confidential and not to be disseminated to any researcher or other person
without the consent of the patient.9 Furthermore, Section 115 of the Private
Healthcare Facilities and Services Act 1998 makes it an obligation for every person
employed, retained or appointed for the purpose of the administration or
enforcement of the said Act to preserve the secrecy of all information that comes to
his or her knowledge in the course of their duties.
With regard to financial institutions, Section 97(1) of the Banking and Financial
Institutions Act 1989 (BAFIA) states that banks and financial institutions shall not
give, produce, divulge, reveal, publish or otherwise disclose, to any person, any
record, book, register, correspondence or other document whatsoever, or material
relating to the affairs or, in particular, the account, of any particular customer of
the institution. The Code of Good Banking Practice further endorses the duty to
keep customer information confidential. The Guidelines on Consumer Protection
on Electronic Fund Transfers (BNM/GP 11) issued under BAFIA provides for
privacy in relation to information relating to electronic fund transfers (EFT) (i.e.,
that all information relating to an EFT, affairs or an account of its customer shall
not be disclosed).10 With offshore banking information, the same kind of
obligation is expected of the bankers. Section 22 of the Offshore Banking Act
1990 imposes strict requirements for maintaining the secrecy of the identity of the
customer and his or her related affairs or offshore account.
Likewise, Section 73(1) of the Payment System Act 2003 provides for the
protection of any payment system users informational privacy by prohibiting any

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

Personal data protection law

129

director or officer of any operator11 of a payment system or issuer,12 whether

during their tenure of office, or during their employment, or thereafter, from
giving, producing, divulging, revealing, publishing or otherwise disclosing to any
person, or making a record for any person of, any information or document
relating to the affairs or account of any participant of a payment system or user of
a payment instrument.
A similar position applies with regard to insurance information. Section 195
of the Insurance Act 1996 covers the confidentiality of customers information.
With regard to offshore insurance, such an obligation can be found in Section
25 of the Offshore Insurance Act 1990. A limited form of confidentiality of
childrens information is assured under the Childs Act 2001 in relation to trials
involving children. Section 15 of the Child Act, 2001A deals with restrictions on
media reporting and publication and is relevant in relation to the issue of the
protection of personal information, specifically of information relating to
children, in the circumstances provided for in the section. Employers also
record and maintain an enormous amount of employee information.
To preserve the secrecy and confidentiality of the information, Section 7(1) of
the Employment Information Act 1953 (EIA) requires any information collected
for the purpose of the EIA to be treated as confidential and restricted only to
official use.
From the foregoing discussion, it is clear that a specific statutory duty of
confidentiality has been imposed upon various critical industries such as the
banking and financial sector and the insurance and health sector. Notwithstanding the value of such provisions, their scope is very narrow and is sector-based.
They are therefore not the equivalent of the protection of the right to privacy as
promoted in comprehensive European laws on data protection. The provisions
found in Malaysian sectoral laws contain certain prohibitions on the disclosure
of information outside the framework in which the data is collected. The
standard of data protection adopted by these legal provisions can at best be
described as a minimalist approach. The approach to the protection of data
privacy as upheld in comprehensive laws on data protection such as those found
in certain European countries goes beyond that. They also equip the individual
with the power to control the use of his or her personal data, even to the extent
of allowing the individual to request the correction of their personal data if it has
not been properly maintained. The minimalist legal framework on data privacy
and the delay in passing a comprehensive law on the same would have to be
measured against the treatment of the broader right to privacy in Malaysia,
particularly from the constitutional perspective.
Is privacy a fundamental human right?
The Malaysian Constitution contains no specific provision concerning the right to
privacy. One related provision is Article 5, which upholds the individuals right to
liberty. Article 5 comes into play when the dispute borders on the right of an
accused person to be brought before a magistrate on the grounds of arrest stated
in the Article.13 To date there has not been any specific invocation of Article 5 for
the purpose of supporting the right to privacy. It thus remains to be seen whether
privacy could be classified as a fundamental liberty. Nor have the courts been
sympathetic to the right to privacy. In the first decided case on privacy, Ultra
Dimension Sdn. Bhd v. Kook We Kuan,14 Faiza Tamby Chik J categorically

