Background
Malaysia’s data regulations and policies stretch back to the early days of the country’s digitalization journey. In 1996, the government unveiled the Multimedia Super Corridor (MSC) initiative. This, in turn, prompted the establishment of the Malaysia Digital Economy Corporation (MDEC) to support the MSC’s rollout, the passage of supporting legislation such as the Communications and Multimedia Act (CMA) 1998, and a commitment to cross-border data flows to facilitate domestic and international trade and investment.47
Since then, Putrajaya (the nation’s administrative capital) has rolled out numerous corollary programs to push forward the country’s digital transformation through the use of data and technology. These include the National Broadband Initiative (2010), Digital Malaysia (2011), National Policy on Science, Technology & Innovation (2013–2020), Big Data Analytics (2013), Open Data (2014), National Internet of Things Strategic Roadmap (2015–2025), National eCommerce Strategic Roadmap (2016–2020), Digital Free Trade Zone (2017), Industry4RWD: National Policy on Industry 4.0, and Malaysia Smart City Framework (2019–2025).
Malaysia’s approach to data has thus primarily been driven by economic and development impetuses. From the protection of individual user data to its treatment of Big Data, Putrajaya has anchored related policies and laws to advance the national digital economy. MyDIGITAL, the government’s latest initiative, is a reflection of this very objective. Through its action plan, the Malaysia Digital Economy Blueprint, data will form the basis upon which a refined people-private-public partnership will be conducted among the rakyat (people), business, and the government.
Importantly, both the government and stakeholders who were consulted on the Blueprint recognize that Malaysia’s data regime and digital transformation should be undergirded by a holistic regime of inclusivity (no one left behind from digitalization), ethics (the ethical use of data and digital tools), and trust (the assurance of privacy and cybersecurity in the growth of the digital economy). In that regard, the Blueprint is envisioned to complement both the 12th Malaysia Plan (2021–2025) and Shared Prosperity Vision 2030 (SPV 2030), as well as Malaysia’s commitment to the UN SDGs. All these documents outline the challenges of wealth and income disparities, technological adoption, and environmental preservation.48
These ideals are not new; rather, they are an extension of Malaysia’s earlier Vision 2020 introduced by the then prime minister Mahathir Mohamad in 1991.49 However, with the achievements of Vision 2020 having fallen short of the stated aims,50 there are risks that the country’s aspirations in a data-based environment could entrench and accentuate unresolved fault lines as much as they could help resolve them. Putrajaya is aware of at least some of these, yet there remain implementation gaps to be addressed, as discussed below.
Usage and Impact
Malaysia is betting big on data for two primary purposes: increasing economic prosperity and advancing public administration. This is evident in government policies such as the Blueprint, which charts a 10-year path till 2030 of three objectives, six overall thrusts, 22 strategies, 48 national initiatives, and 28 sectoral initiatives. It is also reflected in the many laws pertaining to commerce and trade, banking and finance, and entrepreneurship in the digital space. In the public sector, Putrajaya hosts a Public Sector Open Data Platform and is relying on its Big Data Analytics program to improve the delivery of government services.
Data for the digital economy
As with many countries in Southeast Asia, micro, small, and medium enterprises (MSMEs) form the backbone of Malaysia’s economy. Between 2016 and 2021, MSMEs accounted for 97.4 percent of all establishments in Malaysia, registering an average annual growth rate of 5.2 percent. Microenterprises formed the largest category of MSMEs during that time period, growing at an average rate of 5.6 percent every year.51 In 2021, this segment made up 78.6 percent (964,495 firms) of all MSMEs, with small businesses accounting for 19.8 percent (242,540 firms) and medium-sized enterprises comprising the balance of 1.6 percent (19,459 firms).52 In 2020, SMEs contributed 38.2 percent to GDP and employed 48 percent of the national workforce.53 Enabling these businesses to participate more efficiently in e-commerce and digital trade using data-based solutions is, therefore, a priority for the Malaysian government.
