
23 Jan 2024
Addressing Copyright Infringement and Challenges in AI Training
In this article, we highlight the overlooked risk of copyright infringement in the training process and offer best practices to safeguard against legal challenges.
11 March 2025
Personal Data Breach Notification in Malaysia: A Legal Guide for Compliance
The recent amendments to the Personal Data Protection Act 2010, implemented through the Personal Data Protection (Amendment) Act 2024 (the “Amendment Act”), brought about several additional legal obligations on the part of data controllers in Malaysia. One key obligation that has stirred up much discussion among the Malaysian public is the obligation for data controllers to notify the Personal Data Protection Commissioner (“PDPC”), and possibly the data subjects, in the event of a personal data breach.
When the Amendment Act was first published, it raised many questions. Are all personal data breaches required to be notified regardless of the scale and impact? How does one carry out a personal data breach notification? When should a personal data breach notification be carried out? What information should be provided in a personal data breach notification? Fortunately, the PDPC issued a circular and guidelines on data breach notification on 25 February 2025 (the “Circular and Guidelines”), which shed some light on these questions.
This article summarises a data controller’s obligations in handling a personal data breach, particularly the procedures for undertaking a data breach notification as set out in the Circular and Guidelines.
1. What is a Personal Data Breach?
To determine when a data controller is required to carry out a data breach notification, we first need to understand what constitutes a personal data breach. The term “personal data breach” is defined under the Personal Data Protection Act 2010 (the “PDPA”) as “any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data”. Most would associate a personal data breach with the action of an external party intending to cause harm, such as a malicious threat actor hacking into the IT system of a data controller to steal its information, including personal data stored by the data controller. The Circular and Guidelines make it clear, however, that given the broad definition of the term “personal data breach”, it also covers breaches caused internally by the personnel of the data controller, whether accidental or deliberate. As such, data controllers need to be mindful that a personal data breach also extends to scenarios where a rogue employee steals personal data maintained by the company, or where a careless employee accidentally sends an email containing personal data of customers to a third party. Essentially, it can be said that as long as the personal data being processed by a data controller is accessible or has been accessed by a third party unintentionally, there is a personal data breach.
2. When is a Personal Data Breach Required to be Notified?
Under the PDPA, a data controller has two (2) data breach notification obligations: one to the PDPC and the other to the data subjects. The triggers for each of these obligations differ, and data controllers should consider separately whether each notification obligation applies.
(i) Data breach notification to the PDPC
In the event of a personal data breach, a data controller should first assess whether there is a need to notify the PDPC of the incident. According to the Circular and Guidelines, the PDPC is only required to be notified of a personal data breach if it causes or is likely to cause “significant harm”. A personal data breach is considered to cause or be likely to cause “significant harm” if there is a risk that the compromised personal data:
• may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
• may be misused for illegal purposes;
• consists of sensitive personal data;
• consists of personal data and other personal information which, when combined, could potentially enable identity fraud; or
• is of significant scale in that it would affect more than one thousand (1,000) data subjects.
If any one of the five (5) scenarios above is met, a personal data breach is considered to be of significant harm, and the data controller should notify the PDPC accordingly.
(ii) Data breach notification to the data subjects
Once a data controller has established the need to notify the PDPC of a personal data breach, it should then consider whether there is also a need to notify the affected data subjects of the breach. Similarly, a data controller is only required to notify data subjects of a personal data breach if the breach results in or is likely to result in “significant harm” to the data subjects. A personal data breach is considered to result in or be likely to result in “significant harm” to the data subjects if there is a risk that the compromised personal data:
• may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property of impacted data subjects;
• may be misused for illegal purposes;
• consists of sensitive personal data; or
• consists of personal data and other personal information which, when combined, could potentially enable identity fraud towards the affected data subjects.
If any of the four (4) scenarios above is met, a data controller will have to notify the affected data subjects of the personal data breach, in addition to notifying the PDPC.
3. What is the Timeframe to Carry Out Data Breach Notification?
The Circular and Guidelines prescribe a fixed timeframe for the carrying out of data breach notification:
(i) Data breach notification to the PDPC
A data breach notification to the PDPC should be made within seventy-two (72) hours from the data controller having been informed of the breach or having detected an incident that entails a personal data breach.
(ii) Data breach notification to the affected data subjects
If data breach notification to data subjects is required, it has to be carried out within seven (7) days of the PDPC having been notified of the same personal data breach.
4. How to Carry Out a Data Breach Notification?
Likewise, the Circular and Guidelines also prescribe the manner in which the data breach notification should be carried out.
(i) Data breach notification to the PDPC
When notifying the PDPC of a personal data breach, a data controller is required to use the notification form published by the PDPC on its official website and submit the completed form to the PDPC either in hard copy or by email to dbnpdp@pdp.gov.my.
Completing the notification form is relatively straightforward, as it only requires the data controller to provide its basic information and some details about the personal data breach. What is tricky is that the data controller is also required to additionally submit the following information:
a) Details of the personal data breach, including:
• the date and time the personal data breach was detected by the data controller;
• the type of personal data involved and the nature of the breach;
• the method used to identify the breach and the suspected cause of the incident;
• the number of affected data subjects;
• the estimated number of affected data records; and
• the personal data system affected, which resulted in the breach;
b) the potential consequences arising from the personal data breach;
c) the chronology of events leading to the loss of control over personal data;
d) the measures taken or proposed to be taken by the data controller to address the personal data breach, including steps implemented or planned to mitigate the possible adverse effects of the breach;
e) measures taken or proposed to be taken to address the affected data subjects; and
f) the contact details of the data protection officer or any other relevant contact person from whom further information on the personal data breach may be obtained.
Given that it may take time for a data controller to collate the additional information required as highlighted above, it is possible for the data controller to first submit only the notification form to the PDPC to meet the 72-hour timeline, and to provide the additionally required information subsequently in phases, as long as they are provided within thirty (30) days from the date of submission of the notification form.
(ii) Data breach notification to the affected data subjects
In the case of notifying the affected data subjects of personal data breach, it is a requirement under the Circular and Guidelines that the data controllers provide direct and individual notifications to each of the affected data subjects. Essentially, every single one of the affected data subjects needs to receive individual notification directed at them to inform them of the personal data breach. Examples of methods through which data controllers can notify data subjects are email, SMS, direct messaging, and postal communication.
If however, it is impractical or requires a disproportionate effort for the data controller to provide direct notification to each of the affected data subjects, such as in cases where it would result in excessive financial burden on the data controller due to the sheer number of data subjects, or where it would be difficult for the data controller to ascertain the contact details of the data subjects, the data controller can opt for public communication (through notification on the data controller’s website, publication of notice in printed media or social media) of data breach notification.
The notification to the affected data subjects is required to contain, at a minimum, the following information concerning the personal data breach:
• the details of the personal data breach that has occurred;
• details of the potential consequences resulting from the personal data breach;
• measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
• measures that the affected data subjects may take to eliminate or mitigate any potential adverse effects resulting from the data breach; and
• the contact details of the data protection officer or other contact point from whom more information regarding the personal data breach can be obtained.
Conclusion
Data breach notification is certainly not as straightforward as most would have preferred it to be. We can appreciate, however, the need for such extensive information to be furnished during data breach notification, given that a personal data breach could have a disastrous adverse impact on data subjects. Data controllers should take their data breach notification obligations seriously. Otherwise, in addition to negative publicity and financial penalty, the management of the data controllers may also be individually exposed to the possibility of a jail term. Having a trusted legal adviser or a well-qualified data protection officer will certainly help data controllers comply with these statutory obligations.
At Halim Hong & Quek, our Technology Practice Group has extensive experience in data protection law and has advised clients across various industries on managing data breaches, including regulatory notifications, risk mitigation, and legal compliance. We are well-equipped to assist businesses in responding to data breaches efficiently while ensuring full compliance with the law. Should you require guidance on handling a personal data breach or strengthening your data protection framework, our team is ready to support you.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my
More of our Tech articles that you should read:
• The Future of Digital Assets and Blockchain in Malaysia: Key Developments for 2025 and Beyond
• Key Impacts of the Online Safety Bill 2024
• The Symbiotic Relationship Between Cyber Insurance and Compliance in Navigating Data Breaches and Cyber Security Incidents
19 February 2025
Malaysia: Investing In
This country-specific Q&A provides an overview of Investing In laws and regulations applicable in Malaysia.
HHQ's corporate partners, Dato' Quek Ngee Meng and Noelle Low Pui Voon provide key insights into:
• Regulatory frameworks & investment structures: Key legislation governing foreign direct investment (FDI), sectoral restrictions, and compliance requirements for businesses entering the Malaysian market.
• Foreign Investment incentives & business opportunities: Malaysia’s economic outlook, tax incentives, and strategic sectors attracting global investors.
• Mergers & Acquisitions in Malaysia: Legal considerations, due diligence requirements, and transaction structuring for cross-border deals.
📖 Read the full guide here: https://www.legal500.com/guides/chapter/malaysia-investing-in/
Malaysia continues to be a strategic hub for investors, with a strong economic outlook, a business-friendly environment, and a well-regulated financial system. This guide serves as a comprehensive resource for foreign investors, corporations, and legal professionals navigating the Malaysian market.
About the authors
Dato' Quek Ngee Meng, Managing Partner, Halim Hong & Quek. queknm@hhq.com.my
Noelle Low Pui Voon, Partner, Halim Hong & Quek. noelle.low@hhq.com.my
14 February 2025
Reporting of Online Harmful Content
The Online Safety Bill 2024 (the “Bill”) is set out to do exactly one thing – to enhance and promote online safety in Malaysia. In our earlier article titled “Key Impacts of the Online Safety Bill 2024”, we have discussed the key changes brought forth by the Bill. As highlighted in that article, one of the mechanisms under the Bill in ensuring the online safety in Malaysia is the introduction of an online harmful content reporting system.
Once the Bill is in force, licensed applications service providers (“ASPs”) and licensed content applications service providers (“CASPs”) in Malaysia will be under a statutory obligation to provide means for users of their services to report any content on their services which the users believe to be harmful. Upon receiving any such report, the ASPs or CASPs will have to deal with the report strictly in the manner prescribed under the Bill, failing which the ASPs and CASPs may be exposed to a statutory fine.
In this article, we are going to examine the duties of the ASPs and the CASPs in maintaining and observing the online harmful content reporting mechanism as established under the Bill.
Online Harmful Content Reporting Mechanism
1. Receiving of Online Harmful Content Report
When a user reports on a harmful content, the ASPs or CASPs will have to assess the report within the timeline prescribed under the Bill. If the subject matter of the report is assessed as not harmful, or the subject matter is or has already been the subject of another report, the newly received report will then be dismissed by the ASPs or CASPs. If however the subject matter of the report is determined to be potentially harmful, the ASPs or CASPs will then have to assess if the content being reported can be considered as priority harmful content or harmful content.
2. Assessment of Online Harmful Content
Where the subject matter of a report is determined by an ASP or CASP to be priority harmful content, it will have to be immediately disabled or made inaccessible on the services operated by the ASP or CASP for a prescribed period of time. Otherwise, if it is only “harmful content” instead of “priority harmful content”, the ASP or CASP generally has discretion on whether or not the content should be made inaccessible, likely based on the “extent” of harm that the ASP or CASP perceives such content may bring. Likewise, if the ASP or CASP does decide to disable access to the harmful content, it will have to be for the period prescribed under the Bill.
At present, the Bill has categorised “harmful content” and “priority harmful content” as follows:
(a) Harmful Content
• Content on child sexual abuse material as provided for under section 4 of the Sexual Offences against Children Act 2017;
• Content on financial fraud;
• Obscene content including content that may give rise to a feeling of disgust due to lewd portrayal which may offend a person’s manner on decency and modesty;
• Indecent content including content which is profane in nature, improper and against generally accepted behaviour or culture;
• Content that may cause harassment, distress, fear or alarm by way of threatening, abusive or insulting words or communication or act;
• Content that may incite violence or terrorism;
• Content that may induce a child to cause harm to himself;
• Content that may promote feelings of ill-will or hostility amongst the public at large or may disturb public tranquillity; and
• Content that promotes the use or sale of dangerous drugs.
(b) Priority Harmful Content
• Content on child sexual abuse material as provided for under section 4 of the Sexual Offences against Children Act 2017; and
• Content on financial fraud.
In the event an ASP or CASP does proceed to disable the access to a priority harmful content or harmful content for the period prescribed under the Bill, the ASP or CASP will have to reevaluate or reaffirm its decision pertaining to the disabled content during the period prescribed under the Bill. If pursuant to the re-evaluation the ASP or CASP maintains that the content is either a priority harmful content or harmful content, it will have to permanently disable the access to such content on its service. On the other hand, if the ASP or CASP determines that the content is neither a priority harmful content nor harmful content, the ASP or CASP will then have to resume the access to the content on its service.
3. Request for Inquiry
The maker of the report or the maker of the content (as the case may be) who is aggrieved by the decision of an ASP or CASP can formally request that the relevant ASP or CASP inquire into its action. Essentially, in the face of such a request, an ASP or CASP will have to review its decision vis-à-vis an online harmful content to determine if it wishes to change its decision. At this stage, the outcome of the ASP or CASP will be final. If a user wishes to further challenge the decision of the ASP or CASP, it will have to report the matter to the Malaysian Communications and Multimedia Commission.
For a flowchart illustration of the online harmful content reporting mechanism, please see below:
Assessing an Online Harmful Content Report
As elaborated in the earlier section of this article, assessing whether or not a piece of content is a priority harmful content or harmful content may not be an entirely easy feat. While the Bill does provide listings of content to be considered harmful, ASPs and CASPs will still have to exercise their own discretion to assess whether a reported content falls within the listings of content prescribed under the Bill. Considering that the ASPs and CASPs are required to act on an online harmful content report swiftly and timely in accordance with the timeline prescribed under the Bill, it would be crucial for there to be a predetermined guiding principle or internal policy document that could aid the content moderating teams of the ASPs and CASPs in determining whether contents are harmful. The guiding principle or internal policy document should also set out the relevant timeframe that the content moderating teams should adhere to when dealing with an online harmful content report so that compliance with the Bill can be achieved.
If you would like to know more about the Online Safety Bill 2024, you may reach out to the partners at the Technology Practice Group of Halim Hong & Quek for further enquiries. The Technology Practice Group frequently works with software and tech companies on their compliance matters, deployment, projects and regulatory affairs. The team is well equipped with the skill set and expertise to assist on your next initiative.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my
3 February 2025
The Symbiotic Relationship Between Cyber Insurance and Compliance in Navigating Data Breaches and Cyber Security Incidents
As we enter 2025, a growing number of legal inquiries we receive concern the compliance requirements under the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024, particularly around personal data breach and cyber security incident notifications.
In this evolving digital landscape, organizations and in-house legal teams must recognize a critical reality that the occurrence of a personal data breach or cyber security incident is no longer a question of “if” but “when.” Therefore, the real urgency now lies in ensuring preparedness to comply with these new mandatory notification obligations. In particular, the Personal Data Protection (Amendment) Act 2024 imposes a mandatory data breach notification requirement when a data controller has reason to believe that a personal data breach has occurred, and similarly, under the Cyber Security Act 2024, an NCII Entity must also submit a cybersecurity incident notification when it comes to its knowledge that a cybersecurity incident has or might have occurred. Non-compliance with these mandatory notification obligations carries severe penalties, including substantial fines and imprisonment, making it imperative for organizations to enhance their regulatory and compliance policies.
To assist organizations in understanding these mandatory notification obligations under both the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024, we have published a number of legal articles and recorded legal podcasts that provide detailed explanation of the legal framework governing personal data breach and cybersecurity incident notifications, detailing the triggering mechanisms, notification processes, and the legal consequences of non-compliance. Therefore, in this article, we will shift our focus to an equally critical but often overlooked aspect of data breach and cyber security management, which is cyber insurance.
Cyber Insurance: A Critical Component of Cyber Risk Management
Whenever an organization experiences a personal data breach or cybersecurity incident, one of the first questions we ask when assisting them with notification obligations is whether the company has cyber insurance coverage.
While cyber insurance is a well-established concept globally, it is still relatively new in Malaysia. However, the introduction of breach notification obligations under both the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024 has increased its relevance, making it an essential component of modern risk management strategies.
In this article, we aim to cover three key aspects: (i) what cyber insurance is, (ii) how cyber insurance is useful in the event of a personal data breach or cybersecurity incident, and (iii) three key takeaways to consider when evaluating a cyber insurance policy.
What is Cyber Insurance?
Cyber insurance, also known as cyber liability insurance, is a specialized insurance policy designed to protect businesses and individuals from the financial and operational impact of cyber threats, data breaches, and other digital risks. A typical cyber insurance policy will cover a wide range of digital risks, including data breaches, ransomware attacks, business interruption due to cyber incidents, and liability arising from the loss of sensitive customer information.
Depending on the type of cyber insurance, a policy may offer first-party coverage, which covers expenses and losses incurred directly by the insured as a result of a cyber incident, or third-party coverage, which addresses liabilities arising from claims made by external parties, such as clients, customers, or business partners, who suffer damages due to the organization's cyber incident. Common coverages typically included in cyber insurance policies are data breach response, covering the costs associated with responding to a data breach; business interruption, covering lost revenue and profit caused by a cybersecurity incident; forensic investigations and incident response costs; and other associated legal fees.
How Cyber Insurance Helps in a Data Breach or Cyber Security Incident
Cyber insurance is an invaluable asset in the event of a personal data breach or cyber security incident, as outlined above. In the case of a personal data breach, the data controller is required to lodge a data breach notification under the Personal Data Protection (Amendment) Act 2024, as failure to comply may result in a fine of up to RM250,000 or imprisonment for up to 2 years, or both. Similarly, in the event of a cyber security incident, the NCII Entity is required to make cyber security incident notification under the Cyber Security Act 2024, and non-compliance can lead to a fine of up to RM500,000, imprisonment for up to 10 years, or both.
Based on our experience with data breach notifications, organizations that have suffered a data breach and gone through a similar notification process can attest that it is both a complicated and costly undertaking. Notification goes beyond simply reporting the data breach, as it also requires the preparation and submission of additional independent reports, such as forensic investigation and compromise assessment reports. These reports often necessitate the involvement of external independent parties, including computer forensic experts and cybersecurity service providers, which adds significant costs to the notification process. Therefore, in many cases, it is only during the notification process that companies fully realize the substantial costs required to complete the entire procedure. These costs do not even account for the expenses related to data recovery and restoration, crisis management, or losses caused by business interruption.
This is where cyber insurance becomes crucial, as in the event of a personal data breach or cybersecurity incident, all the associated costs, particularly those for notification, crisis management, forensic investigations, and business interruption losses, are typically covered by cyber insurance – these are expenses that organizations often fail to budget for and are frequently unexpected, placing a significant burden on the business. Hence, with the right cyber insurance in place, law firms and insurers can work closely with organizations to ensure seamless compliance and financial protection.
Three Key Takeaways When Evaluating a Cyber Insurance Policy
When evaluating a cyber insurance policy, the most suitable option will ultimately depend on the specific needs of each organization. While this is not an exhaustive list, there are 3 key takeaways that organizations should consider when assessing a cyber insurance policy:
1. Coverage Scope: First-Party vs. Third-Party Coverage
The first and arguably most important consideration is the coverage scope, specifically whether the policy provides first-party coverage or third-party coverage.
The key difference is that first-party coverage protects against direct losses incurred by the insured organization, such as expenses related to system recovery, business interruption, or ransomware payments. In contrast, third-party coverage addresses liabilities arising from claims made by clients, partners, or other external parties affected by a cyber incident.
The choice between the two depends largely on the organization’s business model. If the business handles a large volume of sensitive client data, third-party coverage is crucial to protect against lawsuits and regulatory claims following a data breach. Conversely, if the primary concern is the operational impact of a cyber incident on internal systems, first-party coverage may be more relevant.
2. Incident Response and Notification Support
The second key takeaway is to assess the incident response and notification support included in the policy.
A well-structured cyber insurance policy should cover forensic investigation costs for hiring cybersecurity experts to determine the origin, scope, and impact of the cyberattack. It should also provide legal support and cover compliance costs required to meet regulatory notification requirements. In addition, organizations should ensure that the policy includes coverage for data recovery and system restoration expenses, including any loss of income due to business interruption caused by the attack. Some policies may also extend to public relations expenses to help manage reputational damage following an incident.
3. Policy Exclusions and Limitations
Lastly, it is crucial to understand policy exclusions, which set out what is not covered under the cyber insurance policy. It is important to note that different cyber insurance policies may have different exclusions and limitations. Common exclusions typically include negligence, where the organization fails to implement basic cybersecurity measures; losses caused by intentional or malicious acts of employees within the organization; and cyberattacks that are considered acts of war, terrorism, or attributed to nation-state actors.
Therefore, it is essential to understand the exclusions and limitations within the cyber insurance policy in order to decide which policy would work best for the organization.
Conclusion
With the implementation of the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024, organizations must go beyond strengthening their regulatory and compliance frameworks. A well-drafted and comprehensive cyber insurance policy is equally critical. In the event of a personal data breach or cybersecurity incident, cyber insurance plays a pivotal role in mitigating financial and operational risks, covering various losses, including additional expenses incurred in the notification process.
If your organisation requires further insights into data breach or cybersecurity incident notification requirements, please reach out to the Technology Practice Group. Our team has extensive experience in these areas and is well-versed in navigating the evolving regulatory landscape.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my
3 February 2025
The Future of Digital Assets and Blockchain in Malaysia: Key Developments for 2025 and Beyond
The digital assets and blockchain scene in 2024 has been notably positive, with more ups than downs and numerous headline-grabbing developments. Many of these were highlighted in our previous articles and podcast recordings on HHQ Legal Insight. As we look ahead to the outlook for Malaysia’s digital assets, blockchain, and cryptocurrency landscape in 2025 and beyond, it is worthwhile to revisit some of the key global developments from 2024 that will undoubtedly shape what lies ahead for Malaysia.
One of the most significant and potentially historic milestones in 2024 was the launch of Spot Bitcoin ETFs in the United States by the Securities and Exchange Commission in January 2024. This approval marked a pivotal point for the digital assets industry, as since its launch, Spot Bitcoin ETFs have experienced remarkable success, with billions of dollars in inflows. To put this into context, the inflows for Spot Bitcoin ETFs have significantly outpaced those of other asset class ETFs in their very first year. The Spot Bitcoin ETFs have quickly become one of the most successful and popular investment vehicles of 2024, and their approval and strong performance sent a clear global signal, reinforcing the growing acceptance of digital assets as institutional investments with increasing regulatory recognition and support.
Another pivotal event in 2024 was Bitcoin’s halving, which took place in April 2024. For context, Bitcoin has a capped maximum supply of 21 million coins, and its protocol ensures that no more Bitcoins can be produced once this limit is reached. Bitcoin halving is a scheduled event that reduces the mining reward for validating a Bitcoin block by 50%, occurring approximately every four years. Historically, miners received 50 BTC per block at Bitcoin’s inception. Following successive halving events, this reward decreased to 25 BTC in 2012, 12.5 BTC in 2016, 6.25 BTC in 2020, and most recently, 3.125 BTC after the April 2024 halving. Each halving is significant for Bitcoin’s ecosystem, as it reduces the rate at which new Bitcoins enter circulation, increasing the asset’s scarcity. This scarcity effect was compounded by the concurrent introduction of Spot Bitcoin ETFs, which spurred consistent institutional purchases of Bitcoin. Notably, halving events are also recognized as the start of new four-year market cycles – historically, these cycles have seen Bitcoin’s price reach new all-time highs following halving events. True to this pattern and supported by increased demand driven by Spot Bitcoin ETFs, Bitcoin achieved a new all-time high of over $108,000 in December 2024, marking the onset of a new bull market in digital assets.
Adding to this global momentum, the recent election of Donald Trump to a second term as President of the United States has sparked speculation about the potential creation of a Strategic Bitcoin Reserve by the U.S. government, akin to national gold reserves. If implemented, such a move would further validate Bitcoin and digital assets as legitimate investments, driving up demand as the U.S. acquires significant amounts of Bitcoin.
Globally, 2024 has marked significant advancements in the digital assets, blockchain, and cryptocurrency sectors. Closer to home, Malaysia stands on the cusp of transformative change, offering an opportunity to assess what lies ahead in 2025 and beyond. Drawing from our ongoing observations and engagements with market leaders and regulators, we anticipate 5 key developments that will shape Malaysia’s digital assets and blockchain landscape. Greater clarity in regulatory frameworks is expected to emerge, enabling the following transformations:
1. The Emergence of Stablecoins in Malaysia
The adoption of stablecoins, particularly those denominated in Ringgit Malaysia, is expected to gain momentum with further regulatory clarity, as stablecoins play a pivotal role in the digital asset ecosystem as blockchain-based digital currencies. Unlike fiat currencies or electronic monies, they fulfill unique functions that traditional monetary systems cannot fully replace.
Recent discussions and proposals regarding the launch of stablecoins in Malaysia highlight the growing demand for such assets; however, a comprehensive regulatory framework governing stablecoins has yet to be established. Stablecoins come in various forms (algorithmic, crypto-backed, commodity-backed, and fully fiat-backed), each with distinct operational mechanisms. With the increasing push for real-world asset (RWA) tokenization, the demand for regulatory clarity in this space is undeniable, and we trust that it is only a matter of time before clearer frameworks are introduced.
2. Legal Recognition of Cryptocurrencies and Digital Assets as Payment Instruments
The potential legal recognition of cryptocurrencies and digital assets for payment purposes is another critical regulatory area to monitor. Beyond fiat currencies and electronic monies, there is a growing call for greater flexibility in recognizing cryptocurrencies and digital assets as legitimate payment instruments, as many companies are now considering launching tokens intended for use as payment tools within business ecosystems. However, unlike stablecoins, which are designed to maintain value stability, these tokens often fluctuate in value based on supply and demand. Therefore, as usage of these assets increases, it is without doubt that regulatory frameworks will need to be updated to properly address their functionality as payment instruments alongside fiat currencies and electronic monies.
3. Regulations for Real-World Asset Tokenization
The tokenization of RWA presents a significant opportunity for Malaysia, as virtually any tangible or intangible asset, such as intellectual property, real property, land, wine, watches, treasuries, or bonds, can be tokenized. This RWA tokenization mechanism holds immense potential; however, it also raises critical questions regarding the legal rights attached to tokenized assets and the frameworks required to protect the interests of token holders.
Clear regulatory guidance will be essential, particularly on matters such as whether these tokens can generate yields or returns and how legal rights, such as land rights, can be incorporated into RWA tokens. As Malaysia advances toward embracing RWA tokenization, we anticipate the introduction of more comprehensive regulatory guidelines to address these complexities and support sustainable growth in this space.
4. Regulatory Clarity for Decentralized Finance
Decentralized Finance (DeFi) represents a rapidly expanding market with significant potential to complement traditional financial systems. DeFi encompasses a wide range of applications, including lending platforms, peer-to-peer mechanisms, swapping services, and insurance solutions. As blockchain technology continues to advance, the growth of DeFi applications accelerates correspondingly.
While DeFi innovation holds the potential to drive substantial advancements in financial services, certain segments such as insurance DeFi, lending DeFi, and peer-to-peer DeFi, which are among the most prevalent in the DeFi market, face significant regulatory challenges. These activities often fall under regulated frameworks and typically require licenses to operate. However, due to the decentralized nature of DeFi, even companies willing to undergo the regulatory process to obtain licenses may not meet traditional requirements, as DeFi operates fundamentally differently: it relies on smart contracts and eliminates the need for intermediaries and trustees, which are integral components of conventional regulatory models. As a result, we foresee greater regulatory clarity in the area of DeFi to provide structure and security while fostering continued growth and innovation.
5. Increased Institutional Adoption of Blockchain Technology
Finally, we anticipate greater institutional adoption of blockchain technology in Malaysia. Following global trends, local companies are increasingly exploring how blockchain can unlock value and new monetization opportunities. This development is expected to drive demand for blockchain expertise, which remains scarce. Companies are positioning themselves to address this talent gap, emphasizing the importance of nurturing expertise in this domain.
Conclusion
Based on our close conversations with key stakeholders and matters actively handled by the Technology Practice Group, it is evident that there is growing demand for clearer regulatory frameworks in Malaysia’s digital assets and blockchain landscape. While regulatory development often lags behind innovation, particularly in a fast-evolving space like blockchain, we are pretty confident that 2025 and beyond will bring significant regulatory progress in the industry.
If your organization seeks to better understand stablecoins, payment instruments, RWA tokenization, decentralized finance, or blockchain technology adoption, the Technology Practice Group is highly experienced in these fields and their corresponding legal developments. Please feel free to reach out to us, and we would be delighted to assist.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
3 February 2025
THE BAD WORDS CASE – Can Words Like ‘Bastard, F*ck, F*cker’ Uttered By a Person in the Midst of Anger Amount to Defamation?
The Court of Appeal in the case of Sathish Kumar Ayyaswamy & Anor v Peeran Syed Mohamed Syed Mahaboob [2025] MLJU 33 addressed the appeal against the High Court's decision to strike out the Plaintiffs' Statement of Claim under Order 18 rule 19(1)(a) of the Rules of Court 2012.
For ease of reference, parties will be referred to as they were in the High Court. The Appellants were the Plaintiffs whereas the Respondent was the Defendant. The appeal was filed by the Plaintiffs against the High Court's decision to strike out their defamation claim. The case revolved around alleged defamatory remarks made by the Defendant during a meeting. The appeal focused on whether the Statement of Claim disclosed a reasonable cause of action for defamation, emphasizing the requisite elements for defamation.
Background Facts
The 1st Plaintiff is the Construction Manager of Poratha Corporation Sdn Bhd (“PCSB”). The 2nd Plaintiff is the Managing Director of PCSB. The Defendant was a former Director of ATB Sdn Bhd (“ATB”) and is also a Trading & Marketing Manager of Vitol Trading Malaysia Ltd (“VTML”).
ATB appointed HQC Engineering Sdn Bhd (“HQC”) as its contractor for a project known as ATB PU at Tanjung Bin, Johor (“Project”). Subsequently, HQC appointed PCSB as its sub-contractor for the Project. ATB and PCSB entered into a Letter of Undertaking (“LOU”), pursuant to which ATB undertook to underwrite HQC’s payments to PCSB.
On 25.11.2021, the Defendant went to PCSB’s site cabin and requested a brief meeting with the 1st Plaintiff, purportedly to discuss an alleged discrepancy pertaining to an outstanding payment for the Project. During the meeting, the Defendant allegedly used abusive and defamatory language, including words such as “bastard, big shot, periya pudinggi, f*ck, f*cker, your boss is a bastard” (“Impugned Words”) directed at both the Plaintiffs. The 1st Plaintiff claimed that the verbal abuse occurred in the presence of PCSB workers, potentially damaging their professional reputations.
On 24.2.2022, the Plaintiffs filed a defamation suit against the Defendant, alleging that the Impugned Words uttered by the Defendant harmed their reputations. On 18.5.2022, the Defendant filed an application to strike out the Statement of Claim, arguing that it disclosed no reasonable cause of action.
High Court
On 31.5.2023, the High Court allowed the Defendant's application to strike out the Plaintiffs' claim on the grounds that it did not disclose a reasonable cause of action for defamation. The High Court held that the profanities uttered, such as “bastard, big shot, periya pudinggi, f*ck, f*cker, your boss is a bastard”, were not defamatory but merely abusive. The High Court also held that a mere statement in the Plaintiffs’ Statement of Claim that a group of employees overheard the Impugned Words, without explicitly elaborating on their identities, is not sufficient to support the Plaintiffs’ averment that the element of publication to a third party is sustainable.
Based on the reasons above, the High Court dismissed the defamation suit and struck out the Plaintiffs' claim.
Court of Appeal
The Court of Appeal overturned the High Court's decision and held that on the face of the pleadings in the Statement of Claim, the Plaintiffs had pleaded the requisite facts to establish all the three elements necessary for a cause of action in defamation, namely the Impugned Words: (i) were defamatory; (ii) referred to the Plaintiffs; and (iii) were published to a third party. The Court of Appeal further held that whether the Impugned Words amount to defamation or not can only be determined through viva voce evidence during trial from the third parties who were there and heard the Impugned Words. The Plaintiffs are only required to show that there is a reasonable cause of action and even if it is not likely to succeed at trial, it is no ground for a claim to be struck out.
Conclusion
Following the Court of Appeal’s decision, on 2.9.2024, the Defendant obtained leave to appeal to the Federal Court. With leave to appeal to the Federal Court now granted, it will be interesting to see what the Federal Court decides in dealing with defamation, particularly slander.
About the author
Tey Siaw Ling
Senior Associate
Employment and Industrial Relations,
Alternative Dispute Resolution
Harold & Lam Partnership
siawling@hlplawyers.com
3 February 2025
ESG Compliance: The Role of Due Diligence in Supply Chain Management
Companies are increasingly held accountable for the ethical and sustainable practices of their supply chains. As Environmental, Social and Governance (ESG) considerations become central to business operations, due diligence in supply chain management is not only a corporate responsibility but also a legal and strategic necessity. The urgency of robust supply chain management has been underscored by recent allegations of labour exploitation in Malaysia’s electronics sector, emphasizing the critical need for businesses to prioritize ESG compliance.
ESG compliance involves meeting regulations and standards governing environmental stewardship, social responsibility and governance practices. Compliance ensures transparency, mitigating risk and preventing issues like greenwashing and social washing.
Due Diligence in Supply Chain Management
Supply chain due diligence involves the process of identifying, preventing, mitigating and addressing adverse ESG impacts linked to a company’s operations, supply chain or business relationships. Beyond risk management, it demonstrates a company’s commitment to ethical practices, environmental preservation and protecting workers’ rights across its value chain.
In Malaysia, challenges such as labour exploitation, environmental degradation and weak governance in supply chains have become critical concerns. Companies that fail to perform adequate due diligence may expose themselves to legal penalties, reputational damage and even disruptions to their business operations. International scrutiny, such as bans on products linked to labour violations, can result in costly recalls, diminished investor confidence and loss of market opportunities.
Malaysia Legal Framework & Guideline in Supporting ESG Due Diligence in Supply Chain Management
Malaysia’s legal landscape and guidelines provide a foundation for businesses to embed ESG due diligence practices within their supply chains. The key laws and regulations include:
1. Employment Act 1955 (Revised 1981) (Act 265)
Act 265 is the cornerstone piece of labour legislation that outlines the minimum standards and protections for employees. It regulates the relationship between employers and employees, ensuring fair treatment, equitable compensation and protection of workers’ rights. The Act prescribes legal standards for employment contracts, working hours, leave entitlements and termination procedures. The Act is the foundation for protecting workers' rights and ensuring ethical practices in supply chains, making it a critical aspect of ESG compliance in Malaysia.
2. Anti-Trafficking in Persons and Anti-Smuggling of Migrants Act 2007 (Act 670)
Act 670 (ATIPSOM) is aimed at combating human trafficking and migrant smuggling. It imposes stringent penalties for violations and mandates protective measures for victims. For companies, compliance with ATIPSOM is essential for ESG due diligence in supply chain management, ensuring prevention of exploitation, the protection of workers' rights and the promotion of ethical business operations and practices.
3. Employees’ Minimum Standards of Housing, Accommodations and Amenities Act 1990 (Act 446)
The latest amendment to Act 446, which took effect on 1 June 2020, mandates that workers are provided with adequate housing and essential amenities that comply with the minimum standards required under the Act, emphasizing the importance of maintaining their dignity and well-being. It aims to safeguard worker welfare and uphold ethical practices in employment. Companies are required to ensure that workers are afforded safe, healthy and decent living and working conditions. A safe and healthy workplace environment is equally vital to prevent work-related accidents, injuries and illnesses, aligning with ESG principles and responsible business conduct.
4. Occupational Safety and Health Act 1994 (Act 514)
Act 514 (OSHA) provides the legal framework for workplace safety and health standards, mandating employers to maintain safe working environments, conduct risk assessments and provide training to mitigate occupational hazards. The 2024 amendments to OSHA introduce additional obligations and safeguards aimed at further enhancing workplace safety and compliance. For a detailed overview of these amendments, please refer to our article: Overview of Key Amendments to Occupational Safety and Health Act 1994.
5. National Wages Consultative Council Act 2011 (Act 732)
This Act governs the establishment, implementation and enforcement of minimum wages across various sectors. It empowers the council to regulate and periodically review minimum wage levels, ensuring fair compensation for workers and addressing income disparities within the workforce. By prioritizing wage compliance in supply chain due diligence, companies can demonstrate their commitment to social responsibility and governance, while contributing to sustainable economic development.
6. Passports Act 1966 (Revised 1974) (Act 150)
The Act governs the issuance, possession and handling of passports and travel documents. While primarily focused on immigration and travel, it holds significant relevance for ESG compliance and supply chain management by addressing issues such as passport retention, a common indicator of forced labour and worker exploitation. Under the Act, companies are prohibited from retaining the workers’ passports. Withholding such personal documentation, thereby restricting workers' access or creating a perception that they cannot leave their employment without risking the loss of their passports, constitutes a violation. Adherence to this legislation is essential for ensuring ethical labour practices and preventing exploitation within supply chains.
7. Environmental Quality Act 1974 (Act 127)
Act 127 (EQA) establishes the legal framework for environmental compliance across Malaysia. It is supplemented by subsidiary legislation, including environmental orders, rules and regulations, which provide comprehensive provisions governing specific environmental areas such as air quality, noise pollution, waste management and water resources. The 2024 amendments to Act 127 entail more stringent measures to control environmental pollution, such as stricter penalties and expanded enforcement powers of the relevant authorities. Adherence to the EQA and its subsidiary legislation is therefore essential for ensuring compliance with environmental standards and promoting sustainable practices.
8. Simplified ESG Disclosure Guide (SEDG)
SEDG is an initiative by Capital Markets Malaysia (CMM), an affiliate of the Securities Commission Malaysia (SC), designed to assist small and medium-sized enterprises (SMEs) in meeting ESG disclosure requirements. By consolidating commonly required ESG disclosures, SEDG provides a streamlined framework to enhance data transparency and availability, facilitating alignment with global standards.
By adopting the SEDG, Malaysian SMEs can improve the availability and transparency of ESG data, thereby strengthening their positions within global supply chains and contributing to sustainable economic development. The guide also serves as a valuable resource for larger corporations seeking to assess and enhance ESG compliance within their supply chains, ensuring alignment with international standards and local requirements.
Global Trends in Supply Chain Due Diligence and Their Implications for Malaysia
There has been a growing focus on human rights abuses by corporations within their supply chains, including issues like forced labour, human trafficking and modern slavery. These problems have been found in various industries. Companies must also align with international guidelines such as:
1. European Union’s Corporate Sustainability Due Diligence Directive (CSDDD)
The CSDDD imposes stringent obligations on companies operating within or trading with the EU. These obligations include identifying, preventing, and mitigating adverse ESG impacts throughout supply chains. Malaysian companies exporting to the EU must ensure compliance with these requirements to maintain market access, uphold business continuity and avoid potential sanctions.
2. German Supply Chain Due Diligence Act (LkSG)
This legislation mandates companies in Germany to conduct robust due diligence across their supply chains to address various human rights risks. These risks are defined as situations where there is a significant likelihood, based on factual evidence, of violating specific prohibitions outlined by the Act. Organizations are obligated to monitor and address such violations not only within their own operations but also in the operations of their direct suppliers and customers. This obligation extends to all stages of the supply chain, from the extraction of raw materials to the delivery of goods, whether these activities occur within Germany or abroad.
For Malaysian companies, this means adhering to stricter ESG standards to maintain their business relationships with EU-based companies. Comprehensive due diligence must be undertaken to ensure that labour practices, environmental sustainability, and governance standards align with EU requirements. Non-compliance may lead to termination of contracts with EU partners, as European procurers are likely to favour suppliers who present minimal ESG risks.
Conclusion
As ESG considerations increasingly shape the global business landscape, Malaysia has taken proactive steps to establish a robust framework that supports due diligence in supply chain management. Through a combination of legal mandates and practical resources like SEDG, businesses are empowered to meet the evolving expectations of stakeholders, align with international standards, and promote ethical and sustainable practices.
Effective due diligence not only helps companies comply with regulatory requirements but also enhances their competitiveness within global supply chains, mitigates reputational risks, and fosters trust with stakeholders. Prioritizing ESG compliance and embedding due diligence into their supply chain strategies will enable Malaysian businesses to contribute to a sustainable and equitable future while securing long-term value and global market relevance.
About the author
Janice Ooi Jia Ming
Senior Associate
ESG Practice Group
Halim Hong & Quek
jmooi@hhq.com.my
3 February 2025
Acquiring Land in Malaysia
Acquiring land involves a complex process that differs substantially from purchasing a residential or commercial property. The complexities arise from factors such as the nature of the land, its intended use and regulatory requirements that must be satisfied before ownership transfer.
The purpose of acquiring land is a key factor in shaping the terms of a sale and purchase agreement (“SPA”). Purchasers may seek land for various reasons, including the construction of residential, commercial, or industrial properties, land banking, long-term investment, potential resale, or for operational purposes, such as setting up factories, warehouses, or other essential infrastructure that supports the purchaser's business objectives.
Each of these purposes requires tailored considerations and obligations within the SPA to meet the purchaser’s specific needs, as well as to establish the necessary conditions precedent, and the overall timeline for completion.
A condition precedent is an event or condition that must be satisfied before the SPA becomes effective or before any obligations are required from either party involved. These conditions ensure adherence to legal, regulatory, and practical requirements.
Here are some conditions precedent you might find in a SPA:
1. Restriction in interest (Sekatan Kepentingan)
Restriction in interest is defined under Section 5 of the National Land Code (Revised-2020) (“NLC”). It refers to the limitations imposed by the State Authority on dealings involving the land. If a land title is subject to restrictions in interest, prior written consent from the State Authority shall be obtained before proceeding with any transactions. Typical consents include consent to transfer the land, consent to charge the land, and/or consent to lease the land.
2. Acquisition by a non-citizen or a foreign company
Section 433B of the NLC provides that a non-citizen or a foreign company may acquire land only after obtaining prior approval from the State Authority. The approval may be granted subject to the payment of a prescribed levy. The non-citizen or foreign company is required to pay the levy within the stipulated timeframe. The State Authority shall not exempt the payment of the levy unless in accordance with the direction of the National Land Council.
3. Economic Planning Unit (EPU) Approval
EPU Approval may be required for certain property acquisitions pursuant to the EPU’s Guideline on the Acquisition of Properties (effective 1 March 2014) (“Guideline”). The transactions subject to EPU Approval are (i) direct acquisition of property valued at RM20 million and above, resulting in the dilution of the ownership of property held by Bumiputera interest and/or Government agency; and (ii) indirect acquisition of property by other than Bumiputera interest through the acquisition of shares, resulting in a change of control of the company owned by Bumiputera interest and/or Government agency, having property more than 50 percent of its total assets, and the said property is valued at more than RM20 million.
4. Estate Land Board approval
Section 214A (1) of the NLC provides that no estate land can be transferred, conveyed or disposed of in any manner whatsoever unless approval for such transfer, conveyance or disposal is first obtained from the Estate Land Board. Estate land is defined as any agricultural land held under one or more than one title the area or the aggregate area of which is not less than 40 hectares and the alienated lands constituting such area are contiguous.
5. Change of land use or conditions
If the land is intended for a use different from what is endorsed on the land title, the developer or landowner must obtain approval to convert the land use category or amend the express conditions to align with the purchaser’s intended purpose.
6. Surrender and re-alienation
Surrender and re-alienation is a land development mechanism that enables changes to conditions, restrictions, and land categories. This land exercise can be carried out simultaneously with land subdivision or amalgamation, allowing for the restructuring of land use or conditions to meet development requirements.
7. Consent from the interested party
If the land is charged, assigned, or caveated by a financial institution or any third party having an interest in a land, prior written consent from the caveator or relevant party is required. This consent is required for submitting certain applications to the authorities or for the commencement of the SPA.
8. Withdrawal of existing approval, development order and termination of services of the consultants and contractors
To withdraw all and any existing approvals and applications submitted to the authorities related to the land; to terminate the services of, and settle all fees, expenses and claims of, the consultants, contractors and/or subcontractors in relation to the land; and to deliver to the purchaser the relevant letters of withdrawal of the existing applications and orders in relation to the land and the relevant letters of discharge of the said consultants, contractors and/or subcontractors.
9. State and Condition of the Land
To ensure the land is free of tenants, squatters, or unauthorized occupants or structures and that it is delivered with the infrastructure aligned with the intended purpose of the acquisition.
Conclusion
Acquiring land, especially for development purposes, often requires careful analysis, thorough consideration, and meticulous negotiation. Conditions precedent can be a strategy for acquirers to ensure that certain conditions must be met before the transaction can proceed. It is therefore advisable for each party to engage their own legal advisors to navigate the complexities of the acquisition, the drafting of the agreement, and all related legal aspects. This approach ensures that both parties gain a comprehensive understanding of the benefits and potential challenges, and that all agreed-upon terms are precisely and accurately captured in the SPA.
About the author
Lim Yoke Wah
Partner
Real Estate
Halim Hong & Quek
yokewah@hhq.com.my
3 February 2025
Navigating Sexual Harassment Complaints in the Workplace: Employment Act 1955 vs. Anti-Sexual Harassment Act 2022
Introduction
In Malaysia, the 2 key pieces of legislation that provide a framework for addressing sexual harassment complaints in the workplace are:
• Employment Act 1955 (“EA 1955”)
• Anti-Sexual Harassment Act 2022 (“ASHA 2022”)
Pursuant to Section 2 of EA 1955, "sexual harassment" is defined to mean any unwanted conduct of a sexual nature, whether verbal, non-verbal, visual, gestural or physical, directed at a person which is offensive or humiliating or is a threat to his well-being, arising out of and in the course of his employment.
On the other hand, the definition of sexual harassment in ASHA 2022 is similar to that in EA 1955, albeit in a much broader sense, as ASHA 2022 does not limit itself to the context of the workplace.
While both aim to protect victims and penalize harassers, each presents different procedures and remedies. Understanding the distinctions between these two legal frameworks can help individuals or victims decide which avenue could best achieve their desired outcome.
(A) Under the Employment Act 1955
The EA 1955 makes it mandatory for employers to inquire into, investigate and make findings on all sexual harassment complaints involving their employees. In this regard, the mechanism under the EA 1955 can largely be viewed as employer-led investigation.
The framework under the EA 1955 lays down the procedures to handle sexual harassment complaints, and implications for failure to comply with the statutory provisions.
An employer may refuse to inquire further into the complaint by giving reasons in writing for the refusal within 30 days of the complaint, if-
• The complaint had previously been inquired into but was not proven; or
• The complaint is frivolous, vexatious, or is not made in good faith.
If, upon inquiry, the employer concludes that there is merit to the complaint and is satisfied that sexual harassment has been proven, the employer may implement any of the following disciplinary actions, whichever is most appropriate in the given circumstance:-
• Dismissing the employee without notice;
• Downgrading the employee; or
• Imposing any other lesser punishment as the employer deems just and fit, and where the punishment of suspension without wages is imposed, it shall not exceed a period of 2 weeks.
A complainant dissatisfied with the refusal of the employer to inquire into the complaint may refer the matter to the Director General of Labour (‘DGL’) whereupon the DGL may:-
• Direct the employer to conduct an inquiry if the DGL is of the opinion that the matter ought to be inquired into; or
• Agree with the employer’s decision not to conduct the inquiry and no further action will be taken.
The DGL can intervene and assume the role of inquiring into a complaint and make a finding if the employer neglects, fails or refuses to act. Failure on the part of the employer to comply with its obligations under the EA 1955 constitutes an offence which, upon conviction, may result in a fine of up to RM50,000.00.
A key characteristic of the Employment Act route is its relative informality and speed. Investigations often mirror a domestic inquiry, allowing the employer to resolve the matter internally. Much of the process remains within company walls to preserve workplace harmony, and it could avoid unnecessary attention or public scrutiny for both parties.
However, if the perpetrator/harasser holds a senior or managerial position, there may be a real risk of an imbalance in power dynamics which would compromise the investigation’s objectivity, leading to a biased outcome.
Therefore, the procedures under the Employment Act can be an effective choice if:-
• Swift redress within the organization is desirable;
• There is no risk of bias, or imbalance in power dynamics, which could compromise the investigation process; or
• The victim will be sufficiently content with the internal disciplinary action to be taken against the perpetrator/harasser if the complaint is proven.
(B) Anti-Sexual Harassment Act 2022
The ASHA 2022 establishes an independent Tribunal to hear complaints, creating a structured and impartial forum that helps mitigate the risk of bias sometimes seen in employer-led investigations particularly where power imbalances exist.
Under ASHA 2022, the victim or complainant of sexual harassment must initiate the proceeding at the Tribunal, thereby playing a more active role in establishing the complaint, presenting the relevant evidence, and testifying in trial before the Tribunal. While representation by a lawyer is generally limited, it is typically allowed if the case involves complex legal issues.
Once the complaint is lodged, the Tribunal will set a hearing date and aims to deliver a decision within 60 days from the first day of hearing. Each Tribunal sitting consists of 3 panel members, at least 1 of whom is female, and hearings are closed to the public, reflecting ASHA 2022’s commitment to privacy and confidentiality.
The Tribunal’s proceedings go beyond the conventional internal disciplinary approach, allowing for wider remedies which the Tribunal is empowered to grant, such as:-
• A formal statement of apology to be issued by the perpetrator, in the manner as sought by the victim and as granted by the Tribunal;
• Monetary compensation or damages up to RM250,000.00 to be paid by the perpetrator to the victim;
• An order compelling either party to attend any programme as the Tribunal thinks necessary; or
• Any ancillary or consequential order or relief which the Tribunal deems fit and just to give effect to the Award.
A Tribunal Award must be complied with within 30 days from the date of the Award; failure to do so constitutes an offence punishable with a fine, imprisonment, or both.
(C) Choosing the Most Suitable Self-Help Avenue
Deciding which avenue better suits the victim’s circumstances depends on several considerations as follows:-
• Desired Remedies: EA 1955 centers on disciplinary actions to be taken by a company, whereas the Tribunal of ASHA 2022 can award a wider range of remedies as explained above.
• Nature of the Harassment: If the harasser holds a position of power or there is a significant risk of bias in an employer-led investigation, pursuing a case under ASHA 2022 may provide a more impartial and independent process.
• Time & Cost Considerations: Internal inquiries can often be completed quickly if management is responsive and cooperative. On the other hand, proceedings under ASHA 2022 are likely to be slower and could involve legal fees when the services of legal practitioners are engaged.
• Workplace Impact: Internal proceedings are generally less disruptive, especially if the parties continue working together. External proceedings, while impartial, may strain workplace relationships more significantly.
Conclusion
EA 1955 and ASHA 2022 each provide distinct mechanisms for addressing workplace harassment. Choosing the right approach depends on the victim's specific needs, workplace dynamics, and desired outcomes.
Ultimately, a respectful and harassment-free workplace is a right every employee deserves. By understanding the key differences in scope and operation between these 2 legal frameworks, affected parties can make informed decisions that uphold justice and protect workplace dignity and well-being.
About the authors
Chau Yen Shen
Principal Associate
Dispute Resolution & Employment
Halim Hong & Quek
yschau@hhq.com.my
3 February 2025
CIPAA 2012: Can Adjudication Begin Without a Formal Contract?
Intisari Mulia Engineering Sdn Bhd v TUV SUD (Malaysia) Sdn Bhd [W-02(C)(A)-538-04/2023]
Introduction
Adjudication has been introduced as a mechanism to promptly resolve payment disputes in the construction industry. However, to initiate such a proceeding, certain legal requirements must be met, including the existence of a contract made in writing which is related to construction works. This case explains this requirement in detail, providing readers with insights into the types of disputes that can be resolved through adjudication.
Parties
The Respondent (TUV) is a sub-contractor engaged by the Appellant (Intisari) in two projects. Under the arrangement between the parties, which is not governed by a written contract, Intisari was to claim TUV’s work done from the Main Contractors, namely Aker Solutions Malaysia Sdn Bhd and Air Products Malaysia Sdn Bhd, with 95% of the claimed amount remitted to TUV, while Intisari would retain 5% as its commission.
Facts
Intisari breached the payment arrangement agreed by the parties. When a payment dispute arose, TUV initiated an adjudication proceeding under the Construction Industry Payment and Adjudication Act 2012 (“CIPAA 2012”) against Intisari. The claim, which was based on documents such as purchase orders, invoices and correspondences, was allowed by the Learned Adjudicator. The High Court subsequently allowed TUV’s application to enforce the Adjudication Decision and dismissed Intisari’s application to set aside the Adjudication Decision, which led to the present appeal.
It is not disputed that no formal written contract was entered into between the parties. This was also acknowledged by the Learned Adjudicator and the High Court Judge. It is TUV’s position that there was an exchange of correspondence, purchase orders, invoices and partial payment between TUV and Intisari, all of which fall within Section 2 of CIPAA 2012.
Issue
The main issue before the Court of Appeal was whether the Learned Adjudicator had jurisdiction to adjudicate the claim in the absence of a written construction contract between the parties.
Decision
The Court of Appeal answered the issue in the negative, and allowed the appeal. The Court held that to initiate an adjudication proceeding, the claimant must be able to prove (1) the existence of a construction contract made in writing; and (2) that the construction contract must relate to construction work carried out wholly or partly within Malaysia.
First element: As to what amounts to a construction contract made in writing, the court aligned with the wide interpretation adopted by various precedents, both locally and in other common law jurisdictions, which includes written documents that can demonstrate the existence of a construction contract between the parties. Accordingly, the purchase orders, invoices, and correspondences (“Documents”) in the present case were deemed to constitute a construction contract made in writing.
Second element: However, the Documents must be strictly interpreted to ensure they relate to construction work as described under Section 4 of the CIPAA 2012.
Upon perusal of the Documents, the Court of Appeal reached the conclusion that TUV had not adduced any evidence to show that the outstanding sums claimed in the Payment Claim against Intisari are based on a construction contract which relates to construction work(s) within the meaning of Section 4 of CIPAA 2012. Since the Documents in the present case merely state what is being supplied but do not reveal and/or describe the nature of the work or reference the construction work for which the supplies are made, they were deemed not to relate to construction work.
As TUV failed to discharge the burden of proving that the Documents, though they may be considered a construction contract in writing, relate to construction work(s), the Court found that TUV had improperly procured the Adjudication Decision and that the Learned Adjudicator had acted in excess of his jurisdiction.
Conclusion
Whilst a liberal approach has been taken by the judges in interpreting whether a document may be considered a construction contract made in writing, it is important for the unpaid party to ensure that the relevant document (which purportedly forms the contract between the parties) clearly states the nature of the work, which must relate to construction works.
About the authors
Felicia Lai Wai Kim
Senior Associate
Adjudication, Construction & Engineering Disputes
Harold & Lam Partnership
felicia@hlplawyers.com

Leong Yu Jing
Pupil-in-Chambers
Construction & Energy
Harold & Lam Partnership
15 January 2025
Key Impacts of the Online Safety Bill 2024
The Passing of the Online Safety Bill 2024
The Malaysian Parliament passed the Online Safety Bill 2024 (the “Bill”) in December 2024. The Bill is an effort by the Malaysian government to combat the proliferation of harmful online content. In this generation where Web 2.0 largely dominates the lives of many, it is important for the government to start paying attention to not just physical safety, but also online safety, and the Bill sets out to do just that.
When will the Online Safety Bill 2024 become law?
As mentioned earlier, the Bill was only recently passed in December 2024. It has to be presented for Royal Assent before it can be gazetted and come into force on a date to be appointed by the Minister of Communications. As at the date of this article, we are still awaiting further information.
Who will this affect?
The Bill, when it comes into effect, is set to affect three (3) groups of people:
(i) Applications Service Providers – refers to persons who provide services by means of (but not solely) one or more network services (generally those who provide internet access services, messaging services);
(ii) Content Applications Service Providers – refers to persons who provide services which provide content by means of (but not solely) one or more network services (generally those who provide terrestrial radio broadcasting, subscription broadcasting, satellite broadcasting);
(iii) Network Service Providers – refers to persons who provide services for carrying communications by means of guided and/or unguided electromagnetic radiation (generally those who provide cellular mobile services, bandwidth services, broadcasting distribution services).
The Applications Service Providers (“ASPs”) and the Content Applications Service Providers (“CASPs”) are the most affected by the Bill. As readers will see in the following sections of this article, the Bill primarily imposes obligations and requirements on the ASPs and the CASPs, with minimal obligation on the part of the Network Service Providers (“NSPs”). This is understandably so given that ASPs and CASPs are typically the ones that operate and maintain the social media and applications that we netizens spend most of our free time on.
Obligations and requirements under the Bill
The Bill seeks to introduce a series of requirements and obligations on the part of the ASPs and CASPs, with the aim of better regulating the online safety of users of the applications and/or services operated and maintained by the ASPs and CASPs. Without going into details, we are setting out here in this article the obligations and requirements that we find to be most crucial:
1. Mechanism for reporting and handling harmful content
The first on the ranking has got to be the harmful content reporting mechanism that the Bill seeks to introduce. As fellow users of social media, most of us are definitely familiar with the “Report” button (sometimes in the form of a red exclamation mark “!” or “flag” symbol) on the applications that we use. The feature essentially allows users to report user-generated content and flag it to the platform operator or service provider for their attention. The reason for reporting is usually that the content features false information, nudity or sexual activity, violence-inducing elements, or generally matters that could cause users or the public at large to feel uncomfortable, harassed or unsafe. Following the receipt of a report, the ASPs and CASPs are required to review the report and respond in the manner prescribed under the Bill.
Local social media platform operators or service providers will now have no choice but to incorporate this content reporting mechanism in their applications. Essentially, users of applications and social media will now have the power to regulate the conduct of the online communities that they are in, putting safety into the hands of the users. We will be covering in a separate article the detailed working of the harmful content reporting mechanism sought to be introduced by the Bill.
2. Publication of User Guidelines
Similarly, many online platforms, websites, applications and social media would have a document setting out the terms and conditions that users are bound by while using the applications or services. The document may go by the name “Terms of Service” or “Terms of Use”.
The Bill seeks to make it compulsory for ASPs and CASPs to prepare and publish on their services user guidelines which will essentially contain the provisions found in online terms and conditions. In addition, the user guidelines will also need to incorporate a description of the measures implemented by the ASPs and CASPs to mitigate the risk of exposure to harmful content.
Similar to the user guidelines, the Bill would also require the ASPs and CASPs to prepare an Online Safety Plan, detailing how their obligations under the Bill are being complied with. The form and minimum information required in the Online Safety Plan will be prescribed later, presumably through a regulation or guideline to be published by the relevant regulators.
3. Self-manage online safety
Once the Bill comes into force, it will also be mandatory for ASPs and CASPs to implement tools or settings on their services for users to be able to manage their online safety themselves. While this requirement may sound rather ambiguous, the Bill does make it clear that at the minimum the users must be able to prevent or limit other users from identifying, locating or communicating with them.
4. Introduction of mechanism for user assistance
The Bill is also seeking to make it compulsory for ASPs and CASPs to introduce a mechanism on their services for user assistance. Essentially, the services operated by the ASPs and CASPs will soon need to have features that allow users to raise concerns and obtain more information with respect to online safety, as well as to make enquiries.
5. NSPs to Restrict Access to Harmful Content
It can be said that the NSPs will only have to be really concerned with one requirement under the Bill – the obligation to restrict the relevant parts of their network services to make harmful content permanently inaccessible to all users of their network services. The Bill seeks to empower the Malaysian Communications and Multimedia Commission to instruct NSPs to disable access on their network services to any online content that is determined to be harmful.
How can the ASPs, CASPs and NSPs prepare for the Bill?
The Bill is rather clear in terms of the requirements that it seeks to impose on the relevant service providers in Malaysia. In order for the ASPs, CASPs and NSPs to prepare for the imminent coming into force of the Bill, the following steps are recommended:
(a) Understanding the requirements of the Bill – It would be crucial for the affected service providers to undertake a thorough examination of the Bill to assess the requirements that are applicable to them. As mentioned earlier, most of the requirements under the Bill are applicable to ASPs and CASPs. Some of these requirements would require the ASPs and CASPs to make changes to their services on a technical and operational level, and hence early preparation would be key.
(b) Conducting gap analysis – Having identified the requirements under the Bill that are applicable to the ASPs and CASPs, a gap analysis will be helpful to ascertain which of these requirements are not being met. The existing services offered by the ASPs and CASPs may already have some online safety mechanisms sought to be made compulsory through the Bill, but they may not yet be at the standards that the Bill is expecting them to be.
(c) Change implementation for compliance with the Bill – The last step of preparation is obviously to implement the relevant changes to the services of the ASPs and CASPs to bring them into conformity with the requirements under the Bill. It is advisable for the IT team / developers, compliance team and legal team of the ASPs and CASPs to work together while implementing the new changes to ensure that they are compliant with the Bill.
If you are an Applications Service Provider, Content Applications Service Provider or a Network Service Provider and would like to know more about the Online Safety Bill 2024, please do not hesitate to contact the partners from our Technology Practice Group (contact details below) for more information. Our Technology Practice Group frequently works with online service providers and platform operators, including on compliance with local laws, and will definitely be able to assist you with your undertaking.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my
7 January 2025
Preparing for the Personal Data Protection (Amendment) Act 2024: A Three-Stage Implementation Plan
As we enter 2025, one of the most highly anticipated pieces of legislation being closely monitored by in-house counsels and regulatory departments is undoubtedly the implementation of the Personal Data Protection (Amendment) Act 2024. The Personal Data Protection (Amendment) Act 2024 is poised to bring significant legal and regulatory changes to data privacy, building upon the framework established by the Personal Data Protection Act 2010 when it was first introduced.
Staged Implementation of the Personal Data Protection (Amendment) Act 2024
The Personal Data Protection (Amendment) Act 2024 has officially come into operation in 2025, but its implementation will not occur all at once. Instead, it will be rolled out in three stages, commencing on 1 January 2025, followed by 1 April 2025, and lastly on 1 June 2025.
It is important to note that these three stages of implementation are not equal in terms of their seriousness and impact. The amendments introduced in the first stage are relatively modest and are unlikely to impose substantial changes on organizations. However, the second and third stages will usher in more significant amendments, demanding heightened attention and thorough preparation, particularly as the implementation progresses. This article aims to provide a broad overview of what will transpire at each stage of implementation, including key takeaways on how to prepare for these changes.
First Implementation Stage: 1 January 2025
By 1 January 2025, Sections 7, 11, 13, and 14 of the Personal Data Protection (Amendment) Act 2024 will come into operation.
To provide a broad overview without delving into every detail, the amendments in the first stage primarily concern minor adjustments, such as amending the national language in Subsection 16(3) of the Personal Data Protection Act 2010 by substituting the word “Pendaftar” with “Pesuruhjaya”, amending Section 67 of the Personal Data Protection Act 2010 by deleting the words “, after consulting the Minister,”, and amending Subsection 136(1) of the Personal Data Protection Act 2010 by inserting “(aa) by way of electronic means;”.
These changes are relatively minor and are not expected to significantly impact organizations, and it is safe to say that the first implementation stage primarily involves administrative updates and preparatory measures.
Second Implementation Stage: 1 April 2025
The second implementation stage, set to take effect on 1 April 2025, will have broader implications as Sections 2, 3, 4, 5, 8, 10, and 12 of the Personal Data Protection (Amendment) Act 2024 come into operation.
Without covering every amendment in detail, here are 5 key takeaways that warrant particular attention:
1. Change from “Data User” to “Data Controller”
Under the Personal Data Protection Act 2010, a “data user” is defined as a person who processes any personal data or has control over or authorizes the processing of any personal data.
In the Personal Data Protection (Amendment) Act 2024, the term “data user” will be replaced with “data controller”, aligning more closely with the terminology used in other jurisdictions such as the EU, UK, and Singapore. Organizations should update their PDP notices, contracts, and other documentation to reflect this change.
2. Introduction of Biometric Data
Biometric data, defined as personal data resulting from technical processing relating to the physical, physiological, or behavioral characteristics of a person, will be introduced under the Personal Data Protection (Amendment) Act 2024 as a type of “sensitive personal data”.
With advancements in technology and the increasing use of biometric data in AI applications, this inclusion of “biometric data” under the purview of the Personal Data Protection Act 2010 is timely and reflects the growing importance of protecting such sensitive information.
3. Expanded Legal Obligations for Data Processors
Under the Personal Data Protection Act 2010, the key legal obligations rested primarily on data controllers, without imposing direct legal obligations on data processors, and this has been a point of criticism, as many data users outsource data processing to processors for reasons such as cost-efficiency, scalability, and specialized expertise. However, without direct legal obligations, data processors may neglect adequate safeguards, and ensuring compliance and accountability became problematic.
The Personal Data Protection (Amendment) Act 2024 now extends the Security Principle to data processors, requiring that data processors also provide sufficient guarantees in respect of the technical and organizational security measures under the Security Principle to protect personal data from loss, misuse, unauthorized access, or destruction.
4. Heavier Penalties for Non-Compliance
Under the Personal Data Protection (Amendment) Act 2024, penalties for non-compliance with the seven personal data protection principles, namely (i) the general principle, (ii) the notice and choice principle, (iii) the disclosure principle, (iv) the security principle, (v) the retention principle, (vi) the data integrity principle, and (vii) the access principle, have been significantly increased.
Previously, upon conviction, a data controller found liable faced penalties of a fine of up to RM300,000, imprisonment of up to two years, or both. However, the Personal Data Protection (Amendment) Act 2024 has raised these penalties substantially to a fine of up to RM1,000,000, imprisonment of up to three years, or both, reflecting the heightened emphasis on compliance and accountability under the revised framework.
5. Removal of the Whitelist Regime for Cross-Border Transfers
The Personal Data Protection (Amendment) Act 2024 eliminates the whitelist regime for cross-border data transfers and introduces a more pragmatic approach, as a data controller may now transfer personal data to a country outside Malaysia if the destination country satisfies one of two conditions: (i) it has a data protection law substantially similar to Malaysia, or (ii) it provides an adequate level of protection for the processing of personal data, equivalent to the standards under Malaysian law.
This change simplifies the regulatory landscape by removing ambiguities associated with the previous whitelist regime, and it provides greater flexibility and clarity for data controllers when determining the legality of cross-border data transfers.
Third Implementation Stage: 1 June 2025
The Third Implementation Stage, set for 1 June 2025, focuses specifically on Sections 6 and 9 of the Personal Data Protection (Amendment) Act 2024.
Although it only concerns these two sections, this stage will have the most substantial impact on organizations, as it introduces 3 new concepts that will significantly affect both operational and regulatory processes.
1. Appointment of Data Protection Officer (“DPO”)
The first concept is the appointment of a DPO. Under the Personal Data Protection (Amendment) Act 2024, a data controller is required to appoint one or more DPOs who are accountable to the data controller for compliance with the law. Similarly, if the processing of personal data is carried out by a data processor on behalf of the data controller, the data processor must also appoint a DPO who is accountable to them for compliance purposes.
Unlike merely designating a contact person in the Personal Data Protection Notice, the appointment of a DPO carries significant responsibility, and the law clearly indicates that the DPO will be held accountable for ensuring compliance with data privacy laws.
At present, there are numerous concerns regarding the appointment of a DPO, such as questions about the minimum expertise and qualifications required, whether the DPO must be ordinarily resident in Malaysia, whether the role can be outsourced, or if a shared DPO can be appointed across multiple entities within the same group. These are valid and important questions that remain to be clarified. As of now, the public consultation paper on the appointment of DPOs and other relevant amendments has already been circulated, and we anticipate that further clarification will be issued before the provisions come into force.
2. Mandatory Data Breach Notification
The second concept pertains to the data breach notification requirements. Under the Personal Data Protection (Amendment) Act 2024, if a data controller has reason to believe that a personal data breach has occurred, they are required to notify the Commissioner. Furthermore, if the breach is likely to cause significant harm to the data subject, the data controller must also notify the affected individual.
Non-compliance with these data breach notification requirements carries serious consequences, including fines of up to RM250,000, imprisonment for up to two years, or both.
Based on the personal data breach notification exercises we have conducted on behalf of organizations that have suffered personal data breaches, we have observed a common issue: many organizations lack internal policies or procedures detailing the steps to take in the event of a breach. Typically, when a data breach is discovered, the response is chaotic, with companies scrambling to determine what actions to take. This reactive approach is akin to trying to find a fire extinguisher after the fire has already started. Therefore, especially with the mandatory data breach notification requirement now in place, companies should ensure they have a clear data breach policy or protocol, enabling them to respond quickly and appropriately when a data breach occurs.
3. Right to Data Portability
The third concept introduces the right to data portability. Under the Personal Data Protection (Amendment) Act 2024, a data subject may request the data controller to transmit their personal data to another data controller of their choice. This request must be made in writing via electronic means, and the transmission is subject to technical feasibility and compliance with the data format.
The right to data portability aligns with global data privacy trends that empower individuals by granting them more control over who processes their personal data and how it is processed. As data subjects can now more easily transfer their data between data controllers, this reduces barriers to switching services. Therefore, moving forward, organizations will need to focus on addressing the challenges associated with data portability, particularly regarding technical feasibility, data format compatibility, and ensuring smooth data transfer processes.
Conclusion
At the time of writing, there are approximately six months remaining for organizations to prepare for the implementation of the Personal Data Protection (Amendment) Act 2024. This six-month window should not be taken for granted. As an initial step, companies should begin reviewing and revising their PDP Notices and privacy policies or handbooks to ensure compliance with the latest amendments. Most importantly, for organizations that do not yet have these documents in place, now is the ideal time to start drafting them to ensure full compliance with all legal obligations under the data privacy law.
If your organization needs help with crafting a protocol for the handling of personal data requests from data subjects, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
About the authors
Ong Johnson
Partner, Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
31 December 2024
Investing in Malaysia's Manufacturing Sector
Introduction
In recent years, Malaysia has become one of Southeast Asia’s most compelling destinations for foreign direct investment (FDI). Its well-developed infrastructure, pro-business policies, and strategic location at the heart of the Association of Southeast Asian Nations (ASEAN) have positioned the country as a magnet for global investors. Within the broader Malaysian economy, the manufacturing sector has consistently taken centre stage, supported by government incentives and robust demand for Malaysian-made goods.
This article explores the opportunities and considerations for foreign investors looking to establish a manufacturing footprint in Malaysia. From understanding the latest FDI landscape to navigating local regulations, shareholding restrictions, and compliance matters, this guide aims to empower investors with the knowledge they need to make informed decisions.
1. Overview of Foreign Direct Investment (FDI) in Malaysia
FDI represents a crucial pillar of Malaysia’s economic development. Over the decades, the government has adopted a series of measures designed to attract and retain foreign capital, particularly in high-value industries.
Key Trends and Statistics
According to the Malaysian Investment Development Authority (MIDA), FDI inflows into Malaysia have shown steady growth in recent years. While the global economic landscape has been subject to fluctuations due to factors like pandemic recovery and shifting trade policies, Malaysia’s diversification strategy has enabled it to maintain a relatively positive trajectory.
Traditionally, the manufacturing sector receives a significant portion of FDI. Since 2021, this sector has continued to account for a large share of approved investments. The electrical and electronics (E&E) industry stands out for attracting notable foreign interest, but other sectors such as petrochemicals, aerospace components, and pharmaceutical equipment manufacturing are also gaining momentum.
Government Initiatives
Malaysia offers various tax holidays, grants, and allowances aimed at attracting high-impact industries. For example, the Pioneer Status and Investment Tax Allowance are accessible to companies setting up operations in key manufacturing segments.
The government, through MIDA and other agencies, regularly simplifies procedures to expedite approvals for permits and licenses, ensuring that investors face minimal red tape.
2. Key Drivers for Investing in Malaysia
While FDI can be attributed to multiple factors, there are several standout reasons why global companies consistently choose Malaysia.
Malaysia’s regulatory framework for foreign investors is generally welcoming. Successive administrations and supportive government policies have maintained a stable and predictable policy environment, focusing on nurturing high-value industries and facilitating technology transfer. Well-developed infrastructure is often a vital consideration for manufacturers. The country boasts modern road networks, international airports, seaports, and reliable utilities. Dedicated industrial parks throughout Peninsular Malaysia, Sabah, and Sarawak offer purpose-built facilities that reduce set-up time and cost for manufacturers.
Located in the heart of Southeast Asia, Malaysia provides convenient access to the broader ASEAN market, home to over 600 million consumers. Its proximity to major global shipping lanes makes it an ideal export hub. Ongoing trade tensions and supply-chain recalibrations have prompted many multinationals to diversify their manufacturing bases away from traditional hubs. Malaysia has benefitted from this shift, attracting companies seeking an alternative or supplemental production location.
Malaysia’s multicultural and diverse population is fluent in multiple languages, including English, Mandarin, Tamil, and Malay. This cultural diversity facilitates better communication with global stakeholders and eases the on-ground establishment of foreign ventures.
3. Shareholding Rules and Regulatory Framework
Malaysia broadly encourages foreign participation in its manufacturing sector, with an emphasis on attracting high-value and innovative industries. As such, foreign investors can typically hold up to 100% equity in manufacturing companies, particularly those classified as “promoted” or priority sectors.
While the manufacturing sector broadly permits full foreign ownership, certain service-oriented segments may impose a maximum foreign shareholding threshold.
For instance, in healthcare services (e.g., private hospitals) foreigners are restricted to holding not more than 70% equity, and in logistics services to the public foreign equity is restricted to not more than 50%. Investors keen on these industries are advised to consult local legal experts to navigate specific limitations, which may vary depending on federal or state regulations.
4. Manufacturing License Requirements
Upon setting up a company and entering into a Sale and Purchase Agreement or Tenancy/Lease Agreement for land or factory premises, obtaining a manufacturing license from MIDA is a critical step. Specific conditions under the Industrial Coordination Act 1975 (ICA) apply.
The ICA requires manufacturing companies with shareholders’ funds of RM2.5 million and above or engaging 75 or more full-time paid employees to apply for a manufacturing licence approved by the Ministry of Investment, Trade and Industry (MITI). It is very important to know that even companies that do not meet these criteria must apply for an exemption.
In addition, the manufacturing company shall comply with the guidelines for approval of industrial projects in Malaysia based on the following criteria:
• Projects must have Capital Investment Per Employee (CIPE) of at least RM140,000.00; and
• Total full-time workforce of the company must comprise at least 80% Malaysians. Employment of foreign workers including outsourced workers is subject to current policies; and
• Total number of managerial, technical and supervisory levels (MTS) is at least 25% of total employment or having a value added (VA) of at least 40%.
5. Other Essential Licenses and Approvals
Beyond the manufacturing license, various other approvals may be mandatory, depending on a company’s activities and scale of operations. The company shall apply for a business license from the local city council before commencing business operations.
Besides that, under the Environmental Quality Act 1974, projects likely to have significant environmental impacts require an Environmental Impact Assessment (EIA) from the Department of Environment (DOE). Investors must demonstrate an awareness of environmental regulations. This includes adopting pollution control measures, waste management systems, and energy-efficient practices, especially for high-impact industries like chemicals or heavy manufacturing. Examples include large-scale petrochemical plants or heavy industries with substantial waste output. Companies are encouraged to conduct a preliminary site assessment prior to the site selection. A preliminary site assessment evaluates the suitability of the proposed site for the intended manufacturing activity. It identifies potential environmental issues and determines whether a detailed EIA is required.
Robust safety protocols and compliance with the Department of Occupational Safety and Health (DOSH) standards are prerequisites. Companies are also required to obtain relevant approvals including but not limited to the registration of factories and certificated machinery with DOSH. Any use of industrial machines or boilers necessitates registration with DOSH. Safety inspections at factory sites or manufacturing plants will be carried out by DOSH officers to ensure compliance with national occupational safety standards and minimize workplace hazards.
In addition, Fire and Rescue Department (BOMBA) clearance or a no-objection letter is vital before occupying the factory or premises. This approval certifies that buildings and facilities meet fire safety standards. This step is crucial not just for legal compliance but also for protecting the well-being of workers and safeguarding assets.
Compliance is the cornerstone of sustainable business operations in Malaysia. While Malaysia’s regulatory system is relatively transparent and business-friendly, it requires consistent adherence to rules, including tax filings, corporate governance, labour laws and intellectual property protection. By diligently meeting these obligations, investors can fortify their reputation and minimize operational disruptions.
Conclusion
Malaysia’s manufacturing sector offers foreign investors a compelling blend of economic opportunity, strategic location, and governmental support. Its track record for attracting FDI attests to the country’s commitment to nurturing a globally competitive manufacturing ecosystem. From obtaining the necessary licenses to ensuring consistent legal and regulatory compliance, a well-planned entry strategy will pave the way for long-term success in this dynamic market.
About the author
Kelvin Chee Wei Jia
Senior Associate
BRIDGE
Halim Hong & Quek
kelvin.chee@hhq.com.my
31 December 2024
Strata Living: Your Slice of the Pie
Understanding the Concept
Strata title is a legal concept that divides a property into individual units and common areas. In the context of Malaysian property, it is particularly prevalent in high-rise developments such as condominiums, apartments, townhouses, and serviced residences. Strata Law in Malaysia governs strata properties, with the main legislation surrounding it being the Strata Management Act (SMA) 2013.
How Does Strata Title Work?
Individual Ownership: Each unit within a strata development is individually owned. This means that you, as a unit owner, have exclusive rights to your specific unit, including its interior and any attached private spaces like balconies or car parks.
Shared Ownership: While you own your individual unit, you also collectively own the common areas of the development. These shared spaces, such as swimming pools, gyms, gardens, and communal lobbies, are maintained and managed for the benefit of all unit owners.
Management Corporation: A management corporation is established to oversee the administration of the strata development. This body corporate is responsible for enforcing the bylaws, collecting maintenance fees, and ensuring the upkeep of the common areas.
Benefits of Strata Title Ownership
Clear Ownership Rights
Strata title offers a clear legal framework, ensuring each unit owner has a well-defined ownership interest. This legal certainty safeguards property rights, preventing disputes and enabling easy transfer or sale of strata units, making them a liquid asset.
Convenience and Amenities
Strata developments often offer a modern lifestyle with a wide range of amenities such as swimming pools, gyms, and recreational facilities. The management corporation handles the maintenance of common areas, reducing the burden on individual unit owners. Additionally, strata developments often have security measures in place, providing a safe and secure living environment.
Security
Many strata developments prioritize security with 24-hour security personnel monitoring the premises and CCTV cameras installed in common areas. Controlled access systems further enhance security and privacy.
Community Living
Strata living fosters a strong sense of community, allowing residents to connect with neighbours, share experiences, and celebrate together. Hopefully, this supportive community environment can provide assistance and support during challenging times, enhancing the overall quality of life for residents.
Responsibilities of Strata Title Owners
Maintenance Fees
As a strata title owner, you are expected to contribute financially towards the upkeep of common areas. These fees, collected by the management corporation, are essential for:
• Routine Maintenance: Regular cleaning, gardening, and minor repairs.
• Security Services: Hiring security guards or installing security systems.
• Facility Maintenance: Upkeep of swimming pools, gyms and other amenities.
• Insurance Premiums: Covering insurance costs for the common property.
• Sinking Fund Contributions: Accumulating funds for future major repairs or renovations.
Adherence to Bylaws
Bylaws are the rules and regulations governing the strata development. Adhering to these bylaws is crucial for maintaining a harmonious living environment. Common bylaws include:
• Noise Regulations: Restrictions on noise levels, especially during specific hours.
• Pet Policies: Guidelines regarding pet ownership, including breed restrictions and pet etiquette.
• Parking Regulations: Rules for parking vehicles, including designated parking spaces and visitor parking.
• Waste Disposal: Guidelines for proper waste disposal and recycling.
• Rental Restrictions: Rules regarding renting out units, including tenant screening and lease agreements.
Participation in Management Corporation Meetings
Active participation in management corporation meetings is essential for:
• Decision-Making: Voting on important decisions, such as approving the annual budget and major repair projects.
• Transparency: Staying informed about the financial health of the development and any ongoing issues.
• Accountability: Holding the management corporation accountable for its actions.
• Community Building: Fostering a sense of community and collaboration among residents.
Insurance
As a strata title owner, you are responsible for insuring your individual unit against potential risks like fire, theft, and natural disasters. Additionally, the management corporation typically maintains insurance coverage for the common property, which protects the shared areas and assets of the development.
Key Considerations for Strata Title Owners
Developer's Role
The developer plays a crucial role in the establishment of a strata development. Their responsibilities include:
• Obtaining Strata Title: Securing individual strata titles for each unit.
• Building and Construction: Ensuring the development adheres to building codes and regulations.
• Establishing the Management Corporation: Setting up the initial management committee.
• Creating Bylaws: Developing the bylaws that govern the development.
• Handing Over the Development: Transferring the development to the management corporation upon completion.
Legal Implications
Strata title ownership comes with various legal implications. It is essential to understand:
• Ownership Rights and Responsibilities: Clarifying your rights and obligations as a unit owner.
• Bylaws and Regulations: Ensuring compliance with the development's rules and regulations.
• Dispute Resolution: Understanding the procedures for resolving disputes with other unit owners or the management corporation.
• Insurance Requirements: Determining the necessary insurance coverage for your unit and any additional property.
• Tax Implications: Understanding any tax implications associated with owning strata property.
Financial Implications
In addition to regular maintenance fees, strata title owners may be required to contribute to:
• Sinking Fund: This fund is used to finance future major repairs and renovations, such as repainting the building or replacing major equipment.
• Special Levies: These are additional fees levied to cover unexpected expenses, such as natural disasters or emergency repairs.
• Legal Fees: Costs associated with legal proceedings, such as disputes or legal advice.
By understanding the complexities of strata title ownership, you can effectively exercise your rights, fulfil your obligations, and enjoy the benefits of living in a well-managed strata development.
About the author
Pan Yan Teng
Senior Associate
Construction & Energy
Harold & Lam Partnership
yanteng@hlplawyers.com
31 December 2024
Is ESG Important in the Malaysian Construction Sector?
In Malaysia, the construction industry is increasingly embracing Environmental, Social, and Governance (“ESG”) principles as part of a broader commitment to sustainability and economic development. As one of the cornerstones of the nation’s economy, integrating ESG into construction practices is essential for ensuring long-term growth, competitiveness, and alignment with national sustainability goals. The Construction Industry Development Board (“CIDB”) has underscored the importance of ESG integration, emphasizing that the sector’s future success depends on its ability to adapt to these principles. CIDB’s CEO, Datuk Mohd Zaid Zakaria, pointed out during the International Construction Transformation Conference (“ICTC”) that the construction industry accounts for about 6% of the global GDP and is responsible for a significant portion of the world's carbon emissions, climate change, and energy use. With the sector’s high environmental impact, the need for sustainable construction practices has never been more urgent.
“Environmental” Responsibility
In Malaysia, rapid urbanization and ongoing infrastructure development create considerable environmental challenges. To address these issues, the construction industry must adopt sustainable building practices and initiatives aimed at reducing its environmental footprint. One of the key initiatives supporting this transition is the Green Building Index (“GBI”), which offers guidelines for constructing energy-efficient buildings with minimal environmental impact. A growing number of green buildings and green development projects across the country incorporate sustainable materials, eco-friendly designs, and energy-efficient technologies, which reduces carbon footprints and enhances overall operational efficiency. Amongst others includes:-
Alongside these efforts, the Malaysian government has introduced various programs such as Net Energy Metering, MyHIJAU, and the Sustainable and Responsible Investment (“SRI”) Sukuk Framework to support the transition towards a carbon-neutral economy while managing the costs associated with these initiatives.
“Social” Responsibility and Labor Welfare
The International Labour Organisation (ILO) reported that construction contributes to a large share of fatal occupational accidents globally. Given these challenges, it is crucial for Malaysian construction companies to address worker welfare by prioritizing safety, fair wages, and health standards through strict safety protocols and comprehensive training programs. By doing so, companies not only protect their workforce but also enhance productivity and create a safer working environment.
Social responsibility in construction also extends beyond workers to the broader community. Through the creation of jobs, the enhancement of public infrastructure, and active community development, construction firms can contribute to societal well-being. These socially responsible practices not only foster positive relationships with local communities but also strengthen the industry’s social license to operate, ensuring long-term success and stability.
“Governance” Ensuring Transparency and Accountability
Good governance is another cornerstone of ESG, particularly in the context of Malaysia’s construction industry. To overcome challenges related to corruption, lack of oversight, and poor regulatory compliance, construction companies must adopt strong governance frameworks that emphasize integrity, transparency, and accountability in their operations. This includes implementing anti-corruption measures, transparent financial reporting, and clear decision-making processes.
Effective governance also extends to ensuring that suppliers and contractors comply with ethical material sourcing and labour practices. Monitoring these practices is crucial for maintaining ESG standards and avoiding legal and financial risks. The CIDB has advocated for the importance of governance in driving sector growth, urging companies to improve transparency and adhere to ethical standards. By establishing robust governance systems, construction companies can reduce operational inefficiencies, mitigate risks, and build greater investor confidence.
