High Court of Malaya rules Inland Revenue Board not permitted to make blanket request for customers’ personal data

28 June 2022

Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors [2022] 4 CLJ 399

In Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors, the Director General of the Inland Revenue Board of Malaysia (“DGIR”) had, between November 2018 and November 2019, requested from Genting Malaysia Berhad (“GMB”) information relating to its customers who were members of GMB’s Genting Rewards Loyalty Programme, including personal data such as names, identification numbers and addresses, among other things. The DGIR stated that the information would assist the Inland Revenue Board of Malaysia enlarge its tax base, increase tax collections and reduce tax evasion, and that the disclosure of such information is permitted under section 81 of the Income Tax Act 1967 (“ITA”) and section 39 of the Personal Data Protection Act 2010 (“PDPA”).

GMB refused to accede to the DGIR’s request, and in the course of exchanges between GMB and the DGIR, the DGIR forwarded to GMB a letter by the Deputy Personal Data Protection Commissioner (“Deputy Commissioner”) to the DGIR containing the view that GMB may disclose the personal data to the DGIR on the basis of section 39(b)(ii) of the PDPA.

The dispute between GMB and the DGIR eventually led to GMB filing a judicial review application with the High Court of Malaya in February 2020 against the Personal Data Protection Commissioner (“Commissioner”), the Deputy Commissioner and the DGIR. The two main issues raised for determination in the judicial review proceedings before the High Court were:

  • whether the personal data requested by the DGIR fell within section 81 of the ITA; and 
  • whether the disclosure of the personal data to the DGIR under section 81 of the ITA would be in breach of the provisions of the PDPA.

The High Court ruled in favour of GMB and held, in brief, that: 

  • section 81 of the ITA does not allow the DGIR to make such blanket demands for personal data; and 
  • allowing such blanket disclosure of personal data would amount to a breach of the provisions of the PDPA and the right to privacy entrenched in the Federal Constitution.

In coming to its decision, the High Court found, among other things, that: 

  • the expression of a view, an opinion or a statement by the Commissioner can constitute a decision that is amenable for judicial review by the court; 
  • the blanket demand for disclosure of personal data made by the DGIR would amount to an infringement of the right to privacy entrenched under Article 5(1) of the Federal Constitution, which guarantees the fundamental liberties of every person; 
  • in order for an exemption under section 39 of the PDPA to apply, the strict test of necessity and proportionality must be satisfied (i.e. the DGIR must demonstrate that it would not be able to perform its function without the disclosure of personal data); 
  • in order for the DGIR to exercise its powers under section 81 of the ITA to have access to the personal data, the DGIR must demonstrate that there was reasonable suspicion that a specified/identifiable customer had violated a material provision of the ITA; 
  • the Commissioner and the Deputy Commissioner did not have the power to declare or guarantee that GMB would be protected from criminal prosecution under the provisions of the PDPA; 
  • additional requirements apply in respect of personal data that is also regulated by the personal data protection laws of other jurisdictions; 
  • to the extent of any conflict between the ITA and the PDPA, the PDPA prevails over the ITA as the PDPA is a specific and more recent legislation enacted for the protection of personal data and privacy; and 
  • regulatory authorities that are statutorily incorporated body corporates are still bound by the regulatory requirements under the PDPA.