On April 30, 2026, Kuala Lumpur City Hall (DBKL) and the Royal Malaysia Police (PDRM) announced that the capital's network of roughly 10,000 high-definition CCTV cameras now runs live facial recognition, geo-fencing, and behavioural analysis, with feeds pooled at the Kuala Lumpur Command and Control Centre (KLCCC) and shared directly between the two agencies. KL Mayor Datuk Seri Fadlun Mak Ujud put it plainly: "Once we scan a person's face, we can easily locate him if he is a crime suspect, as long as he is still in Kuala Lumpur." The build-out has cost about RM500 million (roughly US$126 million) since 2020. Facial data, the mayor said, is retained for 60 days.
This is one of the most consequential surveillance deployments in Southeast Asia this year. It deserves a clear-eyed assessment rather than reflexive alarm — and a clear-eyed assessment is precisely what should worry a government that believes in the open internet and proportionate rules.
The case for the cameras is real
Start with the strongest version of the official argument, because it is not trivial. Public safety is a legitimate state interest, and the cameras sit in public spaces where the expectation of privacy is genuinely lower. DBKL and PDRM report that real-time face matching and vehicle geo-fencing have made suspect tracking materially faster — police cite an improvement of roughly 50% in detection and investigation efficiency. The Rakyat Post, drawing on official figures, reported snatch theft in the city fell 57.6% across 2025 and that reported crime dropped by half. Communications Minister Hannah Yeoh argued there is "no issue of privacy intrusion, as the CCTV cameras are only installed in public areas."
If those crime figures hold up, they matter to the actual residents of a dense capital. A pro-innovation publication should not pretend that a city deploying modern tooling to cut violent street crime is doing something self-evidently wrong. The objection is not to cameras, or even to facial recognition as such. It is to the order of operations.
Malaysia built the system before it built the rules
Malaysia switched on biometric mass surveillance with no statute that specifically governs facial recognition, no independent review board, and no published mechanism for a misidentified person to find out, contest, or correct the record. That is not an oversight at the edges; it is the structure.
The country's main privacy law, the Personal Data Protection Act 2010 (Act 709), does not reach the people now running the cameras. Section 3 of the Act — confirmed on the Personal Data Protection Department's own site — states that it "does not apply to the Federal Government and the State Government." DBKL and PDRM are exactly the public bodies the Act carves out. So the single most important biometric processor in the country sits outside the only comprehensive data-protection regime the country has.
That gap is not closed by recent reform. The Personal Data Protection (Amendment) Act 2024, passed in July 2024 and rolled out in phases through 2025, was a genuine step forward: it reclassified biometric data as sensitive personal data, mandated 72-hour breach notification, created Data Protection Officer obligations, and raised penalties to RM1 million. But all of that binds private "data controllers." The government exemption survived the amendment untouched. The law now treats your fingerprint and faceprint as sensitive precisely when a private company holds them — and as unregulated when the state scans them off a lamppost.
Nor does soft law fill the hole. Malaysia's National Guidelines on AI Governance & Ethics, released by MOSTI on September 20, 2024, are explicitly a voluntary framework. Voluntary principles are useful for steering a market; they are not a substitute for binding limits on a 10,000-camera system that can follow a named individual across a city.
Function creep is the default, not the exception
The KLCCC's own portal describes the centre as "a data center that gathers all information and all movements that occur on the road," combining "video surveillance, data collection and digitization, data analysis and AI solutions." That is an honest description of an architecture built to do far more than catch snatch thieves. Behavioural analysis that flags "suspicious movements" is, by design, a tool for pre-emptive scrutiny of people who have done nothing — and the line between a snatch-theft suspect and a protester, a journalist's source, or a political opponent is drawn entirely by whoever controls the console. As EFF argued in its May 2026 guide on resisting surveillance abuses, the danger is normalization: a capability built for one stated purpose becomes the permanent baseline, available to whoever next holds power.
The 60-day retention figure illustrates the problem. It is a number announced by a mayor at a press conference, not a limit set by statute, audited by an independent body, or enforceable by a court. A promise that can be revised by the same official who made it is not a safeguard.
What proportionate governance would require
None of this requires Malaysia to rip out its cameras. It requires the rules to catch up to the hardware — ideally before, not after. A proportionate framework would, at minimum:
- Close the government exemption for biometric processing, so PDRM and DBKL face the same sensitive-data duties the 2024 amendment imposes on everyone else.
- Put retention, purpose, and access limits in law, not in a press statement — with face-match logs subject to independent audit.
- Create a redress path: notification thresholds, a route to contest a false match, and a regulator with the power to order deletion.
- Require published accuracy and bias testing, given the well-documented error rates of facial recognition on darker-skinned and female faces.
Malaysia has shown it can legislate quickly and well on data — the 2024 amendments prove it. The same legislative energy now needs to be pointed at the most powerful surveillance system the country has ever switched on. Innovation in public safety is welcome. Doing it inside a rights vacuum is not innovation; it is just risk, deferred.