KUALA LUMPUR, April 14 – The government has disclaimed legal responsibility for any loss or damages caused by the usage of any information obtained from the MySejahtera mobile application.
The disclaimer on MySejahtera’s official website reads: “Government of Malaysia shall not be liable for any loss or damage caused by the usage of any information obtained from this Application.”
Processing of personal data on TousAntiCovid is also regulated by the European Union’s (EU) General Data Protection Regulation (GDPR), described as the “toughest privacy and security law in the world.”
In Malaysia, federal and state governments are specifically exempted from application of the Personal Data Protection Act (PDPA) 2010.
Intellectual property (IP) and information technology (IT) lawyer Foong Cheng Leong said the MySejahtera disclaimer does not allow the government to disclaim liability for negligence.
“This clause has no legal effect for damages and losses due to negligence claims,” Foong told CodeBlue. “Data breach is a form of negligence.”
He explained that the MySejahtera disclaimer means that the government cannot be held liable for loss or damages in incidents that do not involve negligence, such as wrongly reporting Covid-19 cases.
When asked if the government could be held liable, despite its disclaimer, if a private company somehow manages to get access to MySejahtera users’ personal data and uses it for marketing purposes, Foong replied in the affirmative, but said a data breach must first be proven.
Unlike the Malaysian government, which stores data on MySejahtera users’ check-ins for three months, primarily for contact tracing, the French government only keeps proximity history data on TousAntiCovid users who were in close contact with another Covid-19 positive user for a maximum of 15 days from their issue.
Foong said that although the government may claim that MySejahtera data protection complies with PDPA requirements (which the government is not legally subject to), the law just sets out the basics.
Apple’s App Store states that the information on MySejahtera’s privacy practices “has not been verified by Apple.”
In the intellectual property section of the App Store review guidelines for app developers, Apple requires app developers to ensure that their app “only includes content that you created or that you have a licence to use.”
This includes avoiding use of protected “third-party material such as trademarks, copyrighted works, or patented ideas” in the app. “Apps should be submitted by the person or legal entity that owns or has licensed the intellectual property and other relevant rights.”
Foong said this does not indicate that the Malaysian government, which is described on Apple’s App Store as the MySejahtera developer, owns the app and its IP.
“The app and content are different,” the lawyer said, adding that MySejahtera content includes things like user data, images, write-ups, charts, or source codes of the app.
Google did not respond to CodeBlue’s requests for clarification about how the MySejahtera app was placed on its Play Store, while Apple directed CodeBlue to information on its App Store review guidelines, developer identity verification, app privacy details on the App Store, and how apps from Apple handle one’s data.
Health Minister Khairy Jamaluddin previously cited the Medical Act 1971 as a law to which the use and management of MySejahtera data is subject. However, the Medical Act only relates to the “registration and practice of medical practitioners”, without any provisions on the management of personal medical or health information, whether in electronic or written form. Management of a patient’s medical information is also not specified in the Prevention and Control of Infectious Diseases Act 1988 (Act 342).