As global ESG standards evolve, Malaysian construction firms that adopt strong governance practices are better positioned to align with international sustainability regulations and attract ESG-focused investors. The Malaysian government has supported these efforts by offering incentives for green building projects, tax breaks for sustainable initiatives, and regulatory frameworks that promote environmentally friendly construction practices. These efforts help the sector remain competitive, resilient, and aligned with the country’s broader sustainability objectives.
Conclusion
ESG principles are critical to the future of Malaysia’s construction industry. By prioritizing environmental sustainability, improving labour welfare, and adhering to strong governance practices, the sector can achieve long-term growth while contributing to the nation’s economic and sustainability goals. ESG principles not only help construction firms reduce risks and enhance their competitiveness but also ensure that they operate in a socially responsible and ethical manner. As the construction industry continues to play a key role in the development of Malaysia’s infrastructure and economy, embracing ESG will be crucial in creating a more resilient, responsible, and sustainable future for the nation and its people.
About the author
Hee Sue Ann
Senior Associate
Real Estate
Halim Hong & Quek
sahee@hhq.com.my
31 December 2024
The Role of Stakeholder Solicitors Withholding Stakeholding Monies Under the Housing Development Act 1966
In Malaysia, stakeholder solicitors play a crucial role in property transactions, particularly under the statutory sale and purchase agreement of Schedule G and Schedule H of the Housing Development (Control & Licensing) Regulations 1989 ("Statutory SPA"). Although the stakeholder solicitors are often the solicitors representing either the developers or the purchasers as opposed to an independent third party, they should remain neutral in their duties as stakeholder solicitors in holding the stakeholding funds on behalf of both parties. They should release the funds only when specific conditions outlined in the SPA have been met to ensure legal compliance and impartiality. This principle was clarified by Lord Edmund-Davies in Sorrell v Finch [1976] 2 All ER 371 and Lord Denning MR in Burt v Claude Cousins & Co Ltd [1971] 2 Q.B. 426, both of whom emphasised that a solicitor holding stakeholding monies does not act as an agent for either party but as a trustee, holding the funds impartially for both parties.
However, questions often arise regarding the circumstances under which stakeholder solicitors may withhold or release such funds, particularly in disputes concerning defect repairs. Such issues underline the solicitor’s duty to navigate the delicate balance between contractual obligations, legal precedents, and professional ethics.
The Essence of Stakeholding and Fiduciary Duties
Section 22E of the Housing Development (Control And Licensing) Act 1966 (“HDA”) imposes specific duties on stakeholder solicitors, particularly regarding the handling of such funds, which typically constitute 5% of the purchase price in the SPA. Under Section 22E, any solicitor who knowingly releases stakeholding monies to a housing developer or another party in violation of the SPA is committing an offence, punishable by a fine, imprisonment, or both.
Circumstances for Withholding Stakeholder Funds
Solicitors holding stakeholding monies may withhold such funds under the following circumstances:
1. Adherence to the Stakeholding Terms
Under Rule 14.10(3) of the Bar Council's Rules and Rulings, stakeholder solicitors must strictly adhere to the terms of the stakeholding arrangement. Stakeholder funds may not be released, utilised, applied or otherwise dealt with by such Solicitor unless the conditions specified in the SPA are met, or express written consent is obtained from all relevant parties.
2. Specific Provisions in the SPA
Under the Statutory SPA, stakeholder solicitors are required to withhold 5% of the purchase price: 2.5% to be paid at the expiry of the period of eight (8) months after the purchaser takes vacant possession, and the balance 2.5% at the expiry of the period of twenty-four (24) months after taking vacant possession. The retention is aimed at addressing potential defects during the defect liability period (“DLP”). If the purchaser serves written notice to the developer within these periods requesting defect rectification, the solicitor must withhold the sum until the stakeholder solicitors receive a developer’s architect certificate certifying that the defects have been repaired. If no notice is served during the respective periods, the relevant sums may be released after the respective periods.
The cases of Toh Theam Hock v Kemajuan Perwira Management Corporation Sdn Bhd [1988] 1 MLJ 116 (SC) and Tay Hup Lian v Histyle Sdn Bhd & Anor [2010] 9 MLJ 569 (HC) underscore the solicitor’s duty to hold stakeholding monies in trust and release them only when conditions are met. Specifically, in Toh Theam Hock, the manner in which stakeholder solicitors are to dispose of them was defined as contingent upon the terms under which the funds are held, affirming that a solicitor holding stakeholding monies may withhold or release the funds based on the SPA terms. Tay Hup Lian further emphasised that a solicitor holding stakeholding monies is duty-bound to hold retention sums impartially, pending fulfilment of conditions under the relevant SPA clause. Once these conditions are satisfied, as in Tay Hup Lian, the solicitor is authorised to release the retention sum.
Similarly, in Datuk M Kayveas, the Federal Court stressed that stakeholder solicitors hold stakeholding monies in a trustee capacity, not as part of a contract. These cases establish that stakeholder solicitors must follow the SPA terms and release the funds only when the conditions for release are fulfilled, with any breach of these terms constituting a breach of trust.
In Embassy Court Sdn Bhd v Yip Kum Fook & Ors [2014] 10 CLJ 295, the High Court emphasised that stakeholder solicitors cannot release stakeholding monies without the consensus of all parties and confirmation that SPA conditions are met. The High Court, following Datuk M Kayveas, reiterated that under clause 29 or 30 of the SPA, since the required notices have been given and acknowledged, the solicitor holding stakeholding monies cannot release them without the consent of both the plaintiff and the purchaser. Thus, the unauthorised release of stakeholding monies constitutes a violation of Section 22E, subjecting the solicitor to penalties.
Disputes Over Defect Repair Works
Disputes frequently arise concerning defect rectifications during the DLP. Under Clause 30(2) of Schedule H and Clause 27(2) of Schedule G, purchasers are entitled to recover repair costs from the retention sum if the developer fails to address defects within the timeline specified in the statutory sale and purchase agreement, provided that the purchasers have complied with the requirements under the respective clauses. It is also worth highlighting that the purchasers must have carried out the repair works and paid for the repair costs. In Ang Ban Giap v Worldwide Holdings Bhd & Anor [2019] 8 MLJ 669, the High Court held that purchasers must substantiate their claims with completed rectification works, not merely provide quotations, as quotations alone are insufficient to make a valid claim under Clause 25(2) of the SPA. The words "recover" and "deduct" in Clause 25(2) clearly indicate that the purchaser must complete the rectification works before being entitled to recover and deduct the cost of repairing and making good the defects from the sum held by the solicitor. The court, in giving effect to the plain and ordinary meaning of Clause 25(2), found that the purchaser could only claim the stakeholder sum upon providing proof of the actual costs incurred for the remedial works.
The solicitor holding stakeholding monies may file an affidavit with the court to seek relief by interpleader in cases where there is a dispute over the stakeholder sum between the developer and the purchaser. If the court deems it appropriate, interpleader proceedings will be initiated, relieving the solicitor of liability while the court exercises its discretion to determine whether the stakeholder sum should be withheld or released to the purchaser.
However, in Tetuan Fong Yap & Gan v HSB Development Sdn Bhd & Anor [2016] MLJU 1478, the dispute between the developer and purchaser over the stakeholder sum led the purchaser to appeal the court’s decision. The High Court ruled that the matter should be resolved through a separate civil suit, as the dispute was not suitable for interpleader proceedings. In such disputes, the court may direct that competing claims to the stakeholder sum be resolved through a civil suit.
Conclusion
The role of stakeholder solicitors under the HDA is crucial in maintaining trust and safeguarding the interests of developers and purchasers. By adhering to statutory provisions, judicial precedents, and fiduciary obligations, solicitors ensure compliance and mitigate disputes. Their position as custodians of stakeholding monies reinforces the importance of impartiality and strict adherence to the law.
About the authors
Lim Jus Tine, Partner, Real Estate, Halim Hong & Quek, justine.lim@hhq.com.my
Lim Ting Mei, Associate, Real Estate, Halim Hong & Quek, tm.lim@hhq.com.my
3 December 2024
Developers' Liability for Latent Defects Beyond the Defect Liability Period
Case Summary: Badan Pengurusan Bersama Tropicana Bay Residence @ Penang World City v Mutiara Metropolis Sdn Bhd & Ors [2024] MLJU 1948
Introduction
The issue of defects is not uncommon in construction disputes. More often than not, the extent of the liability of the developer / contractor for defects which appear after the expiry of the defect liability period remains a heavily contested issue at court. The present case offers valuable insight into this issue, providing some clarity on the applicable legal principles.
Parties
The Plaintiff is the joint management body of Tropicana Bay Residence (hereinafter referred to as “the Project”). The 1st Defendant is the developer of the Project, while the 2nd and 3rd Defendants are the subcontractors engaged in the Project.
Facts
There were severe leakages arising from the failure of the waterproofing system throughout the common properties of the Project, i.e. at the common areas and roof of the TNB sub-station. Consequently, on behalf of the homeowners, the Plaintiff brought an action against the 1st Defendant for breach of contract and negligence, and against the 2nd and 3rd Defendants for negligence.
Issues
The issues are (1) whether there has been a breach of contract on the part of the 1st Defendant, (2) whether there has been negligence on the part of the 1st Defendant, and (3) whether there has been negligence on the part of the 2nd and 3rd Defendants.
Decision
Issues 1 and 2 are answered in the affirmative while Issue 3 is answered in the negative.
Regarding Issue 1, the express terms of the contract that have been breached are Clause 13 and Clause 29 of the Sale and Purchase Agreement, which, in essence, require the 1st Defendant to ensure that the construction is completed in accordance with the approved plans, and also to repair and rectify any defects. In addition to these express terms, it is important to note that the Court also found that the 1st Defendant had breached the three implied terms in construction contracts, namely (1) to supply good and proper materials, (2) to build in a good and workmanlike manner, and (3) to ensure the property is reasonably fit for human habitation.
It is also worth noting that the 1st Defendant’s argument that the expiration of the Defect Liability Period (“DLP”) and the issuance of the Certificate of Making Good Defects (“CMGD”) operate as a shield was rejected, as the Court found that these did not preclude the Plaintiff from exercising its right to sue for defects that are not reasonably detectable or discoverable during the DLP (water leakage in this case, which took time to manifest). The Court further explained that the DLP has two divisible obligations:
(a) If defects are discovered during the DLP, then contractually the developer is liable to repair the defects and pay for the repairs.
(b) In the event of defects appearing after the DLP, the developer may still be liable to pay for the repairs even if he is no longer required to repair the same. In such instance, liability to pay for the repairs would depend on whether the defects are attributable to his poor workmanship or use of substandard materials.
Conclusion
The present case underscores the principle that developers and contractors cannot evade liability for latent construction defects that manifest after the expiry of the DLP, particularly when such defects arise from poor workmanship or the use of substandard materials. This judgment is also welcome as it reaffirms the extent of the responsibility and accountability of developers and contractors in the construction industry to deliver properties which are fit for habitation and constructed in a workmanlike manner, in accordance with their contractual obligations.
About the authors
Lim Ren Wei, Associate, Construction & Energy, Harold & Lam Partnership, renwei@hlplawyers.com
Leong Yu Jing, Pupil-in-Chambers, Construction & Energy, Harold & Lam Partnership
3 December 2024
Legal Interpretation in Strata Management: A Focus on AGM Postponements
On October 1, 2024, the Court of Appeal of Malaysia deliberated on Pesuruhjaya Bangunan Kawasan Pentadbiran Majlis Bandaraya Pulau Pinang v Perbadanan Pengurusan Mar Vista Resort (Civil Appeal No.: P-01(A)-194-04/2023). The case posed a pivotal legal question: Is the Commissioner of Buildings (COB) empowered under the provisions of the Strata Management Act 2013 (SMA 2013) to allow an adjournment of a strata scheme’s Annual General Meeting (AGM)?
This issue arises from a broader challenge faced by local authorities across Peninsular Malaysia, as all strata schemes are bound to conduct AGMs within the time frame stipulated in the Second Schedule of the SMA 2013.
The central argument revolves around Section 1(7) of the SMA 2013, which permits the State Authority to "suspend the operation of this Act or any provision of this Act". According to counsel for the COB, this power lies exclusively with the State Authority and cannot be delegated to the COB. The statutory provision makes it clear that the State Authority must independently assess public and purchaser interests before exercising this suspension power.
High Court Ruling
The High Court found that the COB, as the State Authority’s delegate under Section 4(1), holds administrative powers under the SMA 2013, including matters related to the holding of AGMs. The High Court further concluded that Section 1(7) implicitly conferred authority upon the COB to adjourn the AGM. To support this decision, the High Court relied on the case of Perbadanan Pengurusan Anjung Hijau v. Pesuruhjaya Bangunan Dewan Bandaraya Kuala Lumpur (“Anjung Hijau”), interpreting Section 1(7) of the SMA 2013 as empowering the COB to allow an adjournment of AGMs.
Court of Appeal Ruling
The Court of Appeal overturned the High Court's decision, noting that the High Court’s ruling in Anjung Hijau had already been overturned by the Court of Appeal on November 9, 2017. The Court of Appeal also referenced previous rulings, such as Ang Ming Lee & Ors v. Menteri Kesejahteraan Bandar, Perumahan dan Kerajaan Tempatan & Anor and Other Appeals, and reaffirmed that the power to suspend must be exercised directly by the State Authority, as it is the State Authority that must form the opinion that the suspension of the operation of the SMA 2013 in any local authority area or area “will not be contrary to public interests and the interest of the purchasers”. The Court also stressed the protective provisions of the SMA 2013, designed to safeguard purchasers, proprietors, and parcel owners, emphasizing the AGM's role in ensuring transparency and accountability.
Importance of AGMs
AGMs, as outlined in Paragraph 10(1) of the Second Schedule of the SMA 2013, serve as critical platforms for reviewing management accounts, electing committee members, and addressing operational matters. These meetings empower stakeholders to monitor the management corporation’s adherence to statutory duties, including financial accountability under Sections 60-62 of the SMA 2013.
Implications for Strata Governance
This judgment underscores the importance of maintaining a strict statutory interpretation to uphold public and purchaser interests. The decision reinforces the principle that key powers under social legislation, such as the SMA 2013, must remain with designated authorities to ensure proper accountability and compliance.
If you require assistance with organizing AGMs, please feel free to contact the firm’s Real Estate Office. The lawyers in the Real Estate Office have extensive experience in assisting clients with their legal needs, particularly in compliance with the Strata Management Act 2013, and will be able to help.
About the author
Goh Li Fei, Partner, Real Estate, Halim Hong & Quek, lfgoh@hhq.com.my
3 December 2024
Who Has Property in the Mazda Cars?
Excel Champ Automobile Sdn Bhd v Bermaz Motor Trading Sdn Bhd & Anor [2020] 7 MLJ 23
The First Defendant company (D1) distributes Mazda cars and has entered into a ‘vehicles sales dealer agreement’ with the Plaintiff company (“Dealership Agreement”). The Dealership Agreement allows the Plaintiff to sell Mazda cars.
The Second Defendant (Bank) is a licensed bank which has provided a facility to the Plaintiff (“Facility”). The repayment of the Facility by the Plaintiff is secured by two debentures created by the Plaintiff in favour of the Bank (“Debentures”). The Debentures provide for, among others, floating charges to be created over all assets of the Plaintiff (“Floating Charges”).
All the cars had been purchased by the Plaintiff from D1 with funds from the Facility but D1 had not been paid by the Plaintiff for the cars. The bank officer visited the showroom and found that none of the cars were at the showroom. The Bank then wrote a letter to the Plaintiff but the Plaintiff did not reply. Consequently, the Bank lodged a police report because the cars had been removed from the showroom without the Bank’s consent.
This case concerns an interpleader filed by the Plaintiff and raised the following questions: -
(a) Whether D1 or the Bank was entitled to the Mazda cars?
(b) Whether the Court should exercise its discretion to deprive the Plaintiff of costs of the court proceeding and order the Plaintiff to pay costs to D1 and the Bank?
High Court Rulings
1. The High Court refers to Sections 19 and 20 of the Sale of Goods Act 1957 (“SGA”), which read as follows: -
“Property passes when intended to pass
19. (1) Where there is a contract for the sale of specific or ascertained goods the property in them is transferred to the buyer at such time as the parties to the contract intend it to be transferred.
(2) For the purpose of ascertaining the intention of the parties regard shall be had to the terms of the contract, the conduct of the parties and the circumstances of the case.
(3) Unless a different intention appears the rules contained in sections 20 to 24 are rules for ascertaining the intention of the parties as to the time at which the property in the goods is to pass to the buyer.
Specific goods in a deliverable state
20. Where there is an unconditional contract for the sale of specific goods in a deliverable state the property in the goods passes to the buyer when the contract is made, and it is immaterial whether the time of payment of the price, or the time of delivery of the goods, or both, is postponed.”
Whether Dealership Agreement provides for the D1 to retain property in the cars until the D1 has been paid for the cars?
2. According to Section 19(1) of SGA, when property in the cars is transferred from D1 to the Plaintiff depends on the intention of the Plaintiff and D1. To ascertain such intention, Section 19(2) of SGA provides that ‘regard shall be had to the terms of the contract, the conduct of the parties and the circumstances of the case’.
3. In BSNC Leasing Sdn Bhd v Sabah Shipyard Sdn Bhd & Ors [2000] 2 MLJ, the Court of Appeal explained the effect of Sections 19 and 20 of the SGA.
“…In a contract for the sale for specific or ascertained goods, property in them passes from the seller to the buyer according to the intention of the parties. That intention is to be gathered from the terms of the contract, the conduct of the parties and all the circumstances of the case. In the absence of a contrary intention, property in specific goods passes to the buyer at the time the contract is made. And it matters not whether the parties have postponed either payment for, or the delivery of, the goods….
…
Here, Wing Teik and Sabah Shipyard did not express any intention as to when property in the turbine (which comes within the category of ‘specific goods’) will pass from the one to the other. Neither is there any form of conduct or circumstances from which such intention is to be deduced. The rule expressed in s 20 of the Sale of Goods Act 1957 therefore applies with full force. Accordingly, the property in the turbine passed from Wing Teik to Sabah Shipyard when the contract was made. … (Emphasis added.)”
4. The High Court went on to analyse the clauses in the Dealership Agreement to find out whether it was the parties’ intention for D1 to retain property in the cars until all the obligations have been met. After construing the Dealership Agreement, the High Court held that there were no clauses providing, expressly or by necessary implication, that D1 shall retain property in the cars until and unless D1 is paid in full for the cars by the Plaintiff.
5. Hence, Sections 19(3) and 20 of the SGA apply here. The property in the cars passed from D1 to the Plaintiff when the Dealership Agreement was concluded.
Whether the Cars fall within the ambit of Floating Charges?
6. It is not disputed that when a company creates a debenture over the company’s assets, the debenture holder is a secured creditor of the company. Hence, in this case, the bank is the secured creditor of D1.
7. The salient clauses in the Debentures are as follows: -
SECTION 2.01 DEFINITIONS
‘Charged Assets’ means all the Borrower’s stock of motor vehicles financed by the Financier, both present and future including but not limited to the said vehicles rights title interest that may now or hereafter be charged or otherwise secured in favour of the Financier by and under or pursuant to this Debenture and the proceeds of the security constituted by or pursuant to this Debenture and reference to the ‘Charged Assets’ includes reference to each and every part thereof;
SECTION 5.01 FLOATING CHARGE
As a continuing security for the discharge of all obligations and liabilities and the payment of all principal moneys interest and all other charges costs and expenses owing and incurred by the Borrower to the Financier in connection with the Facility and/or under this Debenture, the Borrower as beneficial owner hereby charges to the Financier by way of a first floating charge on all the Charged Assets of whatever description now or hereafter belonging to the Borrower financed by the Financier under the Facility including the Motor Vehicles referred to in Section 3.01 hereof …
SECTION 5.05 CONTINUING SECURITY
The security herein created is expressly agreed and declared by the Borrower to be and shall be a continuing security for all moneys whatsoever now or hereafter from time to time owing to the Financier by the Borrower …
8. After analysing the clauses in the Debentures, the High Court ruled that:
(i) The Plaintiff owns the property in the cars. The cars would fall within the definition of ‘Charged Assets’ in the Debentures; and
(ii) The cars were acquired by the Plaintiff after the execution and registration of the Floating Charges with the Registrar of Companies (ROC). Nonetheless, the cars would form part of the charged assets which ‘hereafter’ belonged to the Plaintiff under Section 5.01 of the Debentures. Furthermore, the Floating Charges are a ‘continuing security’ pursuant to Section 5.05 of the Debentures and would include the cars which had been purchased by the Plaintiff after the execution and registration of the Floating Charges with ROC.
9. As the Mazda cars fall within the wide purview of the Floating Charges, the bank is entitled to the cars.
Whether the Court should exercise its discretion to deprive the Plaintiff of costs of the court proceedings and order the Plaintiff to pay costs to D1 and the Bank?
10. The High Court held that the Court has wide discretion to award costs for interpleader proceedings under Order 17 rule 8 of the Rules of Court 2012.
11. In the present case, the High Court exercised its discretion under Order 17 rule 8 of the Rules of Court 2012 to order the Plaintiff to pay costs to both D1 and the Bank. The discretion was exercised based on the following exceptional circumstances: -
(i) the Plaintiff had breached the Dealership Agreement by not paying D1 for the sale of the cars;
(ii) the Plaintiff had not only defaulted on the Facility but had also removed the cars from the showroom without the Bank’s consent. The Plaintiff did not even have the candour to reply to the Bank’s letter. Lastly, the Bank’s police report had been lodged against the Plaintiff;
(iii) D1 and the Bank are blameless in this case; and
(iv) The Plaintiff’s above breaches had caused loss to D1 and the Bank.
Key Takeaway
In the absence of any clause which expressly withholds the transfer of property to the buyer until all obligations have been fulfilled, the property is deemed to have transferred from the seller to the buyer when the contract was made, notwithstanding that payment has not been made in full and/or that the goods have yet to be delivered to the buyer.
About the author
Jessica Wong Yi Sing, Senior Associate, Dispute Resolution, Harold & Lam Partnership, jessica@hlplawyers.com
3 December 2024
Dissecting IP-Related Clauses in IT Contracts
Introduction
During the review and finalisation of any IT contracts, the intellectual property (IP) clauses are often the subjects of focus by the contracting parties. This is understandably so, given that IP rights can be said to be the cornerstone of most IT contracts. In the context of an IT contract, the relevant IP rights would be the IP rights in the software or computer system to be delivered to the customers. Hence, IP-related clauses can have an impact on the right to use a particular software as well as affect the ability of a customer to own the entirety or a part of the deliverables from the vendor.
In this article, we attempt to dissect the IP-related clauses in an IT contract, with the objective of helping companies, whether you are the customer or the service provider, to better understand the nuances of these IP clauses.
Ownership of Intellectual Property Rights
From our experience, we often hear customers expressing interest to own the IP rights in the deliverables. From the customer’s perspective, it makes perfect sense that since they are already paying for the deliverables, they should rightfully have ownership over the subject matter of what is paid for. A complete ownership of the IP rights in the deliverables is however more often than not impossible (unless the contract is one for the development of a new software and even then, there may be a caveat to IP ownership depending on the method of development), as the service providers are usually offering only a licence to their software or providing software-as-a-service. Relinquishing their ownership in the underlying software will disrupt the entire business model of the service providers and affect the service providers’ ability to continue granting licence to the very same software to its other paying customers.
As such, it is important for the service providers to first explain to the customers the terms of their delivery of services, helping the customers to understand that they will be granted a licence to use the underlying software instead of having ownership over the deliverables. If there is customisation to the software pursuant to the customers’ request or requirement, then perhaps carve-outs can be introduced in the IT contract to distinguish foreground IPs and background IPs, and for the customers to have ownership over the foreground IPs generated pursuant to the customisation work requested by the customers.
Licensing of Intellectual Property Rights
As explained above, in most IT contracts, the IP rights in the underlying software to be delivered to the customers are subject to a licence to use, granted by the service providers (or the software principals, through End User Licence Agreements or EULAs) to the customers. It is thus important for in-house legal reviewing the contracts to ensure that the licensing terms align with the customers’ / companies’ intended usage of the software or deliverables.
Some software deliverables are subject to an annual licence subscription requiring the customers to pay the licensing fees on an annual basis, failing which the subscription can be terminated or suspended even though the IT contract itself is still in force. The licence may also be subject to certain authorised use limitations such as a restriction on the number of active users or a maximum processing capacity in a month or a year. It is also very common for the licence to be limited to the entity that subscribes to the software only, without extending to its other related companies, although the customers may have originally intended for the software deliverables to be for group-wide usage.
In-house legal should work with the end users within the organisation to ensure that the licensing terms of the deliverables are well-suited for the end users’ requirement or intended usage.
Warranties on Intellectual Property
The customers’ ability to use and continue using the software or deliverables is essential, be it through ownership over the IP rights in the software deliverables or a licence to use thereof. As such, IT contracts will almost without fail require the service providers to offer warranties in relation to the service providers’ rights or authorities to grant licence to the software deliverables, or warranties that the software deliverables do not infringe upon third parties’ IP rights.
In our experience, service providers are typically in a comfortable position to offer these warranties in relation to IPs. Some of the more reputable software principals or providers may have even conducted IP clearances or searches in the countries that they are operating in to ensure that their offerings indeed do not infringe upon third parties’ IP rights. Where the service providers are only reselling the software however, they may not be in a position to give warranties on non-infringement of third parties’ IP rights and may require the customers to rely directly on the warranties offered by the software principals under the applicable EULAs.
Indemnity on Intellectual Property
An IP indemnity goes pretty much hand-in-hand with the IP warranties expounded above. Service providers are usually expected to indemnify the customers for any damages that the customers may suffer due to IP infringement claims from third parties resulting from or caused by the software deliverables infringing third parties’ IP rights. Such an infringement claim can adversely affect the customers’ rights to continued usage of the software deliverables and thus it is well within expectation that customers should be indemnified as such.
Similarly, while service providers normally do not object to offering an IP indemnity, it may be conditional upon the customers agreeing to undertake a few obligations themselves. We have commonly seen service providers requiring customers to (i) provide due notice of the IP infringement claim as soon as the claim comes to the knowledge of the customers; (ii) give up and relinquish control of the defence of the infringement claim to the service providers; (iii) undertake not to engage the claimant or plaintiff in negotiating or agreeing upon a settlement of the claim; and (iv) render assistance to the service providers in defending the claim.
Additionally, some service providers may also impose exceptions to IP indemnities where under certain circumstances, the service providers will not have an obligation to indemnify. Some of these exceptions may include where the subject matter of the IP infringement claim is the portion of the software deliverables customised based on the customers’ requirements, where the alleged infringement is caused by the customers’ failure to update the software according to the service providers’ directions or where the customers had used the software deliverables in contravention of the applicable manuals or terms of use.
Intellectual Property Escrow
Lastly, some customers may also require an escrow clause to be present in the IT contract, to subject the source code of the software deliverables to an escrow. The purpose of the escrow is to offer a fail-safe, allowing customers access to the underlying source code of the software deliverables upon certain events that will trigger a release of the source code. These events will normally entail the software principals or service providers ceasing their business operations, or the version of the software having been made obsolete.
When there is an escrow release triggering event, the customers will need to have the rights to use and modify the source code of the software so released, so that they can continue to maintain the software on their own. A software escrow is essential when the software deliverable is mission-critical to the customers’ business operation.
Conclusion
IP-related clauses in an IT contract require careful drafting and structuring. Depending on the business requirement of a customer, as well as the commercialisation model of a service provider, the way the IP-related clauses will be presented can differ drastically from contract to contract. Ideally, the lawyers handling the review and finalisation of these IT contracts should be well-versed in both IT contract drafting and IP laws in order to ensure that the commercial interests of both the customers and the service providers are well protected.
Whether you are a service provider looking to onboard a new customer, or you are looking to outsource certain IT services to an external service provider, the Technology Practice Group at Halim Hong & Quek has the relevant expertise to assist. The Technology Practice Group frequently represents service providers and customers alike in their IT projects, and will certainly be able to address the legal needs in this aspect. If you have any enquiries, please feel free to reach out to the partners at the Technology Practice Group.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity; ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance; johnson.ong@hhq.com.my
2 December 2024
A Pathway to Sustainable Energy through Net Energy Metering (NEM)
Introduction
The Net Energy Metering (NEM) program was introduced in Malaysia in 2016 following ASEAN countries’ commitment to increase renewable energy through the ASEAN Plan of Action for Energy Cooperation, which was entering phase 4 for the period between 2016 and 2025 (“APAEC”). Under the APAEC, ASEAN aims to collectively increase its total installed capacity of renewable energy to 23% by the year 2025.
To achieve this goal, each ASEAN member, including Malaysia, has allocated necessary financing to reduce energy consumption and intensity, developed several outcome-based strategies as well as implemented policies to encourage the development of renewable energy and increase energy efficiency. One of the initiatives by Malaysia towards this objective was the introduction of NEM.
What is NEM?
In the implementation of NEM, the energy produced from the solar PV system installed will be consumed first and any excess energy will be exported to the grid and to be offset against kWh from the energy provided by the distribution licensee (namely Tenaga Nasional Berhad) to the electricity consumer during the applicable billing period. The NEM program has been updated from time to time since its inception where we now have NEM 3.0 which will be operational until 31 December 2024.
The NEM is one of the many initiatives introduced to encourage the adoption of renewable energy, particularly solar power. This article aims to provide an overview of the program and how the program contributes to enhancing environmental, social and governance practices in Malaysia.
Evolution of NEM
Initially launched in 2016, the scheme has been renewed several times. This evolution reflects Malaysia's commitment to increasing renewable energy uptake and reducing carbon emissions. The introduction of NEM 2.0 in 2019, which allowed for a “one-to-one” offset basis, was followed by NEM 3.0 with additional quotas and incentives.
Effective 1 January 2019, the NEM 2.0 was improved by adopting the true net energy metering concept and this will allow excess solar PV generated energy to be exported back to the grid on a “one-on-one” offset basis. This means that every 1kWh exported to the grid will be offset against 1kWh consumed from the grid.
Participating in NEM
The NEM program was executed by the Ministry of Energy and Natural Resources and regulated by the Energy Commission with Sustainable Energy Development Authority (SEDA) Malaysia as the implementing agency.
The NEM 3.0 is in effect from 2021 to 31 December 2024 with total quota allocation up to 1550 MW. The total allocation of 1550 MW is divided within 3 categories of users, namely, 350 MW for the NEM Rakyat program, 100 MW under NEM GoMEn Program for government ministries and agencies and 1100 MW under NOVA program.
How to Apply for NEM
Applying for NEM involves several steps, which are designed to ensure that the process is accessible and efficient for all potential participants.
The first step is to determine one’s eligibility. The consumer must be a registered TNB consumer or a person applying to be a consumer of TNB and that he/she has never installed solar PV units under the previous NEM initiatives. For the NEM Rakyat category, the consumer must be in occupation of private dwelling premises without carrying out any form of business while consumer under NEM GoMEn must be a government ministry or department or statutory body whether at the federal, state or district level.
The consumer must ascertain his solar PV capacity limit and quota allocation limit to their respective categories. The quota allocation limit for NEM Rakyat program has been increased to 350MW following the Government’s approval of the release of additional 100MW quota for the NEM Rakyat program in line with the introduction of the Solar for Rakyat Incentive Scheme (SOLARIS) by the Ministry of Energy Transition and Water Transformation on 27 March 2024.
After determining one’s eligibility, the consumer is required to appoint a registered solar PV service provider. A list of registered solar PV service providers, with profiles of the service providers, is available on the SEDA website.
The consumer will need to submit an application for a NEM Assessment Study (NEMAS) if the applied capacity limit exceeds 72 kW. Once approval is obtained or where approval is not required, the consumer would need to submit an application for the NEM through the online e-NEM portal.
Upon approval of NEM application, the consumer must get the solar PV installed within 3 months from the approval. The existing meter will be changed to bi-directional meter to measure the electricity generated and consumed. During the installation process, there will be testing and commissioning followed by the signing of NEM contract before commencement of billing under the NEM scheme.
The NEM contract is a standard power purchase agreement between the consumer and TNB as the distribution licensee which would include salient terms such as:
(a) the tenure of the contract is 10 years only and, once the tenure is up, the solar PV installation shall be strictly for self-consumption only and no off-set will be allowed for any excess energy exported;
(b) consumer declaration that the renewable energy system complies with technical guidelines and prevailing statutory requirements;
(c) representations and warranties of the consumer, particularly the warranty by the consumer that he/she will not allocate the excess energy generated by the renewable energy system to other residents;
(d) termination by the consumer, and the circumstances in which TNB will not accept the export of the excess energy;
(e) the obligation to upkeep and maintain the installation, non-transferability, no setting off of credit amount, etc.
Points for Consideration and Suggestions for NEM initiatives
While NEM offers numerous benefits, there are also some areas for further consideration that need to be addressed to ensure its long-term success.
(i) Costs
The upfront cost of installing solar PV systems can be a barrier for some consumers. A typical solar system for residential use could cost anywhere from RM15,000 onwards, depending on the type of house and roof size, type and material, the size of the solar PV system and the type of solar panels. Although there are incentives and financing options available, the initial investment remains a significant consideration. Therefore, it is always advisable to get a few quotations from solar PV service providers in order to get the cost and quality that would meet the consumer’s needs.
(ii) Regulatory Challenges
Navigating some of the requirements in the guidelines for NEM installation, one would observe some potential regulatory challenges, such as ensuring that all installations meet the technical and safety requirements set by the Energy Commission and other relevant authorities. Therefore, potential consumers who intend to participate in the NEM program should have some basic knowledge of the requirements imposed by the Energy Commission and other authorities regarding the application and installation process of the NEM.
For consumers who are regulatory bodies, they are required to obtain all necessary licenses and approvals, including a generating license from the Energy Commission for installations exceeding 72 kW. For consumers who are tenants, they would need to obtain the written approval of the landowner of the premises. A clear guideline with simplified regulatory processes can help reduce barriers for potential consumers and, coupled with increasing public awareness of the processes, would drive greater adoption of the NEM initiative.
Enhancing ESG Practices through NEM
NEM plays a significant role in enhancing ESG practices in Malaysia by promoting environmental sustainability, social responsibility, and good governance. By reducing reliance on fossil fuels and promoting renewable energy, NEM contributes to environmental sustainability. This aligns with global efforts to combat climate change and reduce carbon footprints. NEM also encourages community participation in renewable energy initiatives where NEM Rakyat empowers residential consumers to contribute to sustainable energy goals. Its implementation too represents a collaboration between government agencies, private sector and consumers, thus promoting good governance and accountability in the energy sector.
Conclusion
Net Energy Metering is a transformative initiative that supports Malaysia's transition to sustainable energy. With further enhancement and improvement of the scheme, NEM can play a crucial role in promoting renewable energy, reducing carbon emissions, and enhancing ESG practices. It is encouraging to see an increasing number of residential consumers participating in the NEM initiative, judging by the release of additional quotas 2 times in a row since the beginning of NEM 3.0 in 2021, with the latest addition of 50 MW in September 2024 and again an addition of 50 MW in November 2024, totaling 450 MW quota currently. Similarly, there is also an additional 300 MW to the quota under NEM Nova, totaling 1400 MW quota currently. Malaysia will continue to advance its renewable energy goals. We hope that the NEM initiative will remain a key component of its sustainable energy strategy.
About the author
Tan Poh Yee, Senior Associate, ESG Practice Group, Halim Hong & Quek, pohyee.tan@hhq.com.my
19 November 2024
New Data Breach Notification Requirements under the Personal Data Protection (Amendment) Act 2024: 5 Key Takeaways for Compliance
Ever since the Personal Data Protection (Amendment) Act 2024 was officially gazetted on 17 October 2024, one of the most frequently asked questions we received centers around the new data breach notification obligations introduced under the amended law. Given the substantial impact these new data breach notification obligations have on compliance operations, organizations will need to implement new processes, update policies, and ensure their compliance frameworks are robust enough to manage these obligations effectively.
In this article, we will explore 5 key takeaways on the data breach notification requirement, offering insights designed to assist general counsels, data protection officers, compliance officers, and in-house lawyers in preparing for and responding to these changes.
1. Understanding ‘Personal Data Breach’
To fully grasp the data breach notification requirements, organizations must first appreciate the definition of a personal data breach. The Personal Data Protection (Amendment) Act 2024 defines a personal data breach as “any breach of personal data, loss of personal data, misuse of personal data, or unauthorized access to personal data.” This broad definition is intentional, covering a wide array of scenarios where data may be compromised.
Given the breadth of the definition for personal data breach, organizations should evaluate their data breach and incident response protocols to account for this broad definition and ensure that personal data breaches are appropriately identified, classified, and escalated within their risk management frameworks.
2. Obligation to Notify the Personal Data Protection Commissioner
Under the Personal Data Protection (Amendment) Act 2024, if a data controller (a term which replaces the previous “data user”) has reason to believe a personal data breach has occurred, it is required to notify the Personal Data Protection Commissioner “as soon as practicable.”
At the time of writing, there is no detailed guidance on the specific timeframe or required information for such data breach notifications, but it may be helpful to consider recent legislative trends. For instance, under the Cyber Security Act 2024, NCII entities must notify immediately upon becoming aware of a cyber security incident, followed by additional reports within the six-hour and fourteen-day timeframes, detailing information on the incident’s severity, method of discovery, particulars of the threat actors involved, response actions taken, and impacts.
We trust that it is reasonable to expect that the data breach notification guidelines under the Personal Data Protection (Amendment) Act 2024 may take cues from similar standards and frameworks, and we should be expecting proper regulations to be issued in due course.
3. Obligation to Notify the Data Subject
Unlike the Cyber Security Act 2024, which mandates upward notification to authorities only, the Personal Data Protection (Amendment) Act 2024 also mandates notifying data subjects directly if the personal data breach causes or is likely to cause significant harm to the data subjects.
Although detailed specifics on the required timeframe and content of these notifications have yet to be provided, organizations should take this obligation very seriously for two practical reasons.
First, data breaches often affect substantial volumes of personal data, creating logistical challenges and the need for robust protocols to ensure affected individuals are notified promptly and accurately. Coordinating this process demands that organizations prepare effective notification mechanisms to address a potentially large number of affected data subjects.
Second, notifying data subjects directly introduces public relations and investor relations considerations. When a personal data breach occurs, how an organization responds will likely have lasting impacts on its reputation and the trust it commands. Beyond the personal data breach itself, stakeholders, including customers, investors and partners will assess the organization’s crisis management approach. The way organizations respond to and manage a personal data breach—not just the fact that a breach occurred—will likely become a defining factor in shaping public trust and brand integrity.
4. Consequences of Non-Compliance with Data Breach Notification Requirements
The consequences of non-compliance under the Personal Data Protection (Amendment) Act 2024 are substantial.
Failure to comply with the data breach notification requirement can result in serious penalties, including a fine of up to RM250,000, imprisonment of up to two years, or both, upon conviction. These penalties underscore the critical importance of prompt and proper notification in the event of a personal data breach. Hence, organizations should view this as a compliance imperative, as both financial and reputational risks are at stake.
5. Proactive Measures: What Organisations Should Do Moving Forward
As we approach 2025, a proactive approach to data protection will be crucial. In-house legal teams and compliance departments should prioritise updating policies, enhancing internal protocols, revising handbooks, and conducting organisation-wide training to align with these new requirements introduced in the Personal Data Protection (Amendment) Act 2024.
Malaysia’s regulatory landscape is placing an increasing emphasis on corporate governance and data protection compliance. Given the significant penalties, including imprisonment, for non-compliance, organisations must ensure their data breach response frameworks are robust. A strategic step forward would be to engage legal professionals skilled in data protection law to assist with compliance gap analyses, privacy handbook updates, and training sessions for directors and relevant teams. By doing so, organisations can mitigate the risk of penalties and enhance their preparedness to handle potential breaches with confidence.
Conclusion
The data breach notification requirements introduced under the Personal Data Protection (Amendment) Act 2024 signify a pivotal shift in Malaysia’s data protection landscape, reflecting global best practices and the importance of transparency in managing personal data. With comprehensive strategies and proactive planning, organizations can navigate this regulatory shift with confidence, safeguarding both their compliance standing and the trust of their stakeholders.
If your organisation needs help with crafting a protocol for the handling of personal data requests from data subjects, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my
14 November 2024
Overview of Key Amendments to Occupational Safety and Health Act 1994
A. Introduction
Effective 1st June 2024, the Occupational Safety and Health Act 1994 (“OSHA” / “Act”) effectively incorporates and enforces the amendments under the Occupational Safety and Health (Amendment) Act 2022 (“OSHA Amendment Act 2022”). These amendments underscore a heightened focus on proactive risk management and the importance of addressing potential hazards to safeguard the well-being of all stakeholders.
Previously, the Act applied only to limited industries. Following the amendments, the Act has been widened to include all kinds of workplaces and industries, except for domestic employment, armed forces, and specific shipping ordinances that govern work on board ships.
B. Highlights
1. New duties and obligations on Employers / Principals
Under the new S18A, principals are now responsible to ensure the safety and health of contractors, subcontractors, and their workers operating under the principal’s direction.
S18B(1) now obligates every employer, self-employed person or principal to conduct risk assessments to evaluate potential hazard or risk that may be posed to any persons at the workplace. In the same connection, employers or principals are then required under S18B(2) to implement risk control and measures to eliminate or mitigate the safety and health related risks.
Further, S29A mandates every employer, with 5 or more employees, to appoint an employee to act as an occupational safety and health coordinator for the purpose of coordinating occupational safety and health issues at the workplace.
Employers also have a new duty imposed by S31A of the Act to ensure certain classes of employees (as would be directed by Minister’s order published in the gazette) to attend and complete occupational safety and health training course.
2. Protection of Employees in Imminently Dangerous Situations
For the first time, S26A grants employees a legal right to remove themselves from a dangerous work environment, (i) if they have reasonable justification to believe that there is an imminent danger at the place or the work itself, and (ii) if the employee failed to take any action to remove the said danger.
Employees who exercise their rights under this new S26A are to be protected against undue consequences and shall not be discriminated against.
“Imminent danger” is defined under the same section as ‘a serious risk of death or serious bodily injury to any person that is caused by any plant, substance, condition, activity, process, practice, procedure or place of work hazard’.
In addition, Fourth Schedule has also been newly introduced into the Act to outline situations that constitute ‘serious bodily injury’.
3. Heavier Penalties for Non-Compliance
Overall, penalties for non-compliance have been significantly increased, signalling the government’s commitment to establishing a strong deterrent against violation of occupational safety and health provisions of the Act.
Detailed comparison of penalties before and after amendments (effective 1.6.2024):
| Section | Types of Offences | Previous Penalty | Current Penalty |
|---|---|---|---|
| 19 | Failure of an employer to comply with duties under SS15, 16, 17, 18, 18A & 18B | ≤ RM50,000 fine; ≤ 2 yrs imprisonment; or both | ≤ RM500,000 fine; ≤ 2 yrs imprisonment; or both |
| 23 | Failure of any designer, supplier or manufacturer to comply with duties under SS20 & 21 | ≤ RM20,000 fine; ≤ 2 yrs imprisonment; or both | ≤ RM200,000 fine; ≤ 2 yrs imprisonment; or both |
| 24(2) | Failure of employee to comply with general duties at work under S24(1) | ≤ RM1,000 fine; ≤ 3 months imprisonment; or both | ≤ RM2,000 fine; ≤ 3 months imprisonment; or both |
| 27(3) | Discrimination against employees by employer or trade union | ≤ RM10,000 fine; ≤ 1 yr imprisonment; or both | ≤ RM100,000 fine; ≤ 1 yr imprisonment; or both |
| 29(5) | Failure of occupier of workplace to comply with duties under S29 | ≤ RM5,000 fine; ≤ 6 months imprisonment; or both | ≤ RM50,000 fine; ≤ 6 months imprisonment; or both |
| 29A(5) | Failure of employer to appoint an occupational safety and health coordinator (when there are 5 or more employees) under S29A(1) | Nil | ≤ RM50,000 fine; ≤ 6 months imprisonment; or both |
| 30(4) | Failure of employer to establish a safety and health committee (when there are 40 or more employees) | ≤ RM50,000 fine; ≤ 6 months imprisonment; or both | ≤ RM100,000 fine; ≤ 1 yr imprisonment; or both |
| 31A(4) | Failure of an employer to ensure attendance of selected employees to complete occupational safety and health training courses under S31A(2) | Nil | ≤ RM50,000 fine; ≤ 6 months imprisonment; or both |
| 31B(2) | Any person who is not competent to carry out activities under Fifth Schedule, or unqualified to conduct training course | Nil | ≤ RM100,000 fine |
| 35(3) | Failure to comply with Director General’s order under S35(1) that prohibits the use of any plant or substance likely to affect safety and health of persons | Nil | ≤ RM500,000 fine; ≤ 2 yrs imprisonment; or both |
| 49(2) | Failure of an employer or principal to comply with the improvement or prohibition notice under S48 | ≤ RM50,000 fine; ≤ 5 yrs imprisonment; or both. *Continuing offence RM500 fine per day | ≤ RM500,000 fine; ≤ 2 yrs imprisonment; or both. *Continuing offence RM2,000 fine per day |
| 51 | General penalty: Any person who contravenes any provision of the OSHA where no penalty is specifically provided | ≤ RM10,000 fine; ≤ 1 yr imprisonment; or both. *Continuing offence RM1,000 fine per day | ≤ RM100,000 fine; ≤ 1 yr imprisonment; or both. *Continuing offence RM2,000 fine per day |
| 67(3) | Breach of duty of confidentiality | ≤ RM20,000 fine; ≤ 2 yrs imprisonment; or both | ≤ RM100,000 fine; ≤ 2 yrs imprisonment; or both |
4. Extension of liability to directors and officers of company
Under the revamped S52, the liability for OSHA-related offences committed by company, limited liability partnership, firm, society or other body of persons (collectively or separately referred to as “entity”), is now extended to the director, compliance officer, partner, manager, secretary, or other officers of any such entity.
This includes any individual who purports to act in the capacity of any such entity, and those who are in any manner or to any extent responsible for the management of any affairs of any such entity.
Individuals as specified above can now be held jointly and severally liable for such an offence, even though it was committed by the entity.
C. Conclusion
The OSHA Amendment Act 2022 represents a significant advancement in workplace safety and health legislation in Malaysia. Collectively, the amendments introduced to the OSHA reflect a comprehensive shift in Malaysia's commitment to enhancing workplace safety and aim to establish a safer, more accountable work environment across industries nationwide. These amendments are most welcome; however, it is imperative for employers to promptly adapt to these changes to ensure compliance with the new standards and provisions to safeguard the well-being of all stakeholders.
About the authors
Chau Yen Shen, Principal Associate, Dispute Resolution, Halim Hong & Quek, yschau@hhq.com.my
Esther Lee Zhi Qian, Associate, Dispute Resolution, Halim Hong & Quek, esther.lee@hhq.com.my
14 November 2024
Operation of Car Parks within Strata Property: Clarifying Proprietor and Management Rights
Introduction
In a residential strata setting, the operation and management of car parks, especially when used commercially, raise questions about individual rights versus collective welfare. In this article, Lum Man Chan and Goh Li Fei will discuss the grounds of judgment released by the Court of Appeal in Target Term Sdn Bhd v. Waldorf and Windsor Management Corporation, which sheds light on these issues, particularly on whether car park accessory parcels should remain private property or be reclassified as common property. The COA’s analysis in this case provides insights into how management corporations (“MC”) can balance private ownership rights and community welfare within the framework of Malaysian strata law.
Background Facts
Target Term Sdn Bhd (“Target Term”) acquired from the developer, 420 car park lots as accessory parcels alongside two (2) apartment units within a residential strata development. It is not disputed that Target Term and the developer of this property are related companies. The saga begins when the Management Corporation imposed maintenance fees on Target Term for the upkeep of these car parks, which led to Target Term filing a suit to challenge these charges. In response, the Management Corporation counterclaimed, seeking to nullify the purchase and have the car parks classified as common property. The Management Corporation argued that the developer’s sale of the car parks violated Sections 34(2) and 69 of the Strata Titles Act 1985 (“STA 1985”), which prevent accessory parcels from being independently “dealt with” apart from their associated main parcels.
Court of Appeal’s Analysis of Key Issues
The COA examined various legal precedents to resolve whether Target Term’s ownership and intended use of the car parks conflicted with the STA 1985 and whether the MC could reclassify these parcels as common property.
Car Parks Reverted to Common Property
In its analysis, the COA referenced the case of Ideal Advantage Sdn Bhd v. Perbadanan Pengurusan Palm Spring @ Damansara [2020] 4 MLJ 93, where the accessory car park parcels could be classified as common property. In Ideal Advantage, the developer’s sale of car parks separately from their primary residential parcels was held to have violated sections 34(2) and 69 of the STA 1985. Additionally, the development order required that these car parks serve the residential property rather than being independently sold. The Court determined that by violating the development order and the STA 1985, the accessory car parks in Ideal Advantage should revert to common property, thus falling under the MC’s authority.
The Innab Salil Case: “Dealing” and the Licensing of Accessory Parcels
The COA also referred to the case of Innab Salil v. Verve Suites Mont’ Kiara Management Corporation [2020] 10 CLJ 285, where the Federal Court discussed the concept of “dealing” under Sections 34(2) and 69 of STA 1985. The Innab Salil case clarified that “dealing” does not extend to short-term rental licenses, which are considered licenses to use rather than tenancies. The COA highlighted that Innab Salil established a precedent that licensing for short-term use did not constitute prohibited “dealing”, and that it was therefore within the rights of the proprietor to grant licenses for temporary occupation of the commercial car parks on the accessory parcels to car park customers.
Validity of the Sales and Purchase Agreement (SPA) and Proprietor’s Rights
Taking into account these precedents, the COA found that Target Term’s SPA with the developer was legally compliant. Since there was no breach of the development order in Target Term’s case, the COA concluded that the SPA was neither illegal nor void, affirming Target Term’s ownership of the car parks. By safeguarding Target Term’s title, the COA reinforced that private ownership rights under strata title law must be respected unless there is clear evidence of statutory contravention.
Importance of Formal Maintenance Fee Resolutions
An additional point raised by the COA was the importance of procedural compliance in determining maintenance fees. The COA underscored that the Management Corporation should pass a formal resolution in a general meeting to determine the maintenance fees in proportion to the share units held by the respective proprietors, ensuring transparency and accountability. By passing such resolutions, the Management Corporation can fairly distribute maintenance obligations among all parcel owners, including those who own accessory parcels. This ruling serves as a reminder for management corporations to adopt organized procedures in imposing fees, rather than relying on informal or arbitrary practices that may lead to disputes.
Key Takeaways
The Target Term case offers a clearer understanding of the application of “dealing” under STA 1985 as it pertains to accessory parcels like car parks within residential strata developments. While the COA upheld the private ownership rights of accessory parcel owners, it is essential to recognize that management corporations retain significant regulatory authority as they may enact by-laws that protect community welfare, potentially including by-laws regulating the commercial use of car parks within a residential property.
In conclusion, the decision in Target Term reinforces that accessory parcels in strata developments are protected as private property under Malaysian law, even when a large number of accessory parcels are attached to a single parcel. At the same time, it highlights that management corporations can play an active role in managing the residential environment through well-considered by-laws. While proprietors have rights over accessory parcels, these rights are balanced against the community’s collective interests, ensuring a harmonious environment for all residents in a strata development.
About the authors
Lum Man Chan, Partner, Dispute Resolution, Halim Hong & Quek, manchan@hhq.com.my
Goh Li Fei, Partner, Real Estate, Halim Hong & Quek, lfgoh@hhq.com.my
14 November 2024
The Salary Ceiling for Contributions Has Now Increased to RM6,000
The Employees' Social Security Act 1969 (SOCSO Act) and the Employment Insurance System Act 2017 (EIS Act) have undergone significant amendments to raise the salary ceiling used for employee contributions and benefits.
Amendments in 2022
In 2022, the salary cap was increased from RM4,000 to RM5,000.
Amendments in 2024
Effective October 1, 2024, the salary ceiling was raised further to RM6,000 per month under the Employees’ Social Security (Amendment) Act 2024 and the Employment Insurance System (Amendment) Act 2024. This increase broadens the range of workers covered under the SOCSO and EIS schemes, ensuring enhanced social security protection, particularly in cases of workplace injuries, illnesses, or job loss.
Contribution Rates
The updated mandatory employer contributions are as follows:
1. SOCSO: Between RM1.70 and RM17.50 per employee, per month; and
2. EIS: Between RM0.20 and RM2.00 per employee, per month.
Impact on Employers
While the increase per employee may seem minor, it still imposes new financial and compliance responsibilities on employers. Employers must update their payroll systems accordingly to reflect these changes. Non-compliance with these requirements can lead to severe penalties, including imprisonment of up to two years, fines up to RM10,000, or both, as stipulated in Section 94 of the EIS Act and Section 16 of the SOCSO Act.
Conclusion
These amendments aim to provide greater social protection by increasing the range of employees eligible for benefits. Employers must proactively adjust their systems and ensure compliance to avoid legal repercussions while enhancing workforce welfare.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Author
Damia Amani binti Shaiful Bahri, Associate, Dispute Resolution, Harold & Lam Partnership, damia@hlplawyers.com
14 November 2024
Recent Developments in Malaysia's Personal Data Protection Act
The Personal Data Protection Act (PDPA) was enacted in Malaysia on June 2, 2010, and officially came into effect on November 15, 2013. This legislation established Malaysia as the first country in the Association of Southeast Asian Nations (ASEAN) to enact comprehensive privacy laws. In recognizing the rapid expansion of the digital economy, Malaysia acknowledged and understood the imperative need for robust safeguards to foster growth while simultaneously protecting citizens' rights to privacy.
Since its enactment, Malaysia has made significant strides in enhancing its data protection framework. The recent amendments to the PDPA, introduced in August 2024, represent a proactive effort to further strengthen personal data protection. These changes are designed not only to align with international standards but also to respond effectively to the dynamic and evolving digital landscape.
As businesses navigate these important updates, understanding the implications of the amended PDPA is crucial for ensuring compliance and developing strategic plans. By prioritizing data protection, organizations can build trust with customers, mitigate risks, and position themselves competitively in a landscape that increasingly values privacy and security.
Overview of the Amendments
The amendments to the PDPA represent a significant update and substantial enhancement to the existing regulations, reflecting Malaysia's commitment to safeguarding personal data amid growing concerns over privacy and security. Here are the key changes:
1. Replacement of “Data Users” with “Data Controllers”
The amended PDPA replaces all references to “Data Users” with “Data Controllers.” Under the PDPA, “Data Users” refers to “a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data but does not include a Data Processor.” This amendment aligns the terminology with international data protection frameworks, such as the European Union General Data Protection Regulation (GDPR), underscoring Malaysia's commitment to global standards in data protection.
While this amendment primarily serves to streamline terminology, it is predominantly cosmetic and will not materially alter the obligations of “Data Users,” now referred to as “Data Controllers,” under the PDPA. Businesses must now adopt the term “Data Controllers” in their practices.
2. Increased Accountability for Data Processors
A significant shift in the amendments is the heightened accountability imposed on “Data Processors”. Under the PDPA, “Data Processors” refers to “any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of their own purposes”. The amended PDPA now imposes direct legal obligations on them to comply with security requirements outlined in the Security Principle under Section 9.
“Data Processors” must now implement practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access, disclosure, alteration, or destruction. The amendments introduce direct penalties for non-compliance, with fines of up to RM1,000,000 and/or imprisonment for up to three years. This change enhances accountability within the data protection framework.
Key compliance measures now require “Data Processors” to implement necessary security protocols, including maintaining detailed records of data processing activities and developing a security policy that meets the minimum standards prescribed by the Commissioner through the Personal Data Protection Standard 2015 (PDP Standard), as mandated by the Personal Data Protection Regulations 2013.
3. Appointment of Data Protection Officers
The amendments introduce a mandatory requirement for both “Data Controllers” and “Data Processors” to appoint one or more Data Protection Officers (DPOs). This new obligation signifies a proactive approach to data protection, placing responsibility on organizations to monitor their adherence to the PDPA. DPOs must be registered with the Personal Data Protection Commissioner (Commissioner) and serve as the primary contact point for data protection matters between the organization and the Commissioner.
This obligation is limited to certain organizations engaged in large-scale processing of personal data, emphasizing the focus on entities that handle substantial volumes of sensitive information. The DPOs must be ordinarily resident in Malaysia and can be appointed internally or externally.
While the amendments do not specify penalties for non-compliance with DPO appointment, further guidance will be provided in upcoming Appointment of Data Protection Officer Guidelines (DPO Guidelines). Organizations should review their data protection policies to ensure that the DPO’s role and authority are clearly defined, enabling effective compliance and accountability.
4. Increased Penalties for Breaches of Personal Data Protection Principles
The recent amendments propose significant changes to the penalties for breaches of personal data protection principles outlined in Section 5 of the PDPA. These principles, known as the Personal Data Protection Principles (PDP Principles), are crucial for guiding “Data Controllers” in processing personal data.
Currently, breaches can result in a maximum penalty of RM300,000 or imprisonment for up to two years. However, the Amendment Bill raises these penalties to a maximum fine of RM1,000,000 and/or imprisonment for up to three years, reflecting a stronger commitment to enforcing compliance.
Although the increased penalties do not mandate specific compliance actions, they indicate a shift toward stricter enforcement. Businesses should seize this opportunity to review their practices and conduct audits to ensure they demonstrate comprehensive compliance with the PDPA.
5. New Mandatory Personal Data Breach Notification Regime
The amendments introduce a critical requirement for mandatory notification of personal data breaches by “Data Controllers”. Previously voluntary, the Amendment Bill now mandates that “Data Controllers” promptly notify both the Personal Data Protection Commissioner and affected data subjects in the event of a breach of personal data.
A "personal data breach" encompasses any loss, misuse, or unauthorized access to personal data. If a “Data Controller” believes a personal data breach has occurred, it must inform the Commissioner as soon as practicable. If the breach is likely to cause significant harm to data subjects, it must notify affected individuals without undue delay. Non-compliance could result in penalties, including fines of up to RM250,000 and/or imprisonment for up to two years.
While the Bill outlines the necessity for timely notifications, it does not define "significant harm." Further guidance on the notification process, including applicable thresholds and timeframes, will be detailed in the forthcoming Data Breach Notification Guidelines (DBN PCP).
6. Data Subject’s Right to Data Portability
The amendments introduce a new right for data subjects: the right to data portability. This allows individuals to request that a “Data Controller” transmit their personal data directly to another “Data Controller” of their choice, provided the transfer is technically feasible and the data formats are compatible.
For instance, this enables data subjects to request the direct transmission of their personal data from one healthcare provider to another. To exercise this right, individuals must provide written notice through electronic means, and “Data Controllers” are obligated to complete the transmission within a specified timeframe. However, this right is not absolute; it is contingent on technical feasibility and compatibility of data formats.
Notably, the amendments do not outline penalties for “Data Controllers” who fail to comply. Further guidance on the implementation of the right to data portability will be detailed in the forthcoming Data Portability Guidelines (Data Portability PCP).
7. Removal of the White-list Regime for Cross-border Data Transfers
The amendments also propose the removal of the white-list regime, previously established under Section 129, which has not been utilized since the PDPA's inception. This regime required “Data Users” to transfer personal data only to jurisdictions specified by the Minister based on the Commissioner’s recommendations.
The new provisions allow “Data Controllers” to transfer personal data to any country, provided that the recipient's laws are substantially similar to the PDPA or offer an adequate level of protection. While this shift empowers organizations to assess data protection laws abroad, it may pose challenges, particularly for smaller entities that may need to engage external legal experts for compliance.
The absence of a centralized adequacy mechanism could lead to inconsistent evaluations among “Data Controllers”, complicating cross-border data flows. To assist with these changes, the Commissioner is developing the Cross-Border Data Transfers Guidelines to clarify necessary steps for compliant outbound transfers.
8. Exclusion of Deceased Individuals as Data Subjects
The amendments refine the definition of “data subject” by explicitly excluding deceased individuals.
9. Recognition of Biometric Data as Sensitive Personal Data
The PDP Bill expands the definition of “sensitive personal data” under the PDPA to include “biometric data.” This type of data is defined as any personal data resulting from technical processing related to an individual’s physiological or behavioral characteristics, such as fingerprints, facial recognition, or voice patterns.
By categorizing biometric data as sensitive, the amendments impose stricter consent and security requirements due to the inherent risks associated with its misuse. Previously, the PDPA recognized four types of sensitive personal data, including information about physical health, political opinions, and religious beliefs. The addition of biometric data emphasizes the need for heightened vigilance in its handling and processing, especially as its use in sectors like security and healthcare continues to rise. Examples now explicitly recognized include retinal analysis, keystroke dynamics, gaze analysis and handwritten signature analysis.
Implications for Businesses
These amendments present both challenges and opportunities for businesses operating in Malaysia. Companies must take proactive steps to ensure compliance with the new regulations. Here are some considerations for organizations:
· Review and Revise Policies:
Businesses should revisit their privacy policies and data handling procedures to align with the new consent and accountability requirements, updating internal documentation and training staff accordingly.
· Investment in Data Security:
To comply with increased accountability, companies should invest in robust data security measures. This includes implementing advanced technological solutions to protect personal data and regular audits to assess compliance with the amended PDPA.
· Enhancing Consumer Trust:
By adopting transparent data practices and prioritizing data protection, businesses can build trust with consumers. Demonstrating a commitment to safeguarding personal data can serve as a competitive advantage in an increasingly privacy-conscious market.
· Legal and Compliance Consultations:
Engaging legal professionals or data protection experts will be vital for navigating the complexities of the amended PDPA. These experts can provide guidance on compliance strategies and help organizations prepare for potential audits or investigations.
Conclusion
The recent amendments to Malaysia’s Personal Data Protection Act mark a significant advancement in the country’s efforts to enhance personal data protection. As businesses adapt to these changes, staying informed and proactive will be essential to ensure compliance and protect consumer rights. With the growing global emphasis on data privacy, Malaysia's updated PDPA positions the nation as a proactive player in the realm of data protection, fostering a more secure environment for both consumers and businesses alike.
About the Authors
Low Khye Yen, Partner, Banking & Finance, Real Estate, Trust, Wills & Probate, Halim Hong & Quek, kylow@hhq.com.my
13 November 2024
Case Summary: Asia Pacific Higher Learning Sdn Bhd v Stamford College (Malacca) Sdn Bhd [2024] MLJU 1712
INTRODUCTION
In the recent case of Asia Pacific Higher Learning Sdn Bhd (Registered Owner and Licensee of the Higher Learning Institution Lincoln University College) v Stamford College (Malacca) Sdn Bhd [2024] MLJU 1712, the Court of Appeal had to decide a critical issue regarding the enforceability of an arbitration clause in a commercial agreement between two private higher learning institutions. The case revolved around a collaboration agreement in which Stamford College was to conduct undergraduate programs on behalf of Lincoln University College, operated by Asia Pacific Higher Learning. When disputes arose, Stamford College sued Asia Pacific for breach of contract and other tortious claims, leading to a legal argument over whether the matter should be resolved by way of litigation or arbitration. This case serves as a key example of how courts approach ambiguities in arbitration clauses.
BRIEF BACKGROUND FACTS AND FINDINGS OF THE HIGH COURT
The disputes arose from a collaboration agreement between the two parties, both of which are registered private higher learning institutions under the Malaysian Ministry of Higher Education. Asia Pacific Higher Learning Sdn Bhd (the Appellant) (“Asia Pacific”), which operates Lincoln University College, entered into a Memorandum of Agreement (“MOA”) on 13.11.2011 with Stamford College (Malacca) Sdn Bhd (the Respondent) (“Stamford College”). Under this MOA, Stamford College was to conduct several undergraduate programs of Lincoln University College at Stamford's premises in Melaka.
However, disagreements and disputes later arose regarding the management and execution of these programs, leading Asia Pacific to terminate the MOA. Thereafter, Stamford College filed a suit against Asia Pacific in the Shah Alam High Court, alleging breach of contract, fraudulent misrepresentation, deceit, and negligent misstatement.
Thereafter, Asia Pacific filed an application for Stay pending Arbitration pursuant to Section 10 of the Arbitration Act 2005, as per the dispute resolution clause as set out at Clause 36 in the MOA. Clause 36 of the MOA states as below:
“(36) Settlement of Disputes
(a) Any dispute under this Agreement between the parties to this Agreement shall be settled by a single arbitrator mutually as agreed by the parties to this Agreement or under the courts of Malaysia.
(b) A dispute under this Agreement shall include any dispute of difference between the parties thereto regarding any matter or thing whatsoever herein contained, or the operation or construction thereof or any matter, or thing in any way connected with this Agreement, or the rights, duties or liabilities of either party under or in connection with this Agreement.”
The Judicial Commissioner in the High Court rejected Asia Pacific’s stay application on the basis that the arbitration clause is inoperative. It was held that litigation, rather than arbitration, was the appropriate forum for resolving the dispute. It was also held by the Judicial Commissioner that the Courts possessed the jurisdiction and authority to determine the validity of the arbitration agreement and that the matter must be litigated due to the substantial public policy implications and the welfare of the affected students.
Dissatisfied with the Judicial Commissioner’s decision, Asia Pacific appealed to the Court of Appeal.
FINDINGS OF THE COURT OF APPEAL
The Court of Appeal unanimously dismissed the appeal, maintaining the High Court's decision to refuse a stay of proceedings for arbitration. In making the decision, the Court of Appeal had to consider 2 main issues as follows:
Operativity of the Arbitration Clause
In essence, Asia Pacific argued that the court proceeding ought to be stayed pursuant to Section 10 of the Arbitration Act 2005, as there is an arbitration clause in the MOA. It contended that the court should adopt a "prima facie" approach and defer to the arbitral tribunal to determine the validity of the arbitration agreement.
Stamford College, on the other hand, argued that the stay application ought to be dismissed as the arbitration agreement at Clause 6 was unclear and inoperative.
The Court of Appeal noted a conflict in judicial precedents regarding the standard of review the courts should apply in stay applications, i.e. between a prima facie review and a full merits review of the facts of the disputes. However, the Court of Appeal upheld the High Court’s decision, agreeing that the arbitration clause was ambiguous as the clause provided the option to resolve disputes either by arbitration or litigation, which did not create a mandatory obligation on the parties to arbitrate. Thus, the Court of Appeal found that there was no basis to enforce the arbitration clause, and Asia Pacific's application for a stay was dismissed.
Arbitrability of the Dispute
As the Court of Appeal had already determined that the arbitration clause was inoperative, the Court recognised that addressing the issue of whether the disputes were arbitrable was technically unnecessary. However, for the sake of completeness, the Court of Appeal decided to briefly examine the matter.
It was observed that the disputes between the parties were based on breach of contract and tortious claims such as fraudulent misrepresentation, which are typically arbitrable, depending on the scope of the arbitration clause. The Court of Appeal concluded that, assuming the arbitration agreement was valid, the disputes between the parties were arbitrable based on the broad wording of the arbitration clause in the MOA, which included matters "in any way connected" to the MOA.
Furthermore, in support of its position, Stamford College relied on Section 4 of the Arbitration Act 2005 which states that any dispute which the parties have agreed to submit to arbitration under an arbitration agreement may be determined by arbitration unless the arbitration agreement is contrary to public policy or the subject matter of the dispute is not capable of settlement by arbitration under the laws of Malaysia. It was argued by Stamford College that the disputes between the parties involved public interest because it concerned students who were left stranded without degrees.
While acknowledging the significance of the affected students' situation, the Court of Appeal concluded that the issue did not directly impact the enforceability of the arbitration clause.
COMMENTARY
This case highlights the importance of drafting clear and unequivocal arbitration clauses in commercial agreements. The ambiguity in the arbitration clause, which gave the parties an option to arbitrate or litigate, may lead to unnecessary complications on the operativity of the arbitration agreement. It reinforces the principle that courts will not compel arbitration unless the parties have clearly and unequivocally agreed to submit the disputes to be resolved by way of arbitration.
In conclusion, this case highlights the importance for institutions and companies entering into complex agreements to ensure that dispute resolution mechanisms, especially arbitration clauses, are clearly defined and enforceable to avoid disputes over the proper forum for resolving conflicts.
About the author
Ooi Hui Ying, Senior Associate, Arbitration, Construction & Engineering Disputes, Harold & Lam Partnership, huiying@hlplawyers.com
13 November 2024
Low Cheng Teik v. Low Ean Nee: Oppression or Derivative Actions?
Background Facts: A Family Business in Conflict
This case concerns the dispute among the shareholders of SNE Marketing Sdn Bhd (“the Company”), a multi-level marketing company engaged in selling food and nutritional supplements bearing the SNE trademarks.
In the High Court, one Low Ean Nee (“the Respondent”), who holds 50% of the Company’s shares, commenced an oppression action pursuant to section 346 of the Companies Act 2016 against the 3 Appellants, who collectively hold the remaining 50% of the shares. The High Court rejected all complaints of oppression and dismissed the action.
Notably, before commencing the oppression action, the Respondent issued a statutory notice to seek leave to initiate a derivative action on behalf of the Company under S 348(2) of the Companies Act 2016 (“CA 2016”), alleging that the Appellants were in breach of their fiduciary duties. Despite the notice, the Respondent filed the oppression action instead.
On appeal, the Court of Appeal upheld the rejection of 7 complaints but reversed the High Court’s decision on 1 complaint of oppression which concerned the assignment of the Company’s trademarks to one SNE Global Sdn Bhd (a company co-founded by the 1st Appellant) for a nominal consideration of RM10.00. The trademarks represented valuable intellectual property that contributed significantly to the company's success. The Respondent was not informed of this transaction, and no resolution from the board of directors authorized this assignment.
The Appellants were accordingly found liable for oppression which entails a buy-out order of the Respondent’s shares.
Issue: Whether the Complaint is Actionable by way of Oppression Action under S 346 of the CA 2016 or Derivative Action under S 347 of the Companies Act 2016.
Appellant’s Argument
The Appellant’s argument is rather straightforward. The oppression action brought by the Respondent is flawed because the act of the First Appellant amounts to a misappropriation of the Company’s assets in breach of a director’s fiduciary duties and is therefore a corporate wrong that ought to be pursued by way of a derivative action.
Respondent’s Argument
The Respondent argued that the grievance suffered is appropriately actionable through an oppression action. There ought not to be a bright-line test to determine whether a shareholder’s complaint is actionable by way of an oppression action or a derivative action; it should be decided on a case-by-case basis depending on the facts. A complaint can contain both a corporate wrong and a personal wrong. This is because the Respondent seeks personal relief and suffered injury distinct from the other shareholders.
Further, it was argued that the Appellants’ interests no longer align with the Respondent’s, leaving her in a non-operational and unprofitable company. Under a derivative action, the Respondent will not be properly remedied because, even if her action is successful, the damages will be paid back into a company that remains under the control of the Appellants.
Federal Court's Decision
The Federal Court allowed the appeal and reversed the Court of Appeal’s finding of oppression. Based on the facts, the loss is suffered by the Company and therefore the correct recourse is a statutory derivative action to be brought by any shareholder.
The Court acknowledged the challenges in distinguishing between personal grievances and wrongs to the company, particularly in cases where the wrongdoing affects both the Company and the shareholders.
The integral difference between an oppression action and a derivative action lies in the nature of the claim. An oppression claim under S 346 CA 2016 is a personal claim made by the minority shareholder who suffers a distinct and personal loss. On the other hand, a derivative action is brought on behalf of the company by a shareholder in a representative capacity.
The question to be asked when deciding on which is the appropriate action to pursue is: against whom has the alleged harm been caused.
The court outlined a legal test to determine whether a shareholder's complaint is actionable by way of oppression or as a derivative action:
(A) The nature of the harm: Is the harm personal to the shareholder, or is it a corporate harm that affects all shareholders equally?
(i) If it is to one or more shareholders, then the oppression action is proper.
(ii) If the harm is to the company alone, a derivative action is the appropriate cause of action.
(B) The cause of action
(i) If the cause of action is vested in the company, then it is the company itself that should take action.
(ii) If, on the other hand, it is vested in the shareholder, then he must take action.
Essentially, if the harm is done to the company, the plaintiff is the company, and a derivative action is appropriate. If the harm is personal to a shareholder, then an oppression action may be more appropriate.
The strict delineation is to prevent shareholders from bringing an oppression action in situations where there is no unfair conduct affecting their interest as shareholders. The oppression remedies are broader than those available in a statutory derivative action. The oppression remedy will not be available where a minority shareholder wishes to leave and sell their shares, or to take control of or break up the company.
The following criteria were laid down by the Court to ascertain whether a shareholder’s complaint is actionable under S 346 or S 347 of the CA 2016:
(i) What is the act or omission that one or more of the shareholders complain of?
In short, identify the act, series of acts or omissions;
(ii) Can the act(s) or omission(s) be characterised as being:
(a) oppressive to;
(b) in disregard of the interests of;
(c) unfairly discriminatory against; or
(d) otherwise prejudicial to one or more of the shareholders?
(iii) Does the cause of action vest in the shareholder or in the company?
(iv) Who has suffered loss or damage from the wrong done – the shareholder in his capacity as a shareholder, or the company?
(v) Is the loss suffered by the shareholder as plaintiff separate and distinct to the plaintiff in his capacity as a shareholder, or is it a loss suffered by all the shareholders?
In conclusion, the decision in Low Cheng Teik v. Low Ean Nee serves as a significant precedent for future shareholder disputes in Malaysia. By clarifying the distinction between oppression actions and derivative actions, the Federal Court has provided a roadmap for minority shareholders seeking redress.
About the Authors
Lum Man Chan, Partner, Dispute Resolution, Halim Hong & Quek, manchan@hhq.com.my
Esther Lee Zhi Qian, Associate, Dispute Resolution, Halim Hong & Quek, esther.lee@hhq.com.my
6 November 2024
Case Update: Effect of Section 524 of the Companies Act 2016 Unveiled
Sabah Development Bank Berhad v TYL Land Development Sdn Bhd (Court of Appeal) (Civil Appeal No: W-02(A)-743-04/2022)
This case discusses the following 3 novel questions:
(1) Whether the secured creditor (Appellant) can amend the Secured Creditor’s Valuation (Security), withdraw or amend the Secured Creditor’s Claimed Sum (Unsecured Debt Portion) pursuant to sections 524(1)(a), (b) and (2) of the Companies Act 2016 (“CA”) and paragraphs 13 and 15 of Schedule C to the Insolvency Act 1967 (“IA”) read with section 4(1) of the Civil Law Act 1956 (“CLA”) and section 42 of IA, where:
(a) The secured creditor had filed proofs of debt (“PODs”) in the company’s liquidation and the PODs had stated:
(i) the secured creditor’s valuation of the security which is an asset of the company charged in favour of the secured creditor (“Security”); and
(ii) the secured creditor’s claim in the liquidation of a certain sum as an unsecured debt from the company to the secured creditor;
(b) the company’s liquidator had accepted the PODs;
(c) the secured creditor had applied to the winding up court to replace the company’s liquidator;
(d) the secured creditor had voted in a creditors’ meeting regarding the replacement of the company’s liquidator; and
(e) the secured creditor had opposed an application by a company’s unsecured creditor to replace the company’s liquidator?
(2) Does rule 126 of the Companies (Winding-Up) Rules 1972 (“CWUR”) bar the secured creditor from:
(a) amending the Secured Creditor’s Valuation (Security); and
(b) withdrawing or amending the Secured Creditor’s Claimed Sum (Unsecured Debt Portion)?
(3) Due to the facts stated above, does the equitable estoppel doctrine bar the secured creditor from amending the Secured Creditor’s Valuation (Security), withdrawing or amending the Secured Creditor’s Claimed Sum (Unsecured Debt Portion)? In this regard, can a case law doctrine of equitable estoppel override section 524(1)(a) and (2) of CA read with paragraphs 13 and 15 of IA?
The Court of Appeal allowed the Appeal and in the main, held as follows:
(1) The secured creditor (Appellant) can amend the Secured Creditor’s Valuation (Security), withdraw or amend the Secured Creditor’s Claimed Sum (Unsecured Debt Portion) under section 524(1)(a), (b) and (2) of CA read with paragraphs 13 and 15 of IA;
(2) The secured creditor did not and is not deemed to have surrendered the Security, and thus, rule 126 of CWUR cannot be invoked;
(3) The secured creditor had inadvertently filed the 4 PODs, and the expungement application was not an afterthought; and
(4) The doctrine of estoppel cannot bar the effect of section 524(1)(a), (b) and (2) of CA read with paragraphs 13 and 15 of IA. The equitable doctrine is invoked to achieve justice. If estoppel is applied, there will be injustice to the secured creditor because the extent of the secured creditor’s interest will be unjustly reduced.
Summary of the Grounds of Judgment by Wong Kian Kheong, JCA
Background Facts
The Appellant/ secured creditor (“Bank”) had granted term loans, bridging loans and credit facilities (“Credit Facilities”) to the Respondent company. The repayment of the Credit Facilities was secured by way of Debentures, and a charge over a piece of land.
On 3.1.2019, the High Court ordered the winding up of the Respondent where the Official Receiver (“OR”) was appointed as the liquidator.
As a holder of the Debentures, the Bank appointed a receiver and manager (“R&M”). Thereafter, the Bank’s then solicitors filed 4 PODs with the OR. The PODs did not demarcate which part of the Bank’s debt was secured and which portion thereof was unsecured.
On 17.1.2020, the OR sent an email to the Bank’s then solicitors informing the Bank, among others, that as the Bank’s debt is a secured debt by way of the Security, the OR will reject the 4 PODs filed. Nevertheless, if the Bank wants to proceed with the filing of the POD, the Bank will have to surrender the Security.
The Bank’s then solicitors responded that the Bank will maintain the 4 PODs as filed. In the response, the Bank explained, among others, that the Bank is a secured creditor and holder of the Debentures. The Bank will not surrender the Security at the moment, and will only do so when the Security is realised.
The OR therefore accepted the Bank’s 3 PODs as follows:
(a) the value of the Bank’s Security was accepted at RM13 million; and
(b) the Bank was ranked as unsecured creditor of the Respondent for a sum of RM23,600,758.57.
On 12.2.2020, during a creditors’ meeting, the Bank (via proxies) voted as an unsecured creditor of the Respondent for a sum of RM23,600,758.57.
On 4.9.2020, the Winding Up Court appointed Datuk Ooi Woon Chee and Mr Tam Kok Meng (“Liquidators”) as private liquidators of the Respondent to replace the OR.
Following the appointment of the Liquidators, on 14.4.2021, the Liquidators’ solicitors wrote to the Bank to demand that the Bank remove the R&M since the Bank had given up its Security and would prove the whole debt in liquidation.
At around the same time, the Bank was informed by the R&M that the R&M received a proposal from a third party to acquire the Project and the charged land at a price of RM44,823,072.44.
On 19.4.2021, the R&M responded to the Liquidators’ letter and informed the Liquidators, among others, that:
(a) the Bank never had the intention to surrender its Security;
(b) it was expressly stated in the 4 PODs that the Bank was a secured creditor of the Respondent;
(c) the Bank’s vote at the creditors’ meeting was premised only on the unsecured portion of the debt;
(d) the Bank has now ascertained that the current realizable value of its Security had exceeded RM13 million and hence, would apply to withdraw its 4 PODs.
On 20.4.2021, the Bank’s solicitors also responded to the Liquidators, stating that the Bank never had the intention to surrender its Security, and applied to the Liquidators to expunge its 4 PODs.
By letter dated 7.5.2021, the Liquidators rejected the Bank’s expungement application.
In view of the Liquidators’ dismissal, the Bank filed an application to expunge its 4 PODs at the Winding Up Court. The Winding Up Court dismissed the Bank’s application.
Hence, the Bank filed the appeal to the Court of Appeal.
Effect of section 524 of CA
The Court of Appeal recognised that section 524 of CA is a new provision which is not provided in the previous Companies Act 1965.
Having considered the relevant sections, the Court held that the effect of section 524(1) of CA read with section 4(1) of CLA, section 42 of IA, and paragraphs 13 and 15 of IA is as follows:
(a) section 524(1) of CA confers the following 4 powers on a company’s secured creditor:
(i) to “realise a property subject to a charge, if entitled to do so”;
(ii) by virtue of section 524(1)(b) of CA, the secured creditor can:
(aa) value the security; and
(bb) claim in the winding up as an unsecured creditor for the balance due from the company to the secured creditor, if any; and
(iii) to surrender the security to the liquidator for the general benefit of the creditors and claim in the winding up as an unsecured creditor for the whole debt.
The secured creditor’s 4 powers above are subject to section 524(8) to (10) of CA, as follows:
(a) the company’s liquidator may serve a written notice on the secured creditor:
(i) to elect within 21 days which one of the 3 paragraphs in section 524(1)(a) to (c) of CA the secured creditor wishes to exercise; and
(ii) if the secured creditor elects to exercise the power conferred by section 524(1)(b) or (c) of CA, the secured creditor is required to exercise that power within 21 days;
(b) if the secured creditor fails to comply with the liquidator’s written notice, the secured creditor:
(i) is deemed to have surrendered the security to the liquidator under section 524(1)(c) of CA; and
(ii) may claim in liquidation as an unsecured creditor for the whole debt; and
(c) in the event of a surrender of security under section 524(1)(c) or (9) of CA and before the liquidator realises the security, the secured creditor may apply to the liquidator or the winding up court to:
(i) withdraw the surrender and rely on the security; or
(ii) submit a new claim under section 524 of CA.
The Court further noted that pursuant to section 524(2) of CA, even if the secured creditor had previously exercised its rights under section 524(1)(b) and/or (c) of CA, the secured creditor may still exercise its power to sell security under section 524(1)(a) of CA thereafter.
Effect of Rule 126 of CWUR
As regards the interpretation and effect of Rule 126 of CWUR, the Court of Appeal opined as follows:
(a) if a secured creditor votes in the company’s liquidation with regard to the secured creditor’s “whole debt”, the secured creditor “shall be deemed to have surrendered” the security;
(b) but there is nothing in rule 126 of CWUR which provides that if a secured creditor votes in the winding up matters of the company only regarding the unsecured portion of the debt, the secured creditor “shall be deemed to have surrendered” the security;
(c) even if a secured creditor has voted in the company’s liquidation with regard to the secured creditor’s entire debt, the secured creditor’s security is not deemed to have been surrendered if:
(i) the secured creditor applies to the winding up court and satisfies the winding up court that the secured creditor’s omission to value the security was due to inadvertence; or
(ii) upon an application to the winding up court, the court is satisfied that the secured creditor had mistakenly filed a POD.
Findings of the Court of Appeal
Having considered the proper effect of section 524 of CA and rule 126 of CWUR, the Court went on to make the following findings:
Bank has not surrendered security
The Court found that the Bank had not elected to surrender the land as security pursuant to section 524(1)(c) of CA on the following basis:
(a) If the Bank had intended to surrender the security, the Bank would not have appointed the R&M; and
(b) The Bank had maintained in their letters / emails that they had the intention to realise the land as security for the Credit Facilities.
Bank can revalue security and withdraw 4 PODs
The Court held that pursuant to section 524(1)(a) and (2) of CA, the Bank had the power to revalue the land for the purpose of its realization, and to withdraw the 4 PODs.
Rule 126 of CWUR not applicable
A company’s secured creditor shall only be deemed to have surrendered the security if the secured creditor votes in the company’s liquidation with regard to the secured creditor’s “whole debt”. Since the Bank did not vote with regard to the entire debt, there could not be any room for the invocation of Rule 126 of CWUR.
Bank had inadvertently filed 4 PODs
Based on the Bank’s email/letter where the Bank had explained that the filing of the 4 PODs was premised on an earlier valuation, the Court was of the view that the Court ought to accept the Bank’s explanation that the 4 PODs had been mistakenly filed.
In addition, the Court held that the expungement application was not an afterthought.
Bank is not estopped from withdrawing 4 PODs
The Court held that the doctrine of estoppel, which is premised on case law, cannot bar the effect of sections 524(1)(a), (b) and (2) of CA. In addition, the Court was of the view that injustice would be caused to the Bank if the Bank were barred from revaluing the land and withdrawing the 4 PODs.
Comments
The Court of Appeal’s decision in this case clarifies the powers and rights of a secured creditor under section 524 of CA, particularly in relation to their rights to amend valuations and claims (debts) in liquidation.
