An Open Letter to MCMC: What Does Privacy Mean to You?

Over the past week, Malaysians learned not through a public announcement, but through leaked information that the Malaysian Communications and Multimedia Commission (MCMC) had requested detailed mobile phone data from all major telcos in the country, including CelcomDigi, Maxis, U Mobile, TM, and YTL.

In its own official statement, MCMC confirmed that it had requested Mobile Phone Data from every major telco in Malaysia. They say the data is anonymised. They say it’s for official statistics, for network planning, for tourism, for policy-making.

Yesterday, the 5 telcos have also confirmed that they have complied with MCMC’s directive to submit Mobile Phone Data without Personally Identifiable Information.

But here’s my fundamental question to the MCMC:

What does privacy mean to you?

Because to most Malaysians — to most users — what just happened doesn’t feel like planning. It feels like surveillance. Quietly executed, vaguely explained, and worryingly broad.

This Isn’t Just “Data” — It’s a Map of Our Lives

Even if names and IC numbers are removed, usage patterns including cell tower location data still paints a vivid picture of individual behaviour.

You don’t need someone’s name when you can track:

• Where their phone sleeps at night (home),
• Where it wakes up in the morning (work),
• And how it moves hour by hour.

That’s not anonymised. That’s identity — reconstructed.

Call Logs? Internet Use? Why So Quiet?

You’ve said the data doesn’t include Personally Identifiable Information. But let’s be honest — you didn’t say it excludes call logs or Internet usage patterns either.

So let’s ask clearly:

• Are you collecting metadata like call time, duration, and frequency?
• Are you looking at data usage, browsing behaviour, or app patterns?
• How is this kind of granularity necessary for policymaking?

For the Ministry of Tourism (MOTAC), wouldn’t aggregate roaming stats, regional SIM activations, or tower handovers be enough?

Do we really need to trace where tourists go, when they call, and how they scroll?

Anonymised by Whom? Audited by Whom?

You’ve said telcos can either anonymise the data before sending it to you, or pass it on for you to process internally.

That raises more questions than it answers:

• What is the minimum standard for anonymisation?
• Who verifies that standard has been met?
• What encryption protocol is used to protect data in transit?
• Who’s accountable once the data lands inside MCMC’s systems?
• And what prevents re-identification when all the ingredients are still there?

Anonymity isn’t just a checkbox — it’s a technical, ethical, and legal challenge.

Did You Not Have This Before?

You’ve framed this as a move to improve “granular statistics.” That sounds useful. But it also sounds like a convenient answer.

So let me ask:

• What data did you rely on before this?
• If MCMC never had this kind of mobile device-level data before — how were broadband policies or tourism reports being generated all this time?
• If we were already planning with less data, is this level of intrusion actually necessary — or just more convenient?
• And if telcos already provide network KPIs — like signal strength, dropped call rates, and coverage gaps — how is this new dataset adding value beyond what they already submit?

PDPA and the Government Loophole

Under Section 45 of the Personal Data Protection Act (PDPA), government agencies may be exempt. That includes MCMC.

But let’s be clear:

Legal exemption is not the same as public accountability.

Just because you can request this data doesn’t mean you should. In fact, the lack of legal guardrails should mean even more transparency — not less.

You’re collecting more data than any private company ever could. And yet, you operate outside the laws that govern them.

That should worry everyone.

“Mutual Agreement” Isn’t Public Consent

You’ve said this initiative was discussed with telcos, the Department of Statistics Malaysia (DOSM), the Ministry of Tourism, and even the UN.

Great. But none of those parties represent the public.

There was no public consultation, no transparency report, no opportunity for users to opt-in or opt-out.

“Mutual agreement” behind closed doors is not the same as informed consent.

20 Questions Malaysians Deserve Answers To

You’ve said your intention is to support evidence-based policymaking. That’s a good goal.

But data collection of this scale demands clear answers. Here are 20:

1. What exact data are you collecting — and what are you not collecting?
2. Are call logs, Internet activity, or app usage part of this dataset?
3. Who determines whether the data is truly anonymised?
4. What’s the minimum technical standard telcos must meet to process the data themselves?
5. How is this different from what MNOs already submit in regular reports?
6. How long is the data retained — and what safeguards exist?
7. What encryption protocols are used for data in transit and storage?
8. What does “anonymised” mean when you still usage logs and location data?
9. Is there any risk of re-identification — and who’s responsible if it happens?
10. Who audits or oversees MCMC’s handling of this data?
11. What legal protections apply to users if the data is leaked or misused?
12. Will this become a routine data collection, or is it a one-off?
13. Why is such detailed data necessary for tourism policy?
14. Can you explain how this improves network planning in ways not already possible?
15. Why wasn’t the public notified before the data was requested?
16. Can users opt-out, or at least be informed when their data is used?
17. Is this linked to any third-party data processors or foreign consultants?
18. Will MCMC publish a full data transparency and privacy impact report?
19. Why should Malaysians trust that this won’t be misused — now or in the future?
20. What does privacy mean to MCMC?

This Isn’t About Paranoia — It’s About Trust

I’m not against data. I’m not against planning. I’m not even against public policy using technology.

But I am against invisible decisions made without public knowledge.

Privacy isn’t just about hiding something — it’s about having control over how you’re seen, tracked, and used. It’s about power. And right now, MCMC is holding all of it — with no meaningful oversight.

So here’s what I’m asking:

• Be honest about what you’re collecting.
• Justify why you need it — clearly and publicly.
• Put meaningful limits in place — and prove they work.

Until then, we’re not being paranoid.

We’re just paying attention.

Sincerely,

A Malaysian who cares very much about his privacy — and the privacy of his fellow countrymen.

[ IMAGE SOURCE ]