To date, studies suggest that MSMEs have not gone much further than computerization; that is, while they have utilized some computing software to facilitate their operations, they have not integrated digital tools to scale productivity. For example, in a survey of over 2,000 SMEs representing all sectors and regions in Malaysia, 44 percent responded that they used cloud computing but mainly to store personal documents, pictures, and videos in software such as Dropbox rather than to drive process improvements. While 54 percent used some form of data analytics, 67 percent of that figure were referring to spreadsheet applications such as Excel. The 46 percent that did not use any data analytics for their business did not feel that it was necessary, or they were unfamiliar with how to collect and analyze data.54
At the heart of data usage for the digital economy must be a trusted, enforceable framework of policies and regulations as well as a secure, resilient information network. Malaysia’s Personal Data Protection Act 2010 (PDPA)—another outgrowth of the MSC—is the country’s cross-sectoral law to protect personal data in commercial transactions. Under this law, personal data protection extends to information such as an individual’s name, identity card or passport number, bank account numbers, and contact information. It includes “sensitive personal data” relating to an individual’s race, religion, health, political opinion, or record of actual or alleged offenses, as well as personally identifiable information that may be gleaned from an “expression of opinion” about the particular person.
Although the PDPA applies to all who process data as part of a commercial transaction, the Act mandates the registration of 13 classes of data users (or types of businesses) and applies to the life cycle of personal data processing, including control, recording, alteration, transfer, storage, erasure, and destruction.55 Given the various industry practices relating to how personal data is processed in different sectors, the Personal Data Protection Standard was issued in 2015 by the Personal Data Protection Commissioner as a minimum requirement comprising three standards related to security, retention, and data integrity.56 The Commissioner is also empowered to direct the formation of data user forums and related codes of practice for particular sectors in accordance with the PDPA. In 2017, four codes of practice were finalized and registered with the Commissioner for the banking and financial, utilities (electricity), insurance, and communications sectors.57 In 2021, two more codes of practice were published for private hospitals in the healthcare industry and the utilities (water) sector.58
The PDPA aims to connect the individual user back to the wider ICT-enabled ecosystem by protecting personal data in the conduct of business. Through its seven principles of data protection, the PDPA is also intended to enhance public confidence in information security and network integrity.59 Yet, gaps in the ambit of consent, as well as it not being mandatory to notify the authorities when a data breach occurs, undermine the potential strength of this legislation, particularly in light of the significant data incidents discussed below.
- General: Personal data should be adequate, relevant, and not excessive. To be processed only with consent and for a lawful purpose.
- Notice and choice: Written information should be provided for why the data is being processed, collected, or disclosed.
- Disclosure: Disclosure must be made for the stated purpose and with consent or advanced notice.
- Security: Personal data must be protected from misuse, loss, unauthorized access and destruction.
- Retention: Personal data should not be kept longer than necessary.
- Integrity: Personal data should be accurate, current, and verifiable.
- Access: The right to access personal data should be provided.
Seven Principles in Malaysia’s Personal Data Protection Act 2010, https://www.pdp.gov.my/jpdpv2/akta-709/personal-data-protection-act-2010/.
Stakeholder consultations reveal that while there is greater cognizance of the PDPA among more mature sectors like banking/finance and private healthcare, many of Malaysia’s MSMEs lack attention to good privacy or data protection practices. Hardening cyber defences or putting in place good data protection standards are not always top priorities for MSME entrants looking to reduce expenditure and capture market share.
Moreover, for cost, ease, and speed reasons, MSMEs lean heavily on informal channels to conduct and grow their businesses. A significant majority (71 percent) of SMEs surveyed in 2018 were found to rely on social media platforms like Facebook, Instagram, and WhatsApp for communication and marketing purposes.60 A similar survey in 2019 found that number to be higher at 77 percent, with 78.3 percent preferring to use Facebook; 61.5 percent, WhatsApp; and 54.3 percent, Instagram for online business.61 Unfortunately, business owners or agents sometimes solicit potential customers or add telephone numbers to WhatsApp chat groups for mass advertising without prior notification or consent.
