Articles

The government is collecting biometric data at an unprecedented scale. Credit: Unsplash/Chuttersnap

Is Malaysia Building Surveillance Faster Than It Can Govern?

17 July 2026/6 Minutes of Reading

Introduction

 

Malaysia has introduced two flagship policies within months of each other, and both quietly rely on the same foundation: government-held identity data.

 

Firstly, Dewan Bandaraya Kuala Lumpur’s (Kuala Lumpur City Hall – DBKL) Kuala Lumpur City Command Centre (KLCCC) now operates roughly 10,000 AI-enabled CCTVs across the capital with facial recognition, geo-fencing and behavioural analytics.

 

Secondly, the Malaysian Communications and Multimedia Commission (MCMC) rolls out a social media restriction for users under 16, in accordance with the Children’s Protection Code and Risk Mitigation Code of the Online Safety Act 2025. The mandate requires platforms to verify age through eKYC, which typically relies on documents like MyKad or passport, or integrates with MyDigital ID.

 

The government has implemented both policies to address societal harms such as street crimes and children’s exposure to harmful content. Interestingly, both share the same identity infrastructure for data storage.

 

This infrastructure convergence requires more public attention because Malaysia has a track record of data leakages involving such infrastructure.

 

A leak in the Inland Revenue Board’s MyIdentity API exposed four million records that were later sold online for approximately RM35,000, while a separate breach in the same year exposed 22.5 million of Jabatan Pendaftaran Negara’s (National Registration Department’s) records.

 

Meanwhile, in December 2024, several malicious actors claimed to be selling the MyKad data of 17 million Malaysians on the dark web. This data is fundamentally the same type of biometric information used in the eKYC verification selfies and facial data collected for the aforementioned city surveillance network and social media restriction.

 

Adding both policies to the same identity infrastructure adds volume and new functions to a system beset by breaches and exposure. That risk is further amplified as systems built in Malaysia for one purpose tend to infringe on others once in place.

 

DBKL has noted that the scope of its surveillance system is far more extensive than crime prevention. This is consistent with growing research about the prevalence of “function creep”, whereby a system or technology expands beyond its original purposes. Meanwhile, the social media restriction mandate demands a parallel process of data collection through official documents with no tiered safeguards.

 

The two policies underscore an existing problem: Malaysia is expanding its monitoring infrastructure faster than it could govern. The analysis below examines each policy, unpacks the unintended consequences and highlights where governance gaps exist.

 

Camera Surveillance Network

 

The expansion of KLCCC’s mandate from crime prevention to traffic management, flood monitoring, municipal enforcement and crowd control was not subject to parliamentary debate, public consultation, or a legislative framework for data governance.

 

This reflects a broader pattern where executive discretion determines the boundaries of surveillance systems, with oversight arriving only after expansion.

 

In April 2026, DBKL confirmed that it had installed 10,000 surveillance cameras equipped with high-resolution facial recognition across Kuala Lumpur, an investment that carried the price tag of around RM500m since its initiation in 2020. The Kuala Lumpur police chief stated that the network drove a 50% increase in overall enforcement efficiency and slashed snatch thefts by 57.6% year-on-year.

 

Nevertheless, the statistics behind these figures remain unreleased and under police purview; they also came from the police’s spokesperson rather than an independent audit.

 

DBKL has also made the following statements: 1) that collected footage is stored for 60 days; 2) that facial recognition can locate a scanned individual anywhere in the city and; 3) that police are mirroring the system in their own headquarters (i.e. accessing the footage directly). While DBKL has added that the cameras are installed in public spaces – in response to queries about privacy concerns – this answer only addresses the geographical aspect of where the footage is captured, not what happens to it afterward.

 

There is currently no public framework governing how facial recognition data is accessed, what happens to it beyond 60 days or whether an independent body is conducting oversight. Meanwhile, DBKL is also in talks with the Ministry of Transport to extend the system into traffic enforcement, adding new data categories and agencies to an already opaque structure.

 

As it currently stands, the cameras are concentrated at major roads, intersections, commercial centres, and tourist hotspots such as KLCC and Bukit Bintang. These are affluent areas and not lower-income neighbourhoods, affirming past research that found that placement tends to align with an area’s income and racial composition rather than crime rates.

 

Unfortunately, the government has not published data about camera density in each neighbourhood. There is also no independent body that audits how decisions regarding coverage are made or reviewed. Hence, it is not possible to confirm whether camera distribution and concentration come at the expense of lower-income areas, as the placement is left entirely to DBKL’s own discretion.

