IT may be hard to believe, but Malaysia was once at the forefront of enacting legislation to face an increasingly digital world.

We were among the first countries in the world to criminalise hacking, which had previously been seen as a cool rite of passage for coders or part of a countercultural revolution, despite the havoc that had been wrecked across government and telco networks across the world.

But with the Computer Crimes Act 1997, we made the act of gaining unauthorised access to a computer or network a criminal act. This was followed by a raft of other “cyberlaws” in the wake of the Multimedia Super Corridor (MSC) initiative, all to enable us to stride boldly into this new world.

That was last century. Our record since then has been spotty. As has the MSC, to be honest – many initiatives sputtered because we had not addressed the thorny issue of data privacy: who owns the data, what limitations will there be when such data is shared, who is in charge – all these questions needed to be answered.

In 2010, decades after it was first proposed, we finally had legislation that addressed data privacy: The Personal Data Protection Act (PDPA).

Unfortunately, it is a very limited piece of legislation compared with similar laws in other countries. Even when it was in draft stage before being tabled in Parliament, many people – civil advocates, lawyers, Opposition politicians, and jaded and cynical technology journalists like yours truly – noted that the Act lacked both scope and teeth.

It is right there in the preamble: “An Act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto”.

Only commercial transactions. It doesn’t cover what the government can or cannot do, in terms of collecting data on individuals and using such data. If there is any doubt, this is spelled out in Section 3. (1): “This Act shall not apply to the Federal Government and state governments”.

One can always argue that governments and law enforcement agencies need this free pass when it comes to crime and national security.

True enough, but that is why data protection laws in other countries spell out which agencies can get personal data, and under what circumstances. Indeed, in many jurisdictions, such use would still require a court order.

Our PDPA has no such provisions.

As for the “teeth” bit, data protection laws in other countries also contain “mandatory disclosure” clauses: Companies – whether banks or telcos – are required by law to inform their customers when their data has been hacked or leaked.

They can’t just keep quiet about it and hope the press doesn’t find out, or someone doesn’t point it out on social media – which is currently the case in Malaysia.

Given current concerns on coronavirus-fuelled contact-tracing apps and data privacy, it is high time the government consider amending the PDPA – we may not be at the forefront any longer, but we needn’t lag so far behind either.