Data protection must improve for Malaysia’s e-commerce


E-commerce and e-hailing companies in Malaysia must do more to strengthen data protection standards, the country’s Bar Council has said.

The need to bolster data privacy is, in part, due to inadequate enforcement of the nation’s Personal Data Protection Act (PDPA), according to Malaysia’s Information Technology and Cyber Laws Committee deputy chair, Foong Cheng Leong.

“There were cases of companies being fined, but high-profile cases such as the data breach involving telecommunications companies two years ago have yet to be resolved,” Foong Cheng Leong said.

While praising measures brought in to protect driver safety within e-hailing companies, such as the requirement to provide selfie verification, Leong conceded that users of the service left themselves open to abuses of data privacy.

In order to use Grab Taxi services, Malaysia’s citizens must send a one-time selfie verification by July 12th as part of a bid to increase passenger and driver safety. Users of the service have raised concerns over the increased potential for a data breach, or the abuse of personal data through a third party.

Deepak Pillai, of the Bar Council Personal Data Protection Committee, underlined how data privacy must be at the top of users’ minds each time personal data is submitted online.

“They should be clear about the organisation they are providing their personal data to, what the personal data can be used for and to whom it can potentially become disclosed,” he said.

“In my own view, it is clear that the PDPA applies to all e-hailing service providers and the onus is on them to comply with the minimum security requirements set out in the Act and more.

“If there is a breach, they would be subject to complaints, investigations and penalties provided for under the Act,” he added.

In response to the news, cyber security specialist Fong Choong Fook highlighted how successful prosecutions for poor data management are in short supply in Malaysia.

“A good example was the telco data leak, where over 40 million phone records were exposed and traded under the dark web with no prosecution against the party at fault. That is why the general public is still sceptical about the execution of PDPA,” he said.
