Wheeling & Dealing in MCMC? Part 11 – Violation of PDPA by MCS Providers

« Short code

























Prior to the enactment of Personal Data Protection Act 2010 (PDPA), we hear a lot of the indiscriminate selling of personal data of customers by unscrupulous officers in telcos and companies, which keep customers profile in their data base.


When PDPA was enacted in 2010, which came into force on 15 November 2013, Malaysians would like to believe that the selling of customers data are things of the past. We all thought that PDPA will protect our privacy and that only accurate information is processed or stored by companies that we have contracts with.


Under the PDPA all information, which will enable any living individual to be identified is protected. The examples of the protected information are:


Name and address;

I/c No: ;

Condition of a person health;

Telephone No:;

E-mail address;


Images recorded in CCTV; and

Information in personal file.


For more information please read HERE.


Unfortunately, despite the PDPA is in full force after 15 November 2013, our personal data has been passed to third party without our knowledge and/or consent to a big extent. It seems that MCMC is pretending that it is not aware of this glaring violation of PDPA by these so-called Mobile Content Service (MCS) providers. Even a public listed company is also involved as an MCS provider. The profit must be lucrative for a public listed company to be interested in such a business.


Another example of the Short Code


All mobile phone subscribers at one time or another may have received unsolicited and irritating advertisements, promotions and etc via sms blast from “23336”,“23888”, “26060”, “23244”, “26026”, “26633”, “33083”,“33888”,“39333”, “32231”, “32276”, “32733”, “32968”, “32276”, “33336”,“33168”, “33668”, “36678”, “33310”, “33386”, “36388”, “36698”,“39668”, “32231”, “33884”, “33168”, “33138”, “33336”, “33138”,“32231”, “39968”, “39668”, “62002”, “62006”, “62100”, “62666”,“63001”, “63365”, “63633”, “63839”, “66399”, “66688”, “66399”, “66600”, “66628”,  “68833” and others.


The above 5 digit numbers are known as Short Codes in the telco industry. The 5 digit numbers enables the MCS providers to deliver theirs or their clients’ messages to mobile phone subscribers.


MCS providers are third party content providers. Therefore, under PDPA, the MCS providers were not supposed to have access to the data of mobile phone subscribers.


There are three types of Short Codes:


Level 2 or 2-Series Short Code used by the cellular network operators for its own branded MCS provider.


Level 3 or 3-Series Short Code assigned by telcos to MCS providers for premium services; and


Level 6 or 6 Series Short Code was allocated by telcos to MCS providers for corporate and bulk services.


When one received the advertisements or promotions from “23888” or “23244”or similar numbers, this means that the advert was sent out from one of the MCS providers from one particular telco.


If one received the advertisement from “33668”, “32733” or “39668” or other similar Short Codes, this means that the adverts/promotions were blast out by MCS providers of all telcos.


SMS from Short Code like “68833” are from companies likes banks to inform their customers of information on their transactions or promotions (e.g. payment due for credit card or loan or informing their customers of the services provided by the bank).


Short Codes “66600” has been used by Hong Leong Bank, “68833” by CIMB and“66628” by Maybank. Yours truly has been informed that these Short Codes were contracted to the banks by the MCS providers with huge fees.


Those sms from the banks are exempted in the PDPA because the customers are account holders who have contract with the bank during the opening of bank account.


In short, such adverts are known in the telco industry as sms blast. The three major telcos like MAXIS, DIGI and CELCOM have the total subscriber base of more than  20 million. With the press of a button anyone of them could blast out sms /adverts/promotions to many million people each time.


Are the sms blasts from the Short Codes like the 3-series like “39333” or“36388”, “39968” or “33336” and others were clear breach of PDPA?


Yours truly believes such sms blasts have without a doubt contravened PDPA as the MCS providers of telcos did not obtain the consent to process the data from the mobile phone subscribers. Further, the MCS providers have no contractual relationship with the phone subscribers.


There is a listed company which has been known to “get” the data of customers from certain telco’s data base.


The companies/MCS providers whose business is to provide SMS blast have to get a licence from MCMC to operate. After the PDPA has been enacted, MCMC should have cancelled all the licences of those companies that carry out activities as MCS providers and/or sms blast on behalf of companies.


The Short Codes activities are for the MCS providers to make easy money by pressing a button.


Yours truly has been informed that due to many complaints by members of the public to MCMC, MCMC has now limited the sms blast to twice a day by the MCS providers. Since the PDPA has come into force on 15 November 2013, there is no valid excuse for MCMC, which is a regulatory body, to close its eye over this glaring abuse by the MCS providers and/or the telco.


The PDPA prohibits anyone from processing our personal data without our consent. Hence, if you received sms blasts from any company whom you have no contractual relationship nor given your consent to use your data (I.e. telephone number) you should immediately lodge a complaint to MCMC and/or Personal Data Protection (JPDP) in Putrajaya, HERE.


Despite the enactment of the PDPA, MCMC has yet to terminate all the existing licences given to companies to process customers’ data without their express consent and thereafter blasting with unsolicited advertisements, promotions and etc. Rumour has it that a “special company” is lobbying very hard to get licences from MCMC to carry out more of such activities and even a Minister’s name has not been spared in the pursuit of the said licence.


Further the Government should also be looking into MyEG having access to data of vehicle owners from the police and JPJ based on the summons issued. In such summons contained in the website of MyEG which contains the particulars of the alleged offenders, his i/c number, address and other information pertaining to the alleged offender. This is a direct contravention of PDPA.


It is hoped that MCMC will switch its special appetite for giving contracts or projects to dormant companies to protecting the data of Malaysians, which have been processed by MCS providers for the predominant purpose of making profits at the expense of the mobile phone subscribers.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.