Malaysian telcos, MCMC promise shared mobile data is anonymised

Details: John Tanner; Category: Regulation; 09 June 2025; 8448 views

Malaysian telcos and the Malaysian Communications and Multimedia Commission’s (MCMC) have promised mobile users that their personal data and privacy won’t be compromised following a news report that telcos were ordered by the MCMC to hand over mobile network usage records for the first three months of 2025.

The statements from CelcomDigi, Maxis, U Mobile and YTL Communications came after the South China Morning Post reported on Friday that the Malaysian Communications and Multimedia Commission’s (MCMC) sent a letter to telcos in April ordering them to send data such as “Call records, IP call records, location, latitude and longitude”.

The request was reportedly for the MCMC’s Mobile Phone Data (MPD) project, which has been running since 2024 and uses telco data to generate granular statistics that can be used to make policy decisions for the ICT and tourism sectors.

The report cited two anonymous industry sources, one of whom said they had asked the MCMC about transparency and accountability for using the data, given that the request was not made public. The report also raised privacy concerns over the order in the broader context of increasing cyberattacks and personal data leaks in Malaysia in recent years, as well as the government's recent move to licence social media sites.

The MCMC responded to the report with a public statement on Friday that didn’t verify the alleged request specifically, but did say that all data collected from telcos for the MPD project “is anonymised and contains no personally identifiable information (PII)”, and that the data is only used to generate statistics.

The MCMC statement added that telcos have the option of processing the MPD data in-house or letting the MCMC do it. In either case, the data is anonymised before the regulator receives it.

The MCMC also noted that the MPD project is being conducted in collaboration with the International Telecommunication Union (ITU) and the UN Committee of Experts on Big Data and Data Science. It added that the project mirrors similar initiatives in countries such as Indonesia and Brazil.

In separate statements on Sunday, CelcomDigi, Maxis, U Mobile and YTL affirmed their commitment to user privacy and safeguarding customer data as required under the Communications and Multimedia Act, the Personal Data Protection Act and other applicable regulations.

CelcomDigi said it will process requested data “within our own secure environments and provide a limited sample on relevant fields comprising anonymised and aggregated output to the Commission.”

Maxis said that “there is no access to, processing of, or sharing of personally identifiable information at any stage” when submitting MPD data, all of which is anonymised by Maxis and processed in an aggregated manner within a secure environment.”

U Mobile said all data shared “is strictly anonymised, aggregated, and handled in compliance with all applicable data protection laws and regulations”, and that “at no point” is PII shared or processed.

YTL Communications said it “has taken rigorous steps to anonymise all data prior to submission. No personally identifiable information has been shared, and customer privacy remains our highest priority.”