Of equal, if not greater, concern is the fact that the PDPA does not presently apply to the federal and state governments; personal, family, and household affairs; data processed outside of Malaysia; non-commercial transactions; or credit reporting agencies.62 These exemptions are a point of contention, as discussed below.
On the international front, Malaysia’s participation in the TPP, first, then its signing of the CPTPP in 2018, demonstrates a continuing embrace of free trade as well as the enabling regulatory regimes for that. Although Putrajaya’s ratification of the CPTPP is still pending executive evaluation of the agreement, the government has committed to strengthen cross-border data transfer mechanisms and facilitate seamless data flows, as outlined in the Blueprint. The document, in fact, goes further in targeting all new trade agreements entered into by Malaysia to incorporate cross-border data protection elements by 2025. To accomplish this, some amendments will have to be made to local laws, including to the PDPA. While the PDPA does not preclude the transfer of personal data abroad if certain conditions are met, the Personal Data Protection Department (PDPD) is concerned about the risk of a breach occurring during transfer. In a 2020 review exercise of the PDPA, the Commissioner sought public input on issuing guidelines to implement cross-border data transfers safely and securely.63
The government has also affirmed its support for regional efforts to facilitate cross-border data flows; in particular, the ASEAN Framework on Digital Data Governance, the ASEAN Data Protection and Privacy Forum, and the ASEAN Model Contractual Clauses.64
Data for public policy
The very first thrust of the Blueprint is to modernize the public sector through the use of data and digital technologies. This effort is not new, rather it is a restatement of numerous other past and existing plans to achieve the same goal. In fact, as far back as 1999, a Public Sector Data Dictionary Committee was created to develop a dictionary containing both generic and application-specific data for use across all of government. By establishing guidelines about the elements, structures, and codes of data that should be captured, the dictionary sought to create a standard to be adopted by all agencies.
In 2011, the Malaysian Administrative Modernization and Management Planning Unit (MAMPU) implemented the Public Sector Data Center project, creating data center services for centralized ICT operationalization throughout the government. In 2014, a Public Sector Open Data Portal was introduced as a one-stop service center for citizens to search and download open government data sets. There are more than 12,000 data sets, including on elections, international trade, crime, education, and the environment, contributed by nearly 400 government departments and agencies. The Ministry of Health also offers official COVID-19 data in Malaysia on an open platform online. Daily and static data on cases, testing, contact tracing, vaccinations, and deaths are all available for analysis.
Despite these continuing initiatives, digital adoption rates in the public sector have remained low because of a lack of an accompanying shift in bureaucratic outlook. As the Blueprint acknowledges, “There is an urgent need to change the culture of the civil service and encourage embracing a digital-first mindset.”65 Consultations with informants revealed a continued preference for analogue or paper-based practices as well as a talent shortage in data analytics in government as stumbling blocks to digitalized public administration, at present. The Blueprint represents a more streamlined attempt to shift gears on the utilization of data for public services delivery.
Case Study
MyLake: A Data Repository for Lakes
In 2012, the Malaysian National Water Council established a data repository called MyLake for lakes in Malaysia. A project by the National Hydraulic Research Institute of Malaysia (NAHRIM), the data repository serves to benefit government stakeholders and research communities in Malaysia by storing ecological, spatial, and meta data on lakes as well as their ecosystem. The database operates on a server which allows for the sharing of big data among federal, state, and local agencies. However, the current version of MyLake only allows for one party to upload or download data at any one point in time, and data sharing is done in silos (one-to-one data integration between two parties, instead of sharing with the community on a platform). This poses a problem for data sharing, as the agencies are vulnerable to integration issues when one party does not have access to the most updated database from another party.
Experts from NAHRIM proposed a big data integration approach to improve MyLake; specifically, for MyLake to act as “a central data exchange offering a unified data access interface” which would allow all agencies to access the same database at the same time, preventing data inconsistency. With more accurate, consistent, and up-to-date data, MyLake would be able to serve stakeholders better in their strategic planning regarding water resource management and serve as a model for other big data integration projects in the government.
