Government Says Not Liable For Damages Over MySejahtera Data Use

MySejahtera’s disclaimer states that the Malaysian government “shall not be liable for any loss or damage caused by the usage of any information obtained from this Application.”

KUALA LUMPUR, April 14 – The government has disclaimed legal responsibility for any loss or damages caused by the usage of any information obtained from the MySejahtera mobile application.

The disclaimer on MySejahtera’s official website reads: “Government of Malaysia shall not be liable for any loss or damage caused by the usage of any information obtained from this Application.”

MySejahtera’s privacy policy simply states that personal data collected by the Covid-19 app – which includes one’s name, IC number, address, phone number, check-in location data, and health risk status from answering health assessments on the Covid-19 app – “will be kept confidential in accordance with this Privacy Policy in accordance with any applicable laws which may take effect from time to time.”

Yet, the privacy policy does not state which agency or government contractor has access to different types of personal data collected on MySejahtera, how personal information is processed, where data is stored (in a “highly secured server” that is not named), or the duration of time for the storage of data before it is deleted (only for check-ins to premises). Data collected by MySejahtera includes health and medical information like Covid-19 vaccination history, Covid-19 test results, and symptoms, blood pressure, heart rate, and body temperature readings entered on the app’s health assessment tool.

MySejahtera’s privacy policy also does not cite a specific law that protects the confidentiality of personal data collected by MySejahtera, nor does it state exactly when “applicable laws” would be enforced in relation to MySejahtera data protection.

France’s Covid-19 app, TousAntiCovid, on the other hand, is governed by a specific regulatory framework relating to the processing of data taken after advice from France’s CNIL, an independent administrative authority on data protection, according to the app’s privacy policy. Complaints can be filed to CNIL if TousAntiCovid users believe processing of their data does not comply with data protection rules.

Processing of personal data on TousAntiCovid is also regulated by the European Union’s (EU) General Data Protection Regulation (GDPR), described as the “toughest privacy and security law in the world.”

In Malaysia, federal and state governments are specifically exempted from application of the Personal Data Protection Act (PDPA) 2010.

Intellectual property (IP) and information technology (IT) lawyer Foong Cheng Leong said the MySejahtera disclaimer does not allow the government to disclaim liability for negligence.

“This clause has no legal effect for damages and losses due to negligence claims,” Foong told CodeBlue. “Data breach is a form of negligence.”

He explained that the MySejahtera disclaimer means that the government cannot be held liable for loss or damages in incidents that do not involve negligence, such as wrongly reporting Covid-19 cases.

When asked if the government could be held liable, despite its disclaimer, if a private company somehow manages to get access to MySejahtera users’ personal data and uses it for marketing purposes, Foong replied in the affirmative, but said a data breach must first be proven.

He also pointed out that MySejahtera’s privacy policy merely states how the government treats one’s personal data on the app, but omits specifying its data retention policy, security measures, or government contractors handling the app. The only retention period mentioned by the app’s privacy policy relates to check-in data, which is 90 days, but nothing for other user data like personal details and medical and health information like Covid-19 diagnostics, close contact status, and blood pressure and heart rate readings.

“The privacy policy is scarcely explained.”

Unlike the Malaysian government that stores data on MySejahtera users’ check-ins for three months, which is primarily used for contact tracing, the French government only keeps proximity history data on TousAntiCovid users who were in close contact with another Covid-19 positive user for a maximum of 15 days from their issue.

Foong said that although the government may claim that MySejahtera data protection is in compliance with PDPA requirements (which the government is not legally subject to), the law just sets out the basics.

“Under the PDPA, the privacy policy has to be in a certain format, for example, describe what is collected, the purposes of collection, whether it’s obligatory to collect and if so, consequences for not providing those obligatory data. But no requirement to state what kind of security is provided, what is the retention time etc.”

The privacy policy for France’s TousAntiCovid, on the other hand, states the retention time for different types of data collected by the Covid-19 app. The French government also specifies the servers that process personal data on TousAntiCovid, as well as how different kinds of personal data in the app is processed.

France also specifies the rights of users to delete data on TousAntiCovid, and to erase data present on the central server by unsubscribing and uninstalling the app. MySejahtera’s privacy policy does not state any user rights, or whether uninstalling the app means that all personal data of the user (not just check-in data) will be automatically purged from the server.

Apple’s App Store states that the information on MySejahtera’s privacy practices “has not been verified by Apple.”

In the intellectual property section of the App Store review guidelines for app developers, Apple requires app developers to ensure that their app “only includes content that you created or that you have a licence to use.”

This includes avoiding use of protected “third-party material such as trademarks, copyrighted works, or patented ideas” in the app. “Apps should be submitted by the person or legal entity that owns or has licensed the intellectual property and other relevant rights.”

Foong said this does not indicate that the Malaysian government, which is described on Apple’s App Store as the MySejahtera developer, owns the app and its IP.

“The app and content are different,” the lawyer said, adding that MySejahtera content includes things like user data, images, write-ups, charts, or source codes of the app.

Google did not respond to CodeBlue’s requests for clarification about how the MySejahtera app was placed on its Play Store, while Apple directed CodeBlue to information on its App Store review guidelines, developer identity verification, app privacy details on the App Store, and how apps from Apple handle one’s data.

Health Minister Khairy Jamaluddin previously cited the Medical Act 1971 as a law to which the use and management of MySejahtera data is subject. However, the Medical Act only relates to the “registration and practice of medical practitioners”, without any provisions on the management of personal medical or health information, whether in electronic or written form. Management of a patient’s medical information is also not specified in the Prevention and Control of Infectious Diseases Act 1988 (Act 342).