PETALING JAYA: A recent directive by the Malaysian Communications and Multimedia Commission (MCMC) for telecommunications companies to share phone data has raised concerns over digital privacy, legal safeguards and potential misuse.
While MCMC insists that the data is fully anonymised and used solely for national statistics, experts argue that the move raises serious legal and ethical questions.
Technology, media, telecoms and data protection legal adviser Deepak Pillai said the key issues lie in how the data is anonymised and who handles that process.
“If the data is permanently anonymised before it is sent to MCMC, then it would not be considered personal data under the Personal Data Protection Act (PDPA) 2010.
“MCMC has stated that mobile operators may either anonymise the data themselves or provide raw data for MCMC to anonymise. The specifics of this process are important.”
He warned of the risk of re-identifying anonymised data.
“It is unclear whether MCMC has access to information that could be used to re-identify individuals.
“If the data can be used, alone or with other datasets, to identify someone, it falls under the PDPA and must be treated accordingly.”
He highlighted a major legal loophole, namely that the PDPA does not apply to federal or state government bodies.
“Phone data is generally treated as personal data under the PDPA. But government agencies are not legally bound by the same data protection rules because the PDPA does not apply to them,” he said.
He also noted that statutory bodies are not exempt from data protection obligations, especially when handling personal data in a commercial context.
He pointed to shortcomings in the Data Sharing Act 2025, which focuses on sharing public sector data but lacks clear standards for collecting, storing or disposing of it.
He recommended extending legal protections to cover public sector data handling and establishing an independent data protection authority to oversee government and private-sector practices.
International Islamic University Malaysia Ahmad Ibrahim Kulliyyah of Laws senior lecturer Assoc Prof Dr Mahyuddin Daud echoed similar concerns.
He said Malaysia lacks a clear legal definition of mass surveillance and proper oversight of how anonymised data is collected and used, even when it falls outside current privacy laws.
“While anonymised data may seem harmless, advances in data analytics make it increasingly possible to re-identify individuals.
“Modern analytics and the combination of datasets could heighten this risk. Laws and safeguards need to keep up.”
He emphasised that there is a need for transparency in how such programmes are introduced and managed.
“People lose trust when policies are unclear and top-down. We need public engagement, clear explanations and independent checks on how data is anonymised.
“Even if data is used for policymaking, it must respect fundamental rights. Privacy is a constitutional right and should not be sacrificed for development.”
He called for such initiatives to undergo parliamentary scrutiny and public consultation.
“Parliamentary oversight ensures that large-scale data collection, especially when it affects rights such as privacy or freedom of movement, is debated transparently.
“It also allows elected representatives to assess whether such measures are truly necessary and balanced.
“Public consultation allows experts to review and strengthen technical aspects, such as how data is anonymised or stored. This helps prevent missteps and builds public trust.”
In response to public concern, MCMC clarified on Saturday that no personal data was accessed or shared, adding that phone data is fully anonymised and used solely to generate national statistics for policymaking.
Its deputy managing director Datuk Zurkarnain Mohd Yasin on Monday said the data received is not considered personal as it cannot be used to identify or trace individuals.