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

130

I. M. Azmi

pronounced that the right to privacy is not recognized under Malaysian law.
In this case, a photograph of a group of kindergarten pupils had been published in
an advertisement in several local newspapers. In a claim that the supply of the
photograph to the newspaper amounted to a breach of privacy, the learned judge
had to explore whether invasion of privacy is a recognized tort of action under
Malaysian law. The judge referred to Kaye v. Robertson15 to uphold the view that
the right to privacy is not recognized under English common law and therefore
similarly not recognized in Malaysia.
In the absence of any legislative framework for the recognition of the broader
notion of privacy, or the narrower concept of personal data privacy, it would
appear that right to privacy has not received enough support in Malaysia. If
the reservation to the adoption of European standards of data protection is
based on the notion that such standards are not in the interest of or not
appropriate in Malaysia, the next question would be whether support can be
found in Islam. Being a Muslim-dominated country, the religious viewpoint
would carry a certain degree of influence upon the publican issue that will
be explored next.
Personal privacy and Islam
The genesis of privacy stems from the Maqasid al Shariah, from which personal
rights (haqq) are derived. According to the Maqasid, all individual rights are
God-given and by their nature not absolute. All bestowed rights have inbuilt
exceptions in order to arrive at a balance between the right of the individual and
the public interest. With regard to privacy, for example, several exceptions have
been extrapolated by Muslim scholarsfor example, witnesses are allowed to
give testimony for purposes of law enforcement and imposition of punishment,
even if this means intruding into anothers privacy. In the exercise of such rights,
the state is guided by two main functions: al amr, or the promotion of certain
positive conduct, and al nahy, or the prohibition of negative conduct. The
establishment of rules and institutions such as the institution of hisbah would be
as machinery to promote positive conduct. Essential to the prohibition of
negative conduct would be the creation of a list of offences such as outraging
modesty, spying, ghibah (revealing embarrassing details about others), disclosing matrimonial secrecy, defamation and trespass to property. Therefore, in
essence, the right of privacy comes in two normative frameworks: prohibition of
intrusion into others privacy, and instructions and guidance for keeping secrets.
Included in the first category is the prohibition against espionage, trespass and
eavesdropping. The second category includes keeping secrets of others in the
context of a marital relationship, personal sins and information imparted to
others in confidence.
Within this framework, personal privacy has been viewed by many Muslim
scholars as a fundamental human right.16 The emphasis on the recognition and
respect of personal privacy in the Quran, Sunnah and Islamic scholarship,
particularly with regards to territorial privacy, means that personal privacy is
sacrosanct in Islam. References to privacy have been elaborated upon at length by
the classical Muslim jurists who have debated them within the premise of akhlaq
and adab. Thus, the concept of privacy as known nowadays as the general right
to be left alone has already been considered from various facets by classical
Muslim scholars. There is, however, in Islam a major emphasis on territorial and

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

Personal data protection law

131

bodily privacy as direct injunctions from the Quran and Sunnah can be found on
these two areas of privacy.
As rightly observed by Hashim Kamali,17 evidence from the Quran and the
Sunnah tends to be thematic and addresses only certain aspects of the right of
privacy, such as the privacy of the home, the need to ask for permission prior to
entering a private dwelling, prohibition of espionage (al-tajassus) and what might
be seen as preliminaries to espionagenamely suspicion (al-zann) and exposing
the hidden weaknesses of others (satr al-awrat). This does not mean that privacy in
Islam is only restricted to those mentioned in the Quran and Sunnah. Hashim
Kamali is of the view that this right to privacy extends to other situations as well,
such as confidentiality of personal conversation and the right to privacy of a
deceased person. In fact, these examples may not be exhaustive. On this note,
Sarip Adul extended the category of information that could be regarded as
personal and confidential to also include personal information, marital
information, professional information, intellectual ideas and government information.18 As for intellectual ideas, this would include all the confidential information
recognized under the intellectual property regime.19
Territorial privacy
Territorial privacy is something that is highly emphasized in Islam, especially at
residential premises.20 It is a duty of guests not to enter someone elses home
without permission. Ayah 24:27 28 stresses that if permission is not given, or if
the owner of the house is not around, it is better for the guest to leave the house.
Ayah 49:5 further evinces that it would be better for a guest to wait until the
occupant of the house comes out and invites him or her in. It is also recommended
that the permission to enter premises only be requested three times, after which, if
not granted, it is advisable for the guest to return home.21 The sanctity of the home
environment entails that any form of unauthorized intrusion to solicit information
about the occupant would equally be reprimanded. The use of any form of devices
for surveillance of activities of another person within his or her private sphere
would definitely offend their right to absolute solitude in their private dwelling.
On this note, many scholars have drawn a distinction between private and public
premises, with the latter being open for others to walk in uninvited and without
prior permission.22
Freedom from surveillance
The right to be free from surveillance is another form of privacy. Classical Muslim
scholars discussed this right in the context of the right against espionage. Al
Ghazali, described espionage as the search for signs in order to know what is
otherwise not known and not permitted by the Shariah. Al Jundi elaborated
further by saying that espionage consists of search for information in order to
discover and expose about people what they consider to be private and
confidential, either by viewing or listening, while they are unaware, or searching
through their notes and documents without their permission. In their discussion
on espionage, there is a clear pre-occupation with the notion of intelligencegathering for the purpose of warfare. It may be equally compelling for Muslims to
stay away from surveillance for other, political, economic or even scientific,
reasons. Even more incriminating is the usage of devices for snooping and spying