 

Social Media Restriction Mandate for Under-16

 

The social media restriction mandate relies on the same government-held identity infrastructure, which lacks independent oversight as well as auditing and automatically forces users to provide details from their MyKad, passport, or MyDigital ID with no tiered safeguards.

 

Under the Child Protection Code and Risk Mitigation Code, which took effect on 1 June 2026 and are part of the Online Safety Act 2025, licensed platforms with a substantial Malaysian user base – reportedly including Facebook, Instagram, TikTok and YouTube – must verify that new and existing users are 16 or older. This creates a compliance chain that channels sensitive identity data from individuals to private platforms, third-party vendors and government systems, with each link representing a potential point of failure.

 

The absence of tiered safeguards is particularly concerning, given that a viable alternative has already been demonstrated. Australia uses a tiered approach, as mandated by its legislative body. The method focuses on behavioural signals first, followed by privacy-preserving age estimation, with hard identity documents used only as a last resort.

 

Malaysia’s Codes have no equivalent, treating government-issued identities as equally viable options and leaving the invasiveness of the checks to individual platforms. This gap is compounded by the fact that the government bodies verifying this data are exempt from Section 3(1) of the Personal Data Protection Act (PDPA). It means that government databases carry no liability even if a platform’s handling of the data is scrutinised.

 

The lack of tiered safeguards also distributes risk unevenly. Families without easy access to formal documentation and children going through age verification for the first time face the bulk of the compliance burden. This burden extends to elderly and rural users who may be digitally illiterate and less equipped for an app-based eKYC process, with no accommodation in the Codes beyond an undefined grace period.

 

On the other hand, CSOs have warned that children pushed off mainstream platforms do not stop using social media and instead relocate to spaces with less oversight. This phenomenon has been observed in Australia, where downloads of alternative applications, such as Lemon8 and Yope, increased by 251% after it instituted its own ban.

 

This serves as a reference point to what Malaysia could expect, while highlighting that just restricting access rarely eliminates the underlying exposure.

 

Governance Gaps

 

The governance gaps that affect both policies can be understood in several dimensions: legal oversight, data protection and accountability.

 

On legal oversight, neither policy has faced meaningful parliamentary or judicial scrutiny.

 

KLCCC’s camera network was expanded through internal DBKL administrative decisions rather than a legislative mandate defining its scope. The social media restriction mandate was introduced through regulatory codes under the Online Safety Act 2025 rather than new laws, bypassing the parliamentary process of being tabled, debated and voted on.

 

In both cases, the executive branch has exercised broad discretion without clear legal boundaries.

 

On data protection, the PDPA states plainly that the Act “shall not apply to the Federal Government and State Governments”. This means that KLCCC’s camera network and the social media eKYC infrastructure operate entirely outside the country’s data protection framework.

 

Legal scholars have noted that: 1) personal data does not become less sensitive when a government department holds it and; 2) excluding the public sector limits the law’s effectiveness. Malaysia’s exemption has no safeguards for its government-issued identity documents, meaning the government collects and stores identity data at scale while remaining legally immune from the obligations it imposes on the private sector.

 

On accountability, there is a lack of independent oversight with the authority to investigate complaints, audit data usage or impose sanctions for misuse.

 

This means that citizens whose biometric data is captured by the CCTV network or social media users whose identity documents are submitted to platforms have no clear avenue to challenge how that data is used.

 

The National Cyber Security Agency (NACSA) has investigated breaches but never publicly confirmed the findings—these breaches are handled internally with no external scrutiny. Meanwhile, victims have no recourse through the PDPA because the Act does not apply to government bodies, meaning affected individuals cannot seek compensation for misuse of their own data.

 

Conclusion

 

These systems are not temporary. The infrastructure built today through KLCCC and the social media restriction mandate will outlast the problems it was designed to address. Cameras will continue capturing footage, facial recognition databases will grow, and identity documents will keep being collected and stored, becoming permanent fixtures of Malaysia’s governance architecture.

 

Currently, there is still no public framework governing how long data is retained, who can access it or under what conditions it can be shared with other agencies. The documented breaches from 2022 to 2024 show the vulnerability of the existing infrastructure and that the state has been unable to protect the identity data entrusted to it.

 

Expanding collection without addressing these vulnerabilities does not enhance security but compounds the risk. Without reforms, the patterns of the past four years will continue, and the governance gap will widen with each new policy.

 

The views expressed are those of the authors and do not necessarily reflect those of STRAT.O.SPHERE CONSULTING PTE LTD.

 

This article is published under Creative Commons Licence. Republications minimally require: 1) credit authors and their institutions, and; 2) credit to STRAT.O.SPHERE CONSULTING PTE LTD and include a link back to either our home page or the article’s URL.