The issue of "private moments" being recorded and circulated, as seen in the "An Xin" (or similar) incident, highlights a crucial legal debate about the right to privacy in Malaysia. While privacy can be generally defined as the "right to be left alone" or the "right to a personal life," the current legal framework presents significant challenges for individuals whose privacy is violated.

In an age of ubiquitous cameras, personal data collection, and widespread use of smart devices and social media, personal privacy is increasingly under threat. Here is an overview of Malaysia's legal position on privacy and personal data:

Malaysia does not have a specific, general "Privacy Act." The existing legislation and case law offer only limited and segmented protection for privacy rights.

In the 2010 Federal Court case of Sivarasa Rasiah v Badan Peguam Malaysia & Anor, the court ruled that the right to personal liberty under Article 5(1) of the Federal Constitution includes the right to privacy.

However, the court did not provide detailed guidance on what constitutes an invasion of privacy.

Crucially, a private individual cannot directly sue another private party based on a breach of the Federal Constitution. Constitutional rights typically protect citizens from the state, not from each other. Therefore, a person whose privacy is invaded cannot use the Constitution alone to seek redress in court.

No established tort: Under the common law (principles derived from judicial decisions), invasion of privacy is generally not a recognised actionable wrong (tort) in Malaysia. This means a court typically won't allow a claim solely based on the infringement of privacy, making it very difficult for an affected party to win such a case.

    In the 2004 High Court case of Ultra Dimension Sdn Bhd v Kook Wei Kuan, the court held that invasion of privacy was not an actionable tort when a newspaper photographed children outside a kindergarten.

    Conversely, the 2010 High Court case of Lee Ewe Poh v Dr. Lim Teik Man & Anor was the first reported Malaysian case to acknowledge invasion of privacy as an actionable tort. In this case, a doctor took unauthorised photos of a patient's sensitive areas while she was under anaesthesia. However, this was a High Court decision, which is not binding on courts of equal or higher standing, and the core issue involved the sensitive, intimate nature of a woman's body during a medical procedure, limiting its scope as a general guide for all privacy infringements (especially those in public or semi-public spaces).

The Personal Data Protection Act 2010 (PDPA) is the primary piece of legislation governing data protection, but its scope is limited:

The PDPA only applies to the processing of personal data in the context of "commercial transactions."

"Personal data" includes information that can identify an individual, meaning that a video or photograph which makes a person identifiable may fall under this definition.

Commercial transaction is defined broadly to include any transaction of a commercial nature, whether or not a contract is involved. For example, if the "An Xin" incident happened in Malaysia, the act of using a paid service, like a taxi or e-hailing service, could potentially be interpreted as a commercial transaction, bringing the data involved (like the video) under the PDPA's jurisdiction.

If a person is recorded or their video is circulated without their consent after being collected through a commercial transaction, the party who acquired and/or disclosed the video (the data user) may have contravened the PDPA, particularly the disclosure principle.

Penalties for contravening the PDPA include a fine not exceeding RM300,000 or imprisonment for a term not exceeding two years, or both.

Similar to the Federal Constitution, the PDPA does not grant an individual the right to file a civil lawsuit or claim compensation against the offending party for a data breach.

An individual's recourse is to file a complaint with the Personal Data Protection Commissioner (PDPC), and they must rely on the enforcement authorities to take action against the party who leaked the data without consent.

While the Sivarasa case recognised a right to privacy under the Constitution, and the Lee Ewe Poh case offered a glimmer of hope for a common law tort of invasion of privacy, Malaysia's privacy protection remains insufficient to offer individuals a clear path to legal remedy for general privacy infringements (especially those not related to personal data in commercial transactions or intimate areas).

For the time being, the current legal framework in Malaysia leaves individuals vulnerable, and the law on privacy is far from "reassuring."