The Constitution of Malaysia does not specifically recognize the right to privacy, but does provide for several related rights, including freedom of assembly, speech and movement.[1825] Historically, the government has circumscribed all of these rights by law or practice; increasingly so in the name of anti-terrorism.
The most controversial of these laws remains the Internal Security Act(ISA), which was originally enacted in the 1960's in response to Communist insurgency. The ISA allows police to enter and search without a warrant the homes of persons suspected of threatening national security; they may also seize evidence. The lack of independent judicial oversight is the most poignant criticism of the ISA; judicial reviews of arrests under the ISA are limited to questions of procedure: at no point are authorities required either to produce evidence or detailed charges. Police regularly use the ISA to search homes and offices, seize books and papers, monitor conversations, and take persons into custody. Persons arrested under the ISA can be held for up to two years without being charged. The government does not disclose the number of people so held, but civil rights groups still estimate it is in the hundreds. Most of these are allegedly connected to Islamic terrorist groups, but the use of the phraseology 'terrorist threat' or 'terrorist' has increased markedly since September 11, 2001, and is now used to describe a litany of individuals or actions that previously would not have been classified. Many alleged terrorists are coincidentally connected to political opposition parties.[1826] Minister Dr. Rais Yatim, of the Prime Minister's Department Datuk Seri, has argued that a broad legal definition of 'terrorism' is necessary in order to effectively combat terrorist threats and has noted that the United States has adopted a similar stance with the passage of the USA PATRIOT Act.[1827]
Prior to September 11, 2001, there had been much public pressure - both from inside and outside the country - to repeal the ISA in favor of a more constrained security law, but the government has taken no action to date and is now unlikely to do so anytime soon.[1828] Minister Yatim has stated that laws like the ISA[1829] are even more relevant post-September 11, and that "submission to idealistic rights was not realistic...in safeguarding domestic integrity and security." The Prime Minister responded to criticism of the ISA by stating that "if someone commits an act that violates the human rights of the majority, then he...will lose his basic rights."[1830]
Other laws with implications for privacy include the Communications and Multimedia Act (CMA), the Anti-Corruption Act, the Companies Act, the Computer Crimes Act (CCA), modeled after the United Kingdom's Computer Misuse Act of 1990, and the Penal Code.[1831] The Communications and Multimedia Act prohibits unlawful interception of communications, establishes rules for searches of computers, mandates access to encryption keys, and authorizes police to intercept communications without a warrant if a public prosecutor believes a communication is likely to contain information relevant to an investigation.[1832] In practice the provisions of the CMA restricting telecommunications interception appear to be regularly ignored or overridden by other statutes, including the ISA and the CCA.[1833] There are regular reports of illegal wiretapping, including of the former Deputy Premier, Anwar Ibrahim, in 1998. Later that same year, police detained four people under the ISA on suspicion of spreading rumors of disturbances in Kuala Lumpur. Inspector General of Police Tan Sri Abdul Rahim Noorsaid told the media then that the suspects were detained after police tracked their activities on the Internet with the assistance of Internet service provider Mimos Berhad.[1834] The provider later claimed that it did not monitor the activities of its subscribers.[1835]
A provision of the Anti-Corruption Act empowers the Attorney General to authorize the interception of mail and the wiretapping of telephones in corruption investigations. The Companies Actgrants the Registrar of Companies broad powers to block or disband organizations deemed prejudicial to national security or the national interest. This authority has been used to prevent international human rights organizations from establishing domestic operations. The Computer Crime Act allows police to inspect and seize without a warrant a suspect's computer equipment. Suspects are also required to turn over all encryption keys for any encrypted data on their equipment.[1836] In July 2001, the Chief Inspector of the technology crime investigation team (a unit under the Royal Malaysian Police) called for updates to the CCA, claiming that it was outdated and that even more sweeping powers are required.[1837] In the same vein, Prime Minister Datuk Seri Dr Mahathir Mohamad has stressed the need for greater security measures to tackle "the rising number of cybercrime incidents and the increased use of the Internet for misinformation."[1838] In January 2001, following a high profile hack into the Parliament's web site, it was reported that the government may extend the ISA to hackers of government web sites.
Section 509 of the Penal Code provides criminal penalties for insulting "the modesty of any person" or "intruding upon the privacy of [any] person" by uttering any word, sound or gesture, or exhibiting any object, intending that such word or sound shall be heard, or that such gesture or object shall be seen by such person.
