PETALING JAYA: The proposed anti-bullying portal must put children’s privacy and safety at the forefront, or risk exposing them to further harm, a cyber law expert cautioned.
International Islamic University Malaysia scholar Dr Sonny Zulhuda said children could not be expected to protect themselves online, especially from intangible harms such as privacy breaches.
“Children by nature cannot be expected to take care of themselves, especially against harms that are not physical or tangible in nature. Privacy threats are typically intangible.
“Letting children handle the privacy and security of their own data is always tricky.”
Sonny stressed that the responsibility must lie with parents, the government and industry players.
“There is no choice – all must be children-oriented when providing online portals or other digital solutions.
“The systems must be privacy-strict and children-oriented by default,” he said.
While the portal could give victims a new channel to speak up, its usability would ultimately determine its success, particularly for younger children and those in rural areas.
“Any system intended for children must be built with privacy and security protections by design.
“There must be features, whether through text or pictures, that can clearly communicate why the system is beneficial.
“It should also encourage parental or adult supervision.
“Above all, the portal must be simple, friendly and easy for children to use.”
On the legal front, Sonny noted several hurdles.
He said although the Child Act 2001, the new Online Safety Act 2025 and the Personal Data Protection Act (PDPA) 2010 provide useful frameworks, applying them to a government-run portal was not straightforward.
“The PDPA does not apply to the government, which creates a unique challenge. Still, its principles remain useful – consent must be freely given, specific, informed and unambiguous.
“The question is: Can minors provide such consent when they may not fully understand the consequences?”
He pointed out that using the portal would require children to allow their personal data to be processed, raising doubts about whether their consent could be valid.
This, he said, must be clarified in the portal’s terms of use.
Sonny also drew an important distinction.
“If the portal is operated directly by the government, for example, by a ministry or its departments, then the PDPA does not apply.
But if it is run by another entity, such as a company, statutory body or organisation, then the PDPA would most likely apply.
“In that case, clear privacy notices, comprehensive data protection terms and safeguards like consent, data minimisation and data security are required.”
To mitigate risks, Sonny proposed safeguards, including mandatory adult accompaniment, privacy-by-design principles and regular risk assessments.
He also cautioned against misuse through false or malicious complaints.
“This will have to go through several layers of evaluation, from the data given, the consistency of the narration as well as other supporting information.
“Children’s information would most likely need to be corroborated with additional evidence.” – By HARITH KAMAL