132

I. M. Azmi

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

such as hidden cameras, bugging or tracking devices, wire tapping and other
devices of such nature.23
The explicit prohibition on espionage can be found in Ayah 49:12 whereby
certain types of espionage are described as sinful acts and equated to the eating of
the flesh of a deceased Muslim brother. Another manifestation of the prohibition is
the solicitation and collection of information about a person by unlawful means by
listening devices, tracing his or her whereabouts and activities or even opening
personal letters. As noted by Hashim Kamali, the essence of espionage according
to al Qurtubi is to search for what is hidden to you. The proscription of espionage
covers both the positive aspect, such as surveillance for evidence gathering for
criminal cases, and the negative aspect, such as the revealing of others private
secrets.
Privacy of communications
Private correspondence should likewise be free from prying eyes.24 The Prophet is
reported to have warned Muslims not to pry into private correspondence,
cautioning them of the dire consequence of the fire of hell. The duty to keep the
content of private correspondence confidential not only falls upon the agency
responsible for delivering the messages, but also upon the recipient. In the opinion
of Hashim Kamali, in the instance of any violation of such trust by a third party,
the person responsible can be held liable to a penal sanction or financial
compensation on the authority of the legal maxim harm may neither be inflicted
nor reciprocated.25
Bodily privacy
Even more offensive is the disclosure of the weaknesses of another fellow Muslim.
The general prohibition against the disclosure of the awrat of a Muslim is the
revelation of the weaknesses of others. The duty to keep personal information
confidential not only applies between friends, but also between others in a close
relationship that creates an environment of trust, such as that between husband
and wife. As put by Hashim Kamali, the prohibition against divulging matters
pertaining to a marital relationship is designed to protect the sanctity of marital
life against corrupt and indulgent expatiation that is demeaning and contrary to
murua and magnamity.26 The duty to keep personal information confidential does
not end with the death of a person; the dignity of a person remains sacrosanct and
is even more so with his or her demise.
Personal data privacy and Islam
The above brief elucidation of the concept of privacy in Islam seems to cover all
four aspects of the right to privacy, viz: informational privacy, bodily privacy,
privacy of communications and territorial privacy.27 In relation to personal
privacy, the concern for the dignity and honor of a Muslim seems to take priority
above others.28 It is no wonder that most of the discussion on privacy takes place
within the context of ethics and morality. What has not been explored in depth is
the position on online personal data privacy. In this respect, the closest analogy to
what has been extrapolated by Hashim Kamali is the right to expect the strictest
confidence in relation to personal correspondence and the right of a Muslim to