Since September 11, 2001, the Malaysian government has made money laundering detection and enforcement a priority and has enlisted regional and international cooperation. The government recently concluded an agreement to exchange financial intelligence information with several countries, including Australia and the United States,[1839] and facilitate data and intelligence exchange with the Anti-Money Laundering Act to.[1840]
Under the Constitution, freedom of assembly may be limited in the interest of security and public order. The government regularly monitors public assemblies through the issuance of permits under the Police Act. While the decision to grant permits theoretically rests with district police chiefs, in practice senior police officials and political leaders influence grants and denials. In July 2001, the government ceased issuing permits for all political meetings throughout the country.[1841] This significantly impeded the ability of opposition parties, particularly the Islamic party, to communicate with their supporters and to fundraise. In October 2002, police prevented a public protest of the government's refusal to release six persons detained under the ISA, despite the Federal Court's ruling that the detentions were unlawful.
The Constitution provides that freedom of speech and of the press may be restricted by legislation "in the interest of security (or) public order."[1842] In practice, the law is frequently used to restrict or intimidate dissenting political speech. All newspapers and magazines must be licensed by the government and the Sedition Act prohibits public comment on issues defined as sensitive, such as racial and religious matters. In January 2003, an independent news web site, Malaysiakini.com, published an anonymous letter critical of the government and was subsequently raided by police. The police seized about twenty computers containing potentially sensitive information, including the addresses of letter writers who had requested confidentiality.[1843] It appears that the government's 1999 pledge to not regulate content on the Internet was a hollow one.
The government places some restrictions on academic freedom, particularly regarding the expression of unapproved political views, and the government enforced restrictions on teachers and students who expressed dissenting views. In March 2002, the government began to require that all civil servants sign a pledge of loyalty to the government, and in May it required that university faculty and students sign the same pledge. Opposition leaders and human rights activists claimed that this was intended to restrain political activity among civil servants, academics, and students.[1844] Earlier, in August 2001, the Malaysian Bar Council had ruled that body searches by school authorities to look for tattoos on students were a gross violation of privacy and should only be conducted if a student is suspected of having committed an offense. The searches had been mostly carried out on students in religious and residential schools who were believed to have been targeted by occult groups.[1845]
Malaysians generally have the right to travel, live, and work where they please, however the government restricts these rights in some circumstances. The eastern states of Sabah and Sarawak have the right to control immigration and to require citizens from peninsular Malaysia and foreigners to present passports or national identity cards for entry. The adoption of a national identity smart card makes tracking citizens easier.
Since 1999, Malaysia begun gradually phasing in a multi-purpose national ID smart card. The card, known as 'MyKad', incorporates both photo identification and fingerprint biometric technology and is designed with six main functions: identification, driver's license, passport information (although a passport is still required for travel), health information (blood type, allergies, chronic diseases, etc.), and an e-cash function.[1846] There are plans for adding additional applications for ATM access and digital signatures for e-commerce transactions.[1847]
The Malaysian government originally proposed placing the religious affiliation of all citizens on the cards, but complaints from the country's non-Muslim ethnic groups prompted the government to limit identification to Muslims only. In January 1999, it was announced that Islamic religious authorities in the capital, Kuala Lumpur, would be equipped with portable card readers in order to instantly verify the vows of Muslim couples found in "close proximity". In his 2002 budget speech, the Prime Minister proposed adding marital status and voting constituency information to the cards for the benefit of religious authorities and to minimize electoral fraud, respectively. Both proposals were sharply criticized by opposition Member of Parliament Teresa Kok as being an unnecessary invasion of privacy.[1848] The anonymity of balloting is already a matter of concern for privacy advocates, even without MyKad. Traditional ballots are marked with a serial number that can be matched against a voter's name. While there is no evidence that the government has ever tracked individual votes, some opposition leaders allege that the potential to do so has had a chilling effect on some voters, particularly civil servants.
With so much personal information stored on the MyKad, even proponents of the card have acknowledged inherent privacy risks: "[h]aving the smart card will probably increase theft...because the attraction is there. There is a lot of personal information stored [on the card], including buying patterns which would attract (card cloning) syndicates," according to industry analyst Jafizwaty Ishahak. Recently, the National Registration Department (NRD) admitted that the practice of surrendering identity cards to security guards before entering certain premises may need to be changed because of privacy concerns.[1849] The Consumers Association of Penang has argued that the cards make individuals' personal and confidential information too vulnerable and has recommended that the proposed Personal Data Protection Act address these risks specifically.[1850] The Federation of Malaysian Consumers Associations criticized the government for not implementing clear guidelines or consulting with the public on how MyKad is to be used, by whom and for what purpose. The Federation also challenged the security of the system, contending that the storage of personal information in a centralized database makes it vulnerable to tampering and sabotage.