A National Big Data Analytic Center (NBDAC) is also in the pipeline to ensure that administrative planning and decision-making processes are based on data analytics, in line with Putrajaya’s overall digital government initiative. The Blueprint makes clear that data usage should be maximized for improved, evidence-based policy analysis and development. By 2025, 50 percent of data must be machine-readable, with access to real-time and aggregated data through open Application Programming Interface (API) produced by the respective ministries and agencies.66
One of the targeted outcomes of the Blueprint is for Malaysia to improve its standing in open data global rankings. However, as some have cautioned, although rankings are a validation of progress and an incentive to improve efforts in certain areas, they can conversely have a detrimental effect on government policy and development given the different benchmarks, methodologies, and scoring employed in various lists.67 Any substantiation of headway made in Malaysia’s open data initiatives through global rankings would have to be closely scrutinized for its actual impact on the efficiency of public service.
By 2024, Malaysians and permanent residents will have a National Digital Identity (NDID) to supplement their current chip-based identity cards. Through biometric technology, the NDID will function as a form of digital identification and self-authentication for conducting online transactions. In a 2020 public consultation conducted by the Malaysian Communications and Multimedia Commission (MCMC) as the lead developing agency of the NDID framework, over 35,000 respondents, from individuals, government agencies, and private organizations, made clear that their top three areas of concern related to the implementation of the NDID were data privacy, security of transactions, and platform reliability. This was notwithstanding the fact that 97 percent of respondents thought the program would be beneficial (60 percent voted “very beneficial” and 37 percent chose “moderately beneficial”) and 94 percent were interested to use the NDID in transactions with both the public and private sectors.68 The NDID program will purportedly be equipped with privacy- and security-by-design features. However, as it stands, Malaysia’s data protection regime is insufficiently robust to enforce those assurances.
Challenges and Prospects
The converging opinion among stakeholders is that although Malaysia is a regional frontrunner in its data protection regime, the country’s laws and regulations need to evolve to reflect a more complex digital landscape.69 The gap between Malaysia’s governance capacity and the country’s aspirations could stymie its ambitions for a complete digital transformation by undermining trust in both the online and offline spaces.
This risk is underscored by several realities: significant data breaches without commensurate penalty or recourse, existing gaps in the PDPA, as well as the inclusion or exclusion of vulnerable communities in Malaysia’s data-driven and digitalization agenda.
Data breaches and lack of recourse
In 2014, a massive data breach of 46.2 million mobile numbers registered with several Malaysian telecommunications companies resulted in a leak of customer details and SIM card information, including unique International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers. The leak was only uncovered three years later when the data appeared for sale in a popular online forum. The information also included three medical databases totaling well over 80,000 records containing personal information.70
In 2019, a major media and entertainment company suffered a data breach of its subscribers’ identity card details containing personal and sensitive information. It was the second breach in 18 months, with the first compromising the records of 60,000 subscribers. Data from that breach was sold for RM4,500 (about USD1,000) for 10,000 records.71
In 2021, the data of four million Malaysians grouped by year of birth from 1979 to 1998 was stolen from the National Registration Department (NRD) through the Inland Revenue Board’s (IRB) website and listed for sale at 0.2 Bitcoin.72 Both the minister of home affairs, who oversees the NRD, and the IRB denied that data from their agencies had been compromised. However, the IRB, along with other government agencies, is a client of the myIDENTITY shared platform or API through which data from the NRD is shared.
In May 2022, a local tech portal flagged that the same perpetrators allegedly behind the NRD leak had announced the sale of the personal data of another 22.5 million Malaysians, this time those born between 1940 and 2004. This database, as large as 160GB and containing information such as full names, identity card numbers, addresses, and photographs, was offered at USD10,000 in Bitcoin. The sellers claimed to have obtained the data from the same myIDENTITY portal as before and posted the personal data of the minister of home affairs, Hamzah Zainudin, to make a point. Once again, the minister denied there had been a breach of the NRD’s database, and although the minister of defense acknowledged the concerns of many over the report, he insisted that the leak would not jeopardize national security.
