
IRB's Powers To Request Personal Data Disclosure: Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors [2022] 4 CLJ 399

Genting Malaysia Bhd (Genting), as part of its business, carried out a loyalty programme entitled “Genting Rewards Loyalty Programme” (Loyalty Programme). Customers who joined the Loyalty Programme were required to provide certain personal data to Genting. The Inland Revenue Board (Revenue) requested information relating to the name, Malaysian IC number, passport number, company registration number and address of the Loyalty Programme members in the years 2016 and 2017.

In other words, the Revenue was asking for the personal data of Genting’s customers on the premise that such information would assist the Revenue to enlarge its tax base and increase tax collection. The Revenue relied on Section 81 of the Income Tax Act 1967 (ITA) and Section 39 of the Personal Data Protection Act 2010 (PDPA) to support its request.

Genting responded to the Revenue and clarified that it was a company registered under the Companies Commission of Malaysia and not an association, society or club registered under the Registrar of Societies. Further, Genting added that it did not collect any membership fees. Notwithstanding Genting’s explanation, the Revenue insisted on being provided with essentially Genting’s entire customer database, a demand which Genting continued to resist.

Faced with this impasse, the Revenue procured a letter from the Deputy Commissioner of Personal Data Protection (Deputy Commissioner) dated 8.11.2019 (Letter). The Letter contained the Deputy Commissioner’s stance that Genting may disclose its customers’ personal data to the Revenue and in doing so Genting would not contravene the disclosure principle provided in the PDPA. Genting disagreed with the Deputy Commissioner’s position and commenced judicial review proceedings seeking to, among others, quash the contained in the Letter.

A central question in this case is whether the protection provided to data subjects under the personal data protection principles of the PDPA would withstand the power of the Revenue under Section 81 of the ITA – which empowers the Revenue to request information from organisations when conducting an audit of taxpayers.

PDPA Principles

Under the PDPA, data users are required to comply with the 7 Personal Data Protection Principles when processing personal data, including the Disclosure Principle (Section 8 of the PDPA).

The general rule provides that data users are not allowed to disclose the personal data of individuals to third parties without first obtaining their consent to disclose such information. However, this general rule is subject to the exceptions provided under Section 39(b) and Section 45(2)(a)(iii) of the PDPA which provide that disclosure of the personal data of individuals is allowed without their consent if the disclosure is:

(1) Necessary for the purpose of prevention or detection of crime, or for the purpose of investigations.

(2) Required or authorised by or under any law (Section 81 of the ITA).

(3) For the purposes of assessment or collection of any tax or duty or any other imposition of a similar nature.

The Revenue sought to rely on the above exceptions to justify its blanket request for disclosure of information.

Issues Raised

There were two main issues up for determination in the judicial review proceedings before the High Court:

(1) Whether the personal data requested by the Revenue falls within the scope of Section 81 of the ITA.

(2) Whether the disclosure of the personal data to the Revenue under Section 81 of the ITA would be in breach of the provisions of the PDPA.

Findings Of The High Court

The High Court ruled in favour of Genting and concluded that Section 81 of the ITA does not allow the Revenue to demand such blanket disclosure of personal data. Allowing such disclosure would amount to a breach of the provisions of the PDPA.

The High Court held, inter alia, that:

  • The expression of a view, an opinion or statement by the Deputy Commissioner may constitute a decision that is amenable to judicial review by the court.

  • The Revenue cannot demand the disclosure of Genting’s customers’ personal data unless and until the Revenue obtains the consent of Genting’s customers.

  • Such disclosure of a customer’s personal data will only be warranted if the Revenue can demonstrate that there is reasonable suspicion that any specific, identified and/or identifiable customer had not complied with any material provisions of the ITA relating to the assessment or collection of tax.

  • For an exemption under Section 39 of the PDPA to apply, the strict test of necessity and proportionality must be satisfied. The Revenue must demonstrate that it would not be able to perform its function without the disclosure of personal data.

  • The Revenue cannot demand such disclosure unless and until they obtain a court order authorising the demand made for the disclosure of personal data.

  • The Revenue had not shown any specific investigations or due cause for the request for personal data. Instead, the Revenue was asking for a blanket disclosure and was attempting to conduct a fishing expedition without meeting the requisite standards of necessity and proportionality to justify an infringement of the right to privacy which is protected under Article 5(1) of the Federal Constitution.

  • The Deputy Commissioner did not have the power to declare or guarantee that the Applicant would be protected from criminal prosecution under the provisions of the PDPA.

  • To the extent of any conflict between the ITA and the PDPA, the PDPA prevails over the ITA as the PDPA is a specific and more recent legislation enacted for the protection of personal data and privacy.


The decision in this case is significant as the High Court has set limitations on the Revenue’s power under Section 81 of the ITA. It is not a wide and unfettered power. These limitations include the requirements mentioned above that must be fulfilled by the Revenue when making such requests for disclosure, as well as the fact that the Revenue can only request the personal data of specific and/or identifiable customers.

15 November 2023

