wee choo keong

Wheeling & Dealing in MCMC? Part 11 – Violation of PDPA by MCS Providers

Short code
This is one of the examples of the Short Code “63365”.


Prior to the enactment of Personal Data Protection Act 2010 (PDPA), we hear a lot of the indiscriminate selling of personal data of customers by unscrupulous officers in telcos and companies, which keep customers profile in their data base.


When PDPA was enacted in 2010, which came into force on 15 November 2013, Malaysians would like to believe that the selling of customers data are things of the past. We all thought that PDPA will protect our privacy and that only accurate information is processed or stored by companies that we have contracts with.


Under the PDPA all information, which will enable any living individual to be identified is protected. The examples of the protected information are:


Name and address;

I/c No: ;

Condition of a person health;

Telephone No:;

E-mail address;


Images recorded in CCTV; and

Information in personal file.


For more information please read HERE.


Unfortunately, despite the PDPA is in full force after 15 November 2013, our personal data has been passed to third party without our knowledge and/or consent to a big extent. It seems that MCMC is pretending that it is not aware of this glaring violation of PDPA by these so-called Mobile Content Service (MCS) providers. Even a public listed company is also involved as an MCS provider. The profit must be lucrative for a public listed company to be interested in such a business.


Another example of the Short Code
Another example of the Short Code 26060.


All mobile phone subscribers at one time or another may have received unsolicited and irritating advertisements, promotions and etc via sms blast from “23336”, “23888”, “26060”, “23244”, “26026”, “26633”, “33083”,“33888”, “39333”, “32231”, “32276”, “32733”, “32968”, “32276”, “33336”, “33168”, “33668”, “36678”, “33310”, “33386”, “36388”, “36698”, “39668”, “32231”, “33884”, “33168”, “33138”, “33336”, “33138”, “32231”, “39968”, “39668”, “62002”, “62006”, “62100”, “62666”, “63001”, “63365”, “63633”, “63839”, “66399”, “66688”, “66399”, “66600”, “66628”,  “68833” and others.


The above 5 digit numbers are known as Short Codes in the telco industry. The 5 digit numbers enables the MCS providers to deliver theirs or their clients’ messages to mobile phone subscribers.


MCS providers are third party content providers. Therefore, under PDPA, the MCS providers were not supposed to have access to the data of mobile phone subscribers.


There are three types of Short Codes:


Level 2 or 2-Series Short Code used by the cellular network operators for its own branded MCS provider.


Level 3 or 3-Series Short Code assigned by telcos to MCS providers for premium services; and


Level 6 or 6 Series Short Code was allocated by telcos to MCS providers for corporate and bulk services.


When one received the advertisements or promotions from “23888” or “23244” or similar numbers, this means that the advert was sent out from one of the MCS providers from one particular telco.


If one received the advertisement from “33668”, “32733” or “39668” or other similar Short Codes, this means that the adverts/promotions were blast out by MCS providers of all telcos.


SMS from Short Code like “68833” are from companies likes banks to inform their customers of information on their transactions or promotions (e.g. payment due for credit card or loan or informing their customers of the services provided by the bank).


Short Codes “66600” has been used by Hong Leong Bank, “68833” by CIMB and “66628” by Maybank. Yours truly has been informed that these Short Codes were contracted to the banks by the MCS providers with huge fees.


Those sms from the banks are exempted in the PDPA because the customers are account holders who have contract with the bank during the opening of bank account.


In short, such adverts are known in the telco industry as sms blast. The three major telcos like MAXIS, DIGI and CELCOM have the total subscriber base of more than  20 million. With the press of a button anyone of them could blast out sms /adverts/promotions to many million people each time.


Are the sms blasts from the Short Codes like the 3-series like “39333” or “36388”, “39968” or “33336” and others were clear breach of PDPA?


Yours truly believes such sms blasts have without a doubt contravened PDPA as the MCS providers of telcos did not obtain the consent to process the data from the mobile phone subscribers. Further, the MCS providers have no contractual relationship with the phone subscribers.


There is a listed company which has been known to “get” the data of customers from certain telco’s data base.


The companies/MCS providers whose business is to provide SMS blast have to get a licence from MCMC to operate. After the PDPA has been enacted, MCMC should have cancelled all the licences of those companies that carry out activities as MCS providers and/or sms blast on behalf of companies.


The Short Codes activities are for the MCS providers to make easy money by pressing a button.


Yours truly has been informed that due to many complaints by members of the public to MCMC, MCMC has now limited the sms blast to twice a day by the MCS providers. Since the PDPA has come into force on 15 November 2013, there is no valid excuse for MCMC, which is a regulatory body, to close its eye over this glaring abuse by the MCS providers and/or the telco.


The PDPA prohibits anyone from processing our personal data without our consent. Hence, if you received sms blasts from any company whom you have no contractual relationship nor given your consent to use your data (I.e. telephone number) you should immediately lodge a complaint to MCMC and/or Personal Data Protection (JPDP) in Putrajaya, HERE.


Despite the enactment of the PDPA, MCMC has yet to terminate all the existing licences given to companies to process customers’ data without their express consent and thereafter blasting with unsolicited advertisements, promotions and etc. Rumour has it that a “special company” is lobbying very hard to get licences from MCMC to carry out more of such activities and even a Minister’s name has not been spared in the pursuit of the said licence.


Further the Government should also be looking into MyEG having access to data of vehicle owners from the police and JPJ based on the summons issued. In such summons contained in the website of MyEG which contains the particulars of the alleged offenders, his i/c number, address and other information pertaining to the alleged offender. This is a direct contravention of PDPA.


It is hoped that MCMC will switch its special appetite for giving contracts or projects to dormant companies to protecting the data of Malaysians, which have been processed by MCS providers for the predominant purpose of making profits at the expense of the mobile phone subscribers.

4 thoughts on “Wheeling & Dealing in MCMC? Part 11 – Violation of PDPA by MCS Providers

  1. I wonder which Minister’s name has been thrown around for marketing purposes.

    Why MCMC allowed these unscrupulous companies to operate as content provider strictly for profits at the expense of the people? The Minister of Information should instruct the Botak to cancel all the licenses of companies operating as content providers because it was a clear violation of the Personal Data Protection Act.

  2. Mr Wee, you stated that “The PDPA prohibits anyone from processing our personal data without our consent..” Does this apply to those videos which were viralled eg: video of an unfortunate accident victim? Remember the poor superbiker whose body was torn off in a road accident? And somebody recorded the aftermath and viralled the video?

    I feel want to elect you back to Parliament again to make laws.

    1. Dear AL

      Thank you for your comments. Please be informed that PDPA is concerned with personal data kept for commercial transactions like data kept by telcos, insurance companies, banks and etc. It does not matter whether it is contractual or not.

      The information must be processed by means of equipment operating automatically in response to instructions given for that purpose; recorded with the intention that it should be processed by such equipment; or recorded as part of, or with the intention that it should form a part of a relevant filing system.

      PDPA does not apply to information processed for the purpose of a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010. therefore, it doe snot cover the videos clips of events like accidents and etc.

      Have a pleasant day ahead.

      Thank you


Leave a Reply to Anonymous Cancel reply

Your email address will not be published.