top of page

Inward Facing Cameras in Public Transportation - What our PDPA said or Did Not Said

Recently, the husband of a famous singer in Hong Kong, who himself is also a singer, was caught snuggling and smooching with another woman in a taxi. For those who have been following the entertainment scene in Hong Kong, this story will ring a bell.

A video of their actions were captured in a camera mounted in the taxi where they are in and this video was apparently made available to a tabloid who went on to expose the said video in their publication.

This brings us to the question - Do we have our own regulations on inward facing cameras in taxis and other public transportation including ride sharing services?

A quick check on the websites of both the Personal Data Protection Commission (PDPC) and the Ministry of Transport (MOT) does not seems to indicate Malaysia has issued any guidelines on inward facing cameras in taxis and other public transportation including ride sharing services.

Back in 2014, PDPC issued a Proposal Paper seeking public consultation under the heading Guide on the Management of CCTV under the Personal Data Protection Act 2010 where it aims to provide guidelines for an individual or organisation in the management of CCTV under the PDPA. There were no guidelines issued subsequent to the Proposal Paper nor were there any guidelines issued in relation to the subject matter.

Prior to this recent episode, the Association of Taxi Industry Development, set up by taxi owners in Hong Kong, had in fact, back in May 2016 called on the Hong Kong government to make CCTV mandatory for taxis after a pilot scheme that ran for a month with cameras installed in 20 taxis was hailed a success. The association took advice from the Office of the Privacy Commissioner for Personal Data whereby drivers are required to notify passengers to the presence of such cameras, such as through a "prominent notice" in the vehicle or through a booking confirmation, ensure that the recordings are secure and viewing done in appropriate circumstances, such as at the request of the police. Privacy was already cited back then in May 2016 about this but apparently no regulation or assurance was proposed or implemented. 

Everyone was so caught up with the expose of the celebrity couple that a lot of questions were left unanswered such as:-

  1. was it a taxi or a ride hailing vehicle or a private vehicle?

  2. if it is a taxi, did the vehicle displayed a notice prominently to warn passengers that the taxi have video cameras?

  3. how did the tabloid have possession of the video? Did it hacked into the taxi system or the taxi driver released the video to the tabloid in exchange for monetary rewards?

Following the brouhaha, and it appears to be an afterthought, the Hong Kong Transport Department issued a statement to say that a guideline is now being drafted for the taxi sector regarding installing such devices in their vehicles because of privacy concerns.

Singapore was way ahead of Hong Kong in addressing this issue. Their Personal Data Protection Commission (PDPC) had in April 2018 issued advisory guidelines allowing taxis and ride sharing vehicles to install inward facing cameras with the condition that drivers are not allowed to upload videos on social media. Immediately in the following month, in May 2018, their Land Transport Authority (LTA) issued a guideline complementing the advisory guidelines issued by the PDPC, requiring taxis, private hire cars, and buses to seek LTA's approval before installing inward-facing video cameras in their vehicles.

The LTA guidelines were more detail and it sets out the following for the vehicle owners to adhere to:-

  1. These devices can be installed only at LTA-approved installation centres to ensure that the inward-facing cameras are installed according to the manufacturer's and LTA's requirements, and to prevent them from being tampered with,

  2. The recording devices have to be secured such that unauthorised people cannot get access to or download the data. For example, the memory card slot should be locked, and access to the micro USB port should be blocked,

  3. They also must be installed in a fixed position and cannot be rotated to capture comprising visual records of passengers, nor must they have any audio recording function to prevent recording of passengers' conversations,

  4. Footage taken by these cameras must also have a clearly indicated date and time stamp, the vehicle's licence plate number, so as to facilitate investigations should there be a misuse of recorded footage, 

  5. Drivers are required to notify passengers to the presence of such cameras, such as through a "prominent notice" in the vehicle or through a booking confirmation,

  6. Only government agencies and LTA-authorised "data controllers" such as taxi companies, will be allowed to access the recorded footage to support investigations and enforcement efforts, in cases such as fare evasion by commuters or alleged offences by the driver,

  7. Drivers are also required to carry out periodic checks to ensure that their cameras have not been tampered with. They must report any sign of tampering or non-compliance with LTA's guidelines to LTA immediately.

In the UK, CCTVs are already fitted in many taxis but is only mandatory under a small number of licensing authorities in the UK – about 3% last year and NOT nationwide. The Department for Transport in the UK has just recently launched a consultation to make it mandatory for taxis and minicab drivers in England and Wales to install CCTV in their vehicles. The push for action on the installation of CCTV in taxis and minicab was apparently driven by a spate of  abuse of passengers and drivers alike and fare evasion by passengers.

As for privacy issues, the Information Commissioner's Office defined that for the purpose of the installation and operation of in-vehicle CCTV, the "data controller" is the company, organisation or individual which has decided to have a CCTV system installed and operating within the vehicle. The data controller is ultimately responsible for how the images are stored and used and determines in what circumstances the images should be disclosed.  The data controller is responsible for complying with all relevant data protection legislation, as well as being legally responsible for the use of all images including any breaches of privacy and data protection legislation.

In Australia, it specifically states that security camera systems in a taxi are to be used in a manner that protects the privacy of drivers and the public. Any image produced from a security camera system shall not be reproduced in any form other than as authorised by Guidelines issued and the owner cannot use a recording made by a security camera system for a purpose other than an authorised purpose. The operator of a taxi must also cause any video recording made by a security camera system to be disposed of in accordance with sub-clause (2) within 30 days after the recording was made.

In summarising the above, there is obviously one glaring issue that are missing in the discussions on the installation of inward facing cameras and privacy issue in taxis and ride sharing vehicles. In the guidelines issued, the authorities in all the above countries assumed that the owners and drivers are aware and practice safe internet 'hygeine' in ensuring that data and images they recorded are not hacked by cyber criminals. If the CCTVs are installed by the taxi companies themselves, then it is presumed that these companies would have the necessary protection to ensure the data collected from their fleet of vehicles are safely stored. But what about those taxis which are individually owned and for car owners participating in those ride sharing platforms - does the authorities in these countries assumed these individuals to install the necessary firewalls and antivirus software in their personal network? Now that the case in HK has shown how lucrative an expose of a celebrity is to a tabloid - where click on to the tabloid shot through the roof - cyber criminals might zoom in and target the CCTVs of the taxis and other for hire vehicles.

In Malaysia, it is not known how prevalent or widespread are where owners of taxis or ride sharing vehicles have installed inward facing cameras in their vehicles. We believe the numbers could be quite staggering - reason being the owners are installing it for their own safety rather than capturing the videos of their passengers and selling it to 3rd parties.

Isn't it time for MCMC, the Personal Data Protection Commission and the Ministry of Transport to come together and look into reviewing the regulations on inward facing cameras in our public transportation? 


bottom of page