Whilst section 524 of CA confers the right on a secured creditor to withdraw a proof of debt filed subsequently (depending on the facts of the case), and/or to amend its valuation of its security, this case still serves as a reminder to secured creditors to take extra care when making their election under section 524(1) of CA to ensure that they have not surrendered, and are not deemed to have surrendered, their security.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Author
Amy Hiew Kar Yi
Partner
Corporate Disputes, Construction, Projects & Energy
Harold & Lam Partnership
amy@hlplawyers.com
5 November 2024
(Section 30 CIPAA 2012) Overview of Authorities on Direct Payment from Principal
Introduction
The Construction Industry Payment and Adjudication Act 2012 (Act 746) (“CIPAA”) introduced Section 30 which is a recourse and remedy available to the successful claimant in an adjudication claim who has obtained an Adjudication Decision in its favour against the respondent. The winning party may then seek direct payment of the adjudicated amount from the principal of the losing party in the Adjudication Decision.
Section 30 – Direct payment from principal
(1) If a party against whom an adjudication decision was made fails to make payment of the adjudicated amount, the party who obtained the adjudication decision in his favour may make a written request for payment of the adjudicated amount direct from the principal of the party against whom the adjudication decision is made.
(2) Upon receipt of the written request under subsection (1), the principal shall serve a notice in writing on the party against whom the adjudication decision was made to show proof of payment and to state that direct payment would be made after the expiry of ten working days of the service of the notice.
(3) In the absence of proof of payment requested under subsection (2), the principal shall pay the adjudicated amount to the party who obtained the adjudication decision in his favour.
(4) The principal may recover the amount paid under subsection (3) as a debt or set off the same from any money due or payable by the principal to the party against whom the adjudication decision was made.
(5) This section shall only be invoked if money is due or payable by the principal to the party against whom the adjudication decision was made at the time of the receipt of the request under subsection (1).
(Emphasis added)
The High Court in the case of Bumimetro Construction Sdn Bhd v Mayland Universal Sdn Bhd and another appeal [2017] MLJU 2245; [2017] CLJU 1959 (HC) held that the objective of CIPAA is to facilitate regular and timely payment in respect of construction contracts, provide a mechanism for speedy dispute resolution through adjudication and to provide remedies for the recovery of payment in the construction industry. The remedies provided for in Section 30 of CIPAA whereby the winning party in an Adjudication Decision may require the principal of the losing party in the Adjudication Decision to make direct payment shows that Parliament intended an Adjudication Decision to have immediate bite and not just a mere bark.
Overview of Cases/ Authorities
(A) Conditions and Requirements to Invoke Section 30 of CIPAA
The High Court in the case of Murni Environmental Engineering Sdn Bhd v Eminent Ventures Sdn Bhd & Anor and other suits [2016] MLJU 691 (HC) held that:
(i) Section 30 of CIPAA does not require there to be a contractual relationship, but only that there is a principal.
(ii) The fact that the principal has no knowledge of the adjudication claim or is not a party to the adjudication proceedings is not relevant.
(iii) All that is required under section 30 of CIPAA is for there to be a request by the winning party (subcontractor) to the principal (employer) for payment of the adjudicated sum.
(iv) The principal shall then serve a notice to the losing party (main contractor) on proof of payment and to state direct payment would be made after the expiry of 10 working days of service of notice and in the absence of proof of payment, the principal shall pay the adjudicated sum to the winning party.
In the case of B Cor Geotechnics Sdn Bhd v Panzana Enterprise Sdn Bhd [2019] MLJU 1030; [2019] CLJU 1393 (HC), the High Court held that:
(i) There is no prerequisite for a contractual relationship to exist between the winning/ successful party in an adjudication and the principal of the party against whom the adjudication decision was made, in order to rely on the remedy under Section 30 of CIPAA.
(ii) It is also not a prerequisite to an action under Section 30 of CIPAA that the winning/ successful party must have applied to enforce an adjudication decision under Section 28 of CIPAA.
(iii) All that is required to “set the wheels in motion” for an action under Section 30 of CIPAA is a written request by the winning/ successful party in an adjudication to the principal for payment of the adjudicated sum as provided under Section 30(1) of CIPAA.
The High Court in the case of Glocal Tech Engineering Sdn Bhd v Panzana Enterprise Sdn Bhd [2021] MLJU 474; [2021] CLJU 429 (HC) followed the legal principles enunciated in Murni Engineering (supra) and B Cor Geotechnics (supra), and laid out the following conditions which must be fulfilled before the winning party in an adjudication decision can invoke the remedy in Section 30 of CIPAA:
(i) There must be an adjudication decision whereby the winning party is entitled to an adjudicated amount which is to be paid by the losing party;
(ii) The losing party has failed to pay the adjudicated amount to the winning party;
(iii) The winning party has made a written request to the principal for the adjudicated amount to be paid directly to the winning party;
(iv) The principal did not serve a written notice to the losing party to show proof that the losing party has paid the adjudicated amount to the winning party or having served such notice, the losing party has failed to furnish the proof of payment and in any event, the principal did not pay the adjudicated amount directly to the winning party; AND
(v) There is money due or payable by the principal to the losing party at the time when the principal receives the written request for payment from the winning party.
(B) “Principal”
Section 4 of CIPAA defines a “principal” as a “party who has contracted with and is liable to make payment to another party where that other party has in turn contracted with and is liable to make payment to a further person in a chain of construction contracts”. Typically, a principal is the employer or main contractor in a chain of construction contracts for the Project:
Peck Chew Piling (M) Sdn Bhd v Panzana Enterprise Sdn Bhd [2022] MLJU 390; [2022] CLJU 428 (HC)
On 19.12.2019, the applicant/ winning party (sub-subcontractor) in this case obtained an adjudication decision in its favour against the losing party (subcontractor).
In 2017, the respondent/ principal (main contractor) in this case was appointed as the main contractor for a highway project. The principal (main contractor) then appointed the losing party (subcontractor) to carry out one of the work packages for the project. The losing party (subcontractor) engaged the winning party (sub-subcontractor) to provide rental services of equipment associated with the project.
The High Court held that the respondent (main contractor) is a “principal” as it is indisputable that the respondent/ principal (main contractor) contracted with the losing party (subcontractor), and is liable to make payment to the losing party (subcontractor). The losing party (subcontractor) is then liable to make payment to the winning party (sub-subcontractor), being a “further person” in the chain of construction contracts for the project.
The respondent/ principal (main contractor) also contended that it is not a “principal” as it had terminated the employment of the losing party (subcontractor) on 15.4.2019, before the receipt of the written notice from the winning party (sub-subcontractor) under Section 30 of CIPAA.
The High Court ruled that the termination does not affect the respondent’s (main contractor) position as a “principal”. The High Court explained that if Parliament had intended to confine the applicability of Section 30 of CIPAA to only existing or surviving contracts, it could have easily provided express words to that effect in the statute.
(C) “Adjudicated Amount”
Section 30 of CIPAA provides that the winning party who obtained the adjudication decision in his favour may request for the payment of the “adjudicated amount” directly from the principal. However, CIPAA does not expressly define what constitutes “adjudicated amount” under Section 30.
The Courts have consistently ruled that the phrase “adjudicated amount” under Section 30 of CIPAA includes the interest and costs awarded in an adjudication decision:
Pali PTP Sdn Bhd v Bond M&E Sdn Bhd [2023] 6 MLJ 176; [2023] 9 CLJ 740 (CA)
The Court of Appeal held that the term “adjudicated amount” in Section 30 of CIPAA would include both interest and costs, aside from the principal claim sum awarded in the adjudication decision.
The Court of Appeal opined that in the absence of definition of the phrase “adjudicated amount” in CIPAA, a purposive construction or interpretation of the phrase includes interest and costs, in furtherance of the purpose and object of the statute to protect and/or safeguard the rights particularly of the small contractors and/or subcontractors.
If the phrase “adjudicated amount” does not include interest and costs, the winning party (subcontractor) in this case would need to seek recovery twice, (i) once against the principal (employer) for the principal claim sum awarded and (ii) then against the losing party (main contractor) separately for interest and costs only.
Zedelta Sdn Bhd v Mayland Supreme Sdn Bhd [2023] 10 MLJ 95; [2023] 3 CLJ 977 (HC)
The High Court ruled that the term “adjudicated amount” in Section 30 of CIPAA includes both the interest and costs awarded in the adjudication decision. The Court allowed interest on the adjudicated sum at the rate of 5% per annum. However, it is to be calculated from the date of the decision of the Court until full settlement.
TCS Construction Sdn Bhd v KTCC Mall Sdn Bhd and another case [2024] MLJU 522; [2024] CLJU 508 (HC)
The High Court followed the interpretation adopted by the Court of Appeal in Pali PTP (supra) which held that “adjudicated amount” includes interest and costs.
(D) “Due or Payable”
The High Court in HSL Ground Engineering Sdn Bhd v Civil Tech Resources Sdn Bhd and another case [2021] 8 MLJ 347; [2024] CLJU 508 (HC) held that:
(i) The winning party may seek for direct payment from a principal in respect of any money due or payable.
(ii) Therefore, it is not limited to the unpaid money due pursuant to progress certificates issued by the principal to the losing party, but any other money payable by the principal to the losing party as at the date the principal received the written request pursuant to Section 30(1) of CIPAA from the winning party.
(iii) Ordinarily, money payable will include any uncertified progress claims and release of retention money.
The High Court in MKP Builders Sdn Bhd v Turnpike Synergy Sdn Bhd [2021] MLJU 1502; [2021] CLJU 1238 (HC) followed the principles enunciated in the case of HSL Ground Engineering (supra) and clarified that:
(i) Accrual of the debt crystallizes the obligation or liability to pay. There must be accrual of the debt before money pursuant thereto is either payable or due.
(ii) Interim and final payment debts for typical construction contracts accrue when the interim and final certificates are issued (otherwise on the expiry of the prescribed time for certification stipulated in the construction contract if the certificate has been withheld). However, if there is no certification mechanism stipulated in the construction contract, then the debt accrues on the receipt of the invoice. Upon such accrual, the money is payable.
(iii) Money will only be due after the expiry of the date of payment on the certificate stipulated in the construction contract. However, if there is no certification mechanism stipulated in the construction contract, then only after 30 days from the receipt of the invoice as provided in Section 36 of CIPAA.
(iv) Retention money is similarly payable upon the issuance of the relevant certificate such as the certificate of practical completion and/or certificate of making good defects as prescribed in the construction contract and only due after the expiry of the date of payment on the relevant certificates.
(v) In the event a construction contract is prematurely terminated, the debt accrues forthwith upon the occurrence of the termination and the money is accordingly both due and payable.
(E) Burden of Proof
The burden of proof is on the principal to prove that there is no money due or payable by the principal to the losing party. A bare assertion (assertion not supported with documentary evidence) from the principal that there is no money “due” or “payable” is insufficient. This could lead the Court to draw an adverse inference against the principal that there are indeed sums due or payable.
The High Court in the case of Chong Lek Engineering Works Sdn Bhd v PFCE Integrated Plant and Project Sdn Bhd and another case [2020] MLJU; [2020] CLJU 2251 (HC) held that if the winning party (subcontractor) to an adjudication decision proves the following 3 conditions:
(i) The losing party (main contractor) failed to pay the adjudicated amount to the winning party;
(ii) The winning party made a written request pursuant to Section 30(1) of CIPAA to the principal (employer) to pay the adjudicated amount directly to the winning party; and
(iii) The principal did not comply with the winning party’s request and did not pay the adjudicated amount directly to the winning party,
the evidential burden concerning the condition in Section 30(5) of CIPAA i.e. there is a sum of money due or payable from the principal to the losing party at the time of the principal’s receipt of the winning party’s written request, shifts to the principal.
This is due to the application of Section 106 of the Evidence Act 1950 which stipulates that “When any fact is especially within the knowledge of any person, the burden of proving that fact is upon him”.
Whether any sum of money is “due” or “payable” from the principal to the losing party at the time of the principal’s receipt of the winning party’s written request will be “especially within the knowledge” of the principal. Accordingly, if the principal denies that any amount of money is “due” or “payable” from the principal to the losing party, the principal has the evidential burden to “prove” such a denial.
About the Authors
Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my
Xean Chew
Pupil-in-Chambers
Dispute Resolution
Halim Hong & Quek
xean.chew@hhq.com.my
5 November 2024
Due Diligence on Open-Source Software
It is almost certain that most proprietary or in-house developed software nowadays contains elements or modules that are open source. Open-source software, commonly known as “OSS”, refers to software with source code that anyone can inspect, modify, enhance and use. It is very similar to software that has been licensed to end users for usage, save that the software licence comes with access to the source code of the software for modification, more often than not without charge.
The incorporation of OSS during a software development lifecycle has become commonplace, primarily because of the cost savings that it brings to an organisation, and because it is much quicker and easier to incorporate a set of ready source code than to write everything from scratch.
If you are thinking that OSS sounds a little too good to be true, well, you are not entirely wrong. Just like any other software, OSSs are made available under their respective licensing terms and conditions. Some of these OSSs are made available free for use entirely, but would actually require the deployer of the OSS to disclose the source code of the end product incorporating the OSS to the open-source community – also known as a “copyleft licence”.
Due to the nature of copyleft licences, companies trying to commercialise their own software that contains OSS(s) under copyleft licences might have difficulty in doing so, especially when their software is meant to be distributed to others without charge. Failure to comply with the copyleft licence would often give rise to a right for the relevant open-source community to claim monetary compensation as royalty or licence fee for the use of the OSS.
To avoid the pitfall of copyleft licences, it is important for general counsels to work closely with the internal software development team to conduct due diligence on the OSSs used by the developers to verify if any of them are under a copyleft licence. Likewise, in a software acquisition exercise or when contemplating the acquisition or investment in a software company, it is important for the legal team to conduct thorough due diligence on the provenance of the target software or the software owned by the target company. We have put forth below a quick guide on how to conduct due diligence on the OSSs incorporated in a software.
1. Exhaustive Listing of OSSs Used in the Software Development
The first step is naturally to request an exhaustive listing of the OSSs used by the developers or the company in developing its in-house software. Chances are, the listing may actually contain not just the OSSs incorporated, but also the “OSS development tool” used by the developers. Typically, an OSS development tool should not have any copyleft element that could affect the rights to distribute the software end products. The legal team reviewing the listing will have to take note of the distinction and filter out the non-OSS entries in the listing.
2. Reviewing the Applicable Open-Source Licence
Having just the listing of the OSSs itself is meaningless if the legal team does not have visibility of the licensing terms and conditions of the OSSs. The good news is that most, if not all, of the licensing terms of OSSs are published online, simply because the OSS packages are commonly distributed online by the community. The legal team should then conduct its own independent online verification to locate the licensing terms applicable to the relevant OSS and review them to assess whether the terms would require the deployers or users incorporating the OSS to similarly distribute the software end products via the same open-source terms or copyleft licence. A strict copyleft licence will demand the disclosure of the source code of the entirety of the software end product. Some copyleft licences may take a more lax approach, demanding only that the component or portion of the software integrated with the OSS be disclosed.
3. Determining the Next Step
While finding a copyleft licence in a software is usually a red flag, there are ways that a company can mitigate the impact. Assuming that the copyleft licence only requires a limited portion or component of the software end product that is actually integrated with the OSS to be disclosed, companies may opt to do so if the ability to commercialise the software as a whole can still be preserved. Otherwise, the terms of a copyleft licence would normally allow the deployer or developer a way out of strict compliance with the copyleft requirement – to pay a licence fee or royalty for the use of the OSS. If none of the above is commercially viable, then the next available step for the company to take is naturally to source an alternative OSS with less stringent licensing terms.
Navigating the usage of OSS can be daunting, especially for a legal team that is less familiar with software or technology parlance. It would be crucial for companies to work with legal advisers who are well versed in the industry to avoid any potential pitfalls that can be costly to the operation of the company. A competent legal team should even be able to help the company to manoeuvre the complex restrictions and requirements of OSS to maximise the commercial objectives of the company.
The Technology Practice Group at Halim Hong & Quek frequently assists clients with due diligence on software products incorporated with OSS, as well as advising clients on the impact of incorporating certain OSS under certain licensing terms. Please feel free to reach out to the team should you have any enquiry in this regard.
About the authors
Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner, Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my
4 November 2024
Banking Secrecy: Disclosure Limits & Effective Consents
1. Banking Secrecy
The Financial Services Act 2013 (FSA) and the Islamic Financial Services Act 2013 (IFSA) introduced a modernized regulatory framework governing Malaysia’s financial institutions, consolidating previous laws like the Banking and Financial Institutions Act 1989 and the Islamic Banking Act 1983. A core component of the FSA and IFSA is the protection of customer data, with strict provisions against unauthorized disclosure, as set out in Section 133(1) of the FSA and Section 145(1) of the IFSA. These sections prohibit anyone with access to customer information from disclosing it without proper authorization, with severe penalties for violations, including fines and imprisonment. Despite this, certain exceptions exist, allowing for disclosures under specific conditions set by Bank Negara Malaysia (BNM) as provided in Schedule 11 of the FSA and Section 134 of the FSA.
2. Permitted Disclosures under Schedule 11 of the FSA
Schedule 11 of the FSA provides a comprehensive list of exceptions under which customer information may be disclosed without breaching banking secrecy laws. One key provision allows financial institutions to disclose customer information when written permission is provided by the customer or their legal representative. This could be the executor or administrator in cases involving a deceased customer, or any other legal personal representative if the customer is incapacitated.
Disclosures are also permitted for legal and administrative purposes, such as applications for a Faraid certificate or letters of administration in relation to a deceased customer’s estate. Similarly, customer information may be disclosed in cases of bankruptcy or winding up processes, both within Malaysia and internationally. Information can also be shared in connection with legal proceedings, whether criminal or civil. For instance, disclosure may be necessary when financial institutions are involved in disputes over customer funds or when complying with a garnishee order. In these situations, the information may be disclosed to all parties required for the purpose of the proceedings. Another important exception under Schedule 11 involves disclosures made in response to orders from enforcement agencies for regulatory and supervisory purposes. For example, institutions may share information with entities such as the Securities Commission, the Inland Revenue Board of Malaysia, or relevant authorities abroad to facilitate compliance with both domestic and international legal requirements.
Even with these exceptions, financial institutions are required to ensure that disclosures are made prudently and only to the extent necessary.
3. Policy Document on Management of Customer Information and Permitted Disclosures
In 2023, BNM issued the Policy Document on Management of Customer Information and Permitted Disclosures (MCIPD) to provide further clarity and detailed guidance on handling customer information. The MCIPD is divided into three parts. Part A offers an overview, while Part B (Policy Requirements) applies to all financial service providers (FSPs), which are defined to include licensed banks, insurers, and takaful operators, and approved / registered operators of payment instruments, among others. The definition also extends to their directors and officers.
One significant introduction of the MCIPD is its detailed conditions to the permitted disclosures under Schedule 11 of the FSA, specifically stated in Part C (Specific Requirements on Permitted Disclosure), on how financial institutions should manage disclosures. This means that, even when disclosures are allowed under Schedule 11 of the FSA, they must still adhere to the guidelines set out by the MCIPD. Part C of the MCIPD applies specifically to financial institutions as defined under Section 131 of the FSA, Section 143 of IFSA and Section 3(1) of the Development Financial Institutions Act (DFIA).
The MCIPD provides a comprehensive definition of "customer information" as any data related to a customer, regardless of its form. Additionally, it outlines what constitutes a breach of customer information, encompassing any instance where customer data is compromised through theft, loss, misuse, unauthorized access, modification, or disclosure. This broad definition ensures that even if an FSP cannot immediately identify the specific customers affected by a breach, the incident must still be investigated and reported to the BNM. The FSP is required to assess the breach's nature and sensitivity and estimate the number of impacted customers. This approach guarantees that no breach goes unaddressed, even when the full extent of the compromised data is difficult to ascertain.
Another significant aspect of the MCIPD is its focus on unauthorized access within organizations. It specifies that if customer information is accessed by employees who do not require it for their roles, it constitutes a breach. The document mandates that each job function within an FSP must have a clearly defined role profile detailing access rights to customer information. Access controls must be rigorous, with necessary adjustments made when staff roles change or when employees leave.
4. Is Your Customer Consent Sufficient?
On the other hand, Part C of the MCIPD introduces stringent requirements for obtaining and managing customer consent, effective 1 January 2024. Financial institutions must ensure that consent meets four key conditions: specificity, voluntariness, explicitness, and revocability.
a) Specific
Consent forms must be clear and specific, with plain language used and legal jargon avoided. Financial institutions must clearly identify the recipients of the information, such as “business partners for promoting financial products,” and detail the purpose and types of information being shared. Vague terms like “as the financial institution deems fit” must be avoided.
b) Voluntary
Consent must be given freely, without any form of coercion. Customers should be given separate consent requests for different purposes, such as marketing or service provision, so that they can choose each option independently. For instance, pre-ticked boxes should be avoided and an active opt-in approach applied instead.
c) Explicit and Deliberate
Consent must be obtained through explicit and deliberate actions. Financial institutions are required to provide clear options for customers to either consent to or decline data sharing. For example, passive methods, such as pre-ticked boxes or assuming consent through inaction, are not permitted.
d) Revocable
Customers must be given the right to withdraw their consent at any time, and financial institutions must facilitate this process by clearly informing customers of their right to revoke consent and ensuring that any disclosures based on withdrawn consent are stopped as soon as possible, ideally within 7 days. It is also crucial to maintain comprehensive records of the consent process and any revocations to ensure compliance.
5. Insights from Cases
In My Home Budget Hotel Sdn Bhd v CIMB Bank Bhd [2021] MLJU 2780 (HC), the Plaintiff, a CIMB Bank customer, sued the bank’s Assistant Manager for disclosing bank statements to the claimant's solicitors without consent. The disclosure was made under subpoena to ascertain whether the Plaintiff's account had sufficient funds for issued cheques. The Court ruled that while confidentiality under the FSA, the Bankers’ Books Evidence Act 1949 (BBEA), and the Personal Data Protection Act (PDPA) is crucial, it must be balanced with the court’s need for evidence. The Assistant Manager’s duty of secrecy was found to be outweighed by the requirement to provide evidence under Section 132 of the Evidence Act 1950. Similarly, Protasco Bhd v. Tey Por Yee & Anor and Other Appeals [2021] 6 MLJ 1 (FC) illustrates that despite the importance of banking secrecy, it is not absolute. The Federal Court affirmed that banking documents relevant to legal proceedings can be disclosed, as Section 7 of the BBEA allows direct inspection of banking records without the procedural constraints of Order 24 of the Rules of Court 2012 (ROC). This ruling highlights that legal transparency may sometimes take precedence over confidentiality.
In contrast, OCBC Bank (M) Bhd v Prolink Marketing Sdn Bhd [2023] 2 MLJ 851 (COA) upholds the protection of customer confidentiality. The court ruled that OCBC Bank was prohibited from disclosing information about the respondent’s financial facilities without proper authorization, adhering to Section 133(4) of the FSA 2013. This case emphasizes the importance of maintaining confidentiality even when third-party inquiries arise, especially when these inquiries do not fall within any of the categories set out under Schedule 11 of the FSA and/or Part C of the MCIPD.
Finally, the case of National Feedlot Corporation Sdn Bhd & Ors v. Public Bank Bhd [2023] 10 CLJ 430 (COA) serves as a critical illustration of the consequences arising from unauthorized access to customer information. The plaintiffs alleged that their confidential banking information was improperly disclosed by a bank employee, leading to a legal battle over the breach of confidentiality. The central issue revolved around a clerk, Johari, who used an authorized officer’s user ID to print the plaintiffs' Customer Profile and Banking Statements (CP-BS) from his computer. It was determined that Johari’s unauthorized use of the officer's computer facilitated the breach, resulting in the Court of Appeal overturning the High Court's judgment and ruling in favor of the plaintiffs. The bank was found liable for breaching its duty of confidentiality, and the plaintiffs were awarded nominal damages along with RM500,000 in costs.
The case highlights the consequences of unauthorized access to customer information, a point discussed earlier in this article: the MCIPD provisions mandate that customer information be accessed solely by employees with a legitimate need based on their job roles. The case also emphasizes the necessity for financial institutions and their staff to remain vigilant and compliant with MCIPD provisions. For financial institutions, this means implementing strict and stringent access controls and ensuring staff awareness of their responsibilities regarding customer data. For employees, it is crucial to understand and adhere to these access guidelines to avoid unintentional breaches.
6. Conclusion
It is crucial for financial institutions and their employees to be fully aware of their rights and obligations under the laws and regulations. The National Feedlot Corporation case is particularly notable for reinforcing common law principles as established in Tournier v. National Provincial and Union Bank of England [1924] 1 KB 461, which outlined an implied duty of confidentiality within the banker-customer relationship, setting a precedent that is still relevant today. Financial institutions shall enforce strict policies and provide comprehensive training to their employees to ensure compliance with the MCIPD and FSA/IFSA provisions, while employees must clearly understand their roles and responsibilities in managing and disclosing customer information. Such vigilance in adherence to regulatory requirements is crucial in maintaining the relationship of trust between clients and bankers, and in safeguarding the integrity of the financial system.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Author
Noelle Low Pui Voon, Partner, Real Estate and Banking & Finance, Halim Hong & Quek, noelle.low@hhq.com.my
29 October 2024
Understand the Differences Between Cyber Security Incident Notification and Personal Data Breach Notification: A Strategic Guide for 2025
As the year draws to a close, legal, compliance, and regulatory teams are deep in preparations, strategy setting, and budgeting for 2025. In Malaysia, 2025 brings a series of significant regulatory shifts with the introduction of new compliance obligations, which will affect not only business operations externally but, more importantly, reshape internal processes within in-house legal departments.
Among these changes are two critical developments: the cyber security incident notification and personal data breach notification under the Cyber Security Act 2024 and the Personal Data Protection (Amendment) Act 2024. Both the Cyber Security Act 2024 and the Personal Data Protection (Amendment) Act 2024 have been gazetted and came into force this year. For in-house legal departments, understanding the differences between cyber security incident notifications and personal data breach notifications will be crucial in ensuring compliance and readiness moving forward. However, many organizations are still grappling with understanding the distinctions between these two types of notifications, raising questions about which companies will be impacted and how they should respond.
This article aims to clarify these differences and provide practical insights to help general counsels and legal teams align their compliance frameworks for 2025.
We will explore 6 key aspects that will allow companies to better understand the nuances of cyber security incident notification and personal data breach notification and tailor their internal processes accordingly.
1. Are Cyber Security Incident Notification and Personal Data Breach Notification the Same?
At first glance, the two notifications may seem interchangeable, often lumped together under the broad term “data breaches.” However, they are distinct obligations governed by different legislations, with separate procedural and substantive requirements.
● Cyber Security Incident Notification:
This requirement stems from the Cyber Security Act 2024, which was gazetted and came into force on 26 June 2024. It specifically addresses threats or disruptions to national critical information infrastructure (“NCII”).
● Personal Data Breach Notification:
This obligation arises under the Personal Data Protection (Amendment) Act 2024, which came into effect on 17 October 2024. It mainly pertains to the compromise, loss, or mishandling of personal data.
These notifications address different issues governed by separate laws, with varying compliance requirements, thresholds, and procedures. For general counsels and legal teams, understanding these foundational differences is critical, as the company’s internal response strategy will need to align accordingly.
2. Who Will Be Impacted by These Notifications?
One of the most important aspects to understand is which companies will be subject to these notification obligations:
● Cyber Security Incident Notification:
Contrary to what some may assume, the Cyber Security Act 2024 does not impose blanket cyber security incident notification obligations on all companies. Instead, the cyber security incident notification obligation applies only to organizations designated as NCII entities.
Under the Cyber Security Act 2024, NCII Leads are responsible for identifying and designating companies that operate or own NCII as NCII entities. While no companies have officially been designated as NCII entities at the time of writing, we understand that some companies have already received informal notifications that they may be subject to future designation. Companies must stay alert to their status, as being designated as an NCII entity will trigger cyber security incident notification obligations.
● Personal Data Breach Notification:
In contrast, the Personal Data Protection (Amendment) Act 2024 introduces broader applicability. The obligation applies to all “data controllers”, a new term replacing the previous concept of "data users."
A data controller is defined as an individual or organization who processes any personal data or has control over or authorizes the processing of any personal data. Given this broad definition, many companies will likely fall under the scope of the amended PDPA and will need to comply with personal data breach notification requirements.
3. What Constitutes a Cyber Security Incident or a Personal Data Breach?
● Cyber Security Incident Notification:
The Cyber Security Act 2024 defines a cyber security incident as:
“An act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cybersecurity of that computer or computer system or another computer or computer system.”
The key terms to note here are "jeopardize" and "adversely affects." These words help determine the level of materiality and seriousness that will qualify an event as a cyber security incident. Simply put, the act or activity must be serious enough to jeopardize or adversely affect the cyber security of the system in question for it to meet the legal definition and necessitate a notification.
However, while the law does not provide detailed guidance on the exact threshold of jeopardy or adverse effect, a strict reading of the definition suggests that the activity must meet a certain level of seriousness to fall within the scope of the definition and trigger the notification requirement. A reasonable interpretation may indicate that minor attempts at unauthorized access to the IT environment, if detected, prevented, and flagged by routine firewall operations, might not trigger the obligation to notify. In contrast, any successful bypass of the firewall by threat actors—particularly if it jeopardizes or adversely affects cybersecurity—should trigger the notification requirement, regardless of whether the threat is subsequently neutralized, whether the critical IT environment is accessed, or whether disruptions occur. As the regulatory landscape evolves, future regulations or guidelines may offer clearer benchmarks on the level of seriousness or materiality required to qualify as a reportable cybersecurity incident.
● Personal Data Breach Notification:
The Personal Data Protection (Amendment) Act 2024 does not provide a specific definition for "personal data breach." However, we can draw parallels from other jurisdictions for reference:
◦ EU’s General Data Protection Regulation (“GDPR”): A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
◦ Singapore’s Personal Data Protection Act 2012: A data breach includes “the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data, or the loss of any storage medium on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.”
While Malaysia has yet to issue detailed guidance on the scope of personal data breaches, it is reasonable to expect alignment with these international standards. Further guidance is anticipated from the relevant regulators to clarify the scope of personal data breach notifications.
4. What Actions Should Companies Take When Notification Obligations Are Triggered?
● Cyber Security Incident Notification:
As explained in our recent article (Responding to Cyber Security Incidents: The Strategic Guide for In-House Counsels Under Malaysia’s Cyber Security Act 2024 - HHQ), the Cyber Security Act 2024 requires NCII Entities to act swiftly when a cyber security incident occurs. The process involves three key steps:
Step 1: Immediate Notification Upon Discovery
Once the NCII Entity becomes aware that a cyber security incident has occurred or may have occurred, an authorised person must immediately notify the relevant authorities via electronic means. This first immediate official notification should be sent via email to cert@nc4.gov.my.
Step 2: Submission of Initial Information within 6 Hours
Within 6 hours of the NCII Entity becoming aware of the cyber security incident, the authorised person must submit information on the cyber security incident, including the type and description of the cyber security incident, and the severity of the cyber security incident.
Step 3: Supplementary Information within 14 Days
Within 14 days after the initial six-hour notification, the authorised person shall, to the fullest extent practicable, submit supplementary information, including the estimated number of hosts affected by the cyber security incident, the particulars of the cyber security threat actor, and the artifacts related to the cyber security incident.
● Personal Data Breach Notification:
For personal data breaches, the Personal Data Protection (Amendment) Act 2024 introduces a two-tier notification process:
Tier 1: Notifying the Commissioner:
If a data controller has reason to believe that a personal data breach has occurred, the data controller shall, as soon as practicable, notify the Commissioner.
Tier 2: Notifying Affected Data Subject:
Where the personal data breach causes or is likely to cause any significant harm to the data subject, the data controller shall notify the personal data breach to the data subject.
While the Personal Data Protection (Amendment) Act 2024 does not yet provide specific timelines for these notifications, we expect further guidance to be issued. Should Malaysia adopt an approach similar to Singapore's Personal Data Protection Act 2012, organisations may be required to notify the Commissioner within three calendar days.
5. Does an Incident Require Compliance with Both Notification Obligations?
A critical question for legal departments is whether a single event can trigger both cyber security incident and personal data breach notification obligations. The answer is yes, depending on the extent of the compromise or breach.
In the event of a hack or cyber attack that results in both a cyber security incident and a personal data breach, organisations classified as NCII Entities and data controllers will need to comply with both notification obligations. Given the complexities of responding to such incidents, it is vital for companies to develop clear implementation roadmaps and establish compliance frameworks that outline roles, responsibilities, policies, and procedures. A structured approach will ensure swift and effective responses when incidents arise.
6. What Are the Penalties for Non-Compliance?
The penalties for failing to comply with these notification obligations are severe.
● Cyber Security Act 2024:
NCII Entities that do not comply with the cyber security incident notification requirements may face fines of up to RM500,000, imprisonment of up to 10 years, or both.
● Personal Data Protection (Amendment) Act 2024:
Data controllers who fail to notify either the Commissioner or affected data subject may be fined up to RM250,000, imprisoned for up to 2 years, or both.
Given these severe penalties, companies must treat these obligations with utmost seriousness to avoid both financial and reputational risks.
Conclusion and Upcoming Event: Preparing for 2025
As companies prepare for 2025, understanding and implementing compliance measures for both cyber security incident notification and personal data breach notification will be critical. Failure to comply can result in severe financial and legal consequences, but with a structured plan in place, organisations can effectively navigate these new requirements.
To support this, we are pleased to announce that Halim Hong & Quek will be co-organising a Cyber Security Incident Simulation Summit in collaboration with S-RM this November. This event will provide practical insights into managing and responding to cyber security incidents effectively under the legal framework of the Cyber Security Act 2024.
By understanding the nuances between cyber security incident notification and personal data breach notification, general counsels and compliance teams will be better positioned to navigate the regulatory challenges of 2025. Now is the time to act, align strategies, and ensure your compliance frameworks are ready for the new regulatory era ahead.
For tailored advice and assistance in navigating this new cyber security framework, our Technology Practice Group is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance; johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity; ky.lo@hhq.com.my
22 October 2024
Responding to Cyber Security Incidents: The Strategic Guide for In-House Counsels Under Malaysia's Cyber Security Act 2024
One of the most impactful legislative developments in Malaysia this year is undoubtedly the Cyber Security Act 2024. With its official implementation on 26 August 2024, the cyber security regulatory framework has transitioned from being merely a buzzword to a crucial area of compliance that organizations must prioritize. This new regulatory layer introduces additional challenges for in-house legal departments, which require immediate and strategic attention.
While many general counsels and in-house legal teams are aware that the Cyber Security Act 2024 imposes stringent cyber security incident notification obligations on National Critical Information Infrastructure (“NCII”) entities, there remains some uncertainty regarding the precise steps to take when managing and responding to a cyber security incident. The aim of this article is therefore straightforward: to provide a practical and actionable guide for general counsels and in-house lawyers, outlining exactly how to act and respond in the event of a cyber security incident.
When Does the Cybersecurity Incident Notification Obligation Arise?
Before exploring the practical steps, it is essential to establish the circumstances under which the cyber security incident notification obligation arises and to understand what qualifies as a cyber security incident.
Under the Cyber Security Act 2024, the cyber security notification obligation arises under two scenarios:
1. When it comes to the knowledge of the NCII Entity that a cyber security incident in respect of the NCII has occurred; or
2. When it comes to the knowledge of the NCII Entity that a cyber security incident in respect of the NCII might have occurred.
It is crucial to emphasize that in both cases, whether the cyber security incident has occurred or is merely suspected, the Cyber Security Act 2024 imposes a duty to notify. This reflects the proactive stance of the law in ensuring timely responses to potential cyber security incidents before they escalate further.
What Exactly Constitutes a Cyber Security Incident?
One of the most common questions that follows is: What exactly constitutes a cyber security incident? This is a crucial consideration, as it determines when the cyber security notification obligation is triggered.
The Cyber Security Act 2024 defines a cyber security incident as, "an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cybersecurity of that computer or computer system or another computer or computer system."
The key terms to note here are "jeopardize" and "adversely affects." These words help determine the level of materiality and seriousness that will qualify an event as a cyber security incident. Simply put, the act or activity must be serious enough to jeopardize or adversely affect the cyber security of the system in question for it to meet the legal definition and necessitate a notification.
However, while the law does not provide detailed guidance on the exact threshold of jeopardy or adverse effect, a strict reading of the definition suggests that the activity must meet a certain level of seriousness to fall within the scope of the definition and trigger the notification requirement. A reasonable interpretation may indicate that minor attempts at unauthorized access to the IT environment, if detected, prevented, and flagged by routine firewall operations, might not trigger the obligation to notify. In contrast, any successful bypass of the firewall by threat actors—particularly if it jeopardizes or adversely affects cybersecurity—should trigger the notification requirement, regardless of whether the threat is subsequently neutralized, whether the critical IT environment is accessed, or whether disruptions occur. As the regulatory landscape evolves, future regulations or guidelines may offer clearer benchmarks on the level of seriousness or materiality required to qualify as a reportable cybersecurity incident.
Three Practical Steps for General Counsels in the Event of a Cybersecurity Incident
With a clear understanding of when the notification obligation will be triggered and what constitutes a cyber security incident, we now present a three-step guide for general counsels and in-house lawyers to follow in the event of such an incident.
Step 1: Immediate Notification Upon Discovery
Once the NCII Entity becomes aware that a cyber security incident has occurred or may have occurred, an authorised person must immediately notify the relevant authorities via electronic means. This first immediate official notification should be sent via email to cert@nc4.gov.my.
It is important to highlight that only an authorised person of the NCII Entity may issue the notification. But who qualifies as an authorised person? According to the Cyber Security Act 2024, an NCII Entity has 21 days from its designation as an NCII Entity to appoint and submit the details of three authorised persons. These individuals must include:
• One management-level individual that is responsible for overseeing cyber security strategy, risk management, threat detection, and incident response and recovery.
• Two operational-level individuals that are tasked with handling responses to cyber security incidents.
This means that in the event of a cyber security incident, one of these three authorised persons must promptly notify the authorities as soon as the incident is discovered.
Step 2: Submission of Initial Information within 6 Hours
Within 6 hours of the NCII Entity becoming aware of the cyber security incident, the authorised person must submit the following particulars of information:
i. The particulars of the authorised person;
ii. The particulars of the NCII Entity, the NCII sector and the NCII lead to which it relates; and
iii. Information on the cyber security incident, including the type and description of the cyber security incident, the severity of the cyber security incident, the date and time of the occurrence of the cyber security incident is known, and the method of discovery of the cyber security incident.
Step 3: Supplementary Information within 14 Days
Within 14 days after the initial six-hour notification, the authorised person shall to the fullest extent practicable submit the following supplementary information:
i. the particulars of the national critical information infrastructure affected by the cyber security incident;
ii. the estimated number of hosts affected by the cyber security incident;
iii. the particulars of the cyber security threat actor;
iv. the artifacts related to the cyber security incident;
v. the information on any incident relating to, and the manner in which such incident relates to, the cyber security incident;
vi. the particulars of the tactics, techniques and procedures of the cyber security incident;
vii. the impact of the cyber security incident on the national critical information infrastructure or any computer or interconnected computer system; and
viii. the action taken.
Seriousness of the Cyber Security Incident Notification Obligation
NCII Entities must approach the cyber security incident notification obligation with utmost seriousness, as non-compliance carries severe penalties. Upon conviction, entities may face fines of up to RM500,000, imprisonment for up to 10 years, or both.
However, compliance with the notification requirement is more than a mere formality. The submission of the notification and incident report has far-reaching implications, as authorities could also scrutinize these reports to assess the NCII Entity’s overall compliance with the Cyber Security Act 2024, including adherence to the prescribed code of practice and best practice guidelines for managing cyber security. A poorly prepared or mishandled incident report can expose the NCII Entity to deeper regulatory scrutiny, potentially uncovering additional compliance breaches beyond the initial incident. These incident reports are therefore not merely procedural requirements; they carry significant legal and regulatory weight.
Given the complexity and importance of these obligations, NCII Entities are advised to work closely with external counsel familiar with cyber security law, particularly during a cyber security incident. Experienced external counsel can provide critical guidance, ensure the company navigates the notification process correctly, and safeguard the NCII Entity from potential legal and regulatory risks.
For tailored advice and assistance in navigating this new cyber security framework, our Technology Practice Group is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance; johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity; ky.lo@hhq.com.my
Nicole Shieh E-Lyn, Associate; Technology, Media & Telecommunications (“TMT”), TMT Disputes; nicole.shieh@hhq.com.my
21 October 2024
Combating Greenwashing: The Launch of the National Sustainable Reporting Framework (NSRF)
In recent years, Environmental, Social, and Governance (ESG) principles have gained significant traction globally, and Malaysia is no exception. As businesses and investors increasingly recognize the importance of sustainable practices, Malaysia has taken proactive steps to integrate ESG considerations into its corporate and financial sectors. This commitment is evident in the introduction of the National Sustainable Reporting Framework (NSRF) in 2024, a key initiative designed to enhance transparency and combat greenwashing.
The National Sustainable Reporting Framework (NSRF) marks a pivotal step in the fight against greenwashing in Malaysia. This new framework introduces comprehensive measures designed to enhance the reliability of sustainability disclosures, ensuring that companies are held accountable for their environmental claims. Here’s how the NSRF aims to make a difference:
1. Standardized Sustainability Reporting
At the core of the NSRF is the adoption of the IFRS Sustainability Disclosure Standards (S1 and S2) established by the International Sustainability Standards Board (ISSB). This standardization ensures that companies disclose sustainability information in a consistent, comparable, and reliable manner. By creating a uniform reporting framework, the NSRF makes it more difficult for businesses to exaggerate or fabricate their environmental claims.
2. External Assurance Requirements
To further bolster trust in sustainability reports, the NSRF mandates independent verification of claims. Starting in 2027, companies will need to have their greenhouse gas (GHG) emissions, particularly Scope 1 and Scope 2, independently verified. This external assurance enhances the credibility of disclosed data, significantly reducing the likelihood of greenwashing and ensuring that companies are held accountable for their environmental impacts.
3. Focus on Climate-related Disclosures
The NSRF emphasizes the importance of climate-related disclosures, encouraging companies to prioritize the most significant risks and opportunities within their business segments. This focus ensures that sustainability efforts reported by companies align with their actual operations and impacts, minimizing the risk of selective reporting that highlights only favorable information.
4. Phased Adoption and Capacity Building
Recognizing the challenges companies may face in adjusting to new reporting requirements, the NSRF adopts a phased approach to implementation. This gradual rollout provides businesses with the necessary time to align their operations and reporting processes. Additionally, the NSRF offers resources such as PACE (Policy, Assumptions, Calculators, and Education) to assist companies in making accurate and transparent disclosures, further discouraging greenwashing practices.
Conclusion
By mandating transparency, accountability, and external verification, the NSRF establishes a framework where sustainability reports are rooted in genuine actions rather than mere marketing rhetoric. This comprehensive approach positions the NSRF as a vital tool in combating greenwashing and promoting authentic corporate sustainability efforts. As businesses embrace these new standards, the path toward a more sustainable future becomes increasingly credible and achievable.
Stay informed about how these developments unfold and their implications for sustainable practices in the corporate world!
About the author
Sharifa Nurliliyana binti Abd Karim, Senior Associate, Banking & Finance and Real Estate, Halim Hong & Quek; sharifa@hhq.com.my
16 October 2024
Telco Tower Acquisitions and Investments: Issues to Pay Attention to During Due Diligence
With the Malaysian government actively executing the nationwide 5G rollout, there has been a general uptick in activity in the telecommunication tower industry. For the 5G network to have nationwide coverage, more telecommunication towers need to be erected across the country. The increase in demand for telecommunication towers has attracted investment into the industry, prompting both the consolidation of many smaller telco tower operators and the acquisition of telco tower assets and companies by institutional investors.
In this article, we are going to take a look at the top four (4) potential issues to take note of for investors looking to invest in the Malaysian telco industry.
1. Valid and Subsisting Network Facilities Provider Licence
Telco tower operators in Malaysia are required to secure a network facilities provider (“NFP”) licence from the Malaysian Communications and Multimedia Commission before they can own and operate any telco towers. Each NFP licence is typically valid for five (5) years, and is renewable subject to the payment of renewal fees. It is thus important for any investor to verify that the target company’s NFP licence is still valid and subsisting, and that all the conditions stated thereunder are being complied with and observed by the target company. Conditions imposed under an NFP licence include foreign and Bumiputera shareholding requirements, contributions to the Universal Service Provision fund, payment of annual licence fees, limitations on the type of facilities approved, and so forth.
2. Having the Appropriate Permit for Each Tower
In Malaysia, the erection of any telco tower is subject to the issuance of a building permit by the relevant municipal or local authority. Essentially, the telco operator is supposed to have applied for and received a building permit for each telco tower at its respective site before erecting it. Any telco tower that has been erected illegally may expose the company to a financial penalty from the local authorities or, worse, be subject to a demolition notice. The application for a building permit with the municipal or local authorities can be a tedious and slow process, which is why many telco operators tend to erect the telco towers while the application process is still underway. Before undertaking any investment in a telco tower company, it is crucial to verify the number of telco tower sites that are operating without any permits and assess the likelihood of permits being issued for these sites in the future, so that appropriate conditions or risk mitigations can be put in place in the transaction documents to protect the interests of the investors.
3. Thorough Review of the Site Tenancy Agreements
The sites on which telco towers are erected are usually occupied by the telco tower companies under tenancy or lease agreements with the land or property owners. During legal due diligence, it is also important for investors to ensure that each telco tower site is occupied under a valid and subsisting tenancy or lease agreement. From time to time, some land owners may include a rental “step up” mechanism in the tenancy or lease agreement to allow a fixed percentage of rental increment every 3 to 5 years. It is thus imperative that investors take this into consideration when calculating the tower cash flow of the telco tower portfolio of a target company.
4. Thorough Review of the Tower Licence Agreements
Telco towers are usually licensed to telco operators or network service providers (“NSPs”) so that they can install their network equipment on the tower structures. The licences are typically firmed up under licence agreements or access agreements, which allow the telco tower company to collect monthly licence fees from the licensee. Due to space constraints, each telco tower can typically host up to three (3) or four (4) sets of network equipment from different telco operators or NSPs. The industry practice is for there to be a licence fee “step down” mechanism whenever there is an increase in the number of collocators on the same tower, resulting in fluctuations in the receivables of the telco tower company for each tower. These fluctuations in the tower licence fees directly impact the target company’s tower cash flow, so careful assessment of the number of sets of equipment on each tower is required.
Acquisition or investment into an existing telco tower portfolio or company can be expensive depending on the size of the telco tower portfolio. We cannot stress enough the importance of a thorough legal due diligence on the target company or portfolio to be acquired. Risks and irregularities need to be identified and flagged accordingly during the due diligence process so that effective deal structuring and appropriate risk mitigation can be done to protect the interests of the investors or purchasers.
The Technology Practice Group at HHQ frequently works with companies from the telco industry on matters ranging from regulatory compliance to commercial transactions. We are equipped with the necessary skillsets and industry knowledge to assist you in your telco-related matters. Please do not hesitate to reach out to the partners and heads of the Technology Practice Group for more enquiries.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity; ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance; johnson.ong@hhq.com.my
8 October 2024
Assessing High-Risk AI Systems Under the EU AI Act: A Practical Four-Step Guide for General Counsels
Identifying High-Risk AI Systems: A Step-by-Step Guide for General Counsels
In our previous article, “8 Prohibited AI Practices Under the EU AI Act You Must Know: Are Your AI Systems at Risk?”, we provided an in-depth discussion on the types of AI practices that will be prohibited under the EU AI Act, which is set to be implemented on 2 February 2025. We were also privileged to be invited by BFM to further explore some of these prohibited AI practices, and if you are interested, you can listen to the full discussion.
Building on our previous discussion of prohibited AI practices, this article will now explore another critical element of the EU AI Act, which is high-risk AI systems. The EU AI Act adopts a risk-based approach to regulating AI, classifying AI systems into several tiers: prohibited AI practices, high-risk AI systems, and General-Purpose AI Models, with lower or minimal risk. Unlike prohibited AI systems, which are outright banned, high-risk AI systems are even more relevant to most organizations, as they are often embedded within various AI applications.
Given the complexity and extensive regulatory requirements associated with high-risk AI systems, this article aims to provide general counsels with a practical guide on how to conduct an internal assessment of whether your AI systems fall under the high-risk category. Once classified as high-risk, there are specific obligations that organizations need to fulfill, depending on whether they act as providers, deployers, importers, or distributors of these AI systems.
Step 1: Is the AI System Covered by the Union Harmonization Legislation?
The first step in assessing whether an AI system is considered high-risk is to verify if it falls within the scope of the Union harmonisation legislation listed in Annex I of the EU AI Act. This legislation covers specific product categories, and AI systems that are either (i) one of these products or (ii) intended to be used as a safety component in these products are subject to stricter regulatory oversight.
1. Machinery
2. Toys
3. Watercraft
4. Lifts
5. Explosives
6. Radio equipment
7. Pressure equipment
8. Cableways
9. Personal protective equipment
10. Gas appliances
11. Medical devices
12. Civil aviation
13. Vehicles
14. Marine equipment
15. Rail systems
Step 2: Assess the Need for Third-Party Conformity Assessment
If your AI system is either a product or a safety component in one of the products listed above, the next key question is whether that product is required to undergo a third-party conformity assessment before being placed on the market, as mandated by EU harmonisation legislation.
If the answer is yes, then the AI system is automatically classified as a high-risk AI system.
If the AI system is not a product listed in Annex I or does not serve as a safety component for such products, or if the product does not require a third-party conformity assessment, your assessment does not end there, and you should move to step 3.
Step 3: Review Annex III for Additional High-Risk AI Systems
Even if the AI system does not meet the criteria from Steps 1 and 2, it may still be categorized as high-risk if it falls under one of the AI systems listed in Annex III of the EU AI Act. Annex III outlines 8 types of high-risk AI systems:
1. Biometrics AI Systems – These include biometric AI systems that are not prohibited. It encompasses: (i) remote biometric identification systems (excluding biometric AI systems used solely for biometric verification and authentication purposes, such as unlocking devices or granting access to premises); (ii) AI systems used for biometric categorisation according to sensitive attributes or characteristics; or (iii) emotion recognition AI systems.
2. Critical Infrastructure AI Systems – These are AI systems intended for use as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating, or electricity. Critical infrastructure AI systems are considered high-risk because their failure or malfunction may endanger the life and health of individuals on a large scale and lead to significant disruptions in the normal conduct of social and economic activities. Examples of safety components of such critical infrastructure may include systems for monitoring water pressure or fire alarm control systems in cloud computing centres.
3. Education and Vocational Training AI Systems – These AI systems are intended to: (i) determine access or admission to education or vocational training institutions; (ii) evaluate learning outcomes; (iii) assess the level of education an individual will receive or be able to access; or (iv) monitor and detect prohibited behaviour of students during tests. These are categorised as high-risk AI systems because they may influence the educational and professional trajectory of a person’s life, affecting their ability to secure a livelihood. When improperly designed or used, such systems can be particularly intrusive and may violate the right to education and training.
4. Employment AI Systems – This includes AI systems used: (i) in the recruitment process, such as targeted job advertisements, job application filtering, and candidate evaluation; or (ii) to make work-related evaluations that affect employment relationships, such as promotion, termination, task allocation, or performance assessment. These systems are considered high-risk because they can significantly impact future career prospects, livelihoods, and workers’ rights.
5. Private and Public Service and Benefit Access AI Systems – This includes AI systems intended to: (i) evaluate the eligibility of individuals for public assistance benefits and services; (ii) assess a person’s creditworthiness; (iii) perform risk assessment and pricing for life and health insurance; or (iv) evaluate and classify emergency calls or establish priorities in dispatching emergency first-response services. These systems are classified as high-risk because they are often used by individuals in vulnerable positions, dependent on these benefits and services.
6. Law Enforcement AI Systems – These AI systems are intended for: (i) assessing the risk of a person becoming a victim of criminal offenses; (ii) being used as polygraph tools; (iii) evaluating the reliability of evidence during investigations or prosecutions; (iv) assessing the risk of a person committing or re-committing a crime, based on factors other than personal profiling, such as personality traits or past criminal behaviour; or (v) profiling individuals in the detection, investigation, or prosecution of criminal offenses. These systems are high-risk because they may unjustly single out individuals in a discriminatory or otherwise incorrect manner. Furthermore, their use could undermine important procedural rights, such as the right to an effective remedy, a fair trial, the right of defence, and the presumption of innocence.
7. Immigration AI Systems – These AI systems are used in migration, asylum, and border control management for: (i) polygraphs or similar tools; (ii) assessing risks, such as security risks, irregular migration risks, or health risks of individuals; (iii) assisting authorities in examining applications for asylum, visas, or residence permits, including eligibility assessments and evaluating the reliability of evidence; or (iv) detecting, recognising, or identifying individuals in migration or border management processes, excluding travel document verification. These systems are classified as high-risk because they affect individuals in particularly vulnerable situations who depend on the decisions of competent public authorities. The accuracy, non-discriminatory nature, and transparency of these AI systems are especially crucial to ensure respect for the fundamental rights of affected persons, including free movement, non-discrimination, privacy, international protection, and good administration.
8. Administration of Justice and Democratic AI Systems – This includes AI systems intended for: (i) use by or on behalf of judicial authorities to research and interpret facts and law, and apply the law to those facts, or for similar use in alternative dispute resolution; or (ii) influencing the outcome of elections or referenda, or the voting behaviour of individuals exercising their right to vote. These systems are high-risk because of their potential impact on the fundamental processes of justice and democracy.
If your AI system falls into one of these categories, it is automatically classified as high-risk. However, this does not conclude the assessment. You should proceed to step 4, where it is essential to evaluate whether the high-risk presumption can be rebutted.
Step 4: Assessing the Impact on Health, Safety, and Fundamental Rights
The 8 types of AI systems referred to in Annex III are generally categorized as high-risk. However, this presumption can be rebutted if the AI systems do not pose a significant risk of harm to the health, safety, or fundamental rights of individuals, including not materially influencing decision-making outcomes. The following four exceptions provide a basis for rebuttal:
1. The AI system is intended to perform a narrow procedural task, such as transforming unstructured data into structured data, classifying incoming documents into categories, or detecting duplicates among a large number of applications.
2. The AI system is intended to improve the result of a previously completed human activity, such as AI systems intended to improve the language used in previously drafted documents, for example, improving professional tone, academic style, or aligning text with certain brand messaging.
3. The AI system is intended to detect decision-making patterns from prior decision-making instances and is not meant to replace or influence the previously completed human assessment, without proper human review.
4. The AI system is intended to perform preparatory tasks for assessments relevant to the use cases listed in Annex III, such as smart solutions for file handling, which may include various functions like indexing, searching, text and speech processing, or linking data to other data sources.
If the AI systems referenced in Annex III can demonstrate that they do not pose a significant risk of harm to health, safety, or fundamental rights—specifically, that they do not materially influence decision-making outcomes—by satisfying the aforementioned exceptions, they will not be classified as high-risk AI systems.
Conversely, if these AI systems fail to meet the criteria for rebuttal, they will be considered high-risk.
Flowchart for Simplifying the Internal Assessment Process
We understand that determining whether an AI system is classified as high-risk under the EU AI Act is a complex undertaking that necessitates a structured and methodical approach. Therefore, to aid general counsels in conducting a preliminary internal self-assessment of their AI systems, we have developed a visual flowchart below.
The flowchart below serves as a practical internal guide for evaluating whether an AI system falls into the high-risk category. While this tool is beneficial for initial assessments, it is important to note that it may not encompass the full depth of a comprehensive legal audit.
Core Requirements for High-Risk AI Systems
Once an AI system is classified as “high-risk” under the EU AI Act, such AI systems must comply with seven core requirements specified in the legislation. These requirements encompass critical areas such as:
(i) risk management systems
(ii) data governance
(iii) technical documentation
(iv) record keeping
(v) transparency
(vi) human oversight
(vii) accuracy, robustness, and cybersecurity
Given the length of this article, we will delve into each of these seven core requirements and the corresponding legal obligations for various stakeholders within the AI value chain, whether you are a provider, deployer, distributor, manufacturer, or importer of a high-risk AI system, in subsequent articles. Understanding these distinct compliance measures is essential for ensuring that your organization meets its obligations under the EU AI Act.
Implementation Timeline and Penalties
The EU AI Act officially came into force on 1 August 2024; however, its implementation will occur in stages. As outlined in our previous article, the enforcement of prohibited AI practices will commence on 2 February 2025, while the requirements for high-risk AI systems will take effect on 2 August 2026. This extended timeline for high-risk AI systems reflects the significant obligations that organizations will need to meet.
It is important to recognize that non-compliance with the requirements for these high-risk AI systems can result in substantial penalties, including fines of up to €15 million or 3% of global revenue. Therefore, organizations must prepare adequately to ensure compliance and mitigate risks associated with these new regulations.
The Technology Practice Group at Halim Hong & Quek is well-versed in technology law, including the EU AI Act, and we are currently providing training to multinational corporations in Malaysia on this subject. Should you require assistance or wish to schedule a more detailed discussion to ensure compliance, please let us know.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance; johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group; Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity; ky.lo@hhq.com.my
Jerrine Gan Jia Lynn, Pupil-in-Chambers, Technology Practice Group; jerrine.gan@hhq.com.my
23 September 2024
Top 10 FAQs on Licensing for Cyber Security Service Providers Under the Cyber Security Act 2024
With the enforcement of the Cyber Security Act 2024, one of the key concerns is the licensing requirements for cyber security service providers.
According to the latest information published by the National Cyber Security Agency (“NACSA”), licensing applications for cyber security service providers will officially commence on 1 October 2024, which is just around the corner. Despite the urgency and tight deadlines, confusion persists in the market about who needs to apply for a license, what is actually defined as cyber security service, and the consequences of non-compliance.
Therefore, this article seeks to address the top 10 most frequently asked concerns regarding the cyber security service provider licensing requirement.
1. When Can Cyber Security Service Providers Apply for a License, and Is There a Grace Period?
The first question on the minds of many in the industry is when exactly they can apply for the license and whether there is a grace period for obtaining one. The licensing application will formally begin on 1 October 2024, and there will indeed be a three-month grace period ending on 31 December 2024.
During this grace period until 31 December 2024, cyber security service providers may continue to operate without a license. However, once the grace period lapses on 1 January 2025, it will be unlawful to offer cyber security services without the necessary licensing in place.
2. Who Needs to Apply for the Cyber Security Service Provider License?
The next question is: “Who exactly needs to apply for a cyber security service provider license?” The Cyber Security Act 2024 is unequivocally clear on this matter—any company that intends to (i) provide any cyber security service or (ii) advertise itself as a cyber security service provider is required to obtain a cyber security service provider license.
This straightforward provision ensures that there is no ambiguity and leaves little room for interpretation—whether you are actively delivering cyber security services or merely advertising that you are providing cyber security services, a license will be mandatory.
3. What Exactly Constitutes a "Cyber Security Service"?
A natural follow-up question is what exactly constitutes a "cyber security service."
The term “cyber security service” can be broad, and therefore, the Cyber Security Act 2024 narrows down the focus, making it clear that the cyber security service license is applicable only to two specific types of services:
1. Managed Security Operation Centre Monitoring Services, and
2. Penetration Testing Services.
Managed Security Operation Centre Monitoring Service
Managed security operation centre monitoring service refers to the monitoring of cyber security levels to identify or detect cyber security threats, determine the necessary measures to respond to or recover from any cyber security incidents, and prevent such incidents from occurring in the future.
Penetration Testing Service
Penetration testing service involves assessing, testing, or evaluating the level of cyber security. It includes the following activities:
• Determining cyber security vulnerabilities and demonstrating how these vulnerabilities may be exploited;
• Testing the organization’s ability to identify and respond to cyber security incidents through simulated attempts to penetrate its cyber security defenses;
• Identifying and measuring cyber security vulnerabilities, preparing appropriate mitigation procedures to eliminate or reduce these vulnerabilities to an acceptable level of risk; or
• Utilizing social engineering techniques to assess the level of an organization’s vulnerability to cyber security threats.
In essence, any company that provides either managed security operation centre monitoring services or penetration testing services, as described above, will need to obtain a cyber security service provider license.
4. Can a Cyber Security Service Provider Offer Both Services? Do They Need Separate Licenses?
The fourth question often posed is whether a cyber security service provider can offer both managed security operation centre monitoring services and penetration testing services, and whether separate licenses are required for each.
The answer is yes. A cyber security service provider can concurrently offer both managed security operation centre monitoring services and penetration testing services, and only one license is necessary for both services. However, if the initial application covers only one type of cyber security service—say, managed security operation centre monitoring services—then the company would need to apply for another license if it later intends to offer penetration testing services.
Hence, if a company plans to provide both types of services, it is advisable to apply for both in the same license to avoid unnecessary complications down the line.
5. Do Subcontractors or Third-Party Providers to the Main Contractor Require an Independent License?
A common scenario in the cyber security sector involves service providers fulfilling their contractual obligations through subcontractors or third parties. This raises a critical question: Do subcontractors or third parties providing cyber security services on behalf of a main contractor also need to be licensed?
The answer is yes. If a subcontractor or third-party provider delivers cyber security services on behalf of a main contractor, they are required to obtain an independent license. This requirement ensures that all entities directly involved in the provision of cybersecurity services are appropriately regulated, maintaining the integrity and security standards envisioned by the Act.
6. Is a License Required if the Cyber Security Service is Only Provided to Related Companies?
Another area of concern is whether a company providing cyber security services exclusively to its related companies is required to obtain a license.
The answer depends on the nature of the service provision. If the company offers cyber security services solely to its related companies, such as its holding company, subsidiaries, or fellow subsidiaries under the same holding company, it is not required to obtain a license. However, if the company intends to extend its services beyond this intra-group structure to other companies, a license becomes mandatory.
Typically, the term "related company" refers to companies within the same corporate group, including the holding company, any subsidiary, or a subsidiary of the holding company.
7. Is a License Required if the Cyber Security Service is Only Provided to Overseas Companies?
The next question is whether a cyber security service provider needs a license if it only provides services to companies located outside Malaysia.
The licensing requirement hinges on the location of the service recipients. If the cybersecurity service provider exclusively serves companies located overseas, there is no need to apply for a license. However, if the service provider offers cyber security services to companies located both overseas and within Malaysia, a license will be required.
8. Do Foreign Cyber Security Service Providers Require a License if They Have Already Obtained a License from a Different Jurisdiction?
Another frequently asked question is whether foreign companies that have already obtained a cybersecurity license from another jurisdiction need to apply for a Malaysian license.
The simple answer is yes—if a foreign company intends to provide cyber security services to companies in Malaysia, it must obtain a local license, regardless of whether it already holds a license in another jurisdiction. However, there is an exception: If the foreign company provides cyber security services solely to its related company registered in Malaysia, it would not require a separate license, as it is only serving its intra-group counterpart.
9. How Will Companies Know if a Cyber Security Service Provider is Licensed?
To facilitate transparency and compliance, NACSA will publish a list of licensed cyber security service providers on its licensing portal once the approval process is completed. This list will serve as a reference for companies seeking to engage legitimate and authorized service providers.
It is advisable for companies to verify the licensing status of their potential cyber security partners to mitigate any risks associated with engaging unlicensed providers.
10. What are the Consequences of Non-Compliance for Providing Cyber Security Services Without a License?
The consequences of non-compliance with the licensing requirements under the Cyber Security Act 2024 are severe. Any person found providing cybersecurity services without the required license may, upon conviction, be liable to a fine not exceeding RM500,000, imprisonment for a term not exceeding 10 years, or both.
Such stringent penalties highlight the critical importance of adhering to the licensing requirements and should serve as a wake-up call for all cyber security service providers to ensure compliance.
Conclusion
The message is loud and clear: all cyber security service providers must comply with the Cyber Security Act 2024 and its licensing requirements. With the application process set to begin on 1 October 2024 and a three-month grace period provided, it is imperative that all cyber security service providers familiarize themselves with the application procedures.
For those who require assistance with the application process or have questions about the new regulatory landscape, our Technology Practice Group is ready to provide the necessary support and guidance to ensure compliance. Please do not hesitate to reach out to us should you require assistance with the application process or need further advice on compliance with the Cyber Security Act 2024.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my
12 September 2024
Malaysia's Cyber Security Legal Landscape: Mandatory Compliance or Severe Penalties
Starting from 26 August 2024, the highly anticipated Cyber Security Act 2024 (“Act”), along with four other key regulations, officially comes into force, marking the beginning of a new era in Malaysia's cybersecurity legal landscape. This significant legislative development sets the stage for a strengthened regulatory framework aimed at protecting critical national infrastructure and enhancing the resilience of Malaysia's cyberspace.
This article provides a comprehensive overview for general counsels, outlining the key elements of the new legal regime, with a particular focus on the designation of National Critical Information Infrastructure (“NCII”) sectors and the roles and responsibilities of NCII Leads and NCII Entities under the Act, alongside the licensing requirements for cyber security service providers.
Key Regulations in Force Alongside the Cyber Security Act 2024
First and foremost, it is important to recognize the four key regulations that were enacted simultaneously with the Act on 6 August 2024:
1. Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024: Defines the mandatory timelines for conducting cyber security risk assessments and audits, ensuring that organizations remain vigilant and proactive in identifying and mitigating cyber risks.
2. Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024: Establishes the requirements for obtaining a license to operate as a cyber security service provider in Malaysia, aiming to standardize the quality of cyber security services provided.
3. Cyber Security (Compounding of Offences) Regulations 2024: Outlines the process and conditions under which certain cyber security related offenses may be compounded, providing a mechanism for resolving infractions without resorting to lengthy legal proceedings.
4. Cyber Security (Notification of Cyber Security Incident) Regulations 2024: Stipulates the mandatory reporting requirements for cyber security incidents, ensuring that authorities are promptly informed of any threats or breaches, enabling a coordinated response to mitigate damage.
What is the Cyber Security Act 2024 About?
When we provide legal training to our clients on the Act, one of the most frequently asked questions is, “What is the Cyber Security Act 2024 about?” At its core, the Act and its accompanying regulations are designed to govern four key aspects of Malaysia's cybersecurity framework:
1. Establishment and Governance of 11 NCII Sectors: The Act identifies 11 sectors designated as NCII sectors, which are critical to the nation’s security and economic stability.
2. Obligations of NCII Leads: The Act outlines the specific duties and responsibilities for NCII Leads—those entities designated to oversee cybersecurity measures within the NCII sectors.
3. Obligations of NCII Entities: It also specifies the obligations for individual NCII Entities, which are organizations that own or operate NCII.
4. Licensing Requirements for Cyber Security Service Providers: Lastly, the Act introduces a licensing regime for cybersecurity service providers to ensure a high standard of cyber security practices and compliance.
The sections that follow will provide a deeper analysis of each of these four aspects.
What is NCII and What are the 11 NCII Sectors?
The concept of NCII is central to the Act, and NCII is defined as “a computer or computer system which, if disrupted or destroyed, would have a detrimental impact on the delivery of any service essential to the security, defense, foreign relations, economy, public health, public safety, or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out their functions effectively.”
In simpler terms, NCII refers to the backbone of the nation’s essential services—those computer systems and networks that, if disrupted, could severely impact the country's safety, economy, and government operations. Protecting these critical infrastructures from cyber threats is paramount to ensuring Malaysia’s national security and public welfare.
The 11 NCII sectors designated under the Act are as follows:
1. Government
2. Banking and Finance
3. Transportation
4. Defense and National Security
5. Information, Communication, and Digital
6. Healthcare Services
7. Water, Sewerage, and Waste Management
8. Energy
9. Agriculture and Plantation
10. Trade, Industry, and Economy
11. Science, Technology, and Innovation
These sectors represent the foundational pillars upon which the nation's security and stability depend. By designating these sectors as NCII, the Act seeks to ensure that adequate measures are in place to safeguard critical infrastructure against cyber threats.
Appointment of NCII Leads
For each of the 11 designated NCII sectors, the Act empowers the Minister to appoint any government entity or person as the NCII Lead.
The Act allows the Minister to appoint more than one NCII Lead for each sector, providing flexibility to address the diverse needs and complexities inherent within each sector. The names of the appointed NCII Leads will be published on the official website of the National Cyber Security Agency, ensuring transparency and public awareness.
Key Responsibilities of NCII Leads
The Act outlines five key responsibilities for NCII Leads, focusing on the effective management and security of NCII within their designated sectors:
1. Designate NCII Entities: The NCII Lead is responsible for designating companies that own or operate NCII within their sector as NCII Entities. This designation ensures that entities critical to the sector's functioning are identified and subject to the regulatory requirements under the Act.
2. Prepare Code of Practice: Each NCII Lead is responsible for preparing a Code of Practice, which must be endorsed by the Chief Executive. This Code of Practice will outline the necessary measures, standards, and processes required to secure the NCII within their sector.
3. Prepare and Maintain Best Practice Guidelines: In addition to the Code of Practice, NCII Leads are tasked with preparing and maintaining best practice guidelines related to cybersecurity management.
4. Monitor and Ensure Compliance: The NCII Lead is also responsible for monitoring and ensuring that the actions required of and duties imposed on the NCII Entities are carried out. This role includes oversight of compliance with the Code of Practice and any other relevant regulations, ensuring that NCII Entities meet their obligations under the Act.
5. Report Cybersecurity Threats and Incidents: Finally, the NCII Lead must prepare and submit a report to the Chief Executive on any cybersecurity threats or incidents that have affected the NCII within their sector. This responsibility is crucial for maintaining an up-to-date understanding of the threat landscape and ensuring that the government remains informed and can respond effectively to potential risks.
Legal Obligations for NCII Entities
The legal obligations imposed by the Act on NCII Entities are critical for ensuring compliance and avoiding severe penalties. This section is particularly relevant to companies that own or operate NCII, as non-compliance with these obligations can result in significant fines and imprisonment. The Act outlines five broad key obligations for NCII Entities, which are discussed below.
1. Duty to Provide Information Relating to NCII: NCII Entities have a duty to provide information concerning their NCII, which is further divided into three categories:
• Request for Information: The NCII Lead may request information regarding the NCII owned or operated by the NCII Entity, and the NCII Entity must comply with this request.
• Provision of Additional NCII Information: If an NCII Entity procures or gains control over additional NCII, it must automatically provide relevant information to the NCII Lead.
• Notification of Material Changes: Any material change to the design, configuration, security, or operation of the NCII must also be automatically reported to the NCII Lead.
Failure to comply with these duties could result in a fine of up to one hundred thousand ringgit or imprisonment for a term not exceeding two years, or both.
2. Duty to Implement the Code of Practice: NCII Entities must implement the measures, standards, and processes specified in the Code of Practice. However, they may opt for alternative measures if they can demonstrate that these provide an equal or higher level of protection to the NCII.
Non-compliance with this obligation can result in a fine of up to five hundred thousand ringgit or imprisonment for a term not exceeding ten years, or both.
3. Duty to Conduct Cybersecurity Risk Assessment and Audit: NCII Entities are required to conduct a cybersecurity risk assessment in accordance with the Code of Practice at least once a year and an audit at least once every two years. The results of these assessments and audits must be submitted to the Chief Executive.
Failure to conduct these assessments or submit the reports can lead to a fine of up to two hundred thousand ringgit or imprisonment for a term not exceeding three years, or both.
4. Duty to Notify Cyber Security Incidents: In the event of a cybersecurity incident, the NCII Entity must provide an initial notification within six hours, detailing information such as the description of the cybersecurity incident, the severity of the cybersecurity incident, and the method of discovery. A full report must be submitted within 14 days, including details such as the number of hosts affected, information on the cybersecurity threat actor, and the incident's impact.
Non-compliance is severe, with penalties of up to five hundred thousand ringgit or imprisonment for a term not exceeding ten years, or both.
5. Cybersecurity Incident Response Directive: Upon receiving a notification of a cybersecurity incident from an NCII Entity, the Chief Executive will investigate and may issue a directive on necessary measures to respond to or recover from the incident. The term "directive" underscores the importance of compliance.
Failure to adhere to these directives may result in a fine of up to two hundred thousand ringgit or imprisonment for a term not exceeding three years, or both.
Licensing Requirements for Cybersecurity Service Providers
The Cyber Security Act 2024 introduces stringent licensing requirements for cybersecurity service providers. Under the Act, it is explicitly stated that no person shall provide any cybersecurity service, advertise, or in any way hold themselves out as a provider of such services unless they hold a valid license to do so.
The Act categorizes cybersecurity services into two (2) main types:
1. Managed Security Operation Centre (SOC) Monitoring Services: These are services that monitor the level of cyber security for the purpose of identifying or detecting cybersecurity threats to a computer or computer system, or determining the measures necessary to respond to or recover from any cybersecurity incident.
2. Penetration Testing Services: These services involve assessing, testing, or evaluating the level of cybersecurity of a computer or computer system by searching for vulnerabilities and compromising the cyber security defenses of the computer or computer system.
Non-compliance with the licensing requirement is a serious offense under the Act, punishable by a fine not exceeding five hundred thousand ringgit, imprisonment for a term not exceeding ten years, or both.
Conclusion
The implementation of the Cyber Security Act 2024, along with the four accompanying regulations, marks a transformative moment in Malaysia's cybersecurity framework. General counsels must stay informed and vigilant about these changes, ensuring that their organizations not only comply with the new requirements but also proactively protect their critical infrastructure from emerging threats in an increasingly digital world.
If your organisation has been designated as an NCII Lead or NCII Entity, and you would like us to assist you with compliance with your obligations under the Cyber Security Act 2024, please do not hesitate to reach out to the partners at our Technology Practice Group, whose contact details can be found below. The team is well-versed in technology and cyber security, and will certainly be able to assist in your endeavour.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my
10 September 2024
8 Prohibited AI Practices Under the EU AI Act You Must Know: Are Your AI Systems at Risk?
On 2 August 2024, the EU AI Act officially came into force, marking a significant milestone in the regulation of artificial intelligence within the European Union.
In our article, “We Read the EU AI Act So You Don’t Have To: 10 Essential Takeaways for General Counsels”, we provided a broad overview of this crucial AI legislation. Given the extensive scope of the EU AI Act, it is both impractical and insufficient to cover its entirety in a single article. Therefore, we intend to break down the EU AI Act into more manageable topics, offering in-depth analysis through a series of subsequent articles. Our latest publication, “EU AI Act: The Essential Guide to Copyright Compliance for General-Purpose AI Models”, delves into copyright compliance specifically related to the training of general-purpose AI models.
In this article, we aim to address another crucial aspect of the EU AI Act: the prohibition of certain AI practices. This topic is extremely important as it concerns AI practices that are strictly prohibited under the EU AI Act, and non-compliance carries severe penalties. The impact of these prohibitions extends to all companies currently developing AI systems, including those established or operating outside the EU, due to the extra-territorial effect of the EU AI Act – as long as the AI systems are intended to be placed, used, or deployed in the EU market, companies must ensure compliance with these prohibitions to avoid significant risks.
The 8 Categories of Prohibited AI Practices
Effective 2 February 2025, the EU AI Act will prohibit 8 broad categories of AI practices. This prohibition will extend beyond EU borders, impacting international AI system providers, including those based in Malaysia seeking to enter the EU market. Understanding these prohibitions is essential for compliance and strategic planning. The 8 categories of prohibited AI practices under the EU AI Act are:
1. Manipulative AI Systems
The EU AI Act prohibits manipulative AI systems, which are defined as AI systems that employ subliminal, manipulative, or deceptive techniques to distort and impair a person’s ability to make an informed decision, thereby leading them to make choices that could cause significant harm.
The EU AI Act views AI systems that are designed to materially distort human behaviour and cause harm to physical, psychological, or financial interests as dangerous and subject to prohibition. This includes AI systems that use subliminal elements such as audio, image, or video stimuli imperceptible to individuals, or other manipulative techniques that undermine or impair a person’s autonomy, decision-making, or free choice in ways that are not consciously recognized. Even if individuals are aware, they may still be deceived or unable to control or resist these techniques.
2. Exploitative AI Systems
The EU AI Act also prohibits exploitative AI systems. Although there are some overlapping similarities with manipulative AI systems, exploitative AI systems specifically target the vulnerabilities of individuals or groups due to their age, disability, or specific social or economic situations, materially distorting their behaviour in a manner likely to cause significant harm. This includes exploiting the vulnerabilities of individuals in extreme poverty, or those belonging to ethnic or religious minorities. The EU AI Act takes the prohibition of both manipulative and exploitative AI systems seriously, as any AI-enabled practice resulting in significant harm is prohibited, regardless of the provider's intention.
3. Social Scoring AI Systems
Social scoring AI systems, which are becoming increasingly common in many countries, are prohibited under the EU AI Act. These systems evaluate or classify individuals or groups based on their social behaviour or personality characteristics, with the resulting social score leading to detrimental or unfavourable treatment in social contexts that are either unrelated to the context in which the data was originally generated or collected, or unjustified or disproportionate to the social behaviour or its gravity.
The EU AI Act considers AI systems that provide social scoring of individuals as potentially leading to discriminatory outcomes and exclusion of certain groups. Social scores obtained from such AI systems may result in detrimental or unfavourable treatment in contexts unrelated to the original data collection or may be disproportionate or unjustified relative to the gravity of the social behaviour. As a result, AI systems involving such unacceptable scoring practices are prohibited.
4. Risk Assessment Profiling AI Systems
Risk assessment profiling AI systems, which make risk assessments of individuals to predict the risk of committing a criminal offense based solely on profiling or assessing their personality traits and characteristics, are also prohibited under the EU AI Act. However, this prohibition does not apply to AI systems used to support the human assessment of a person’s involvement in criminal activity, which is already based on objective and verifiable facts directly linked to the criminal activity.
In line with the presumption of innocence, the EU AI Act stipulates that a person should not be judged on AI-predicted behaviour based solely on their profiling, personality traits, or characteristics without a reasonable suspicion based on objective, verifiable facts and without human assessment. Therefore, risk assessments carried out to assess the likelihood of offending or predict potential criminal activity solely on profiling should be prohibited.
5. Facial Recognition Databases AI Systems
Facial recognition database AI systems are another common type of AI tool: they create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage. The use of such systems is prohibited by the EU AI Act because this practice contributes to the feeling of mass surveillance and can lead to severe violations of fundamental rights, including the right to privacy.
6. Emotion Inference AI Systems
Emotion inference AI systems, which infer the emotions of a person in workplaces and educational institutions, are also prohibited under the EU AI Act, except for medical or safety reasons.
The EU AI Act views AI systems identifying or inferring emotions or intentions based on biometric data as potentially discriminatory and intrusive to individual rights and freedoms. In contexts such as the workplace or education, where there is an inherent power imbalance, such systems could result in unfair or harmful treatment. Therefore, the use of AI systems intended to detect emotional states in these settings is prohibited, unless marketed solely for medical or safety purposes.
7. Biometric Categorisation AI Systems
Biometric categorisation AI systems that categorise individuals based on biometric data to infer attributes such as race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation are also prohibited. However, this prohibition does not cover the lawful labelling or filtering of biometric datasets, such as sorting images according to hair or eye colour for law enforcement purposes.
8. Real-time Biometric Identification AI Systems
A real-time remote biometric identification system refers to an AI system that identifies individuals without their active involvement, typically at a distance, by comparing a person’s biometric data with biometric data contained in a reference database. The use of 'real-time' remote biometric identification systems in publicly accessible spaces for law enforcement purposes is prohibited unless it is strictly necessary for one of the following objectives:
(i) Searching for specific victims of abduction, trafficking, or sexual exploitation, as well as searching for missing persons;
(ii) Preventing threats to life or physical safety, or preventing a terrorist attack; or
(iii) Localizing or identifying a person suspected of having committed a criminal offense.
The EU AI Act views the use of AI systems for 'real-time' remote biometric identification in publicly accessible spaces for law enforcement purposes as particularly intrusive to the rights and freedoms of the concerned individuals. It may affect the private lives of a large portion of the population, evoke a feeling of constant surveillance, and indirectly dissuade the exercise of the freedom of assembly and other fundamental rights.
The Penalty for Non-Compliance
Non-compliance with the prohibited AI practices under the EU AI Act carries severe penalties. Companies found in violation could face administrative fines of up to EUR 35 million or 7% of their total worldwide annual turnover for the previous financial year, whichever is higher.
3 Strategic Actions for General Counsels in Light of the EU AI Act
As the enforcement of prohibited AI practices under the EU AI Act approaches on 2 February 2025, general counsels must take decisive actions to ensure compliance and mitigate risk. The following three key steps are essential:
1. Acquire In-Depth Knowledge of Prohibited AI Practices
General counsels must thoroughly understand the eight categories of AI practices prohibited by the EU AI Act. This knowledge is critical for effective risk management and ensuring compliance. Familiarity with these prohibited practices will enable early identification of potential issues and facilitate proactive risk mitigation.
2. Conduct a Comprehensive Internal Audit of AI Systems
Initiate a detailed internal audit by collaborating with key business units, particularly product development and technology departments. This audit should assess all AI systems and models in development, their intended use cases, and potential impacts. It is crucial to evaluate not only the intended purposes but also the possible effects of these AI systems to identify any practices that may fall within the prohibited categories.
3. Develop a Proactive Compliance Strategy
Should the audit uncover any AI activities that fall under the prohibited categories, especially those targeting the EU market, general counsels should swiftly formulate a compliance strategy. Possible actions include limiting distribution to non-EU markets, modifying product functionalities, or ceasing the development of certain AI solutions.
While the EU AI Act presents new compliance challenges, its phased implementation provides an opportunity to prepare. Immediate focus should be on understanding and addressing prohibited AI practices.
The Technology Practice Group at Halim Hong & Quek is well-versed in technology law, including the EU AI Act, and we are currently providing training to multinational corporations in Malaysia on this subject. Should you require assistance or wish to schedule a more detailed discussion to ensure compliance, please let us know.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my
Jerrine Gan Jia Lynn, Pupil-in-Chambers, Technology Practice Group. jerrine.gan@hhq.com.my
2 September 2024
EU AI Act: The Essential Guide to Copyright Compliance for General-Purpose AI Models
The European Union's Artificial Intelligence Act (“EU AI Act”), which officially came into force on 1 August 2024, marks a significant advancement in artificial intelligence (“AI”) regulation within the European Union (“EU”). This landmark legislation establishes a comprehensive regulatory and legal framework for AI, setting clear compliance requirements for AI providers, deployers, importers, distributors, and manufacturers that place their AI within the EU market. Among the key issues addressed by the EU AI Act is the preservation of copyright in copyrighted materials, particularly against unauthorised usage by general-purpose AI (“GPAI”) model providers.
GPAI models, as the name suggests, are AI models that can be used for a wide range of tasks and are capable of being integrated into a variety of downstream systems or applications. The development and training of GPAI models rely on extensive datasets - often gathered through scraping of text and data online, which would undoubtedly include copyrighted works. This poses challenges for artists, authors, and creators, as their intellectual property might be used without proper authorisation or adequate compensation. The EU AI Act now introduces guidelines to safeguard rightsholders’ intellectual property rights and ensure transparency, balancing technological advancement with recognition for original works.
In this article, we examine the key measures introduced by the EU AI Act for the preservation of copyright, particularly in the deployment of GPAI models, and explore the implications of these new regulations. Malaysian companies looking to provide their own GPAI models should pay close attention to these regulations, taking into account the extraterritorial nature of the EU AI Act, as well as the possibility of similar regulations being adopted by the Malaysian government in the future.
1. Express Consent from Rightsholders
The development and training of GPAI models, especially large generative AI models, often involve using extensive datasets that may include text, images, videos, and other types of data. Under the EU’s copyright-related Directives, publicly accessible content (such as content published online) may generally be used for text and data mining purposes, unless the rightsholders opt out of, or reserve their rights to, the mining of their published text and data. The EU AI Act has now made it clear that providers of GPAI models must observe any reservation of rights to text and data mining by the relevant rightsholders, and obtain their authorisation should the providers wish to mine the text and data of these rightsholders. To some extent, this has provided welcome clarity on whether copyright owners can stop AI companies from using their copyrighted work (which has been disseminated online) for AI model training.
2. Copyright Policy Implementation
In addition, providers of GPAI models are mandated under the EU AI Act to implement and maintain comprehensive policies to ensure compliance with EU copyright laws. This includes identifying and respecting any rights reservations expressed by copyright holders. Effectively, this means that it is not sufficient for a provider of GPAI models merely to have knowledge of EU copyright laws; it is also required to craft and put in place operational policies which demonstrate that its business operation complies with the applicable EU copyright laws.
3. Transparency and Data Disclosure
To enhance transparency, GPAI model providers are required under the EU AI Act to draw up and publicly share a detailed summary of the text and data used in training their AI models. This summary must be comprehensive, specifying key data collections or sets utilised during the training process. The objective is to provide an avenue through which copyright holders can determine whether their works are being used and effectively exercise and enforce their rights. To avoid unintentionally divulging confidential information and/or trade secrets, companies should be careful in preparing the summary, striking a balance between providing a sufficient description of the nature and source of the data used and avoiding the disclosure of sensitive or proprietary information.