The vulnerability of APIs was spotlighted again more recently when users of Malaysia’s COVID-19 contact-tracing application, MySejahtera, complained about receiving unsolicited and even prank messages, heightening suspicions of a system or data breach. The Ministry of Health assured the public that there had been no leaks in the MySejahtera database and that there had instead been an abuse of the API.73
Lawsuits may, of course, be filed in the event of such breaches. However, the damage brought about by a leak of personal information may have already been done and the outcomes of such legal action may not always be commensurate with the harm caused or grant sufficient redress to the victims. In the case of the 2014 telco breach, above, a suit was filed against the Malaysian Communications and Multimedia Commission and a private company. The case was settled, but the terms of the settlement were not disclosed, even though the incident was one of Malaysia’s biggest data leaks.74
Gaps in the PDPA 2010
All these cases involving both the private and public sectors, as well as the questions raised about the rollout of the NDID, accentuate the current shortcomings of the PDPA. Under the present iteration of the law, the PDPA excludes the federal and state governments—an anomaly that was perhaps justified originally, but is increasingly difficult to defend given the outsized and still growing role of government in collecting personal data for a range of reasons. The PDPA also applies to only commercial activities, so that any harm incurred from data shared for non-commercial transactions or with credit reporting agencies (which are exempted from the scope of the PDPA) could undermine the intended safeguards of the law. The pending implementation of the NDID bears out these concerns, as does the potential expansion of MySejahtera beyond COVID-19-specific use.
The purpose and reach of the NDID mean that it will be used by both the government and private sectors to verify and authenticate identities for online transactions. The PDPA would not extend to cases where the NDID would be used for non-commercial activities—for example, in furtherance of corporate social responsibility or the provision of financial support—even though these undertakings would still require the processing of individuals’ personal data. Additionally, the NDID’s linking of various databases containing personal information to be shared among public and private entities blurs the applicability of the PDPA and its protections. The absence of a mandatory breach notification in the PDPA also raises serious questions about the consequences of a compromise to these connected databases.75
Malaysia’s MySejahtera app, developed in response to COVID-19, has 38 million registered users and its database is one of the largest in the world. Given the previous indication by the minister of health, Khairy Jamaluddin, that the ministry could expand the use of the app to store personal medical records as proposed by the Malaysian Medical Association, the question of amending the PDPA to apply to the government has become even more pressing.
The PDPD is, itself, very much aware of these gaps. Prompted by the then minister of communications and multimedia, Gobind Singh Deo, the PDPD initiated a public consultation in 2020 to strengthen the enforcement and implementation of the PDPA in light of “growing cases of data breaches involving the multi-type of data users from different sectors.”76 There was also a recognition that the government needed to ensure the PDPA was in line with other personal data protection developments regionally, as well as in the European Union, to promote e-commerce and the digital economy. The PDPD’s consultation sheet tabled 22 points for consideration on issues ranging from data portability and data transfer to privacy-by-design, applying the PDPA to government, and imposing mandatory data breach notification. Workshops were also held with industry professionals, academics, and government stakeholders. While there has been no express movement since this stage of consultation, review of the PDPA is expected to be completed by the 2025 timeline outlined in the Blueprint.77
If a 2019 IPSOS survey on data privacy is any measure, Malaysians will welcome a stronger PDPA, even if those polled were more trusting of companies’ and the government’s use of personal data (48 percent) than the global average (36 percent). Two-thirds of Malaysians (66 percent) surveyed felt that measures to reassure consumers about sharing personal data were impactful, especially when the risks involved were clearly understood and when the products/services met the person’s needs.78
Inclusion
To its credit, the Blueprint dedicates a whole pillar (Thrust 5) to creating an “inclusive digital society.” One of the strategies outlined to achieve this is to establish a centralized database on vulnerable groups to measure digital inclusion or exclusion levels in the country and to bridge that digital divide. The Blueprint identifies vulnerable groups as the B40 (or Bottom 40 percent income group earners), women, and people with disabilities.
