Malaysia’s Metadata Controversy: Surveillance in the Guise of Statistics

Malaysia’s recent directive to collect detailed phone metadata from all mobile users has reignited long-standing concerns about privacy, transparency, and state surveillance. Official reassurances have not quelled public unease, especially about the scope and granularity of the data being collected.

In April 2025, the Malaysian Communications and Multimedia Commission (MCMC) instructed all telcos to hand over user data for the first quarter of the year. This data includes call records (including IP calls), Internet usage statistics, and user location coordinates.

MCMC has defended the move, saying that the data will be fully anonymised and used strictly for statistical purposes. According to the commission, the goal is to better estimate broadband access at the district level, monitor mobile Internet penetration, and map tourism flows across regions. This implies that data from tourists and short-term visitors connected to local networks may be incidentally collected. The agency has made assurances that no names or personally identifiable information will be collected and that telcos can either anonymise the data themselves or pass it to MCMC for secure processing in accordance with the United Nations’ International Telecommunication Union guidelines.

Some critics, however, beg to differ. Former Minister Wee Ka Siong and other lawmakers have raised concerns that even anonymised data, particularly when it includes detailed location trails and usage patterns, can be reverse-engineered to re-identify individuals. Academic research has shown that mobility data can be de-anonymised when cross-referenced with other datasets. Once re-identified, this data not only represents numbers but also exposes behaviours, routines, and movements of specific individuals.

Perhaps more troubling is the opaque way the instruction was issued. Telcos received a letter from MCMC asking for all logs, Internet usage data, and precise location tracking without any public consultation or clarity on retention periods. The directive stipulated that failure to comply could result in penalties of up to six months’ imprisonment or a RM20,000 fine (US$4,700) under the Communications and Multimedia Act 1998. The heavy-handed enforcement, without legislative debate or oversight provisions, undermines transparency. It is especially concerning given that Malaysia’s Personal Data Protection Act explicitly excludes federal and state government agencies, meaning no legal data protection obligations apply to public sector data collection. While private companies must follow strict rules when handling personal data, government agencies are not legally bound by the same privacy obligations. Amid these concerns, MCMC deputy managing director Zurkarnain Yasin made it clear that opting out of data collection is not an option, stating that the directive had already received approval at the highest level.

Anonymised or not, data about one’s movements, online habits, and phone activity is intensely personal. Treating it as a state asset, without democratic safeguards, erodes public trust and sets a dangerous precedent.

This is not the first time MCMC has acted unilaterally. In 2024, it issued a directive requiring all Malaysian Internet providers to reroute users’ web searches through government-controlled servers, even when using services like Google or Cloudflare. The official reason was to strengthen enforcement against harmful or illegal websites. While this rule did not block virtual private networks directly, it did close off one of the easier ways people had used to get around website restrictions. The directive sparked a significant public and industry backlash, with critics warning of increased censorship and a lack of transparency. Following the outcry, the policy was eventually reversed. Still, it left behind a troubling precedent: one where Internet governance measures are implemented first and explained later.

Granted, collecting metadata can help governments improve infrastructure, target underserved communities, and monitor tourism flows. Such initiatives, however, should be accompanied by robust institutional safeguards. Some countries have adopted mobile data analytics for public planning but operate under regulated and transparent frameworks.

In South Korea, for example, anonymised mobile data is used in Smart Tourism programmes through formal partnerships with telecom providers, overseen by the Personal Information Protection Commission and subject to data protection laws. In Germany, metadata access is largely limited to intelligence operations and tightly regulated under the General Data Protection Regulation and federal court rulings. These examples contrast with Malaysia’s approach, where the recent directive lacks similar legal safeguards, oversight mechanisms, and public accountability.

If this initiative is truly meant to support evidence-based policy, the government should do more to demonstrate accountability. This includes publishing data-handling protocols, commissioning independent audits to verify anonymisation processes, and setting legal boundaries on data use, retention, and sharing. The public must also be informed, not just through statements but through structured transparency reports that explain who is using the data and to what ends. The government should also provide details about entities which have oversight responsibilities.

Ultimately, this episode reveals the fragile state of digital rights in Malaysia. Malaysians are not resisting progress; they are demanding informed consent and responsible governance. Anonymised or not, data about one’s movements, online habits, and phone activity is intensely personal. Treating it as a state asset, without democratic safeguards, erodes public trust and sets a dangerous precedent.

Data, when responsibly governed, can serve the public good. But when collected in silence and justified after the fact, it ceases to be a tool of development and begins to resemble a mechanism of control. If Malaysia wishes to move forward as a digitally empowered nation, it should recognise that the road to innovation must be paved with transparency, ethics, and the right to privacy, not surveillance disguised as statistics.

2025/208