Mcmc Data Retention Plan Sparks Privacy Concerns

---

 


 The Institute of Strategic Analysis and Policy Research (Insap) recently convened a closed-door roundtable on Aug 12, 2025, with civil society organisations (CSOs), policy experts, and advocacy groups.
The roundtable was to discuss the MCMC’s Public Consultation Paper on Retention, Preservation, and Disclosure of Communications Data for Investigation Purposes.
The public consultation, first announced on July 25, 2025, and later extended to Aug 18, 2025, seeks feedback on the proposed framework that will govern how communications data is stored, preserved, and disclosed to law enforcement.
While the aim of enabling timely investigations and protecting public safety is important, our roundtable found that the proposal in its current form risks granting overly broad and unchecked surveillance powers without the necessary legal and operational safeguards.
Broad scope
ADSOne of the most pressing concerns is the broad scope of application and disproportionate burden on businesses.
The proposal covers not only licensed telecommunications operators but also non-licensee entities such as SIM card dealers, technology vendors, social media platforms, cloud providers, and device manufacturers.
Such wide coverage could normalise undisclosed data collection across a much broader set of actors than is operationally necessary, potentially bypassing safeguards and placing disproportionate compliance costs on businesses, particularly small and medium enterprises (SMEs).
Insap recommends a risk-based and proportionate scope, where obligations should apply only to entities that create, store, transmit, or have operational control over communications data relevant for investigations.
Explicitly stated requirements and exemptions should be provided for smaller providers or those without routine access to such data.
Excessive retention periods
The proposed minimum retention period of 12–18 months, renewable indefinitely in 90-day increments, is excessive compared to international best practice.
The European Court of Justice has ruled that blanket data retention without clear offence definitions or judicial authorisation violates fundamental privacy rights.
A statutory sunset clause should require periodic review of retention rules every two years, with public impact assessments before any extensions.
Insufficient privacy safeguards
The proposed framework, as drafted, does not require judicial approval for access to retained data, nor does it define the specific offences that justify such access.
ADSThis omission is especially concerning given that the government is exempt from the Personal Data Protection Act (PDPA), leaving citizens without legal recourse in the event of misuse.
In this regard, Insap calls for:
Judicial authorisation for all high-sensitivity data access, including fine-grained location histories and identifiers linked to journalists, lawyers, or activists;
Independent oversight through a dedicated audit body empowered to review all data access requests and publish annual transparency reports; and
Clear definitions of “national interest” and “threat” to prevent political targeting or overreach.
Preservation and disclosure procedures
While we support the inclusion of Preservation and Disclosure Notices, these tools must be subject to strict limits and detailed standard operating procedures (SOPs).
Notices should clearly state the legal basis, the specific data sought, the format for provision, and secure transmission methods.
Affected individuals should be notified wherever legally permissible, and service providers should be allowed to recover reasonable costs for complex or resource-intensive requests.
Annual public reports should summarise the number and types of notices issued without revealing personal information.
Transparency and consultation process
The consultation process itself has raised concerns. Only excerpts of the proposal, rather than the full legislative text, were shared with stakeholders, and the initial consultation window was just two weeks.
These factors cast doubt on whether public feedback will meaningfully influence the final framework.
Future consultations on such impactful regulations should:
Release the full draft legislation for review;
Allow a minimum 60-day response period; and
Commit to publishing a summary of stakeholder feedback and how it was addressed.
Recommendations
Insap believes any data retention policy must strike a careful balance between investigative needs and the protection of fundamental rights. Our roundtable produced the following key recommendations:
Limit retention strictly to specific, clearly defined serious crimes with a published list of qualifying offences
Require judicial authorisation for all access to retained data
Establish an independent oversight body with auditing powers
Incorporate international best practices from the EU, UK, and Australia, including a Right to be Forgotten provision
Ensure public transparency by publishing annual usage logs and access statistics
Update the PDPA to apply to government agencies, closing a critical accountability gap
Avoid duplication of investigative powers already available under the Criminal Procedure Code and Cybersecurity Act
Provide scaled compliance obligations to avoid overburdening SMEs
Risk of normalising mass surveillance
If implemented without substantial revision, the proposed framework risks embedding a system of mass surveillance into Malaysia’s communications infrastructure, undermining privacy, freedom of expression, and public trust in digital services.
This is not a call to weaken law enforcement. It is a call to modernise investigative powers responsibly, ensuring that every request for data meets the test of necessity, proportionality, and due process.
Safeguarding public safety and protecting constitutional rights are not opposing goals as they are mutually reinforcing pillars of a democratic society.
Insap urges MCMC to reconsider its approach, engage in genuine public consultation with full legislative transparency, and adopt robust safeguards that align with both Malaysia’s legal principles and global human rights standards. - Mkini
Insap is a think tank established by MCA dedicated to developing sound public policy solutions and strategic insights for the nation’s future.
The views expressed here are those of the author/contributor and do not necessarily represent the views of MMKtT.

---