The idea is to provide these constituents with opportunities to become digital entrepreneurs in order to uplift their socioeconomic status and to earn a livelihood with dignity. The Blueprint’s target is to integrate 875,000 MSMEs into e-commerce by 2025. Women-owned MSMEs currently constitute only one-fifth of total MSMEs and of this figure, 97 percent are in the services sector.79
In 2017, the number of persons with disabilities registered at the Department of Social Welfare totaled under half a million people. Slightly over a third (35.2 percent) were physically disabled, while those listed as having learning disabilities and visual impairment constituted 34.8 percent and 8.9 percent of the total, respectively.80
Although the Blueprint does not go into detail about the kinds of training or counseling opportunities that will be offered to these vulnerable groups, the PDPD and the Personal Data Protection Commissioner already actively conduct road shows and state-by-state training about the provisions of the PDPA. Larger resources invested in awareness-raising among these and other vulnerable groups about their data rights will be key as increased protections are sought under the PDPA. Of importance will be explaining the essence of concepts such as “privacy” or “data subjects”, which generally have a presumed legal baseline, whether as defined in the EU’s GDPR or in the PDPA, but that may be unfamiliar in a rural, community-based setting in Malaysia. These terms, along with their import, also resonate very differently in English than in colloquial dialects.
The government’s efforts at inclusion, notwithstanding, there is almost never any mention of Malaysia’s indigenous population (orang asal or orang asli, meaning “original people”) in reports or policies on the country’s digital agenda. The Blueprint does not explicitly include them in the list of vulnerable groups.
In the national census, orang asal and orang asli are collectively grouped as Bumiputera (“sons of the soil”) along with the country’s dominant ethnic group, the Malays.81 Disaggregated, however, they represent 14 percent of Malaysia’s 32 million population—a not insignificant segment of society. Yet, unfortunately, as with many other indigenous communities elsewhere, they face considerable challenges in preserving and defending their ancestral lands and ways of life. In 2019, Google Earth worked together with Jaringan Orang Asal SeMalaysia (JOAS), an umbrella network of 21 community-based NGOs focused on indigenous peoples’ issues in the country, to release a nationwide mapping initiative of orang asal communities in peninsular and east Malaysia. JOAS met with these villagers and trained them to use Google’s tools for this mapping exercise, and to retell their stories in order to raise awareness about their plight.82
The digital economic goals of Malaysia’s Blueprint may not be the ideal or even preferred vision of progress for everyone. As such, the ethical and inclusive professions in the country’s policies should account for these different perspectives if the ultimate objective of data collection and usage is to uphold equity, human dignity, and empowerment, instead of entrenching marginalization.
But data is not the sole preserve of the state and there are civic initiatives like Sinar Project, which uses open technology and open data to help improve governance and policy analysis, as well as to encourage greater public participation in national affairs. Sinar Project provides a platform for collaborative open data on elected representatives and politicians, local government issues, and legislative tracking. Interestingly, one of its projects aimed at political and government transparency was built on open data standards originally deployed for a similar initiative in Kenya.83
Conclusion
Malaysia’s data governance regime is pump-primed to advance the economy and trade in an international digital ecosystem. While the country has enjoyed an early mover advantage through its legal and policy regimes, Putrajaya also recognizes that those frameworks have to be updated for the country to adapt to evolving, and in some cases differing, trends on data governance.
The Blueprint is a big step in this direction with its recognition of ethics, inclusion, and sustainability. The review of the PDPA, if pushed through, will also nudge Malaysia closer toward its goal of easing e-commerce and digital trade more securely. Effective implementation will hinge on enduring political commitment and sufficient resources dedicated to executing reforms.