4. Conclusion
The EU AI Act has extraterritorial reach, meaning its regulations apply to all GPAI model providers entering the EU market, regardless of their origin. Providers must comply with these obligations when placing a GPAI model on the EU market, regardless of where the copyright-related activities underpinning the model’s training occur. For providers based outside the EU, such as in Malaysia, adherence to the EU AI Act’s obligations is essential for accessing the EU market, including securing permissions for copyrighted content and providing detailed transparency reports.
Given the sweeping effect of the EU AI Act, it is reassuring to know that companies, particularly providers of GPAI models, are given a 12-month grace period until 2 August 2025 to take the necessary actions to comply with the obligations imposed under the EU AI Act. Companies should make full use of this grace period to consult their legal counsels on the wider implications of the EU AI Act, and to allow effective collaboration between their external legal counsels and their in-house legal and compliance teams in anticipation of compliance with the requirements of the EU AI Act.
For more information on or assistance with compliance with the EU AI Act, please feel free to reach out to the firm’s Technology Practice Group. Our experienced lawyers are ready to support you in navigating the AI regulations and ensuring compliance.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Winn Wong Huang Wee
Senior Associate
Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Intellectual Property
winn.wong@hhq.com.my
30 August 2024
Essential Tips for Drafting an Arbitration Clause
Introduction
Arbitration has become a preferred method for resolving disputes across various industries, offering a private and efficient alternative to litigation. One of the key attractions of arbitration is its flexibility, allowing parties to tailor the process to meet their specific needs.
However, this flexibility can be a double-edged sword if the arbitration agreement is not carefully drafted. A defective arbitration clause can lead to significant delays, increased costs, and complications that undermine the very benefits that arbitration is intended to provide.
The effectiveness of arbitration largely hinges on the precision and clarity of the arbitration clauses. A well-crafted arbitration agreement can help parties navigate potential disputes smoothly, avoiding unnecessary legal battles and ensuring that the arbitration process unfolds as intended. Conversely, a poorly drafted clause can result in unintended consequences, such as disputes over the validity, scope, or interpretation of the arbitration agreement itself.
Below are some practical tips to guide you in drafting an arbitration clause:
1) Define the Scope of Arbitration Clearly
A fundamental aspect of any arbitration agreement is the clarity with which it defines the scope of disputes subject to arbitration. It is essential to specify the types of disputes that the arbitration clause will cover, whether they relate to contractual disagreements or any other matters pertinent to the parties.
To ensure comprehensive coverage, it is advisable to draft the clause in broad terms, capturing the full range of potential disputes. A commonly used wording, such as “all and any disputes and/or differences arising out of or in connection with this contract shall be referred to arbitration,” can be effective in encompassing a wide array of issues, thereby minimizing the risk of ambiguity or exclusion.
2) Choosing the Appropriate Arbitration Rules
When drafting an arbitration agreement, one of the most crucial decisions is whether to adopt the rules of an established arbitral institution (such as the AIAC, which is commonly adopted in Malaysia) to govern the arbitration process.
The advantage of this choice is that, for a fee, the institution plays a central role in administering the dispute, offering a well-established and predictable procedure through its rules.
3) Seat of Arbitration
Choosing the seat of arbitration is an important decision, as it determines the procedural law that governs the arbitration and can impact the enforceability of the award. The seat may also influence the availability of interim measures and other procedural aspects.
4) Consider Applicable Law
The arbitration clause should specify the governing law that applies to the arbitration agreement. This choice sets the legal framework within which the arbitrators will make their decisions.
5) Language
Additionally, it is essential to specify the language(s) of the arbitration as this will be the language used in pleadings, submissions, and hearings. Choosing the language that the parties frequently use in their communications can save translation and interpretation expenses.
6) Number and Method of Arbitrator Appointment
The number of arbitrators and the method of their appointment should be clearly defined in the arbitration clause. Depending on the complexity and value of the dispute, parties may opt for a single arbitrator or a panel of three arbitrators. The appointment process should also be outlined, whether it involves mutual agreement between the parties and/or appointment by an appointing authority.
7) Multi-Tier Dispute Resolution Clause
The parties to an arbitration may decide if they want to try a non-binding process such as mediation before taking their disputes to arbitration, i.e. by incorporating a multi-tier dispute resolution clause. A multi-tier dispute resolution clause typically outlines a structured process for resolving disputes, specifying a series of steps that must be followed sequentially to address a dispute. It often includes various phases such as negotiation, mediation, or expert determination, each of which must be attempted before proceeding to the next phase. If these steps do not resolve the dispute, the parties may then turn to courts or arbitration as a final recourse.
It is important to establish a specific timeframe for mediation or negotiations, ensuring that the parties are aware of when this stage concludes, allowing them to move forward with arbitration. Without a defined time limit, disputes may arise over when, or whether, arbitration can be initiated. It is pertinent to note that such a provision may be a nuisance if a claimant wishes to start the arbitration proceeding promptly.
8) Address Finality of the Award
Including a provision in the arbitration clause that stipulates the award shall be "final and binding" is highly advisable. While this provision does not completely eliminate the possibility of the award being challenged or set aside, it clearly indicates the parties' intent for the award to be enforced through the courts. Clarifying the finality of the award in the arbitration clause can help prevent unnecessary delays in enforcing the decision.
Conclusion
Drafting an effective arbitration clause requires careful attention to several key elements and potential circumstances. By precisely outlining the scope and applicability, selecting the right arbitration rules, specifying the seat and language, addressing procedural issues, and considering the relevant law and jurisdiction, the parties can ensure their arbitration clauses establish a clear and reliable process for dispute resolution.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Author
Lynn Foo
Partner
Construction & Energy
Harold & Lam Partnership
lynn.foo@hlplawyers.com
30 August 2024
Are Oppression Claims Arbitrable?
Brief facts
In the case of Teo Heng Tatt v All Kurma Sdn Bhd & Ors [2024] CLJU 1471, the Plaintiff (“Teo”) being a former salaried director, is a minority shareholder that holds 20% of shares in the 1st Defendant Company (“the Company”) while the 2nd and 3rd Defendants (“the Defendants”) are majority shareholders that hold 60% shares in the Company. The parties have previously entered into a Shareholders Agreement (“SA”) which included an arbitration clause at Clause 25 for any disputes arising out of the agreement to be referred to arbitration in Singapore under the Singapore International Arbitration Centre (SIAC) Rules.
The claim of oppression centred on decisions made by the Defendants, which allegedly disadvantaged and/or excluded Teo in their decision-making processes including acts of impropriety and engaging in competing business. At the same time, the 1st Defendant had also filed another action claiming that Teo was in breach of his fiduciary duties for incorporating competing businesses.
Therefore, Teo filed the oppression action herein premised on the contention that the conduct of the Defendants was tantamount to oppressive conduct. The Defendants, on the other hand, argued that the dispute should be referred to arbitration, citing the arbitration clause under Clause 25 of the SA.
(a) Plaintiff’s argument
Teo argued that the nature of the dispute, oppression of minority shareholders, was a matter that required judicial intervention, and in any event, parties are allowed to bring concurrent proceedings in the High Court even if parties had agreed to go for arbitration.
(b) Defendants’ Argument
The defendants contended that the arbitration clause was binding and that all disputes, including oppression claims, should be referred to arbitration.
(c) The High Court’s decision
The Court ruled in favour of the Defendants that the parties ought to have referred the dispute to arbitration, because:
(i) The SA contained a valid arbitration clause that mandated that disputes arising from or in connection with the agreement, including allegations of oppression, were to be resolved through arbitration.
(ii) The alleged oppression claims raised by Teo fell within the scope of the SA and well within the definition of ‘dispute’ and thus, oppression claims are indeed arbitrable by virtue of S 4 of the Arbitration Act 2005. (Reference was also made to Padda Gurtaj Singh v Tune Talk Sdn Bhd & Ors [2022] 4 MLJ 257, where as long as there is a valid arbitration agreement, it is mandatory for the Court to stay the proceedings.)
(iii) The Defendants did not take any steps in the proceedings; the prior legal suit filed by the Company (albeit under the control of the Defendants) was related to different issues and not filed by the Defendants in their individual capacity as shareholders.
Based on the aforesaid, the Court granted a stay of proceedings under Section 10 of the Arbitration Act 2005 in holding that the dispute ought to be referred to arbitration, as per Clause 25 of the SA mutually agreed by the parties.
In conclusion, this decision reaffirms the Malaysian judiciary’s support for arbitration as a means of resolving disputes. A mandatory stay of proceedings will be granted pending matters to be referred to arbitration when it is provided for in the Agreement.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Authors
Lum Man Chan
Partner
Dispute Resolution
Halim Hong & Quek
manchan@hhq.com.my

Esther Lee Zhi Qian
Pupil-in-Chambers
Dispute Resolution
Halim Hong & Quek
esther.lee@hhq.com.my
30 August 2024
Court of Appeal: Credit Reporting Agencies Are Authorised to Formulate Credit Score
INTRODUCTION
On 9.8.2024, the Court of Appeal in the case of CTOS Data Systems Sdn Bhd v Suriati bt Mohd Yusof [2024] MLJU 1935; [2024] CLJU 1719 set aside the decision of the High Court in Suriati binti Mohd Yusof v CTOS Data Systems Sdn Bhd [2024] MLJU 437; [2024] CLJU 440 which previously held that credit reporting agencies are not empowered to formulate a credit score or create their own criteria/ percentage to formulate a credit score.
The Court of Appeal ruled that credit reporting agencies, such as CTOS Data Systems Sdn Bhd, are allowed to provide credit information that has bearing on the eligibility of a customer to any credit, including by way of a credit score.
HIGH COURT PROCEEDINGS
On 29.1.2020, Suriati Binti Mohd Yusof (“Plaintiff/ Respondent”) commenced a claim for negligence and defamation against CTOS Data Systems Sdn Bhd (“Defendant/ Appellant”) in the Kuala Lumpur High Court.
The Plaintiff claimed that:
(i) The Defendant provided inaccurate credit information about the Plaintiff concerning a debt due to a company known as Webe Digital Sdn Bhd (“Webe”), leading to a loss of reputation, personal losses as well as business losses.
(ii) The Plaintiff attempted to apply for a loan for the purchase of a vehicle with a number of banks but all the applications were rejected as the Plaintiff’s CTOS report (by the Defendant) showed that the Plaintiff had a low credit score.
(iii) The Defendant had breached its duty of care to the Plaintiff in the course of collating, reporting and publishing credit information concerning the Plaintiff to the Defendant’s subscribers, including financial institutions.
(iv) The Plaintiff’s creditworthiness had been affected by reason of the Defendant giving the Plaintiff a low credit score resulting in her inability to obtain financing from financial institutions.
(v) The Defendant defamed the Plaintiff in the course of publishing inaccurate, incomplete, misleading and/or outdated credit information concerning the Plaintiff to third parties.
On 7.3.2024, the High Court Judge allowed the Plaintiff’s claim against the Defendant and awarded the Plaintiff general damages in the sum of RM200,000.00, interest at the rate of 5% and costs of RM50,000.00.
The High Court Judge held that:
(i) Pursuant to the Credit Reporting Agencies Act 2010 (Act 710) (“CRAA 2010”), the Defendant’s main role is to collect, record, hold, and store the information received. The Defendant plays a dual role of collecting information and processing that information. The Defendant is also empowered to disseminate the information to its subscribers, including financial institutions.
(ii) Section 29 of the CRAA 2010 imposes a duty upon the credit rating agency to verify and to ensure the accuracy of the credit report. The Defendant owed a duty of care towards the Plaintiff in providing accurate credit information.
(iii) The Plaintiff alerted the Defendant that the information against her was inaccurate. However, the Defendant chose to ignore the communication from the Plaintiff and continued to maintain the said information. By choosing to be indifferent even after being alerted by the Plaintiff, the Defendant has clearly breached the duty of care owed towards the Plaintiff.
(iv) There is no provision in the CRAA 2010 empowering the Defendant to formulate a credit score or empowering the Defendant to create its own criteria or percentage to formulate a credit score. The Defendant was just supposed to be a repository of the credit information to which the subscribers have access.
(v) The Defendant defamed the Plaintiff in the course of publishing inaccurate, incomplete, misleading and/or outdated credit information concerning the Plaintiff to third parties.
Dissatisfied with the decision of the High Court, the Defendant/ Appellant appealed to the Court of Appeal against the decision.
COURT OF APPEAL
On 9.8.2024, the Court of Appeal unanimously allowed the Defendant/ Appellant’s appeal and set aside the order of the High Court. The Court of Appeal found merits in the appeal and was satisfied that there was misdirection on the part of the High Court which warrants appellate intervention.
The Court of Appeal ruled that:
(i) Defamation Claim
The Plaintiff/ Respondent admitted that she had commenced a separate action against Webe in the Kuala Lumpur Sessions Court in which she raised the contention that she was not indebted to Webe. The Sessions Court Judge held that the Plaintiff/ Respondent was indebted in the amount of RM2,186.60 to Webe.
Truth or justification is an absolute defence to an action in libel. Therefore, there is no merit in the defamation claim raised by the Plaintiff/ Respondent. Given that the Plaintiff/ Respondent’s debt to Webe was true in substance and in fact, the Plaintiff/ Respondent’s action for defamation cannot stand at all.
(ii) Negligence Claim
The Plaintiff/ Respondent also pleaded negligence as a cause of action allegedly resulting in damage to her reputation and creditworthiness. As the information of the Plaintiff/ Respondent’s indebtedness to Webe was correct, negligence had not been proven.
The Defendant/ Appellant, a Credit Reporting Agency, does not owe a duty of care to the Plaintiff/ Respondent as a customer as defined in the CRAA 2010.
Webe is a subscriber to the services of the Defendant and the Plaintiff was its customer. The Defendant provides a service where a subscriber may upload information of debts owed to the subscribers by third parties. Webe uploaded information of the Plaintiff’s indebtedness in the sum of RM2,186.60.
Even if there was a duty of care, there was still no breach of this duty as the information cannot be said to be inaccurate, incomplete, misleading or irrelevant, as the Plaintiff had indeed defaulted on her payment obligations to Webe.
(iii) Breach of Statutory Duty
The Plaintiff/ Respondent did not specifically plead breach of statutory duty. Therefore, the High Court was not entitled to make any finding on such a claim.
Even assuming that there was an implied reference to it, there was no breach of any statutory duty as there was no connection proven between the rejection of the Plaintiff/ Respondent’s car loan application and the contents of the credit report.
“Credit Reporting” as defined under the CRAA 2010 includes credit information that has any bearing on the eligibility of a customer to any credit. This would entail a reporting which some credit reporting agencies would do by way of a credit score.
In this case, the credit score was calculated by software using algorithms, without human intervention, and there is no evidence to show that the rejection of the car loan was premised on a low credit score.
Based on the above, the Defendant/ Appellant had not breached its duty of care to the Plaintiff/ Respondent in all circumstances.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Author
Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my
30 August 2024
Estate Wins Suit Over Medical Negligence in Tragic Vertigo Case
Case summary: Datin Nor Rizam bt Abdul Wahab (menyaman sebagai pentadbir estet Dato' Ir Zainudin bin A Kadir) v Pusat Pakar Tawakal Sdn Bhd & Ors [2024] MLJU 1292
Introduction
1. The Plaintiff, Datin Nor Rizam bt Abdul Wahab (“Plaintiff”), acting as the administrator of the estate of her late husband, Dato' Ir Zainudin bin A Kadir (“Deceased”) filed a suit against Pusat Pakar Tawakal Sdn Bhd (“1st Defendant”), Dr. Haji Mohd Solahuddin (“2nd Defendant”) and Dr. Zulkifli Bin Mohamed Haris (“3rd Defendant”) for alleged medical negligence leading to injury and eventual death of the Deceased.
2. Since 2012, the Deceased complained that he was suffering vertigo, fever and flu. After consulting with his physician then, he was referred to the 2nd Defendant where he was advised to undergo an operation known as bilateral functional endoscopic sinus surgery with septoplasty and turbinoplasty (“surgery”).
3. Thereafter, the Deceased was admitted into the care of the 1st Defendant. However, complications arose post-surgery which purportedly led to the deteriorating health and death of the Deceased.
4. The salient events leading up to the death of the Deceased are set out below.
(i) Events at the operating theatre and observation room
The records show that the surgery went well and that there was no untoward incident that occurred during the surgery.
The 3rd Defendant had administered reversal agents (atropine and neostigmine), and the Deceased was extubated after demonstrating the ability to breathe independently.
Based on the Aldrette Scoring system, the score recorded was 10/10 and the Deceased was said to be qualified to be sent to the normal ward instead of the High Dependency Unit or Intensive Care Unit. The pre-discharge checklist indicated that the Deceased did state that the pain was at the rate of 8/10.
The Deceased was observed for a period of 15 minutes after the surgery and a further 15 minutes after the reversal agent was administered. The 3rd Defendant had a discussion with the 2nd Defendant before deciding to discharge the Deceased from the observation room to the normal ward. The 3rd Defendant also spoke to the Deceased to ensure that he was well, could control his bodily functions and could breathe unassisted by machines in deciding that it was safe for the Deceased to be released to the normal ward.
(ii) Events at the normal ward
The Deceased was carted into the normal ward at 9.10 p.m. Around 9.30 p.m., the Deceased’s condition deteriorated and he showed signs that he was asphyxiated. The Deceased’s skin turned bluish, indicating low blood oxygen levels, and he had difficulty in breathing.
The 2nd Defendant, who happened to be making his rounds nearby, was alerted to the situation and initiated a Code Blue. He immediately started to resuscitate the Deceased after the crash cart was brought into the ward within 5 minutes of the Code Blue alarm. The initial intubation attempt failed. The 2nd Defendant had only resuscitated the Deceased using the supplied ambu bag with only the air in the room, without the oxygen link. The oxygen converter required to connect the ambu bag to the oxygen supply was missing from the ward.
The 3rd Defendant was also alerted to the Code Blue alarm and arrived at the ward at around 9.35 p.m. It was found that the 2nd Defendant had wrongly intubated the Deceased and the endotracheal tube was inserted into his oesophagus.
The 3rd Defendant removed the earlier endotracheal tube. He then ambu bagged the Deceased with the oxygen line connected with sufficient oxygen supplied, and the Deceased was successfully resuscitated. The Deceased was then sent to the Intensive Care Unit for further care.
(iii) Events at the Intensive Care Unit
The Deceased underwent multiple CT scans, showing cerebral oedema and both cerebral and cerebellar oedema, consistent with hypoxic ischemic encephalopathy, i.e. a type of brain injury that occurs when the brain experiences a decrease in oxygen or blood flow.
Despite further medical interventions, the Deceased’s condition did not improve, and he was later discharged with severe neurological impairments. He unfortunately passed away subsequently.
Findings of the High Court
5. On the issue of whether the Deceased was fully informed of all possible alternatives and of the risks of the operation and anaesthesia, the Court did not find any liability against the Defendants.
(a) The Court found that the doctors had explained all of the related risks to the Deceased. The only error on the part of the 2nd Defendant as pointed out by the learned Judge was the failure to note down in detail the particulars of the advice given to the Deceased.
(b) The Deceased was given ample time to consider whether to undertake the operation. In this regard, the Court was of the opinion that the duly executed consent forms were indicative that the risks of the operations and anaesthesia were sufficiently explained to the Deceased.
6. The Court however found the Defendants to be negligent for the events post-surgery and held them to be jointly and severally liable for the damages claimed by the Plaintiff. Below are the findings made by the Court:-
In respect of the 2nd Defendant and 3rd Defendant:-
(a) The decision to discharge the Deceased after being in the observation room for 30 minutes was found to be premature and taken as evidence that the 2nd Defendant and 3rd Defendant were negligent.
(i) There was no proper discussion between the nurses and the doctors on the Aldrette scoring. The nurses did not explain the condition of the Deceased to the 2nd Defendant and 3rd Defendant at the time when the Aldrette scoring was recorded.
(ii) The 2nd Defendant’s own expert witness, Dr. Jeevanan Jahendran agreed that based on the risks involved in the operation, it is prudent to have kept the Deceased in the observation bay for at least an hour to ensure that the Deceased would be able to breathe on his own and mitigate any possible risks of asphyxiation, more so when the type of operation was undertaken within the airway region of the Deceased. Dr. Jeevanan Jahendran also said that he would have sent the Deceased to the High Dependency Unit to ensure that the Deceased is given sufficient attention considering the age of the Deceased, his condition that he was still drowsy and the pain score at the rate of 8.
(iii) The clinical assessment undertaken, despite being based on the Aldrette score, falls short of the standard expected of a competent and reasonably experienced medical practitioner. The 2nd Defendant and 3rd Defendant had failed to appreciate the risk faced by the Deceased, the type of medication used and the type of operation undertaken in this case before the Deceased was discharged.
(b) The Court further found that the 1st Defendant was negligent and did not act in accordance with the expected standards of a hospital providing care to its patient.
(i) The 1st Defendant failed to ensure that proper medical facilities were made available to the Deceased at the ward. The oxygen adapter was missing from the room and had to be sourced elsewhere during the critical time, which had led to the Deceased being in a cyanosed state.
(ii) The nurses who attended to the Deceased did not record the incident in detail and failed to record the missing oxygen adapter as well as the 2nd Defendant’s failure to undertake the intubation.
(iii) There were no records made and kept by the 1st Defendant of the Code Blue event detailing the respiratory or cardiac emergency performed.
(c) The Court also found the 2nd Defendant to be negligent in failing to intubate the Deceased successfully when he was cyanosed. The intubation should have been successful within a short time of at most 4 minutes and not within 10 minutes. The Court rejected the 2nd Defendant’s explanation that he does not usually undertake the intubation of patients and that his last attempt was during his housemanship. In rejecting the 2nd Defendant’s suggestion that such tasks should be left to the anaesthesiologist, the Court relied on the opinions of the experts, Dr. Jeevanan Jahendran and Dr. Syed Rozaidi, who explained that an ENT surgeon would be able to intubate properly as they are trained within the trachea region and would be familiar with the air passageway. This is a skill expected of any reasonably competent doctor, even from a houseman fresh from university.
(d) In assessing the evidence including the experts’ testimonies, the Court held that the actions of all the Defendants were inextricably linked to one another and caused damage to the Deceased and his eventual death. The Court ordered the damages of RM5,178,037.21 to be borne jointly and severally by the Defendants.
Key takeaways
7. This case highlights the following trite legal principles:-
(a) A doctor / medical practitioner owes a duty of care to his or her patient that must be discharged in “accordance with a practice accepted by a responsible body of medical men skilled in that particular art”.
(b) A doctor / medical practitioner is not guilty of negligence if he or she has acted in accordance with such a practice, even if there exists a body of opinion that takes a contrary view.
(c) The said doctor / medical practitioner also owes a duty of care to the patient to warn him or her of the material risk inherent in the treatment that is being proposed.
(d) What amounts to a material risk will depend on the circumstances of the case and “whether a reasonable person in the patient’s position would be likely to attach significance to the risk”.
(e) The medical practitioner is “duty bound by law to inform his or her patient, who is capable of understanding and appreciating such information of the risks involved in any proposed treatment” to enable the patient to make an election of whether to proceed with the proposed treatment with knowledge of the risks involved or decline to be subjected to such treatment.
8. In addition, this case echoes the principle set out recently by the Federal Court in the case of Siow Ching Yee (menyaman melalui isteri dan wakil litigasinya, Chau Wai Kin) v Columbia Asia Sdn Bhd [2024] MLJU 444 wherein the Court emphasized that a private hospital owes a non-delegable duty of care for the treatment and care of patients, regardless of to whom it may have delegated that duty and who may have performed the act or omission complained of.
9. It is also essential to note the importance of maintaining thorough records of all events to effectively present your position in Court. In this case, the Defendants were at a disadvantage due to the absence of records, including the 2nd Defendant’s advice to the Deceased on alternative treatments, discussions between the nurses and the 2nd and 3rd Defendants regarding the Deceased’s condition and Aldrette scoring, and details of the Code Blue event.
10. Lastly, a comprehensive assessment and opinion by experts in the relevant expertise play a critical role in medical negligence claims. For instance, in this case, the Court preferred the opinion of Prof Dr. YK Chan over Dr. Syed Rozaidi, as Prof. Dr. Chan’s report was thorough, took into account all material factors and provided clear justifications for his opinion.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Authors
Chan Jia Ying
Senior Associate
Civil & Commercial Dispute Resolution, Corporate & Commercial Contracts, Taxation, Insolvency & Winding Up, Employment, Medico-Legal
Harold & Lam Partnership
jiaying@hlplawyers.com
Damia Amani
Associate
Dispute Resolution
Harold & Lam Partnership
damia@hlplawyers.com
30 August 2024
Case summary: Prema Bonanza Sdn Bhd v Vignesh Naidu a/l Kuppusamy
PREMA BONANZA SDN BHD V VIGNESH NAIDU A/L KUPPUSAMY NAIDU (Federal Court Civil Appeal No.: 02(i)-72-08/2022(W) & 02(i)-74-08/2022(W));
OBATA-AMBAK HOLDINGS SDN BHD V PREMA BONANZA SDN BHD (Federal Court, Civil Appeal No.: 02(i)-70-08/2022(W) & 02(i)-71-08/2022(W)); and
SRI DAMANSARA SDN BHD V TRIBUNAL TUNTUTAN PEMBELI RUMAH & 2 OTHERS (Federal Court, Civil Appeal No.: 01(f)-1-01/2023(B))
26 July 2024
Coram: Y.A.A TAN SRI DATUK AMAR ABANG ISKANDAR BIN ABANG HASHIM, PMR
Y.A. DATO’ ZABARIAH BINTI MOHD YUSOF, HMP
Y.A. DATO’ SRI HASNAH BINTI DATO’ MOHAMMED HASHIM, HMP
Y.A. DATUK HARMINDAR SINGH DHALIWAL, HMP
Y.A. DATUK ABDUL KARIM BIN ABDUL JALIL, HMP
Messrs Halim Hong & Quek holding watching brief for Real Estate and Housing Developers’ Association Malaysia (“REHDA”)
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Authors
Goh Li Fei
Partner
Real Estate
Halim Hong & Quek
lfgoh@hhq.com.my

Hee Sue Ann
Senior Associate
Real Estate
Halim Hong & Quek
sahee@hhq.com.my
28 August 2024
CYBER SECURITY REGULATIONS 2024 - Essential Reporting, Audit and Licensing Obligations
The Cyber Security Act 2024 (“Act”) came into effect on 26 August 2024, heralding a new era in Malaysia’s cyber security regulation.
To complement the Act, four (4) crucial regulations have been introduced, each providing specific guidelines and obligations for entities owning or managing national critical information infrastructures (“NCII”):
(i) Cyber Security (Notification of Cyber Security Incident) Regulations 2024;
(ii) Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024;
(iii) Cyber Security (Compounding of Offences) Regulations 2024; and
(iv) Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024.
The newly introduced regulations have provided further details regarding some of the key elements under the Act, which we have summarised in this article:
1. Notification of Cyber Security Incidents
The Act imposes certain obligations on the NCII entity to notify the Chief Executive of NACSA and the relevant NCII sector lead(s) upon the happening or suspicion of a cyber security incident. With the introduction of the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, there is now clarity on the procedure and timeline for such cyber security incident notification:
• Immediate Notification
Upon discovering a cyber security incident or potential incident, the NCII entity must notify the Chief Executive of NACSA and its NCII sector lead immediately via electronic means. It is unclear what “electronic means” entails, but this could be either via e-mail or a dedicated online portal.
• Within 6 Hours
Within 6 hours of discovering the incident, the NCII entity must provide a detailed report which must at the minimum include:
• Particulars of the person submitting the notification on the entity’s behalf;
• Particulars of the NCII entity concerned, the relevant NCII sector and sector lead(s);
• Information concerning the cyber security incident, which would include its severity (this is typically rated using the Common Vulnerability Scoring System, also known as “CVSS”), method of discovery, etc.
• Within 14 Days
A more comprehensive report must be submitted within 14 days from initial notification, which, to the fullest extent practicable, must include:
• Particulars of the NCII impacted;
• Scope of Impact (estimated number of hosts affected);
• Particulars of the cyber security threat actor (if known);
• Incident Artifacts - Relevant logs, code snippets, or malicious files;
• Information on any related incidents and their connection to the current cyber security incident;
• Tactics, Techniques, and Procedures employed or exploited by the threat actors;
• The incident’s impact on the NCII or interconnected computer systems;
• Details of any actions taken to contain or mitigate the effect of the cyber security incident.
2. Period for Cyber Security Risk Assessment and Audit
To maintain robust cyber security practices and readiness, NCII entities are required under the Act to perform regular assessments and audits to ensure ongoing compliance and security.
The Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024 has now provided clarity on the frequency of cyber security risk assessment and audit:
• Annual Risk Assessments
An NCII entity is to conduct a cyber security risk assessment at least once a year to identify and address potential vulnerabilities.
• Biennial Audits
A cyber security audit, on the other hand, is supposed to be carried out once every 2 years, or more frequently if directed by the Chief Executive of NACSA, to ensure ongoing compliance and address emerging threats.
3. Compounding of Offences
The Cyber Security (Compounding of Offences) Regulations 2024 introduced a mechanism for compounding specific offences, offering an alternative to prosecution. This allows entities to resolve certain violations by paying a fine rather than facing court proceedings.
• Eligible Offences
The following offences are eligible for compounding, subject to the Public Prosecutor’s consent.
| No. | Section of the Act | Description of Offence | Penalty |
|---|---|---|---|
| 1. | Section 20(6) | Non-compliance by a NCII entity with requests or requirements related to information disclosure, material changes, or reporting. | Fine up to RM100,000 or imprisonment for up to 2 years, or both. |
| 2. | Section 20(7) | Non-compliance by a NCII sector lead with the requirement to notify the Chief Executive of NACSA about certain information. | Fine up to RM100,000. |
| 3. | Section 22(7) | Failure of an NCII entity to conduct or submit required cyber security risk assessments or audits. | Fine up to RM200,000 or imprisonment for up to 3 years, or both. |
| 4. | Section 22(8) | Failure to comply with directions from the Chief Executive regarding additional risk assessments or audits. | Fine up to RM100,000. |
| 5. | Section 24(4) | Non-compliance with directions from the Chief Executive related to cyber security exercises. | Fine up to RM100,000. |
| 6. | Section 32(3) | Failure by a licensee to maintain or provide records of cyber security services as required. | Fine up to RM100,000 or imprisonment for up to 2 years, or both. |
• Acceptance of Offer
If the company is offered the opportunity to compound an offence, the offer must be accepted within 30 days, with payment made electronically.
• Consequences of Non-Payment
Failure to pay the compounding fine within the specified period may result in prosecution, without further notice.
4. Licensing of Cyber Security Service Providers
The Act requires cyber security service providers to obtain a licence before they can offer cyber security services in Malaysia.
The Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 has made it clear that only companies providing managed security operation center (SOC) monitoring or penetration testing services would be subject to the licensing regime:
• Licensing Process
Cyber security service providers must apply for the licence electronically, presumably through an online platform to be set up, which would require the applicants to fill in details of their companies and services. Each application and renewal is to be accompanied by the payment of a non-refundable fee.
• Penalties for Misrepresentation
Providing false or misleading information during the application process can lead to severe penalties, including fines and/or imprisonment.
• Exemptions
Exemptions are provided for government entities, services provided by individuals to their related companies, and cyber security services for computers or systems located outside Malaysia.
Conclusion
The Cyber Security Act 2024, along with its subsidiary regulations, imposes significant new responsibilities on NCII entities. This framework requires meticulous compliance and proactive management.
For tailored advice and assistance in navigating this new framework, our TMT team is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my
Nicole Shieh E-Lyn
Associate
Technology, Media & Telecommunications (“TMT”), TMT Disputes
nicole.shieh@hhq.com.my
More of our Tech articles that you should read:
• We Read the EU AI Act So You Don’t Have To: 10 Essential Takeaways for General Counsels
• Navigating Cyber Security and Data Breaches – Handling Breach Notifications
• Urgent Compliance Alert: Malaysia’s New Regulatory Framework for Social Media Services and Internet Messaging Services
26 August 2024
We Read the EU AI Act So You Don’t Have To: 10 Essential Takeaways for General Counsels
The European Union (“EU”) published the long-awaited European Union's Artificial Intelligence Act, Regulation (EU) 2024/1689 ("EU AI Act") on 12 July 2024, and it officially came into force on 1 August 2024.
Consistent with the EU's reputation for comprehensive and detailed legislation, the EU AI Act is notably extensive, spanning 13 chapters and 144 pages. Given the breadth and complexity of this legislation, it is clear that attempting to cover the entire act in a single article would neither do justice to its complexity nor serve the practical needs of businesses. Therefore, this article aims to serve as a preliminary blueprint, highlighting 10 key takeaways that general counsels should note to introduce and understand the EU AI Act. This is by no means exhaustive and these 10 takeaways will provide an introduction to the EU AI Act, with further in-depth articles to follow that will delve into specific topics and obligations.
If you think that this may not concern you because you do not operate within the EU, you may want to continue reading, considering that the extraterritorial scope of the EU AI Act is extremely broad. Even if your company is located outside the EU, it may be affected as well, as long as you are operating within the AI value chain. Hence, we trust that this article will be particularly beneficial in helping general counsels better understand (i) what the EU AI Act is about, (ii) what it intends to achieve, and (iii) who should be paying attention to this legislation.
Key Takeaway 1: What is the EU AI Act About?
One of the most frequently asked questions is, "What is the EU AI Act all about?" This is an essential question, as it sets the stage for a comprehensive understanding of the EU AI Act's regulatory scope.
The EU AI Act addresses a wide range of issues, from clearly defining "AI systems" and "general-purpose AI models" to laying down its extraterritorial application, prohibited AI practices, and the classification of high-risk AI systems along with the associated requirements. The EU AI Act also outlines the obligations of providers, importers, distributors, and deployers of high-risk AI systems; transparency obligations for AI system providers and deployers; obligations for providers of general-purpose AI models; obligations of providers of general-purpose AI models with systemic risk; AI regulatory sandboxes; and penalties for non-compliance.
In essence, the EU AI Act establishes a comprehensive framework for the development, import, distribution, and deployment of AI systems within the EU. Given the extensive scope it covers, as long as you are playing a role in the AI value chain within the EU market, you will likely be governed by this EU AI Act.
Key Takeaway 2: Who Does the EU AI Act Apply To?
This leads directly to the second key question: “Who exactly does the EU AI Act apply to?” The scope of this legislation is broad, with extraterritorial effects that extend its reach far beyond the borders of the EU. The EU AI Act applies to seven broad key categories of stakeholders:
1. Providers of AI systems or general-purpose AI models in the EU, regardless of whether they are established or located within the Union or in a third country.
2. Deployers of AI systems with a place of establishment or location within the Union.
3. Providers and deployers of AI systems based in third countries where the AI system's output is used within the Union.
4. Importers and distributors of AI systems.
5. Product manufacturers placing on the market or putting into service an AI system together with their product under their own name or trademark.
6. Authorized representatives of providers not established in the Union.
7. Affected persons located in the Union.
In summary, the EU AI Act generally applies to anyone involved in the development, use, import, or distribution of AI systems in the EU, regardless of where they are based. It even extends to providers and deployers of AI systems that are based outside the EU if the output of the AI system is used within the Union. So, if one is providing AI systems, whether inside or outside the EU, and the AI system's output is used in the EU, it will be caught by the EU AI Act.
There are specific exclusions to the scope of the EU AI Act, such as AI systems used for military, defence, national security purposes, or personal non-professional use of AI systems, which we will cover more extensively in a subsequent article.
Key Takeaway 3: The Current Status of the EU AI Act and Its Implementation Stages
The EU AI Act was officially published on 12 July 2024, and while it came into force on 1 August 2024, it is important to note that its implementation will only happen gradually, extending over several years.
As of the time of writing this article in August 2024, none of the EU AI Act's requirements and obligations are immediately applicable. The first significant date for all general counsels to take note of is 2 February 2025, when Chapters I and II of the EU AI Act, primarily concerning prohibited AI practices, will take effect.
This phased implementation of the EU AI Act is beneficial, given the extensive compliance requirements, and it gives companies enough time to prepare and adapt to the new regulations. That being said, it is essential for general counsels to get ready for the first stage, particularly with regard to prohibited AI practices, which will be further explained below.
Key Takeaway 4: Definitions of "AI System" and "General-Purpose AI Model"
To fully understand and appreciate the EU AI Act, it is crucial to first comprehend the definitions of "AI system" and "general-purpose AI model," as each comes with distinct requirements and obligations.
• AI System: This is generally defined as a machine-based system designed to operate with varying levels of autonomy. An AI system may adapt after deployment using the information it receives to create outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. The key factor here is the system's autonomy and its capacity to influence physical or virtual environments.
• General-Purpose AI Model: This refers to an AI model, trained with large datasets, that exhibits significant generality and can perform a wide range of distinct tasks. These models can be integrated into various downstream systems or applications. However, it is important to note that AI models used solely for research, development, or prototyping before market placement are excluded from this definition.
From the reading of the EU AI Act, the key difference between an “AI System” and a “General-Purpose AI Model” lies in the use case of the system and its capabilities. For an AI system, a key characteristic is its ability to infer, that is, to derive from inputs or data outputs such as predictions, content, recommendations, or decisions that can influence physical and virtual environments. In contrast, general-purpose AI models are typically trained on large amounts of data, and while AI models are essential components of AI systems, they do not constitute AI systems on their own. AI models require the addition of further components, such as a user interface, to become AI systems.
It is crucial to understand the difference between an AI system and a general-purpose AI model, as different requirements and obligations will apply accordingly.
Key Takeaway 5: Prohibited AI Practices
The fifth key takeaway concerns prohibited AI practices, which will be enforced starting 2 February 2025. The EU AI Act outlines a list of AI practices that are strictly prohibited, with limited exceptions. These prohibited AI practices generally include:
1. AI systems that manipulate individuals' decisions;
2. AI systems that exploit people's vulnerabilities due to their age, disability, or specific social or economic situation;
3. AI systems that evaluate or classify people based on their social behavior or personal traits;
4. AI systems that predict a person's risk of committing a crime;
5. AI systems that scrape facial images from the internet or CCTV footage;
6. AI systems that infer emotions in the workplace or educational institutions;
7. AI systems that categorize people based on their biometric data.
A subsequent article will be published to provide further details on the AI practices that are prohibited and the exceptions. Given that this is the first set of regulations to be implemented under the EU AI Act, general counsels are advised to pay immediate attention to this particular part.
Key Takeaway 6: Understanding High-Risk AI Systems
One of the most critical aspects of the EU AI Act is the classification of high-risk AI systems. Under the EU AI Act, an AI system is considered high-risk if it is intended to be used as a safety component of a product, or if the AI system itself constitutes a product that falls under an extensive list of EU legislation covering diverse areas, including, but not limited to, machinery, toy safety, recreational watercraft, equipment for potentially explosive atmospheres, radio equipment, pressure equipment, cableway installations, and personal protective equipment.
Additionally, the EU AI Act classifies AI systems with particular use cases outlined in Annex III of the Act as high-risk. These use cases include biometrics, critical infrastructure, education and vocational training, employment, and access to essential private and public services.
A subsequent article will discuss in more detail the specific use cases that are considered high-risk AI systems and their exceptions. For now, it is important to note that, besides ensuring that one does not engage in prohibited AI practices, general counsels should examine whether the AI system falls within the high-risk category, as specific compliance requirements and obligations for high-risk AI systems must be adhered to, which will be further explained below.
Key Takeaway 7: Compliance Requirements for High-Risk AI Systems
Once an AI system is classified as high-risk, it must comply with a comprehensive list of requirements under the EU AI Act. These include:
1. Risk Management System: A risk management system must be established, implemented, documented, and maintained as a continuous, iterative process throughout the entire lifecycle of the high-risk AI system.
2. Data and Data Governance: Training, validation, and testing datasets must be subject to data governance and management practices appropriate for the intended purpose of the high-risk AI system.
3. Technical Documentation: The technical documentation of a high-risk AI system must be prepared before the system is placed on the market or put into service and must be kept up-to-date. This documentation should demonstrate the system’s compliance with the necessary requirements.
4. Record-Keeping: High-risk AI systems must technically allow for the automatic recording of events (logs) throughout the system's lifetime.
5. Transparency and Information Provision: High-risk AI systems must be designed and developed to ensure sufficient transparency, enabling deployers to interpret the system's output and use it appropriately. Providers must also supply clear instructions, including information about the provider, the system’s capabilities and limitations, and any potential risks.
6. Human Oversight: High-risk AI systems must be designed to allow effective human oversight, ensuring that humans can intervene if necessary.
7. Accuracy, Robustness, and Cybersecurity: High-risk AI systems must achieve and maintain an appropriate level of accuracy, robustness, and cybersecurity throughout their lifecycle.
Key Takeaway 8: Obligations for Different Operators of High-Risk AI Systems
The EU AI Act also outlines a comprehensive set of obligations for various operators across the AI value chain concerning high-risk AI systems. These obligations encompass the responsibilities of providers, authorized representatives, importers, distributors, and deployers of high-risk AI systems.
The specific obligations vary depending on the operator's role. For instance, deployers of high-risk AI systems must ensure human oversight by appointing individuals with the necessary competence, training, authority, and support. On the other hand, importers are required to verify that the high-risk AI system complies with the Act before it is placed on the market.
A subsequent article will lay out the specific obligations for different operators. For now, it is crucial for companies to first understand the role they play, as each role carries distinct legal obligations. Whether a company acts as a provider, authorized representative, importer, distributor, or deployer of high-risk AI systems, it must adhere to the relevant obligation requirements set out by the EU AI Act.
Key Takeaway 9: General-Purpose AI Models and Systemic Risk
Besides prohibited AI practices and high-risk AI systems, another key aspect of the EU AI Act is its focus on general-purpose AI models, particularly those classified as having "systemic risk."
As previously mentioned, a general-purpose AI model is defined as one that exhibits generality and can competently perform a wide range of distinct tasks, regardless of how it is marketed. These models can be integrated into various downstream systems or applications.
The EU AI Act also introduces the concept of general-purpose AI models with systemic risk. Systemic risk refers to the potential for these AI models to cause actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or society as a whole.
It is essential for companies to understand the distinction between general-purpose AI models and those with systemic risk, as the obligations for providers of general-purpose AI models differ from those for providers of general-purpose AI models with systemic risk.
Key Takeaway 10: Transparency Obligations for Providers and Deployers
The final key takeaway from the EU AI Act pertains to the transparency obligations imposed on both providers and deployers of AI systems.
Certain AI systems intended to interact with natural persons or generate content may pose specific risks of impersonation or deception, regardless of whether they are classified as high-risk. Therefore, the use of these AI systems should be subject to specific transparency obligations, without prejudice to the requirements and obligations for high-risk AI systems, and subject to targeted exceptions to accommodate the special needs of law enforcement.
For instance, the EU AI Act mandates that providers ensure AI systems intended to interact directly with natural persons are designed and developed to clearly inform individuals that they are engaging with an AI system. This requirement is waived only when it is obvious to a reasonably well-informed, observant, and circumspect individual, given the circumstances and context of use. Deployers also have transparency obligations, such as disclosing when AI systems generate or manipulate image, audio, or video content that constitutes a deep fake.
Conclusion
This article is not intended to be an exhaustive exploration of the entire EU AI Act but rather a preliminary introduction to its key aspects and implications for the AI value chain and all stakeholders involved. Future articles will explore specific topics within the Act in greater detail, providing more comprehensive insights into its requirements and impacts.
For now, general counsels should begin familiarizing themselves with these initial takeaways to better prepare for the challenges and obligations the EU AI Act introduces.
This article provides a foundational overview of the EU AI Act and its implications. For a deeper understanding tailored to your specific needs, or to ensure compliance with the Act’s complex requirements, our Technology Practice Group is here to assist. Our team of experts is well-versed in the intricacies of the EU AI Act and is prepared to offer tailored legal advice and training to support your organization. We invite you to reach out to us to discuss how we can collaborate to navigate the regulatory landscape effectively and ensure your compliance with this significant legislation.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications ("TMT"), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications ("TMT"), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
Nicole Shieh E-Lyn
Associate
Technology, Media & Telecommunications ("TMT"), TMT Disputes
nicole.shieh@hhq.com.my
More of our Tech articles that you should read:
• Handling Requests from Data Subjects: Practical Guide for Data Protection Officers
• Exploring Bitcoin Halving and its Significance
• Compliance Update: 10 Key Takeaways from Malaysia’s New Regulatory Framework for Internet Messaging and Social Media Services
20 August 2024
Handling Requests from Data Subjects: Practical Guide for Data Protection Officers
It is a very common misconception among data users that compliance with the Personal Data Protection Act 2010 (the “PDPA 2010”) ends upon providing data subjects with a copy of the data users’ personal data protection notice and having received express consents from data subjects for the processing of their personal data. Data users often overlook the fact that the PDPA 2010 also provides for certain rights of data subjects vis-à-vis their personal data that is being processed by the data users, which include rights to access or correct personal data, rights to limit the processing of their personal data, etc. When faced with a request from data subjects in relation to the processing of their personal data, data users who do not have an adequate protocol or internal policy for dealing with such requests might find themselves unable to respond to the request appropriately, which may result in a breach of the PDPA 2010.
In this article, we are going to provide a quick step-by-step guide to assist data users with the handling of requests from data subjects to ensure compliance with statutory requirements under the PDPA 2010.
1. Assessing the Type of Request
It goes without saying that the first thing to do for a data user upon receiving a request from data subjects is to ascertain the nature of the request. Under the PDPA, data subjects have certain statutory rights to request (i) access to their personal data that is being processed by the data user; (ii) correction of their personal data; (iii) withdrawal of their consent to the processing of their personal data; and (iv) cessation of processing of their personal data for direct marketing purposes. With the recent introduction of the Personal Data Protection (Amendment) Bill 2024, data subjects may have an additional statutory right to request for the porting of their personal data from one data user to another data user.
Depending on the type of request submitted by a data subject, how the data user should respond to the request would also differ.
2. Assessing the Sufficiency of the Request
Upon receiving a request from data subjects, data users generally have twenty-one (21) days under the PDPA 2010 to respond to the same. That said, the ability of a data user to respond to a request from a data subject in some instances also depends on whether the data subject has provided the data user with the information that may be required.
Some examples of the circumstances where data users may have difficulty in complying with a data subject request are:
(i) where the data subject has not provided sufficient information to identify himself or herself;
(ii) where the data subject has not provided information required by the data user to locate the relevant personal data;
(iii) where the data user is not satisfied that the personal data in its possession is inaccurate, incomplete, misleading or not up-to-date; or
(iv) where the request is in relation to the porting of personal data, there is an incompatibility or technical infeasibility in the data format used by the porting data user and the receiving data user.
Where such an impediment exists, the data user should communicate with the data subject to request the necessary information to enable the data user to comply with the request.
The above stated circumstances do not apply, however, where the requests from data subjects relate to the withdrawal of consent for personal data processing or to limiting the processing of personal data for certain specific purposes.
3. Complying with the Request
Upon complying with the request, any changes to the personal data in the data users’ possession should be logged accordingly to record the changes. Data users should also confirm the compliance with the request from data subjects by communicating the actions taken to the data subjects.
4. Establish Protocols on Data Subject Requests
Given the fixed timeline to comply with or respond to a data subject request under the PDPA 2010, it is fundamental that data users establish a clear protocol internally to deal with or handle data subject requests. This is to ensure that appropriate attention is given to the data subject requests and that appropriate measures can be taken to respond to each and every request.
Such a personal data request handling protocol should document the internal process for managing and dealing with personal data requests, the measures or mechanisms in place to process such requests, the manner of implementing the consequences of complying with a request, etc.
Handling personal data requests is no small feat, especially for a company that handles a large amount of personal data processing. A small slip-up in responding to a personal data request may translate to a financial penalty and/or imprisonment. Companies and data protection officers should take this task seriously to ensure compliance with the requirements of the PDPA 2010 at all times.
If your organisation needs help with crafting a protocol for the handling of personal data requests from data subjects, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology & Corporate Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology & Corporate Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
More of our Tech articles that you should read:
• Consent or Pay: The Controversial Business Model Every General Counsel Must Understand
• AI Deepfake Technology: Understanding Its Business Use Case, Legal Considerations, and Best Practices in Modern Marketing
• Choosing Between Open Source and Closed Source AI: Considerations for Companies Looking to Onboard AI
15 August 2024
Case Update: Can a Non-Paying Party Be Wound Up Pursuant to an Adjudication Decision Under CIPAA 2012?
The recent Court of Appeal case of Bludream City Development Sdn Bhd (“Bludream”) v Pembinaan Bina Bumi Sdn Bhd (“PBB”) [2024] 4 MLJ 67 held that the court has jurisdiction and power to wind up a company for failure to comply with an adjudication decision.
The Facts
Adjudication Decision and Enforcement Order
On 4.2.2020, PBB obtained an adjudication decision against Bludream for the sum of RM5,510,197.91, together with interests and costs.
Subsequently, PBB applied to the High Court under Section 28 CIPAA 2012 (“CIPAA”), and obtained an Order dated 11.8.2020 to enforce the adjudication decision as if it were a judgment or order of the High Court (“HC Enforcement Order”). The HC Enforcement Order was affirmed by the Court of Appeal on 19.5.2024 (“COA Enforcement Order”).
Bludream’s application for leave to appeal against the COA Enforcement Order to the Federal Court was dismissed on 20.10.2022.
Winding Up Proceedings
Armed with the HC Enforcement Order, on 24.8.2021, PBB served a statutory notice pursuant to sections 465(1)(e) and 466(1)(a) of the Companies Act 2016 (“Statutory Notice”) demanding payment of the sum of RM6,175,669.10 premised on the HC Enforcement Order.
Due to non-payment of the debt pursuant to the Statutory Notice, PBB commenced winding up proceedings at the High Court against Bludream, and obtained a Winding Up Order on 21.10.2022 (“Winding Up Order”).
On 15.11.2022, Bludream filed an appeal to the Court of Appeal against the Winding Up Order.
Findings of the Court of Appeal
In support of its appeal against the Winding Up Order, Bludream argued that a party cannot rely on an enforced adjudication decision to commence winding up proceedings based on, amongst others, the following grounds:
(a) There is no express provision provided in the CIPAA for the winning party to wind up the losing party premised on an adjudication decision.
(b) There are bona fide disputes against the debt. The adjudicated dispute has been referred for final determination to arbitration / court.
(c) Since an adjudication decision is only of temporary finality, the right to wind up a company based on an adjudication decision is contrary to the legislative intent of the CIPAA. Otherwise, the company would be wound up based on an adjudication decision that has permanency from which the company cannot recover.
On 6.3.2024, the Court of Appeal dismissed Bludream’s appeal against the Winding Up Order, and held, amongst others, as follows:
(a) The court had jurisdiction and power to wind up Bludream for failure to pay the amount adjudicated under the adjudication decision. Pursuant to Section 31(2) CIPAA, “The remedies provided by this Act are without prejudice to other rights and remedies available in the construction contract or any written law, including any penalty provided under any written law.” As such, although not expressly provided for under CIPAA, the remedy under Sections 465 and 466 of the Companies Act 2016 is available to PBB.
(b) It is immaterial that the adjudicated dispute is pending final determination in arbitration proceedings. Disputability of a debt had to be seen in its proper context. As the disputed debt has been independently adjudicated by a neutral third party, the debt would cease to be disputable in an ensuing winding up proceeding. It should not be open for Bludream to again dispute the debt when the sanctity of the adjudication decision has been preserved by subsequent court orders pursuant to Section 28 of the CIPAA.
(c) Although the court was mindful that winding up was a draconian procedure which might irreparably damage business and reputation, it had to heed the legislative objective of the CIPAA to alleviate the financial woes prevalent in the Malaysian construction industry.
On 22.7.2024, the Federal Court dismissed Bludream’s application for leave to appeal to the Federal Court against the Winding Up Order.
KEY TAKEAWAYS
This Court of Appeal decision makes it clear that, once an adjudication decision has been delivered and remains binding pursuant to Section 13 CIPAA, the winning party is entitled to commence winding up proceedings against the non-paying party if the latter fails to comply with the adjudication decision. This is so even though the disputes between the parties are still subject to final determination in litigation / arbitration.
This Court of Appeal’s decision also serves as a reminder to the stakeholders in the construction industry that the very purpose of CIPAA is to offer the parties a mechanism of “pay now, talk later”, and non-compliance with an adjudication decision may lead to the non-paying party being wound up by the courts, upon a presentation of a winding up petition by the winning party in the adjudication proceeding.
In light of the recent dismissal of Bludream’s leave application, this Court of Appeal’s decision remains a binding judicial precedent on this issue, until and unless there is a further development in law in the future.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Author
Lim Ren Wei
Associate
Dispute Resolution
Harold & Lam Partnership
renwei@hlplawyers.com
More of our articles that you should read:
• (Section 35 of CIPAA 2012) Overview of Authorities on Conditional Payment
• Enforcement of Companies (Amendment) Act 2024
• Applicability of CIPAA After the Commencement of Arbitration
15 August 2024
Is It True That Only Leasehold Properties Would Require State Authority’s Consent?
A common misconception is that only leasehold properties are required to obtain State Authority’s consent when one acquires an immovable property. While it is certain that leasehold properties usually require approval from the State Authority, there are freehold lands that may have express restrictions in interest that require the State Authority’s consent too. In such circumstances, the State Authority may impose such restrictions in interest upon alienation of land as discussed in the case of Tanasekharan a/l Autherapady & Anor v Pengarah Tanah dan Galian Negeri Perak & Ors [2024] MLJU 865.
Brief facts
The Applicants entered into a sale and purchase agreement with a property owner in Perak. Although the property was freehold land, there was an undisputed restriction in interest on the property stating that the property could not be transferred or leased out without the approval of the Menteri Besar. The owner of the property applied for the Menteri Besar’s approval to transfer the ownership of the property to the Applicants. However, the application was rejected without any reasons being given for the decision. The Applicants therefore filed an application for judicial review to quash the decision of the Menteri Besar, mainly on the ground that there is no restriction on the sale of freehold land and that the property was not Malay Reserve land.
The Court dismissed the application for judicial review on the following grounds:
1) The Applicants were fully aware of the restriction on the property and yet still proceeded with the transaction before any response or approval was obtained. The document of title expressly stated “Tanah ini tidak boleh dipindah milik atau dipajak tanpa kebenaran Menteri Besar” (“This land may not be transferred or leased without the approval of the Menteri Besar”), which required the prior written approval of the Menteri Besar before any transfer or lease could be made. The Applicants had full knowledge of this restriction, since an application for consent was submitted and was still pending even after the agreement was concluded.
2) The Menteri Besar had acted under its prerogative powers in approving or rejecting the consent application. The Court went on to consider the issue of the duty to give reasons and assessed several approaches. Here, the Court stated that granting the approval is within the State Authority’s prerogative power and that it has no duty to give reasons for rejecting the Applicants’ application, as it was not required to do so under any laws.
3) Section 120 of the National Land Code mentioned clearly that the State Authority may impose the express conditions and restrictions in interest upon alienation of land, which shall be determined at the time when the land is approved for alienation.
To conclude, when express conditions and restrictions in interest are stated clearly on a document of title, written consent from the State Authority to transfer or lease out the property is mandatory regardless of whether the property is freehold or leasehold. Pursuant to section 120 of the National Land Code, the State Authority may alienate land subject to its express conditions and restrictions in interest. Failure to obtain such approval may result in non-registration of title for the property.
About the author
Ainie Ajiera binti Rosman
Associate
Real Estate
Halim Hong & Quek
ainie@hhq.com.my
More of our articles that you should read:
• Private Hospitals to pay for their Doctor’s Negligence
• Constructive Dismissal: The Applicable Test – “Contract Test” vs The “Reasonableness Test”
• Payment for Exemption from Building Low-Cost Housing is NOT Tax-Deductible
13 August 2024
Consent or Pay: The Controversial Business Model Every General Counsel Must Understand
In recent years, the "Consent or Pay" business model has garnered increasing attention among companies operating online platforms. If your organisation is contemplating the adoption of this model, this article serves as an essential guide.
The "Consent or Pay" model, while relatively novel, has sparked considerable debate, particularly concerning its legal viability and the ethical considerations it entails. This article will explore the key dimensions of this model, offering 3 critical insights for companies evaluating its implementation on their digital platforms.
Understanding the "Consent or Pay" Model
At its core, the “Consent or Pay” model presents users with two distinct choices when accessing online services:
1. Payment Option: Users can pay a fee to access the platform’s services or content without their personal data being collected, shared, or used for any marketing or profiling purposes. This option typically appeals to privacy-conscious users who prefer not to exchange personal data for free access.
2. Consent Option: Alternatively, users can consent to the collection, processing, and use of their personal data, often in return for free access to services or content. In this scenario, the data collected may be used for targeted advertising, personalised content, or other commercial purposes.
This model effectively creates a trade-off between privacy and cost, introducing a new dynamic in the relationship between service providers and users.
Key Concerns with the "Consent or Pay" Model
The "Consent or Pay" model has sparked significant debate, particularly around the implications of monetising personal data. By positioning personal data as a form of currency, this model underscores the notion that privacy is something to be traded or bought. This raises several ethical and legal concerns:
• Monetisation of Personal Data: The model makes the monetisation of personal data more explicit than ever before. It signals to users that if they choose not to pay, their data will be collected and potentially sold or used for profit. This creates a dynamic where personal data becomes a commodity, raising questions about the true cost of "free" services.
• Impact on Lower-Income Users: One of the most pressing concerns is the potential for this model to disproportionately impact lower-income users. Those who cannot afford to pay may feel pressured to consent to data collection, compromising their privacy. This could lead to a digital divide, where privacy becomes a luxury only available to those who can afford it, exacerbating social inequalities.
• User Autonomy and Informed Consent: There is also the question of whether users can truly give informed and voluntary consent under this model. When the alternative is a potentially high fee, users may feel they have no real choice but to consent, calling into question the validity of such consent.
Global Legal Perspectives: The EDPB Opinion
The legality of the "Consent or Pay" model is still being tested across various jurisdictions. In April 2024, the European Data Protection Board (“EDPB”) issued an Opinion specifically addressing this model, particularly concerning large online platforms. Although the EDPB did not define what constitutes a "large online platform," the Opinion provides critical guidance:
• Permissibility with Conditions: The EDPB confirmed that the "Consent or Pay" model is permissible under the General Data Protection Regulation (“GDPR”), but with stringent conditions. The consent obtained must meet the high standards set by GDPR—being freely given, specific, informed, and unambiguous.
• GDPR Compliance: Beyond consent, the implementation of this model must align with all relevant GDPR principles, including transparency, data minimisation, and purpose limitation. Companies must ensure that users understand what they are consenting to and that their data is handled in accordance with GDPR’s stringent requirements.
• Equivalence and Genuine Choice: Importantly, the EDPB emphasised that a pure "Consent or Pay" model should not be the default way forward. Users must have an equivalent alternative that does not require payment. This means that any fee charged should not coerce users into consenting; there must be a genuine, free choice available to them.
Implications for Malaysia: PDPA 2010 and Upcoming Personal Data Protection (Amendment) Bill 2024
In Malaysia, the "Consent or Pay" business model remains largely uncharted under the Personal Data Protection Act 2010 (“PDPA 2010”) and the forthcoming Personal Data Protection (Amendment) Bill 2024. However, as global trends influence local practices, companies in Malaysia should consider the following key points:
1. Legality and Feasibility in Malaysia: The "Consent or Pay" model is not explicitly prohibited under Malaysian law. Companies operating in Malaysia can explore this model, but they must do so with careful consideration of the legal landscape and potential regulatory scrutiny.
2. Adherence to PDPA 2010 Principles: Any collection of personal data under this model must comply with the seven core data protection principles outlined in the PDPA 2010. These include the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle. Compliance with these principles is non-negotiable and critical to the lawful implementation of the model.
3. Transparency and Fairness in Pricing: If the "Pay" option is chosen, transparency in pricing is essential. The fees must be reasonable and should not unduly burden lower-income users. High prices should not be used as a tool to coerce consent, as this would undermine the concept of voluntary and informed consent. Companies should strive for a balanced approach, potentially offering alternatives beyond a strict "Consent or Pay" model, to ensure fairness and avoid regulatory challenges.
Conclusion
The "Consent or Pay" model represents a significant shift in how companies interact with users and manage data. While it offers potential benefits in terms of monetisation and user engagement, it also introduces complex legal and ethical challenges. As your company considers this model, it is essential to stay informed about the evolving legal landscape, both globally and locally. By adhering to best practices and ensuring compliance with relevant data protection laws, your company can navigate the "Consent or Pay" model successfully while minimising legal risks and safeguarding user trust.
If your organisation is considering implementing the "Consent or Pay" model or you have any questions regarding its legal and ethical implications, our team of experienced lawyers is here to assist. Don't hesitate to reach out to us for tailored advice and comprehensive support in navigating this complex landscape. We are committed to helping you make informed decisions that align with both legal requirements and your business objectives.
About the authors
Ong Johnson
Partner
Head of Technology & Corporate Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology & Corporate Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Nicole Shieh E-Lyn
Associate
Technology & Corporate Practice Group
Technology, Media & Telecommunications, Transactions and Dispute Resolution, Fintech, Privacy and Cybersecurity
nicole.shieh@hhq.com.my
More of our Tech articles that you should read:
• Compliance Update: 10 Key Takeaways from Malaysia’s New Regulatory Framework for Internet Messaging and Social Media Services
• The Hidden Perils of Software Subscriptions: Are High Early Termination Fees a TMT Litigation Time Bomb?
• Navigating Competition Law in the Expanding Technology Industry: A Focus on Hardcore Horizontal Restrictions
6 August 2024
Can a Fixed Term Contract Employee Be Deemed as a Permanent Employee?
Case summary of Muhammad Fawaid Daud v Airod Sdn Bhd [2024] MELRU 836
The dispute between the parties here is on whether Muhamad Fawaid Bin Daud (“Claimant”)’s contracts of employment were genuine fixed term contracts or otherwise.
The Claimant was awarded RM1.1 million for unfair dismissal. The Industrial Court ruled that the Claimant, who had been issued annual fixed-term contracts for 20 years, was a permanent employee of Airod Sdn Bhd (“Company”) and was unfairly dismissed. This decision highlighted the company's practice of issuing fixed-term contracts and the associated legal implications.
INTRODUCTION
By an employment contract dated 1.8.1988, the Claimant was employed by the Company as an engineer with a starting salary of RM1,300.00 per month. The Claimant continued in his employment with the Company as a permanent employee and on 1.1.2000, the Company converted the Claimant's permanent employment to a fixed term contract of employment for 1 year as the Company's general manager. Thereafter the Company continued placing the Claimant under fixed term contracts for 20 years without any break in the Claimant's employment with the Company. The Claimant enjoyed automatic renewal of his employment contracts without the Claimant making any application for such renewals.
The Claimant's last held position in the Company was Senior General Manager and his last drawn salary was RM20,307.00 per month. After 32 years of service with the Company, on 21.12.2020, the Company issued a letter to the Claimant informing him that his last fixed term contract of employment, which commenced on 20.1.2020, would come to an end on 31.12.2020, and that this would be the last date of the Claimant's service with the Company.
The Claimant states that the expiry of the Claimant's last fixed term contract leading to his loss of employment in the Company amounted to a dismissal from his employment in the Company. The Claimant asserts that all the fixed term contracts of employment offered to the Claimant since 1.1.2000 were not genuine fixed term contracts but were a permanent contract of employment disguised as fixed term contracts. The Claimant states that he was at all material times a permanent employee of the Company. The Claimant now states that he was dismissed from his employment without just cause or excuse and prays that he be reinstated to his former position in the Company without any loss of wages and other benefits.
The Company however maintains that the Claimant's continuous contracts of employment which commenced from the period 1.1.2000 were genuine fixed term contracts of employment and the last genuine fixed term contract of employment had come to an end through an effluxion of time on 31.12.2020. The Company states that the Claimant's employment with the Company effective 1.1.2000 was categorised as managerial level which comes with lucrative salary scheme with additional perks which were not enjoyed by permanent employees of the Company. It is the Company's policy that all employees of the Company under managerial level will be offered fixed term contracts of employment only. The Company states that when the Claimant's permanent contract of employment was converted to fixed term contracts on 1.1.2000 with a senior position in the Company, the Claimant knew that he was voluntarily accepting that genuine fixed term contract and since 1.1.2000, all his fixed term contracts of employment were genuine fixed term contracts which the Claimant signified acceptance without any protest. The Company denies dismissing the Claimant from his employment with the Company.
INDUSTRIAL COURT’S FINDINGS
The Court held that the Claimant was a permanent employee of the Company and that all the fixed term contracts of employment given to the Claimant by the Company for a period of 20 years consecutively, without any break and by way of automatic renewal, were not genuine fixed term contracts of employment but were in fact a permanent contract of employment disguised as fixed term contracts. Such an arrangement can create a legitimate expectation of permanent employment on the part of the Claimant. The Company’s attempt to use fixed term contracts to circumvent such legitimate expectation amounts to an unfair labour practice.
CONCLUSION
This does not mean that a company cannot have fixed term contract employees. There are many genuine reasons to do so (e.g. post-retirement roles, seasonal jobs to complete a specific project, maternity cover). However, a company cannot use a fixed term contract, no matter how cleverly it is drafted, to disguise what is essentially permanent employment.
While fixed term contracts may seem like a “safe bet,” acting inconsistently with a fixed term contract has repercussions. The company's conduct throughout the employee’s employment is as important as the contract terms, when it comes to unfair dismissal complaints.
About the author
Tey Siaw Ling
Senior Associate
Employment and Industrial Relations, Alternative Dispute Resolution
Harold & Lam Partnership
siawling@hlplawyers.com
More of our articles that you should read:
• High Court clarifies Item 22(1) of the First Schedule of the Stamp Act 1949 and the Stamp Duty (Remission) (No. 2) Order 2012
• Applicability of CIPAA After the Commencement of Arbitration
• Medical Negligence Claims – What Can You Sue For?
2 August 2024
Compliance Update: 10 Key Takeaways from Malaysia's New Regulatory Framework for Internet Messaging and Social Media Services
On 29 July 2024, we published an article titled “Urgent Compliance Alert: Malaysia's New Regulatory Framework for Social Media Services and Internet Messaging Services” which highlighted that the Malaysian Communications and Multimedia Commission (“MCMC”) would introduce a new regulatory framework on 1 August 2024. This framework requires companies providing internet messaging services or social media services with at least eight million registered users in Malaysia to apply for an Applications Service Providers Class Licence under the Communications and Multimedia Act 1998.
On 1 August, the Regulatory Framework for Internet Messaging Service and Social Media Service Providers was officially introduced, along with the Communications and Multimedia (Licensing) (Exemption) (Amendment) Order 2024 and the Communications and Multimedia (Licensing) (Amendment) (No. 2) Regulations 2024. Rather than reproducing the entire framework, this article highlights the ten most crucial points that all general counsels from companies providing internet messaging services or social media services should note.
1. Status of the Regulatory Framework
The regulatory framework for internet messaging and social media services was gazetted on 1 August 2024 and will officially come into effect on 1 January 2025.
This provides companies with a clear timeline to ensure compliance with licensing requirements. With a five-month grace period before the enforcement date, companies should use this time effectively to meet the licensing requirements. This period should be adequate for preparing and addressing any necessary compliance measures, provided that efforts are well-coordinated and timely. It is crucial that companies begin their preparations promptly to avoid any last-minute issues and to ensure full compliance by the deadline.
2. Compulsory Licensing Requirement
With the enforcement of this framework, all internet messaging service providers or social media service providers with at least eight million registered users in Malaysia must apply for an Applications Service Provider Class Licence (“ASP (C) Licence”) under the Communications and Multimedia Act 1998 (Act 588). The framework explicitly applies only to internet messaging and social media service providers and will not affect end users.
3. Definitions of Internet Messaging Service and Social Media Service
The law currently defines "internet messaging service" as an applications service that utilizes internet access service enabling a user to communicate any form of message with another user. "Social media service" is defined as an applications service that utilizes internet access service enabling two or more users to create, upload, share, disseminate, or modify content.
Companies must evaluate their offerings to determine whether their products or services fall within these definitions. Given the evolving nature of technology, it is important for companies to continuously reassess their services to ensure they remain compliant with these definitions. Regular evaluations will help ensure that any changes in technology or service offerings are promptly addressed and that compliance is maintained.
4. Calculation of 8 Million Users
The MCMC will primarily use data from its official surveys, including MCMC’s Internet User Survey, to quantify the number of Malaysian users. It will also consider other publicly available and reliable data points.
Companies that fall within the definitions of social media services or internet messaging services must conduct their own assessments to determine whether their user base in Malaysia meets or exceeds the 8 million threshold. It is essential for these companies to regularly monitor and verify their user statistics to ensure compliance with this requirement.
5. Incorporation of Local Companies
A key requirement to apply for an ASP (C) Licence is the incorporation of a local company. However, the Minister has the discretion to allow a foreign company to be registered as a class licensee on a case-by-case basis. That said, it is important to emphasise that this decision is entirely at the Minister’s discretion. For foreign companies providing internet messaging services or social media services, it is advisable to incorporate a local company to obtain the ASP (C) Licence. This approach can help avoid unnecessary complications and ensure smoother compliance with licensing requirements.
6. Foreign Shareholding Requirement
A frequently asked question is whether there is a foreign shareholding restriction. Currently, there are no foreign shareholding restrictions for ASP (C) Licences. This absence of restrictions aligns with the 'light-handed' approach adopted to promote industry growth and development by facilitating easier market access.
7. Validity Period of the Licence
The validity period for the ASP (C) Licence is one year, with a yearly renewal requirement as long as the provider has eight million or more users in Malaysia.
With such an annual renewal process, companies are compelled to stay current with regulatory changes and evolving compliance best practices.
8. Consequences of Non-Compliance
Internet messaging and social media service providers have a grace period of five months, from 1 August 2024 to 1 January 2025, to apply for the ASP (C) Licence. Starting 1 January 2025, operating without a licence will result in penalties, including fines not exceeding RM500,000 or five years of imprisonment, or both. Service providers will also face an additional fine of RM1,000 for each day the offence continues after conviction.
The stringent penalties for non-compliance highlight the seriousness with which the MCMC views adherence to the new framework, and this serves as a stark reminder for organisations to prioritise compliance as a core component of their licensing strategies.
9. Activities During the Grace Period
Between 1 August 2024 and 1 January 2025, the MCMC will develop comprehensive outcome-based guidelines detailing the conduct requirements and key obligations for internet messaging and social media service providers. Proposed key conduct requirements include policies for user data protection, child safety measures, addressing online harm, content moderation, advertising transparency, complaint procedures, and measures to manage deepfakes and harmful AI-generated content.
10. Recommendations for General Counsels
To ensure compliance, general counsels should take the following steps:
Step 1: Assess and Confirm Service Applicability
Evaluate whether your company falls under the new definitions of social media services or internet messaging services. This assessment is critical to determine regulatory obligations and potential impacts on operations.
Step 2: User Base Evaluation and Documentation
Conduct a thorough evaluation and documentation of your user base in Malaysia. Confirm whether your platform surpasses the eight million user threshold which triggers the licensing requirement.
Step 3: Develop a Compliance Strategy
Given the tight compliance timeframe, initiate discussions with lawyers familiar with TMT law to apply for the ASP (C) Licence before the deadline of 1 January 2025. The MCMC has identified major providers like Facebook, Instagram, TikTok, WhatsApp, Telegram, WeChat, X, and YouTube as potentially falling under this framework, subject to having eight million or more users in Malaysia.
Conclusion
In conclusion, the introduction of Malaysia's new regulatory framework for internet messaging services and social media services marks a significant shift in the digital landscape. With mandatory licensing requirements, local incorporation expectations, and stringent penalties for non-compliance, the stakes are high for service providers operating in Malaysia. The five-month grace period offers a crucial window for companies to align their operations with these new regulations, and therefore, general counsels and compliance officers must act swiftly and decisively, leveraging this time to conduct thorough assessments, develop robust compliance strategies, and implement necessary changes.
Should you require assistance with obtaining the ASP (C) Licences, our team can help you navigate this regulatory environment with expert insight and strategic planning. We are well-versed in the nuances of Malaysian technology and communications law and can provide the guidance necessary to ensure your platform is fully compliant ahead of the deadline. We have an in-depth understanding of the technology regulatory requirements and are poised to assist in obtaining the requisite ASP (C) Licences.
For further information on how we can assist you in this transition, please contact us directly.
Note: On Monday, August 5, our Technology Practice Group Partners, Ong Johnson and Lo Khai Yi, were invited by Malaysia's No. 1 Business Radio Station, BFM 89.9, to shed light on the Regulatory Framework for Internet Messaging and Social Media Service Providers that is set to take effect on January 1, 2025.
About the authors
Ong Johnson
Partner
Head of Technology & Corporate Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology & Corporate Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Nicole Shieh E-Lyn
Associate
Technology & Corporate Practice Group
Technology, Media & Telecommunications, Transactions and Dispute Resolution, Fintech, Privacy and Cybersecurity
nicole.shieh@hhq.com.my
30 July 2024
Understanding the Role of Data Protection Officer Under the Personal Data Protection (Amendment) Bill 2024
Since the publication of the Personal Data Protection (Amendment) Bill 2024 (the “Bill”), we have received several enquiries concerning the role of a data protection officer (“DPO”) as mandated under the Bill. Many companies are now assessing the need to appoint a DPO within their organisations in anticipation of it being a requirement for them to do so once the Bill is passed and comes into force. Some chief compliance officers or chief risk officers are also concerned that they may be designated as the DPO of their respective companies, and are now looking to better understand the responsibilities of a DPO so that they can better prepare for the eventualities.
The DPO is not a new role created uniquely by the Bill. The EU’s General Data Protection Regulation (“GDPR”) has long since established the role of a DPO in an organisation. This article seeks to unravel the role of a DPO and provide some high-level guidance on the tasks and responsibilities of a DPO by drawing reference from the EU’s GDPR.
The responsibility of a DPO is first and foremost to ensure that the organisation complies with its statutory obligations under the Personal Data Protection Act 2010 (“PDPA”), be it as a data user (to be known as data controller once the Bill is passed) or a data processor. There are a few key aspects to the role of a DPO in order to discharge the responsibility fully:
1. Providing Training to the Organisation
Education is always the first step to compliance. For an organisation to adhere to the requirements of the PDPA, it will first have to understand comprehensively which obligations are applicable to it. A DPO is typically expected to have in-depth knowledge of personal data processing law and is thus the default internal consultant to advise key stakeholders on matters concerning personal data.
2. Formulation of Data Processing Policies
For companies that handle a vast amount of personal data, it is important to have in place data processing policies to ensure that best practices are observed and to minimise abuse of personal data by employees. A DPO is expected to formulate and craft the data processing policies of the organisation that he or she is attached to, and to spearhead the implementation of such policies. In order to perform this task properly, a DPO should be familiar with the data processing needs of his or her organisation so that the policies created can cater for all such needs.
3. Main Liaison with Data Subjects
The existing PDPA provides for certain rights of data subjects such as right to access personal data, right to request for correction of personal data or right to limit the processing of personal data. One of the key tasks of a DPO is also to act as the liaison between the organisation and the data subjects. The contact details of a DPO are normally included in the privacy policy or personal data protection notice of a data user or controller. In assisting the organisation to discharge its statutory obligations under the relevant data protection law, a DPO is expected to handle the requests put forth by data subjects and ensure that they are complied with or responded to appropriately by the organisation.
4. Liaison with Authorities
Apart from acting as the liaison with data subjects, a DPO also often doubles up as the liaison with authorities, particularly those that oversee or administer the data protection laws. In jurisdictions where data breach notification is mandated (Malaysia will be one if the Bill is passed), a DPO is also expected to communicate with the authorities in the event of a data breach and to assist the organisation to contain the effect of such breach.
More often than not, the role of a DPO is undertaken by the Chief Compliance Officer, Chief Risk Officer, Chief Legal Officer or the general counsel of an organisation. A DPO is rarely a dedicated role in an organisation unless the principal business of the organisation is to process personal data. As such, the person appointed as the DPO will normally be wearing more than one hat within the organisation. To ensure compliance with the applicable data protection law, a DPO can consider working with external legal counsels, especially when it comes to the provision of training to internal stakeholders and the formulation of data protection policies. Given that a DPO would have an absolute understanding of the organisation’s data processing needs, he or she will be in the best position to communicate such needs to external legal counsels, while the external legal counsels can then craft appropriate data processing policies on behalf of the organisation.
As the world pays more attention to individuals’ rights to the processing of their personal data, the role of a DPO is becoming ever more crucial in assisting data controllers and data processors to navigate the intricacies of data protection law. The job of a DPO should not be taken lightly, given that failure to discharge his or her duties may result in financial penalties to the companies under applicable data protection law, and potentially also attract personal liability to the DPO.
Should you have any questions concerning the obligations of a DPO under the Bill, or if you would like to find out more about the slated changes to the PDPA to be brought forth by the Bill, please do not hesitate to contact our professionals from the Technology & Corporate Practice Group who frequently advise on matters relating to compliance with the PDPA.
About the authors
Lo Khai Yi | Partner | Co-Head of Technology Practice Group | Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity | ky.lo@hhq.com.my
Ong Johnson | Partner | Head of Technology Practice Group | Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity | johnson.ong@hhq.com.my
29 July 2024
Urgent Compliance Alert: Malaysia's New Regulatory Framework for Social Media Services and Internet Messaging Services
Starting 1 August 2024, Malaysia is set to introduce a significant regulatory framework that will reshape the legal landscape for all companies providing social media and internet messaging services in the country. This article aims to outline the current status, highlight immediate actions for companies, and provide three key takeaways for general counsels, especially those from companies operating in Malaysia.
Why does this matter?
Historically, platforms offering social media and internet messaging services have been exempt from specific licensing requirements. However, to create a safer online ecosystem and combat the rise of cybercrime, scams, online fraud, sexual crimes against children, and cyberbullying, the Malaysian Communications and Multimedia Commission (MCMC) will introduce a new regulatory framework on 1 August 2024. This framework mandates that companies providing these services with at least 8 million registered users in Malaysia must apply for a Class License for Application Service Providers under the Communications and Multimedia Act 1998.
The regulatory framework is set for introduction on 1 August 2024, with enforcement commencing on 1 January 2025. This provides a narrow window of not more than six months for companies to comply and apply for the Class License. Most crucially, failure to obtain the appropriate license by 1 January 2025 will be considered an offense, subjecting companies to potential legal action. The full details of the requirements will likely be released alongside the introduction of the regulatory framework on 1 August 2024.
The message is clear: for platforms operating social media and internet messaging services with at least 8 million registered users in Malaysia, compliance is mandatory, not optional. The timeframe for compliance is tight, so companies must act quickly.
Here are three key takeaways for general counsels while awaiting the regulatory framework:
3 Key Takeaways for General Counsels
1. Evaluate the Business Nature of Your Company:
Start by assessing whether your company provides social media services or internet messaging services within Malaysia. If the answer is yes, it’s time to sit up and take notice, as this new licensing requirement could have significant implications for your operations based on your user base in Malaysia. Given the definition of “messaging service” under existing regulation, “internet messaging service” is likely to cover any application service that involves the storage or forwarding of messages in multimedia form through internet services and/or applications. Unlike “messaging service”, “social media service” is not currently defined under existing regulation. It should, however, cover any online platform where users can interact with one another, whether through sharing user-generated content or leaving comments on others’ content.
2. Evaluate and Audit User Base:
Once it is confirmed that your company offers these services, conduct an internal evaluation and audit of your registered users in Malaysia. If your platform has over eight million users, it meets the threshold for the new regulatory framework, indicating that you must prepare to apply for the Class License.
3. Act Within a Tight Timeframe:
If you confirm that your company’s platform hosts more than 8 million registered users in Malaysia, the time to act is now. With the framework being introduced on 1 August 2024 and enforcement beginning on 1 January 2025, general counsels are advised to promptly engage with external legal counsels who specialize in TMT and licensing requirements to strategize compliance and avoid potential legal pitfalls.
Conclusion
This regulatory shift may have caught many by surprise, but the reality is clear: The clock is ticking, and there is absolutely no time to waste.
Should you require assistance with obtaining the Class License, our team can help you navigate this regulatory environment with expert insight and strategic planning. We are well-versed in the nuances of Malaysian technology and communications law and can provide the guidance necessary to ensure your platform is fully compliant ahead of the deadline. We have an in-depth understanding of the technology regulatory requirements and are poised to assist in obtaining the requisite Class Licenses.
For further information on how we can assist you in this transition, please contact us directly.
About the authors
Ong Johnson | Partner | Head of Technology Practice Group | Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity | johnson.ong@hhq.com.my
Lo Khai Yi | Partner | Co-Head of Technology Practice Group | Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity | ky.lo@hhq.com.my
23 July 2024
Navigating Cyber Security and Data Breaches – Handling Breach Notifications
By now, everybody would have heard of CrowdStrike and its software product, Falcon. The global technology outages that happened last Friday (19 July 2024) and were widely reported over the weekend dominated news reporting and technology publications. Essentially, CrowdStrike, a US-based cybersecurity firm, rolled out an update to its software, Falcon, a cyber security threat detection and automated protection tool, which caused Microsoft products installed with the updated version of Falcon to glitch and display the infamous “blue screen of death”. CrowdStrike has since clarified that the issue was not caused by a cyber-attack, but was purely due to the malfunctioning of the software triggered by the software update on Windows computers.
The CrowdStrike incident came at a time when companies in Malaysia are still trying to figure out the extent of their exposure and obligations under the recently gazetted Cyber Security Act 2024, as well as the recently announced proposed amendments to the Personal Data Protection Act 2010 (“PDP Amendments”). While the CrowdStrike incident was not caused by a cyber-attack, cybercriminals are reportedly trying to take advantage of this incident, potentially posing as personnel from CrowdStrike to gain access to the servers of organisations affected by the outage. If not cautious, companies already reeling from the operational disruption caused by the CrowdStrike outage may even suffer data theft or a cyber security incident.
In the face of such cyber security risks, we thought it apt to dedicate an article to share some pointers to general counsels and also data protection officers to assist in navigating the (almost inevitable) eventualities of a cyber security incident or personal data breach.
1. Situation Assessment
Malicious actors causing cyber security incidents or personal data breaches in a company’s IT environment may not necessarily come with guns blazing or a flashy signboard announcing their achievements. More often than not, threat actors would not even announce to their victims that they have successfully penetrated the victims’ environment, unless for extortion purposes.
During the process of penetrating a company’s IT environment, however, threat actors may leave behind crumbs, or trails if you will, of their entry points, potentially a record of multiple failed log-in attempts on multiple employee accounts at odd hours of the day or unusual log-in behaviour by employees who are supposed to be on vacation. A company that suspects a breach of its IT environment should quickly conduct an assessment of its system to ascertain whether an actual breach has occurred. Companies can deploy a sweeper or an endpoint detection and response (EDR) tool to scan and detect whether there is any malware. Close coordination between the company’s IT team and legal team at this stage is crucial so that legal is aware of the possible threat and can react swiftly to the outcome of the assessment.
2. Submitting Breach Notification
Assuming that the IT team has confirmed the occurrence of a cyber security incident, the company’s legal team will be faced with the important question of whether it is necessary to notify the authorities of the incident pursuant to the Cyber Security Act 2024 (“CSA 2024”). The answer to this question would depend on a few factors – does the company own or operate any national critical information infrastructure? If so, does the cyber security incident affect the national critical information infrastructure owned or operated by the company? If the answers to these two (2) questions are in the affirmative, the company will have an obligation under the CSA 2024 to notify the relevant stakeholders and/or authorities of the incident, and further investigations by the officers authorised under the CSA 2024 will be carried out.
In addition to the cyber security incident notification, assuming that the proposed amendments to the Personal Data Protection Act are passed and that the assessment of the breach by the company’s IT team indicates that personal data stored by the company has been accessed unlawfully, the company will also have the added responsibility under the PDP Amendments to notify the Personal Data Protection Commissioner of the personal data breaches.
The purpose of these breach notifications is not just to ensure that the relevant authorities are aware of the breaches, but also for the companies to work with the authorities to agree on appropriate responses to be taken to contain the effect of the breaches and to implement measures to prevent similar incidents in the future. As such, it is crucial for the company’s legal counsels and/or personal data protection officers to make sure that sufficient information is given to the authorities for joint formulation of informed decisions.
Engaging external legal counsel is crucial for companies when navigating the complex requirements of breach notification under both cybersecurity and data protection laws. These requirements are mandatory and come with severe consequences for non-compliance, including potential fines, reputational damage, and legal liabilities. External legal counsels can provide valuable guidance and assistance in accurately assessing the situation, ensuring that all necessary information is submitted to the relevant authorities, and advising on appropriate measures to mitigate risks. Therefore, by collaborating with experienced law firms, companies can ensure compliance with legal obligations and better protect their interests during such incidents.