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

Personal data protection law

133

stop others from revealing embarrassing details about another fellow Muslim. In
this context, the online usage of personal data in commercial context hardly results
in blemishing the dignity and honor of a person. However, the manner in which
consumer data is mined on the Internet through a number of privacy intrusive
technologies (PITs) with or without the consumers knowledge and consent may
give rise to a number of concerns. The use of intrusive mechanisms to collate data
offends the general expectation to be free from surveillance, as has been
emphasized by Muslim scholars.
How entrenched is the right of personal data privacy in Islam? The types of
personal information that should be treated with respect in terms of privacy have
been classified by Sarip Adul in his work on the position of secret and confidential
information in Islam. Adul clarifies the fact that personal information privacy
could be classified into two aspects: the internal and external. The internal aspect
covers information that relates to the private life of a person including not only
their physical structure and photograph, but also any information that relates to
them in their private capacity.29 The external aspect, on the other hand, covers
information pertaining to a persons dwelling, private conversation and private
correspondence. Personal privacy, thus, covers both a persons private and public
life. In recognition of their freedom, a person is free to conduct their own affairs
without interference from outsiders as guaranteed in the Quran in Surah al
Taubah: 105, Surah Fussilat: 40 and Surah Saba: 11. All conduct of a person
deserves the highest respect in terms of privacy and secrecy. Any attempt to
collect information on their activities would amount to spying (tajassus)a
conduct forbidden in Islam.30 Sarip Aduls discussion on the types of personal
information requiring the duty of confidentiality is the closest to the notion of
personal data protection as understood in the European sense. This is especially so
with regard to the notion that a person has the full right to determine when, how
and in what manner his or her personal information can be collected and
processed by others.
Of competing interestsConsumer concerns, domestic trade and e-commerce:
Reconciling the irreconcilable
Recognition of and respect for the right to privacy is already entrenched in Islamic
scholarship. The assertion of this right in the Universal Islamic Declaration of
Human Rights31 is but an endorsement of this fact. Most Muslim scholars readily
accept the right to privacy as a basic human right; though the implementation of
this right differs from one Muslim country to another. The usage and, in some
instances, abuse of personal data occurs at various levels in Malaysia, not only in
the private sector, but also by the public sector. Data matching is routinely carried
out by governmental agencies and industries. From rampant mobile spamming
and phishing,32 to the use of smartcard technology in Mykad by the
government,33 one could not but conclude that that data processing cuts across
a wide range of activities from governmental to private sector use of data,
including educational institutions.
In a survey conducted in 2005 in Klang Valley,34 the majority of the respondents
reported that the types of personal information routinely solicited for online
transactions are names (79.8%), e-mail addresses (74.5%), home addresses (64.7%),
credit card numbers (68.7%), date of expiry of credit card (56.1%) and bank
account numbers (58.5%). The result is highly unsurprising as these are the

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

134

I. M. Azmi

common details required to enter into an online transaction. What cannot be

explained is the solicitation of other personal information that is not related to
the online transaction (depending on what type of goods purchased) such as
religion, race, marital status, gender and health. Some of this information is
regarded as sensitive personal data according to European standards.35
Thus, not surprisingly, in the opinion of many, having European standards on
the protection of personal data would result in the imposition of standards that are
too stringent. The sentiments expressed during the open consultation on the
Personal Data Protection Bill 2000 reflect the industrys uneasiness about having
rigid standards on the collection and processing of personal data.36 As far as the
public is concerned, there has been concern over the misuse of personal data.
However, it is the view of those in authority that the importance of respecting
the individuals right to privacy cannot justify a strong personal data regime.
This accounts for the delay in passing specific legislation on personal data
protection.
Is this entirely unacceptable? If B2B and B2C commerce flourishes in Malaysia
in spite of the absence of a strong data protection law, one may legitimately
question whether introducing a European-based standard is really necessary after
all. On the other hand, if Malaysia seriously aspires to become a hub for
e-commerce, such a stand is no longer acceptable. Recent public exposure and
debate on the open sale of personal data has made it clear that some serious
consideration must be given to the issue of regulating data flows. Otherwise,
consumer trust in e-commerce will wane and in the long run Malaysian business
will suffer.
Notes
1 For a deeper analysis of the proposed Bill, see Abu Bakar Munir & Siti Hajar Mohd Yasin (2002)
Privacy and Data Protection (Kuala Lumpur, Sweet & Maxwell Asia).
2 See Azmi, I. M. (2002) E-commerce and privacy issues: An analysis of the Personal Data Protection
Bill, International Review of Law Computers and Technology, 16(3), pp. 317 330; also appearing in
Computer and Telecommunications Law Review, 8(8) (2002), pp. 206 212.
3 Student list sold, The Star, 6 August 2005. See also: Ministry denies UPU link in sale of student list,
The Star, 11 August 2005.
4 Database firms selling name lists, The Star, 10 August 2005; Your info on sale, The Star, 9 August
2005.
5 The card, carrying photographic identification and fingerprint biometric technology, is designed
with several functions in mind: identification, drivers license, passport information (although a
passport is still required for travel), health information (blood type, allergies, chronic diseases, etc.)
and e-cash.
6 Cyber privacy law on the Net: Statement by the Energy Communications and Multimedia Minister
Datuk Amar Leo Moggie, The Sun, 18 November 2000; Data Protection Law to balance private,
public interests: Statement by the Energy Communications and Multimedia Minister Datuk Amar
Leo Moggie, The Star, 29 November 2001; New cyber law to strengthen protection of personal data,
Business Times, 14 May 2004; Statement by the Deputy Energy, Water and Communications Minister
Datuk Shaziman Anu Mansor. See also: Personal data transfer to be regulated from next year:
Statement by the Minister in the Prime Ministers Department Datuk Seri Dr Rais Yatim, New Straits
Times, 10 October 2003.
7 This is apparent from the definition of personal information in Paragraph 8.7: [I]nformation
collected by the Service Provider from the customer and that which identifies the customer.
8 This part would be based on a report prepared by Shatirah Abu Bakar, submitted for the IRPA
Research on E Commerce and Consumer in Malaysia.
9 Section 5(2)(d) of the Telemedicine Act 1997.
10 Under paragraph 33 of BNM/GP 11.