However, in the longer-term, two questions loom for policymakers: whether Malaysia will simply be a compliant adherent to global standards on data governance—adopting and adapting laws where necessary; or whether it will play a more proactive role in reframing those parameters as principles and approaches are being contested on the international stage. The 2020 PDPA consultation paper references other jurisdictions for comparison and consideration of review. But in carving a more equitable economic future for the country through digital tools, Malaysia could reflect on whether a fresh paradigm might instead be warranted—one in which the perspectives of long-marginalized and vulnerable communities might be meaningfully represented (not just subsumed)—and what alternative proposals or standards might be called for to realize that vision.
Selected Legal Instruments Related to Data Protection in Indonesia
- Cybersecurity
Financial Services 2013 - Cybersecurity
Direct Sales and Anti-Pyramid Scheme Act 1993 - Cybersecurity
Official Secrets Act 1972 - Data Protection
Personal Protection Data Act (PDPA) 2010 - Data Protection
Public Consultation Paper No. 01/2020 – Review of the PDPA - Data Protection
Computer Crime Act 1997 - Data Protection
Digital Signature Act 1997 (DSA 1997) - Data Protection
Registration of Business Act 1956 - Data Protection
Companies Act 2016 (CA 2016) - Data Protection
Communications and Multimedia Act 1998 - E-Commerce/Trade
Electronic Commerce Act 2006 (ECA 2006) - E-Commerce/Trade
Consumer Protection Act 1999 - E-Commerce/Trade
Guidelines for Foreign Participation in Distributive Trade Services In Malaysia (Amendment) 2020 - E-Commerce/Trade
Consumer Protection (Electronic Trade Transactions) Regulations 2012 (CP Regulations 2012) - E-Commerce/Trade
Contracts Act 1950 - E-Commerce/Trade
Financial Services Act 2013 and Islamic Financial Services Act 2013 - E-Commerce/Trade
Electronic Government Activities Act 2007 - E-Commerce/Trade
Guidelines on Taxation of Electronic Commerce Transactions (E-commerce Taxation Guidelines) - E-Commerce/Trade
Sales Good Act 1957 - E-Commerce/Trade
Trade Descriptions Act 2011 - E-Commerce/Trade
Price Control and Anti-Profiteering Act 2011
Endnotes
47 The MSC drew inspiration from Silicon Valley and was set up as a special economic zone to catalyze development through IT for Malaysia. What was envisioned for the MSC was a “global ‘test-bed’” for new interactions between the public and private sectors, a networked ecosystem of ICT and IT-enabled industries that would “set global standards in flagship applications,” and facilitate a “world-leading” and “harmonized global framework of cyberlaws.” See, Mahathir bin Mohamad, “The Opening of Multimedia Asia on Multimedia Super Corridor,” transcript of speech delivered at Putra World Trade Centre, Kuala Lumpur, August 1, 1996; “Multimedia Super Corridor (MSC),” MIDA, August 26, 2021; Mohd. Salleh Masduki, “The Multimedia Super Corridor: A Model for Fostering Economic Growth and Development using IT,” World Trade Organization Information Technology Symposium, Geneva, July 16, 1999.
48 Malaysia Digital Economy Blueprint, (Putrajaya, Malaysia: Economic Planning Unit, 2020), 10.
49 Mahathir Mohamed, “The Way Forward – Vision,” Malaysian Business Council, 1991.
50 Cindy Yeap, “Vision 2020: Mission Unrealized,” The Edge Markets, January 12, 2021.
51 “Profile of MSMEs in 2016-2021,” SME Corporation Malaysia.
52 “Profile of MSMEs in 2016-2021,” SME Corporation Malaysia. For a definition of each category within MSMEs, please see: “SME Definitions,” SME Corporation Malaysia; “Guideline for SME Definition,” SME Corporation Malaysia.
53 “Small and Medium Enterprises (SMEs) Performance 2020,” Department of Statistics Malaysia Official Portal, July 28, 2021.
54 “Escaping the Consumerism Trap: Overcoming the Digitalisation Chasm of Malaysian SMEs,” Huawei, December 30, 2018.
55 The 13 classes of commercial data users are in the following sectors: communications, banking and finance, insurance, healthcare, tourism and hospitality, transportation, education, direct selling, professional services, real estate, utilities, pawn brokerage, and money lending.