Users can access personal information on their cards at government kiosks and offices, after biometric authentication of their fingerprint. Access to personal information by others is hierarchical or compartmentalized. For example, only certain medical officers have access to sensitive health information. However, access to some personal information held in the MyKad system seems to be available, remotely via a network, to a wide range of third parties, including hotels, restaurants and ticket agents. Determining who has access to what information and for what purpose remains opaque for individual Malaysians.
MyKad is currently optional, but it automatically replaces other forms of expired identification and is quickly becoming a de facto requirement to access certain government and private-sector services. In December 1998, the government began requiring cyber cafés to obtain name, address, and identity card information from patrons, however it lifted this requirement in March 1999.[1851] In some cases there may be penalties for not carrying the card. In 1998, the government announced that persons not carrying identification cards risk being detained by immigration authorities.[1852] It is the government's intention that all of Malaysia's population over the age of twelve will be registered in the MyKad system by 2005. Those under the age of twelve are encouraged to apply for a junior version of the MyKad, which differs only in its lack of a photograph and thumbprint biometric.
Prime Minister Dr Mahathir Mohamad has characterized data protection principles as a burden on business and an impediment to effective policing. However, e-commerce concerns and the desire to comply with the adequacy provisions of the European Union Data Protection Directive, have led the Malaysian Ministry of Energy, Communications and Multimedia (MECM) to begin drafting a new personal data protection bill.[1853] In a recent keynote address during the Jagat Cyber Law Seminar Series, held at Kuala Lumpur, the Minister of MECM urged public sector agencies take a proactive stand in embracing international data protection principles, saying that compliance would build consumer confidence and enhance the image and reputation of Malaysian public agencies and corporations. Additionally, the minister said businesses must be able to assure users that personal information collected on the Internet would be adequately protected and that individual privacy rights would not be infringed.
The Personal Data Protection Act was supposed to be enacted by March 2002,[1854] but has been delayed according to the government, by numerous requests for exemptions by business.[1855] The proposed law sets out nine data protection principles governing the collection, use, disclosure, accuracy, retention, access to and security of personal data. If enacted, it will establish a government-appointed data protection commissioner with the power to: monitor and enforce compliance; promote public awareness of the law; encourage trade bodies to prepare industry codes of practice; and cooperate with counterparts in foreign countries.[1856] Proposed penalties for violating the law will include punitive fines of up to MYR250,000 (~USD65,790) and imprisonment for up to four years. Civil damages for data subjects (including compensation for injury to feelings) are also contemplated.[1857]
Part III of the draft bill provides for the establishment of a tribunal to assist in the exercise of performance of the Commissioner's powers and functions in the public interest. While the detailed operation of the tribunal will be left to regulation, it is presumed it would function as an appellate body.
Although its ramifications and effects are far-reaching, legal observers have emphasized that the proposed bill does not attempt to prohibit the collection, holding, processing or use of personal data; nor does it deal with access to any information collected. In other words, the proposed law is not a law relating to privacy or freedom of information.[1858]
Malaysia announced plans in November 2001 to provide data protection and Internet law training for its judges, public prosecutors and police officers in anticipation of the enactment of the data protection bill.[1859] The Prime Minister's Department said training for the judiciary and law enforcement would "better equip them to deal with computer-related crimes."[1860]
Malaysia is a signatory to the Universal Declaration of Human Rights, but the legislation that created the National Human Rights Commission (Suhakam), also restricts the application of the Declaration to those "fundamental liberties provided for" in the Constitution and to those provisions consistent with the Constitution. In 1999 prior to Suhakam's creation, opposition leaders and non-governmental organizations, including the Bar Council, criticized the definition of human rights as too narrow.
However, following former Suhakam Chairman Musa Hitam's October 2001 statement that human rights would need to take a back seat in the fight against terrorism, the Commission has assumed a lower profile in carrying out its mission and has not often publicly challenged the government on sensitive subjects. The new Chairman of the Commission, former Attorney General Abu Talib, appears to favor a low-key, behind-the-scenes approach to promoting human rights.[1861]