KUALA LUMPUR, April 3 — Following the Malaysian government’s plan for the continued usage of MySejahtera, personal data protection advocates and lawyers say there is nothing wrong with data collection.

However, it is how this data will eventually be used that requires closer scrutiny.

Despite guarantees accorded under existing data protection law, tech policy practitioner Maryam Lee pointed out that citizens have no way of knowing if the MySejahtera Privacy Policy is actually implemented.

“For example, this deletion policy for check-in data that are over 90 days… is there a way to check if our data has, in fact, been deleted as promised?”

Ideally, she said, if the government recognises citizens as owners of their data, the latter could just simply erase whatever data at the click of a button.

“We don’t have any assurance, technical or otherwise, to ensure our data is deleted.

“For now, we have to depend on them to do it for us and we just have to take their word for it because there is no way to check,” she said, adding that users will always be at the mercy of whoever is handling their data for as long as there is little to no control over them.

Maryam is also a member of the IO Foundation (TIOF) — an international nonprofit advocating data-centric digital rights. — Picture by Yusof Mat Isa

Maryam, who is also a member of the IO Foundation (TIOF) — an international nonprofit advocating data-centric digital rights — also highlighted the legal conundrum that has arisen from the federal government’s recent assurance that the data of its citizens was protected.

She cited MySejahtera’s Privacy Policy, which explicitly states that the collection of one’s personal data was aligned with the Personal Data Protection Act (Act 709).

However, Maryam said if one were to peruse the PDPA, Section 3(1) of the Act explicitly states both the federal government and state governments are exempted from the law’s application.

“How can the government cite the PDPA to ensure data protection when they are not mandated by law to do so? This is too big of a loophole to be a minor oversight. 

“So even if we want to sue the government for failing to protect our data, the PDPA absolves them of any liability.

“Data collection is not the problem. We understand that the government needs data to make good decisions. It’s how the data will be used that deserves scrutiny,” she said.

Senior lawyers Bahari Yeow Tien Hong and Lim Zhi Jian of Gan Partnership explained that the conundrum Maryam brought up was not considered inconsistent since the government’s assurance may be based on the proposed procurement of the MySejahtera app.

“PDPA applies to any person who processes; and has control over or authorises the processing of any personal data in respect of commercial transactions. 

“In this context, what the government is saying is that anyone processing our personal data (apart from the government themselves) must strictly comply with the Personal Data Protection Principles,” they said.

The lawyers, who are both experts in cyber security and intellectual property, pointed out that one of the underlying principles under the PDPA is that the processing of personal data requires the consent of the data subjects.

They noted that consent may either be expressed, implied or through conduct.

A user scans a QR code via the MySejahtera app at a restaurant in Shah Alam March 31, 2022. — Picture by Miera Zulyana

In MySejahtera’s case, for example, the mere usage of the app may amount to us granting consent to the data user to process our personal data in accordance with the purpose as set out in the app.

At the same time, the purpose of collection and processing sensitive personal data through the app is clearly outlined and specific.

“In summary, the assurance given by the government in respect of the proposed procurement exercise on the sale of MySejahtera to a private company is that PDPA is sufficiently comprehensive to govern what the private company can and cannot do,” they said.

In other words, data subjects have sufficient remedy under the provisions of the PDPA in the event that the processing of sensitive data goes beyond the scope of the intended purpose and beyond what is necessary.

When asked about the exemptions provided under Section 3(1) which absolved the government of any liabilities for alleged failure to protect one’s data, both lawyers said that the PDPA’s provision does not apply to the state in respect of the app at the present time.

However, the lawyers said it is still within the rights of every person to initiate any action against others in law in the event of any abuse or wrongful conduct should the procurement exercise on the sale of MySejahtera materialise.

Who they are: Entomo Malaysia Sdn Bhd, Revolusi Asia Sdn Bhd and MYSJ Sdn Bhd

So who are the three main companies whose names have recently surfaced following news about the ownership of the national Covid-19 tracking app?

According to the Companies Commission of Malaysia (SSM), Entomo Malaysia Sdn Bhd was incorporated in June 2005 as KPISoft Malaysia Sdn Bhd and kept that name until its name change in May 2020.

Its corporate information denotes its nature of business as one that provides data analysis for Key Performance Index (KPI) of their clients including the issuance of user licences for strategy and KPI manager modules.

As of March 3, there are only two directors — Yogaraj Thuraisingam and Rekha Mani — listed in Entomo Malaysia, with a Dr Adissyam Xavier Suseimanikam listed as the company secretary.

Entomo Pte Ltd from Singapore is the sole shareholder of the company according to SSM filings.

For Revolusi Asia, data obtained from SSM shows that the company was incorporated on September 17, 2020.

Its corporate information denotes its nature of business as providing management consultancy and information technology services.

As of December 12, 2021, there are only three directors — Naveen Pralhad Deshpande, Raveenderen Ramamoothie and Tan Sri Shahril Shamsuddin — listed in Revolusi Asia, with the previously mentioned Dr Adissyam listed as company secretary.

Raveenderen holds the majority of shares at 26.6 million in Revolusi Asia followed by Anuar Rozhan and Naveen as the remaining shareholders who both own 4.2 million shares.

As for MYSJ Sdn Bhd, SSM data shows that the company was incorporated on September 23, 2020, several days after Revolusi Asia.