3. Handling the Cyber Security Incidents
Dealing with a cyber security incident goes beyond just notifying the relevant authorities of the occurrence of the incident. Arguably the hardest part of dealing with a cyber security incident is to effectively contain the breach and to recover the operations affected by the incident.
As most would know by now, the CSA 2024 empowers the Chief Executive of the National Cyber Security Agency (NACSA) to issue directives to the National Critical Information Infrastructure Entities on the measures necessary to respond to or recover from the cyber security incident and to prevent such cyber security incident from occurring in the future. It would be crucial for legal counsels to coordinate closely with the Chief Executive of NACSA concerning the issuance of any directives, as well as the actions to be taken by the company to recover from and to prevent future cyber security incidents.
From the perspective of personal data protection, similarly assuming that the PDP Amendments are passed and where a cyber security incident results in the unlawful access of personal data stored by the affected companies, these companies will also have the statutory obligation under the PDP Amendments to notify the relevant data subjects of the breach in the event that the personal data breach causes or is likely to cause significant harm to the data subjects. To ensure effective communication of personal data breaches to the relevant data subjects, legal counsels and/or personal data protection officers should work with the IT team to come up with an exhaustive list of data subjects who have had their personal data unlawfully accessed.
Assuming that the incident is one that is widely reported, public relations (PR) issues would also come into play. Any public announcement to be made by the company affected by cyber security incidents should be carefully crafted to avoid unnecessary widespread commotion, especially when the incidents relate to national critical information infrastructure. An effective announcement should also briefly mention the action plan to be rolled out by the company to resolve the issue, so as to instil confidence in the public as well as affected data subjects. Likewise, legal counsels play the key role of working with the internal and/or external PR team to craft a meaningful public announcement that ensures effective communication of crucial information to the public and affected data subjects.
Given the increased digitalisation of companies everywhere in the world, it is no longer an urban legend for companies to suffer cyber security incidents. Hence, it is crucial that legal counsels and data protection officers alike are prepared on how to effectively deal with and manage a cyber security incident, so that any potential negative sentiment towards the company can be averted.
The technology lawyers at the Technology & Corporate Practice Group of Halim Hong & Quek would be able to assist a company to navigate the challenging ordeal of a cyber security incident and personal data breaches. Please feel free to reach out to our team of professionals should you ever need any assistance or if you would like to know more about cyber security and personal data protection.
About the authors
Lo Khai Yi | Partner | Co-Head of Technology Practice Group | Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity | ky.lo@hhq.com.my
Ong Johnson | Partner | Head of Technology Practice Group | Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity | johnson.ong@hhq.com.my
20 July 2024
The Hidden Perils of Software Subscriptions: Are High Early Termination Fees a TMT Litigation Time Bomb?
In recent years, technology companies have increasingly shifted from selling one-time software products to subscription-based business models, particularly when the products are being deployed as Software-as-a-Service (“SaaS”). This transition is driven by the allure of predictable revenue streams and the appeal to consumers of spreading out costs through monthly, quarterly, or annual subscriptions, rather than paying a large upfront sum. While these models offer financial flexibility and lowered commitment for consumers, they often come with a significant catch: hefty early termination fees.
Many subscription-based software agreements, particularly those for SaaS, include clauses that impose penalties for early termination. These fees can range from 50% to 70% of the remaining subscription period, effectively discouraging consumers from ending their contracts prematurely.
The rationale behind such high early termination fees is clear — these fees are often justified from a commercial perspective, as providing SaaS involves significant investments in infrastructure, development, and onboarding. Also, SaaS providers frequently offer customized integration of their software with customer systems and discounted pricing for long-term commitments. Thus, early termination fees help recoup these costs and ensure that consumers who benefit from discounts and perks fulfill their contractual obligations.
However, these high early termination fees are increasingly coming under scrutiny. A recent lawsuit filed by the U.S. Department of Justice against Adobe highlights the potential TMT litigation risks. In June 2024, the Federal Trade Commission (“FTC”) accused Adobe of deceiving consumers by imposing hefty early termination fees and making it difficult to cancel subscriptions. The Department of Justice emphasizes that such high early termination fees can deter consumers from terminating their subscriptions, raising significant legal concerns.
Although this lawsuit is within the jurisdiction of the United States, its implications are likely to resonate globally, including in Malaysia and the broader Asia-Pacific region, where similar subscription models are prevalent. Given the rapid growth of technology companies and the increasing complexity of TMT litigation, general counsels must be vigilant about the terms and conditions in their software agreements.
In Malaysia and the broader APAC region, many technology companies adopt similar subscription models with comparable early termination clauses. It is not uncommon to see early termination fees ranging from 50% to 70% of the remaining subscription period – some companies have even demanded full payment of the remaining period in the event of early termination. While these fees can be justified from a commercial perspective, helping to recoup significant investments and ensure contractual obligations are met, they also pose substantial risks of TMT litigation.
Balancing early termination fees and defending against litigation requires careful attention. Here are five key insights for general counsels and companies:
1. General Legal Position of Contractual Clauses in Malaysia: Malaysian law upholds the freedom of contract, meaning courts are generally reluctant to interfere with commercially negotiated terms. Parties are expected to adhere to the agreed terms, including compensation stipulated in early termination clauses, provided these agreements result from thorough, arm’s-length negotiations.
2. Enforcement of Early Termination Clauses: Early termination clauses and penalty clauses in software contracts are generally recognized and enforced. To enforce an early termination clause, the enforcing party must demonstrate (i) there is a breach of contract, and (ii) the contract contains a clause specifying a sum to be paid upon breach. If these elements are established, the company is entitled to receive a sum not exceeding the amount stipulated in the contract irrespective of whether actual damage or loss is proven.
3. Challenging the Reasonableness of the Compensation Sum: The full sum specified in an early termination clause may not always be enforceable. If the breaching party can prove the compensation sum is unreasonable or disproportionate to the damages suffered, the courts may revise the awarded damages. For instance, requiring compensation payment for the entire remaining subscription period could be deemed unconscionable and disproportionate to the damages suffered by the company.
4. Justification of Early Termination Clauses: Companies should ensure that early termination fees genuinely reflect reasonable and proportionate losses. While proving actual losses is not a required legal burden to enforce the early termination clause, being prepared to justify the compensation sum can protect against challenges to its reasonableness.
5. Clear and Well-Negotiated Clauses: A clear and well-negotiated early termination clause is always crucial. Malaysian courts are unlikely to interfere with clauses that have been properly negotiated and willingly agreed upon by both parties. A well-documented negotiation process therefore helps ensure enforceability and mitigates arguments that these early termination clauses were hidden or not disclosed.
In conclusion, while early termination fees in software subscription agreements can serve important commercial purposes, they also pose significant TMT litigation risks. By understanding and addressing these risks, general counsels can better navigate the complex landscape of SaaS agreements and protect their companies from potential legal challenges.
If you need help with software agreements or any form of TMT litigation dispute, please reach out to us. Our team of legal professionals is ready to advise and assist you with navigating these complex issues and ensuring that your business is well-protected.
About the authors
Ong Johnson | Partner | Head of Technology Practice Group | Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity | johnson.ong@hhq.com.my
Lo Khai Yi | Partner | Co-Head of Technology Practice Group | Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity | ky.lo@hhq.com.my
Nicole Shieh E-Lyn | Associate | Technology & Corporate Practice Group | Technology, Media & Telecommunications, Transactions and Dispute Resolution, Fintech, Privacy and Cybersecurity | nicole.shieh@hhq.com.my
16 July 2024
Decoding Personal Data Protection (Amendment) Bill 2024: 10 Key Insights to Stay Ahead
One of the most commonly asked questions we face today is: when will the current Personal Data Protection Act 2010 (“PDP Act”) receive its long-overdue amendments? As personal data becomes increasingly important in our digital world, ensuring robust protection measures is crucial. Around the globe, laws like the General Data Protection Regulation (“GDPR”) in the EU, along with similar frameworks in the UK and Singapore, set high standards for privacy and data protection. Finally, Malaysia is catching up with the introduction of the much-anticipated Personal Data Protection (Amendment) Bill 2024 (“PDP Amendment Bill”). These amendments introduce substantial changes to the current data protection regime, which all companies, data protection officers and general counsels should take note of.
In this article, we decode the PDP Amendment Bill and highlight top ten crucial insights for general counsels.
1. Current Status of the Personal Data Protection (Amendment) Bill 2024
On 10 July 2024, the PDP Amendment Bill was tabled at the Dewan Rakyat (House of Representatives) of the Malaysian Parliament for its First Reading, introducing several significant changes to the PDP Act. Currently, the PDP Amendment Bill is subject to debate in Parliament, and it remains to be seen whether it will be passed as is or with further amendments. Therefore, all companies and general counsels should closely monitor the development of this PDP Amendment Bill.
2. Change from “Data User” to “Data Controller”
In the current PDP Act, a "data user" is defined as a person who processes any personal data or has control over or authorizes the processing of any personal data. The PDP Amendment Bill seeks to substitute “data user” with “data controller”, aligning more closely with the common terminology used in other jurisdictions such as the EU, UK, and Singapore. Therefore, if “data user” is referenced in any of your PDP notices or agreements, you should be prepared to make necessary changes to reflect this amendment.
3. The New Role of Data Processors
The current PDP Act mainly focuses on "data users" or "data controllers," without imposing direct obligations on "data processors." A “data processor” is any person who processes personal data on behalf of a data controller and does not process it for their own purposes. The lack of direct legal obligations on a “data processor” has always been a key criticism of the current PDP Act.
The PDP Amendment Bill now imposes direct legal obligations on data processors to comply with security principles – this means data processors must take practical steps to protect personal data from loss, misuse, unauthorized access, and other risks. This change will significantly impact companies operating as data processors, requiring them to adjust their operational practices accordingly.
4. Appointment of Data Protection Officer
The PDP Amendment Bill makes it mandatory for data controllers and data processors to appoint a Data Protection Officer (“DPO”) who will be accountable for compliance with the PDP Act. This is a significant shift, as organizations can no longer merely designate a contact person in their PDP Notice. The DPO will be held accountable for any breaches of the law, making it a crucial role that companies must take seriously.
5. Mandatory Data Breach Notification to the Personal Data Protection Commissioner
One of the most anticipated changes is the mandatory notification of data breaches to the Personal Data Protection Commissioner. If a data controller believes a personal data breach has occurred, they must notify the Personal Data Protection Commissioner. This requirement mirrors the strict data breach notification rules in the recently enacted Cyber Security Act 2024.
This is a strict mandatory requirement as stated in the PDP Amendment Bill. The reading of the PDP Amendment Bill suggests that the duty to notify the Personal Data Protection Commissioner applies regardless of the severity or gravity of the personal data breach. This means that even minor breaches must be reported, emphasizing the importance of transparency and accountability in handling personal data. Many companies may not currently have protocols in place to capture or acknowledge any personal data breaches. This lack of preparation can lead to significant legal and financial repercussions under the new amendments. Therefore, companies should provide comprehensive training to relevant personnel to ensure they understand the importance of this requirement and the procedures for reporting breaches. This proactive approach will help ensure that all personal data breaches are promptly and accurately reported to the Personal Data Protection Commissioner, thereby enhancing the overall data protection framework within the organization.
6. Data Breach Notification to Data Subjects
In addition to notifying the Commissioner, if a personal data breach is likely to cause significant harm to the data subject, the data controller must also notify the affected individual without delay. This dual notification requirement highlights the critical need for companies to establish clear protocols and provide comprehensive training for efficient data breach management. However, the definition of what constitutes “significant harm” to the data subject remains unclear at this time.
7. Right to Data Portability
The PDP Amendment Bill introduces the right to data portability, allowing data subjects to request the transfer of their personal data to another data controller of their choice. This request is subject to technical feasibility and compatibility of the data format. Data portability empowers individuals by giving them greater control over their personal data and how it is processed. Moving forward, companies should emphasize and focus on data portability to foster competition and innovation among data service providers. When individuals can easily transfer their data from one data service provider to another, it reduces the barriers to switching services and the risk of vendor lock-in, encouraging companies to offer better products and services to retain their customers. This increased mobility of personal data can lead to improved user experiences and drive advancements in data-driven services, ultimately benefiting consumers and the market as a whole.
8. Removal of White-List Countries for Cross-Border Data Transfers
The current PDP Act limits personal data transfers to only the "white-list" countries. However, no such “white-list” has been gazetted.
The PDP Amendment Bill removes this “white-list” regime, by allowing data controllers to transfer personal data to any country if the receiving country meets one of two conditions: (i) it has a data protection law substantially similar to Malaysia's; or (ii) it offers an adequate level of protection equivalent to Malaysian law. This change addresses one of the most frequently asked questions about the current data transfer restrictions, offering more operational flexibility.
9. Introduction of Biometric Data
The PDP Amendment Bill includes personal data resulting from technical processing related to physical, physiological, or behavioral characteristics, known as biometric data. This addition enhances personal data protection by making it more comprehensive and safeguarding data subjects' privacy more effectively.
10. Heavier Penalties for Non-Compliance with Personal Data Protection Principles
Under the current PDP Act, data controllers are obligated to comply with seven personal data protection principles: (i) the general principle, (ii) the notice and choice principle, (iii) the disclosure principle, (iv) the security principle, (v) the retention principle, (vi) the data integrity principle, and (vii) the access principle. Failure to comply with these principles can result in a fine of up to three hundred thousand ringgit or imprisonment for a term not exceeding two years, or both.
The PDP Amendment Bill seeks to introduce even heavier penalties for data controllers that fail to comply with these personal data protection principles. If found liable, the penalty can now be as severe as one million ringgit or imprisonment for a term not exceeding three years, or both. This significant increase in penalties underscores the importance of prioritizing compliance with personal data protection laws. Companies must take proactive measures to ensure they adhere to these principles to avoid severe legal and financial consequences.
Conclusion
These amendments to the Personal Data Protection Act 2010 mark a significant shift towards a more comprehensive and robust data protection regime in Malaysia. Companies and general counsels must stay informed and prepared to adapt to these changes to ensure compliance and protect personal data effectively.
If you would like to learn more about personal data protection law in Malaysia, our team of seasoned professionals is here to assist. With in-depth expertise in the Personal Data Protection Act 2010, we are well-equipped to provide you with comprehensive advice and guidance. Please reach out to us to discuss your specific needs and ensure your compliance with the latest regulations.
About the authors
Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
9 July 2024
AI-Generated Work and Copyright Law: A Comparative Analysis of US and EU Perspectives
AI continues to revolutionize various industries, and its rapid development shows no signs of slowing down. Jurisdictions worldwide are actively adapting their laws to keep pace with AI's evolution. In one of our earlier articles, "Whether AI-Generated Work Could be Protected by Copyright Law", we explored this issue from a US legal perspective. Today, we delve into a landmark decision by the Municipal Court in Prague, the first EU court to rule on whether AI-generated work can be protected by copyright law.
This provides an opportunity to compare US and EU perspectives on the copyright protection of AI-generated work and highlight three key takeaways for general counsels and companies relying on AI.
The Municipal Court in Prague's Landmark Decision
The Municipal Court in Prague recently addressed the question of whether AI-generated work could be protected by copyright law. The case involved a Plaintiff who used an AI program, DALL-E, to generate an image based on the prompt: "create a visual representation of two parties signing a business contract in a formal setting, such as a conference room or a law firm office in Prague. Just show your hands."
The Plaintiff subsequently published the AI-generated image on his website, only to discover that the Defendant had copied and posted the image on their website without authorization. The Plaintiff then sought an injunction to remove or take down the AI-generated image, claiming copyright infringement.
The central issue in the case was whether the Plaintiff was the author of the AI-generated image. While it was undisputed that the image was created by AI, the Plaintiff argued that the specific assignment he provided to the AI program made him the author. However, the Plaintiff failed to provide evidence supporting his claim that the image was generated based on his specific assignment.
The court eventually dismissed the Plaintiff's case on two main grounds:
1. AI Cannot Be the Author: The court held that AI cannot be the author of the AI-generated image, as "author" can only refer to a natural person. The Plaintiff in this case failed to prove that he was the author of the AI-generated image.
2. Lack of Unique Creative Activity: The court emphasized that a work of authorship must result from the unique creative activity of a natural person. The Plaintiff could not demonstrate that the AI-generated image was uniquely the result of his creative activity, only that it was created with AI assistance.
Therefore, the court concluded that the AI-generated image was not a work of authorship and did not belong to the Plaintiff.
Comparative Analysis with US Copyright Law
This decision mirrors the US stance on AI-generated work, where cases like Zarya of the Dawn and A Recent Entrance to Paradise have reinforced that human authorship is a fundamental requirement for copyright protection. Both US and EU courts have firmly ruled that AI cannot be considered an author under copyright law, and only a natural person can hold such a title.
However, a careful reading of the EU court's decision suggests a potential path for AI-generated work to receive copyright protection if human authorship and unique creative activity by a natural person can be established. While this issue remains unresolved, it hints at a possible future interpretation of the law.
Three Key Takeaways for General Counsels and Companies
Given the current legal landscape, general counsels should be cautious when relying on AI to generate work. Here are three practical guidelines:
1. Ensure Human Authorship: Across jurisdictions, it is clear that AI cannot be an author. To qualify for copyright protection, it is crucial to ensure that a natural person is integral to the creation process and contributes significant creative input and direction.
2. Avoid Autonomous AI-Generated Work: To qualify for copyright protection, AI should be used as a tool to assist human creators rather than autonomously generating work. The natural person must maintain significant control over the direction, instructions, and creative input.
3. Document the Creation Process: Document the entire creative process to establish human authorship and control. This can include video recordings or detailed logs demonstrating the human contribution and direction given to the AI.
Conclusion
The intersection of AI and copyright law is still developing, with courts in both the US and EU emphasizing the necessity of human authorship. As technology continues to evolve, legal standards will likely adapt to strike a balance between technological innovation and the protection of creative works. General counsels and companies must stay informed and cautious, ensuring compliance with current legal requirements while preparing for future developments.
If you are looking to develop AI tools or have concerns about intellectual property infringement or safeguarding the output due to the use of AI in your organisation, please reach out to our dedicated team of professionals. With a deep understanding of both AI technology and intellectual property law, our lawyers are well-equipped to assist you throughout the entire process, ensuring that your AI-generated work receives the protection it deserves in the rapidly evolving legal landscape.
About the authors
Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
5 July 2024
Medical Negligence Claims – What Can You Sue For?
1. Damages that one can seek when pursuing a medical negligence claim are compensatory in nature, meant to cover the losses and suffering incurred due to the negligence. Generally, the types of damages fall under the following categories:
(i) Special Damages;
(ii) General Damages; and
(iii) Aggravated Damages
Special Damages
2. Special damages are monetary losses that can be quantified, for example, medical bills, costs of medical equipment, rehabilitation, supplements and special food, travelling expenses, traditional treatments, counselling, costs of engaging a carer or maid etc.
3. In Nur Arissa Naura Noor Affrizal & Anor v Dr. Abirami Kunaseelan & Ors [2023] 5 CLJ 793, the Court awarded costs for amongst others, cost of special equipment, cost of therapies and counselling sessions, cost of personal care items (wipes and creams), cost of value of care and costs for continuous expenses for nutrition, special food, vitamins and supplements.
4. What if you do not have documentary proof or receipt for certain expenses? Understandably, it would be unrealistic to expect anyone to keep a record of all the receipts, bills and/or invoices for all the expenses. In such situation, the Court may accept oral testimony to support the claims, provided that the expenses are within a reasonable sum and they are justifiable in the circumstances (Nur Syarafina bt Sa’ari v Kerajaan Malaysia & Ors [2019] 12 MLJ 41).
5. Additionally, any pecuniary losses suffered during the period from the date of the negligent act until the conclusion of the case where the Court delivers its decision are also claimable and have been granted by the Court (Nurul Husna Muhammad Hafiz & Anor v. Kerajaan Malaysia & Ors [2015] 1 CLJ 825).
General Damages
6. In contrast to special damages, other types of claims that are non-monetary and/or cannot be quantified are termed general damages. Examples of general damages, which are non-exhaustive, include the following:
(i) pain and suffering arising from physical pain and psychological impact such as trauma, anxiety and depression caused by the injury.
(ii) loss of amenities of life, e.g. loss of body faculties, deprivation of ordinary experiences, sexual impotence, loss of marriage prospects.
(iii) loss of earning capacity.
(iv) Gratuitous care provided by family members to the victim.
(v) Future general damages such as physiotherapy, medications, surgeries, medical equipment, consumables etc.
7. General damages are commonly awarded based on precedents, comparable cases, factual assessments and estimations of a reasonable sum for the injuries sustained by the victim.
8. For better illustration, below are some cases where the Court awarded general damages.
i. In the case of Sheela Christina Nair v Regency Specialist Hospital Sdn Bhd & Ors [2016] MLJU 1899, the plaintiff underwent a laparotomy to remove fibroids but suffered perforation of her small intestines due to negligently performed surgery. As a result, she suffered injuries to her bowel and had to rely on colostomy bags for support. Despite eventual recovery from the prolonged suffering, the Court recognized the extent of her pain and awarded her RM240,000.00 for both physical and emotional distress, and for the loss of amenities of life.
ii. In the case of Pantai Medical Centre Sdn Bhd v Fareed Reezal Arund & Another Appeal [2022] 2 CLJ 173, the Court awarded RM400,000.00 to the plaintiff, who suffered serious brain injury resulting in a persistent vegetative state, as general damages for pain and suffering and loss of amenities of life.
iii. In Nur Arissa Naura Noor Affrizal & Anor v Dr Abirami Kunaseelan & Ors [2023] 5 CLJ 793, the Court awarded RM500,000.00 as general damages for pain and suffering, and loss of amenities of life, considering that the patient was a 4-year-old child suffering from brain damage and was estimated to have another 40 years of life expectancy.
iv. In Airis Nurhana Bt Alfian (seorang kanak-kanak yang menyaman melalui ibu bapa dan wakil litigasinya Alfian Bin Zainudin) v Darul Aiman Sdn Bhd & Anor [2023] MLJU 214, the Court considered the evidence that de-rotational surgery would be required in the future and allowed reasonable expenses associated with such future expense, including the cost of the surgery, physiotherapy and occupational therapies, consultation fees, cost of equipment and replacements.
v. In Yusnita Bt Johari (suing through her husband and litigation representative Khairil Faiz Bin Rahamat) v Dr Jerilee Mariam Khong & Ors [2023] 9 MLJ 629, where the plaintiff suffered severe and irreversible brain damage as a result of the defendant’s negligence, the Court awarded, amongst others, the sum of RM 3,348,889.60 for pain and suffering, loss of amenities of life and future general damages (including cost of assistive equipment, medical expenses, therapy, care, future loss of earnings and the value of care provided by family members).
vi. In Norfazlin Bt Zamani v Kerajaan Malaysia & Ors [2022] MLJU 3696, the plaintiff lost her reproductive organs as a result of the defendant’s action. The Court awarded, amongst others, the sum of RM260,000.00 for the physical and psychiatric pain and suffering, and loss of amenities of life that the plaintiff has to endure.
Aggravated Damages
9. Aggravated damages are awarded as additional compensation for intangible injuries to the interest or personality of the victim, resulting from the contumelious, offensive or exceptional conduct of the defendant.
10. In the case of Hari Krishnan & Anor v Megat Noor Ishak Bin Megat Ibrahim & Anor and other appeal [2018] 3 MLJ 281, the Federal Court upheld an award of RM1 million as aggravated damages against the defendants who subjected the plaintiff to unnecessary risks of bucking which led to blindness in the plaintiff’s right eye.
11. Other grounds that led the Court to award aggravated damages include the suppression of medical reports, refusal to admit liability in clear cases which prolonged the proceedings, and altering the medical records (Ahmad Radhiq Arbee bin Ahmad Rejal Arbee (as a husband and dependant of Sharifah Shalihah bt Sayed Abdullah, deceased) & Ors v Kerajaan Malaysia & Ors [2020] 10 MLJ 459; Nur Syarafina bt Sa’ari v Kerajaan Malaysia & Ors [2019] 12 MLJ 741; Dato’ Stanley Isaacs v The Government of Malaysia & Ors [2019] 8 MLJ 331).
Conclusion
12. It is important to be mindful that ultimately, the amount awarded by the Court is discretionary and hinges on the specific facts of the case. It is crucial to support your claim with expert medical opinions and seek legal advice promptly, while details are still fresh in mind. This enhances the credibility of your case and ensures that you can effectively pursue compensation for the losses and suffering incurred.
About the author
Chan Jia Ying
Senior Associate
Civil & Commercial Disputes Resolution, Corporate & Commercial Contracts, Taxation, Insolvency & Winding Up, Medico-Legal
Harold & Lam Partnership
jiaying@hlplawyers.com

Damia Amani binti Shaiful Bahri
Senior Associate
Dispute Resolution
Harold & Lam Partnership
damia@hlplawyers.com
5 July 2024
Federal Court: Half-Truths that Harm the Reputation of a Person are Defamatory
Introduction
In the recent case of Seema Elizabeth Isoy v Tan Sri David Chiu Tat-Cheong [2024] CLJU 1180, the Federal Court held that a half-truth statement that presents a false impression and that harms the reputation of a person is defamatory. This kind of statement can safely be considered false in the circumstances.
The Federal Court held that posting a half-truth statement (deliberately omitting a known material fact) and requesting the reader to google for more information is unfair to the person whom the half-truth statement is about.
Background Facts
The Appellant, Seema Elizabeth Isoy, is the registered owner of a unit in Waldorf & Windsor Tower Serviced Apartments (“W&W”) developed by Malaysia Land Properties Sdn Bhd (“Mayland”).
The Appellant was a committee member of the W&W Management Corporation (“MC”). The Appellant and 55 other persons consisting of unit owners or their representatives were part of the W&W Whatsapp Group.
The Respondent, Tan Sri David Chiu Tat-Cheong, is the chairman and founder of Mayland.
There were several disputes involving Mayland and W&W. In one of the cases, the High Court decided that Mayland had defrauded and/or made a false representation to W&W owners in respect of a common area in W&W. The Court of Appeal affirmed the decision of the High Court and leave to appeal to the Federal Court was not granted.
On 17.8.2017, the Appellant sent a text message (“Impugned Statement”) to the W&W Whatsapp Group (excerpt as follows):
In order for owners to know all the facts, I believe we have to step back even more and ask “who is Mayland?”
Mayland is the CHIU family. So who is this Chiu family?
Let’s have a very brief look at the publicly known facts about his family:
- The Chiu family is an extremely rich and successful family originating from China, then based in Hong Kong. Now with business in many countries, including Malaysia.
I’m always happy for people’s happiness and good fortune but..
- Deacon Chiu (Sr.) has been in the past arrested and charged with conspiracy to falsify documents of the Far East Bank, where they were the major shareholders. For plotting to defraud the Commissioner of Banking by making false claims concerning the ownership of companies to which the bank had made advances of $ 352.5 million.
- Duncan Chiu (Deacon Sr’s son) has in the past been arrested for allegedly breaching the Theft Ordinance and the Companies Ordinance.
- David Chiu (Deacon Sr’s son) has been in the past arrested and charged for the same offenses as Deacon Sr. He also faced charges of conspiring to falsify documents purporting to show that more than $ 246 million in credit facilities had been granted to the bank by various companies.
And now the climax to this family saga:
- The same don (David Chiu) is the founder and Chairman of Mayland !!!
Mayland has been convicted of Fraud and Misrepresentation against W&W owners:
At High Court level
At Court of Appeal level
At Federal Court level
The apple doesn’t fall far from the tree… Please google these names to read more.
"the same son”
High Court
Dissatisfied with the Impugned Statement, the Respondent brought an action against the Appellant for defamation.
After a full trial, the High Court dismissed the Respondent’s claims. The High Court found that the words referring to the Respondent in the Impugned Statement were not defamatory and that the Appellant established the defence of justification as the Impugned Statement was substantially true.
Court of Appeal
The Court of Appeal held that the Impugned Statement was defamatory. The words in the statement conveyed to the ordinary man that the Respondent is dishonest and a fraudster. The statement read as a whole, in its natural and ordinary meaning had the tendency to disparage and injure the Respondent’s standing, character, and reputation. The statement also tended to excite the adverse opinion of those within the W&W Whatsapp Group against the Respondent.
The Court of Appeal also found that the posting of the Impugned Statement was actuated with malice. Although the Appellant was fully aware of the fact the Respondent was acquitted from the said charge mentioned in the Impugned Statement long ago, she intentionally omitted to mention it in the statement. The Appellant had posted a half-truth statement and requested the reader to google for more information. As malice had been established, the Court of Appeal held that the Appellant’s defence of qualified privilege and fair comment was unsustainable.
The Court of Appeal set aside the decision of the High Court. The Respondent was awarded RM 100,000.00 as damages and a permanent injunction was granted to restrain the Appellant from publishing or spreading the Impugned Statement or similar defamatory words concerning the Respondent.
Federal Court
The Federal Court granted leave to appeal to the Appellant. The appeal before the Federal Court centers on the effect of a half-truth statement in defamation law in Malaysia, particularly whether a half-truth statement constitutes a false statement.
(i) Elements Of Defamation
The key elements of defamation are well established. A plaintiff/claimant must prove on a balance of probabilities that:
(a) the words are defamatory
(b) the words refer to the Plaintiff
(c) the words are published
(ii) Defamatory Test
The test in determining whether the words are defamatory is whether those words, in their natural and ordinary meaning:
(a) tend to lower the plaintiff in the estimation of a reasonable man in society
(b) impute the plaintiff’s dishonourable conduct or lack of integrity
(c) expose the plaintiff to hatred, contempt, or ridicule
(d) tend to excite against the plaintiff the adverse opinion of others.
The ordinary and natural meaning of the words must be considered in the context of the whole text or message, in its entirety and not in isolation. The Court may consider the literal meaning of the words or their implied, inferred innuendo, or indirect meaning. This also includes the implications or inferences that can be drawn from the words.
(iii) Half-Truth Statement
In the present case, it was not disputed that the Impugned Words were published by the Appellant in the W&W Whatsapp Group, which referred to the Respondent. The only element left to be proven is whether the Impugned Words were defamatory.
The Respondent in the present case complained that the Appellant’s Impugned Statement was not the whole truth of the material facts. It was not disputed that the Respondent was charged with a fraudulent act but was acquitted of the said charge.
Although the charge against the Respondent mentioned in the Impugned Statement was true, the evidence established that when the Appellant published the Impugned Statement in the W&W Whatsapp Group, it was within the knowledge of the Appellant that the Respondent was acquitted of the charge. However, the Appellant omitted to state this material fact.
The Appellant in her testimony revealed that she did not include the Respondent’s acquittal in the Impugned Statement as she already asked the readers to google for more information. The Appellant also did not state the Respondent was convicted of the charge.
Having perused the Impugned Statement in totality, the Federal Court observed that:
(a) The sting effect was that the Respondent was charged with the same fraudulent act as his father, Deacon Sr. The imputation to the readers was that the Respondent was not a person of good character, and it tended to excite against the Respondent the adverse opinion of others.
(b) If the fact that the Respondent was acquitted of the charge mentioned by the Appellant in the Impugned Statement, which was within the Appellant’s knowledge, had been stated, it certainly would have neutralized the sting in the eyes of the readers.
(c) The defence that the reader was asked to google for more information on the matter could not neutralise the defamatory nature of the Impugned Statement.
(d) The charging of the Respondent without stating that the Respondent was acquitted, in the circumstances, is a half-truth statement that harms the Respondent.
(e) The statement made is not substantially true and is false in substance. This is prejudicial and unfair to the Respondent as he was unable to justify the criminal act imputed by the impugned statement.
The Federal Court held that:
(a) The full truth that the Respondent was acquitted was deliberately not disclosed in the Impugned Statement and this placed a different complexion and effect on the statement.
(b) The message without the fact that the Respondent had been acquitted, tainted the Respondent’s character and conduct and the Respondent was held in ridicule, reprobation, and contempt.
(c) This established the defamatory effect of the Impugned Statement.
(d) Although the charge against the Respondent was true, the omission to reveal that the Respondent was acquitted of the charge, makes the statement false in substance.
(e) The half-truth statement by the Appellant is not substantially true, presenting a false impression that can be considered as a false statement viewed in totality, that adversely affects the Respondent’s reputation. Therefore, the Impugned Statement is defamatory of the Respondent.
(iv) Defence Of Justification, Qualified Privilege & Fair Comment
The Appellant in the present case raised the defence of justification, qualified privilege and fair comment.
The Federal Court was of the view that an action of deliberately publishing a half-truth statement that presents a false impression of a person which affects the person’s reputation and further expects the reader of the impugned statement to do a further search on the information is conduct actuated with malice.
If the whole truth was revealed, it presents a completely different complexion of the published statement when read by readers.
Having considered the evidence in totality, the Federal Court found that the Impugned Statement concerning the Respondent was actuated with malice. Therefore, the defence of qualified privilege and fair comment is defeated and untenable.
Further, the Appellant’s defence of justification is unsustainable as the Impugned Statement was not substantially true and presented a false impression in the readers’ eyes. The defence of justification is founded on the truth of the statement or the statement made is substantially true.
Conclusion
The Federal Court unanimously affirmed the decision of the Court of Appeal which set aside the decision of the High Court.
About the authors
Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my
5 July 2024
Applicability of CIPAA After the Commencement of Arbitration
[A case summary of Tenaga Nasional Bhd v Malaysian Resources Corporation Bhd and other cases [2024] MLJU 682]
Key Takeaway:
Construction Industry Payment and Adjudication Act (“CIPAA 2012”) is not limited to adjudication initiated before or concurrent to reference to arbitration.
Brief Background Facts:
The interpretation of the words ‘referred concurrently’ in subsection 37(1) of the CIPAA 2012 was the main issue in this case.
Tenaga Nasional Berhad (“TNB”) appointed Malaysian Resources Corporation Berhad (“MRCB”) as the main contractor for a project located at Bangsar, Kuala Lumpur (“Project”).
Payment disputes arose between the parties in connection with the Project, particularly regarding the Final Account. MRCB referred the dispute to arbitration on 29.9.2021. MRCB pursued an adjudication proceeding pursuant to CIPAA 2012 after the commencement of arbitration proceedings, by way of a Notice of Adjudication dated 25.3.2022. The Adjudication Decision dated 10.8.2022 was given in favour of MRCB (“Adjudication Decision”).
TNB then applied to set aside the Adjudication Decision under section 15 of CIPAA 2012. One of the grounds raised by TNB in its setting aside concerned the issue of ‘whether the Adjudication Decision is null and void because the Adjudicator lacks absolute jurisdiction due to MRCB’s failure to comply with subsection 37(1) CIPAA by commencing the adjudication 5 months and 25 days after the reference to arbitration?’.
Section 37 of CIPAA 2012 sets out the relationship between adjudication and other dispute resolution processes, as follows:
“(1) A dispute in respect of payment under a construction contract may be referred concurrently to adjudication, arbitration or the court.
(2) Subject to subsection (3), a reference to arbitration or the court in respect of a dispute which is being adjudicated shall not bring the adjudication proceedings to an end nor affect the adjudication proceedings.
(3) An adjudication proceeding is terminated if the dispute being adjudicated is settled by agreement in writing between the parties or decided by arbitration or the court.”.
During the setting aside hearing, TNB took the position that section 37 of CIPAA 2012 envisages a situation where a party may opt to refer the dispute to arbitration or the court after initiation of adjudication proceedings under CIPAA, without any consequential effect to the adjudication proceedings. By commencing arbitration first, MRCB had thereby removed itself from the ambit of CIPAA and the claims do not form part of, or fall within, the parameters of CIPAA 2012 or the subject matter of which CIPAA 2012 has conferred jurisdiction on the adjudicator.
On this point, TNB referred to the wording of section 37 of CIPAA 2012 and section 23 of the Arbitration Act 2005 (“AA 2005”) on ‘Commencement of arbitral proceedings’, and submitted that it is the issuance of the notice to arbitrate that has to be concurrent with adjudication under the CIPAA and it must not come after the initiation of adjudication proceedings by serving the written notice of adjudication as stipulated in section 8(1) of the CIPAA 2012. The reason relied upon by TNB is that the purpose of CIPAA 2012 would be defeated if a party opts to resolve the dispute through another dispute resolution process instead of adjudication.
In addition, thorough discussions and legal research on the definition of the words ‘may’ and ‘concurrent’ in section 37(1) of CIPAA 2012 were submitted by the parties during the hearing.
Interestingly, TNB made a comparison between section 37(1) of CIPAA 2012 with section 10 of the AA 2005, and submitted that it is clear that the word "may" in the context of CIPAA 2012 should not be interpreted as merely directive. The word "may" must be considered in conjunction with the term "concurrently" in the same provision. The CIPAA 2012 explicitly states that adjudication proceedings should be commenced concurrently, indicating a requirement for timely action rather than unfettered discretion. The interpretation of "may" should not always be seen as optional, as demonstrated in legal precedents such as Bursa Malaysia Securities Bhd v Mohd Afrizan bin Husain and Maya Maju (M) Sdn Bhd v Putrajaya Homes Sdn Bhd [2018] MLJU 1629.
TNB concluded that the word "may" in the context of CIPAA 2012 recognises that parties have the option to choose between commencing adjudication as a stand-alone process or combining adjudication with arbitration or court proceedings. However, if the party selects the latter option, they must do so concurrently, as the mandatory nature of section 37(1) of CIPAA 2012 takes precedence over the discretionary use of the word "may."
As regards the word ‘concurrently’, TNB referred to Black’s Law Dictionary, Ninth Edition where ‘concurrent’ is defined as ‘Operating at the same time’. In the national language version of CIPAA 2012, the word ‘serentak’ is defined in the National Dictionary, 4th Edition as ‘pada waktu yang sama’.
TNB then urged the High Court to consider the word ‘referred concurrently’ as denoting the timing for the commencement of the applicable dispute resolution process.
On the other hand, MRCB drew a parallel with the concept of imprisonment sentences to run concurrently as opposed to consecutively in criminal cases and therefore, the plain and ordinary meaning of the word would be ‘at the same time’. However, MRCB took the firm position that this interpretation cannot stand as it would lead to absurdity and cause an unpaid party to lose its right to adjudication if the available remedies are not strictly commenced at the same time.
Disagreeing with TNB’s interpretation, the High Court found that in interpreting section 37 of CIPAA 2012, the words "may" and "referred concurrently" shouldn't be understood purely on a grammatical level but should be considered in the broader context of the purpose of CIPAA 2012. The Court was of the view that it ought to interpret the provision in a manner that aligns with the objectives of CIPAA 2012, as discussed in previous landmark cases. The phrase "being adjudicated" therefore doesn't require an existing adjudication before parties can initiate litigation.
Conclusion
Accordingly, having regard to the context in which the words “referred concurrently” are used in section 37(1) of CIPAA 2012 and bearing in mind the purpose or object of CIPAA 2012, adjudication proceedings under CIPAA 2012 can be initiated at any time, concurrently with arbitration or litigation, and even after arbitration or court proceedings have commenced and are still pending.
About the author
Felicia Lai Wai Kim
Senior Associate
Engineering, Construction & Engineering Disputes
Harold & Lam Partnership
felicia@hlplawyers.com
3 July 2024
Definition of Market Value
Recently, the High Court in Prima Cahaya Sdn Bhd v Pemungut Duti Setem (WA-24-40-07/2022) allowed the stamp duty appeal of Prima Cahaya Sdn Bhd (“Taxpayer”) and held that, amongst others, market value means an amount that a willing seller and willing buyer are ready to transact at without any compulsion, bearing in mind the assessed market value is a value after the pandemic, when businesses and general economy are struggling to pick up and normalize again.
The subject matter of this case is the market value of Menara Tulus (formerly the Royal Malaysian Customs Department’s headquarters at Putrajaya) (“Property”) – whether the market value of the Property is based on the forced sale value transacted or the valuation report prepared by the Jabatan Penilaian dan Perkhidmatan Harta (“JPPH”).
The salient facts of Prima Cahaya (supra) are as follows:
a) TRW Boulevard Square (“Vendor”) had previously charged the Property to Ambank Islamic Berhad (“Ambank”) as security for Islamic financing facilities.
b) As the Vendor failed to fulfill its financial obligations, Ambank then placed the Property under receivership.
c) The appointed Receivers & Managers (“R&M”) then appointed a valuer to conduct a valuation on the distressed Property, which put the market value of the Property at RM170,000,000 and the forced sale value at RM130,000,000.
d) Upon the R&M application, the Kuala Lumpur High Court granted the order for sale by way of public auction at the reserve price of RM170,000,000.
e) However, the Property remained unsold despite three rounds of public auction and the reserve price was revised downwards to RM137,700,000.
f) Subsequently, the R&M received a private offer of RM115,000,000 made by Bestinet Sdn Bhd (“Bestinet”) and the R&M agreed with the said private offer.
g) However, Bestinet was unable to complete the principal SPA, and thus Bestinet assigned and transferred all its rights, title, interest, and benefit to the Taxpayer by executing a deed of assignment.
h) Pursuant to the submission of instrument by the Taxpayer through its solicitors to the Stamp Office for adjudication, the Stamp Office then submitted an application to JPPH to conduct a valuation on the Property. JPPH valued the Property at RM227,250,000 (“JPPH’s Valuation”).
i) Although the Taxpayer appealed twice against the JPPH’s Valuation which was adopted by the Stamp Office, the Stamp Office maintained its decision.
j) Being aggrieved, the Taxpayer paid the stamp duty under protest and appealed to the High Court.
The High Court allowed the Taxpayer’s appeal and held that, amongst others:
Market Value
a) The Stamp Act 1949 does not provide for any definition or interpretation of the words "market value". Therefore, as per the decision of Suffian L. P (as he then was) in the case of Collector of Stamp Duties v. Ng Fah In & Ors [1981] 1 MLJ 288, the definition of market value in the Land Acquisition Act 1960 should be adopted, which reads as follows:
“Market Value is the estimated amount for which an asset or liability should exchange on the valuation date between a willing buyer and a willing seller in an arm's length transaction after proper marketing and where the parties had each acted knowledgeably, prudently and without compulsion"
b) In Nanyang Manufacturing Co v. The Collector of Land Revenue, Johore [1954] 1 MLJ 69, it was found that the safest guide to determine the fair market value is the evidence of sales of the same land or similar land in the neighborhood after making due allowance for all the circumstances.
c) In assessing a valuation, the primary method should be the comparison method.
d) Notably, it is a requirement under the Land Acquisition Act 1960 that a comparable must be successfully transacted in order to be used in the comparison method.
JPPH’s Valuation
e) No informal or preliminary report was produced by the Stamp Office to support that JPPH’s Valuation was done before the Stamp Office issued the notice of assessment.
f) In fact, the JPPH’s valuation report was prepared after the event as JPPH’s valuer conducted the site visit after the Taxpayer appealed against the notice of assessment.
g) Thus, the JPPH’s valuation report is merely an after-the-fact attempt to justify the stamp duty charged.
h) Most of the comparables used by the JPPH are not good comparables as those comparables were not successfully transacted.
i) The comparables used by the JPPH that were successfully transacted are still not good comparables, as they were transacted 7 years before the date of the Property being successfully transacted.
j) Adjustment of 10% for the time factor was unexplained by the JPPH.
k) Lastly, one of the comparables cannot be considered because it was transacted in 2011 (the peak of economy); it would therefore be unfair, or to the disadvantage of the Taxpayer, for the valuation to not take into account the pandemic in late 2019 to 2021 in assessing the value of the Property.
l) By applying the comparison method, the Stamp Office is actually relying on unsuitable or inappropriate comparables.
Determination of Market Value
m) Practicality of the situation needs to be considered in determining the market value.
n) The Property was a distressed property that was placed under public auction at the reserved price of RM170,000,000 which is far lower than the purported 'market value' as determined by the Stamp Office or the JPPH.
o) It must be noted that there was neither an interested nor a willing buyer motivated enough to purchase it at the respective reserved prices (after three rounds of public auctions being held).
p) The valuation for the reserved price was conducted in 2018 prior to the Covid-19 pandemic.
q) It is noteworthy that a 'reserve price' is fixed with the court's concurrence based on valuation and not some figure plucked out of the sky.
r) The agreed sale price of RM117,000,000.00 between a willing seller who was neither overly eager nor forced to sell at that price nor prepared to sell at a price not considered reasonable in the current market and a willing buyer motivated enough to purchase at that price was made at arm's length as the parties are not related.
s) It is therefore illogical that the 'market value' as assessed by JPPH, which is far higher than the amount anyone is willing to pay in an auction, is reflective of a realistic 'market value' that a willing buyer and willing seller are ready to transact at without any compulsion, bearing in mind the 'market value' as assessed is a value after the pandemic, when businesses and general economy are struggling to pick up and normalize again.
Comments
This case is an interesting development in relation to ‘market value’ as the High Court in Prima Cahaya (supra) set out the test in determining ‘market value’ and analysed, amongst others, the comparison method at great length, which serves as useful guidance for taxpayers at large. This case also reflects that our courts do take cognisance of the pandemic in determining ‘market value’. Notably, the High Court made it crystal clear that ‘market value’ means the sale price agreed by a willing seller who was neither overly eager nor forced to sell at that price nor prepared to sell at a price not considered reasonable in the current market and a willing buyer motivated enough to purchase at that price which was made at arm's length as the parties are not related.
About the author
Desmond Liew Zhi Hong
Partner
Tax
Halim Hong & Quek
desmond.liew@hhq.com.my
3 July 2024
Centralised Air-Conditioning Facilities: Its Classification as “Common Property” Within The Legislative Frameworks
Introduction
The legal definition of “Common Property” as provided under the relevant Act would include lifts, escalators, stairways, passageways, landings, lobbies, corridors, stairs, parking areas, lavatories for public use, refuse chambers, drains, water mains, sewers, pipes, wires and cables with the list being non-exhaustive, which includes facilities that can be used and enjoyed by occupants of the building.
How do we determine the extent of usage of the common property, particularly the Centralised Air-Conditioning Facilities?
In the recent Court of Appeal decision of AUM Capital Sdn Bhd v Menara UOA Bangsar Management Corporation Sdn Bhd [2024] 3 MLRA 428, it was held inter alia that “exclusivity” or extent of usage or benefit by owners of the building is irrelevant to the question of whether the Centralised Air-Conditioning Facilities is common property. The fundamental tenet of strata law is that the common property of a development area is generally taken as a whole, regardless of each proprietor’s level of use or enjoyment of the common property.
The appellant, the registered proprietor of the building, Menara UOA Bangsar (“Building”), appealed against the decision delivered by the High Court. There were five (5) questions of law posed to the High Court; however, we have extracted and summarised the issues relevant to the questions posed under this article as follows:
1) the Centralised Air-Conditioning Facilities in respect to (i) the common property of Tower A, Tower B and the car parks, and (ii) the private parcels of Tower B and the retail area were not utilised or enjoyed by all occupants of the building but solely for the benefit of a particular private parcel owner, namely UOA REIT; therefore the Centralised Air-Conditioning Facilities cannot be classified as common property; and
2) the Management Corporation has unlawfully utilised the monies from the maintenance account to maintain the Centralised Air-Conditioning Facilities and compelled the Respondent to reimburse all monies paid towards maintaining the same.
Is it common property or otherwise?
The Court referred to Section 2 of the Strata Management Act 2013, whereby common property in relation to a subdivided building means “so much of the lot (i) as is not comprised in any parcel, including any accessory parcel, or any provisional block as shown in a certified strata plan and (ii) used or capable of being used or enjoyed by occupiers of two or more parcels” and Section 4 of the Strata Titles Act 1985 “common property means so much of the lot as is not comprised in any parcel (including any accessory parcel), or any provisional block as shown in an approved strata plan”.
In addition, the Court relied on the Court of Appeal’s decision in the case of Perbadanan Pengurusan 3 Two Square v. 3 Two Square Sdn Bhd & Anor & Another Appeal [2019] MLRAU 454 where it was held that “… there is no need for there to have been labels affixed to the relevant areas to be designated as common property; all the areas that are not identified as parcels will automatically be regarded as common property; Nowhere is the concept of exclusive or special use provided for in the Strata Titles Act.”
Therefore, it was held that common property is almost exclusively defined by reference to the location. Based on the plans and photographs of the Building, it can be clearly seen that the Centralised Air-Conditioning Facilities are located outside of any private parcels.
Therefore, the Centralised Air-Conditioning Facilities are rightly defined and fall within the definition of common property.
Does the right to seek reimbursement arise?
The Court also agreed with the Respondent’s Counsel’s submission that “… the practice of charging different rates of service charges to take into account the specific amount of usage of different elements of common property, for example, lifts and swimming pools, does not accord with the legislative intent of the 2013 Act, which requires the management corporation to impose a single rate of service charges on all parcels according to their share units unless those parcels are used for “substantially different purposes” according to s 60 of the 2013 Act.”
The Management Corporation cannot rely on the express wording of Section 59(3)(b) of the Strata Management Act 2013 that empowers a management corporation to recover “any money expended” in performing any “repairs, work, or act” if “the repairs, work, or act were or was wholly or substantially for the benefit of some of the parcels only...” simply because the Centralised Air-Conditioning Facilities does not benefit some of the parcels of the Building.
It follows that the Management Corporation is statutorily duty-bound to properly maintain and manage the common property and is required to bear the costs and expenses of operating the Centralised Air-Conditioning Facilities, including the electricity and maintenance costs thereon (Section 59(1)(a) of the Strata Management Act 2013), irrespective of the fact that the facilities substantially benefit some but not all parcels, so long as the facilities benefit the common property as well.
Hence, there is no legal obligation on the Management Corporation to seek reimbursement from the proprietors of individual parcels of the said Building for the maintenance charges paid by the Management Corporation in maintaining the Centralised Air-Conditioning Facilities.
Summary
In summary, the decision reaffirms the legislative intent of ensuring equitable management of common property within strata developments, emphasizing the collective responsibility of all owners in bearing maintenance costs.
The categorisation of common property within the legislative frameworks is irrespective of individual benefit levels. Referring to pertinent sections of the Strata Management Act 2013 and Strata Titles Act 1985, the court highlighted that common property is primarily determined by location rather than individual usage.
Consequently, the legal obligation of the Management Corporation stands within the relevant provisions of the Act to collect and pay for the maintenance of such facilities within the exterior of all common parts regardless of varied benefit distribution among parcels.
About the author
Sharifa Nurliliyana binti Abd Karim
Senior Associate
Real Estate
Halim Hong & Quek
sharifa@hhq.com.my
25 June 2024
The Ultimate Guide to Corporate Investments in Malaysia's Data Center Sector: Strategies and Opportunities Explained
With the AI boom and the rapid advancement of technology, one of the hottest investment opportunities in Malaysia is undoubtedly in the data center sector. Global technology giants such as Nvidia, ByteDance, Microsoft, Google, and Singtel are expanding their data center footprints into Malaysia. Naturally, investors, companies, developers, landowners, contractors, and infrastructure owners are all looking for ways to benefit from this data center boom.
In this article, we aim to explore the investment opportunities in data centers from a corporate investment perspective. If you are considering an investment or a stake in data centers, this will serve as a foundational guide to understanding the various business models and opportunities in this sector.
The Complexity of Data Center Development
Developing a data center is significantly more complex than traditional real estate projects such as corporate towers, shopping malls, or hotels. It is rare for a single entity to handle the entire process of developing, funding, constructing, leasing, finding tenants, and managing a data center due to the following 5 critical factors:
1. Funding: The construction of a data center is capital-intensive, with investments ranging from hundreds of millions to even billions of dollars, depending on the scale and specifications. The cost of developing data center capacity is often measured in price per MW of critical power. For Tier III facilities, this can range from $7-10 million per MW, depending on location and specifications. For instance, the development of a 50MW hyperscale data center in Malaysia can require investments upwards of $450 million. Securing financing involves engaging with core funders who can provide substantial capital or financial guarantees. Potential funding sources include large banks, private equity firms, and institutional investors. Corporate guarantees from financially robust companies are often necessary to secure loans with favorable terms.
2. Land: Identifying and acquiring suitable land for a data center in Malaysia poses numerous challenges. Beyond just land, there are specific infrastructure requirements such as tunnels for cabling, substations for power distribution, redundant power supplies, and robust water cooling systems. The selection criteria for land include proximity to fiber optic networks, availability of renewable energy sources, and minimal risk of natural disasters. Collaboration with experienced property developers familiar with local zoning laws and government approval processes is crucial to navigate these complexities efficiently.
3. EPC Contracts: The complexity of modern data centers, particularly hyperscale, Tier-4, or AI data centers, necessitates sophisticated Engineering, Procurement, and Construction (EPC) contracts. Hyperscale data centers, for example, require high-density power configurations, advanced cooling systems, and extensive cybersecurity measures. An effective EPC contract must outline the specific technical requirements, performance standards, and compliance with international standards such as the Uptime Institute’s Tier Standards and ASHRAE guidelines. Choosing experienced EPC contractors with a track record in large-scale data center projects is essential to ensure successful project delivery.
4. Management: Effective data center management requires specialized expertise in areas such as IT operations, facilities management, and cybersecurity. Data centers demand near 100% uptime, as any failure or downtime can lead to substantial financial losses and significant compensation liabilities. Therefore, it is crucial to implement protocols such as advanced monitoring systems, predictive maintenance, and robust disaster recovery plans as essential components of effective data center management.
5. Tenants and Clients: Understanding the purpose of the data center, whether for self-consumption or leasing, is critical. As demand for data centers grows, so does the supply. Geopolitical concerns, such as US-China tensions, also influence client decisions, particularly regarding the sources of chips and racks within the data center. High utilization rates, typically 80%, are crucial for maximizing investment returns on data centers. Data centers therefore need to offer value-added services such as cloud computing, colocation, and managed services to attract quality anchor tenants and a diverse, high-quality tenant base, and to enhance revenue streams.
Corporate Investment Opportunities
Given these complexities, corporate investment opportunities in data center development generally fall into three categories:
1. Joint Ventures (JVs): This model involves collaboration among developers, funders, EPC contractors, and data center managers to collectively construct, build, and manage data centers. JVs leverage the strengths of each party to navigate the intricacies of data center projects. For instance, a property developer might provide land and local expertise, while a technology company contributes its knowledge in IT infrastructure and management. The shared risk and pooled resources make JVs a viable option for large-scale data center projects.
2. Acquisitions: Companies that prefer to avoid the lengthy process of constructing a data center from scratch can opt to acquire existing data centers. This approach allows them to immediately integrate the asset into their portfolio and manage it directly. Acquisitions can be particularly attractive for companies looking to expand their data center footprint quickly to meet growing demand. Due diligence in assessing the existing facility's condition, tenant agreements, and operational performance is crucial to ensure a sound investment.
3. Funding by Sovereign Wealth Funds, Listed Companies or Private Equity Firms: Data centers are highly attractive to sovereign wealth funds, listed companies, and private equity firms due to their potential for high returns. In Malaysia, mature data centers can potentially yield standard EBITDA margins within the typical range of 40% to 60%, and the capitalization rates and triple-net ROI for data centers could even exceed 7%, influenced by location, tenant quality, lease terms, facility specifications, and overall market conditions, making them a lucrative investment for funds looking to invest and possibly exit through REIT listings. Sovereign wealth funds, listed companies or private equity firms can provide the necessary capital for development and leverage their networks to secure high-value tenants. Additionally, REITs offer liquidity and diversification benefits for investors seeking exposure to the data center sector.
Strategic Considerations for Corporate Investment
Depending on their investment thesis, companies may explore various strategic opportunities:
1. Land Disposal: Landowners or developers with significant land banks may view the data center boom as an opportunity to sell land at a premium. This strategy offers a substantial one-time gain but limits long-term profit potential. For example, prime locations near urban centers with excellent connectivity infrastructure can command significantly higher prices, attracting both local and international investors.
2. JV with Intent to Sell: Some entities might form a JV to develop and construct a data center with the intention of selling it to another company that specializes in data center management. This strategy can be more lucrative than merely selling the land, as the completed data center represents a higher-value asset. By leveraging the combined expertise of JV partners, the project can achieve higher efficiency and quality, making it more attractive to potential buyers.
3. Long-term JV Management: Developers or landowners might form a JV to co-own and manage the data center, generating long-term income for all stakeholders involved. This approach leverages the ongoing demand for data center services and provides a steady revenue stream. Long-term management requires implementing advanced data center infrastructure management (DCIM) tools, optimizing energy efficiency, and maintaining high levels of customer satisfaction through robust service level agreements (SLAs).
4. Full Ownership: Ambitious players may choose to fully own and operate the data center. This path is the most challenging as it requires dedicated focus on development, management, maintenance, and client acquisition. However, it also offers the highest potential profits, as there are no management fees to external parties. Full ownership entails significant responsibilities, including continuous innovation in data center technologies, maintaining competitive pricing, and ensuring compliance with evolving regulatory standards.
Conclusion
The data center economy in Malaysia is rapidly growing, presenting numerous considerations for potential investors. From a corporate investment perspective, there is no one-size-fits-all solution. The best approach depends on an entity’s capacity and strategic objectives, whether they are seeking short-term gains or aiming for long-term management and income generation. By understanding the various business models and investment opportunities, companies can make informed decisions to capitalize on this booming sector.
If you are considering exploring opportunities in Malaysia's thriving data center sector or corporate investments, reach out to our team of experts today. Our experienced lawyers specialize in navigating the complexities of data center development and corporate investments in Malaysia. Whether you're looking for legal guidance on land acquisitions, joint ventures, or navigating regulatory landscapes, we're here to provide tailored advice and support. Contact us to learn more about how we can assist you in maximizing your investments in this dynamic industry.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
18 June 2024
Reviewing Technology Outsourcing Contracts – What Legal Counsels Should Take Note Of
It is undeniable that technology has become integral to our everyday lives. Beyond our personal lives, we also use technology in our work tasks, almost certainly on a daily basis. Businesses and corporations everywhere in the world have long accepted the fact that technology adoption is crucial in boosting productivity, which in turn drives revenue and business growth. From fundamental productivity tools such as Microsoft 365 subscriptions and customer relationship management software, to state-of-the-art and complex cloud infrastructure solutions and mainframe software, different types of software or technology would be sought after by customers from different industries, sizes and profiles.
Due to the increasing demand for technology adoption by companies, in-house legal that we have spoken to have generally experienced a gradual increase in the technology outsourcing contracts that they are tasked to review and negotiate on behalf of their employers. To facilitate the work of our in-house legal friends, we have put together a breakdown of the common issues that companies may face in technology outsourcing contracts that the legal teams should pay more attention to while trying to protect the interest of their employers.
1. Understanding the Vendor’s Capacity
The vendor in a technology outsourcing contract is often assumed to be the software principal or the owner of the technology. This may not however be the case, given that most technology or software owners deploy their solutions through resellers or channel partners. As such, the vendor that is entering into a technology outsourcing contract with the customer may not actually have any ownership of the underlying intellectual property rights being licensed. It would be crucial for in-house legal to ascertain the capacity of the vendor up front, as this will affect the extent of the contractual warranties that the vendor is able to provide. Where resellers or channel partners are involved, the customer may actually be required to separately enter into an End User Licence Agreement (or more commonly known as “EULA”) with the actual solution owner, in order to derive its rights to use the technology or solution. More often than not, the terms of a EULA would be non-negotiable.
2. Data Ownership
In cases where the customers’ own data would actually be inputted into the software or be uploaded onto the cloud, or where the vendors would be tasked to manage and process the customers’ data and the technology will be used to generate some form of analytical output data based on the customers’ inputted data, regard will have to be paid to the ownership of these data, particularly the analytical output generated. In today’s age where big data is the new oil, data holds significant value to a corporation. Depending on how the data is being processed and analysed, it can potentially show how effective a company’s advertising effort is, which product of a company is generating the most revenue, what new features consumers want a company to introduce in its products, etc. As such, it is important that companies address the ownership of any data they feed into a software or cloud, as well as the output generated by the software or technology after having processed or analysed the inputted data.
3. Availability of Escrow
Software escrow, while not in itself a common offering, can be crucial in the event a company is licensing a piece of software to be used for its mission-critical operation. The company has to rely on the software vendor to provide timely maintenance and consistent updates and upgrades to the software. Given that the stakes are high if the software is not maintained adequately or where the software vendor goes into liquidation or stops maintaining the software due to obsolescence, the company licensing the software may want to consider requesting a software escrow arrangement to be put in place. The escrow will clearly spell out the conditions under which the source code of the software will be released to the company, allowing the company to step in to maintain the software on its own. Bankruptcy or liquidation of the software vendor, or cessation of maintenance or support to the licensed software, are some of the more common release triggers in a software escrow arrangement.
4. Intellectual Property Indemnity
Given the speed at which new patches, updates or upgrades are being introduced to a piece of software, and how software and technology owners are constantly looking to improve their products with new or enhanced features, there will always be risks that the newly implemented changes to a software may infringe upon third party intellectual property rights. For this reason, software vendors would usually offer intellectual property indemnity to customers, committing to indemnifying the customers for any losses and damages they may suffer in the event of third party intellectual property infringement claims against the customers. The intellectual property indemnity may however be conditional upon the customers having notified the software vendors of the claim promptly, customers agreeing to allow the software vendors to have full control over the defence of any potential claims, the claim is not a result of misuse of the software by the customers, etc. In some circumstances, in addition to intellectual property indemnity, customers can also ask for a commitment by the software vendors to procure rights to continued usage of the infringing software or replace the same with a different product with similar features.
5. Service Level Agreement
A service level agreement, or more commonly known as “SLA”, is without a doubt one of the most heavily negotiated components of any technology outsourcing contract. Depending on how stringent the requirements and expectations of a customer are, and how sophisticated and complex the vendor’s products are, the software vendors may be reluctant to commit to the service levels imposed by the customers, as failure to comply will likely lead to service credits, and potentially trigger the customers’ rights to terminate the contracts in the event of repeated failures. Creative structuring of an SLA, such as the introduction of progressive service levels, service credit holidays, earn-back mechanisms, etc., may help to incentivize the software vendors to commit to the service level requested. (For more information on how to structure an SLA, you may refer to our earlier article titled “Structuring Effective Service Level Agreement” at https://hhq.com.my/posts/structuring-effective-service-level-agreement/).
Clearly, reviewing and negotiating a technology outsourcing agreement is not as straightforward as some might think, due to the intricacies of the technology industry, and the ever-evolving trends and practices adopted by technology and software providers. As such, it is important for in-house legal to be equipped with some understanding of the industry, or for them to work with technology lawyers who are well familiar with the industry, to ensure that the organisation’s interest is well safeguarded.
Should you have any enquiries or if you need any assistance in reviewing and/or negotiating any technology outsourcing contracts for your organisation, please do not hesitate to contact the partners from the Technology Practice Group:
About the authors
Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
11 June 2024
Navigating Competition Law in the Expanding Technology Industry: A Focus on Hardcore Horizontal Restrictions
As the technology industry expands at a rapid pace, it brings with it a multitude of legal issues that accompany the growth of both companies and the sector as a whole. In this article, we aim to highlight an area of law that may have been overlooked by companies and general counsel: competition law. This area has increasingly drawn the attention of regulators intent on ensuring that the market remains fair and undistorted for the benefit of consumers.
Heightened Competition Law Scrutiny: A Global Perspective
Competition law scrutiny, in the form of antitrust investigations, is becoming ubiquitous globally, a trend that companies and their legal teams cannot afford to neglect. Recently, U.S. regulators signaled their intention to open antitrust investigations into three major players in the artificial intelligence industry: Microsoft, Nvidia, and OpenAI. These companies, which are rapidly gaining dominance in the AI market with their software and semiconductors, are under scrutiny to determine if their practices are anticompetitive.
Understanding Hardcore Restrictions in Malaysia
As Malaysia positions itself as a regional technology hub—particularly in data centers, digital infrastructures, semiconductor manufacturing, and technology software—companies must be vigilant about competition law.
The Competition Act 2010 governs competition law in Malaysia, and it outlines strict regulations against practices that prevent, restrict, or distort competition. In the realm of competition law, context is crucial in determining whether any conduct, agreement, or arrangement has a significant anti-competitive effect. However, certain horizontal agreements are deemed to have anti-competitive objects outright, eliminating the need for further examination of their effects. These agreements, known as "hardcore restrictions," are critical for technology companies to avoid.
Four Types of Hardcore Restrictions:
1. Price Fixing - Price fixing occurs when competing firms at the same market level conspire to set prices for their products or services, bypassing market competition. This disrupts free market competition and can lead to artificially high prices for consumers. In a scenario where software companies conspire to fix subscription prices, it would involve multiple companies in the same market agreeing to maintain a certain price level for their subscription services, thereby eliminating competitive pricing dynamics. For instance, if several cloud storage providers agree to set their monthly subscription fees at $20, regardless of features or quality of service, they would be engaging in price fixing.
2. Market Allocation - Market allocation involves competitors agreeing to divide customers, markets, or geographic territories to avoid competition. This practice restricts competition and can lead to higher prices and reduced choices for consumers. In the technology industry, market allocation among competing firms might involve agreements to divide up specific customer segments, target demographics, or even technological niches to avoid direct competition. For instance, if two major social media platforms agree to exclusively target different age groups or demographics, such as one platform focusing solely on users aged 18-25 and the other targeting users aged 26-50, they would effectively be engaging in market allocation.
3. Limiting Production, Market Outlets, Technical Development, or Investment - This type of agreement occurs when competitors agree to restrict production, market outlets, technical development, or investment to reduce competition and maintain higher prices or market shares. In the technology industry, limiting production, market outlets, technical development, or investment could manifest as agreements among competing firms to constrain the release of new products or features, restrict the expansion of distribution channels, or curb investments in research and development to maintain dominance or artificially inflate prices. For example, if several major smartphone manufacturers agree to limit the release of new models to only one per year and refrain from investing in emerging technologies, they would effectively be restricting market supply and impeding technological progress. This would result in consumers having fewer options for innovative devices and features, potentially leading to higher prices and stifling industry advancement.
4. Bid Rigging - Bid rigging involves competing firms conspiring to manipulate the outcome of a bidding process, typically to ensure each firm wins contracts in turn. This can include agreements to refrain from bidding or submitting deliberately non-competitive bids. For instance, if multiple technology companies bid for digital infrastructure projects and agree that only one will submit a competitive bid while others submit artificially high or substandard bids, they engage in bid rigging. This practice undermines fair competition and can lead to inflated project costs and suboptimal outcomes for the contracting entity.
Conclusion
These four types of horizontal agreements are deemed to have anti-competitive objects and are prohibited under competition law, regardless of the market shares of the companies involved. It is crucial for general counsels and organizations within the technology sector to ensure that they do not engage in any of these practices. Vigilance in adhering to competition laws not only avoids legal repercussions but also promotes a fair and competitive market environment that benefits consumers and fosters innovation.
Should any inquiries or concerns arise regarding competition law matters, especially within the technology sector, we encourage reaching out to our experienced legal team. With a deep understanding of both the intricacies of the technology industry and competition law, our lawyers stand ready to provide guidance and support tailored to your specific needs.
About the authors
Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
4 June 2024
GPU-AS-A-SERVICE – BENEFITS AND LEGAL CONCERNS
Artificial intelligence (“AI”) has been the talk of the town for more than a year now. The hype surrounding AI and the potential (think increased revenue and commercial advantages) that it may bring pretty much “convinced” many companies to now also brand themselves as “AI companies”, looking to deploy their own AI models.
It is an established fact that training and deploying AI models require a vast amount of computing power. A graphics processing unit (“GPU”) is a type of electronic circuit traditionally used for video rendering, image creation and processing games with high quality graphics. Owing to its ability to perform and process many operations in parallel, a GPU is also very suitable for AI training and generally any tasks that would require high computing power. The increase in the number of AI companies inevitably also translates to an increased demand for advanced GPUs, which in turn results in a supply shortage – like it or not, there are only so many companies globally capable of producing and supplying advanced GPUs.
GPU-as-a-Service, or “GPUaaS”, is an attempt by some companies to address the GPU shortage faced by the industry. GPUaaS is essentially a cloud-based solution that rents out access to GPUs to organisations that need them, on-demand. In this article, we will be breaking down some benefits of subscribing to GPUaaS and laying down some of the key considerations to take note of for companies thinking of resorting to GPUaaS.
Benefits of GPU-as-a-Service
Apart from allowing quicker access to GPUs, GPUaaS also provides several other benefits to its subscribers, making its adoption easy to justify to the stakeholders of companies.
Cost efficiency is often one of the main benefits cited by companies when opting for GPUaaS as opposed to its on-premise counterpart. Instead of having to invest in and maintain physical infrastructure and specialised hardware, which also attracts other operational costs caused by energy consumption and cooling requirements, companies utilising GPUaaS only pay for subscription fees based on their project requirements.
Just like other cloud services, GPUaaS also offers the same flexibility and scalability to its subscribers. Users are often given the option to scale up (or scale down in some instances) their computing needs based on their project requirements, all without the need to invest in physical infrastructure and hardware only for that temporary increase in usage need.
Given the technicalities and specialised know-how that may be required to operate and maintain an on-premise GPU facility, it may not be worthwhile and commercially viable for companies that are not traditionally involved in this space to set up a new business unit just for this purpose. This is also one of the reasons why GPUaaS became the preferred choice of many companies traditionally involved in other businesses but now decide to venture into the AI space. By paying professional service providers for GPUaaS, companies can better focus their resources and attention on building their business and expanding their topline.
Legal Concerns of GPUaaS
We certainly cannot talk about all the advantages of GPUaaS without highlighting some key legal considerations that companies looking to offer or adopt GPUaaS should take note of.
1. Data Security
For companies that may have concerns about storing their data on the cloud or companies that are under strict regulatory requirements on data security, GPUaaS may not be the most suitable option. Granted that it provides flexibility, scalability and cost-savings, companies subscribed to GPUaaS are essentially relying on the GPUaaS providers to take charge of the security of their data. Companies with data security concerns should ensure that there are adequate data security assurances provided in the GPUaaS agreement with the service providers so that risks are allocated appropriately. Companies may also want to consider retaining the contractual rights to conduct audits on the security measures put in place by the GPUaaS providers.
Where regulations impose data localisation requirements, companies should then enquire about the location of the physical facilities of the GPUaaS providers to ensure that the data localisation requirements can be met.
2. Termination Assistance
It is no surprise that companies subscribed to GPUaaS may actually store a vast amount of data on the cloud infrastructure of the GPUaaS provider. Considering the possibility that these data may be mission-critical to the companies, it is crucial that the companies secure some commitments from the GPUaaS provider for the rendering of termination assistance covering the migration or transition of these data, either to the companies’ own GPU facilities, or to a third party outsourced service provider, in the event of a termination or expiry of the GPUaaS agreement, including stating clear timelines and responsibilities for the termination process to ensure a smooth transition and minimize the risk of data loss or downtime. This is all to ensure that in the event of a termination or expiry of the GPUaaS contract, the companies will not suffer any unplanned interruption of their business operations.
3. Service Levels
In a GPUaaS arrangement, given that the operation of the GPU is beyond the direct control of the companies, the agreement for GPUaaS should address the service level that the GPUaaS provider is committed to. It would be of utmost importance that the GPUaaS agreement at the very minimum provides for the service levels of remedial action that the GPUaaS provider should take in the event of an unplanned service interruption or downtime.
4. Licensing Requirement
GPUaaS at its core is essentially a form of infrastructure-as-a-service (“IaaS”). Some countries may actually require the providers of IaaS to obtain certain licence(s) before they can operate within the jurisdiction. Malaysia, for one, imposes a legal obligation on either an IaaS provider with a locally incorporated company, or a foreign IaaS provider that utilises a local data centre, to obtain an Application Service Provider (Class) licence before it can offer its services here in Malaysia. As such, it is important for companies looking to deploy GPUaaS in any jurisdiction to ensure appropriate due diligence is conducted prior to commencing operation. Conversely, companies looking to subscribe to any GPUaaS should also conduct simple verification to ensure that the service provider indeed has the required licences to conduct its business, so that unwanted interruption to the subscribed services can be avoided.
Conclusion
GPUaaS is certainly a creative way to address the GPU crunch suffered by the industry. That being said, companies considering subscribing to GPUaaS should not dive headfirst, but should instead work with internal stakeholders and external advisers to evaluate the needs of the business against what GPUaaS could offer, in order to ascertain whether GPUaaS is the right fit for the organisation, or whether the organisation would be better off securing its own physical infrastructure and hardware.
Considering the nuances of GPUaaS, companies should conduct a holistic review of the GPUaaS agreement offered by the service provider to ensure that the companies’ needs and requirements are sufficiently addressed in the agreement.
If you wish to enquire more about GPUaaS, or if you are thinking of subscribing to GPUaaS, please feel free to reach out to the lawyers from our Technology Practice Group. We would certainly be delighted to assist in this exciting endeavour.
About the authors
Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
30 May 2024
High Court clarifies Item 22(1) of the First Schedule of the Stamp Act 1949 and the Stamp Duty (Remission) (No. 2) Order 2012
A case study on Ann Joo Integrated Steel Sdn. Bhd. v Pemungut Duti Setem [2023] 8 MLJ
Introduction
This case is a stamp duty appeal under Section 39(1) of the Stamp Act 1949 ("Act") made by way of a case stated pursuant to Section 39(2) of the Act.
The Plaintiff is seeking, inter alia, a declaration from the High Court that the Notice of Stamp Duty Assessment dated 13 February 2019 issued by the Defendant ("assessment") on the letter of offer executed between Alliance Bank Malaysia Berhad (“Alliance Bank”) and the Plaintiff (“LO”) is erroneous, null and void.
Background Facts
On 27 December 2018, the Plaintiff accepted the LO for credit from Alliance Bank which offered to the Plaintiff trade facilities amounting to RM105,000,000.00 (“Trade Facilities”). The LO was submitted to the Defendant for adjudication of stamp duty where the Plaintiff sought for the remission of the stamp duty granted under the Stamp Duty (Remission) (No. 2) Order 2012 (“Remission Order”).
On 31 January 2019, the Plaintiff was informed by the Defendant that the LO did not qualify for remission of stamp duty under the Remission Order.
Subsequently, the Defendant took the position that the LO is subject to stamp duty pursuant to Item 22(1)(a) of the First Schedule of the Act. Thereafter on 13 February 2019, the Plaintiff received the assessment from the Defendant.
Unhappy with the assessment, on 14 February 2019 the Plaintiff paid the stamp duty to the Defendant under protest in accordance with Section 38A(7) of the Act vide letters dated 14 February 2019 and 11 February 2019.
Subsequently, the Plaintiff submitted an application to the Defendant on 28 February 2019 to object against the assessment pursuant to Section 38A of the Act.
However, on 8 March 2021, the Plaintiff’s application was rejected by the Defendant with no reasons provided. Being aggrieved by the assessment, the Plaintiff filed an appeal to the High Court by way of a case stated under Section 39(1) of the Act, to seek the opinion of the High Court as to whether the LO falls within the Remission Order.
Legislation
Stamp Act
Sub-item 22(1) of the First Schedule of the Stamp Act 1949, upon being amended by the Finance Act 2018, states the following:
BOND, COVENANT, LOAN, SERVICES, EQUIPMENT LEASE AGREEMENT OR INSTRUMENT of any kind whatsoever:
(1) Being the only or principal or primary security for any annuity (except upon the original creation thereof by way of sale or security, and except a superannuation annuity), or for any sum or sums of money at stated periods, not being interest for any sum secured by a duly stamped instrument, nor rent reserved by a lease or tack:
(a) for a definite and certain period so that the total amount to be ultimately payable can be ascertained.
(b) for the term of life or any other indefinite period:
for every RM100 and also for any fractional part of RM100 of the annuity or sum periodically payable.
Remission Order
Paragraph 2 of the Stamp Duty (Remission) (No. 2) Order 2012 states that:
The amount of stamp duty that is chargeable under sub-subitem 22(1)(b) of the First Schedule to the Act upon a loan agreement or loan instrument without security for any sum or sums of money repayable on demand or in single bullet payment under that sub-subitem which is in excess of zero point one per cent (0.1%) is remitted.
The Defendant's Contentions
The Defendant takes the position that there is no error in the assessment, that the LO was correctly charged for stamp duty under Item 22(1)(a) of the First Schedule of the Act, and that the Remission Order is therefore not applicable to the LO. It is contended that the LO does not spell out the sums of money that must be paid by way of demand or single bullet payment and is, therefore, liable to stamp duty as a loan agreement or loan instrument under Item 22(1)(a) of the First Schedule of the Act.
The Plaintiff’s Contentions
The Plaintiff takes the position that the LO clearly states that the loan instrument has no security whatsoever and must be repayable on demand or in a single bullet payment. Therefore, the Plaintiff believed that the LO they had accepted from Alliance Bank was eligible for remission of the stamp duty in excess of 0.1%.
It is contended that the correct approach to be adopted in interpreting a taxing statute is that it should be given a strict interpretation, by giving its words their plain, natural and ordinary meaning, and no intendment can be made in favour of tax liability.
Findings
The High Court makes a distinction between two different items in the First Schedule of the Act, specifically Item 22(1)(a) and Item 22(1)(b).
The High Court highlights that the material difference between these two Items is that Item 22(1)(a) applies to a bond, covenant or instrument within a specific and defined period of time, which allows the total amount payable to be determined.
On the other hand, Item 22(1)(b) applies to a bond, covenant or instrument that has an indefinite period of time, such as for the term of life.
Upon perusal of the LO, the High Court found that the availability of the facility granted by Alliance Bank to the Plaintiff is subject to Alliance Bank’s right to recall/cancel the facility or any part thereof at any time Alliance Bank deems fit whereupon the facility of such part thereof shall be cancelled and the whole indebtedness or such part thereof be repayable on demand. The High Court then cited the relevant provisions of the LO, which are as follows:
SPECIFIC CONDITIONS FOR TRADE FACILITIES
(i) Repayment
Notwithstanding any other provisions herein stated related to the availability of the Facility or any part thereof, the Bank reserves the right to recall/ cancel the facility or any part thereof at any time it deems fit without assigning any reason thereto by giving written notice of the same, whereupon the facility of such part thereof shall be cancelled and the whole indebtedness or such part thereof be repayable on demand.
………
(ii) Forward Foreign Exchange (“Forex”) Specific Condition: Repayment
Notwithstanding any other provisions herein stated related to the availability of the Facility or any part thereof, the Bank reserves the right to recall/cancel the facility or any part thereof at any time it deems fit without assigning any reason thereto by giving written notice of the same, whereupon the facility of such part thereof shall be cancelled and the whole indebtedness or such part thereof be repayable on demand.
Based on the above provisions, the High Court finds that there is in fact no definite or certain period of time prescribed under the LO for the Trade Facilities given to the Plaintiff. The LO therefore falls under Item 22(1)(b) of the First Schedule of the Act, thus qualifying for remission of stamp duty under the Remission Order.
The High Court rejected the Defendant’s contention that the LO does not spell out the specific provision on how repayment of the loan is to be made in the ordinary course, i.e. if the Trade Facilities or Forex is not recalled or cancelled by Alliance Bank and that in any event the LO must clearly show that under the LO, the mode of repayment of the loan is either upon demand or a single bullet repayment.
According to the learned Judge, there is no specific requirement under the Remission Order for the sums of money to be paid under the LO to be by way of demand or single bullet repayment in the ordinary course. The LO clearly states that the security is on clean basis.
Conclusions
The High Court concluded that the LO fell within the ambit of Item 22(1)(b) of the First Schedule of the Act and that on a plain reading of paragraph 2 of the Remission Order, the Plaintiff had fulfilled all the requirements stipulated thereunder as the LO clearly stated that the Trade Facilities and Forex facilities are granted on clean basis i.e. without any security, and that Alliance Bank reserves the right to recall/cancel the facility or any part thereof at any time it deems fit without assigning any reason by giving written notice of the same, whereupon the facility of such part thereof shall be cancelled and the whole indebtedness or such part thereof be repayable on demand. Premised on the reasons above, the High Court allowed the Plaintiff’s appeal with costs and held that the LO qualifies for remission of stamp duty under the Remission Order and ought to be stamped at the rate of 0.1%. Thus, the assessment raised by the Defendant was held to be erroneous.
Comments
The two (2) material points that can be extracted from the above case are as follows: -
(i) To come within the ambit of Item 22(1)(b) of the First Schedule of the Act, there is no requirement for a LO or agreement for credit facilities to state that the facilities are to be repaid in the ordinary course by bullet repayment or upon demand. Thus, it is sufficient that the credit facilities are repayable on demand at the discretion of the lender.
(ii) A LO or agreement for credit facilities in respect of which the stamp duty is payable under Item 22(1)(b) of the First Schedule of the Act will qualify for remission of the stamp duty under the Remission Order if the credit facilities are granted without any security.
About the author
Norsuriati binti Mohd Noor, Senior Associate, Real Estate, Halim Hong & Quek, norsuriati@hhq.com.my
30 May 2024
Limitation of Licenced Manufacturing Warehouse Conditions
The High Court in Pan International Electronics (M) Sdn Bhd v Menteri Kewangan Malaysia and Ketua Pengarah Kastam, Jabatan Di Raja Malaysia (PA-25-65-08/2023) quashed the decision of the Ministry of Finance ("MoF") rejecting the appeal of Pan International Electronics (M) Sdn Bhd (“Taxpayer”) for the remission of import duty and sales tax. The decision was found to be tainted with illegality and irrationality, as the conditions under the licensed manufacturing warehouse (“LMW”) cannot be imposed on the ASEAN Trade in Goods Agreement (“ATIGA”) order.
The salient facts of Pan International Electronics (supra) are as follows:
a) The Taxpayer is a licensed LMW under Sections 65 and 65A of the Customs Act 1957.
b) Pursuant to the ATIGA, the Taxpayer had been importing decoders at 0% import duty and 0% sales tax.
c) However, the Royal Malaysian Customs Department (“RMCD”) issued a bill of demand against the Taxpayer for the import duty of RM8,432,282.51 and sales tax of RM841,342 because the Taxpayer had exceeded the local sales quota by 7.21%. This disqualified the decoders from the ATIGA rate of 0%.
d) The Taxpayer appealed to the MoF by way of a letter dated 27.3.2023 but such appeal was rejected by the MoF on 22.5.2023.
e) Dissatisfied, the Taxpayer filed a judicial review application to challenge the decision (the rejection).
The High Court held that, amongst others:
a) The RMCD only has the power under Sections 65 and 65A of the Customs Act 1957 to impose conditions on LMW license.
b) The condition of decoders’ local sales quota of 20% is only limited to LMW license.
c) The ATIGA rate under the ATIGA order is an order made by the MoF pursuant to the exercise of his powers under Section 11(1) of the Customs Act 1957.
d) Under Article 41 of the ATIGA, each member state undertakes not to adopt or maintain any quantitative restriction on the importation of any goods of the other member states or on the exportation of any goods destined for the territory of the other member states.
e) A company is entitled to the ATIGA rate so long as the goods imported are classified as such and are imported from the ASEAN countries, regardless of whether the company is clothed with LMW status.
f) RMCD does not have any power to alter the ATIGA rate under the ATIGA order, only the MoF has the power to impose conditions in the ATIGA order under Section 11(1) of the Customs Act 1957.
g) There are no conditions imposed by the MoF in the ATIGA order that in order for the decoders to be entitled for import duty at the ATIGA rate of 0%, the Taxpayer must not exceed 20% local sales quota.
h) LMW status has nothing to do with the goods that are classified under the ATIGA order.
i) Hence, the RMCD’s imposition of the LMW conditions into the ATIGA order is illegal and irrational as the RMCD does not have any jurisdiction to fix the customs duty to be levied on any goods imported into or exported from Malaysia under Section 11(1) of the Customs Act 1957.
j) The MoF has failed to exercise his discretion to remit the customs duty ‘just and equitably’ as envisaged under Section 14A of the Customs Act 1957 as the MoF had rejected the Taxpayer’s remission application based on the same ground of breach of the LMW condition.
k) The MoF had allowed the LMW condition to be imposed on the ATIGA order, albeit no express condition was passed by the MoF under the ATIGA order or the Customs Act 1957.
Comments
This case, perhaps, is the first case that addressed the limitation of the conditions under the LMW license and the exercise of the MoF’s power under Section 14A of the Customs Act 1957. It is not uncommon for the tax authorities and/or authorities in Malaysia to conflate the conditions under different licenses (or approvals). This case serves as a reminder to taxpayers to always be vigilant and check whether the condition of one license can be imposed into another.
About the author
Desmond Liew Zhi Hong, Partner, Tax, Halim Hong & Quek, desmond.liew@hhq.com.my
27 May 2024
Achieving Net Zero: The Crucial Role of Climate Technology
Net zero should not be unfamiliar territory, particularly for chief sustainability officers, general counsels, and boards of directors. Failing to consider net zero emissions can have significant and multifaceted impacts on an organization’s performance, including regulatory and compliance risk, brand reputation, and financial and investment risk. Companies that overlook climate risks may struggle to attract investment, potentially facing higher capital costs or even divestment. Additionally, sustainability-linked financing, such as green bonds and loans with favorable terms, may be out of reach without a clear net zero strategy. Therefore, companies can no longer ignore this issue. Achieving net zero emissions requires a concerted effort, with climate technology playing a central role. In this article, we explore how climate technology is pivotal in driving forward this initiative.