Downloaded by [Kungliga Tekniska Hogskola] at 23:54 13 August 2015

Personal data protection law

135

11 Section 2 of the Act defines an operator as any person acting alone or under an arrangement with
another person, responsible for the rules, procedures and operations of a payment system but
excludes such person as may be prescribed by the Central Bank.
12 Section 2 of the Act defines an issuer as any person , acting alone or under an arrangement with
another person, who undertakes to be responsible for the payment obligation in respect of a
payment instrument resulting from the user being issued with or using the payment instrument.
13 Bari, A. & Shuib, F. S. (2004) Constitution of Malaysia: Text and Commentary (Kuala Lumpur, Pearson
Prentice Hall), p. 15.
14 [2004] 5 CLJ 285.
15 [1991] FSR 62.
16 Kamali, H. (2007) The Right to Life, Security, Privacy and Ownership in Islam (Cambridge, Islamic Texts
Society); Mahmood, T. (ed.) (1993) Human Rights in Islamic Law (New Delhi, Institute of Objective
Studies).
17 All reference to Hashim Kamalis work is from his forthcoming publication, The Right to Life,
Security, Privacy and Ownership in Islam (see Note 16 above). For a shorter elucidation on the right of
privacy in Islam, see Kamali, M. H. (1999) The Dignity of Man: The Islamic Perspective (Kuala Lumpur,
Ilmiah/London, Islamic Foundation).
18 See Adul, S. (1998) Kitman al Sirr Wa Ifshauhu fil Fiqh al Islami (Amman, Dar al Nafais).
19 Adul, Kitman al Sirr Wa Ifshauhu fil Fiqh al Islami: see the discussion on pp. 70 79.
20 For a more detailed exposition of territorial privacy, see al Dama, M. R. (1985) Himayah al Hayah al
Khassah fi al Shariah al Islamiyyah (Cairo, Dar al Salam).
21 See also al Dama, Himayah al Hayah al Khassah fi al Shariah al Islamiyyah, p. 29.
22 Kamali, The Dignity of Man.
23 Kamali, The Dignity of Man.
24 See al Dama, Himayah al Hayah al Khassah fi al Shariah al Islamiyyah, p. 115.
25 Kamali, The Dignity of Man.
26 Kamali, The Dignity of Man.
27 See Munir & Hajar, Privacy and Data Protection, p. 2. Under the Charter of Fundamental Rights of the
European Union, four types of privacy right can be discerned: informational, territorial, personal
privacy and communications, and surveillance privacy (see [2000] O.J. C346/1).
28 Thus, the abhorrence in the practice of backbiting and insulting another Muslim brother (see
Mahmood, Human Rights in Islamic Law).
29 See Adul, Kitman al Sirr Wa Ifshauhu fil Fiqh al Islami.
30 See Surah al Baqarah: 189; al Nur: 27; Surah al Hujrat: 21.
31 19 September 1981. See Article XXII of the Declaration.
32 Phishing has been reported to be on the increase by a recent study of the National ICT Security and
Emergency Response Centre (NISER). In 2005, 80% of a total of 149 reports on fraudulent activities
were phishing activities, where e-mail users were duped into giving out personal information such
as passwords and credit card details, social security details and bank account numbers (see New
Straits Times, Tech & U section, 20 March 2006).
33 The new identity card utilizes a smartcard system that stores personal details of a person such as
driving license, immigration, health details and also functions as a credit card.
34 Research conducted under an IRPA Grant 2004 2005. The researchers are Associate Prof Dr Kamal
Halili, Dr Sariza, Safinaz Hussein, Zinatul Ashiqin and myself.
35 The types of information considered to be sensitive personal data in Europe are: racial or ethnic
origins; political opinions; membership of political association; religious beliefs or affiliations;
philosophical beliefs; membership of a professional or trade association; membership of a trade
union; sexual preference or practices; criminal record; and individual health information.
36 The archived proposed Bill already contained a wide range of exceptions. During the consultation,
many industries requested more industry-specific exemptions citing that duties under the existing
sector-based legislation are sufficient to reduce disclosure of confidential information (see my earlier
writing on this: Azmi, E-commerce and privacy issues).