A True Case of Data, Power, and the Limits of the Law
It began not with a knock, but with a letter.
On 23 November 2018, the Inland Revenue Board of Malaysia (LHDN) sent Genting Malaysia Berhad an official request. It asked for something precious—not money, but data. Names, IC numbers, addresses, even information on casino winnings and losses. Genting’s entire customer database, especially those who had transacted over RM1 million.

The Revenue was fishing. But it wasn’t clear if they were allowed to cast that net.
Chapter One: The Quiet Giant
Genting Malaysia Berhad—a name synonymous with leisure, hotels, and gaming—operates one of the most iconic resorts in Southeast Asia. Every year, millions flock to its mountaintop casino. Each customer who joined the Genting Rewards Loyalty Programme signed up voluntarily, sharing private data: names, passport numbers, addresses, and more. In return, they received perks. But never did they imagine that their personal data would one day be demanded by the tax authorities.
Genting refused.
Their reply was polite but firm: “We are not a club. We do not collect membership fees. And we cannot share this data—it is protected under the Personal Data Protection Act 2010 (PDPA).”
But LHDN pushed back. Again. And again.
Chapter Two: Letters and Leverage
In the months that followed, more letters arrived. Then came emails. Then came threats—subtle ones. LHDN hinted that Genting’s refusal could be criminal. Section 81 of the Income Tax Act 1967 (ITA), they claimed, gave them broad powers to demand any information from any person. And under section 39(b)(ii) of the PDPA, such disclosures were allowed if authorised under any law.
But Genting didn’t budge. Behind the scenes, their lawyers were growing alarmed.
If they gave in, they might face civil suits—or worse, criminal prosecution under the PDPA.
If they refused, they risked action under the ITA.
They were trapped in a legal pincer.
Chapter Three: The Twist
Then came the turning point.
On 12 November 2019, Genting received an email from LHDN. It enclosed a letter from the Deputy Commissioner of the Personal Data Protection Department. The letter stated that Genting “may disclose” the personal data under section 39(b)(ii) of the PDPA, because LHDN was acting under section 81 of the ITA.
The letter changed everything.
Genting saw it for what it was: not a neutral clarification, but a green light for LHDN to proceed with its data demand. They believed the Data Commissioner had abdicated their duty—to protect privacy—and sided with the tax authority instead.
And so, Genting filed a judicial review.
Chapter Four: Into the Courts
The High Court agreed with Genting.
Justice Noorin Badaruddin ruled that both the PDPA and the ITA must be interpreted harmoniously, and not in a way that guts privacy protections. She held that:
- The PDPA protects customer data unless there is a clear legal obligation for disclosure.
- LHDN’s sweeping demand for all customer data was a fishing expedition.
- A mere letter from the Data Commissioner cannot shield Genting from liability or override legal obligations.
- Any such interpretation would undermine the constitutional right to privacy under Article 5(1) of the Federal Constitution.
In a landmark rebuke, the court declared that Genting had the right to say no. Data, even in the hands of corporations, deserved protection.
Chapter Five: The Final Card
But the story didn’t end there.
LHDN appealed. The Court of Appeal overturned the High Court’s decision, holding that the judicial review was filed out of time. The Federal Court agreed. Genting’s challenge failed—not on substance, but on timing.
In March 2025, the apex court dismissed Genting’s leave application. The clock had run out.
Reflections from the Edge
This case reveals a chilling truth: the balance between state power and individual privacy is a knife’s edge.
The High Court’s reasoning remains a vital guide for the future:
- Data disclosure is not automatic just because another law authorizes it. Statutory interpretation requires that specific protections under PDPA prevail over general obligations under the ITA, following the principle of generalia specialibus non derogant.
- Consent is conditional, and only meaningful if informed, lawful, and not coerced.
- Regulators must act within their scope—they cannot confer immunity from prosecution or dictate legal interpretations beyond their mandate.
Legal Takeaways
The court considered and clarified the application of several key provisions:
⚖️ Personal Data Protection Act 2010
- Section 39(b)(ii) – Disclosure may be made where authorised under any law. The court stressed this is discretionary, not mandatory.
- Section 8 – The “Disclosure Principle” prohibits release of personal data unless conditions are met.
- Section 45(2)(a)(iii) – Exemptions only apply where data is processed for the purpose of tax assessment. That was not the case here.
⚖️ Income Tax Act 1967
- Section 81 – Gives the Director General of Inland Revenue (DGIR) powers to obtain information in relation to tax matters, but it is not a license for broad, non-targeted data collection.
- Section 120(1)(a) – Penalizes refusal to provide information—but only where the request is valid under the law.
⚖️ Federal Constitution
- Article 5(1) – Protects the right to personal liberty, including the right to privacy (per Sivarasa Rasiah and Muhamad Juzaili).
⚖️ Key Case Authorities
- Malaysian Bar v. Ketua Pengarah Hasil Dalam Negeri – Bar Council successfully challenged DGIR’s blanket data request. Court held that the ITA cannot override specific confidentiality protections.
- Wee Choo Keong v. Ketua Pengarah Perkhidmatan Awam – Even administrative letters may constitute decisions amenable to judicial review.
- PP v. Dato’ Seri Anwar Ibrahim (No 3) – A direction can be couched as a request, yet still carry the force of a decision if there is pressure to comply.
Closing Thoughts
The Genting case is a warning—and a lesson. As our world grows more data-driven, corporations, regulators, and the public must remember this:
Privacy is not a luxury. It is a right. And in the hands of the wrong authority, data can become a weapon.
Let us not gamble with the trust that customers place in us. For in the game of law, some bets are too costly to make.
Important Notice.
This article was prepared to provide educational information for our readers. Please do not treat it as a substitute for legal advice from a qualified lawyer.
This case was prepared based on the reported cases of Genting Malaysia Berhad v Pesuruhjaya Perlindungan Data Peribadi & Ors [2021] MLRHU and Genting Malaysia Berhad v. Director General Of Inland Revenue (LHDN) [2025] MLRAU 97.