Understanding Net Zero
"Net zero" refers to the balance between the amount of greenhouse gases (GHGs) emitted into the atmosphere and the amount removed from it. Achieving net zero means that any human-caused emissions (anthropogenic emissions) are counterbalanced by an equivalent amount of GHG removal.
Currently, there isn't a single standardized formula for calculating net zero, as it can vary depending on the context, the scope of emissions being considered, and the methodologies used for measurement and accounting. Generally, the steps involve quantifying all GHG emissions from various sources within a defined boundary, including direct emissions from activities like energy production, transportation, industry, and agriculture, as well as indirect emissions associated with purchased electricity and other goods and services. Additionally, any GHG removals or sinks, such as carbon uptake by forests, oceans, soils, and technological solutions like carbon capture and storage, are identified and quantified. The net balance is then calculated by subtracting total emissions from total removals, determining whether an entity is contributing to climate change (positive net balance) or offsetting emissions (negative net balance).
The Role of Climate Technology in Achieving Net Zero
Technology, frequently referred to as climate technology, is critical in assisting companies in achieving net zero. Here, we highlight five types of climate technology that can help achieve the net zero objective:
1. Renewable Energy Technology: Transitioning from traditional energy sources to renewable energy sources such as solar, wind, hydro, and geothermal power is essential for reducing carbon emissions. These renewable energy sources offer several advantages over traditional fossil fuels in the context of achieving net zero emissions. Unlike fossil fuels, renewable energy sources produce little to no greenhouse gas emissions during operation, thereby significantly reducing carbon footprints. Most importantly, renewable energy technologies are inherently sustainable and abundant, providing a reliable and long-term solution for powering communities and industries without contributing to climate change.
2. Energy Efficient Technology: Energy efficient technology focuses on optimizing energy use to achieve the same or higher levels of performance while consuming less energy. This includes advanced appliances and lighting systems like LED bulbs, high-efficiency HVAC systems, and better insulation materials for buildings. By reducing energy consumption, these technologies decrease the demand for electricity generation, which often relies on fossil fuels, thus lowering greenhouse gas emissions. Compared to conventional energy technologies, which typically operate with higher energy waste and inefficiencies, energy efficient technologies enable significant reductions in overall energy use and emissions.
3. Smart Grid Technology: Smart grid technology enhances the traditional electrical grid by incorporating digital communication, advanced sensors, and automation systems to improve the efficiency, reliability, and sustainability of electricity distribution. Unlike the conventional grid, which is largely one-way and lacks real-time monitoring, smart grids enable two-way communication between utilities and consumers, allowing for dynamic management of electricity flows. This includes real-time monitoring of energy usage, automatic rerouting of power in case of outages, and integration of renewable energy sources like solar and wind into the grid. Smart grids facilitate demand response programs where consumers adjust their usage during peak times, reducing the strain on the grid and lowering emissions. By improving the efficiency and flexibility of the electricity network, smart grids play a critical role in achieving net zero emissions, enabling a more resilient, sustainable, and cleaner energy system compared to traditional grid infrastructure.
4. Carbon Capture, Utilization, and Storage (CCUS): CCUS is a set of technologies designed to capture carbon dioxide (CO2) emissions from industrial processes and power generation, prevent it from entering the atmosphere, and either utilize it in various applications or store it underground. The process begins with capturing CO2 at its source, such as a factory or power plant, using chemical solvents or other methods. The captured CO2 is then compressed and transported, typically via pipelines, to a utilization site where it can be used in products like concrete or biofuels, or to a storage site where it is injected into deep geological formations, such as depleted oil and gas fields, for long-term storage. This technology is particularly suitable for heavy industries that are difficult to decarbonize, providing a means to significantly reduce their emissions while maintaining operational viability.
5. Circular Economy Technology: Circular economy technology revolves around designing products and systems to minimize waste, extend product lifecycles, and regenerate natural systems. This includes advanced recycling processes that break down materials into their basic components for reuse, biodegradable materials that reduce waste, and industrial symbiosis where waste from one process becomes input for another. Companies can employ circular economy principles by designing products for durability, reparability, and recyclability, implementing take-back schemes, and optimizing resource use through digital platforms that track material flows. This approach helps companies achieve net zero by reducing the demand for virgin materials, transforming waste into valuable resources, thereby closing the loop and significantly cutting down the overall carbon footprint compared to conventional, linear business models.
Conclusion
Net zero has swiftly transitioned from an optional consideration to an imperative for every company. Climate technological advancements are pivotal in enabling companies to reach this goal, making it an aspect that demands universal attention. Harnessing the potential of innovation and technology, we can overhaul our energy systems, industries, and societies, forging a sustainable and resilient future.
If you have any needs related to ESG, especially in the technology field, do not hesitate to reach out to our legal professionals who specialize in technology law and related areas. Our team is well-equipped to guide you through the complexities of sustainability initiatives, helping you leverage climate technology to achieve your net zero goals while ensuring compliance and maximizing your competitive advantage. Let us partner with you in creating a sustainable and resilient future for your organization.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group. Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity. johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity. ky.lo@hhq.com.my
Tan Zhen Chao, Associate. Real Estate, Project Development, Strata Management, Dispute Resolution. zctan@hhq.com.my
21 May 2024
Structuring Effective Service Level Agreement
Service Level Agreement, commonly referred to as “SLA”, is one of the key aspects of technology outsourcing that is frequently negotiated between service providers and customers. An SLA would set out the agreed standards at which the outsourced services are supposed to be provided, how the standards will be measured, and the consequences for failing to meet the agreed standards. When it comes to technology outsourcing, SLA can normally be found in contracts involving the provision of Software-as-a-Service or information technology (IT) managed services.
Given the increased reliance on technology in today’s age, it is crucial for a customer to ensure that the new S-a-a-S that it has just subscribed to, or that new service provider engaged to manage its core business IT system, is able to meet the level of service that the customer expects. If the services provided are not satisfactory, the customer should then receive, in one way or another, some form of rebate or credit from the service provider for the less than satisfactory services rendered. Due to this very nature of SLA that may potentially reduce the remuneration that a service provider receives, SLA regularly becomes the subject of contention.
In this article, we set out some considerations that businesses should take into account when structuring an SLA.
Service Level Objectives
From a customer’s perspective, the first step when structuring an SLA is to identify the service level objective that is sought to be achieved from the services outsourced. Depending on the type of services outsourced, the objective could be to ensure high system availability, or that service disruptions are attended to and resolved promptly.
Once the objective has been identified, it can be clearly communicated to the service provider, and it facilitates the determination of appropriate metrics to measure the standards of the services being performed. Failure to properly identify the objectives may result in the service provider’s attention being diverted to aspects of the services that are actually of lesser importance to the customer, hence translating into a mismatch in the level of services being delivered by the service provider.
SLA Metrics
Upon the identification of the service level objectives to be achieved, one will then be able to establish the most appropriate metrics to be used to evaluate the quality of the services rendered.
Assuming that the service level objective is to ensure that a particular system or software has a high availability, “uptime” would then be the metric of choice. When a customer is looking to ensure that service disruptions are promptly attended to, the most common metrics that the customer can use are response time, resolution time, and/or mean time to recovery.
Depending on the metrics chosen, the way that they are being measured may also differ. Take uptime for example, it is typically measured across a period of time, potentially on a quarterly basis, half yearly basis, or annual basis. The customers will have to determine the desired uptime of the system, be it at 99.7% a year, or 99% in a month. For incident response on the other hand, it has to be measured on a case-by-case basis, typically depending on the severity level of the incident, which would in turn affect the expected response and resolution time by the service provider.
On top of that, SLA metrics should also incorporate flexibility to adapt to changing commercial circumstances, such as business growth, evolving technology, or shifts in the economic landscape. This adaptability ensures that the SLA remains a living document that continues to serve the interests of the parties over time.
The SLA metric is an important component of an SLA as it sets the standards that the service providers are expected to achieve when delivering their services. Additionally, it allows for clear and objective evaluation of the standards of services provided by the service providers, and paves the way for the implementation of the service credit regime.
Service Credit Regime
In an SLA, failure by a service provider to meet the agreed service level objectives based on the agreed metrics would normally result in the customer being entitled to service credits. Service credits can take the form of cash payment by the service provider to the customer, or a rebate in the subsequent fees payable by the customer to the service provider. The rationale of a service credit regime is that a customer should not have to pay the service provider 100% of the agreed fees, since the service provider has failed to perform the services at the level or standard expected. In other words, service credit regime should rightfully reflect the lowered standard of services actually performed by a service provider, as opposed to what the service provider was initially offered to be paid to perform.
Many have the misconception that a service credit regime is a tool for customers to achieve cost savings or obtain a huge discount on the fees otherwise payable to the service providers. This thinking often results in the misguided approach of affixing a high price tag to service credits that is disproportionate to the magnitude of the corresponding service level failure. It can potentially derail and delay the finalisation of the contract for technology outsourcing, prompt the service provider to mark up its fees, or worse, cause reluctance among service providers to agree to undertake a particular service.
An effective service credit regime will have to take into account the nature and extent of the service level failure – more severe service level breaches should translate into higher service credit, while minor service level breaches should only result in lower service credit.
Creative Structuring of SLA
Structuring and negotiating SLA for technology outsourcing requires careful planning. A well-crafted SLA would facilitate service providers to deliver services that meet the expectations of the customers, allowing customers to achieve their business goals.
As technology advances, it may not be so easy at times for service providers to meet the service level requirements of the customers, especially when cutting edge technologies are involved. These circumstances may then call for creative structuring of SLA, such as incorporation of service credit holiday, incremental service levels, assigning weightings and multipliers to different type of service level breaches, or potentially allowing service credit earn-back, in order to incentivize the service providers to deliver their best games.
Businesses should consult legal professionals in crafting a meaningful SLA that would help in directing the service providers to deliver services at the level and standard expected of them.
Please feel free to reach out to our partners from the Technology Practice Group should you have any enquiries in relation to your next technology outsourcing initiative or if you would like a consultation on your service level agreement. Our team of professionals is always here to help.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity. ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group. Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity. johnson.ong@hhq.com.my
14 May 2024
AI Deepfake Technology: Understanding Its Business Use Case, Legal Considerations, and Best Practices in Modern Marketing
The Rise of Deepfake Technology
As artificial intelligence (“AI”) continues to advance, one of its subfields, deepfake technology, is also garnering significant attention. Deepfake is a form of AI that can manipulate digital media, such as images, videos, and audio, to create highly realistic but fabricated content.
It is undeniable that the initial attention surrounding deepfakes has centered on their misuse in spreading disinformation, pornography, and perpetrating scams. For example, scammers generated deepfake robocalls using the voice of President Joe Biden earlier this year to discourage voters from voting. Additionally, a Hong Kong firm fell victim to a $25 million fraud scheme orchestrated through deepfake technology, wherein fraudsters impersonated the company’s chief financial officer during a video conference call. However, savvy businesses and organizations are also beginning to explore the transformative opportunities this technology presents for marketing and advertising campaigns. By harnessing the power of deepfakes, companies can tap into the star power and influence of renowned personalities without the need for their direct and active involvement, potentially revolutionizing the industry. There are two sides to every coin, and as with any emerging technology, there are legal considerations that companies and their general counsels must navigate carefully. In this article, we explore the use case of deepfake technology in marketing, along with the legal concerns and best practices that general counsels should take into account.
What are Deepfakes?
Before we begin, it would be essential for us to understand what deepfakes are.
Deepfakes are a form of AI-generated synthetic media that employs deep learning algorithms to manipulate or fabricate images, videos, or audio recordings. These algorithms are trained on extensive datasets of real media, enabling them to learn and replicate a person's face, voice, or mannerisms with remarkable precision. The resulting deepfake media can be virtually indistinguishable from genuine content, posing a challenge in discerning authenticity.
Currently, a simple online search for deepfakes reveals a staggering number of videos circulating on the internet, many of which viewers may not even realize are deepfakes.
The Business Case for Deepfakes in Marketing
Traditional celebrity endorsements and influencer collaborations can be prohibitively expensive, often requiring significant financial investments and complex negotiations, as traditional marketing, photoshoots, and video recordings necessitate the direct and active physical involvement of the celebrities and influencers in order to produce the desired content.
Deepfake technology now offers a cost-effective alternative, enabling companies to create compelling content featuring the likeness and voices of popular figures without the logistical hurdles and exorbitant costs associated with securing their participation.
This approach not only reduces marketing and advertising budgets but also opens up new avenues for creative storytelling and engaging campaigns, all without requiring the direct, actual, and active physical involvement of those celebrities and influencers as in traditional marketing and video shoots, which can be both time and resource-consuming. This democratizes access to star power, allowing smaller businesses and startups to compete on a more level playing field by leveraging the influence of renowned personalities without the financial constraints of traditional endorsement deals.
Legal Considerations and Best Practices for Businesses Utilizing Deepfakes
While the potential benefits of deepfakes in marketing are alluring, companies and their general counsels must exercise caution and address several legal considerations before employing this technology. The legal landscape surrounding deepfakes is still evolving, and here are the top five key legal concerns and best practices that should be taken into account:
1. Misrepresentation and Misleading Advertising: The use of deepfakes in advertising and marketing campaigns may be construed as misrepresentation or misleading advertising, especially if it is presented as a genuine endorsement or testimonial from a celebrity without proper disclosure and actual agreement by the celebrity. Therefore, companies should be transparent about the use of deepfake technology and ensure that their campaigns do not deceive or mislead consumers. Also, different jurisdictions may have specific regulations governing the use of deepfakes in advertising, which companies must carefully navigate to avoid legal violations and potential fines or penalties.
2. Data Protection and Privacy: Deepfakes typically involve processing and using personal data, such as an individual's facial features, voice, or likeness, which can raise data protection concerns and potentially violate privacy laws if not handled properly. Therefore, any attempt to harness individuals' personal data, whether influencers or celebrities, for deepfake purposes without their explicit consent not only risks legal repercussions but also undermines trust and integrity. In the era of stringent regulations like GDPR, companies must navigate deepfake territory with utmost caution, ensuring full compliance with local privacy laws. Securing explicit consent and adhering to relevant data protection laws are non-negotiable steps for businesses venturing into deepfake territory.
3. Intellectual Property Rights: Besides privacy concerns, it is also essential to recognize that unauthorized utilization of an individual's likeness, voice, or image in deepfake media can constitute significant infringement upon intellectual property (“IP”) rights. Beyond privacy breaches, this includes potential violations of copyright, passing off, and trademarks infringement. Many jurisdictions also recognize a legal right of publicity, especially when it involves the likeness of celebrities, granting individuals control over the commercial use of their identity, and failure to obtain consent for these rights in deepfake media could result in legal repercussions. Therefore, companies must diligently secure all necessary rights and licenses from individuals before engaging in the creation or distribution of deepfake content, obtaining explicit consent for the use of their likeness, voice, or image, and ensuring compliance with relevant IP laws and regulations to mitigate the risk of potential disputes and legal liabilities.
4. Compliance with AI Laws and Regulations: With the emergence of AI regulations across various jurisdictions, it is imperative for companies to pay particular attention to the development of legislation governing the use of AI. Many jurisdictions are actively drafting and implementing their own regulations to address the ethical and legal implications of AI technologies, hence, staying abreast of these evolving regulations is essential to ensure compliance and shield businesses from accusations of deceptive practices. For instance, in certain jurisdictions, there is a requirement for companies to disclose the use of artificially generated or manipulated content, mandating transparency to prevent deception. Consequently, in marketing practices involving deepfakes, disclosure becomes paramount. Thus, companies must stay updated on AI-related laws and regulations, understanding the dos and don'ts to navigate this evolving landscape effectively.
5. Comprehensive Contractual Arrangements: Given the nascent and evolving nature of deepfake technology, it's imperative for businesses to establish robust contractual agreements governing the licensing and authorization of individuals' likeness, images, voices, and other personal attributes for deepfake purposes. These contracts should encompass a wide array of considerations such as (i) terms of use to clearly define the scope and limitations of the authorized use of the individual's likeness, image, voice, etc., in deepfake content, (ii) licensing rights to specify whether the license is exclusive, non-exclusive, or limited in any way, and detail any royalties or compensation arrangements, (iii) ownership of IP rights to specify whether the license is exclusive, non-exclusive, or limited in any way, and detail any royalties or compensation arrangements, and (iv) limitation on the distribution channels or platforms of the deepfake content.
As deepfake technology continues to advance, it presents both immense opportunities and significant challenges for businesses. By leveraging the power of deepfakes in marketing campaigns, companies can unlock new frontiers of creativity, cost-efficiency, and brand engagement, by offering businesses a powerful tool for innovative marketing and advertising strategies. However, navigating the legal landscape surrounding deepfakes requires a proactive approach and close collaboration with legal professionals who specialize in emerging technologies and AI regulations.
As the technology continues to advance, companies should remain vigilant, seek legal counsel, and prioritize transparency and ethical practices in their use of deepfakes. By doing so, companies can leverage the potential benefits of this technology while mitigating risks and fostering trust with their customers and stakeholders.
If your organization intends to leverage AI deepfake technology in your business, our team is poised to provide expert assistance. Leveraging our proficiency in AI technology and legal frameworks, we offer tailored guidance to safeguard your organization and ensure compliance with legal standards. Contact us today to proactively address these critical considerations.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group. Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity. johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity. ky.lo@hhq.com.my
7 May 2024
CYBER SECURITY ACT 2024 – STATUTORY OBLIGATIONS OF NCII ENTITIES
It has been more than a month since the passing of the Cyber Security Bill 2024, and many are eagerly waiting for the list of the national critical information infrastructure sector leads (“NCII Leads”) to be published, which is the very first step before a series of implementation under the Cyber Security Act 2024 can be rolled out.
That being said, we believe that many of the stakeholders who own or operate national critical information infrastructure (“NCII”) from the eleven (11) NCII sectors (“NCII Sectors”) would already have some idea as to whether they will be designated as NCII entities (“NCII Entities”). Our article this week seeks to assist soon-to-be NCII Entities to understand better what are the statutory obligations under the Cyber Security Act 2024 that will be imposed upon them once the designation as NCII Entities is finalised, as well as the exposure that the NCII Entities may face for non-compliance with these statutory obligations.
Statutory Obligations of NCII Entities
If the Cyber Security Act 2024 is to be described as a screenplay, then the NCII Entity is no doubt the most important role, with the most screentime in the play. A quick count through the Cyber Security Act 2024 shows that NCII Entities have a total of 13 distinct statutory obligations imposed upon them, not including any additional obligations that they may have under the codes of practice that are to be drawn up for each NCII Sector. The attention given to the NCII Entities under the Cyber Security Act 2024 is understandable, as they are the ones that either own or actively operate the NCIIs.
To simplify things, the statutory obligations of the NCII Entities can be categorised into four (4) broad categories as follows:
1. Information Disclosure Obligation
Upon being designated as an NCII Entity, the NCII Entity will have to provide information relating to the NCII owned or operated by it to the NCII Leads upon request. The objective of this obligation would appear to be to give the relevant NCII Leads a clear picture of the type and nature of NCIIs owned or operated by each NCII Entity. To ensure that the information is up to date, NCII Entities will also have a continuing obligation to notify the NCII Leads when they procure or come into possession or control of additional computers or computer systems which are believed to be NCIIs, as well as when there are material changes to the NCIIs they own or operate.
The NCII Entities also have an obligation to notify the NCII Leads when a computer or computer system owned or operated by them ceases to be NCII or when they no longer own or operate any NCII.
2. Codes of Practice Implementation
One of the most critical statutory obligations of NCII Entities is the requirement to implement the Codes of Practice put in place for each NCII Sector. The Codes of Practice will presumably contain the minimum standards and requirements for the NCII Entities to comply with in order to strengthen the cyber security of the NCIIs owned or operated by the NCII Entities.
The Codes of Practice are to be prepared by the NCII Leads appointed for each NCII Sector. Given that the list of NCII Leads has yet to be finalised, it may still be some time before any Codes of Practice see the light of day. That said, we believe that the Codes of Practice to be drawn up will likely contain provisions or requirements pertaining to Business Continuity Management and the preparation of a disaster recovery plan, which are essential for mitigating any impact that a cyber security incident may have on NCIIs.
3. Cyber Security Risk Assessment and Preparation
NCII Entities will also be required to conduct cyber security risk assessments from time to time in respect of the NCII owned or operated by them to ensure that appropriate cyber security safeguards are in place as required by the Codes of Practice and any directives as may be prescribed. Additionally, NCII Entities will have to allow an external auditor to audit their compliance with the Cyber Security Act 2024 from time to time. Reports will have to be drawn up following each cyber security risk assessment and/or audit and be submitted to the Chief Executive of the National Cyber Security Agency (“Chief Executive”). If the Chief Executive is not satisfied with the result of the cyber security risk assessment or is of the view that the audit report provided pursuant to an audit is insufficient, the Chief Executive may require a further cyber security risk assessment to be carried out or the audit report to be rectified. NCII Entities may also be required by the Chief Executive to carry out additional cyber security risk assessments or audits where there have been material changes to the design, configuration, security, or operation of the NCIIs owned or operated by the NCII Entities. In addition to the above, NCII Entities will be required to participate in and cooperate with the Chief Executive on any cyber security exercise that the Chief Executive elects to conduct.
The obligations of NCII Entities pertaining to risk assessments, audits and cyber security exercises are important to ensure that the cyber security measures in place appropriately and sufficiently account for all possible cyber security risks. As technology advances, threat actors will continuously innovate and deploy new methods and new technologies to breach the cyber security of NCIIs. As such, it is important that cyber security measures are updated constantly to address any new threats that malicious actors may take advantage of, thereby enhancing the cyber security readiness and preparedness of the NCII Entities.
4. Cyber Security Incident Notification and Response
Apart from enhancing the cyber security of NCIIs, the Cyber Security Act 2024 also seeks to establish a cyber security incident notification and response regime. Upon detecting a cyber security incident or potential cyber security incident in respect of the NCII owned or operated, an NCII Entity will have an obligation to report the same to the Chief Executive and the NCII Leads within a prescribed period. If further investigation confirms that the relevant NCII(s) has indeed suffered a cyber security incident, any response to the cyber security incident and measures to be taken by the relevant NCII Entity(ies) to recover from the incident, will have to be coordinated with the Chief Executive.
Effectively, NCII Entities will no longer have the discretion to respond to any cyber security incident without first consulting the Chief Executive, and any measures to be implemented in responding to, recovering from and preventing cyber security incidents will have to be consistent with the directives given by the Chief Executive.
Exposures for Non-Compliance with Cyber Security Act 2024
Under the Cyber Security Act 2024, penalties for non-compliance vary depending on the type and severity of the violation.
For general non-compliance with the statutory obligations under the Cyber Security Act 2024 by NCII Entities, such as failure to conduct additional cyber security risk assessment or rectify an audit report upon request by the Chief Executive, or failure to notify the NCII Leads of any material changes to the NCII owned or operated, the penalties are generally as follows:
1. a fine of up to Ringgit Malaysia One Hundred Thousand (RM100,000) or Two Hundred Thousand (RM200,000); or
2. either no imprisonment or imprisonment up to three (3) years; or
3. both of the above.
However, more serious violations involving critical statutory obligations, such as failure to implement the applicable Codes of Practice or failure to notify a cyber security incident, will carry a heavier penalty of a fine not exceeding Ringgit Malaysia Five Hundred Thousand (RM500,000) or imprisonment for a term not exceeding ten (10) years or both, upon conviction.
To demonstrate the seriousness of an offence under the Cyber Security Act 2024, management personnel of an NCII Entity can also be made personally liable for any non-compliance by the NCII Entity. The Cyber Security Act 2024 also makes it clear that where an offence is committed by the employee, agent or employee of the agent of an NCII Entity, the NCII Entity will also be made liable to the same punishment or penalty as its employee, agent or employee of its agent.
Conclusion
Considering the impact of a cyber security incident in respect of an NCII, the dire need for a robust cyber security regime in respect of the NCIIs in the country and strict compliance and enforcement of the same are no laughing matters.
NCII Entities stand on the frontline of any cyber warfare that may be waged against our nation’s NCIIs, and expectations of the NCII Entities to safeguard the NCIIs are definitely high. Given the key role that the NCII Entities play, it is advisable that the (soon to be) NCII Entities carefully consider their statutory obligations under the Cyber Security Act 2024 to better prepare for the eventualities. Upon the finalisation of the Codes of Practice for each NCII Sector, the NCII Entities should consider working with cyber security professionals and legal professionals who are well-versed in technology and cyber security matters to assess their compliance readiness and to put in place internal policies and procedures to meet their obligations under the Cyber Security Act 2024.
Please contact the partners from our Technology Practice Group should you have any enquiries pertaining to the Cyber Security Act 2024 or if you would like to enquire more about the obligations of an NCII Entity under the Cyber Security Act 2024.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group (Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity), ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group (Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity), johnson.ong@hhq.com.my
3 May 2024
Unpacking Shareholders' Pre-emptive Rights and Minority Oppression: A Case Analysis of Concrete Parade v Apex Equity
Introduction
The Federal Court's recent judgment in the case of Concrete Parade Sdn Bhd v Apex Equity Holdings Bhd & Ors [2021] 9 CLJ 849 marked the end of a protracted legal battle that reverberated through Malaysia's corporate landscape. In this article, Lum Man Chan and Khew Gerjean provide an overview of the case, shedding light on the complexities surrounding pre-emptive rights of shareholders and the obtaining of shareholders’ approval in corporate exercises pursuant to the Companies Act 2016 (“the Act”).
In summary, the Federal Court’s answers to the legal questions that arise in this case are as follows:
1) Under S.85 of the Companies Act 2016 (“CA 2016”), pre-emptive rights of the shareholders are not mandatory but subject to the constitution of the company, which may renounce, disapply, or fortify such pre-emptive rights.
2) S.223(1)(i) and (ii) of the Act should be read disjunctively, so shareholders' approval could be obtained either before entering into an agreement for the transaction or before the actual transfer of ownership of the asset.
3) The oppression action was not properly brought by Concrete Parade Sdn Bhd because the shareholders who had voted in favour of the corporate exercises were not named in the oppression suit.
Background of the case
Concrete Parade Sdn Bhd (“Concrete Parade”) initiated a minority oppression action under S.346 CA 2016 against Apex Equity Holdings Berhad (“Apex Equity”) premised upon the following grievances:
a) the proposed merger transaction between Apex Equity and Mercury Securities, which would see Mercury Securities emerging as the largest shareholder in Apex Equity through shares allotment; and
b) Apex Equity conducted share buy-back transactions from 2005 to 2017 in violation of its own M&A.
Proposed Merger Transaction
Apex Equity, along with its subsidiary JF Apex, planned a merger with Mercury. The proposed merger aimed to transfer Mercury's stockbroking business to JF Apex in exchange for:
i. RM48 million cash
ii. RM100 million worth of new shares in Apex Equity
The parties entered into a Heads of Agreement (HOA) on 21 September 2018, followed by a Business Merger Agreement (BMA) on 18 December 2018. Additionally, subscription agreements (SAs) were signed with seven placees for a private placement of new shares (collectively referred as “the Merger Agreements”). After the execution of these documents, the shareholders’ resolutions were passed.
Share Buy-back Transactions
Between 2005 and 2017, Apex Equity undertook multiple share buy-back transactions (“the transactions”). These transactions were conducted based on mandates and approvals granted by the company's shareholders. However, in 2018, Concrete Parade brought to the attention of Apex Equity's management that the company's Memorandum and Articles of Association (M&A) did not permit such transactions.
Despite the shareholder's objection, Apex Equity's board sought a further mandate in 2018 to continue with the transactions. However, this resolution was voted against by the shareholders. Hence, Apex Equity filed a proceeding to validate the share buy-back transactions undertaken between 2005 and 2017 and it was eventually allowed by the High Court.
The Key Issues and the High Court Findings
1. FIRST ISSUE: Whether Apex Equity breached S.85 and S.223 of CA 2016.
Concrete Parade argued that it was denied its statutory and contractual pre-emptive rights to be offered new shares in Apex Equity. S.85(1) mandates that existing shareholders should be offered new shares before they are offered to outsiders. However, Apex Equity's memorandum and articles of association, particularly Article 11, did not expressly ensure the protection of Concrete Parade's pre-emptive rights.
The High Court Judge concluded that there was no breach of pre-emption rights since shareholders had approved the proposed placement. The shareholders would reasonably understand that a private placement would dilute their interest, even without explicit mention in the circular. Thus, the absence of specific language denoting pre-emption waiver couldn't be deemed as oppressive as long as the transaction's effects were reasonably clear to Apex Equity's shareholders.
Further, it was held that the shareholders’ approval sufficed either through prior general meeting approval or documentation specifying approval as a condition precedent. Since the BMA required shareholder approval for the acquisition of Mercury’s business, there was no violation. S.223(1) applies only when transactions create enforceable obligations on a company to acquire or dispose of substantial assets. The HOA, although legally binding, did not commit parties to the sale and purchase, thus not mandating shareholder approval.
Even if the HOA breached S.223(1), it was superseded by the BMA, which complied with shareholder approval requirements. S.223 should be construed in a disjunctive manner to allow for flexibility, stating that it suffices if either the entry into the arrangement is made conditional on shareholder approval OR if the carrying into effect of the transaction is approved by shareholders.
2. SECOND ISSUE: Whether the Share Buy-Back Transactions are valid and legal.
Concrete Parade contended that the share buy-back transactions were illegal due to the contravention of S.67 of the Companies Act 1965 and/or S.123 of the Companies Act 2016. The directors' actions in seeking validation from the Court without amending the M&A were a blatant disregard of the company's governing documents. The directors of Apex Equity should have obtained consent and authority from the shareholders before filing for validation proceedings. They argued that the filing of validation proceedings without prior knowledge or approval of the shareholders resulted in unfair prejudice to Concrete Parade, as it impinged upon their substantive rights.
The High Court ruled that the share buy-back transactions undertaken by Apex Equity between 2005 and 2017 were valid, despite objections raised by the shareholder. While it was acknowledged that Concrete Parade was not notified of the validation proceedings, it could not establish prejudice to its shareholder rights for recourse under S.346 of the CA 2016.
Dissatisfied with the High Court’s decision, Concrete Parade appealed to the Court of Appeal.
Court of Appeal Findings
The Court of Appeal found that Article 11 did not amount to a complete waiver of Concrete Parade's pre-emptive rights. It was held that the Merger Resolutions passed after the execution of several agreements related to the proposed merger did not effectively waive Concrete Parade's statutory pre-emptive rights. For the Merger Resolutions to constitute an operative direction waiving the pre-emptive rights, specific information regarding the shareholders' rights under the CA 2016 needed to be included. This information should have clarified that existing shareholders had a statutory pre-emptive right to be offered any new shares and that by voting in favour of the Merger Resolutions, they would be indirectly waiving these rights. Since this information was not provided, the court concluded that Concrete Parade's pre-emptive rights had been unfairly denied, resulting in an unjustified dilution of their shareholding.
Next, it was held that S.223 is to be read conjunctively notwithstanding the use of the phrase ‘or’ between the two provisos. It imposes two separate requirements: one for entering the transaction and another for carrying it into effect. The Court of Appeal found that the Merger Agreements formed one composite transaction. For compliance with S.223, the HOA should have been subject to or contained a condition precedent for shareholder approval. Additionally, since the BMA was executed before shareholder approval was obtained, it failed to comply with the requirement of prior approval. Therefore, the Court concluded that Apex Equity had failed to fulfil the shareholder approval requirement under S.223, rendering the proposed merger invalid. The Court of Appeal imposed a duty on directors to inform shareholders at both the entry and execution stages of the transaction. It held that failure to obtain prior shareholder approval at either stage renders the transaction void.
The Impact of the Court of Appeal’s Decision
The Court of Appeal's interpretation, where S.223(b)(i) and (ii) are read conjunctively, requires the directors to secure shareholder approval twice: once before entering into any form of agreement for a proposed acquisition or disposal of a substantial asset and again before executing it. This approach seems overly burdensome and impractical, potentially leading to the abandonment of many transactions and necessitating the preparation of two sets of documents. Such a requirement could hinder business operations and create unnecessary complexities.
The Court of Appeal further held that the share buy-back transactions remained illegal despite the validation order granted by the High Court due to the contravention of relevant sections of the Companies Act and the failure to obtain shareholder approval. Moreover, the filing of validation proceedings without prior shareholder consent or approval was unjust and prejudicial to Concrete Parade's rights. It emphasised the importance of obtaining shareholder authorisation before taking actions that significantly affect the company's operations or financial transactions.
Analysis of the Federal Court’s Judgment
1) S.85 – Pre-emptive rights are subject to company’s constitution
S.85(1) grants shareholders the privilege to maintain their proportional ownership by offering them the opportunity to purchase shares before they are issued to outsiders. However, this right is subject to the constitution of the company, which may renounce, disapply, or fortify such pre-emptive rights. The Federal Court disagreed with the Court of Appeal interpretation that the pre-emptive rights are mandatory and pointed out the Court of Appeal’s failure to consider the purpose and intent of the Act in interpreting the provisions.
It was held that S.85(1) allows for discretionary application of pre-emptive rights based on the company's constitution. The constitution prevails over statutory pre-emptive rights, allowing shareholders to determine whether to relinquish or retain such rights. Shareholders have the flexibility to determine the extent of their pre-emptive rights, as reflected in the constitution. Parliament did not intend to restrict directors' powers or mandate pre-emptive rights but provided shareholders the freedom to decide through general meetings.
Interpretation of S.75 and 85: The Federal Court discussed the relationship between sections 75 and 85. S.75 deals with the power of directors to allot shares, requiring prior approval by the company before directors can proceed. However, exemptions in S.75(2) allow for issuance without general meeting approval for certain purposes, such as financing acquisitions.
When read together, S.75 and 85 establish the framework for pre-emptive rights of existing shareholders in the issuance of new shares. S.75 guarantees the general principle of pre-emptive rights, while S.85 allows companies to specify the details of these rights in their Articles of Association. The Articles of Association, as mentioned in S.85, can provide exceptions or modifications to pre-emptive rights, subject to the company's constitution.
Interpretation of Article 11: The Court of Appeal interpreted the phrase "subject to direction to the contrary by the company at general meeting" as requiring the company to inform shareholders of their pre-emptive rights before any proposed issuance of new shares for raising capital. This interpretation imposes obligations on the company to seek explicit consent from shareholders before deviating from standard procedures regarding share issuance. However, the Federal Court disagreed with this interpretation. It asserted that pre-emptive rights are discretionary and can be applied based on the company's constitution. The Federal Court emphasised that the phrase allows flexibility for the company to adapt its operations or decision-making processes as required by specific circumstances. It rejected the imposition of additional conditions on the company, as these could hinder its ability to conduct corporate transactions efficiently.
2) S.223 should be read disjunctively and there is no requirement for 2-tier approval
The Federal Court disagreed with the Court of Appeal’s interpretation. It argued that the word "or" should be read disjunctively, meaning that compliance with either sub-paragraph (b)(i) or (b)(ii) sufficed. According to this interpretation, shareholders' approval could be obtained either before entering into an agreement for the transaction or before the actual transfer of ownership of the asset.
The Federal Court reasoned that requiring compliance with both sub-paragraphs would lead to impractical consequences for companies. It emphasised the importance of upholding the purpose and intent of the Companies Act, which aims to balance regulatory requirements with the efficient operation of businesses. This interpretation aligns with the overarching goal of ensuring transparency and shareholder awareness without unduly hindering corporate activities.
In conclusion, the Federal Court held:
- S.223(1)(i) and (ii) of the Act can be read disjunctively, meaning compliance with either sub-paragraph suffices.
- At least one agreement forming a composite transaction must contain an express condition precedent requiring shareholder resolution, and shareholder approval in a general meeting satisfies S.223(1)(ii).
- S.223(1) of the Act does not impose an incumbent duty on directors to inform shareholders of an intention to enter into or carry out an acquisition or disposal of substantial assets based on previous court decisions.
3) Was Concrete Parade unfairly prejudiced?
The Federal Court disagreed with the Court of Appeal's assessment of whether Concrete Parade suffered unfair prejudice compared to other shareholders. The Federal Court argued that since the majority of shareholders had approved the merger, there was no unfair prejudice. It suggested that the oppression claimed may have been more indicative of a management versus shareholder conflict than a minority-majority shareholder dispute. Additionally, the Federal Court questioned the Court of Appeal's decision not to include the majority shareholders, who approved the transactions, as parties to the oppression action. This omission, according to the Federal Court, could have influenced the assessment of whether Concrete Parade was unfairly prejudiced. It emphasised the principle of majority rule in corporate governance and stated that claims of oppression under S.346 of the CA 2016 cannot be used to circumvent legitimate decisions made by the majority.
4) Was the oppression action properly brought by Concrete Parade?
Given the lack of established contraventions of relevant sections of CA 2016 and the failure to conclusively establish illegality regarding the share buy-back transactions, the Federal Court questioned the suitability of the oppression remedy.
It was asserted that an oppression finding couldn't be made under S.346 when shareholders had the opportunity to vote on transactions, approved them, and weren't party to oppression proceedings. The Federal Court highlighted the failure of the Court of Appeal to grasp this fundamental issue.
Concrete Parade's failure to join the majority shareholders, who allegedly oppressed them, was deemed fatal to the oppression action. By solely targeting the directors, Concrete Parade's complaint lacked grounds for oppression action, suggesting it should have been brought against the officers or directors for contravening CA 2016. The Federal Court argued that Concrete Parade's grievance was essentially against majority rule, disguised as an oppression action, constituting an abuse of statutory remedy.
The conduct of Concrete Parade was scrutinised, particularly its decision to pursue an oppression action despite majority approval of transactions. The Federal Court questioned whether the action was filed to hinder the proposed merger rather than to address actual unfair prejudice. Concrete Parade's failure to demonstrate how it uniquely suffered prejudice, coupled with its attempt to hold directors accountable for majority decisions, indicated an abuse of the statutory process.
In essence, the Federal Court concluded that Concrete Parade's oppression action lacked merit and appeared to serve a collateral purpose, constituting an abuse of the statutory process under S.346 of the Act.
5) S. 582: Share Buy-Back Transactions are not illegal under CA 2016
The Federal Court upheld the High Court's decision. Despite finding that the transactions lacked proper authorisation under CA 2016, the Federal Court disagreed with the Court of Appeal's conclusion that they were unlawful and void. Instead, the Federal Court criticised the Court of Appeal's legal interpretation, arguing that the transactions, while ultra vires, did not automatically constitute illegality.
The Federal Court refrained from definitively addressing whether S.582(3) could rectify an illegality, citing the conclusion that oppression wasn't established. Nonetheless, the Federal Court acknowledged the general view that S.582 should not rectify illegality. It highlighted the uncertainty regarding whether the lack of authorisation for share buy-backs amounted to illegality under S.67A and 127 of the Act. Since the focus was on whether the transactions unfairly prejudiced Concrete Parade, this issue wasn't deemed crucial for resolution.
Regarding the High Court's validation order, the Federal Court emphasised that while certain aspects of the transactions were unauthorised, this didn't automatically render the entire process void. Ultimately, even if the transactions contravened the company's constitution or were rendered void, there is no oppression of Concrete Parade because this would affect all the shareholders rather than Concrete Parade alone.
6) The Importance of Accurate Legal Citations in Judicial Proceedings
The Federal Court also took the opportunity to address an important issue regarding the citation of legal precedents. It highlighted a case where incorrect and outdated decisions were cited to the Court of Appeal, potentially leading to an erroneous judgment. Such errors, it emphasised, could have significant consequences, impacting corporate transactions and potentially causing confusion in legal interpretations.
The Federal Court stressed the responsibility of legal counsel to ensure the accuracy and relevance of cited cases, emphasising the importance of thorough research. It noted that failure to do so could range from mere oversight to misleading the court, which is unacceptable conduct for any legal practitioner.
The Federal Court also referenced a previous case to underscore the importance of well-researched advocacy, particularly in appellate proceedings. It emphasised that judges rely heavily on the arguments and authorities presented by counsel, and any inaccuracies could lead to misinterpretations of the law and undermine the administration of justice.
In Malaysia, where legal professionals can appear before courts at various levels, maintaining high standards of advocacy is crucial for ensuring the accuracy and integrity of legal proceedings.
Conclusion
In complex transactions like mergers, the interpretation and application of provisions in CA 2016 require careful consideration of legal nuances and procedural requirements. The Federal Court's analysis provides clarity on the scope and application of the provision, guiding companies and legal practitioners in navigating the intricacies of company law.
The Court of Appeal's failure to recognize the significance of majority rule in the context of the merger approval is a critical oversight. By overlooking the fact that shareholders collectively voted in favor of the merger at a general meeting, the Court of Appeal failed to grasp that any alleged prejudice suffered by Concrete Parade would have affected all shareholders equally.
Moreover, it is essential to emphasise the paramountcy of majority rule in corporate governance. While S.346 of the CA 2016 introduces a statutory mechanism to address oppression, it is incumbent upon claimants to substantiate claims of unfairly prejudicial conduct. Attempting to invoke S.346 to circumvent situations where majority rule legitimately prevails, as demonstrated in this case, undermines the integrity of corporate decision-making processes.
In essence, the principle of majority rule serves as the cornerstone of corporate governance, and statutory remedies for oppression should not be misused to challenge bona fide decisions made by the majority of shareholders.
About the authors
Lum Man Chan, Partner, Dispute Resolution, Halim Hong & Quek, manchan@hhq.com.my
Khew Gerjean, Pupil-in-Chambers, Dispute Resolution, Halim Hong & Quek, k.gerjean@hhq.com.my
3 May 2024
Enforcement of Companies (Amendment) Act 2024
The Companies (Amendment) Act 2024 (“Amendment Act 2024”) came into operation on 1.4.2024. Following the Amendment Act 2024, the Companies Commission of Malaysia (“CCM”) had issued some guidelines pertaining to the amendments introduced by the Amendment Act 2024. In this article, we will address and highlight some salient amendments to the Companies Act 2016 (“CA 2016”) brought by the Amendment Act 2024.
1) Introduction of new Beneficial Ownership Reporting Framework
The new Division 8A of Part II introduced by the Amendment Act 2024 brought in the new beneficial ownership reporting framework. The new sections 60A, 60B, 60C, 60D, 60E and 60F of the CA 2016 cover the following:
i) The criteria of a beneficial owner;
ii) Register of beneficial owners;
iii) Company has power to obtain beneficial ownership information from its members and any person identified as beneficial owner or has information relating to a beneficial owner of the company; and
iv) The obligation of beneficial owners to notify companies of their status as beneficial owners of the companies including any changes to the beneficial ownership information recorded in the register of beneficial owners kept by the companies at the registered office.
According to the “Guidelines For The Reporting Framework For Beneficial Ownership Of Companies” issued by CCM, the introduction of the new beneficial ownership reporting framework aims to promote corporate transparency through a disclosure regime. This is in response to the rising number of cases where businesses are misused to carry out illicit activities such as money laundering, terrorism financing, proliferation financing and other serious crimes, and where the individual perpetrators hiding behind such businesses employ devious means to prevent their identity from being easily detected.
What is a “beneficial owner”?
Section 60A of the Companies Act 2016 defines a beneficial owner as “a natural person who ultimately owns or controls over a company and includes a person who exercises ultimate effective control over a company.” Based on the “Case Studies and Illustrations of the Guidelines For the Reporting Framework For Beneficial Ownership of Companies” issued by CCM, an individual is a beneficial owner in a company limited by shares if he meets one or more of the following criteria:
a) Criteria A: If he holds directly or indirectly in not less than 20% of the shares of the company.
b) Criteria B: If he holds directly or indirectly in not less than 20% of the voting shares of the company.
c) Criteria C: If he has the right to exercise ultimate effective control whether formal or informal over the company or the directors or the management of the company.
d) Criteria D: If he has the right or power to directly or indirectly appoint or remove a director(s) who holds the majority of the voting rights at the meeting of directors.
e) Criteria E: If he is a member of the company and, under an agreement with another member of the company, controls alone a majority of the voting rights in the company.
f) Criteria F: If he has less than 20% of shares or voting shares but exercises significant control or influence over the company.
For a company limited by guarantee (without shares), the assessment will be based on Criteria C, D and E stated above only.
Pursuant to Section 60B of the CA 2016, it is mandatory for companies to maintain a register of beneficial owners which must be kept at the registered office of the company, or any other place in Malaysia, as notified to the CCM.
Section 60C of the CA 2016 provides that a company has power to require its members to disclose the beneficial owner of the company and to provide certain information as specified in the Act. A failure to disclose or the provision of false information is an offence under the CA 2016.
In addition, Section 60D of the CA 2016 requires any person who has reason to believe that he is a beneficial owner of a company to notify the company as well as to provide the necessary information prescribed by the Act to the company. Any person who contravenes this section commits an offence.
It should be highlighted that at the time this article is written, no company is exempted from the application of the new Division 8A of the Companies Act 2016. The beneficial ownership reporting framework is a necessary requirement under the new Division 8A of the Companies Act 2016, which all companies must comply with even though they may incur more cost and take more time. Once again, any non-compliance with the beneficial ownership reporting framework is an offence.
2) Amendments to the Corporate Rescue Mechanism Provisions
According to the “Frequently Asked Questions – Companies (Amendment) Act 2024” issued by CCM, there are two policies underlying the amendments to the Companies Act 2016:
Policy 1: Widening the Application of Corporate Rescue Mechanism - Corporate Rescue Arrangement (CVA) and Judicial Management (JM)
Policy 2: Strengthening the Corporate Rehabilitation Framework
Policy 1
The amendment to Section 395 of the Companies Act 2016 aims at widening the application of CVA to all companies including public listed companies and companies which have created a charge over their property or undertaking.
Amendments
Section 395 – Substitution for Section 395
Pre-Amendment:
Non-application of this Subdivision
395. This Subdivision shall not apply to—
a) a public company;
b) a company which is a licensed institution or an operator of a designated payment system regulated under the laws enforced by the Central Bank of Malaysia;
c) a company which is subject to the Capital Markets and Services Act 2007; and
d) a company which creates a charge over its property or any of its undertaking.
Amendment Act 2024:
Non-application of this Subdivision
395. This Subdivision shall not apply to—
a) a company which is a licensed institution or an operator of a designated payment system regulated under the laws enforced by the Central Bank of Malaysia;
b) a company which is approved or registered under Part II, licensed or registered under Part III, approved under Part IIIA or recognised under Part VIII of the Capital Markets and Services Act 2007; and
c) a company which is approved under Part II of the Securities Industry (Central Depositories) Act 1991.
In addition, the amendment to Section 403 of the Companies Act 2016 aims to clarify that judicial management can be applied for by all companies including public listed companies.
Amendments
Section 403 – Amendment to Section 403
Pre-Amendment:
403. This Subdivision shall not apply to—
a) a company which is a licensed institution or an operator of a designated payment system regulated under the laws enforced by the Central Bank of Malaysia; and
b) a company which is subject to the Capital Markets and Services Act 2007.
Amendment Act 2024:
403. This Subdivision shall not apply to—
a) a company which is a licensed institution or an operator of a designated payment system regulated under the laws enforced by the Central Bank of Malaysia;
b) a company which is approved or registered under Part II, licensed or registered under Part III, approved under Part IIIA or recognised under Part VIII of the Capital Markets and Services Act 2007; and
c) a company which is approved under Part II of the Securities Industry (Central Depositories) Act 1991.
Policy 2
The salient amendments to the Companies Act 2016 for the purpose of strengthening the corporate rescue mechanism are set out below by section, with a description and remarks for each:
Section 368
The new subsection 368(1A) will give companies applying for a restraining order under a scheme of arrangement or compromise an automatic moratorium upon filing of such application for a maximum of two months or until the Court decides on the application, whichever is earlier. To prevent abuse of process whereby the application for restraining orders can be used to continuously deprive the rights of creditors, Section 368(3B) provides that no restraining order would be granted by the Court if an order has been granted in the preceding 12 months involving a rescue financing, a cram down, an approval of the proposed scheme without a meeting of creditors or when a related company makes an application for a restraining order in relation to a proposed scheme.
Section 368A
In some circumstances, restructuring does not involve just one company. In a larger restructuring of a group of companies, some other entities may be involved although they may not be part of the scheme of arrangement. Section 368A provides that a related company can apply for a restraining order on similar terms with the company undergoing the scheme of arrangement provided that the company plays an integral part in the scheme of arrangement.
Sections 368B and 415A
‘Rescue Financing’ is defined as financing that is necessary for the survival of a company that obtains the financing or that is necessary to achieve a more advantageous realisation of the assets of a company.
In cognizance of the fact that financially distressed companies often face a higher cost of borrowing as banks or financial institutions become more wary of providing fresh loans without some form of protection, a new policy is introduced to provide better protection to parties giving the rescue financing.
As such, under these sections, the Court is empowered to order the debt arising from any rescue financing to be secured against the property of the company on certain conditions.
In the event the company is wound up, debts arising from rescue financing are given super priority over all other debts.
Section 368D
A cram down is a mechanism that will allow the Court to compel dissenting creditors to be bound by the proposed scheme of arrangement. The aim of a cram down is to ensure that companies in distress will have a successful scheme with less interference and at the same time accord protection to the dissenting creditors.
An application for cram down could be made to the Court provided that:
i. The scheme is approved by a majority of 75% of the total value of the creditors or members present
ii. The scheme is fair and equitable to each class of dissenting creditors
Section 367
The amendment to Section 367 of the Companies Act 2016 imposes a mandatory requirement for the appointment of an insolvency practitioner to oversee the proposed scheme and report its status to the Court before the scheme is approved. The objective of this amendment is to ensure a higher chance that the proposed scheme would be successful.
Section 430A
For a company that becomes subject to the proceedings in relation to a compromise or arrangement, a voluntary arrangement or a judicial management, Section 430A provides that an insolvency related clause in any contract for the supply of essential goods and services cannot be exercised against the company merely because the company becomes subject to those proceedings. What this means is that under the new section 430A, suppliers will have to continue to fulfil their commitments under their contract so that companies can continue trading through the rescue process, including making it easier for companies to maintain supply contracts that are essential for the continuation of the business. Essential supplies under this new section would include the supply of water, electricity or gas.
Conclusion
The Amendment Act 2024 has brought many important amendments to the CA 2016. The new beneficial ownership reporting framework is introduced to close the gaps in the CA 2016 and bring it in line with international standards, i.e. those of the Financial Action Task Force (FATF) and the Organisation for Economic Co-Operation and Development (OECD), as well as international best practices. The main objective of those standards is to combat money laundering and terrorist financing, as well as other illegal activities such as corruption and tax evasion.
In addition, the amendments to the corporate rescue mechanism aim to facilitate the scheme of arrangement and judicial management. With the Amendment Act 2024, all the public listed companies are allowed to also apply for the corporate rescue mechanism available under the CA 2016.
About the author
Jessica Wong Yi Sing, Senior Associate, Dispute Resolution, Harold & Lam Partnership, jessica@hlplawyers.com
3 May 2024
Clarifying Developer Voting Rights in Management Corporation Meetings
Management Corporation (MC) meetings serve as crucial forums for decision-making in condominium and strata-titled developments, where stakeholders discuss various aspects of property management. One contentious issue often debated is the extent of voting rights held by developers over parcels they own as proprietors. This article aims to thoroughly analyse the legal framework surrounding this issue, shedding light on the nuances of developer entitlement to voting rights in MC meetings.
The determination of developer voting rights in MC meetings is guided by statutory provisions that outline the rights and obligations of property stakeholders. Section 21 of Strata Management Act 2013 (SMA 2013) explicitly states that each proprietor, provided they meet eligibility criteria, has the right to vote on matters during MC meetings, whether on a show of hands or on a poll. Furthermore, Section 22(2)(c) identifies proprietors as parcel owners, underscoring their importance in property governance.
Central to the interpretation of voting rights is the definition of a parcel owner as outlined in Section 2 of the legislation. According to this provision, a parcel owner is defined as either the purchaser or the developer of a parcel. This definition serves as the foundation for understanding the developer's entitlement to voting rights, particularly concerning both sold and unsold units within the property. Section 22(2)(g) is instrumental in delineating the developer's voting rights over unsold units. It explicitly states that developers possess voting rights equivalent to purchasers in respect of unsold units. This provision acknowledges the developer's ongoing involvement in managing and overseeing unsold parcels until they are transferred to individual purchasers.
However, the crux of the issue emerges when considering the developer's voting rights over sold units. Despite being the proprietor of these parcels, the developer's classification as the parcel owner is subject to interpretation. This ambiguity stems from the definition of a purchaser as someone who has acquired an interest in the parcel. In the case of sold units, the interest in the parcel has been transferred to individual purchasers, thereby raising questions about the developer's status as the parcel owner in this context. Moreover, the transition of ownership from the developer to individual purchasers alters the dynamics of property management and governance. While the developer retains control during the development phase, their role evolves upon the sale of units. The transfer of ownership confers rights and responsibilities upon individual purchasers and diminishes the developer's direct involvement in the management of sold units.
In conclusion, the issue of developer voting rights in MC meetings requires a meticulous examination of relevant legal provisions. While developers enjoy voting rights akin to purchasers concerning unsold units, their entitlement to vote over sold units hinges on their classification as parcel owners. This classification is influenced by the transfer of ownership to individual purchasers, which diminishes the developer's direct stake in the management of sold units. By elucidating these distinctions, property governance can proceed in a manner that fosters transparency and equitable decision-making within the management corporation.
About the author
Noorvieana Lim, Associate, Real Estate, Halim Hong & Quek, noorvieana.lim@hhq.com.my
3 May 2024
Cause Papers for Matrimonial Proceedings May Be Filed in the English Language Only
On 9.2.2024, the Federal Court in the case of Robinder Singh Jaj Bijir Singh v Jasminder Kaur Bhajan Singh [2024] 2 MLJ 126; [2024] 3 CLJ 647 ruled that the cause papers for matrimonial proceedings, including petitions, interlocutory applications and associated affidavits, filed under the Law Reform (Marriage & Divorce) Act 1976 and the Divorce and Matrimonial Proceedings Rules 1980, can be filed solely in English without an accompanying translation in the National Language.
In Malaysia, marriage and divorce matters of non-Muslims are governed by the Law Reform (Marriage and Divorce) Act 1976. This Act does not apply to Muslims and the natives of Sabah & Sarawak.
BACKGROUND FACTS
The marriage between the parties, the Appellant (Husband) and Respondent (Wife) had irretrievably broken down.
On 7.1.2022, the Respondent filed an ex-parte application in the High Court for interim sole custody, care and control of their son (“Enclosure 6”). On 24.1.2022, the High Court granted certain orders in Enclosure 6. However, the order lapsed after 21 days as it was not served on the Appellant. On 27.1.2022, the Respondent filed another application which was similar to Enclosure 6.
On 24.3.2022, the Appellant filed an application to set aside the ex-parte order granted by the High Court on 24.1.2022 (“Enclosure 20”). Enclosure 20 was filed in the English Language without an accompanying translation in the National Language.
On 18.4.2022, the Appellant filed an application for the interim guardianship, custody, care, control and access. The parties subsequently recorded a consent order.
Thereafter, the Appellant requested for Enclosure 20 to be heard, which the Respondent also agreed to as the only matter outstanding was whether damages ought to be granted.
HIGH COURT
The High Court dismissed Enclosure 20 based on the following grounds:
- The Appellant failed to file the translation for Enclosure 20 within the time ordered.
- The Appellant failed to comply with Order 92 Rules 1(1) and (4) of the Rules of Court 2012 (“ROC 2012”) which requires a translation of the documents in the National Language to be filed within two weeks or within such extended time as allowed by the Court.
- The unavailability of a translation of the DMP Rules 1980 into the National Language is not a valid reason to not file a translation of Enclosure 20 and the related cause papers.
COURT OF APPEAL
The Court of Appeal upheld the decision of the High Court and held that Registrar’s Circular No. 5 of 1990 (“Registrar’s Circular”) is administrative in nature and cannot possibly prevail over the language requirement in Order 92 Rules 1(1) and (4) of ROC 2012.
ISSUES BEFORE THE FEDERAL COURT
The Federal Court granted leave to appeal in relation to the following questions of law:
1) Whether petitions for judicial separation or divorce (matrimonial proceedings) filed pursuant to the provisions of the Law Reform (Marriage and Divorce) Act 1976 (“LRA 1976”) and Divorce and Matrimonial Proceedings Rules (“DMP Rules 1980”) may be filed in the English Language only;
2) if so, whether all other cause papers filed in the matrimonial proceedings may be filed in the English Language only; and
3) if the answers to either one or both of the questions above are in the negative, whether the filing of the documents in English only is an irregularity that can be cured with the necessary directions by the Court that the said cause papers be filed in Bahasa Malaysia.
ANALYSIS AND DETERMINATION OF THE FEDERAL COURT
The Federal Court answered the first two questions in the affirmative, leaving the third question unnecessary for determination.
(1) The Registrar’s Circular Remains Valid
Section 2 of the National Language Act 1963/67 (Revised 1971) (“NLA 1971”) provides that the National Language shall be used for official purposes “Save as provided in this Act and subject to the safeguards contained in Article 152(1) of the Constitution relating to any other language and the language of any other community in Malaysia”.
Section 8 of the NLA 1971 (as amended vide Act A765/1990 with effect from 30.3.1990) permitted the continued use of English for proceedings in court. To facilitate the amendment to Section 8 of NLA 1971, the Chief Judge of Malaya issued Practice Direction No.2 of 1990 (“PD 2/1990”), whereby the substance of PD 2/1990 was substantially reflected in the amended Section 8.
Shortly after the issuance of PD 2/1990, the Registrar’s Circular No. 5 of 1990 (“Registrar’s Circular”) was issued, which allows the cause papers relating to divorce and matrimonial proceedings, insolvency and winding up proceedings to be filed in English until such time as the relevant rules are translated into the National Language and the translations are gazetted.
In Circular No. 153 of 2019 captioned “Filing of Documents in English for Family Law Matters” dated 6.8.2019, the Managing Judge of the High Court in Kuala Lumpur confirmed that the Registrar’s Circular remains valid, as far as matrimonial proceedings are concerned.
The Registrar’s Circular is still in effect today as the DMP Rules 1980, relevant to this appeal, have yet to be translated and gazetted.
(2) Order 92 of ROC 2012 Does Not Apply to Matrimonial Proceedings under LRA 1976
The High Court Judge dismissed Enclosure 20 as there was no translation of these cause papers into the National Language. The High Court relied on Order 92 Rule 1(1) of the Rules of Court 2012 (“ROC 2012”) which stipulates that “any document required for use in pursuance of these Rules shall be in the national language”.
However, Order 1 Rule 2(2) of ROC 2012 provides that “these Rules [ROC 2012] will not have any effect in or to those proceedings where separate rules have already been made or may be made under written law specifically for the purpose of such proceedings”.
Further, Order 94 Rule 2(2) of ROC 2012 provides that in the event there is any inconsistency between any of the rules made under the specific written law in Appendix C and the ROC 2012, the former shall prevail. Matrimonial proceedings under LRA 1976 are one of the exempted written laws set out in item 5 of Appendix C.
Therefore, ROC 2012 and in particular Order 92 does not apply to the matrimonial proceedings in this case.
CONCLUSION
The Federal Court allowed the appeal and set aside the decisions of the High Court and Court of Appeal.
The Federal Court’s ruling resolved the lack of uniformity of practice in matrimonial proceedings. Prior to this decision, the High Court in Kuala Lumpur and Penang are said to accept cause papers for matrimonial proceedings in English while the High Court in Malacca has rejected cause papers that are not translated to the National Language.
The position of the law on this issue is now settled – the cause papers for matrimonial proceedings under the LRA 1976 may be filed in English only, until the DMP Rules 1980 are officially translated and gazetted.
About the authors
Chew Jin Heng, Associate, Dispute Resolution, Halim Hong & Quek, jhchew@hhq.com.my
Khew Gerjean, Pupil-in-Chambers, Dispute Resolution, Halim Hong & Quek, k.gerjean@hhq.com.my
3 May 2024
Can an Adjudication Decision, After Having Been Enforced Pursuant to Section 28 CIPAA 2012, Be Stayed Pursuant to Section 16(1)(b) CIPAA 2012?
The Federal Court has in its grounds of judgment for the case of ECONPILE (M) SDN BHD v ASM DEVELOPMENT (KL) SDN BHD [Civil Appeals Nos.: 02(f)-2-01/2023(W) and 02(f)-34-05/2023(W)] answered the following questions of law:
Question 1 (answered in the negative)
“Whether an adjudication decision, after having been enforced pursuant to Section 28 of CIPAA 2012 as an Order of the Court, can be stayed pursuant to Section 16(1)(b) of the CIPAA 2012”
Question 2 (answered in the positive)
“Whether the Court of Appeal in so deciding to allow the stay application pursuant to section 16(1)(b) CIPAA 2012 has overruled or disagreed, or gone beyond the ratio decidendi of the Federal Court decision in View Esteem Sdn Bhd v Bina Puri Holdings Sdn Bhd [2018] MLJ 22; [2019] 5 CLJ 479.”
The Facts
Adjudication Decisions
Econpile obtained 2 separate adjudication decisions against ASM for the respective sums of RM59,767,269.32 (CIPAA 1) and RM5,959,024,99 (CIPAA 2).
High Court (CIPAA 1)
Due to ASM’s failure to pay the sums awarded under the CIPAA 1 Adjudication Decision, Econpile had made an application to enforce the CIPAA 1 Adjudication Decision as a judgment of the High Court under Section 28 CIPAA 2012. Consequently, ASM had filed applications to set aside and/or stay the CIPAA 1 Adjudication Decision under Section 15(b), 15(d), and 16(1)(b) of CIPAA 2012.
On 29.11.2019, the High Court dismissed ASM’s applications for setting aside and stay of the CIPAA 1 Adjudication Decision, and allowed Econpile’s application to enforce the CIPAA 1 Adjudication Decision. In relation to ASM’s stay application, the High Court found that:
a) the fact that ASM has a claim which exceeds Econpile’s payment claim in arbitration cannot be regarded as a special circumstance unless it can be shown that there is a real danger that Econpile would not be able to pay ASM, which ASM failed to do.
b) further, there were no clear and unequivocal errors on the part of the learned Adjudicator in arriving at the adjudication decision, nor were there cogent reasons why a stay is warranted to meet the justice of the case or that the discretion ought to be exercised in ASM’s favour.
Court of Appeal (CIPAA 1)
ASM appealed against all three of the High Court’s decisions to the Court of Appeal. On 26.4.2022, the Court of Appeal dismissed ASM’s appeal against the High Court’s decision to enforce the adjudication decision, and ASM’s appeal against the High Court’s dismissal of ASM’s setting aside application.
However, despite the Court of Appeal’s affirmation of the High Court’s enforcement order, the Court of Appeal allowed ASM’s appeal against the High Court’s dismissal of ASM’s stay application (“CIPAA 1 COA Stay Order”), and amongst others, held that there are no express prohibitions in the CIPAA stating that stay applications cannot be allowed after the enforcement order has been made.
On 3.1.2023, Econpile was granted leave to appeal against the CIPAA 1 COA Stay Order to the Federal Court.
ASM did not file an appeal against the Court of Appeal’s dismissal of ASM’s other two appeals.
High Court (CIPAA 2)
Similarly, due to ASM’s failure to pay the sums awarded under the CIPAA 2 Adjudication Decision, Econpile had made an application to enforce the CIPAA 2 Adjudication Decision as a judgment of the High Court under Section 28 CIPAA 2012. ASM also filed applications to set aside and/or stay the CIPAA 2 Adjudication Decision under Section 15(b), 15(d), and 16(1)(b) of CIPAA 2012. On 28.10.2020, the High Court allowed Econpile’s application to enforce the CIPAA 2 Adjudication Decision and dismissed ASM’s applications to set aside the CIPAA 2 Adjudication Decision.
On 4.2.2021, the High Court dismissed ASM’s application to stay the CIPAA 2 Adjudication Decision. In relation to ASM’s stay application, the High Court found that there are neither instances of disregarding nor wrong interpretation of statute or misreading and/or application of case authorities that resulted in the CIPAA 2 Adjudication Decision as being erroneous and there are no unequivocal errors to justify the stay.
Court of Appeal (CIPAA 2)
ASM appealed against all three of the High Court’s decisions to the Court of Appeal. The appeal was heard before a different panel from the CIPAA 1 Appeals. On 28.10.2022 and 25.11.2022 respectively, the Court of Appeal after considering the circumstances of the individual case, dismissed ASM’s appeals against the High Court’s decision which enforced the adjudication decision, the High Court’s dismissal of ASM’s setting aside application and the High Court’s dismissal of ASM’s stay application (“CIPAA 2 COA Dismissal of Stay Order”).
On 13.4.2023, ASM was granted leave to appeal CIPAA 2 COA Dismissal of Stay Order to the Federal Court.
ASM did not file an appeal against the Court of Appeal’s dismissal of ASM’s other two appeals.
Federal Court’s Findings (CIPAA 1 & CIPAA 2)
Leave to appeal was granted for both cases.
At the appeal proper, the Federal Court allowed Econpile’s appeal against the CIPAA 1 COA Stay Order, and dismissed ASM’s appeal against the CIPAA 2 COA Dismissal of Stay Order, with global costs of RM100,000.00 to be paid by ASM to Econpile.
Question 1 (answered in the negative)
The Federal Court found that the Court of Appeal’s (CIPAA 1) reasoning, namely that because there is no express provision in CIPAA prohibiting the granting of a stay after an enforcement order is granted, an application for stay can be considered and granted, is flawed for the following reasons:
A court must favour construction of a statute which promotes the purpose, object or intent of the legislation. CIPAA is a legislation crafted to address issues common in the construction industry in particular relating to cash flow problems for the unpaid party and only as temporary finality to the payment claims. It is not the end of the end. The Act was designed with the ultimate aim to assist the parties in construction dispute to be paid expeditiously for the work which they had carried out and for adjudication proceedings for payment claims that are due and payable before the determination of the contract.
There is no provision for a stay of adjudication decision (S.16) after an enforcement order is given. Applying the principles of interpretation of statutes, in the absence of a specific provision the court is not statutorily empowered to grant a stay if the adjudication decision is not set aside. To do so would be incongruent to the intent and purpose of CIPAA.
Question 2 (answered in the positive)
In answering Question 2, the Federal Court held that the principles enunciated in View Esteem must be followed in an application for a stay of an adjudication decision pursuant to Section 16 CIPAA if an application to set aside the adjudication decision under Section 15 of the same Act has been made or the subject matter of the adjudication decision is pending final determination by arbitration or the court.
KEY TAKEAWAYS
In view of the Federal Court’s decision that after an enforcement order under Section 28 CIPAA 2012 is made, an adjudication decision cannot be stayed under Section 16(1)(b) of CIPAA 2012, it is prudent for legal practitioners to ensure that a stay application under Section 16(1)(b) of CIPAA 2012 is decided before / together with an application under Section 28 of CIPAA 2012.
In the circumstance where a party wishes to appeal to the Court of Appeal against a dismissal of a Section 16(1)(b) stay application, it is also prudent for the party to ensure that where an enforcement order has already been made, an appeal should also be filed against the enforcement order.
However, one must also bear in mind that the Court’s jurisdiction to grant stay of execution of a court order, based on the special circumstances test, is not curtailed by this Federal Court decision.
The Federal Court's decision on this issue is important to the development of the statutory adjudication framework in Malaysia as it has provided clarity to the relationship between Section 28 CIPAA 2012 and Section 16(1)(b) CIPAA 2012.
About the author
Lim Ren Wei, Associate, Construction & Energy, Harold & Lam Partnership, renwei@hlplawyers.com
3 May 2024
Determinants of Share Unit & Its Significance in Strata Development
Owning a strata property comes with the entitlement of share units which entails varying rights and liabilities depending on the value of the share unit owned. The Court of Appeal in the case of Muhamad Nazri Muhamad v. JMB Menara Rajawali & Anor [2020] 4 MLRA 288 (“JMB Rajawali case”) provides a comprehensive explanation of the concept of share unit and the extent of the power of a management committee of a Joint Management Body (“JMB”) or Management Corporation ("MC") concerning share units.
According to Section 4 of the Strata Title Act 1985 (“STA”), “share unit” in respect of a parcel means the share units determined for that parcel as shown in the schedule of share units. Section 18 of the STA further provides that every parcel shall have a share value as approved by the Director and expressed in whole numbers to be known as share units.
Vernon Ong, one of the panel of judges of the Court of Appeal (“JCA”) (as he then was), explained in the judgment the concept of share unit which is a feature peculiar to strata development. Share unit is an essential method in determining each parcel owner’s: (i) voting rights, (ii) share in the common property, (iii) contribution to maintenance and administrative expenses, and (iv) proportional liability for the debts of the JMB or MC.
Concerning voting rights, a matter to be decided in a general meeting is generally on a show of hands, unless a poll is demanded by a proprietor or the proxy, as provided in Section 17(1) of the Second Schedule of Strata Management Act 2013 (“SMA”). In this sense, different amounts of share units determine the extent of voting power in the general meeting, depending on the mode of decision-making. To illustrate, each parcel owner shall have one vote on a show of hands at a general meeting of the JMB or MC. But, on a poll, each parcel owner shall have such number of votes, corresponding to the number of share units, as provided in Section 22(2) of the Second Schedule of SMA. This means parcel owners with higher share value will enjoy more voting power when voting on a poll. Vernon Ong JCA further clarifies that on the flip side, the higher share value translates into a liability to pay higher aggregate maintenance charges and contributions to the sinking fund.
Another question that begs to be asked is how the share units are determined. Vernon Ong JCA put simply that the share units of a parcel are the area of that parcel multiplied by the weightage factor for that type of parcel, and the weightage factor for the entire floor parcel. If there is any accessory parcel, the area of the accessory parcel is multiplied by a weightage factor for that accessory parcel. If there is more than one accessory parcel, the calculation formula shall apply to each accessory parcel, and it shall then be added accordingly. Both the value of the parcel and accessory parcel are then added to determine the total share units for each parcel.
Furthermore, as to how the share unit is calculated, it shall be per the formula under the First Schedule of the SMA, as provided in Section 8(1) of the SMA. The calculation takes into account the area of the parcel and accessory parcel and three weightage factors namely WF1, WF2 and WF3. The formula for the computation of allocated share units can be clearly described as follows:
The allocated weightage factors are based on different sets of criteria. In weightage factor WF1, there are 3 main differentiations including (i) type of parcels; (ii) between parcels with or without air-conditioning to the common areas or corridors, lobbies and foyers; and (iii) between parcels having benefit or no benefit of common lift/escalator facility. Weightage factor WF2 is related to the whole floor parcel with differentiation between parcel inclusive or exclusive of lifts or escalator, while weightage factor WF3 is related to an accessory parcel with differentiations between the accessory parcel outside or within buildings. These different weightage factors are taken into account in determining the value of the share unit.
In short, this confirmation of share unit, in turn, determines the amount of, among others, the contribution to the management fund by each parcel, which is to be determined by the JMB as required under Sections 21 and 25 of SMA. These provisions mandate that contributions to the management fund be determined on a share-unit basis. On the other hand, as mentioned by Vernon Ong JCA in the JMB Rajawali case, flexibility is conferred on an MC where it can fix different rates for different types of parcel, not necessarily on a share unit basis, as provided in Section 60(3)(b) of SMA, in 2 specific situations, namely (i) parcels which are used for significantly different purposes, and (ii) provisional blocks.
About the author
Muhammad Aiman Anuar bin Mohd Ali Azhar, Associate, Real Estate, Halim Hong & Quek, muhammad.aiman@hhq.com.my
3 May 2024
Defence of Limitation cannot be raised in Recovery of Tax Action?
The recent case of Kerajaan Malaysia v Dreamedge Sdn Bhd & Anor [2024] MLJU 473 was a straightforward case where the Government of Malaysia (“Government”) sought to recover outstanding income tax amounting to RM3,292,579 from Dreamedge Sdn Bhd (“Taxpayer”) and its director (“Director”) and the High Court held that, amongst others, the defence of limitation cannot be raised in the recovery of tax action.
Background Facts
The Government issued Notices of Additional Assessments dated 31.5.2021 for the years of assessment 2011, 2012, 2013, 2014, and 2015.
The Taxpayer and its Director sought to strike out the Government’s claim, relying on Section 91(1) of the Income Tax Act 1967 and/or Section 6(1)(d) of the Limitation Act 1953. The Director also argued that the Notices of Additional Assessments were not properly served on him.
The Government sought to enter summary judgment against the Taxpayer and its Director.
Decision
The High Court held that, amongst others:
Section 6(1)(d) of the Limitation Act 1953 is an Act of general application, and the proviso in Section 33 of the Limitation Act 1953 clearly states that limitation does not apply to an action by the Government for the recovery of tax.
Matters like fraud, wilful default, or negligence under Section 91(3) of the Income Tax Act 1967 are matters for the Special Commissioners of Income Tax’s (“SCIT”) consideration. Besides, the normal argument of triable issues has no application in tax recovery claims filed by the Government.
On the issue of service, the High Court held that service on the Taxpayer could not be deemed as service on its Director and found that the Director had not been served in accordance with Section 145 of the Income Tax Act 1967.
The summary judgment application against the Taxpayer is allowed but the Director’s striking out application is allowed.
Commentary
This case reaffirms that the defence of limitation cannot be raised in the recovery of tax action. However, it is highlighted that the defence of limitation is still a good ground of defence in challenging a notice of assessment where the burden of proof is on the part of the Inland Revenue Board of Malaysia to prove fraud, wilful default, or negligence under Section 91(3) of the Income Tax Act 1967 before the SCIT. Hence, it is imperative for taxpayers to appeal against the notice of assessment within the statutory timeframe.
This case also serves as a reminder that the service of notice of assessment plays a crucial role in proceedings involving income tax, and improper service could (and does) result in a claim being struck out. This is a valid and arguable defence for taxpayers who are otherwise severely handicapped in summary judgment proceedings. Thus, taxpayers are encouraged to be cognizant of the procedural requirements regarding income tax proceedings and consult a tax lawyer on the same (if required).
About the authors
Desmond Liew Zhi Hong, Partner, Tax, Halim Hong & Quek, desmond.liew@hhq.com.my
Boey Kai Qi, Associate, Tax, Halim Hong & Quek, kq.boey@hhq.com.my
3 May 2024
Constructive Dismissal: The Applicable Test - “Contract Test” vs The “Reasonableness Test”
The recent Federal Court judgment in Tan Lay Peng v RHB Bank Berhad (Civil Appeal No.01(f)-10-04/2023(P)) brings into focus the intricate balance between the contract test and the reasonableness test in constructive dismissal cases in Malaysia.
Our Apex Court reaffirmed the traditional reliance on the contract test, aligning the Malaysian position with longstanding common law principles.
The Principle of Constructive Dismissal
Constructive dismissal occurs when an employee resigns or walks out of the employment, allegedly due to the employer's conduct, which can be regarded as fundamentally breaching the terms of the employment contract and thus creating an untenable work environment for the employee. Unlike straightforward summary dismissals, constructive dismissal encapsulates situations whereby the termination is forced or triggered by the employer’s actions.
Brief background facts
This case involves a former employee of RHB Bank Berhad (“the Bank/Respondent”), one Mr. Tan (“Mr Tan/Appellant”). Mr. Tan was later deceased and was represented by his administratrix, one Ms. Tan. Mr. Tan was employed by the Bank as its Operations Head, Thailand Operations in Bangkok, the sole branch of the Bank at the material time.
In November 2013, the Bank opened its second branch in Sri Racha, which was placed under the supervision of Mr. Tan. Not long after, the Bank issued a transfer order for Mr. Tan to assume the role of Branch Manager of the Ayutthaya branch. The order stipulated that such assignment was for a period of not more than 9 months. Mr Tan complied and transferred to the Ayutthaya branch.
However, despite such assignment, the bank subsequently appointed a Thai national as the Branch Manager and issued another transfer order to Mr Tan to the International Infrastructure, PMO and Operation Support, Group International Business in Malaysia. Mr Tan objected vigorously to his repatriation to Malaysia because he opined that such transfer will ‘kill his career’ and was done without any reasonable justification. Therefore, he did not comply with the order and claimed that he was constructively dismissed by the bank.
The Industrial Court gave an award in favour of Mr Tan, and that decision was maintained by the High Court. The Bank, being dissatisfied with the decision, appealed to the Court of Appeal.
Court of Appeal
The Court of Appeal reversed the decision on the ground that the Industrial Court had applied the wrong test, i.e. the reasonableness test, in determining whether there was constructive dismissal.
Question of law posed before the Federal Court
“Is there a difference in the contract test or reasonableness test in light of major developments in industrial jurisprudence?”
Grounds of judgement of the Federal Court
The Federal Court upheld the decision of the Court of Appeal. It referred to the trite law in Pan Global Textiles Bhd Pulau Pinang v Ang Beng Teik [2002] 1 CLJ 181, in which the observation was made that the court ought to apply the contract test to determine if the employer was guilty of any breach which went to the root of the contract or had evinced an intention not to be bound by it.
In the present case, the Federal Court unanimously reaffirmed the primacy of the contract test as the settled law on the applicable test for constructive dismissal cases. The reasonableness of an employer's actions, while relevant, should not alone determine constructive dismissal. The test of reasonableness refers to what a reasonable man, in his right mind, considers fair and proper based on the particular facts and circumstances of the case. The assessment must relate to the contract of employment and its fundamental breach or repudiatory breach.
The rationale is that the reasonableness of an employer’s conduct is very subjective and depends on the circumstances of the situation and other related factors. It is too wide and indefinite to be made as a legal requirement for a constructive dismissal case. The reasonableness of the employer’s conduct could also be easily subject to different opinions by tribunals or courts. Any departure from the contract test to reasonableness test will entail unsettled industrial relations by introducing uncertainty and confusion.
Conclusion
The adherence to the contract test in fact aligns with other jurisdictions like the UK, Singapore and Australia, where the contract test remains foundational, notwithstanding the contextual assessment of reasonableness in determining whether an employer's conduct amounts to a fundamental breach. Put simply, our courts, in determining constructive dismissal cases, should consider whether there was a breach of contract by the employer in the conduct or exercise being complained of, instead of going into the bona fides and reasonableness of such conduct.
About the authors
Thoo Yee Huan, Senior Partner, Dispute Resolution, Halim Hong & Quek, yhtoo@hhq.com.my
Esther Lee Zhi Qian, Pupil-in-Chambers, Dispute Resolution, Halim Hong & Quek, esther.lee@hhq.com.my
2 May 2024
E-Waste and ESG Compliance: What Companies Need to Know
Introduction
In an era of rapid technological advancement, companies are expanding quickly, driven by the efficiencies provided by the latest technology. To stay competitive, companies are constantly upgrading their electrical and electronic equipment; however, this constant upgrading leads to a critical question that too often goes unasked: "Where does our e-waste go?"
As Environmental, Social, and Governance (“ESG”) issues become increasingly important, this is a topic that companies, general counsels, chief sustainability officers, and even boards of directors cannot afford to overlook. This article explores the significance of electronic waste (“e-waste”) and how companies should address it within the context of ESG and the legal framework.
What is E-Waste and Why Does it Matter for ESG?
To grasp the concept of e-waste, it is important to first note that there isn't a single standardized definition of 'e-waste'.
Generally, e-waste refers to discarded electronic and electrical devices. Common corporate e-waste includes computers, laptops, monitors, networking equipment, servers, and storage devices. As technology progresses, these devices quickly become obsolete, and companies frequently update their hardware to keep pace with advancements in software and security, thereby generating significant amounts of e-waste, and as technology continues to advance, the problem only escalates.
So, what is the big deal with e-waste? While the responsibility for handling and disposing of e-waste often falls to facilities management or the IT department, the issue is far from straightforward. E-waste typically contains hazardous substances like lead, mercury, and cadmium. Therefore, improper handling and disposal of e-waste can lead to severe environmental damage, including soil contamination, water pollution, and air pollution. Hazardous substances from e-waste can leach into the soil, disrupting plant growth and ecosystems; when e-waste is disposed of near water sources, toxins can seep into groundwater or flow into rivers and lakes, impacting aquatic life and drinking water supplies. Moreover, burning e-waste releases toxic fumes, contributing to respiratory issues and air pollution.
Given these impacts, companies committed to ESG principles must take responsibility for managing their e-waste in ways that minimize environmental risks.
E-Waste Regulations in Malaysia: A Checklist for E-Waste Compliance
As companies commit to being more ESG-responsible, addressing e-waste has become an unavoidable priority. In Malaysia, the disposal, treatment, storage, and labelling of e-waste are regulated by the Environmental Quality (Scheduled Wastes) Regulations 2005. We will simplify this complex topic into a checklist of five straightforward questions that all companies should ask themselves when it comes to e-waste management:
1. How is e-waste being disposed of? When it comes to the disposal of e-waste, companies may often choose efficiency or convenience over compliance, such as using illegal landfills, unregulated recyclers, or unauthorized locations like rivers, forests, or vacant land. Legally, e-waste must only be disposed of at licensed facilities, including licensed land treatment facilities, landfills, or waste incinerators. It is crucial to ensure that these facilities are properly licensed, as disposing of e-waste at unlicensed sites is illegal.
2. How do companies store e-waste? Some companies may store e-waste in non-specialized locations such as regular storehouses, basements, or parking lots, which will lead to potential fire hazards and toxic leaks. Proper storage of e-waste requires containers that are compatible with the nature of the e-waste, designed to prevent spillage and leakage.
3. Is e-waste being properly labelled? It is essential for companies to label e-waste containers clearly with the name, address, and telephone number of the generating company. Labelling not only facilitates tracking the lifecycle of electronic products but also ensures that companies remain accountable for their products from production to disposal.
4. Is there an inventory of e-waste? Companies should maintain an accurate and up-to-date inventory of e-waste, including details on the quantities generated, treated, and disposed of, and keep these records for at least three years from the date the e-waste was generated. An inventory not only ensures compliance with environmental laws but also aids in efficient waste management by identifying reusable, recyclable, or specially disposable components.
5. Are training programs organized about e-waste? Companies must ensure that their employees attend training programs that cover e-waste identification, handling, labelling, transportation, storage, and spill response.
Conclusion
Given the growing focus on ESG, companies can no longer afford to ignore e-waste. Proper management and disposal of e-waste are not just about compliance but also about corporate responsibility and minimizing environmental impact. By following the checklist above, companies can ensure they are on the right path toward responsible e-waste management. For further guidance, companies are encouraged to work with external legal counsels familiar with the technology industry and ESG compliance.
If your company is interested in learning more about responsible e-waste management, ESG compliance, or requires legal guidance in addressing any related concerns, please don't hesitate to reach out to our team of experienced lawyers. We are well-versed in regulations governing e-waste and can provide tailored advice to ensure your company aligns with the latest ESG standards. Contact us today to discuss how we can support your sustainability journey and help you navigate the complexities of environmental compliance.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group (Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity), johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group (Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity), ky.lo@hhq.com.my
Tan Zhen Chao, Associate (Real Estate, Project Development, Strata Management & Dispute Resolution), zctan@hhq.com.my
29 April 2024
Real-World Assets in Blockchain: Why Companies Should Pay Attention
Introduction
As the global acceptance and adoption of blockchain technology accelerates—highlighted by the U.S. approval of Spot Bitcoin ETFs—many companies remain hesitant to engage with this burgeoning field. This reluctance often stems from a lack of familiarity with blockchain’s benefits and its potential applications. While cryptocurrencies often dominate headlines, a quieter yet significant transformation is underway: the tokenization of real-world assets (RWAs). This development has profound implications for businesses across sectors.
In this article, we aim to demystify RWAs tokenization and outline why they deserve more than just cursory attention from corporate strategists.
Understanding Real-World Assets (RWAs) Tokenization
To grasp the concept of RWAs tokenization, it is essential to acknowledge that there is no fixed definition, given its evolving nature. Generally, RWAs tokenization can be understood as any asset—physical, digital, tangible, or intangible— from the real world that is tokenized and represented on a blockchain. Tokenizing an asset involves creating a digital twin on the blockchain, facilitated through digital tokens that represent ownership or a share of the RWAs. These tokens can then be traded, transferred, and integrated into smart contracts, offering novel ways to manage and leverage assets in a digital economy.
Why Should Companies Pay Attention to RWAs Tokenization?
Companies might then wonder why they should pay attention to RWAs tokenization and what the benefits are for their businesses. In this article, we will explore five key advantages of RWAs tokenization that can drive innovation and growth for companies:
1. Speed and Efficiency: Tokenizing RWAs enables assets to be traded 24/7 globally on the blockchain without any time restrictions. This capability significantly increases the speed and efficiency of transactions since the system operates continuously, even outside traditional trading hours and on holidays.
