In early April, the world watched as Mark Zuckerberg, Facebook’s chief executive, appeared before the US Congress in Washington DC to answer questions regarding, amongst others, the misuse of Facebook user data harvested by Cambridge Analytica (CA). Despite certain mistaken assumptions that added fuel to the Facebook/CA fire, the furor caused individuals, organizations and agencies worldwide to consider the legality of such practices in their home jurisdictions. In Malaysia, the matter gave rise to this question: Is such collection of data unlawful?
In Malaysia, there is no legislation conferring a right to individual privacy. However, under the Personal Data Protection Act 2010 (PDPA), personal data is protected if it is data that is processed in respect of a commercial transaction that relates to a data subject and allows the data user to identify the data subject. Therefore, not all data collected is protected.
The Facebook/CA case, however, presents certain challenges. For example, if Facebook users were not told that the data collected through the app developed by Cambridge Analytica would be passed on to third parties to develop strategies, that could not reasonable be gleaned from the purpose of the app, it is arguable that a breach of the PDPA could have occurred. That said, is also unclear is whether the sale of the data to CA by Aleksandr Kogan after it had been processed could still sufficiently cloak the data with commercial qualities to bring it within the PDPA.
For more information about Malaysian data privacy and protection law, please contact your Ally Law lawyer.