DECEMBER 7 — The implementation of the National Digital ID (IDN), which will utilise biometric data such as fingerprints, facial recognition, or iris scans to verify one’s identity online and access various digital services, aims to provide security and convenience. However, it also raises concerns about the privacy and security of biometric data, as well as the ethical and social implications of its use.
Biometric data is personal data that pertains to the unique characteristics of individuals. It cannot be easily changed or revoked and can reveal sensitive information such as health, ethnicity, or religion. Therefore, it requires a high level of protection and regulation to prevent its misuse or abuse.
This raises security and privacy concerns, especially as the IDN will have access to the biometric data of every Malaysian citizen and permanent resident aged five years and above, linking it to their MyKad numbers.
Despite the assurance given that the IDN will also comply with relevant laws and regulations, such as the Personal Data Protection Act 2010 (PDPA) and the Income Tax Act 1967, the current PDPA may not be sufficient to address the specific challenges and risks posed by biometric data, as it does not explicitly define or regulate biometric data as a special category of personal data. The PDPA also does not provide adequate safeguards or remedies for users in case of data breaches, violations, or disputes. Moreover, the PDPA does not apply to the federal and state governments, which may have access to the IDN platform for various purposes, such as law enforcement, national security, or public interest.
Therefore, there is a need for a comprehensive and robust legal framework that specifically governs the collection, use, storage, and sharing of biometric data in Malaysia, ensuring the privacy and security of users’ biometric data. Such a framework should also include clear and transparent policies and procedures for the IDN platform, as well as effective mechanisms for oversight, accountability, and enforcement.
There is also a need for an enhancement of the existing PDPA and the empowerment of relevant authorities to deal with the issues and challenges arising from the use of biometric data. The PDPA should be amended to include biometric data as a special category of personal data and to provide stronger protection and rights for users. The PDPA should also be extended to cover the federal and state governments, as well as public agencies that may process biometric data. The PDPA should also provide clear and consistent guidelines and standards for the use of biometric data by different sectors and industries.
Furthermore, the PDPA should empower the Personal Data Protection Commissioner (PDPC) and other authorities, such as the police, the MCMC, and the Consumer Tribunal, to track and enforce against the misuse or abuse of biometric data, such as identity theft, cyberattacks, hacks, scams, financial fraud, or digital fraud. The PDPA should also provide adequate sanctions and penalties for offenders, as well as remedies and compensation for victims.
Besides the legal and technical aspects of biometric data, there are also transparency, social, and ethical issues that need to be addressed. The use of biometric data may have implications for the trust, confidence, and acceptance of users and the public towards the IDN platform and biometric technologies. The use of biometric data may also have implications for the inclusion, participation, and empowerment of users and the public in the digital economy and society.
Therefore, there is a need for a transparent and participatory process that involves users and the public in the design, development, and implementation of the IDN platform and biometric technologies.
In other countries, the use of biometric data has been subject to various legal challenges and disputes, especially where it infringes the privacy and security of personal data. For example, in the United States, several states have enacted biometric privacy laws that regulate the use of biometric data by private entities and provide a private right of action for any aggrieved person. One of the cases is the Facebook BIPA class action lawsuit, where Facebook was accused of violating the Illinois Biometric Information Privacy Act (BIPA) by collecting and storing the facial recognition data of its users without their consent. Facebook agreed to a US$650 million (RM3 billion) settlement in 2020, one of the largest consumer privacy settlements in US history.
Although the IDN is a promising initiative that aims to enhance the digital identity and services for Malaysians, it also poses significant challenges and risks for the privacy and security of biometric data. Therefore, there is a need for a comprehensive and robust legal framework, an enhancement and empowerment of the existing authorities, and a transparent and participatory process that addresses the issues and concerns of biometric data. Only then can the IDN achieve its full potential and benefits while respecting and protecting the rights and interests of users and the public.
We urge the government to hold dialogue and consultation with stakeholders and experts, such as civil society, academia, industry, and media, to address the social and ethical issues and challenges of biometric data, such as discrimination, bias, or consent.
We also hope that the government will take into account the views and suggestions of legal experts, stakeholders, and civil society, and that it will implement the IDN in a responsible and ethical manner.
* Commentary by MCA Youth Legal Bureau Deputy Chief and MCA Johor Youth Chief Heng Zhi Li.
** This is the personal opinion of the writer or publication and does not necessarily represent the views of Malay Mail.