2. Utilization of Smart Contracts: RWAs tokenization benefits from the integration of smart contracts, which are self-executing contracts with the terms of the agreement written directly into lines of code. Stored on a decentralized blockchain network, they automatically execute when predefined conditions are met. Smart contracts facilitate, verify, and enforce contract terms without intermediaries, removing the need for third parties and thereby providing efficiency while ensuring full transparency and security between parties.
3. Reduced Costs: Since tokenized RWAs operate on blockchain and are supported by smart contracts, they eliminate the need for middlemen to facilitate, verify, and execute contracts, reducing traditional administration costs and transactional costs significantly.
4. Transparency: Transactions involving tokenized RWAs are recorded on blockchains, making all operations, deals, and activities fully visible to network participants. Furthermore, once a smart contract is deployed on a blockchain, it cannot be tampered with or changed, ensuring immutability in a transparent environment that fosters trust among parties and stakeholders.
5. Fractionalization: A largely underemphasized yet revolutionary benefit of tokenized RWAs is their ability to be fractionalized. This means assets can be divided into smaller portions, allowing multiple investors and individuals to co-own parts of the assets. Beyond efficiency, low transaction fees, speed, and transparency, fractionalization is a feature that companies cannot afford to overlook.
Potential Real-World Applications of Tokenized RWAs
Companies can harness the benefits of fractionalization by exploring various real-world applications of tokenized assets. Here are three examples of how companies can leverage the fractionalization of tokenized RWAs:
1. Tokenizing Carbon Credits: Companies involved in environmental projects can tokenize carbon credits by converting them into digital tokens on a blockchain. For example, a company that manages reforestation or afforestation projects can receive certification from recognized environmental organizations for the carbon offsets generated. The certified carbon credits are then tokenized on a blockchain, with each token representing a specific quantity of carbon offset—typically, one metric ton of CO2 equivalent. These tokens can be traded, allowing companies and individuals to buy or retire them to offset their carbon footprint.
2. Tokenizing Real Estate: In this scenario, a property developer can tokenize an entire building, such as a corporate tower, offering token holders a share in the rental income generated by the property. This approach opens the door for a broader range of investors to participate in large-scale real estate projects. Instead of relying on a single major funder, who might require significant discounts, the fractionalization of real estate allows multiple investors to contribute smaller amounts. This flexibility can accelerate the funding process and make large real estate projects more accessible.
3. Tokenizing Financial Products: Tokenization can make financial products, like bonds or sukuks, accessible to a wider audience. Traditionally, some of these financial products have only been available to institutional or high-net-worth investors, limiting participation for those who don't meet strict asset or income requirements. However, by tokenizing financial products, they can be divided into smaller, more affordable units. This democratization of financial products allows more investors to participate, thereby increasing market liquidity and diversifying the investor base.
These examples demonstrate how fractionalizing tokenized RWAs can create new opportunities for companies and investors by making assets more accessible, reducing barriers to entry, and promoting broader participation. The shift toward tokenization could lead to greater market efficiency, increased liquidity, and smoother investment processes across various sectors.
However, RWA tokenization remains a relatively new concept, subject to ongoing exploration and testing across different jurisdictions. While the potential benefits are significant—opening new business possibilities for companies—the novelty of the approach brings with it uncertainty in regulations. As a result, companies and, particularly, their general counsels should work closely with lawyers who have a deep understanding of blockchain and RWA tokenization. This collaboration will help ensure that companies navigate regulatory complexities and legal requirements safely and effectively.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group (Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity), johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group (Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity), ky.lo@hhq.com.my
23 April 2024
CYBER SECURITY ACT IMPLEMENTATION – Things for the National Critical Information Infrastructure Entities to Take Note of
Building on our last article on the key takeaways of the new Cyber Security Bill 2024, titled “Cyber Security Bill 2024 Decoded 5 Key Insights for Strategic Compliance”, this article seeks to expound on some of the key considerations that soon-to-be national critical information infrastructure (“NCII”) entities (the “NCII Entities”) should pay attention to.
As we have covered in our previous article, any government entity or person (legal or natural) that owns or operates any NCII will highly likely be designated as an NCII Entity. Once an NCII Entity, it will have to, among other things, (i) take part in the preparation of the code of practice applicable to the NCII sector that the NCII Entity is in; (ii) provide information, particulars or document potentially relating to the function and design of the computer or computer system owned or operated by the NCII Entity; (iii) provide information relating to the NCII that the NCII Entity owns or operates; and (iv) conduct periodic cyber security assessment and audit and report the same to the Chief Executive of the National Cyber Security Agency (“NACSA”).
With this article, we hope that we could draw the attention of the NCII Entities to some of the points to take note of while complying with the obligations under the Cyber Security Act 2024 (the “Act”).
Disclosure Requirements
As explained earlier, NCII Entities have obligations under the Act to disclose certain information and documents to the corresponding NCII sector lead(s) upon request. Information and document disclosure obligations are also relevant when an NCII Entity encounters a cyber security incident and upon completion of a cyber security risk assessment and audit. When fulfilling these obligations, it is crucial that NCII Entities ensure that they do not disclose any information that would jeopardise their business interests or unknowingly translate into risk or liability for the organisation. An assessment should be made for each disclosure to ensure that: (i) confidential and sensitive information of the organisation is not inadvertently included in the disclosure; (ii) when disclosing information relating to the organisation's computer systems, and especially where some of those systems are proprietary, their source code is not disclosed unless strictly necessary; (iii) personal data of data subjects being processed by the NCII Entity is not included, or is at least anonymised, to avoid potential non-compliance with personal data protection law; and (iv) only relevant information is disclosed, by applying the principle of data minimisation. NCII Entities should provide only the minimal amount of data necessary for compliance with regulatory requirements or for effective response to a cyber security incident, and should not over-share information merely to get through their regulatory obligations while undermining their business interests in the process.
Potential Centralisation Risk
Disclosing information requested by the NCII sector lead(s), especially information relating to the function and design of the computer or computer system owned or operated by the NCII Entities, has the potential to create centralisation risk. To the extent that the information disclosed could be used to better understand the architecture and design of an NCII Entity’s computer or computer system, and to find out the exact software and hardware used by the NCII Entity, it would undeniably become a treasure trove for cyber criminals and advanced persistent threat actors. Gathering this information at one single location, be it with the NCII sector lead(s) or the Chief Executive of NACSA, will draw the attention of malicious actors.
While technical measures will certainly be put in place to safeguard this information, NCII Entities should also consider, to the extent permissible, encrypting the information disclosed to the NCII sector lead(s) to better secure it.
Coordinated Incident Response
Under the Act, the Chief Executive of NACSA has the power to direct the NCII Entities on how to respond to a cyber security incident, and indirectly, this may mean that an NCII Entity no longer has full discretion to decide on its incident response measures. Decisions such as whether or not to make a ransom payment, how to address the public, whether or not to temporarily shut down the network, negotiation with threat actors, etc., may potentially have to be cleared by the Chief Executive of NACSA before proceeding.
Incident response is always a race against time. As such, it is very common for organisations to call the shots quickly in a war room when faced with a cyber security incident, in order to cut losses or to mitigate and contain risks. With the passing of the Act, it would be crucial for NCII Entities to first communicate their action plans to the Chief Executive of NACSA prior to execution, so as not to attract additional liabilities.
Therefore, in addition to coordinating their incident response plans with the Chief Executive of NACSA, NCII Entities should work on establishing pre-defined communication protocols and contact points at NACSA. This preparation should include clear guidelines on how to quickly communicate and escalate incidents to NACSA. Pre-established communication channels, such as dedicated hotlines, encrypted messaging systems, or secure email gateways, can significantly reduce the response time during a cyber security incident. By having these protocols in place, NCII Entities can ensure that they can swiftly reach the necessary contacts within NACSA and relay critical information without unnecessary delays, thus maintaining the pace needed for an effective response to cyber threats.
Closing Remarks
Given the importance of NCII to the economy of a country, it is expected that the Act, when in force, will be actively enforced by the authorities. In case readers are unable to fully grasp the extent of disruption that can be caused by an NCII-targeted cyber security incident, the Colonial Pipeline ransomware attack that took place back in 2021 in the U.S. offers a good example. Colonial Pipeline, one of the largest and most vital oil pipelines in the U.S., was hit with a ransomware attack in May 2021, which forced Colonial Pipeline to shut down part of its network for several days to contain the incident. Colonial Pipeline eventually paid the ransom and resumed operation of the pipeline, but the damage of the incident was not limited to just monetary loss to Colonial Pipeline. The shutdown of the pipeline caused panic-buying of gas, disruption of the supply chain, and an increase in gas prices to the highest level since 2014. Several states in the U.S. declared states of emergency due to this incident. No doubt the incident had a direct impact on the daily lives of U.S. citizens, which highlights the importance of NCII and the criticality of ensuring its cyber security preparedness.
The Act in itself is not sufficient to increase the cyber security preparedness and readiness of the NCII in Malaysia. It does, however, provide an important framework for the establishment of codes of practice for each NCII sector, the implementation of and compliance with which would ensure that certain minimum standards on cyber security are met. NCII Entities form the main line of defence against cyber threat actors seeking to disrupt Malaysia's economy, and the stakes are definitely high should they fail to do so.
Navigating compliance with new legislation is never an easy feat. Where there is any doubt or uncertainty as to the newly imposed obligations under the Cyber Security Act 2024, or as to what extent an organisation designated as a national critical information infrastructure entity must comply with the provisions of the legislation, please feel free to reach out to the partners at the Technology Practice Group of Halim Hong & Quek:
About the authors
Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
16 April 2024
Cyber Security Bill 2024 Decoded: 5 Key Insights for Strategic Compliance
In our increasingly interconnected world, cyber security threats pose a significant risk to national security. Malicious actors, ranging from state-sponsored hackers to cybercriminal organizations and terrorists, exploit vulnerabilities in critical infrastructure, government systems, and military networks to disrupt essential services and steal sensitive information. These cyberattacks not only disrupt businesses, financial institutions, and supply chains but also directly impact economic stability at both the national and global levels. Therefore, in this article, our focus is on the Cyber Security Bill 2024. Rather than just providing a comprehensive summary, we aim to distill the essence into five key takeaways that every company and general counsel should be aware of.
1. The Objective and Current Status of the Cyber Security Bill 2024
The first takeaway revolves around grasping the core objectives and current status of the Cyber Security Bill 2024 ("Bill"). Essentially, the Bill is designed to establish a regulatory framework aimed at bolstering national cybersecurity. It introduces the notion of national critical information infrastructure, a concept we will delve into shortly, and also sets out provisions for licensing cyber security providers.
Notably, the Bill achieved a significant milestone when the upper house of Parliament (Dewan Negara) unanimously passed it after the third reading on 3 April 2024. Subsequently, upon receiving assent from the King (Yang di-Pertuan Agong), the law will come into effect upon publication in the Government Gazette. Given its potential impact, it is imperative for companies to proactively monitor these developments to ensure alignment with the forthcoming legislation, as failure to do so could expose companies to significant risks and liabilities.
2. Defining National Critical Information Infrastructure
The second significant takeaway in the Bill is the introduction of the concept of national critical information infrastructure (“NCII”). The Bill defines NCII as "computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defense, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively."
Notably, the Bill delineates 11 sectors encompassed within the NCII framework, which are as follows (“NCII Sectors”):
I. Banking and finance,
II. Transportation,
III. Government,
IV. Defense and national security,
V. Information, communication and digital,
VI. Healthcare services,
VII. Water, sewerage and waste management,
VIII. Energy,
IX. Agriculture and plantation,
X. Trade, industry and economy, and
XI. Science, technology and innovation.
3. The Designation of NCII Sector Leads and NCII Entities
The third point emphasizes the appointment of sector leads by the Minister for each of the 11 NCII Sectors (“NCII Sector Leads”). These appointed sector leads' names will be publicly disclosed on the official website of the National Cyber Security Agency (“NCSA”). Subsequently, the respective NCII Sector Leads will develop specific codes of practice for their respective sectors and designate entities that own or operate NCII as national critical information infrastructure entities (“NCII Entities”).
Although the Bill does not explicitly define what constitutes "owning or operating NCII" for designation as NCII Entities, a literal interpretation suggests that companies meeting certain criteria may fall under this NCII Entities designation. These criteria may include (i) companies with ownership, control or legal rights over NCII, including those with decision-making authority regarding the relevant NCII’s use, security protocols, data access, and terms of third-party usage; and (ii) companies involved in the day-to-day operation, management, maintenance, and security of NCII, including those with decision-making authority affecting the relevant NCII’s functionality, security, and integration with other networks.
Therefore, companies can conduct internal checks based on these criteria while awaiting official confirmation to avoid surprises upon designation as NCII Entities. By doing so, companies can better prepare internally and ensure readiness to comply with forthcoming legislation.
4. Regulatory Obligations of NCII Sector Leads and NCII Entities
The fourth point is of utmost importance, especially for companies within the NCII Sectors, as they may be designated as NCII Entities. Upon receiving this designation, NCII Entities are obligated to implement the measures, standards, and processes outlined in the code of practice as prepared by the NCII Sector Leads (“Code of Practice”).
However, it is conceivable that some NCII Entities may encounter challenges in strictly adhering to all specified measures within the Code of Practice due to various reasons. For instance, financial constraints could pose a significant hurdle for some NCII Entities as implementing these measures may demand substantial investments in advanced technological infrastructure, specialized software, or hardware upgrades. To address this challenge, the Bill allows NCII Entities to implement alternative measures, standards, and processes, subject to approval by the Chief Executive of the NCSA, provided they offer an equal or higher level of protection.
Given the flexibility within the regulatory framework to implement alternative measures instead of strictly complying with the Code of Practice, it is advisable for NCII Entities to collaborate with professional legal counsels well-versed in technology law to ensure that any proposed alternative measures undergo thorough scrutiny to meet the standards of applicable Codes of Practice. External legal professionals could also assist in presenting compelling arguments for the approval of alternative measures that not only satisfy the Chief Executive of the NCSA but also uphold the integrity and security of NCII operations.
Additionally, the Bill mandates NCII Entities to conduct cybersecurity risk assessments as per the Code of Practice and directives, along with performing audits to ensure compliance with the Cyber Security Act 2024.
It is crucial to highlight that in the event of a cybersecurity incident, the Bill also imposes a duty on the NCII Entities to notify both the Chief Executive of the NCSA and the respective NCII Sector Lead(s) (“Cyber Security Incident Notification”).
Such Cyber Security Incident Notification in the event of a cybersecurity incident is paramount for effective cyber security incident response. However, if the NCII Sector Lead(s) happens to be a competitor of the NCII Entities, significant legal concerns may potentially emerge, as sharing sensitive information with a competitor may raise apprehensions regarding data security, trust, and cooperation within the NCII Sector, potentially hindering timely and collaborative responses to incidents. Notably, the Bill currently does not have explicit provisions addressing this issue; however, we trust that additional measures should be put in place by the NCII Sector Lead(s) and the Chief Executive of the NCSA to address this potential concern.
Considering the sensitive nature of such Cyber Security Incident Notification, where it may potentially involve the exposure and disclosure of proprietary or confidential information of NCII Entities to NCII Sector Leads, it is, therefore, advisable to engage lawyers to facilitate Cyber Security Incident Notification processes, ensuring that appropriate notifications are made while safeguarding sensitive, proprietary, and confidential information of the NCII Entities. External lawyers can also play a vital role in overseeing the notification process, providing legal guidance on compliance with regulatory requirements and contractual obligations, and ensuring that the interests of the NCII Entities are protected.
5. Licensing Regime for Cyber Security Service Providers
The fifth key takeaway in the Bill pertains to the licensing requirement for companies providing cyber security services. According to the Bill, no company shall offer any cyber security service or advertise itself as a cyber security service provider unless it holds a valid license to provide such services.
The definition and scope of cyber security services will be determined by the Minister, and this licensing requirement will definitely have a significant impact on companies operating in the cyber security sector. It also remains to be seen whether additional licensing terms will be imposed on cyber security service providers through the licensing regime.
It is crucial to underscore the profound impact that this new licensing requirement will have on all cyber security service providers, as any company providing cyber security services without a proper license is subject to severe penalties. Upon conviction, such a company may face a fine not exceeding RM500,000, imprisonment for a term not exceeding ten years, or both. This emphasizes the gravity with which the government views the regulation of cyber security services and highlights the importance of adhering to licensing requirements.
Conclusion
In conclusion, the Bill stands as a pivotal milestone in Malaysia's journey towards bolstering national cyber security. Its implications reverberate not only across critical infrastructure sectors but also through the intricate fabric of businesses operating within the cyber security landscape. As the regulatory landscape evolves, it becomes increasingly imperative for companies to navigate these complexities with precision and foresight. The above five points highlight critical aspects of the Bill that companies should prioritize and understand thoroughly. Given the complex and evolving nature of cyber security, it is imperative that companies collaborate closely with legal professionals who possess a deep understanding of technology law.
With our unwavering commitment to excellence and a deep understanding of both legal intricacies and technological nuances, our team of seasoned legal professionals stands ready to guide your organization through the nuances of the Cyber Security Bill 2024. Let us empower your organization to thrive amidst evolving cyber security challenges, ensuring compliance while fortifying your resilience against emerging threats.
About the authors
Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
16 April 2024
(Section 35 of CIPAA 2012) Overview of Authorities on Conditional Payment
Introduction
The Construction Industry Payment and Adjudication Act 2012 (“CIPAA 2012”) was passed by the Malaysian Parliament in 2012 and CIPAA 2012 came into force on 15.4.2014. CIPAA 2012 was introduced to facilitate regular and timely payment in respect of construction contracts and to provide for speedy dispute resolution through adjudication.
The primary objective of CIPAA 2012 is to address critical cash flow issues in the construction industry and to facilitate payments for those down the chain of construction contracts for work done or services rendered.
Section 35 of CIPAA 2012 – Prohibition of Conditional Payment
CIPAA 2012 introduced Section 35 which prohibits the practice of conditional payment terms that inhibit cash flow:
“35 Prohibition of conditional payment
1. Any conditional payment provision in a construction contract in relation to payment under the construction contract is void.
2. For the purposes of this section, it is a conditional payment provision when-
a) the obligation of one party to make payment is conditional upon that party having received payment from a third party; or
b) the obligation of one party to make payment is conditional upon the availability of funds or drawdown of financing facilities of that party.”
What constitutes a “conditional payment provision/ clause/ term”?
The High Court in the case of Econpile (M) Sdn Bhd v IRDK Ventures Sdn Bhd and another case [2017] 7 MLJ 732; [2016] 5 CLJ 882 enunciated that Parliament had left it to the Courts to determine on a case by case basis as to whether conditional payment provisions in a construction contract would defeat the intent and purpose of CIPAA 2012.
The High Court in the case of Terminal Perintis Sdn Bhd v. Tan Ngee Hong Construction Sdn Bhd [2017] MLJU 242; [2017] CLJU 177; [2017] 1 LNS 177 ruled that the question of whether a payment term in a construction contract constitutes a conditional payment clause under Section 35 of CIPAA 2012 is a mixed finding of fact and law and the Courts would not interfere in the adjudicator's interpretation.
Overview of Cases/ Authorities
(A) “Pay When Paid”/ “Pay If Paid”/ “Back to Back”
CIPAA 2012 expressly prohibits “pay when paid”/ “pay if paid” clauses which make the obligation of the main contractor to pay a subcontractor conditional upon the main contractor having received payment from the principal. Such contractual clauses are void and unenforceable pursuant to Section 35 of CIPAA 2012.
The High Court in the case of Khairi Consult Sdn Bhd v GJ Runding Sdn Bhd [2021] MLJU 694; [2021] CLJU 571; [2021] 1 LNS 57 held that a contractual provision which provided for the payment to be on “back to back” basis is void under Section 35 of CIPAA 2012.
The Defendant in this case was the main consultant for a construction project. By way of a contract/ letter, the Defendant appointed the Plaintiff as a consultant to provide engineering consultancy services for the project.
Clause 9 of the contract provides that:
“Payment shall be on a back to back basis i.e you [Plaintiff] shall be paid within 7 days upon [the Defendant's] received [sic] payment from the client."
The High Court held that:
Clause 9 is void as it is a “conditional payment provision” within the meaning of Section 35 of CIPAA 2012.
This is because the Defendant's payment to the Plaintiff is on a "back to back" basis i.e. the Defendant is only required to pay the Plaintiff when the Defendant has received payment from a third party (the employer/ client).
The High Court in the case of KS Swee Construction Sdn Bhd v BHF Multibina (M) Sdn Bhd [2019] MLJU 1508; [2019] CLJU 1849; [2019] 1 LNS 1849 held that a contractual provision which stipulated that payment to the subcontractor is “back to back” to the payment from the main contractor is a conditional payment under Section 35 of CIPAA 2012.
The Plaintiff in this case was engaged by the Defendant to carry out construction works. Clause 7 of the contract provides that:
“Progress payment to the Sub-Contractor shall be on a reciprocal (back to back) basis with the progress payment from the Main Contractor” (translated from the Malay)
Therefore, the Plaintiff will only be paid on a “back to back” basis i.e. the Plaintiff's payment becomes due only when the Defendant receives payment from the main contractor.
The High Court held that Clause 7 is a conditional payment within the confines of Section 35 of CIPAA 2012.
The High Court in the case of Sinwira Bina Sdn Bhd v Puteri Nusantara Sdn Bhd [2017] MLJU 1836; [2017] CLJU 1819; [2017] 1 LNS 1819 held that a “back to back” clause is a “conditional payment provision” provided under Section 35 of CIPAA 2012.
The subcontract entered between the Plaintiff and Defendant in this case contained the following clause:
“The Sub-Contract Sum shall be paid to the Sub-Contractor on the basis of back-to-back payment, as and when received by the Contractor from the Client. Unless a special arrangement is made, the Employer shall not be liable to pay the Sub-Contractor in the event that no corresponding payment is paid by the Client.”
The High Court found the said clause to be a "conditional payment provision" as provided in Section 35 of CIPAA 2012 and is therefore void.
(B) Termination and Final Accounts
In the case of Maju Holdings Sdn Bhd v Spring Energy Sdn Bhd and other cases [2021] MLJU 541; [2021] CLJU 367; [2021] 1 LNS 367, the High Court held that the contractual clause in the subcontract, which provided that payment to the subcontractor shall be withheld upon the termination of the subcontract until the final accounts have been determined, is a conditional payment provision which runs afoul of Section 35 of CIPAA 2012.
The High Court in the case of Econpile (M) Sdn Bhd v IRDK Ventures Sdn Bhd and another case [2017] 7 MLJ 732; [2016] 5 CLJ 882 held that Clause 25.4(d) of the industry-based standard form PAM Contract 2006 is a conditional payment provision which is prohibited under Section 35 of CIPAA 2012.
Clause 25.4(d) of the PAM Contract 2006 provides as follows:
“25.4(d) the Contractor shall allow or pay to the Employer all cost incurred to complete the Works including all loss and/or expense suffered by the Employer. Until after the completion of the Works under Clause 25.4(a), the Employer shall not be bound by any provision in the Contract to make any further payment to the Contractor, including payments which have been certified but not yet paid when the employment of the Contractor was determined. Upon completion of the Works, an account taking into consideration the value of works carried out by the Contractor and all cost incurred by the Employer to complete the Works including loss and/or expense suffered by the Employer shall be incorporated in a final account prepared in accordance with Clause 25.6.”
The High Court held that Clause 25.4(d) has the effect, upon the termination of the contract, of postponing payment due until the final accounts are concluded and the works completed. This clause defeats the purpose of the CIPAA 2012 and is thus void and unenforceable.
(C) “Pay If Certified”
The Court of Appeal in the case of Lion Pacific Sdn Bhd v Pestech Technology Sdn Bhd and another appeal [2022] 6 MLJ 967; [2022] 9 CLJ 488 clarified and ruled that “pay-if-certified” provisions cannot be construed as a conditional payment clause under Section 35 of CIPAA.
In 2013, the Government of Malaysia accepted a tender submitted by a consortium for a construction project. The appellant was appointed as a subcontractor for the system works package parcel for the project.
The appellant then appointed the respondent as a subcontractor by way of a subcontract. The subcontract in this case contained a clause whereby certification by the Ministry of Transportation (“MOT”) is required prior to any payment to the respondent. Particularly, Clause 4.1 of the subcontract provides that:
“Verification and approval by ICC-MOT 15th - 24th every month. Payment to Sub-Contractor 40 days after certification by MOT”
The Court of Appeal held that:
The "pay-if-certified" provision in Clause 4.1 of the subcontract cannot be construed as a conditional payment clause under Section 35 of CIPAA 2012, as the mutual agreement of the parties was that the appellant's obligation to make payment would only arise upon certification of the works done by the MOT, failing which the works cannot be considered as having been carried out.
Notwithstanding the objective of CIPAA 2012 to facilitate prompt payment, the contractual obligations of the parties expressly agreed upon cannot be disregarded.
Whilst CIPAA 2012 was intended to alleviate cash flow problems of contractors and prohibited conditional payments, it was clearly not intended to replace the certification or valuation to assess the progress of works carried out by the relevant authority for payment to be effected.
About the authors
Rohan Arasoo Jeyabalah
Partner
Corporate Disputes, Employment & Industrial Relations
Harold & Lam Partnership
rohan@hlplawyers.com
Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my
16 April 2024
Land Reference Proceedings: Written Opinions of Assessors Must Be Made Available to the Parties
Introduction
The Federal Court in the case of Tegas Sejati Sdn Bhd v Pentadbir Tanah dan Daerah Hulu Langat & Anor [2024] MLJU 416; [2024] CLJU 330; (Civil Appeal No.01(f)-46-11/2022(B)) held that the written opinions of assessors that assist the High Court Judge during land reference proceedings must be provided to the parties involved in the proceedings.
The Federal Court in this case found that there was non-compliance with Section 40C of the Land Acquisition Act 1960 (Act 486) (“LAA 1960”) as the written opinions of the assessors were never made available to the parties. The Federal Court ruled the non-compliance to be serious, warranting appellate intervention, and ordered the matter to be remitted to the High Court for a rehearing.
Background Facts
In 1987, the Appellant, Tegas Sejati Sdn Bhd (“TSSB”) entered into a joint venture agreement with Perbadanan Setiausaha Kerajaan Selangor (“PSKS”) to develop several lots of land located at Section 15, Daerah Hulu Langat in the State of Selangor. PSKS is the registered proprietor of the lands. Pursuant to the joint venture agreement, PSKS relinquished its rights to the land to TSSB.
Several lots of the land were acquired by the State Government for the purpose of the project known as “Projek Lebuhraya Bertingkat Sungai Besi – Ulu Kelang” (SUKE Expressway). The 2nd Respondent, Lembaga Lebuhraya Malaysia (“LLM”) was the paymaster for this acquisition.
After the enquiry held on 16.5.2027, the 1st Respondent, the Land Administrator, handed down an award for compensation on 16.5.2017. The award was objected to by both LLM and TSSB.
Land Reference Proceedings (High Court)
Both LLM and TSSB filed their objections via Form N, culminating in two land reference proceedings before the High Court. Both land reference proceedings were consolidated and heard together.
On 22.9.2020, TSSB applied to strike out LLM’s land reference proceedings. TSSB’s application was heard together with the merits of the land reference proceedings with the assistance of two assessors.
On 14.2.2020, the High Court dismissed TSSB’s striking out application. The High Court also dismissed TSSB’s land reference and allowed LLM’s land reference.
TSSB appealed against the decision of the High Court to the Court of Appeal. On 4.10.2022, the Court of Appeal dismissed TSSB’s appeal and allowed LLM’s cross-appeal.
Questions/ Issues Before The Federal Court
TSSB appealed to the Federal Court. The Federal Court heard submissions from the parties on 18.8.2023. However, the proceedings were adjourned to ascertain whether there was compliance with Section 40C of the LAA 1960.
Section 40C of the LAA 1960 provides that:
“40C. Opinion of assessors
The opinion of each assessor on the various heads of compensation claimed by all persons interested shall be given in writing and shall be recorded by the Judge.”
The Federal Court registry requested sight of the written opinions of the assessors involved in the land reference proceedings from the registry of the High Court. Upon obtaining the written opinions, the Federal Court registry sent them to the parties.
One of the main issues before the Federal Court in this case is whether the written opinions of the assessors, which are to be recorded by the judge hearing a land reference, are necessarily for the eyes of the judges of the High Court, Court of Appeal and Federal Court only, and not the parties.
Grounds Of Judgment Of The Federal Court
1. Role of Assessors in Land Reference Proceedings
Section 40A (2) of LAA 1960 provides that for land reference proceedings concerning an objection over the adequacy of compensation, the Court shall appoint two assessors for the purpose of aiding the Court in determining the objection and in arriving at a fair and reasonable amount of compensation. The two assessors will sit with the High Court Judge in hearing the objections over the amount of compensation.
The written opinions of the assessors are intended to assist the Court in arriving at a decision on the amount of compensation. These written opinions form and must be part of the records of the land reference proceedings.
2. Adequacy of Compensation
Article 13(2) of the Federal Constitution provides that “no law shall provide for compulsory acquisition or use of property without adequate compensation”. In the interpretation and construction of Section 40C of LAA 1960, the Courts must give real meaning and adopt a construction which preserves the rights enshrined under Article 13(2) of the Federal Constitution.
Although Section 40C does not explain in detail how the written opinions of the two assessors are to be handled, it cannot be denied that the written opinions form part of the proceedings. The High Court in assessing the complaint of adequacy of compensation is bound to balance competing interests of TSSB, the landowner and LLM, the acquiring authority or paying master. Therefore, it is necessary that all relevant material is placed before the Court for that assessment and determination.
If these written opinions of the assessors are not made available, the question of adequacy of compensation cannot be properly addressed, which would be contrary to the right enshrined in Article 13(2) of the Federal Constitution.
3. Availability of the Written Opinions
The question of adequacy of compensation can only be properly determined if all the parties concerned have had the opportunity to address the reasons, factors or circumstances which are relevant and necessary when computing or calculating that compensation.
Therefore, the written opinions of the assessors who assisted the High Court Judge in determining whether there is adequate compensation must be made known to the landowners and those affected by the compulsory acquisition. The obligation to make known the reasons or factors extends to everyone who has any role to play in that decision, be it the judge or the assessors.
Land reference proceedings are open Court proceedings and it is integral to the rule of law that there is transparency and fairness not just in the conduct of those proceedings but in the manner any evidence, including opinion evidence is received and treated by the Court. Once available, the written opinions of the assessors must be provided to the parties.
The Federal Court found that there was non-compliance with Section 40C in this case as the written opinions of the assessors were never made available to the parties or even called for by the Court of Appeal. The Federal Court set aside the orders of the High Court and Court of Appeal and ordered the matter to be remitted to the High Court for a rehearing before another judge.
About the author
Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my
16 April 2024
Stranded in Strata: How Unpaid Maintenance Fees Impact Tenants under the Strata Management Act 2013 (SMA)
What are Maintenance Fees and the Sinking Fund?
Under the Strata Management Act 2013 (SMA), the management body of a condominium needs to provide proper maintenance and management for the buildings and common property, as well as other related matters. To achieve this, each condominium unit owner will need to pay fees to these management bodies.
Section 25 (1) of the Strata Management Act 2013 states that: “Each purchaser shall pay the Charges, and contribution to the sinking fund, in respect of his parcel to the joint management body for the maintenance and management of the buildings or lands intended for subdivisions into parcels and the common property in a development area.”
Service charges are the monthly payments towards the ongoing maintenance of the common facilities and common property. These include swimming pools, service lifts, lighting, air conditioning, cleaning and landscaping services, security services, etc.
Meanwhile, the sinking fund is maintained in a separate account from maintenance fees. Typically, it is calculated as 10% of the maintenance fee and is allocated for anticipated future expenses, such as extensive repairs or significant improvements to the property. These funds serve as a reserve for emergencies as well as for major works like repainting the exterior of the building or repairing damage caused by floods.
What are the consequences if the owners fail to make any payment charged by the Management Body including the Charges and Contribution to Sinking Fund?
Failure to settle the outstanding sum due and payable to the management body after 14 days from the date of receiving the notice requesting said outstanding sum from the management body will give the management body the right:
i. to charge interest on the outstanding sum;
ii. to include the owner’s name, parcel and total outstanding amount in a defaulters' list and display the said list on the notice board;
iii. to deactivate any electromagnetic access card, tag or transponder;
iv. to stop you and/or your occupier(s)/visitor(s) from using any common facilities or common services; and
v. to take action against you before the court or Strata Management Tribunal.
But the one who defaulted is my landlord. I’m just the tenant. Will I also be affected?
The Third Schedule of Strata Management (Maintenance and Management) Regulations 2015, specifically regulation 6, outlines the definition of a defaulter and the potential consequences that may ensue.
a. a defaulter is a proprietor who has not fully paid the Charges or contribution to the sinking fund in respect of his parcel or any other money imposed by or due and payable to the management corporation under the Act at the expiry of the period of fourteen days of receiving a notice from the management corporation; and
b. any restriction or action imposed against a defaulter shall include his family or any chargee, assignee, successor-in-title, lessee, tenant or occupier of his parcel.
Regulation 6 clearly specifies that the restrictions or legal action to which the defaulter may be subject extend to ‘his family or any chargee, assignee, successor-in-title, lessee, tenant or occupier of his parcel’.
Therefore, it is clear that if your landlord fails to pay the maintenance costs, the management body may take specific measures against you as a tenant. Nevertheless, even though they have the right to deactivate your access card, as a tenant, you cannot be prevented from entering your unit.
Conclusion
In conclusion, residing (be it owning or renting) in a strata property such as a condominium entails being part of a community. It comes with its own set of rights and responsibilities that every landlord and tenant should understand. The payment of maintenance fees is crucial to maintaining harmony and ensuring the upkeep of the property.
As a tenant, it is imperative to remain vigilant, to inquire about the tenancy agreement and to determine whether your landlord has fulfilled their obligation to pay these fees, thereby avoiding potential hassles down the line.
About the author
Nur Anis Amani binti Mohd Razali
Associate
Real Estate
Halim Hong & Quek
nur.anis@hhq.com.my
16 April 2024
Updated Financial Technology Regulatory Sandbox Framework Enhancements Introduced to Increase Accessibility
Bank Negara Malaysia (“BNM”) has on 29 February 2024 issued a new Policy Document (“PD”) on Financial Technology Regulatory Sandbox Framework (the “Framework”) to replace the earlier version that was issued back in 2016.
The new PD came into force on the date of its issuance, and it seeks to enhance the Framework so as to ensure proportionate regulatory facilitation and improve the operational efficiency of the existing sandbox procedures. This article attempts to provide a brief outline of the Framework and the enhancements introduced by the PD.
Financial Technology Regulatory Sandbox
As most would no doubt agree, the financial services industry is one of the most regulated industries anywhere in the world. This is hardly surprising given the importance of stability in the money market.
That being said, it is equally important for the financial services industry to keep pace with the development of technology to ensure innovation and service improvement. Due to the disruptive nature of their solutions, financial technology (“Fintech”) providers often find themselves facing difficulties in the deployment of those solutions, owing to potentially archaic or non-accommodative regulatory frameworks. The Fintech regulatory sandbox (“Sandbox”) established under the Framework is an attempt by BNM to address this pain point.
The purpose of the Sandbox is essentially to allow Fintech solutions providers to have temporary rights to deploy and operate their solutions in a live environment, with more “relaxed” regulatory treatment. Participants in the Sandbox would have identified a series of regulatory requirements that they are unable to meet due to the nature of their solutions or business model, and exemptions would be granted to them for a limited duration from having to comply with these regulatory impediments. Upon the expiry of the “playtime”, BNM will then make an assessment as to whether a Sandbox participant should be allowed continued operation of its solution.
Enhancements to the Fintech Regulatory Sandbox Framework
The PD introduces two (2) enhancements to the Framework:
i. A fast-track application and Fintech solutions testing approval process called the “Green Lane”; and
ii. A simplified process to assess the eligibility of an applicant to participate in the “Standard Sandbox”.
We will provide a summary of each of the enhancements in turn below.
1. Green Lane
The Green Lane is a fast-track approval process set up for financial institutions (“FIs”) only. FIs with proven track records in strong risk management, compliance and governance can utilise the Green Lane to shorten the time required to obtain approval to test their Fintech solutions in the Sandbox.
Interested and eligible FIs can make an application to participate in the Sandbox through the Green Lane by demonstrating their past records in risk management, compliance and governance. Once BNM is satisfied with an FI’s track record in risk management, compliance and governance, a Green Lane approval will be issued. Thereafter, the FI will only have to register its Fintech solutions with BNM for testing in the Sandbox, at least 15 days prior to the intended testing commencement date. An FI with Green Lane qualification can register multiple Fintech solutions for testing over the subsistence of its Green Lane qualification, and there is no need for the FI to make a fresh Green Lane application each time.
Overall, the Green Lane is a new path to Fintech solution testing in the Sandbox that is much simpler than the Standard Sandbox process (which we will get to in the next section). The Green Lane affords FIs a faster process to test their Fintech solutions in the Sandbox, subject to the FIs first proving their eligibility to be in the Green Lane. Notwithstanding the easier access to the Sandbox however, the FIs in the Green Lane will still have to adhere to certain parameters and safeguards prescribed under the PD, primarily for customer protections, and BNM still reserves the right to revoke an FI’s Green Lane qualification or reject the registration of Fintech solutions to be tested, particularly where adverse developments have been observed during the testing of Fintech solutions.
Fintech companies or non-FIs can make use of the Green Lane by collaborating with FIs (e.g., outsourcing of Fintech solutions to FIs, equity participation, joint venture, etc.), subject however to the discretion of BNM.
2. Simplified Eligibility Assessment for the Standard Sandbox
The Standard Sandbox entails a 2-tiered assessment process. In the first stage, applicants are assessed on whether they are eligible to take part in the Standard Sandbox. Once the first stage has been passed, the applicants are then assessed on their readiness or preparedness in satisfying BNM’s considerations to test the Fintech solutions.
Under the new PD, the stage 1 assessment is simplified to the extent that an applicant will only have to demonstrate (amongst others) its ability to identify and mitigate risks associated with the Fintech solution testing, and a semi-functional prototype of the Fintech solution within 3 months from the date of application for participation in the Standard Sandbox. This is a much-welcomed change from the regulator’s past approach of requiring an applicant to have a ready product before making any application to participate in the Sandbox. Now, an applicant will only be required to come up with a fully functional prototype during the second stage of the assessment process, allowing greater flexibility to the applicant.
The effort of BNM in ensuring the regulatory framework keeps pace with technology evolution certainly deserves applause. The enhancements to the Framework brought by the new PD effectively make the Sandbox more accessible to innovators and Fintech solutions providers. This should drive innovations and hopefully boost investment into the Fintech sector in Malaysia, giving Malaysians better financial services experience enhanced by technology, as well as extending the reach of financial services to the financially underserved.
About the author
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
Halim Hong & Quek
johnson.ong@hhq.com.my
16 April 2024
Pembinaan Federal Sdn Bhd v Biaxis (M) Sdn Bhd (Case No. BA-12AC-3-07/2023)
In the recent High Court decision of Pembinaan Federal Sdn Bhd v Biaxis (M) Sdn Bhd, the High Court of Malaysia examined, amongst others, whether a liquidator of a wound-up company is bound by an arbitration agreement which was entered into not by the liquidator, but by the wound-up company prior to liquidation.
Brief Background Facts
Pembinaan Federal Sdn Bhd, the Appellant, and Biaxis (M) Sdn Bhd, the Respondent, had entered into the following two (2) contracts on a development (phase 2A and 2B) on a piece of land in Mukim Petaling for Messrs Masteron Sdn Bhd:
i. Piling Contract; and
ii. Pile caps and Basement 2 Slab Contract
(hereinafter referred to as “the Contracts”)
Pursuant to clause 3 of the Contracts, the parties had agreed to enter into a contract based on the Agreement and Conditions of PAM Contract 2006 (“PAM Contract”).
The Respondent was wound up on 20.4.2022 by the Penang High Court and consequentially, one Dato’ Dr. Shanmughanathan a/l Vellanthurai was appointed as the Liquidator (“Liquidator”).
The Liquidator had discovered that there was a sum of RM703,640.97 which was due and unpaid by the Appellant to the Respondent under the Project (“Outstanding Sum”). Therefore on 2.3.2023, the Respondent (the Liquidator initiated an action in the name of the Respondent) commenced a suit against the Appellant at the Sessions Court, claiming for said Outstanding Sum.
On 19.4.2023, the Appellant filed an application for a Stay of Proceedings pursuant to Section 10 of the Arbitration Act 2005, which the Sessions Court Judge dismissed with costs of RM 2,000.00 to be paid by the Appellant to the Respondent.
Being dissatisfied with the decision of the Sessions Court, the Appellant filed an appeal to the High Court against said decision.
Findings of the High Court
The issues to be considered by the High Court are as below:
i. Whether the Liquidator is a party to the arbitration agreement entered between the parties (“Arbitration Agreement”);
ii. Whether the Arbitration Agreement is inoperative;
iii. Whether the nature of arbitral proceedings is contrary to the purpose of insolvency law; and
iv. Whether there is any dispute between the parties which warrants an arbitral proceeding to be commenced pursuant to the Contracts.
Whether the Liquidator is a party to the Arbitration Agreement entered between the parties
On this issue, it was held by the High Court that:
i. It is not disputed by the parties that there is an Arbitration Clause in the PAM Contract entered between the Respondent and the Appellant. Therefore, the question of whether there is a valid and enforceable Arbitration Agreement pursuant to Section 9 of the Arbitration Act is answered in the affirmative;
ii. As the Respondent has been wound up, the Liquidator appointed steps into the Respondent’s shoes in dealing with matters related to the wound-up company. These powers are conferred to the Liquidator pursuant to Section 486 of the Companies Act 2016;
iii. Nowhere in the Companies Act 2016 is there a requirement for a separate agreement duly signed by the Liquidator in order for him to be bound by the terms and conditions of the original contract. Therefore, since the cause of action arose from the Contracts, the parties including the Liquidator are subject to the terms and conditions of the Contracts and the Arbitration Agreement;
iv. It cannot be agreed that the Arbitration Act 2005 is irrelevant to the Liquidator. Therefore, even if the Liquidator is not directly named in the Arbitration Agreement, by virtue of the Liquidator having stepped into the shoes of the Respondent, he becomes a party to it.
Whether the Arbitration Agreement is inoperative
Section 10 of the Arbitration Act states as follows:
“(1) A court before which proceedings are brought in respect of a matter which is the subject of an arbitration agreement shall, where a party makes an application before taking any other steps in the proceedings, stay those proceedings and refer the parties to arbitration unless it finds that the agreement is null and void, inoperative or incapable of being performed.”
The High Court in this case, having adopted the definition of “inoperative” in the case of Peace River Hydro Partners v Petrowest Corp [2022] SCJ No. 41, held that:
i. the Arbitration Agreement between the Respondent and the Appellant is inoperative because the Respondent has been wound up and as such, is subject to insolvency protection;
ii. since it is found that the Arbitration Agreement is inoperative, it is not necessary to determine whether the Arbitration Agreement is null and void, or whether it is incapable of being performed; and
iii. Therefore, Section 10(1) of the Arbitration Act 2005 cannot be invoked against the Respondent by the Appellant. It can also be concluded that the Plaintiff is subjected to the relevant insolvency proceedings having established that the Arbitration Agreement is inoperative against the Respondent.
Whether the nature of arbitral proceedings is contrary to the purpose of insolvency law/ Whether there is any dispute between the parties which warrants an arbitral proceeding to be commenced pursuant to the Contracts
On whether the nature of arbitral proceedings is contrary to the purpose of insolvency law, it was held by the High Court that:
i. Arbitration proceedings generally involve higher cost and delay in time;
ii. Considering the Liquidator’s primary function is to manage the wound-up company’s assets and liabilities, an increase in cost and delay would certainly be detrimental to the interest of the creditors and the shareholder of the wound-up company.
On whether there is any dispute between the parties which warrants an arbitral proceeding to be commenced pursuant to the Contracts, it was held by the High Court that based on the given facts, the Respondent’s claim sum is based on an undisputed sum which had been certified. In the absence of any dispute, the arbitration clause cannot be invoked and as such, the Respondent had the power to commence a court action against the Appellant pursuant to Section 486 of the Companies Act 2016.
Based on the reasons above, the High Court had dismissed the Appellant’s Appeal.
COMMENT
It is interesting to note that whilst the High Court has decided that the Liquidator is essentially a party to the Arbitration Agreement entered between the parties, the Arbitration Agreement is nonetheless inoperative in view that one of the parties in the Arbitration Agreement has been wound up. This raises the question of whether all ongoing arbitration proceedings will automatically be deemed as “inoperative” the moment any of the parties in the arbitration proceeding is wound up. As at the date of this article, we understand that the Appellant, being dissatisfied with the decision of the High Court, had filed an appeal to the Court of Appeal.
About the author
Ooi Hui Ying
Senior Associate
Arbitration, Construction & Engineering Disputes
Harold & Lam Partnership
huiying@hlplawyers.com
16 April 2024
Security Issues in the Secondary Market
What is the Secondary Market?
The secondary market refers to a financial market where investors trade previously issued financial instruments and securities after a company has made an initial public offering of its securities on the primary market. It is a market where securities that were previously sold in the primary market are traded among investors rather than being sold directly by the issuing company.
The secondary market facilitates liquidity for investors, allowing them to sell their securities readily and expeditiously should the need arise to access funds.
As such, the terms ‘secondary market’ and ‘stock market’ or ‘stock exchange’ are used interchangeably.
Capital Raising Securities
Upon successfully floating its securities through a primary market transaction and securing a listing of its securities on Bursa Malaysia, a diverse array of alternative capital-raising opportunities emerges. These avenues allow the company’s shareholders and the market at large to be approached for additional issuances of equity and debt securities.
Modes of Issuing Securities
Listed companies have at their disposal a range of methods to issue additional securities. While some of these issues may be aimed at raising equity capital to facilitate business expansion or diversification, others serve different purposes. The following are brief discussions of some of these modes of issuing securities on the secondary market.
Public Issue
A public issue represents the issuance of new shares available for public sale at a price agreed by the issuer and its Principal Adviser.
Rights Issue
The issuance of new shares to existing shareholders for cash, typically at an advantageous price (discounted from the current pre-announcement market price), constitutes a rights issue.
It is a requirement that a rights issue is renounceable, allowing shareholders to either subscribe to the new shares or sell their rights, in whole or in part, to a third party on Bursa Malaysia. Additionally, any rights issues without irrevocable written undertakings from shareholders to subscribe to their full entitlement must be underwritten.
Private Placement
A private placement involves the issuance of securities that are not available to the general public but are instead offered to independent parties who are not under the control or influence of the issuer’s directors or substantial shareholders.
The pricing of these securities is typically based on the weighted average market price of the shares over the preceding five days before the placement takes place.
Issues for Acquisitions, Take-overs, Mergers
The issuance of shares for acquisitions, take-overs or mergers of another company involves offering shares to acquire assets or capital from the other entity. This process may lead to dilution of existing shareholders’ holdings, prompting the listed issuer to negotiate for the highest possible value for their shares to mitigate the dilution impact.
Issue of Shares from Conversion of Warrants and Convertibles
This is an additional issue of shares to holders of other classes of securities (such as warrants and convertible securities) upon exercise or conversion of securities held. When they are issued, warrants are usually bundled together with debt securities (particularly bonds).
The holder of a warrant has the right to purchase a proportional quantity of shares from the issuing company at a pre-established price during a specified timeframe.
Convertible securities, on the other hand, are a form of deferred equity. The company can secure funds upon issuance, while the holder of convertible loans has the option to convert them into company shares at a predetermined price within a specified timeframe.
Warrants and convertible securities are commonly issued by companies undertaking projects with extended development periods. The issuance is strategically timed so that the expiration of warrants or convertible securities, which results in the issuance of additional company shares, aligns with the period when potential earnings from the projects begin to materialize. As a result, the subsequent issuance of shares is anticipated to be strengthened by the increased earnings of the company.
Issue of Shares from ESOS
Certain companies offer an Employee Share Option Scheme (ESOS) to their staff, aiming to, amongst other things, foster allegiance and loyalty to the organization. This grants employees the opportunity to acquire a specified quantity of company shares within a timeframe, up to a maximum of 10 years, at a predetermined exercise price.
Bonus Issue
This is an offer given to the existing shareholders of the company to subscribe for additional shares at zero cost in a specified proportion to the shares that they already hold.
Bonus issue does not involve any cash outflow, rather only book entries in the accounts of the company for the transfer of the company’s retained profits or reserves available to the share capital account to pay up the bonus shares which are to be distributed to the shareholders. Thus, there are no changes to the worth of the company.
Legal Dimensions, their Objectives, and Safeguarding Investors
The legal dimensions pertaining to securities issuance in the secondary market in Malaysia encompass a diverse array of regulations and factors, all directed towards the objectives of fostering transparency, equity, and safeguarding the interests of investors. Essential legal facets governing this area are discussed below.
Regulatory Framework
Securities issuance within the secondary market is governed by an extensive regulatory framework established by authorities such as the Securities Commission Malaysia (SC) and Bursa Malaysia. These regulations outline the requirements and processes on the issuance, trading and listing of securities on the secondary market.
Chapter 6 of Bursa Malaysia’s Listing Requirements sets out the requirements that must be complied with by the company for any new issue of securities.
Companies seeking to issue new securities are required to submit to Bursa Malaysia an application for the listing of and quotation of the new shares to be issued, seek their shareholders’ approval prior to such issuance of securities, and adhere to the specific requirements as set out in Chapter 6 of the Listing Requirements.
Disclosure Obligations
Issuers of securities on the secondary market are typically mandated to furnish exhaustive and precise information to investors. This entails providing, inter alia, financial statements, reports, prospectuses, information memorandums and other pertinent disclosures to enable investors to make informed investment decisions.
Chapter 9 of the Listing Requirements mandates that an immediate announcement of any proposed issue or offer of securities must be made to Bursa Malaysia, and such announcement must contain all information as set out in Part A of Appendix 6A of the Listing Requirements.
Prevention of Insider Trading and Market Manipulation
Legislative and regulatory provisions are in place to prohibit insider trading and market manipulation, safeguarding against the unauthorized exploitation of confidential information or the manipulation of security prices for personal gain. These measures are implemented to maintain market integrity and ensure fair treatment of all investors.
Insider trading happens when an individual holds confidential information that, if disclosed, would significantly impact the price or value of the company’s securities, and then engages in trading or transactions involving those securities.
According to the Capital Markets Act 2007, insider trading constitutes a criminal offence. If convicted under sections 188(2) or (3), the perpetrator faces a minimum fine of RM1,000,000 and a maximum prison sentence of 10 years.
Corporate Governance Standards
Malaysia has made significant strides in enhancing corporate governance practices with the aim of promoting transparency, accountability and ethical behavior.
The Malaysian Code on Corporate Governance (MCCG) sets out principles and best practices to guide companies in improving their corporate governance standards. It covers areas such as board composition, responsibilities of the board and management, risk management and disclosure practices.
Regulatory authorities do actively monitor and enforce compliance with such corporate governance regulations with penalties and sanctions in place on companies and individuals found to be in violation of these regulations.
Enforcement Mechanisms and Penalties
Entities such as SC and Bursa Malaysia possess authority to enforce securities laws and regulations, enabling them to investigate and impose penalties for any breaches. Violations may lead to consequences such as fines, sanctions and legal actions to ensure the integrity of the marketplace, so that it in turn reflects genuine market supply and demand.
Authorities have numerous enforcement actions at their disposal against violations of regulations concerning market misconduct and abusive trading practices. These actions are taken in response to activities that lead to false or misleading appearances of active trading or that manipulate the prices or markets for securities and derivatives.
The type of penalty imposed is determined on a case-by-case basis depending on considerations such as the severity of the misconduct or breach, its duration and frequency, its impact on the public or market, any ill-gotten gains and whether the actions were intentional or reckless. Violations that significantly impact the market, causing harm and disrupting its orderly operation, are subject to a more severe penalty.
In a Nutshell
The legal framework governing securities issuance in the secondary market is comprehensive and meticulously crafted to address various aspects of market operation and investor protection.
The regulations are designed to instill confidence among investors by setting clear guidelines and standards that provide the necessary assurance that their investments are being conducted in a transparent and regulated environment.
Preservation of market integrity is also a key focus of the regulatory framework. Market integrity ensures that transactions are conducted fairly and that prices reflect supply and demand dynamics. Regulations against market manipulation and insider trading help maintain a level playing field for all participants.
The regulatory framework also aims to facilitate the efficient operation of capital markets. By establishing rules for timely and accurate disclosure of information and standards for corporate governance and market conduct, the framework ensures that capital flows smoothly and efficiently between investors and companies.
Overall, the legal intricacies governing securities issuance in Malaysia’s secondary market are essential for fostering investor confidence, preserving market integrity, and ensuring the efficient operation of capital markets. Compliance is crucial for all stakeholders to uphold the integrity of the securities market and contribute to its long-term sustainability.
About the author
Laurel Lim Mei Ying
Associate
Corporate & Commercial
Halim Hong & Quek
laurel.lim@hhq.com.my
15 April 2024
Private Hospitals to pay for their Doctor’s Negligence
Non-delegable duty of care
1. The claim in this case is based on the tort of negligence. The law of tort is based on a fault-based system where it imposes liability on the wrongdoer, also known as the tortfeasor. Ordinarily, the law does not hold one accountable for the actions or inactions of another.
2. Conversely, a non-delegable duty of care is where the usual principle is displaced under certain circumstances. While a party can generally assign its responsibilities to an independent third-party contractor, the principle of non-delegable duty of care arises in situations where such duty cannot be delegated away, even if the duty is performed by an independent contractor.
Brief facts
3. The Appellant patient underwent a series of medical procedures including tonsillectomy, palatal stiffening and endoscopic sinus surgery at the Subang Jaya Medical Centre (‘SJMC’) on 10.3.2010. At about 3.30 a.m. on 22.3.2010, the Appellant experienced bleeding at the operation site and was brought to the emergency department of Columbia Asia Hospital (Puchong), the Respondent.
4. He was attended to by a medical officer and later by a Consultant Ear, Nose, and Throat surgeon (“Dr. M”), and a Consultant Anaesthetist (“Dr. N”).
5. Complications arose before the surgery began. In the airlock area outside the operating theatre, the Appellant started vomiting copious amounts of blood and there was profuse bleeding leading to the Appellant’s collapse and the subsequent emergency resuscitation.
6. The intended surgery was performed. Unfortunately, the Appellant suffered hypoxic brain damage. After surgery, the Appellant was admitted to the intensive care unit of the Respondent for continued post-surgical care and management, and was later transferred out to SJMC on 28.3.2010.
7. The Appellant is now permanently mentally and physically disabled due to massive cerebral hypoxia. Through his wife, the Appellant initiated a suit against Dr. M, Dr. N and the Respondent hospital at the High Court for negligence and breach of duties under the Private Healthcare Facilities and Services Act 1998 (‘Act’).
8. The Appellant alleged that the Respondent is vicariously liable for the negligence of Dr. M and Dr. N, and is also directly liable for breach of its non-delegable duty of care.
9. In response, the Respondent asserted that its responsibility was merely to ensure the provision of facilities and medical equipment, including nursing staff. The 2 medical practitioners carried out their respective medical practice at the Respondent hospital as independent contractors under contracts for services. As such, all diagnosis, medical advice including material risks and known complications, medical treatments, operations and referrals are the doctors’ own responsibilities.
High Court and Court of Appeal
10. Both the High Court and Court of Appeal found that only Dr. N was liable for negligence due to her conduct falling below the standard of skill and care expected from an ordinary competent doctor professing the relevant specialist skills based on which she was entrusted to treat the Appellant.
11. On the issue of vicarious liability and direct non-delegable duty of care, the court found that Dr. M and Dr. N were carrying out their practice at all material times in the hospital not as employees, servants or agents of the Respondent but as independent contractors. Hence, the Respondent is not liable for the negligence of Dr. N.
12. The High Court awarded damages of approximately RM1.9 million to the Appellant. The Court of Appeal later increased the damages to approximately RM2.1 million.
13. Both the Appellant and Dr. N appealed. The Court of Appeal dismissed the appeal against the Respondent hospital. Dr. N’s appeal was also dismissed.
Analysis and findings of the Federal Court
14. The appeal filed by the Appellant at the Federal Court is in respect of the Respondent only.
15. A total of 7 questions were posed to the court and as summarised by the majority of the Federal Court Judges, the focus of the appeal was whether the hospital owes an independent duty of care which is non-delegable, regardless of whom it may have delegated that duty to, irrespective of who may have performed the act or omission complained of, whether under a contract for service or due to the patient’s own choice.
16. It was emphasised by the court that the principle of non-delegable duty of care becomes relevant only if negligence is shown in the first place. Here, the High Court and the Court of Appeal had held Dr. N to be negligent.
17. In affirming that the principle of non-delegable duty of care applies to the present appeal, the Federal Court adopted and refined the five features laid down by Lord Sumption in the English case of Woodland v Swimming Teachers Association & Others [2014] AC 537. The court held:-
a. Firstly, the Appellant is in a vulnerable position and is totally reliant on the Respondent for its care and treatment, more so when the Appellant was admitted to its emergency services.
b. Secondly, the existence of an antecedent relationship is affirmed by the assumption of positive duties by the Respondent in ensuring that reasonable care is taken to persons who knock on its door and seek treatment and care.
Echoing its judgment in Dr Kok Choong Seng & Anor v Soo Cheng Lin & Another Appeal [2018] 1 MLJ 685, the court emphasised that the Act and the related regulations clearly envisage that a private hospital is and remains responsible not just for the efficacy of premises or facilities, but also for the treatment and care of patients, regardless of how and to whom the responsibility may have been delegated. Furthermore, the hospital held itself out as a one-stop-centre for all treatments and procedures on its website.
Unlike the English case of Woodland, which applied a further consideration as to ‘whether it is fair, just and reasonable to impose the non-delegable duty of care’ in addition to the five features, our Federal Court held that such elements of what is fair, just and reasonable had already been considered and embedded in the Act and its related regulations. Hence, there is no need for a separate exercise of consideration.
c. Fourthly, the Appellant had no control over how the Respondent was to perform its function rendering emergency care and treatment.
d. Fifthly, Dr. N was undeniably negligent in the performance of the very function of rendering proper emergency care and treatment of the Appellant that was assumed by the Respondent but which was delegated by the Respondent to her.
18. In short, the Federal Court held that private hospitals cannot put the blame on their doctors in the name of contracts. They have a duty of care which cannot be delegated. The Federal Court allowed the Appellant’s appeal against the Respondent, and increased the damages to RM4.5 million.
Conclusion
The Federal Court ruling would have an impact on the private hospitals and doctors in Malaysia in the following ways:-
a. The indemnity clause within consultant agreements between private hospitals and their doctors may now seem to be redundant.
b. Private hospitals would now be the ultimate paymaster for their consultants’ negligence.
c. It is essential for private hospitals to reassess their insurance coverage and implement systems and procedures to prevent medical errors.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Authors
Chan Jia Ying, Senior Associate, Dispute Resolution, Harold & Lam Partnership, jiaying@hlplawyers.com
Damia Amani, Legal Executive, Dispute Resolution, Harold & Lam Partnership, damia@hlplawyers.com
15 April 2024
Credit Reporting Agencies Are Not Authorised to Formulate Their Own Credit Score
On 7.3.2024, the Kuala Lumpur High Court in the case of Suriati binti Mohd Yusof v CTOS Data Systems Sdn Bhd [2024] MLJU 437; CLJU 440; (Civil Suit No. WA-23NCvC-8-01/2020) ruled that credit reporting agencies are not empowered to formulate a credit score or create their own criteria/ percentage to formulate a credit score.
The High Court found that the credit reporting agency in this case provided inaccurate/ false credit information and awarded a sum of RM200,000 as general damages to the person whom the credit information was related to.
Background Facts
The Plaintiff, Suriati Binti Mohd Yusof, is the director and shareholder of a resort situated in Terengganu.
The Defendant, CTOS Data Systems Sdn Bhd, is a credit reporting agency registered under the Credit Reporting Agencies Act 2010 (Act 710) (“CRAA 2010”). The Defendant is responsible for collating credit reports from various sources for the purpose of disseminating the information to its subscribers.
In or around May 2019, the Plaintiff discovered that her loan application for a car was rejected due to a negative report from the Defendant. The Plaintiff further discovered that the data collated and kept by the Defendant was inaccurate and false, which led to her negative credit rating.
The Defendant also gave the Plaintiff a low credit score leading to loss of confidence from financial institutions.
The Plaintiff filed a civil suit in the High Court against the Defendant to claim for damages suffered as a result of the Defendant’s negligence and breach of fiduciary duty in misrepresenting her credit rating leading to a loss of reputation, personal losses as well as business losses.
The Plaintiff contended that as a result of the inaccurate information and wrong credit score provided by the Defendant, the Plaintiff was considered as not creditworthy and suffered losses.
The Defendant contended that the Defendant’s role was merely to collate the information and it was not the duty of the Defendant to verify the accuracy of the information.
Grounds of Judgment of the High Court
1. Accuracy of Credit Information
The High Court observed that pursuant to the CRAA 2010, the Defendant as a credit reporting agency is tasked with the main role of collecting, recording, holding and storing credit information. The Defendant is also empowered to disseminate the information to its subscribers, which includes financial institutions.
The High Court ruled that Section 29 of the CRAA 2010 imposes a duty upon the Defendant to verify and to ensure the accuracy of the credit information/ credit report.
Further, the CRAA 2010 was enacted to empower credit agencies such as the Defendant to provide accurate information to financial institutions in approving and disbursing financial aid to applicants. Therefore, the Defendant had a duty of care to provide accurate credit information to financial institutions and to the persons to whom the information related. The Defendant owed a duty of care towards the Plaintiff in providing accurate credit information.
The evidence in this case showed that the Plaintiff alerted the Defendant that the information against her was inaccurate. However, the Defendant ignored the communication from the Plaintiff and continued to maintain the inaccurate information. The High Court was of the view that the Defendant could have suspended the information pending verification or notified subscribers that the information was pending verification.
The High Court ruled that the Defendant breached the duty of care owed towards the Plaintiff as the Defendant was indifferent even after being alerted by the Plaintiff.
2. Credit Score Formulated by Credit Reporting Agencies
The Defendant formulated a credit score based on certain criteria which include payment history, amount owed, credit history length, credit mix and new credit. Using these criteria, the Defendant classified the Plaintiff as a serious delinquent.
The High Court held that there is no provision in the CRAA 2010 which empowered the Defendant to formulate a credit score or create its own criteria/percentage to formulate a credit score. The Defendant is just supposed to be a repository of the credit information to which its subscribers have access.
By formulating a credit score, the Defendant has gone beyond its statutory functions. The Plaintiff suffered losses as a result of being labeled as a delinquent by the Defendant when the Defendant did not have the right to do so.
3. Compensation Awarded by the High Court
The High Court held that the Defendant had (i) breached the duty of care owed to the Plaintiff; and (ii) overstepped the functions it was registered for under the CRAA 2010.
The High Court ruled that the Plaintiff suffered personal losses. The Plaintiff’s reputation and relationship with her spouse had broken down as a result of the Defendant’s negligence and breach of fiduciary duties.
The High Court awarded the sum of RM200,000 as general damages and costs of RM50,000 to the Plaintiff.
Note: The Defendant has filed an appeal against the decision of the High Court to the Court of Appeal. This matter will be heard before the Court of Appeal.
About the author: Chew Jin Heng, Associate, Dispute Resolution, Halim Hong & Quek, jhchew@hhq.com.my
15 April 2024
Disposal of Real Properties Subject to Income Tax?
Background Facts
1. International Naturopathis Bio-Tech (M) Sdn Bhd (“the Taxpayer”), a company involved in naturopathic medicine, bought six different shop lot units (3 shoplots in Block A and 3 shoplots in Block B) (“Properties”).
2. The delivery of vacant possession of the Properties was made in August 2010 and the Taxpayer sold the Properties respectively in June 2011 and August 2011.
3. The Director of Inland Revenue (“DGIR”) in 2014 raised a notice of assessment in respect of the disposal of the properties amounting to RM543,906 for the year of assessment 2011.
4. The issue in dispute was whether the disposal of the properties was subject to RPGT or income tax.
5. The Special Commissioner of Income Tax (“SCIT”) and the High Court (“HC”) held that the disposal of the properties was subject to income tax. Being dissatisfied, the Taxpayer appealed to the Court of Appeal (“CoA”).
Decision
6. The CoA confirmed the decision of the SCIT and HC and held that, amongst others, the disposal of the Properties was subject to income tax and not RPGT as:
a) the Properties were sold within a short period of time (i.e. 6 months and 12 months after delivery of vacant possession);
b) no effort was made to look for a tenant;
c) disposal of the Properties was not undertaken to help pay for the Taxpayer’s medical bills;
d) the intention of buying the Properties was to trade as (i) the purchase of the Properties was financed by the loans taken by a director and not the Taxpayer; and (ii) the Properties were located in a strategic business area;
e) the Taxpayer gave no evidence of a change in the ‘intention’;
f) the Taxpayer faced no difficulty in selling the Properties within such a short period of time; and
g) accounting evidence is not conclusive.
Comments
This is a classic RPGT vs income tax case. For decades, taxpayers have been in tug-of-war with the DGIR in determining whether a disposal of a real property is subject to income tax or RPGT.
In this case, the CoA succinctly laid down the following badges of trade:
i. Intention or the motive of the purchase of the property which is subsequently disposed of;
ii. Subject matter/nature of the asset disposed of;
iii. Interval of time between purchase and sale/Length of period of ownership;
iv. Number or frequency of transactions;
v. Changes made to the asset that would make it more saleable;
vi. The circumstances responsible for the realisation of the property;
vii. Method of finance for the purchase of the property;
viii. Existence of similar trading transactions or interests; and
ix. The way the sale or disposal was carried out.
Notably, the CoA also made the following key observations on the application of the badges of trade:
a) these badges are merely a guide which assists the deliberation as to whether a set of facts and circumstances would constitute a trade or an adventure in the nature of trade;
b) no one single badge of trade is usually conclusive or determinative;
c) it is also not uncommon that the application of one badge may lead to one answer but that of another results in another, potentially contradictory conclusion;
d) deliberation involves the interplay of the combination of the various badges of trade, and the weight attached to each badge of trade will depend on the precise circumstances of the case; and
e) it is also fair to say that the more badges of trade that can be fastened on a transaction, the more likely it is that the transaction will be construed as a trade and thus subject to income tax.
This case serves as good guidance in applying the badges of trade and understanding the interaction between these badges. Remember, no one single badge of trade is conclusive and accounting evidence itself is not conclusive.
About the Authors
Desmond Liew Zhi Hong, Partner, Tax, Halim Hong & Quek, desmond.liew@hhq.com.my
Boey Kai Qi, Associate, Tax, Halim Hong & Quek, kq.boey@hhq.com.my
2 April 2024
Choosing Between Open Source and Closed Source AI: Considerations for Companies Looking to Onboard AI
The concepts of “open source” and “closed source” artificial intelligence (“AI”) have attracted increasing public attention ever since Elon Musk filed a lawsuit against OpenAI, the company behind ChatGPT, alleging, among others, OpenAI’s breach of its founding agreement. During the Musk and OpenAI saga, the billionaire has called on OpenAI to change its name to “ClosedAI”, seemingly taking a swipe at the lack of transparency and the “closed” nature of OpenAI’s large language model, ChatGPT.
Dissecting the Concept of Open Source and Closed Source AI
In order to appreciate the grievances raised by Elon Musk in this upcoming legal drama with OpenAI, we need to first understand the concept behind “open source” and “closed source”. The terms are not unique to AI but are used commonly to refer to the manner in which technologies (most commonly, software) are made available by their developers. Open source software generally refers to software where the source code is readily accessible, customisable, adaptable and/or distributable, either with little or no cost, but subject at all times to compliance with the open source licensing terms, which typically require users to also make public the modified version of their software which incorporates the open source software. Closed source software, on the other hand, generally refers to proprietary software that is licensed by the vendors or software principals for use at a cost under limited or defined licensing terms, and the source code of the proprietary software is usually kept inaccessible.
In the context of AI, open source refers to practices where the core aspects of an AI model – its model structure, training process, training data, and source code, are shared publicly for anyone to use, modify and distribute. In contrast, a closed source AI is where most, if not all, of the aforementioned aspects of an AI model are kept private by the developers or owners.
Pros and Cons of Open Source and Closed Source AI
As explained above, the terms “open source” and “closed source” essentially refer to the manner in which a technology is made available. Despite heated debates between the proponents of open source and closed source AIs, there is not necessarily a “one-size-fits-all” approach here. Open source and closed source AI each have their own sets of pros and cons, which should be carefully evaluated by businesses looking to deploy or adopt AI. The following sets out some of the pros and cons of open source and closed source AI:
1. Open Source AI
(i) Pros
- As with all open source initiatives, the concept promotes a higher level of community collaboration and would in turn drive creativity, innovation and improvements to the technology placed under open source. When one user has a breakthrough, the community as a whole benefits from that breakthrough.
- Due to the ease of access of open source technology, it creates a level playing field for businesses that are looking to deploy the technology but lack the scale of funding that big corporations have.
- Given the transparency of the model structure, training process, training data and source code of the AI, it would be easier for vulnerabilities to be identified by the community.
- Where the training data and data provenance are made public, it provides an avenue for users to verify the legitimacy and ethical aspects of the data used to train the AI.
(ii) Cons
- Owing to its accessibility, open source AI also lowers the barrier of entry for cybercriminals and malicious actors to build so-called “AI without guardrails”.
- Sustainability of an open source initiative is also a key concern. Given that there is usually little to no cost for the access of open source technology, the community is usually not paid to maintain the initiative and is doing it purely out of passion. An open source project that fails to maintain adequate attention from the community will have a high likelihood of failure.
- Due to the lack of dedicated personnel in an open source initiative, businesses in need of technical support after adopting the open source technology may struggle to receive timely support services.
- The potential legal risk associated with open source AI is intellectual property disputes. When multiple contributors collaborate on an open source project, there is inherently a risk that someone may inadvertently or unintentionally contribute code or other intellectual property that they do not have the legal right to share. This could lead to legal challenges regarding ownership, licensing rights, or infringement claims, particularly if the project gains significant traction or commercial use.
2. Closed Source AI
(i) Pros
- A privately owned AI model is usually easier to use and integrate into existing systems, offering a plug-and-play solution to businesses that may not have a high level of technical capability.
- Due to the proprietary nature of a closed source AI, it provides some level of control as to who can license, access and use the AI, thereby reducing the risk of misuse or abuse.
- Organisations deploying closed source AI would typically have dedicated teams providing support to users. As such, users of closed source AI can expect certain service levels from the licensors.
- Closed source AI is also often the preferred model of distribution for companies looking to maintain a competitive edge in the market by keeping their technology behind a walled garden and treating it as a trade secret.
(ii) Cons
- Owing to lack of transparency in the data provenance of a closed source AI, users will not be able to independently verify the legitimacy of the data used to train the AI model.
- Use of closed source AI may also lead to vendor lock-in, making it challenging for users to switch to another AI provider.
- Costs required to access a closed source AI may also be a concern, and this is often a stumbling block for companies with a limited budget.
Choosing Between an Open Source or Closed Source AI
There is no fixed answer as to whether an open source or closed source AI is better. Ultimately, it all depends on the company’s objective for the use of AI, its in-house AI capability, and the specific concerns that the company has when it comes to AI deployment.
A company that lacks the capabilities and resources to modify and customise an open source AI may be better suited to licensing a closed source AI with a focus on user-friendliness. On the other hand, a company with very unique AI needs may not be able to find a closed source AI that is suitable for its intended usage, and may be better off building on an open source AI on its own.
Another crucial factor in choosing between open source and closed source AI is the legal consideration, including, but not limited to, regulatory compliance and data privacy requirements. Depending on the jurisdiction, there may be specific regulations or codes of ethics governing the use and deployment of AI, particularly regarding data handling, privacy protection, ethical considerations and/or risk assessments. Companies must carefully assess whether the chosen AI solution, whether open source or closed source, aligns with these legal and regulatory frameworks and considerations, and what additional obligations are imposed under applicable laws before an AI can be implemented.
Adoption of open source and closed source AI both present their own sets of challenges. The open source licensing terms of an open source AI may have express requirements to be met before users can enjoy the AI for its intended open source benefits. For example, users could be required to make public the result of their customisations of the open source AI, failing which certain payment obligations may be required. For privately owned, closed source AIs, the vendors may impose terms in their licensing agreements that could be onerous or unfavourable to the users. It is therefore extremely crucial that businesses employ a legal team that is familiar with the AI industry and software licensing terms to advise on the risks involved and how to mitigate them.
Before any form of AI adoption, the best practice is always to procure legal advice on the risks associated with the AI project and the legal requirements that would apply. Legal counsel familiar with the AI industry and software licensing would also be able to assist with reviewing and/or structuring the AI licensing terms, ensuring your objectives are met and that risks are well addressed and mitigated. If you have any questions or needs when it comes to AI adoption, please feel free to reach out to the team of technology lawyers at Halim Hong & Quek.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group (Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity), Halim Hong & Quek, ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group (Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity), johnson.ong@hhq.com.my
26 March 2024
Air Canada Case Exposes AI Chatbot Hallucination Risks: A Mitigation Guide for General Counsel
In the current business landscape, the race to harness the power of Artificial Intelligence (“AI”) is in full swing. One of the most straightforward and cost-effective strategies is the integration of AI Chatbots into company websites, as these AI Chatbots are capable of interacting with customers and answering their queries, which can significantly reduce expenses tied to traditional customer service. However, while many companies are eager to adopt AI Chatbots, there is a critical issue that often goes overlooked or remains unaddressed: the problem of AI Chatbot hallucinations. This issue can lead to severe legal complications, such as negligent misrepresentation, and in this article, we aim to delve deeper into this serious concern.
Understanding AI Chatbot Hallucinations
To fully grasp the issue at hand, it is essential to understand what “hallucination” means in the context of AI. While many might expect AI to provide perfect and flawless answers, the reality often falls short, with AI-generated outputs frequently being inaccurate—a phenomenon referred to as "hallucination."
In the realm of AI, especially in machine learning and neural networks, hallucination refers to the generation of incorrect, nonsensical, or entirely fabricated information during data processing or generation. This issue is often most prevalent in generative models, such as GPT (for text) or DALL-E (for images), where the AI might produce outputs that do not accurately reflect the input data or real-world knowledge. These inaccuracies can stem from biases in the training data, overfitting, underfitting, or limitations in the model’s architecture. For instance, an AI trained on a dataset of images might “hallucinate” objects in generated images that weren’t present in the original prompt, or it might combine features of different objects in nonsensical ways. Similarly, in natural language processing, an AI might generate plausible-sounding but factually incorrect statements based on patterns it learned during training, which don’t actually represent real-world knowledge.
The Air Canada Case: Legal Implications of AI Chatbot Hallucinations
The hallucination effect of AI Chatbots could land companies in hot water legally, especially when customers rely on the information provided by the AI Chatbot to make decisions. This is exactly what happened in the very recent decision of Moffatt v. Air Canada, 2024 BCCRT 149 (“the Air Canada case”), where Air Canada faced legal consequences due to the hallucination effect of its AI Chatbot.
The Air Canada case, while seemingly straightforward, carries profound implications and offers invaluable lessons for companies implementing AI Chatbots on their websites, apps, or other platforms.
The Air Canada case revolves around a customer who, following the death of a family member, sought to book a flight with Air Canada. The customer interacted with the AI Chatbot on the Air Canada website, which advised that the customer could apply for bereavement fares retroactively by submitting a request within 90 days of ticket issuance. Relying on the advice and information provided by the AI Chatbot, the customer purchased the ticket and then applied for the bereavement reduction within the stipulated 90-day period as advised. However, the situation took a turn when Air Canada denied the bereavement fare claim, explaining that the AI Chatbot had provided "misleading words" that contradicted the information on the bereavement travel webpage. According to the webpage, the bereavement policy does not apply retroactively, rendering the customer ineligible for the bereavement fares.
Air Canada attempted to absolve itself of liability for the wrong information provided by the AI Chatbot by arguing that the AI Chatbot is a separate legal entity that is responsible for its own actions. This argument, however, was rejected by the Civil Resolution Tribunal ("CRT") in Canada. The CRT unequivocally stated that "while a chatbot has an interactive component, it is still just a part of Air Canada's website. It should be obvious to Air Canada that it is responsible for all the information on its website… I find Air Canada did not take reasonable care to ensure its chatbot was accurate." The CRT further ruled that the customer had relied on the chatbot to provide accurate information, which the AI Chatbot failed to do. Therefore, this is a case of negligent misrepresentation on the part of Air Canada, and the customer is entitled to damages.
The Air Canada case serves as a critical examination of how companies utilize AI Chatbots and the potential legal ramifications. Indeed, Air Canada attempted to make an interesting argument by claiming that the AI Chatbot is a separate legal entity and should be responsible for its own actions. However, the notion that AI is a sentient entity capable of independent thought and action is a common misunderstanding. In reality, AI operates through neural networks that undergo continuous training and adjustment of weights and biases based on the input data. It is crucial to grasp that AI doesn't possess consciousness or autonomy; rather, its functionality is entirely determined by the parameters set during its training. The outcomes produced by AI are essentially predictable and controllable, as they are guided by the patterns and information ingrained within the training data. In essence, AI should be viewed as a sophisticated tool that executes tasks based on predefined algorithms and learned patterns, rather than exhibiting genuine cognitive processes or decision-making abilities.
Given that companies owe a duty of care to ensure that the representations, advice or answers provided by the AI Chatbot are true, accurate and not misleading, the next question is whether, given the current state of "hallucinations" in AI, it is even possible for companies to completely eliminate "hallucinations" or errors in AI-generated content.
The truth is that eliminating hallucinations entirely in AI systems is a daunting task. Even reducing these errors and striving for greater accuracy would demand significant resources and effort, as it involves the acquisition of high-quality data, the training of sophisticated models that require substantial computational power, and the continuous development of new model architectures or training techniques that can better handle the nuances of human language and knowledge. While many companies are keen to employ and leverage AI in their technology, most may not be prepared to invest in ensuring the accuracy and correctness of AI-generated answers, given the extremely high costs and resource-intensive work involved.
Therefore, companies need to find a balance between leveraging AI technology in their offerings to reduce costs and investing resources to eliminate hallucinations in AI. This involves ensuring that the representations made are true, accurate, and not misleading to potential customers. This issue also poses a significant concern for general counsels, as traditionally, legal teams would provide training to business units and employees to ensure that representations made to customers are accurate and to avoid negligent misrepresentation. However, general counsels cannot provide training to AI Chatbots, posing a potential risk and crisis management issue that should now be considered by general counsels.
Addressing the Challenge: Strategies for Risk Mitigation
In response to the challenges arising from potential inaccuracies and distortions in AI-generated content, companies utilizing AI Chatbots can adopt several strategic insights to effectively address and mitigate these concerns:
1. Strengthening Terms of Use: Companies should promptly reinforce their terms of use or terms of service agreements on their platforms. These updates should explicitly acknowledge the potential for inaccuracies in AI Chatbot responses, and customers should be informed of their responsibility not to solely rely on AI Chatbot information and to cross-reference data from official website sources.
2. Implementing Robust Disclaimers: It is imperative for companies to incorporate clear and comprehensive disclaimers and terms of use notices for users engaging with AI Chatbots. These disclaimers should unequivocally state the possibility of inaccuracies in the advice or information provided by the AI Chatbot, and users should explicitly acknowledge and agree that such responses cannot be construed as misrepresentation, thereby protecting the company from liabilities stemming from inconsistencies or inaccuracies.
3. Providing Training and Developing Internal Policies: Collaboration between legal and technology teams responsible for AI Chatbot deployment is paramount. Legal counsel should conduct training sessions to enhance the understanding of the data inputs driving the neural network systems behind AI Chatbots. Moreover, these interdisciplinary teams should collaborate to devise internal policies aimed at continuously enhancing the accuracy and reliability of the AI system's outputs.
4. Regular Auditing, Monitoring, and AI Model Red Teaming: Implementing regular audits, monitoring procedures, and AI model red teaming can collectively help identify and mitigate potential legal risks associated with AI Chatbot interactions. Companies should establish protocols for monitoring the performance and behavior of AI Chatbots, including reviewing chat logs, analyzing user feedback, and conducting periodic assessments of accuracy and compliance with legal standards. Additionally, integrating AI model red teaming, where teams simulate adversarial attacks to uncover vulnerabilities, can provide valuable insights into potential weaknesses and enhance overall robustness.
5. Transparent Communication Channels: Providing transparent communication channels for users to report inaccuracies or raise concerns about AI Chatbot responses can help mitigate legal risk. Companies should establish clear avenues for users to provide feedback or seek assistance when they encounter misleading or incorrect information from AI Chatbots. Additionally, companies should communicate openly with users about the limitations of AI technology and the steps being taken to improve accuracy and reliability. By fostering transparency and accountability, companies can build trust with users and minimize the risk of legal disputes related to AI Chatbot interactions.
Conclusion
By adopting these strategic insights, general counsels can effectively mitigate the risks associated with AI-generated content, ensure transparency with their customers, and proactively enhance the accuracy of their AI Chatbot interactions. As this field continues to evolve, it is advisable for companies and general counsels to collaborate with legal professionals well-versed in technology law to develop the right internal policies and strengthen the current terms and conditions on their webpages. In doing so, companies can continue to advance their technology while simultaneously reducing the risk of potential lawsuits arising from AI Chatbot hallucinations by ensuring a balance between technological advancement and legal safety.
If your organization is grappling with concerns regarding the accuracy of AI Chatbots and the potential legal risks associated with misrepresentation, our team is poised to provide expert assistance. Leveraging our proficiency in AI technology and legal frameworks, we offer tailored guidance to safeguard your Chatbot's outputs and ensure compliance with legal standards. Contact us today to proactively address these critical considerations.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
18 March 2024
Updated Financial Technology Regulatory Sandbox Framework Enhancements Introduced to Increase Accessibility
Bank Negara Malaysia (“BNM”) has on 29 February 2024 issued a new Policy Document (“PD”) on Financial Technology Regulatory Sandbox Framework (the “Framework”) to replace the earlier version that was issued back in 2016.
The new PD came into force on the date of its issuance, and it seeks to enhance the Framework so as to ensure proportionate regulatory facilitation and improve the operational efficiency of the existing sandbox procedures. This article attempts to provide a brief outline of the Framework and the enhancements introduced by the PD.
Financial Technology Regulatory Sandbox
As most would no doubt agree, the financial services industry is one of the most regulated industries anywhere in the world. This is hardly surprising given the importance of stability in the money market.
That being said, it is equally important for the financial services industry to keep pace with the development of technology to ensure innovation and service improvement. Due to the disruptive nature of their solutions, financial technology (“Fintech”) providers often find themselves facing difficulties in deploying them, owing to potentially archaic or non-accommodative regulatory frameworks. The Fintech regulatory sandbox (“Sandbox”) established under the Framework is an attempt by BNM to address this pain point.
The purpose of the Sandbox is essentially to allow Fintech solutions providers to have temporary rights to deploy and operate their solutions in a live environment, with more “relaxed” regulatory treatment. Participants in the Sandbox would have identified a series of regulatory requirements that they are unable to meet due to the nature of their solutions or business model, and exemptions would be granted to them for a limited duration from having to comply with these regulatory impediments. Upon the expiry of the “playtime”, BNM will then make an assessment as to whether a Sandbox participant should be allowed continued operation of its solution.
Enhancements to the Fintech Regulatory Sandbox Framework
The PD introduces two (2) enhancements to the Framework:
(i) A fast-track application and Fintech solutions testing approval process called the “Green Lane”; and
(ii) A simplified process to assess the eligibility of an applicant to participate in the “Standard Sandbox”.
We will provide a summary of each of the enhancements in turn below.
1. Green Lane
The Green Lane is a fast-track approval process set up especially for financial institutions (“FIs”) only. FIs with proven track records in strong risk management, compliance and governance, can utilise the Green Lane to shorten the time required to obtain approval to test their Fintech solutions in the Sandbox.
Interested and eligible FIs can make an application to participate in the Sandbox through the Green Lane by demonstrating their past records in risk management, compliance and governance. Once BNM is satisfied with an FI’s track record in risk management, compliance and governance, a Green Lane approval will be issued. Thereafter, the FI will only have to register its Fintech solutions with BNM for testing in the Sandbox, at least 15 days prior to the intended testing commencement date. An FI with Green Lane qualification can register multiple Fintech solutions for testing over the subsistence of its Green Lane qualification, and there is no need for the FI to make a fresh Green Lane application each time.
