PETALING JAYA: Weak enforcement of the Personal Data Protection Act (PDPA) has made it vital for e-commerce firms and e-hailing providers to protect such information, according to the Bar Council.
Its Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong said there had not been much news on the enforcement of the Act.
“There were cases of companies being fined, but high-profile cases such as the data breach involving telecommunications companies two years ago have yet to be resolved,” he said.
Welcoming the requirement of selfie verification on e-hailing passengers as an effective mechanism to protect the drivers, he said those concerned with data privacy breaches could not do much if they wanted to use the service.
“The onus will be on ride-sharing companies to protect their users’ personal data,” he said in an interview.
Foong’s comments were in light of the concerns over data privacy following a law introduced by the Transport Ministry in July last year, requiring passengers to submit their identity credentials upon registration with any e-hailing platform.
The Star reported on Sunday that e-hailing giant Grab has made it mandatory for passengers to submit a one-time selfie verification by July 12 in an effort to make its platform safer for both drivers and passengers.
However, the selfie verification is not an alternative to the ministry’s e-hailing regulations.
Passengers have expressed concern over possible breach and abuse of their personal data by a third party, although other e-hailing companies have been using selfies and photos of MyKad for verification before the regulation was announced.
Bar Council Personal Data Protection Committee chairman Deepak Pillai said one should always be concerned when submitting personal data online.
“They should be clear as to the organisation they are providing their personal data to, what the personal data can be used for and to whom it can be disclosed,” he said.
Pillai said such information should be provided upfront by the provider of the e-hailing services and definitely within their Privacy Notice, which is a mandatory requirement of the PDPA.
“In my own view, it is clear that the PDPA applies to all e-hailing service providers and the onus is on them to comply with the minimum security requirements set out in the Act and more.
“If there is a breach, they would be subject to complaints, investigations and penalties provided for under the Act,” he said.
Cybersecurity expert Fong Choong Fook said there were not many successful prosecutions on data management negligence in Malaysia.
“A good example was the telco data leak, where over 40 million phone records were exposed and traded on the dark web with no prosecution against the party at fault. That is why the general public is still sceptical about the execution of PDPA,” he said.