56 “Personal Data Protection Standard 2015,” The Personal Data Protection Commissioner Malaysia, January 2015.
57 “Malaysia – Data Protection Overview,” DataGuidance, May 27, 2022.
58 Kherk Ying Chew, Sonia Ong and Chun Hau Ng, “Malaysia: Personal Data Protection Department issues new guidelines, circulars and codes of practice,” Global Compliance News, March 21, 2022.
59 “Personal Data Protection Law in Malaysia,” Ministry of Communications and Multimedia Malaysia, Act 709.
60 “Escaping the Consumerism Trap: Overcoming the Digitalisation Chasm of Malaysian SMEs,” Huawei, 20.
61 SME Corp. Malaysia, “Technology, Innovation, and Digitalisation,” in SME Insights 2019/20, 231.
62 “Personal Data Protection Law in Malaysia,” Ministry of Communications and Multimedia Malaysia; “Malaysia – Data Protection Overview,” DataGuidance.
63 “Personal Data Protection Law in Malaysia,” Ministry of Communications and Multimedia Malaysia.
64 “Malaysia komited bantu ASEAN selamatkan aliran data, keselamatan siber,” [Malaysia is committed to helping ASEAN secure data flow, cyber security], Sinar Harian, January 21, 2021.
65 Malaysia Digital Economy Blueprint, (Putrajaya, Malaysia: Economic Planning Unit, 2020), 44.
66 Ibid., 48-49.
67 See, e.g., Anneke Zuiderwijk, Ali Pirannejad, and Iryna Susha, “Comparing open data benchmarks: Which metrics and methodologies determine countries’ positions in the ranking lists?,” Telematics and Informatics 62, (September 2021): 101634.
68 Malaysian Communications and Multimedia Commission, National Digital Identity (ID) Framework for Malaysia: Public Consultation Report, (PricewaterhouseCoopers, August 2020) 15-17.
69 Stakeholder consultation; “Malaysia’s Digital Economy: A New Driver of Development,” World Bank Group, September 2018.
70 Vijandren, “46.2 Million Malaysian Mobile Phone Numbers Leaked from 2014 Data Breach,” Lowyat.net, October 30, 2017.
71 Arjuna Chandran Shankar, “Astro suffers data breach exposing customers’ MyKad data,” The Edge Markets, August 22, 2019.
72 Chief Chapree, “PDRM Begins to Investigate JPN Database Leak as LHDN Refutes Seller’s Claim,” Lowyat.net, September 28, 2021.
73 Aidila Razak (@aidilarazak), Twitter post, October 19, 2021, 11:56 PM.
74 Foong Cheng Leong, “Bread & Kaya: 2018 Malaysia Cyber-law and IT Cases – Fake news, private information & instant messaging,” DNA, April 19, 2019.
75 Adlin Abdul Majid and Lau Wai Kei, “Malaysia: National Digital Identity program and data protection considerations,” DataGuidance, October 2020.
76 Personal Data Protection Department, “Review of Personal Data Protection Act 2010,” Public Consultation Paper No. 01/2020, Act 709, February 14-28, 2020.
77 Malaysia Digital Economy Blueprint, (Putrajaya, Malaysia: Economic Planning Unit, 2020), 82.
78 IPSOS, “Global Citizens & Data Privacy: With Malaysian Perspective,” press release, February 14, 2019.
79 “MSME Finance Gap,” SME Finance Forum, accessed June 3, 2022; “Govt Spent RM2.3 Bil on Women Entrepreneurs in 2018,” SME Corporation Malaysia, January 30, 2019.
80 “Social Statistics Bulletin Malaysia 2018,” Department of Statistics Malaysia Official Portal, November 29, 2019.
81 “Launching of Report on the Key Findings Population and Housing Census of Malaysia 2020,” Department of Statistics Malaysia Official Portal, February 14, 2022.
82 Map showing location of Orang Asal, Google Earth.
83 “Anti-Corruption and Transparency,” Sinar Project, April 21, 2022.