Overall, the Green Lane is a new path to Fintech solution testing in the Sandbox that is much simpler than the Standard Sandbox process (which we will get to in the next section). The Green Lane affords FIs a faster process to test their Fintech solutions in the Sandbox, subject to the FIs first proving their eligibility to be in the Green Lane. Notwithstanding the easier access to the Sandbox however, the FIs in the Green Lane will still have to adhere to certain parameters and safeguards prescribed under the PD, primarily for customer protections, and BNM still reserves the right to revoke an FI’s Green Lane qualification or reject the registration of Fintech solutions to be tested, particularly where adverse developments have been observed during the testing of Fintech solutions.
Fintech companies or non-FIs can make use of the Green Lane by collaborating with FIs (e.g., outsourcing of Fintech solutions to FIs, equity participation, joint venture, etc.), subject however to the discretion of BNM.
2. Simplified Eligibility Assessment for the Standard Sandbox
The Standard Sandbox entails a 2-tiered assessment process. In the first stage, applicants are first assessed on whether they are eligible to take part in the Standard Sandbox. Once the first stage has been passed, the applicants are then assessed on their readiness or preparedness in satisfying BNM’s considerations to test the Fintech solutions.
Under the new PD, the stage 1 assessment is simplified to the extent that an applicant will only have to demonstrate (amongst others) its ability to identify and mitigate risks associated with the Fintech solution testing, and a semi-functional prototype of the Fintech solution within 3 months from the date of application for participation in the Standard Sandbox. This is a much-welcomed change from the regulator’s past approach of requiring an applicant to have a ready product before making any application to participate in the Sandbox. Now, an applicant will only be required to come up with a fully functional prototype during the second stage of the assessment process, allowing greater flexibility to the applicant.
The effort of BNM in ensuring the regulatory framework keeps pace with technology evolution certainly deserves applause. The enhancements to the Framework brought by the new PD effectively make the Sandbox more accessible to innovators and Fintech solutions providers. This should drive innovation and hopefully boost investment into the Fintech sector in Malaysia, giving Malaysians a better financial services experience enhanced by technology, as well as extending the reach of financial services to the financially underserved.
If you wish to know more about the Financial Technology Regulatory Sandbox Framework or need assistance in your application to take part in the Sandbox, you may reach out to our partners below.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
12 March 2024
Exploring Bitcoin Halving and its Significance
In continuation of our exploration into the intricacies of the cryptocurrency market, particularly in the wake of recent developments such as the approval of Spot Bitcoin ETFs in the United States, our focus shifts this week towards a phenomenon that has historically proven to be a pivotal event in the world of Bitcoin: the Bitcoin halving.
Building upon our previous discussions on "Understanding Spot Bitcoin ETF and Its Potential" and "Spot Bitcoin ETF Approval: A Rollercoaster 48 Hours and Its Global Regulatory Implications", we delve deeper into the significance of Bitcoin halving and its potential implications.
Understanding Bitcoin Halving
Bitcoin halving, occurring approximately every four years within the Bitcoin network, entails a reduction in the reward granted to miners for validating and appending new blocks to the blockchain. With each halving event, the miner reward is slashed in half, resulting in a gradual reduction in the rate of new Bitcoin issuance.
To grasp the significance of Bitcoin halving, it is imperative to comprehend the underlying mechanics of the Bitcoin network. Fundamentally, Bitcoin operates on blockchain technology, a decentralized ledger maintained by a network of computers, or nodes. These nodes validate transactions and ensure their integrity before appending them to the blockchain. “Mining”, a crucial aspect of the Bitcoin ecosystem, involves participants using specialized hardware to validate transactions and secure the network. In return for their efforts, miners are rewarded with Bitcoin.
The History of Bitcoin Halving
Since its inception in 2009, Bitcoin has undergone several halving events, each marked by a reduction in the block reward. From the initial reward of 50 Bitcoins per block, subsequent halvings in 2012, 2016, and 2020 have progressively decreased the reward to 25, 12.5, and 6.25 Bitcoins per block, respectively. The upcoming halving, slated for April 2024, is expected to further reduce the block reward to 3.125 Bitcoins.
The significance of Bitcoin halving lies in its profound impact on the supply dynamics of Bitcoin. As the rate of new Bitcoin issuance decreases with each halving, it results in a gradual reduction in the inflation rate of the Bitcoin supply. This scarcity mechanism often leads to increased demand and, consequently, upward price pressure on Bitcoin.
Moreover, the recent approval of Spot Bitcoin ETFs in the United States, though distinct from the halving event, is perceived by many as a catalyst for heightened institutional interest and investment in Bitcoin. The convergence of the Spot Bitcoin ETFs approval, which shores up institutional demand for Bitcoin, and the upcoming Bitcoin halving, which will reduce the supply of Bitcoin, amplifies the potential implications for the cryptocurrency market.
Potential Impacts of Bitcoin Halving
We anticipate three primary impacts stemming from the upcoming Bitcoin halving and the recent ETFs approval:
1. Institutional Adoption and Regulatory Implications: The combination of reduced Bitcoin supply and increased institutional interest driven by the Spot Bitcoin ETFs approval may catalyze greater institutional adoption of Bitcoin. This influx of institutional capital could prompt regulators worldwide to reassess their approach to cryptocurrency regulation, potentially leading to more comprehensive frameworks to govern the burgeoning industry.
2. Market Volatility and Increased Public Attention: Historically, Bitcoin halving events have been accompanied by heightened market volatility and increased media attention. The convergence of the halving with the ETFs approval is likely to amplify these effects, drawing renewed interest from retail investors and businesses alike. This renewed attention could further fuel market dynamics and shape broader perceptions of cryptocurrencies.
3. Business Integration of Blockchain Technology: With Bitcoin and blockchain technology gaining prominence, businesses may increasingly explore opportunities to leverage these innovations. The scarcity created by the halving, combined with institutional endorsement through ETFs approval, may incentivize businesses to integrate blockchain technology or even incorporate cryptocurrencies into their operations. However, this trend could also prompt regulators to impose tighter regulations to manage associated risks adequately.
The Intersection of Innovation and Regulation
In conclusion, the evolving regulatory landscape, coupled with significant market events such as the Bitcoin halving and Spot Bitcoin ETFs approval, underscore the need for institutions and businesses to navigate the cryptocurrency space with vigilance.
As regulations continue to evolve in tandem with technological innovation, stakeholders must prioritize compliance and risk management to thrive in this dynamic ecosystem. The forthcoming Bitcoin halving event serves as a poignant reminder of the interconnectedness of regulatory developments and market dynamics, urging stakeholders to remain proactive in their approach to navigating the evolving crypto landscape.
For comprehensive guidance and legal insights regarding the dynamic landscape of cryptocurrency and/or Fintech, our team of experts is ready to assist you. Feel free to reach out to us for further assistance and a tailored approach to navigating the complexities of this decentralized future. We look forward to being your trusted partner on this transformative journey.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
5 March 2024
Exploring the Patentability of Artificial Neural Networks (ANN) under UK Patent Law: The Emotional Perception AI Case
This week, we aim to delve into one of the most intriguing and arguably significant developments in the field of AI: whether Artificial Neural Networks (ANN) would be subject to exclusion as invention under the UK Patents Act 1977.
It is well established that Section 1(2)(c) of the Patents Act 1977 excludes 'a program for a computer' as an invention and thereby denies patent protection in relation thereto. However, the pivotal question at hand is whether ANN falls within this exclusion. This precise issue was examined in the UK High Court case of Emotional Perception AI Ltd v Comptroller-General of Patents, Designs, and Trade Marks [2023] EWHC 2948 (Ch). The case focuses solely on the matter of exclusion, and in this article, we aim to meticulously examine and analyze this critical judgment.
The Emotional Perception AI Case holds particular significance and interest as it represents the first authoritative examination of the exclusion concern pertaining to patent protection for ANN. For this reason, the case extensively addresses the nature of ANN and their operational mechanisms before delving into the question of whether ANN falls within the exclusion under Section 1(2)(c) of the Patents Act 1977.
Examining the Structure and Functionality of ANNs
The case begins by dedicating an entire section to elucidating and clarifying the structure of ANN and its functionality. The UK High Court explains that an ANN 'can be envisaged as a black box which is capable of being trained on how to process an input, learning through that training process, retaining that learning internally, and subsequently processing input in a manner derived from that training and learning.'
The UK High Court further elaborated that a hardware ANN essentially constitutes a physical box containing electronic components. The ANN ‘consists of layers of neurons which, anthropomorphising somewhat, are akin to the neurons in the brain. They are arranged in layers and connected to each other, or at least some others, and to layers below. Each neuron is capable of processing inputs and producing an output which is passed on to other neurons in other layers, save that the last layer produces an output from the system and not to another layer. The processing is done according to internal instructions and further processes such as weights and biases applied by the neurons. Thus one feeds data in at the "top" and it is processed down through the layers in accordance with the states of the neurons, each applying its weights and biases and passing the result on, until the result of the processing is reflected in an output at the bottom.'
Additionally, the court elucidated the training process of an ANN, highlighting that once an ANN has completed its training and learning process, the ANN’s structure becomes fixed and ready for use with real data. At this stage, no further adjustments or programming activities occur. The data passing through the ANN undergoes processing solely through the ANN’s nodes, with no human intervention in determining their state or operations, as ‘the state of the nodes, in terms of how they each operate and pass on data, is determined by the ANN itself, which learns via the learning process described above.’
Summarizing the nature of a hardware ANN, the UK High Court stated, 'What I have just described is a hardware ANN. That is to say, it is a piece of hardware which can be bought off the shelf and which contains the nodes and layers in hardware form. However, an ANN can also exist in a computer emulation. In this scenario a conventional computer runs a piece of software which enables the computer to emulate the hardware ANN as if it were a hardware ANN.'
Whether a Hardware ANN is a Computer?
Unexpectedly, while addressing the exclusion issue, one of the pivotal aspects scrutinized by the UK High Court was to actually determine the definition of a 'computer' for the purpose of exclusion, and whether a hardware ANN qualifies as a ‘computer’ or a ‘program for a computer’. Referring to the Oxford English Dictionary, the court found that a hardware ANN aligns with the definition of a computer, and consequently, the judge asserted, 'I consider that in everyday parlance it would be regarded as a computer, and ought to be treated as one within the exclusion.' In essence, since the ANN itself isn't a program for a computer, the entirety of the claim wouldn't fall under the exclusion stipulated in Section 1(2)(c) of the Patents Act 1977.
Technical Contribution and Patentability
After concluding that ANN was not a program for a computer, but indeed a computer itself, the UK High Court proceeded with caution by further analyzing a series of cases on technical contribution and concluded that a trained hardware ANN ‘can be regarded as a technical effect which prevents the exclusion applying… insofar as necessary, the trained hardware ANN is capable of being an external technical effect which prevents the exclusion applying to any prior computer program. There ought to be no difference between a hardware ANN and an emulated ANN for these purposes.’
Conclusion and Outlook
The Emotional Perception AI Case holds particular significance for two distinct reasons. Firstly, it establishes that a hardware ANN should be classified not as a program for a computer, but as a computer itself. Secondly, even if the first determination were to be considered inaccurate, the High Court further ruled that a trained hardware ANN could be deemed to possess a technical effect, thus preventing the exclusion from applying to any preceding computer program. This judgment marks a significant milestone in AI development, offering a fresh perspective and opening up new possibilities for the patentability of AI inventions.
With that being said, we still maintain a cautious approach and will continue to monitor legal developments in this area. As we continue to navigate the complexities of AI patent law, this ruling serves as a beacon of progress, fostering optimism for future legal developments that accommodate and encourage innovation in AI.
If you are looking to develop AI tools and have concerns about intellectual property protection or safeguarding the output, please reach out to our dedicated team of professionals. With a deep understanding of both AI technology and intellectual property law, our lawyers are well-equipped to assist you throughout the entire process, ensuring that your AI-generated work receives the protection it deserves in the rapidly evolving legal landscape.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
28 February 2024
Payment for Exemption from Building Low-Cost Housing is NOT Tax-Deductible
In the recent case of Ketua Pengarah Hasil Dalam Negeri Malaysia v Ehsan Armada Sdn Bhd [2023] MLJU 2906, the Court of Appeal held that payment made by Ehsan Armada Sdn Bhd
28 February 2024
A QUICK GUIDE ON “NOTICE PROVISION” IN A CONTRACT
Introduction
The "notice provision" tends to be overlooked by the parties entering into agreements, as these clauses are often seen as standard boilerplate, presumed to have minimal significance or impact. However, the notice provision/clause, which is found in the miscellaneous clauses at the end of a contract or sometimes appears as a standalone section, deserves more attention.
The intention of this article is to encourage a careful examination of this clause/provision each time it surfaces in a contract.
Purpose of a “Notice Provision”
Unlike many other terms in an agreement, the notices provision is rarely subject to negotiation and it is not crafted to benefit one party over the other. Instead, its purpose is to minimise potential disputes by defining the criteria or requirements for giving a valid contractual notice.
A “Notice Clause” usually outlines the necessary details on how and to whom notices must be delivered for the contract to be legally binding. These clauses are essential in specifying notice periods for various scenarios, such as term renewals, exercising a right under the contract, event of default, termination, etc.
These clauses ensure that one party gives fair warning to the other when exercising their legal rights under the contract. Essentially, the notice provisions establish the methods and recipients for communication, ensuring that critical matters are brought to the attention of the involved parties in accordance with the terms of the contract.
Things to note when reviewing the “Notice Provision”
When reviewing the notice provision, the key elements to focus on are as follows:
Examples of “Notice Provisions”
Below are some examples of “notice provisions/clauses” extracted from different types of agreements. While these examples may not encompass the entire spectrum of notice clauses encountered, they serve to demonstrate the diversity of these provisions across different contracts.
Sample Notice Clause No.1
(a) All notices, demands or other communications required to be given or made in connection with this Agreement shall be in writing and shall be sufficiently given or made if –
(i) delivered by hand;
(ii) sent by pre-paid registered post; or
(iii) sent by email (provided that there has been successful transmission),
addressed to the person authorised to receive the notice as set out in Schedule 1 or at such address or email address as may be notified in writing by one Party to the other Party from time to time.
(b) Any such notice, demand or other communication shall be deemed to have been duly served if it is (i) delivered by hand or sent by pre-paid registered post, at the time of delivery; or (ii) if made by email transmission, at the time of email transmission (provided that there is no non-delivery notice received by the sender), provided that if the time of delivery or transmission falls beyond 6.00 pm on a Business Day, such notice, demand or other communication shall be deemed to have been duly served at 9.00 am the next Business Day.
Sample Notice Clause No.2
1.1 Any notice to be given under this Agreement shall be in writing and either be delivered personally or sent by registered post or, by courier or email.
1.2 Unless earlier notified to the other Party of any other address for service, the address for service of each Party shall be as follows:
(a)
ABC Sdn Bhd
No. 123, Wembley Street, 60000 Kuala Lumpur
Email address: ABC@email.com
Attention to: Contract Manager
(b)
XYZ Sdn Bhd
No. 888, Lorong Kenari, 47000 Petaling Jaya, Selangor
Tel No.: 03-8888888
Email address: XYZ@email.com
Attention to: Legal Manager
1.3 A notice shall be deemed to have been served:
(a) If delivered personally, at the time of delivery;
(b) If posted by way of registered post, three (3) Business Days after posting; or
(c) If made by email transmission, at the time of email transmission (provided that there is no non-delivery notice received by the sender).
1.4 A party may change its address or email address for notices by giving written notice to the other party.
Sample Clause No. 3
NOTICES
a) Any notice to be given by either party to the other in connection with this Agreement shall be in writing and may be given personally or sent by fax or by prepaid registered post to the other party at the address contained in this Agreement.
b) Any notice sent by facsimile shall, in the case of a facsimile sent before 5.00 pm on a Business Day, be deemed served on receipt of a successful transmission notice and, in the case of a facsimile sent after 5.00 pm on a Business Day, at 10 am on the next following Business Day. If delivered by hand, any notice shall be deemed to have been served at the time and date of delivery. Any notice served by registered post shall be deemed served 5 Business Days after posting. In proving the service of any notice it will be sufficient to prove, in the case of a letter, that such letter was properly stamped, addressed and placed in the post and, in the case of a facsimile, that such a facsimile was duly dispatched to a current fax number of the addressee. Notice given under this Agreement shall not be validly served if sent by email.
Conclusion
Failing to adhere to the requirements of a notice clause in the contract can lead to significant consequences.
Hence, it is crucial for the parties involved in the contract to ensure that they meet all the contractual requirements/obligations when issuing the notice under the contract. Further, this process becomes straightforward when the notice clause is drafted in a clear and concise manner.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the author
Lynn Foo
Partner
Construction & Energy Unit
Harold & Lam Partnership
lynn.foo@hlplawyers.com
28 February 2024
STAMP DUTY FOR FOREIGN CURRENCY LOAN
Introduction
Stamp duty is chargeable on instruments but it is not chargeable on transactions. The instruments that are liable to stamp duty are listed in the First Schedule of the Stamp Act (Act 378) (“the Act”). Any unstamped or insufficiently stamped instrument is inadmissible as evidence in a court of law, nor will it be acted upon by a public officer.
Ad Valorem Stamp
The rates of the stamp duty payable vary based on the nature of the instrument, i.e. whether the instrument will be stamped ad valorem (that is, according to the value) or in fixed stamp duty. In the case of ad valorem stamp, the amount of the considerations stated in the instruments or the market value of the property plays a vital role in deciding the amount of the stamp duty.
According to the guideline provided by Lembaga Hasil Dalam Negeri (“LHDN”)[i], the imposition of ad valorem duty is on:
1. Instruments of transfer (implementing a sale or gift) of property including marketable securities (meaning loan stocks and shares of public companies listed on the Bursa Malaysia Berhad), shares of other companies and of non-tangible property (e.g. book debts, benefits to legal rights and goodwill);
2. Instruments creating interests in property (e.g. Tenancies and Statutory Leases);
3. Instruments of security for monies, including instruments creating contracts for payment of monies or obligation for payment of monies (generally described as “Bond”); and
4. Certain capital market instruments (e.g. Contract Notes).
Foreign Currency Loan Agreement/Loan Instrument
The calculation of stamp duty on loan agreements for a foreign currency loan differs from that for a Malaysian Ringgit loan. Malaysian Ringgit loan agreements generally attract stamp duty at 0.5%, whereas a foreign currency loan attracts a flat rate stamp duty of RM5 per RM100 or part thereof. The RM2,000 stamp duty ceiling cap has no longer been applicable since the enforcement of Section 27(iii) of the First Schedule of the said Act on 1 January 2024.
The wordings of Section 27(iii) of the First Schedule of the said Act are as follows:
For illustration purpose, please see the example below regarding the calculation for the stamp duty on a facility agreement dated 2 January 2024 (the facility agreement as the principal agreement will be subject to ad valorem duty) for a loan of USD100,000.00:
[i] https://www.hasil.gov.my/en/stamp-duty/
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the author
Loong Shi Yi
Associate
Real Estate, Banking & Finance
Halim Hong & Quek
syloong@hhq.com.my
28 February 2024
Failure to Plead the Relevant Contractual Clause in Adjudication Proceedings (CIPAA 2012) is Fatal
Anas Construction Sdn Bhd v JKP Sdn Bhd & Another Appeal [2024] MLJU 53; [2024] CLJU 63; (Civil Appeal No.: 02(f)-4-01-2023(P)) (Federal Court)
This recent Federal Court decision confirms the position that an Adjudicator can only decide on the cause of action (provisions in the contract) that have been specifically referred to him/her pursuant to the Payment Claim. The Court held that the Adjudicator had exceeded his jurisdiction by referring to another provision in the contract that has not been referred by the claimant in the Payment Claim.
In coming to this decision, the Federal Court, in a majority judgment (2:1), found that the plain meaning of section 27(1) of the Construction Industry Payment and Adjudication Act 2012 (“CIPAA 2012”) is that the jurisdiction of an Adjudicator is limited to matters referred to by parties pursuant to sections 5 and 6 of CIPAA 2012. Since section 5(2)(b) of CIPAA 2012 requires the claimant to include in the Payment Claim the cause of action and the provision under the contract to which the payment relates, the Federal Court stated that the claimant must identify all the provisions in which it seeks to rely on, and the Adjudicator cannot rely on other provisions which have not been referred by parties.
Background Facts
The Respondent appointed the Appellant as the main contractor for the construction and completion of a project in Penang, for a sum of RM67,994,500.00.
In carrying out the Project, the Appellant had engaged independent professional Consultants to provide a report in regards to cracked beams and a safety report. The consultants’ fees incurred by the Appellant were RM855,074.21. As the Respondent had allegedly failed, neglected, or refused to pay the consultants’ fees, the Appellant brought a payment claim against the Respondent to adjudication under CIPAA 2012.
The Appellant served the Payment Claim on the Respondent on 6.3.2019. In the Payment Claim, the Appellant pleaded clauses 28, 55 and 56 of the Contract to establish its cause of action against the Respondent. In the Payment Response dated 22.3.2019, the Respondent contended, among others, that the Appellant’s claim does not fall within the meaning of “construction contract” under section 5(1) of CIPAA 2012.
Thereafter, in the Adjudication Claim, the Appellant again referred to and relied on clauses 28, 55 and 56 of the Contract in support of its claim for the consultants’ fees. On the other hand, in the Adjudication Response, the Respondent contended that the relevant clause in relation to the Appellant’s claim would be clause 36.5 of the Contract, which was not relied upon by the Appellant.
On 12.9.2019, the Adjudicator handed down the Adjudication Decision in favour of the Appellant. The Adjudicator awarded the sum of RM806,673.78 being the adjudicated sum, to the Appellant. In coming to the decision, the Adjudicator relied on clause 36.6 of the Contract rather than clauses 28, 55 and 56 of the Contract as submitted by the Appellant in the Payment Claim and Adjudication Claim. The Adjudicator found that clause 36.6 was most applicable to the Appellant’s claim.
At the High Court, the Appellant’s application to enforce the Adjudication Decision was allowed. Consequently, the High Court dismissed the Respondent’s application to set aside the Adjudication Decision. The High Court was of the view that the Adjudicator did not act beyond his jurisdiction and had acted fairly and independently.
However, the High Court’s decision was reversed on appeal. The Court of Appeal held that the Adjudicator had acted in excess of his jurisdiction when deciding the adjudication on a clause of the Contract that was not relied upon by the Appellant in the Payment Claim and Adjudication Claim. Further, the Court of Appeal found that the omission of the Adjudicator to invite the parties to submit on clause 36.6 of the Contract is a denial of natural justice. Hence, the Adjudication Decision was set aside.
On 3.1.2023, the Federal Court granted the Appellant’s leave to appeal on the following questions of law, namely:
Q1: Do the strict rules of pleadings, as applicable in civil claims before the Malaysian Courts, apply in adjudicating proceedings under the CIPAA 2012?
Q2: Whether the dicta in View Esteem Sdn Bhd v Bina Puri Holdings Bhd [2018] 2 MLJ 22 prohibits an adjudicator from referring to a specific clause in a construction contract when allowing the claim when the said clause was not specifically stated in the Payment Claim and Adjudication Claim by the claiming party?
Q3: In a CIPAA Award, does the adjudicator’s consideration of a specific clause in the construction contract, not specifically stated in the Payment Claim or Adjudication Claim, without inviting parties to submit further on the said clause, amount to a breach of natural justice or an act excess in the jurisdiction, such that the said Award ought to be set aside?
Summary of the Majority Grounds of Judgment by Nordin Bin Hassan, FCJ
In determining the appeal, the Federal Court found that the main issue relates to the jurisdiction of an Adjudicator under CIPAA 2012. Section 27 of CIPAA which speaks on the jurisdiction of the Adjudicator is held to be plain and unambiguous; in that the jurisdiction of an Adjudicator is limited to matters referred to by parties pursuant to sections 5 and 6 of CIPAA 2012.
Section 5 of CIPAA 2012 relates to the Payment Claim, whereas Section 6 of CIPAA 2012 relates to the Payment Response. Amongst others, section 5(2)(b) of CIPAA 2012 requires the claimant to include in the Payment Claim the cause of action and the provision under the contract to which the payment relates. On this point, the Federal Court held that the cause of action in a contract must relate to a provision or provisions in the construction contract to support the claim. The cause of action arises when there is a breach of a provision of the contract and therefore, the cause of action is subject to the agreed provisions in the contract.
On the facts, the Federal Court found that the Adjudicator had relied on clause 36.6 of the Contract in allowing the Appellant’s claim, and did not rely on any of the clauses referred by the Appellant in the Payment Claim filed pursuant to section 5 of CIPAA 2012.
The Court further commented that the parties did not give written consent to extend the jurisdiction of the Adjudicator to adjudicate the matters relying on clause 36.6 of the Contract, as required under section 27(2) of CIPAA 2012, which the Court opined should have been done.
Since the Adjudicator’s jurisdiction is limited to matters referred to the Adjudicator under Sections 5 and 6 of CIPAA 2012, the Adjudicator exceeded his jurisdiction in deciding the dispute based on Clause 36.6 of the Contract (not pleaded/ relied upon by the parties).
As the Federal Court found that the Adjudicator had acted in excess of his jurisdiction, the Adjudication Decision can be set aside under section 15(d) of CIPAA 2012.
On the issue of denial of natural justice, the Federal Court found that it is undisputed that parties were not given the opportunity to submit on the cause of action under clause 36.6 of the Contract before the Adjudication Decision was delivered.
Further, submissions by the parties may have persuaded the Adjudicator in the present case to decide differently. The principle of natural justice includes allowing parties to present their case effectively.
The failure of the Adjudicator to provide an opportunity to the parties to submit on the cause of action under Clause 36.6 of the Contract before arriving at his decision in the Adjudication Decision, is a denial of natural justice.
In light of the above, the Court found that the issue of strict rules of pleadings does not arise as the Adjudicator’s jurisdiction is governed by section 27(1) of CIPAA 2012.
Therefore, the Federal Court affirmed the decisions of the Court of Appeal.
Summary of the Minority Grounds of Judgment by Mary Lim Thiam Suan, FCJ
The learned Federal Court Judge (FCJ) foremost opined that the analysis and resolution of the 3 questions of law requires a return to the fundamental principles of statutory adjudication introduced in Malaysia, and that it is a regime solely and exclusively for and in the realm and practice of construction contracts as defined in section 4 of CIPAA 2012. Further, the learned FCJ stated that the adjudication regime is only available to payment disputes, and that it is meant to resolve disputes relating to claims of non-payment for work done or services rendered under the express terms of a construction contract.
Another facet of the adjudication regime as highlighted by the learned FCJ is that persons who are qualified to sit or be appointed as adjudicators are not necessarily legally qualified. This feature has, in the learned FCJ’s view, a substantial bearing against any argument or insistence of likening adjudication proceedings to proceedings in a Court of law.
Having set out the basic principles of statutory adjudication in Malaysia, the learned FCJ went on to discuss the 3 questions posed:
Question 1
The learned FCJ was of the view that the answer must be in the negative as there are no pleadings in statutory adjudication as generally understood and practised in Court proceedings.
Under CIPAA, there are only 2 sets of documentation. The first set of documentation is known as the payment claim and the payment response, provided under sections 5 and 6 of CIPAA. The learned FCJ likened payment claim to a letter of demand, as at that stage, there is no payment dispute as yet to refer to adjudication. The second set of documentation would be the adjudication claim, adjudication response and adjudication reply.
The learned FCJ referred to View Esteem and stated that the difference between a payment claim and an adjudication claim is that the adjudication claim broadly outlines the “nature and description of the dispute along with the remedy sought” whereas the payment claim contains the details of the claim so that the cause of action can be discerned. Hence, it is the dispute that arises from the payment claim that the adjudicator is required to adjudicate upon, decide and deliver the adjudication decision. And because it is the dispute arising from the payment claim that is being referred to adjudication, the learned FCJ took the position that it would be erroneous and misleading to describe the payment claim and payment response as pleadings.
On the facts, the learned FCJ found that it was not the case that the Appellant failed to cite any provisions of the Contract and/or that the Appellant had failed to comply with section 5(2)(b) of CIPAA 2012. Even if the Adjudicator had determined the claim upon clause 36.6 of the Contract, which the learned FCJ opined he did not, the learned FCJ was of the view that this is not at all fatal to the Appellant. Thus, the learned FCJ disagreed with the Court of Appeal when it concluded that the Adjudicator’s reference or reliance to clause 36.6 of the Contract was fatal to the Appellant.
The learned FCJ also opined that the Court of Appeal had failed to give proper and due regard to the whole statutory adjudication scheme, the intent of CIPAA, its operation and application.
Specifically on section 5(2)(b) of CIPAA 2012, the learned FCJ is of the view that the inclusion of the words “including the provision in the construction contract to which the payment relates” is intended to be illustrative of what those details may be. The reason for this is so that the non-paying party can respond to the claim for work done or services rendered. In this case, the learned FCJ found that the Respondent had no difficulty at any stage to respond to the Appellant’s claim.
As regards section 27 of CIPAA 2012 on the jurisdiction of an adjudicator, the learned FCJ stated that the matter in dispute which was referred to adjudication was the claim for professional fees due under the terminated contract, and the Respondent was fully aware of that being the real and sole issue. Hence, the learned FCJ was of the view that the non-citing or even the citing of a wrong clause or provision of the contract does not render and cannot render the adjudicator bereft of jurisdiction.
In addition to the above, the learned FCJ found, on examination of the correspondence exchanged, especially the letters sent by the Appellant, that the letters show that the Appellant had actually invoked, among others, clause 36.6 of the Contract. The relevant correspondence was also cited in the Payment Claim, and also forms part of the Adjudication Claim. Hence, clause 36.6 of the Contract was quite clearly cited, and the Adjudicator’s reference to this clause was not made on a frolic of his own.
The learned FCJ further added that the whole construction contract was already before the Adjudicator, “pleaded” as it were, and it would be naïve to suggest that the Adjudicator is not entitled to look at the whole contract for its full terms and effect.
Question 2
The learned FCJ stated that in view of Her Ladyship’s reasons in relation to Question 1 and Her Ladyship’s finding that clause 36.6 of the Contract was actually “pleaded” or raised in the Payment Claim as well as Adjudication Claim, this question does not arise.
In any case, the learned FCJ was of the view that even if the Adjudicator had referred to or relied on clause 36.6 and such clause was not raised by the Appellant in the Payment Claim or Adjudication Claim, such reference or reliance is not fatal to the Appellant’s cause by reason of section 5(2)(b) of CIPAA 2012. The learned FCJ disagreed with the Court of Appeal’s interpretation of the dicta in View Esteem. The effect of View Esteem in respect of section 27 of CIPAA 2012 is simply that the adjudicator’s jurisdiction in relation to any dispute is limited to the matter of the claim which was referred to adjudication under sections 5 and 6 of CIPAA 2012.
As such, Question 2 is in the negative.
Question 3
In light of the learned FCJ’s findings that clause 36.6 of the Contract which purportedly formed the basis of the Adjudicator’s decision was actually cited in the Payment Claim, this Question was also answered in the negative.
In discussing this Question, the learned FCJ stated that it is only if the adjudicator goes off on a frolic of his own and decides the case on a factual or legal basis which has not been argued or put forward by either side, without giving the parties an opportunity to comment or put in relevant evidence, if appropriate, that the breach may be said to be material, rendering the decision reached liable to be set aside. However, if the “frolic” of the adjudicator makes no difference to the outcome, the decision must be enforced.
On the facts, the learned FCJ found that the reference by the Adjudicator to clause 36.6 of the Contract did not have the same materiality or significance. In addition to the fact that the Respondent was fully aware of the entire clause 36 of the Contract, the learned FCJ found that it was a matter of contractual construction which the Adjudicator was entitled to decide.
The learned FCJ concluded that it should only be in rare circumstances that an adjudication decision is set aside.
Comments
In light of the majority decision of the Federal Court, the non-paid party/claimant must be careful to refer to and rely on all relevant clauses of the construction contract in the payment claim as well as the adjudication claim, to avoid the adjudication decision being set aside on the grounds of excess of jurisdiction and/or breach of natural justice.
The adjudicator is strictly confined to adjudicating on matters pleaded within the adjudication pleadings. Therefore, parties involved in adjudication proceedings must be meticulous and ensure that the relevant clauses in a contract and/or cause of action are pleaded in the adjudication pleadings.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the author
Amy Hiew Kar Yi
Partner
Corporate Disputes, Construction, Projects & Energy
Harold & Lam Partnership
amy@hlplawyers.com
Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my
20 February 2024
Exploring the Legal Implications of AI as Inventors: UK Patent Law Perspective
The complexities surrounding intellectual property and artificial intelligence (“AI”) continue to unfold. While our previous article explored the murky waters of copyright protection for AI-generated works, this week we delve into another pivotal question: can AI be designated as the "inventor" under UK patent law? This issue has recently been addressed by the UK Supreme Court, offering some much-needed clarity on a subject rife with legal implications.
The Case Study: Dr. Thaler and "DABUS"
Filing of patent applications requires the inventor(s) to be named. Now imagine a scenario where an AI autonomously creates an invention, without any human interference or control. Could this AI be named as the "inventor" under UK patent law?
This is more than an academic discussion but an actual case in the United Kingdom, where Dr. Thaler filed two patent applications under the Patents Act 1977 for (i) a new kind of food or beverage container, and (ii) a new kind of emergency light beacon. Notably, neither application named a human inventor, nor did Dr. Thaler file a separate document designating one. In fact, Dr. Thaler emphasized and clarified that these inventions were created by his AI machine, called "DABUS", in which Dr. Thaler claimed that "DABUS" is the 'inventor', and since he is the owner of DABUS, he also claimed that he should be granted the right of patents for those applications.
This case doesn't focus on whether AI-generated technical advances are patentable or whether the term "inventor" needs broadening. Instead, it explores two key questions: (i) can AI ever be named as the "inventor," and (ii) can the owner of an AI machine obtain patents for inventions autonomously generated by that AI machine? It is crucial to note that this is not a case where Dr. Thaler is claiming that he was the inventor and used DABUS as a highly sophisticated tool, but a case where the claim is made on the basis that all inventions were made by his AI machine, DABUS, and since he owned DABUS, he should be granted the patent rights for those inventions.
Can AI be Designated as an "Inventor" under UK Patent Law?
Turning to the first question on whether AI could be named as the inventor under UK patent law.
The UK Supreme Court examined Sections 7 and 13 of the Patents Act 1977 and unanimously affirmed that the context of the Patents Act 1977 permits only one interpretation: an inventor must be a natural person. It allows no other interpretation to permit DABUS to be named as the inventor because "an inventor within the meaning of the 1977 Act must be a natural person, and DABUS is not a person at all, let alone a natural person... Accordingly, it is not and never was an inventor for the purposes of Sections 7 and 13 of the 1977 Act."
From the above, it is clear that the current UK patent law leaves no room for an AI to ever be named as the "inventor" given the strict requirement that an "inventor" must be a natural person.
Ownership of AI Machines and Patent Rights
Now we will turn to explore the second question: whether the owner of the AI machine is entitled to apply and obtain the patent in respect of any invention or any technical advance autonomously generated by the AI machine.
This is closely linked to the first question. The UK Supreme Court reiterated that the patent law is clear that the inventor must be a person. In this case, it is without doubt that DABUS was not and is not a person, and hence DABUS could not be named as the "inventor" under the patent law. It went on to clearly explain that "Section 7 does not confer on any person a right to obtain a patent for any new product or process created or generated autonomously by a machine, such as DABUS, let alone a person who claims that right purely on the basis of ownership of the machine." Therefore, given that DABUS could not be the "inventor", there is technically no "inventor" through whom Dr. Thaler could claim the right to obtain a patent for any technical advance.
From the above, two strong conclusions are made: (i) AI could not be named as the "inventor", as it must be a natural person, and (ii) the owner of the AI machine could not apply for and obtain patents for the technical developments purely on the basis that he has ownership of the AI machine when the inventions were wholly created by the AI machine autonomously.
Differentiating Human Oversight from Autonomous AI Inventions
It is crucial to highlight an important remark made by the Supreme Court that in cases where the inventor uses DABUS as a highly sophisticated tool, the outcome of these proceedings might well have been different.
This indicates that under the current law, inventions autonomously created by AI without any human inventor are not patentable in the UK. However, in cases where there is human oversight of AI in directing its work, the human inventor could then be named and be granted patent protection for the invention.
Implications and Recommendations
In conclusion, the UK Supreme Court's ruling has provided unequivocal clarity on the matter: AI cannot be designated as an inventor under current UK patent law. Furthermore, the ownership of an AI machine does not confer the right to obtain patents for inventions autonomously generated by the AI. These decisions underscore the necessity for organizations investing in AI to collaborate closely with legal experts to navigate the evolving landscape of intellectual property rights.
As technology continues to advance and AI plays an increasingly significant role in innovation, it is imperative for policymakers and legal frameworks to adapt accordingly. The current limitations highlight the urgency for legislative updates that address the unique challenges posed by AI-generated inventions. Until such reforms are enacted, organizations must prioritize comprehensive strategies for protecting their AI-driven innovations, ensuring that the contributions of both human inventors and AI systems are recognized and safeguarded within the bounds of existing legal frameworks.
If you are looking to develop AI tools and have concerns about intellectual property protection or safeguarding the output, please reach out to our dedicated team of professionals. With a deep understanding of both AI technology and intellectual property law, our lawyers are well-equipped to assist you throughout the entire process, ensuring that your AI-generated work receives the protection it deserves in the rapidly evolving legal landscape.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
8 February 2024
Whether AI-Generated Work Could be Protected by Copyright Law
In the current era, artificial intelligence (AI) has evolved from mere buzzword to a tangible advancement with an expansive
16 January 2024
Artificial Intelligence and Cybersecurity: A Double-Edged Sword Fight
The release of ChatGPT brought along with it a wave of Artificial Intelligence (“AI”) driven revolution. It is no exaggeration to say that AI has infiltrated almost every industry in existence. Some view AI as a harbinger of doom; some see it as a bearer of good news, here to ease our daily lives. For the cybersecurity market, it seems to have found itself in a love-hate relationship with AI. In this newsletter, we will be looking at how AI has single-handedly enhanced the efficiency and effectiveness of cybersecurity efforts, but at the same time also created more cybersecurity threats to individuals and organisations. AI-Enhanced Cybersecurity The underlying feature of AI is always to imitate human behaviour and actions, whether it is spotting trends and anomalies, or content writing and generation. When it comes to cybersecurity, AI can also be trained to facilitate and assist in the work of cybersecurity professionals. Oftentimes, the attack vectors that cybercriminals use to gain a foothold in their target’s IT environment are zero-day vulnerabilities in software used by the target. Zero-day vulnerabilities are hard to protect against because they are legacy issues unknown even to the owners or developers of the software. A specially designed and trained AI can be used to detect zero-day vulnerabilities in software, thereby helping cybersecurity researchers to flesh out potential attack vectors and to deploy patches and fixes accordingly, before actual exploitation by malicious actors. When AI is deployed in an organisation’s network server, it can also be used to flag potential phishing emails. Other than predictive initiatives, AI can also be trained to perform malware detection and tracing in the event of a cybersecurity breach. During a cybersecurity incident, the response team is always racing against time to mitigate damage. AI can substantially cut down the time in locating the root cause of the breach or to detect malware. 
AI Posing Cybersecurity Risks While there are many use cases of AI in enhancing cybersecurity, the flip side is also true in that AI itself is presenting new cybersecurity risks. Phishing emails crafted with AI are more convincing and sophisticated than ever, making them harder to be noticed. AI can also be used to learn the behaviour of a particular person before deploying phishing email to increase the chances of the phishing email being clicked on. For example, if an AI gathered that the target will normally receive and open emails sent by tax agents to his or her work email, a phishing email can then be crafted to imitate one sent by tax agents. The proliferation of AI also prompted the creation of the dark-side of ChatGPT – introducing the likes of WormGPT and FraudGPT. Unlike ChatGPT, these generative AI models do not have any safety guardrails. They are deployed to help cybercriminals to write malware and convincing phishing emails, thereby lowering the barrier to execute an attack. AI, just like any piece of software, if integrated and embedded in an organisation’s IT environment, can also potentially be used by cybercriminals as a possible attack vector if there are loopholes or vulnerabilities in the system. In an effort to deploy AI, an organisation may actually unknowingly create a way into its IT environment for threat actors. If cybersecurity researchers can use AI to locate zero-day vulnerabilities and to patch them, then cybercriminals can also use AI to find vulnerabilities in software to exploit and compromise. Fighting AI with AI AI has proven time and again that it can perform better (or at least faster) than human in many of the tasks that involve pattern and anomaly spotting, as well as information gathering and sorting. Crucially these are the nature of the work of cybersecurity professionals. There is a saying that to beat evil, one must become a greater evil. 
It seems a quick solution to cybersecurity risks exacerbated by AI is to deploy more advanced AI to strengthen cybersecurity. It will be a matter of the sharpest spear against the toughest shield.
Malaysia Cybersecurity Bill
Given the importance of cybersecurity, the Malaysia Cybersecurity Bill that is currently in the works will be a vital bullet in the fight against cyber threats. It remains to be seen what sort of tools the legislation will offer to defend the digital landscape, but it is definitely a move in the right direction. If you wish to know more about cybersecurity best practices, legal requirements relating to cybersecurity, personal data and breach notification requirements, please feel free to reach out to our team of experts. We look forward to working with you on your digital transformation journey.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
11 January 2024
Spot Bitcoin ETF Approval: A Rollercoaster 48 Hours and Its Global Regulatory Implications
Follow-up to the Previous Article: "Understanding Spot Bitcoin ETF and Its Potential"
In a historic move, Gary Gensler, the Chair of the U.S. Securities and Exchange Commission (SEC), has officially confirmed the approval and impending listing of Spot Bitcoin ETFs. This development marks the debut of the first Spot Bitcoin ETF in the U.S., shaping up to be one of the most anticipated and significant regulatory decisions in January 2024. The following chronicle outlines the dramatic 48 hours leading to the SEC's approval, shedding light on cybersecurity lessons and global regulatory implications.
Rollercoaster 48 Hours: A Chronicle of Events Leading to Approval
Over the past 48 hours, the journey towards the SEC's official approval of Spot Bitcoin ETFs has been nothing short of dramatic. On January 9, 2024 (US time), the SEC posted a now-deleted tweet on X (formerly Twitter), announcing the approval of #Bitcoin ETFs for listing on all registered national securities exchanges. However, the excitement was short-lived as the SEC swiftly deleted the tweet, attributing the action to a compromise of their official X account. Both the SEC and Gary Gensler later clarified in a subsequent tweet that the @SECGov X account had been compromised, emphasizing that no approval had been granted for spot bitcoin exchange-traded products.
Further investigation by X revealed that the compromise was not due to any breach of X’s systems but rather a case of an unidentified individual gaining control over a phone number associated with the @SECGov account through a third party. Notably, the compromised account lacked two-factor authentication at the time.
Finally, a few hours ago, the SEC officially published Record No. 34-99306 on its website, formally approving Spot Bitcoin ETFs, and Gary Gensler concurrently released an official statement, marking the historic and authorized approval of the Spot Bitcoin ETFs.
Key Takeaways and Global Regulatory Implications
The recent events surrounding the approval of Spot Bitcoin ETFs offer several crucial insights with potential global regulatory impacts.
1. Emphasis on Cybersecurity: The foremost lesson from this rollercoaster ride is the critical importance of cybersecurity. Regardless of whether the compromise originated internally or from an external third party, this incident underscores the paramount need for robust cybersecurity measures. In the digital age, any compromise can lead to irreparable damage to a company, the market, and, significantly, the organization's reputation. It serves as a stark reminder that investing in cybersecurity is not just prudent but imperative in safeguarding against unforeseen challenges.
2. Verification of Official Announcements: The second takeaway revolves around the necessity to verify the source of official announcements diligently. The unauthorized tweet from the SEC's compromised account highlights the vulnerability of relying solely on social media for crucial information. Legal due diligence demands a thorough examination of official legal sources, including but not limited to websites and supporting materials. Organizations and individuals alike should exercise caution, and when in doubt, consult legal advisors to verify the authenticity of information disseminated through unofficial channels.
3. Global Regulatory Shift: With the official approval of Spot Bitcoin ETFs by the SEC, a potential paradigm shift in the global regulatory landscape for digital assets is imminent. This positive development suggests that other countries may follow suit in embracing similar regulatory approaches to cryptocurrencies, stablecoins, and NFTs.
Conclusion
In conclusion, the approval of Spot Bitcoin ETFs by the US SEC has not only marked a significant milestone for cryptocurrency enthusiasts but has also triggered a cascade of lessons and considerations for organizations, regulators, and investors alike in navigating the dynamic intersection of finance and technology on a global scale. Organizations are advised to stay vigilant, collaborate with legal advisors, and actively engage with regulators as local frameworks adapt to the evolving global regulatory landscape.
For comprehensive guidance and legal insights regarding the dynamic landscape of cryptocurrency and/or Fintech, our team of experts is ready to assist you. Feel free to reach out to us for further assistance and a tailored approach to navigating the complexities of this decentralized future. We look forward to being your trusted partner on this transformative journey.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
9 January 2024
The European Union Artificial Intelligence Act - Should Artificial Intelligence Be Regulated?
After the European Union Artificial Intelligence Act (the “EU AI Act”) was proposed by the European Commission in 2021, the European Parliament and Council finally reached a provisional agreement on the final version of the EU AI Act on 9 December 2023. The final text of the EU AI Act will go through technical review and refinements before being released to the public. From the European Parliament’s press releases however, one can have some preliminary idea of the general scope of the EU AI Act.
Should Artificial Intelligence be Regulated?
The EU AI Act is often touted as a “global first” legal framework for the regulation of artificial intelligence (“AI”) with clear rules for its usage. This definitely begs the question “Should AI be regulated?”. Consensus reached on this question seems to be skewed largely towards a “YES”, when even the industry players, the technology companies and the developers of AI themselves are calling for regulation, or at least some industry standards as to the ethical and safe development of AI. The reasoning for regulation goes beyond doomsayers’ fear of AI potentially dominating humanity or even destroying it, like what we saw in The Terminator franchise. What is actually driving the call for regulation is much more imminent – ethical concerns as well as safety and security reasons. Depending on the data sets used to train an AI model, its usage may cause discrimination against marginalised groups of people (e.g., rating a person with darker skin tone as being more likely to default on a loan, or a facial recognition AI model that cannot recognise certain skin tones as well as it does others). Inappropriate usage of AI may also cause the spread of misinformation and disinformation or wrongful arrest of suspects by law enforcement. In the face of these imminent threats of AI, regulation seems necessary to provide a guardrail in ensuring the development of ethical and safe AI, which is what the EU AI Act sets out to achieve.
The EU AI Act: A friend or a foe?
Regulations on AI must be delicately crafted – too stringent, it may become a stranglehold that stifles innovation and development; too loose, it may become a stingless bee. The EU AI Act’s solution to a balance in regulation can be seen in its risk-based approach to AI. To start with, the EU AI Act seems to adopt a neutral and broad definition of “AI systems” that is aligned with what was proposed by the Organisation for Economic Co-Operation and Development: “A machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments”. Within this definition of AI systems, AI is further categorised based on the risk level the AI system poses: (i) minimal / no risk (e.g., AI-enabled recommender systems in Netflix and Instagram); (ii) limited risk (e.g., simple chatbots and AI-enabled sorting systems); (iii) high risk (e.g., AI-enabled medical devices, AI for law enforcement purposes, etc.); and (iv) unacceptable risk (predictive policing AI, AI that processes sensitive personal information such as sexual orientation, political and religious beliefs). Depending on the category of the AI systems, they are subject to different levels of scrutiny. The AI systems with the highest level of risk are banned outright; those with acceptable and manageable risks are subject to a high level of oversight and reporting requirements; while those with low to minimal risks are given a free pass or are subject only to simple obligations to at least inform their users that they are dealing with AI-generated content. The EU AI Act also seeks to impose additional obligations in respect of “general purpose AI systems” (“GPAI”) – AI systems that have a wide range of possible uses, both intended and unintended by the developers (think ChatGPT, Dall-E, Bing AI, PaLM).
Deployers or providers of these GPAI may be required to conduct risk evaluation of the AI systems before launch, disclose the source of the training data set, monitor and report on energy efficiency, conduct red teaming, etc. These additional guardrails on GPAI appear to seek to prevent unauthorised exploitation of third-party works that have been made available online, minimise unintended usage of the GPAI, and address ESG concerns posed by the proliferation of large language models.
Scope of Applicability of EU AI Act
Based on the version of the EU AI Act that was proposed by the European Commission back in 2021, the EU AI Act was intended to have an extraterritorial application. In addition to users and providers of AI systems who are based in the European Union, providers and users of AI systems that are based outside of the EU, but whose AI systems produce output that is used in the EU, are also subject to the EU AI Act. If this scope of the EU AI Act in the proposal draft makes its way to the final text, the EU AI Act will have an overarching reach and as long as an AI system is to be used in the EU, compliance with the EU AI Act will be compulsory. Failure to comply with the EU AI Act may attract fines based on a certain percentage of the violator’s global annual turnover.
Conclusion
As one of the first (if not the first) comprehensive regulations on AI, the EU AI Act will likely become the model of similar regulations in many other countries and influence how the rest of the countries around the world shape their AI legal framework. Deployers and builders of AI systems outside of the EU will definitely be paying close attention to the implementation and enforcement of the EU AI Act in the EU. We would even recommend that the deployers and builders of AI systems outside of the EU benchmark their AI models and practices against the EU AI Act, in anticipation of similar rules being drawn up closer to home.
There is no doubt that AI is a powerful tool with wide ranging possibilities of applications in our daily lives. It can affect our social behaviour, determine which candidates get hired, improve accessibility to medical treatment, and impact human lives in many other ways. Like it or not, the technology is here to stay. To ensure the ethical and safe development of the technology, regulation is inevitable. Industry players should not see regulation as a force against innovation, but rather a guardrail to foster and nurture sustainable growth of the technology to maximise its potential for the betterment of humankind. To better understand the regulatory landscape in relation to AI, or if you need legal assistance in adopting or deploying AI in your organisations, our team of experts is ready to help. Feel free to reach out to us for further information or to schedule a discussion. We look forward to being your trusted partner on your digital transformation journey.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the authors
Lo Khai Yi, Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
Ong Johnson, Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
2 January 2024
Understanding Spot Bitcoin ETF and Its Potential
In the midst of the ongoing crypto winter, characterized by disillusionment and skepticism in the cryptocurrency market, a potential game-changer emerges: the Spot Bitcoin ETF. As we progress through the crypto winter in 2022 and 2023, the prospect of Spot Bitcoin ETF gaining approval in the United States has sparked renewed interest in the crypto space. This article delves into what Spot Bitcoin ETF entails, its key differentiators from Bitcoin Futures ETFs, and the potential impact of its approval on the broader regulatory landscape.
Spot Bitcoin ETF vs. Bitcoin Futures ETF
Spot Bitcoin ETF operates akin to traditional Exchange-Traded Funds (ETFs), with a crucial distinction: the underlying asset is Bitcoin. However, to fully understand the "spot" designation, it is essential to contrast Spot Bitcoin ETF with Bitcoin Futures ETF; while both involve Bitcoin, their operational mechanisms diverge significantly. Spot Bitcoin ETFs denote direct ownership and exposure to Bitcoins, which are securely stored in digital vaults. In contrast, Bitcoin Futures ETFs derive their value from Bitcoin futures contracts, introducing complexities like contango and backwardation. Contango is a futures market occurrence marked by futures contract prices rising above spot prices, whereas backwardation is when the current price of an underlying asset is higher than prices trading in the futures market. Investors choosing Bitcoin Futures ETFs may exploit market nuances, but those seeking direct correlation with Bitcoin's market price movement will opt for Spot Bitcoin ETFs.
Advantages of Spot Bitcoin ETF
The key question then arises: Why invest in Spot Bitcoin ETF when one can directly purchase Bitcoin from the market?
“Convenience” emerges as a compelling answer for one to opt for Spot Bitcoin ETFs – Spot Bitcoin ETFs offer a hassle-free alternative to managing wallets, navigating crypto exchanges, and safeguarding private keys, rendering it easier for adoption by traders accustomed to conventional trading. Investors can gain exposure to Bitcoin's price movements without operational intricacies by simply paying management fees and brokerage commissions, making it an appealing option for those prioritizing ease of access. However, it is equally crucial to consider potential limitations compared to direct ownership, including counterparty risk, lack of control over private keys, and other fees involved. Concentrating a large amount of the underlying asset (Bitcoin, in this case) in one digital vault may also make it a high-value target for cybercriminals.
Current Status and Implications
As of the time of writing, Spot Bitcoin ETF approval in the United States is still pending SEC review, while attracting applications from reputable global issuers like BlackRock, Ark Investment, WisdomTree, Invesco, and VanEck. Even though the outcome remains uncertain, industry players and all regulators around the globe are closely monitoring this development, as the approval of Spot Bitcoin ETFs could reshape the global regulatory landscape, signifying stronger recognition for Bitcoin and other cryptocurrencies, potentially leading to increased institutional investment and thereby shoring up trading activities in general as well.
Conclusion
In conclusion, the evolving landscape of Spot Bitcoin ETFs presents both challenges and opportunities for investors.
While awaiting regulatory approval in the United States, industry participants, especially those in the financial sector, are advised to closely observe, strategize and prepare for potential shifts in the regulatory framework to leverage the advantages offered by Spot Bitcoin ETFs as and when its approval comes through, as it could mark the beginning of a new era in cryptocurrency investment. The key lies in staying informed, adaptable, and proactive in navigating the evolving cryptocurrency ecosystem. For comprehensive guidance and legal insights regarding the dynamic landscape of cryptocurrency and/or Fintech, our team of experts is ready to assist you. Feel free to reach out to us for further assistance and a tailored approach to navigating the complexities of this decentralized future. We look forward to being your trusted partner on this transformative journey.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the authors
Ong Johnson, Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
Lo Khai Yi, Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my
15 December 2023
Key Amendments to Restructuring and Insolvency
In a significant move to refine corporate governance, the Companies (Amendment) Bill 2023, recently passed by both Houses of Parliament, signals a transformative shift in the corporate landscape. This Bill, aligning Malaysia with global standards, introduces comprehensive changes aimed at enhancing transparency, simplifying restructuring processes, and strengthening insolvency frameworks. Such reforms are not just legislative updates but strategic steps towards fostering a resilient and investor-friendly business environment in Malaysia.
In this article we explore the key highlights of the Bill, which is set to introduce various changes to the laws of restructuring and insolvency.
1. Enhanced Restraining Order
Section 368(1A) introduces an immediate moratorium period which takes effect upon filing of an application for restraining order, up to two (2) months or until the application is decided by the Court, whichever is earlier.
Section 368(3A) provides protections to a company with the effect to prevent or discontinue actions taken against the company such as winding up proceedings, appointment of receiver, execution process, etc.
Section 368(3B) disallows granting of further restraining order to a company if an order under Sections 368(1), 368B, 368D or 369C has been granted to a company or its related company under Section 368A, in the preceding 12 months. This amendment seeks to prevent abuse of process which might prejudice the rights of members and creditors.
Section 368A allows a related company to apply for a restraining order if the related company plays an integral role in a proposed scheme of arrangement.
2. Cross-class Cram down
Section 368D empowers the Court to cram down on a class of creditors if it is satisfied that the dissenting class of creditors are not prejudiced when approving a scheme of arrangement.
Under Section 368D(2) and Section 368D(3), the Court may make an order to approve the scheme of arrangement and order that the company and all classes of creditors concerned shall be bound by the scheme, provided that:
(a) a majority of 75% of the total value of creditors or class of creditors present and voting either in person or by proxy at the relevant meeting have agreed to the scheme; and
(b) the Court is satisfied that the scheme does not discriminate unfairly between two or more classes of creditors and is fair and equitable to the dissenting class.
Section 368D(4) sets out the conditions of what is fair and equitable to a dissenting class.
3. Approval of Scheme without Meeting of Creditors
Section 369C empowers the Court to issue an order to approve a proposed scheme of arrangement even without a meeting of creditors if it is satisfied that the creditors would have agreed to such scheme had the meeting of creditors been convened.
Under Section 369C(3), the Court may approve a scheme in a fast-tracked manner if:
(a) the company has provided the creditors with an explanatory statement which contains the information stipulated under Section 369C(3)(a) and Section 369C(6); and
(b) the Court is satisfied that, had a meeting of creditors been summoned, the scheme would have been agreed by a majority of 75% of the total value of creditors under Section 366(3).
4. Super Priority Rescue Financing
Section 368B and Section 415A introduce super priority rescue financing for a company in a scheme of arrangement and under judicial management, under which rescue financing is given greater priority ranking in the event of a winding up. A company may make an application to the Court for the following orders:
Section 368B(1)(a) & Section 415A(1)(a): An order that the debt arising from any rescue financing obtained by the company shall be paid immediately after costs and expenses of winding up [pursuant to Section 527(1)(a)] are paid. This “super priority debt” is to have priority above all other unsecured debts referred to in Sections 527(1)(b) to (f).
Section 368B(1)(b) & Section 415A(1)(b): An order to secure debt arising from any rescue financing by the creation of security interest over unsecured assets.
Section 368B(1)(c) & Section 415A(1)(c): An order to secure debt arising from any rescue financing by the creation of security interest of the same priority or a higher priority over existing security interest. This order is subject to the protection of the interests of existing security interest holder.
5. Procedure for Schemes of Arrangement
Section 368(1A) provides that all meetings held pursuant to an order of the Court under Section 366 shall be chaired either by an insolvency practitioner or a person elected by the majority in value of the creditors or members.
Section 369A empowers the Court to order a company to hold another meeting of the creditors or class of creditors to revote on the compromise or arrangement subject to such terms as the Court thinks fit.
Section 369B requires creditors to file proof of debt with the company, and provides for the period within which the proof is to be filed, in order to allow them to vote in the meeting to consider the proposed scheme or arrangement.
Section 369D empowers the Court to clarify the terms of a scheme of arrangement which has been approved, upon an application by the company or a creditor bound by the scheme.
6. Insolvency Practitioner in Schemes of Arrangement
Section 367(3) makes it mandatory for the Court to appoint an insolvency practitioner for the company in cases where:
(a) the company makes an application under Sections 368B (super priority rescue financing), 368D (cram down), or 369C (approval of scheme without meeting); or
(b) a related company applies for a restraining order under Section 368A.
7. Wider Application of Corporate Voluntary Arrangement and Judicial Management
Section 395 has narrowed the exclusions so that only companies which are approved and registered under the following are excluded:
(a) The Central Bank of Malaysia.
(b) Certain parts of the Capital Markets and Services Act 2007 (Act 671).
(c) Securities Industry (Central Depositories) Act 1991 (Act 453).
This amendment extends the application of the CVA to all companies including companies which have created a charge over their property or undertaking.
Section 403 allows wider application of judicial management including certain public listed companies.
8. Extension of Judicial Management
Section 406 allows a judicial management order to be extended for a period of six (6) months or longer as the Court may allow.
9. Protection for Essential Goods and Services
Under Section 430(2), a supplier who wishes to exercise his rights pursuant to an insolvency related clause in a contract shall communicate his intention to do so to the company in writing at least thirty (30) days before exercising his rights under the insolvency related clause. Subject to the above, any insolvency related clause under any contract for the supply of essential goods and services shall not be exercised against any company.
The Ninth A Schedule lists the types of essential goods and services under Section 430:
- Supply of water
- Supply of electricity
- Supply of gas
- Point of sales terminals
- Computer software and hardware
- Information, advice and technical assistance in connection with the use of IT
- Data storage and processing
- Website hosting
Please do not hesitate to get in touch with the authors of the article and / or the firm if you have any queries on the amendments.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the authors
Lum Man Chan, Partner
Dispute Resolution, Employment, Liquidation & Restructuring, Regulatory & Corporate Compliance
Halim Hong & Quek
manchan@hhq.com.my
Chew Jin Heng, Associate
Arbitration & Adjudication, Debt Recovery and General Litigation, Construction Disputes, Contractual Disputes, Land Disputes, Family Law
Halim Hong & Quek
jhchew@hhq.com.my
17 July 2023
Federal Court rejects Purchaser's leave application to appeal on issue of "ready for connection"
INTRODUCTION
On 22.6.2023, the Federal Court in the case of Govindan Kumar A/L Muniandy & Anor v Eco Green City Sdn Bhd [Civil Application No.: 08(f)-521-11/2022(B)] unanimously dismissed the Purchaser’s application for leave to appeal to the Federal Court against the Court of Appeal’s decision dated 17.10.2022 [Civil Appeal No.: B-01(A)-467-09/2020], which held that the phrase “ready for connection” found in the Sale and Purchase Agreement (Schedule G) entered between the Developer and Purchaser shall be interpreted to mean that the electrical points and water fittings and fixtures have been installed and supply is available for tapping i.e. ready for connection of supply, and does not mean that supply is actually connected.
The Developer, Eco Green City Sdn Bhd was represented by our partner, Ankit R Sanghvi and our associate, Chew Jin Heng.
FACTS
On 28.10.2015, the Developer and the Purchaser entered into a Sale and Purchase Agreement for the purchase of the Property for a purchase price of RM663,800.00 (“SPA”).
The SPA (Schedule G) is prescribed under the Housing Development (Control and Licensing) Regulations 1989 (“HDR”) and Housing Development (Control and Licensing) Act 1966 (“HDA”).
Pursuant to Clause 22 of the SPA, vacant possession of the Property is to be delivered to the Purchaser in the manner stipulated in Clause 23 within 36 months from the date of the SPA. Liquidated damages (“LD”) shall be calculated from day to day at the rate of 10% per annum of the purchase price, from the expiry date of the delivery of vacant possession until the date the Purchaser takes vacant possession of the Property.
Clause 23 of the SPA reads:
(1) The Vendor [Developer] shall let the Purchaser into possession of the said Property upon the following:
(a) …
(b) water and electricity supply are ready for connection to the said Building;
Clause 31 (e) of the SPA reads:
“ready for connection” means electrical points and water fittings and fixtures have been installed by the Vendor [Developer] and tested and commissioned by the Appropriate Authority or its authorised agent and supply is available for tapping into individual building units;
Time for the delivery of vacant possession of the Property was 36 months, which started from 28.10.2015 and ended on 27.10.2018.
Notice of delivery of vacant possession of the Property was issued on 15.11.2018 by the Developer to the Purchaser.
The electricity meter of the Property was installed on 6.3.2019.
TRIBUNAL
On 12.3.2019, the Purchaser filed a claim in the Tribunal against the Developer for LD.
On 2.5.2019, the Tribunal decided in favour of the Purchaser and awarded LD in the sum of RM23,642.19, calculated from 27.10.2018 to 6.3.2019 (date of installation of electricity meter) (“Award”).
HIGH COURT
On 26.7.2019, the Developer filed a judicial review application to seek an order of certiorari to quash the Tribunal’s Award. On 19.8.2020, the High Court in Eco Green City Sdn Bhd v Tribunal Tuntutan Pembeli Rumah & Anor [2020] MLJU 1670 allowed the judicial review and held that:
(1) Vacant possession of the Property was delivered on 5.2018 upon the issuance of the notice. Therefore, LD shall be calculated from 27.10.2018 to 11.5.2018 (date the notice of vacant possession of the Property was issued).
(2) The Tribunal had committed an error in law by concluding that vacant possession was delivered when the electricity meter was installed.
(3) The Tribunal failed to give effect to the clear and unambiguous provision in the SPA, and over-stretched the meaning of the words “ready for connection”.
COURT OF APPEAL
Aggrieved by the decision of the High Court, the Purchaser appealed to the Court of Appeal for the determination of one principal issue – What is the correct cut-off date for the calculation of LD i.e. (a) date the notice of vacant possession of the Property was issued; or (b) date of installation of electricity meter.
On 17.10.2022, the Court of Appeal unanimously dismissed the Purchaser’s appeal and upheld the High Court’s decision.
The Court of Appeal held that:
(1) “Ready for connection” does not mean that the unit in question must be installed with actual supply and it does not require actual connection.
(2) There is no such requirement for meter installation by the Developer in Clause 31(e). This provision only compels the Developer to install the electrical points, and not the electrical meters.
FEDERAL COURT
On 16.11.2022, the Purchaser filed a leave application to appeal to the Federal Court against the Court of Appeal’s decision.
The Purchaser relied on the Federal Court’s recent decision in the case of Remeggious Krishnan v SKS Southern Sdn Bhd (formerly known as MB Builders Sdn Bhd) [2023] 3 MLJ 1 which made a finding on the interpretation of “ready for connection” under the statutory agreement (Schedule H) prescribed under the HDR and HDA.
During the hearing before the Federal Court on 22.6.2023, the Developer submitted that the case of SKS Southern is distinguishable from the facts in this case:
(1) Unlike the developer in SKS Southern that made an application to Tenaga Nasional Berhad (“TNB”) after vacant possession was delivered, the Developer in this case made an application to TNB 3 months BEFORE vacant possession was delivered to the Purchaser. Therefore, the Developer in this case had carried out its obligation to ensure the property was “ready for connection” before the notice of vacant possession was issued.
(2) The developer in SKS Southern was early and delivered vacant possession of the property before the expiry of the time to do so. However, the developer was found to be liable for “compensatory damages” due to its breach on the manner of delivery of vacant possession.
(3) This is different from the facts in this case, as the Purchaser in this case is claiming additional liquidated damages due to the late installation of the electricity meter after vacant possession was already delivered.
After hearing the submissions from both parties, the Federal Court unanimously dismissed the Purchaser’s application for leave with costs of RM30,000.00, as the questions posed by the Purchaser did not meet the threshold and requirements for leave to be granted under Section 96 of the Courts of Judicature Act 1964.
COMMENTS
With the decision of the Federal Court, the decision of the Court of Appeal dated 17.10.2022 remains final. The cut-off date for the calculation of LD shall be the date the notice of vacant possession of the Property was issued, NOT the date of installation of the electricity meter.
However, it is important to highlight that since the Purchaser’s leave application was dismissed, the Federal Court did not make any findings or delve into the issues and merits of this case, including the interpretation of the phrase “ready for connection”.
As such, the Federal Court’s decision in SKS Southern remains the leading authority and law on the phrase “ready for connection” in relation to the supply of electricity and water, which is present in all the SPAs (Schedules G, H, I & J) prescribed under the HDR and HDA. This decision, much to the dismay of developers, appears to place a new added burden on developers to ensure that there is actual supply of water and electricity to the property in question at the point of time the notice for delivery of vacant possession is given. Failure to ensure the same would result in the delivery of vacant possession being deemed invalid, and a developer similarly circumstanced would be exposed to compensatory damages, even if the developer actually delivered the notice for delivery of vacant possession within the prescribed time permitted under the SPA in question.
Please do not hesitate to get in touch with the authors of the article and/or the firm if you have any queries on how this recent decision may impact your business or if you require legal advice on this issue.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the author
Ankit R Sanghvi
Partner
Arbitration & Adjudication, Asset & Debt Recovery, Banking Litigation, Commercial & Corporate Litigation, Insurance Law, Land Law Litigation, Liquidation & Insolvency, Tort & Negligence
Halim Hong & Quek
ankit.sanghvi@hhq.com.my
Chew Jin Heng
Associate
Arbitration & Adjudication, Debt Recovery & General Litigation, Construction Disputes, Contractual Disputes, Land Disputes, Family Law
Halim Hong & Quek
jhchew@hhq.com.my
16 March 2023
The Real Estate Law Review: Malaysia
A person owns real estate by registering his or her ownership or interest in the issue document of title. Generally, there are two types of real estate ownership, which can be categorised according to their respective land tenure, namely leasehold and freehold.
A freehold title vests ownership of real estate in perpetuity for an indefinite period within the bounds of Malaysian law. On the other hand, a leasehold title vests the right to real estate for a term not exceeding 99 years.
Commonly granted leasehold tenures are for a period of 30 years, 60 years or 99 years, depending on the state authority's policies then in place. A leasehold title may require a lengthier process to acquire and dispose of as compared to a freehold title, as the state authority's consent is usually required prior to the title registration.
Leasehold tenures are mostly renewable with payment of a premium to the state authority. As such, generally, the transaction price of freehold real estate is higher as compared to leasehold real estate due to the land tenure and the conditions on the title required prior to real estate acquisition and disposal.
In Malaysia, we have adopted the Torrens System for a record of ownership and dealings of real estate. Under the Torrens System, registration of title is everything and the indefeasibility of title is guaranteed to the proprietor whose name is registered on the document of title.
The Torrens System allows a proprietor to hold the document of title officially issued by the land authority, with the details accurately described via a proper land survey. The boundaries and exact size of the property will be marked on a plan attached together with the document of title.
The registration of all dealings is done via the statutory forms prescribed under the National Land Code. Consequently, any person who wishes to look for the details of a title, including the ownership, may conduct searches through the respective local land office.
24 August 2022
Amendments to the Employment Act of Malaysia
BACKGROUND
All eyes are on the Employment (Amendment) Act 2022 (“Amendment Act”) and the Employment (Amendment of First Schedule) Order 2022 (“Amendment Order”) which will be in force from 1 September 2022 to amend the Employment Act 1955 (“Employment Act”).
The Employment Act (as amended by the Amendment Act and the Amendment Order) is only applicable to Peninsular Malaysia (being the states of Johore, Kedah, Kelantan, Malacca, Negeri Sembilan, Pahang, Perak, Perlis, Selangor and Terengganu and the Federal Territory of Kuala Lumpur and Putrajaya[1]) and Labuan, excluding Sabah and Sarawak which are governed by separate laws.
WHAT ARE THE KEY AMENDMENTS MADE TO THE EMPLOYMENT ACT?
(1) The Employment Act will apply to all employees regardless of their monthly wages subject to certain exceptions
The Employment Act will apply to all employees regardless of their monthly wages, except that the following provisions will not apply to employees whose monthly wages exceed RM4,000:
(a) Section 60(3) of the Employment Act which provides the rates of payment to employees who are required to work during their rest days;
(b) Section 60A(3) of the Employment Act which provides the rate of payment to employees who work overtime during a normal working day;
(c) Section 60C(2A) of the Employment Act which gives the power to the Minister of Human Resource to make regulations relating to the entitlement of allowance during the employees’ shift work;
(d) Section 60D(3) of the Employment Act which provides the rates of payment to employees who are required to work during a public holiday;
(e) Section 60D(4) of the Employment Act which provides that if any holiday falls on a half working day, the ordinary rate of pay shall be that of a full working day; and
(f) Section 60J of the Employment Act which provides for termination, lay-off and retirement benefits[2].
“wages” means basic wages and all other payments in cash payable to an employee for work done in respect of his contract of service but does not include:
(a) the value of any house accommodation or the supply of any food, fuel, light or water or medical attendance, or of any approved amenity or approved service;
(b) any contribution paid by the employer on his own account to any pension fund, provident fund, superannuation scheme, retrenchment, termination, lay-off or retirement scheme, thrift scheme or any other fund or scheme established for the benefit or welfare of the employee;
(c) any travelling allowance or the value of any travelling concession;
(d) any sum payable to the employee to defray special expenses entailed on him by the nature of his employment;
(e) any gratuity payable on discharge or retirement;
(f) any annual bonus or any part of any annual bonus; or
(g) any payment by way of commission, subsistence allowance and overtime payment[3].
(2) Paid Maternity Leave will be increased
Paid maternity leave will be increased from 60 days to 98 days[4].
What happens if employers fail to comply?
Any employer who terminates the service of a female employee during the period in which she is entitled to maternity leave commits an offence provided that such termination shall not include termination on the ground of closure of the employer's business[5].
Any employer who fails to grant maternity leave to a female employee commits an offence, and shall also on conviction, be ordered by the court before which he is convicted to pay the female employee the maternity allowance to which she may be entitled in respect of every day on which the female employee had worked during the eligible period, the payment so ordered being in addition to the wages payable to her, and the amount of maternity allowance so ordered by the court to be paid shall be recoverable as if it were a fine imposed by such court[6].
Further, any condition in a contract of service whereby a female employee relinquishes or is deemed to relinquish any right under Part IX of the Employment Act (which includes the paid maternity leave above) shall be void and of no effect and the right conferred thereunder shall be deemed to be substituted for such condition[7].
Please also refer to the implications highlighted in the conclusion section below.
(3) Termination of Pregnant Female Employee because of Her Pregnancy or Illness arising out of Pregnancy will be prohibited
Where a female employee is pregnant or is suffering from an illness arising out of her pregnancy, it shall be an offence for her employer to terminate her services or give her notice of termination of service, except on the grounds of:
(a) wilful breach of a condition of the contract of service;
(b) misconduct; or
(c) closure of the employer's business.
Where the service of a female employee above is terminated, the burden of proving that such termination is not on the ground of her pregnancy or on the ground of illness arising out of her pregnancy, shall rest on the employer[8].
What happens if employers fail to comply?
Any condition in a contract of service whereby a female employee relinquishes or is deemed to relinquish any right under Part IX of the Employment Act (which includes the termination of pregnant female employees due to her pregnancy or illness arising out of her pregnancy above) shall be void and of no effect and the right conferred thereunder shall be deemed to be substituted for such condition[9].
Please also refer to the implications highlighted in the conclusion section below.
(4) Weekly Working Hours will be reduced
The weekly working hours of an employee will be reduced from 48 hours in one week to 45 hours in one week[10].
Overtime rates (at least one and half times the employee’s hourly rate) will therefore be charged for any hours in excess of the revised total 45 hours per week[11]. Please note that overtime rates will not apply to employees whose monthly wages exceed RM4,000.
What happens if employers fail to comply?
Any employer who fails to pay to any of his employees any overtime wages as provided under the Employment Act or any subsidiary legislation made thereunder commits an offence, and shall also, on conviction, be ordered by the court before which he is convicted to pay to the employee concerned the overtime wages due, and the amount of overtime wages so ordered by the court to be paid shall be recoverable as if it were a fine imposed by such court[12].
Please also refer to the implications highlighted in the conclusion section below.
(5) Paid Sick Leave (when hospitalisation is not necessary) will be excluded when using 60 days of Paid Hospitalisation Leave
Employees will not be required to use any of their paid sick leave entitlement (when hospitalisation is not necessary) when using their 60 days of paid hospitalisation leave in each calendar year[13].
The paid sick leave (when hospitalisation is not necessary) in each calendar year under the Employment Act depends on the length of service as follows:
(a) 14 days if the employee has been employed for less than 2 years;
(b) 18 days if the employee has been employed for 2 years or more but less than 5 years; or
(c) 22 days if the employee has been employed for 5 years or more[14].
What happens if employers fail to comply?
Any employer who fails to grant sick leave, or fails to pay sick leave pay, to any of his employees, commits an offence, and shall also, on conviction, be ordered by the court before which he is convicted to pay to the employee concerned the sick leave pay for every day of such sick leave at the rate provided under the Employment Act, and the amount so ordered by the court to be paid shall be recoverable as if it were a fine imposed by such court[15].
Please also refer to the implications highlighted in the conclusion section below.
(6) Paid paternity leave of 7 consecutive days per confinement limited to 5 confinements will be introduced
A married male employee will have the right to 7 consecutive days of paid paternity leave per confinement up to a maximum of 5 confinements irrespective of the number of spouses. To qualify for such paternity leave, a married male employee is required to fulfil the following requirements:
(a) he has been employed by the same employer at least 12 months immediately before the commencement of such paternity leave; and
(b) he has notified his employer of the pregnancy of his spouse at least 30 days prior to the expected confinement or as early as possible after the birth[16].
What happens if employers fail to comply?
Please refer to the implications highlighted in the conclusion section below.
(7) Employers to obtain prior approval from the Director General of Labour before employing foreign employees
Employers shall obtain the prior approval from the Director General of Labour before employing foreign employees.
An application for the approval shall be made in the form and manner as may be determined by the Director General of Labour.
Upon approval of the Director General of Labour, an employer shall, within 14 days from the date of the employment of a foreign employee, furnish the Director General of Labour with the particulars relating to the foreign employee in such manner as the Director General of Labour may direct.
The Director General of Labour may, subject to any written law, approve an application if the employer complies with the following conditions:
(a) the employer satisfies the Director General of Labour that on the date on which he makes the application:
(i) he has no outstanding matter relating to any decision, order or directive issued under the Employment Act; or
(ii) he has no outstanding matter or case relating to any conviction for any offence under the Employment Act, the Employees' Social Security Act 1969, the Employees' Minimum Standards of Housing, Accommodations and Amenities Act 1990 or the National Wages Consultative Council Act 2011; or
(b) the employer has not been convicted of any offence under any written law in relation to anti-trafficking in persons and forced labour[17].
What happens if employers fail to comply?
Employers who contravene this requirement commit an offence and shall, on conviction, be liable to a fine not exceeding RM100,000 and/or 5 years' imprisonment[18].
Please also refer to the implications highlighted in the conclusion section below.
(8) Employers to inform the Director General of Labour of the Termination of Employment of Foreign Employees
If the service of a foreign employee is terminated:
(a) by his employer;
(b) by reason of the expiry of the employment pass issued by the Immigration Department of Malaysia to the foreign employee; or
(c) by reason of the repatriation or deportation of the foreign employee,
the employer shall, within 30 days of the termination of service, inform the Director General of Labour of the termination in the manner as may be determined by the Director General of Labour.
On the other hand, if a foreign employee terminates his service or absconds from his place of employment, the employer shall, within 14 days of the termination of service or after the foreign employee's absence, inform the Director General of Labour in the manner as may be determined by the Director General of Labour[19].
What happens if employers fail to comply?
Please refer to the implications highlighted in the conclusion section below.
(9) Flexible Working Arrangement (subject to the discretion of the Employers) will be introduced
Employees can apply to their employers for a flexible working arrangement to vary the hours of work, days of work or place of work in relation to their employment.
Where there is a collective agreement, any application made by the employee above shall be consistent with the terms and conditions in the collective agreement[20].
Further, the employee shall make an application for flexible working arrangement above in writing and in the form and manner as may be determined by the Director General of Labour.
Upon the application, an employer shall, within 60 days from the date such application is received, approve or refuse the application.
The employer shall inform the employee in writing of the employer's approval or refusal of the application above and in the case of a refusal, the employer shall state the ground of such refusal[21].
What happens if employers fail to comply?
Please refer to the implications highlighted in the conclusion section below.
(10) Director General of Labour has the power to inquire on Complaints relating to Discrimination
The Director General of Labour is given the power to inquire into and decide any dispute between an employee and his employer in respect of any matter relating to discrimination in employment, and the Director General of Labour may, pursuant to such decision, make an order[22].
What amounts to “discrimination” is however not provided for in the Employment Act.
What happens if employers fail to comply?
Employers who fail to comply with the Director General of Labour’s order commit an offence and shall on conviction, be liable to a fine not exceeding RM50,000 and for continuing offence, a daily fine not exceeding RM1,000 for each day the offence continues[23].
Please also refer to the implications highlighted in the conclusion section below.
(11) Exhibit of Notice of Sexual Harassment at the Workplace
Employers must exhibit conspicuously a notice to raise awareness on sexual harassment at the workplace[24].
What happens if employers fail to comply?
Please refer to the implications highlighted in the conclusion section below.
(12) Prohibition of Forced Labour
Any employer is prohibited from forced labour, i.e. threatening, deceiving or forcing an employee to do any activity, service or work and preventing that employee from proceeding beyond the place or area where such activity, service or work is done[25].
What happens if employers fail to comply?
Employers shall commit an offence and shall, on conviction, be liable to a fine not exceeding RM100,000 or to imprisonment for a term not exceeding 2 years or to both[26].
Please refer to the implications highlighted in the conclusion section below.
Conclusion
It was reported that the Malaysian Employers Federation has urged the government to delay implementing the amendments to the Employment Act 1955 from 1 September 2022, which it estimates will cost employers nationwide an extra RM110.99 billion per year, derived from the following:
(a) increase in overtime costs to RM4,000 per month from RM2,000 (RM80.87 billion);
(b) reduction of hours of work to 45 hours per week, from 48 hours (RM26.88 billion);
(c) increase in maternity leave to 98 days, from 60 days (RM2.97 billion); and
(d) paternity leave of seven continuous days per birth (RM275 million).[27]
With the above Amendment Act and Amendment Order that are going to bring about more protection and advantages for the employees with effect from 1 September 2022, all employers should get themselves prepared and consider engaging their lawyers to review their existing employment contracts and employment handbook/policies to ensure that they comply with the Employment Act taking into account that:
(a) Any term or condition of a contract of service or of an agreement, whether such contract or agreement was entered into before or after the coming into force of the Employment Act, which provides a term or condition of service which is less favourable to an employee than a term or condition of service prescribed by the Employment Act or any regulations, order or other subsidiary legislation whatsoever made thereunder shall be void and of no effect to that extent and the more favourable provisions of the Employment Act or any regulations, order or other subsidiary legislation whatsoever made thereunder shall be substituted therefor[28].
(b) Further, apart from the specific penalties highlighted above, any person who commits any offence under, or contravenes any provision of, the Employment Act, or any regulations, order, or other subsidiary legislation whatsoever made thereunder, in respect of which no penalty is provided, shall be liable, on conviction, to a fine not exceeding RM50,000[29].
(c) Where an offence under the Employment Act has been committed by, amongst others, a body corporate, any person who is a director, manager, or other similar officer of the body corporate at the time of the commission of the offence shall be deemed to have committed the offence and may be charged jointly or severally in the same proceedings as the body corporate[30].
(d) If any person fails to comply with any decision or order of the Director General of Labour pursuant to an enquiry, such person commits an offence and shall be liable, on conviction, to a fine not exceeding RM50,000; and shall also, in the case of a continuing offence, be liable to a daily fine not exceeding RM1,000 for each day the offence continues after conviction[31].
(e) Where an employer has been convicted of an offence relating to the payment of wages or any other payments payable to an employee under the Employment Act, the court before which he is convicted may order the employer to pay any payment due to the employee in relation to that offence. Where an employer fails to comply with an order, the court shall, on the application of the employee, issue a warrant to levy the employer's property for any payments due in the following manner:
(i) by way of distress and sale of employer's property in accordance with the same procedure of execution under the Rules of Court 2012 and this execution shall apply mutatis mutandis notwithstanding the amount in the order; or
(ii) in the same manner as a fine as provided under section 283 of the Criminal Procedure Code[32].
[1] Section 2 of the Employment Act and Section 3 of the Interpretation Acts 1948 and 1967.
[2] Section 2 of the Amendment Order (as incorporated in the First Schedule of the Employment Act).
[3] Section 2(1) of the Employment Act and First Schedule of the Employment Act.
[4] Section 12 of the Amendment Act (as incorporated in Section 37(1)(d)(ii) of the Employment Act).
[5] Section 37(4) of the Employment Act.
[6] Section 94 of the Employment Act.
[7] Section 43 of the Employment Act.
[8] Section 13 of the Amendment Act (as incorporated as a new Section 41A of the Employment Act).
[9] Section 43 of the Employment Act.
[10] Section 20 of the Amendment Act (as incorporated in Section 60A(1)(d) of the Employment Act).
[11] Section 60A(3) of the Employment Act.
[12] Section 100(2) of the Employment Act.
[13] Section 22 of the Amendment Act (as incorporated in Section 60(F)(1) of the Employment Act).
[14] Section 60(F)(1)(aa) of the Employment Act.
[15] Section 100(5) of the Employment Act.
[16] Section 23 of the Amendment Act (as incorporated as a new Section 60FA of the Employment Act).
[17] Section 24 of the Amendment Act (as incorporated as a new Section 60K of the Employment Act).
[18] Section 24 of the Amendment Act (as incorporated as a new Section 60K(5) of the Employment Act).
[19] Section 25 of the Amendment Act (as incorporated as a new Section 60KA of the Employment Act).
[20] Section 27 of the Amendment Act (as incorporated as a new Section 60P of the Employment Act).
[21] Section 27 of the Amendment Act (as incorporated as a new Section 60Q of the Employment Act).
[22] Section 30 of the Amendment Act (as incorporated as a new Section 60F of the Employment Act).
[23] Section 30 of the Amendment Act (as incorporated as a new Section 60F(2) of the Employment Act).
[24] Section 36 of the Amendment Act (as incorporated as a new Section 81H of the Employment Act).
[25] Section 41 of the Amendment Act (as incorporated as a new Section 90B of the Employment Act).
[26] Section 41 of the Amendment Act (as incorporated as a new Section 90B of the Employment Act).
[27] https://www.theedgemarkets.com/article/mef-urges-govt-delay-enforcing-employment-act-amendments-estimated-cost-rm111-bil-year
[28] Section 7 of the Employment Act.
[29] Section 99A of the Employment Act.
[30] Section 101B of the Employment Act.
[31] Section 69 of the Employment Act.
[32] Section 40 of the Amendment Act (as incorporated as a new Section 87A of the Employment Act).
About the Author
Maple Chieng Hea Fong
Partner
Halim Hong & Quek
maple.chieng@hhq.com.my
This article dated 19 August 2022 is contributed by Maple Chieng for general information/guidance only and is not meant to be exhaustive, and it is not a substitute for legal advice.