12 hours ago
Metadata directive sparks concern on public consent
PETALING JAYA : The Malaysian Bar has voiced concern over the legal framework and safeguards surrounding the mobile phone data programme, warning that the directive issued to network operators to hand over metadata to the government may raise questions about consent, accountability and oversight.
In a statement yesterday, Malaysian Bar president Mohamad Ezri Abdul Wahab said the Bar acknowledged the federal government's efforts to improve transparency in the programme and noted the ongoing legislative reforms aimed at strengthening data protection.
However, he stressed that the measures are insufficient to address the growing public unease over the scope and nature of data being collected by the Malaysian Communications and Multimedia Commission (MCMC) and Statistics Department.
'The concerns are whether such collection, in the absence of opt-out options or prior public consultation, is consistent with democratic and constitutional principles.'
The programme, approved by the Cabinet in April 2023 as part of Projek Data Raya Nasional, directs mobile network operators to disclose phone data, including mobile call records from the first quarter of 2025.
The Bar said the directive, issued in April this year, may have also included a warning that non-compliance could result in penalties under the Communications and Multimedia Act (CMA), including a fine of up to RM20,000 or imprisonment.
Meanwhile, the MCMC has insisted that data collected is anonymised and aggregated, but the Bar argues that it falls outside the scope of the Personal Data Protection Act.
'Anonymisation is not infallible. In the absence of a clear opt-out mechanism, and with the possibility of auxiliary data being available,
re-identification risks cannot be dismissed.'
The Bar acknowledged MCMC's explanation that data collection is legal under Section 73 of the CMA, and supported by sections of the Data Sharing Act 2025. However, the Bar argued that legality does not automatically equate to legitimacy in the eyes of the public.
The concerns are compounded by recent history. The Bar cited
high-profile cases in the last three years that had shaken public confidence in the government's ability to protect personal data
'In 2022, it was alleged that personal data from the National Registration Department, which belongs to 22.5 million Malaysians, were extracted and sold online.
'In 2024, another leak reportedly involved 17 million MyKad records being circulated on the dark web, and more recently, cyberattacks targeting Socso and Prasarana Malaysia Berhad allegedly exposed sensitive internal information.
'The pattern of repeated leaks, perceived opaque investigations and the absence of visible enforcement has entrenched public distrust. The programme, launched without prior public consultation, only deepens those fears.'
The Bar stated recommendations to address such trust deficit, one of them being to seek full disclosure and transparency of data-sharing to the public.
'MCMC and the network operators should publicly disclose the specific standards, methodologies and safeguards applied to ensure effective anonymisation and aggregation of mobile phone data.'