As of December 12, 2021, there are four directors — Anuar, Shahril, Tan Sri Liew Kee Sin and Tan Sri Megat Najmuddin Megat Khas — with the same Dr Adissyam as company secretary.

Two other names — Raveenderen and Datuk Heah Kok Boon — are appointed alternate directors as well.

At present, four shareholders are listed — Revolusi Asia, Hasrat Budi Sdn Bhd, P2 Asset Management Sdn Bhd, and an individual named Ganesan Shanmugam — in descending order of share ownership.

Based on Entomo’s international website, both Raveenderen and Naveen are founder and co-founder of the company’s regional headquarters based in Singapore, in which they are also listed as group chief executive and group chief operating officer respectively.

Shahril was previously oil-and-gas service provider Sapura Energy Bhd's group chief executive before his mandatory retirement on March 22, 2021.

Liew and Heah are property developer Eco World Development Group Berhad executive chairman and designated chief financial officer respectively, while Megat Najmuddin is currently a Sime Darby Plantation Bhd non-executive chairman. 

All three companies share the same registered address in Udarama Complex and the same registered business address in Q Central, both located within Kuala Lumpur.

Based on court documents, Revolusi entered into an agreement with Entomo Malaysia in September 2020, whereby the former would hold all the shares in MYSJ as Entomo Malaysia’s nominee.

Around October 2020, a deal between Entomo Malaysia and MYSJ was struck, with the latter agreeing to pay the former RM338.6 million for MySejahtera's Intellectual Property (IP) and its software licence.

The RM338.6 million payment was described as the aggregate fees for the transfer of IP of the app and the licensing fees for the software.

According to Bahari, IP is briefly defined as a personal or moveable property, and may be transferable by assignment, testamentary disposition, or by operation of law, as moveable property.

In the licensing agreement, like any other licensing agreement, parties are entitled to agree on the scope, obligations, duties, rights and liabilities etc of each party.

Such terms do not affect the ownership of IP, the lawyer said.

The licence agreement

According to affidavits filed in court, the licence agreement states that KPISoft (now known as Entomo Malaysia) is the developer and owner of the proprietary software used to develop the MySejahtera app for the Malaysian government.

Under the licence agreement, MYSJ is granted a non-exclusive, non-transferable, non-sublicensable right and perpetual licence to use the KPISoft software to exclusively develop, own the application trademark for MySejahtera, and test and support the MySejahtera app.

The agreement was to last until December 31, 2025 — five years and three months from the signing date of the October 2020 deal.

It is also explicitly stated that MYSJ would only acquire a licence to the KPISoft software specifically for MySejahtera and does not acquire any other rights or ownership interests; whereby all rights, title, and interest to the KPISoft software, its trademarks, services unless expressly provided in the agreement will be retained by Entomo Malaysia.

Should we be alarmed?

In light of the current circumstances, Maryam said there is no other way than to stop using the MySejahtera app for check-ins if users wish not to disclose their personal data.

Ultimately, she said if the government fails to demonstrate they are trustworthy or provide avenues to hold them accountable, users would very likely move away from full compliance.

“Not only is there little trust in the government handling of our data, there is little purpose now for check-ins when we go into an endemic phase. 

“MySejahtera still has other uses such as vaccination certificates etc., but for check-ins specifically, I wouldn’t blame the citizens for not checking in anymore.

“Systems exist so that we can enjoy as much certainty and control as possible. When systems are broken by design, it doesn’t really inspire much confidence. 

“How would this breach of trust affect the government? We don’t know yet. We just know that they have a duty to protect us, and trust erodes every time they don’t fulfil that duty,” she said.

In the present day, Health Minister Khairy Jamaluddin had sought to allay public fears, explaining that the MySejahtera app used for Covid-19 contact tracing has never been sold to any private company.

Khairy had also reiterated that MySejahtera as a Covid-19 contact tracing mobile app and its data still belong to the government, despite a previous deal on its intellectual property and software licence.

Bahari stressed the need for citizens to safeguard their personal data as the use of the MySejahtera app was inevitable on grounds of national health policy consideration and greater public interest.

“Based on the current circumstances, should we as users be alarmed? In my view, no.

“Of course there are many areas where improvements can be made, and the list will go on and on. If we ask ourselves whether we are free from privacy breaches in our society, I am sure many will say no.

“MySejahtera app, whether we like it or not and whoever owns it, is part and parcel of the steps in our fight against the pandemic,” Bahari said.

Citing the case of Toh See Wei v Teddric Jon Mohr & Anor (2017) 11 MLJ 67, Bahari said the High Court had opined that the right to privacy is a multidimensional concept which referred to the specific right of an individual to control the collection, use and disclosure of personal information that is recognised both in the eye of law and in common parlance.

The court had further written that while Malaysians would express concern about their privacy if a comprehensive poll was to be taken, the younger generations were seen as increasingly willing to disclose private feelings, information and photographs daily through various media.

Bahari noted the court’s view that innovative technologies make personal data easily accessible and communicable and that there was an inherent conflict between the right to privacy and data protection.

“In my view, the outbreak of the pandemic has changed many of our lives, including lifestyle and thinking. When it comes to combating the coronavirus, the responsibilities lie on the shoulders of each and every citizen. 

“One particular caveat which we need to reserve is that whoever the operator is, it must act within the realm of the law and they must fulfil their obligations as entrusted to them,” he said, adding that those who flout the law must face the consequences of their actions.