HHQ Empower

23 Jan 2024

Addressing Copyright Infringement and Challenges in AI Training

In this article, we highlight the overlooked risk of copyright infringement in the training process and offer best practices to safeguard against legal challenges.

Understand the Differences Between Cyber Security Incident Notification and Personal Data Breach Notification: A Strategic Guide for 2025

As the year draws to a close, legal, compliance, and regulatory teams are deep in preparations, strategy setting, and budgeting for 2025. In Malaysia, 2025 brings a series of significant regulatory shifts with the introduction of new compliance obligations, which will affect not only business operations externally but, more importantly, reshape internal processes within in-house legal departments.

Among these changes are two critical developments: the cyber security incident notification and personal data breach notification under the Cyber Security Act 2024 and the Personal Data Protection (Amendment) Act 2024. Both the Cyber Security Act 2024 and the Personal Data Protection (Amendment) Act 2024 have been gazetted and came into force this year. For in-house legal departments, understanding the differences between cyber security incident notifications and personal data breach notifications will be crucial in ensuring compliance and readiness moving forward.

However, many organizations are still grappling with understanding the distinctions between these two types of notifications—raising questions about which companies will be impacted and how they should respond. This article aims to clarify these differences and provide practical insights to help general counsels and legal teams align their compliance frameworks for 2025. We will explore 6 key aspects that will allow companies to better understand the nuances of cyber security incident notification and personal data breach notification and tailor their internal processes accordingly.

1. Are Cyber Security Incident Notification and Personal Data Breach Notification the Same?

At first glance, the two notifications may seem interchangeable, often lumped together under the broad term “data breaches.” However, they are distinct obligations governed by different legislations, with separate procedural and substantive requirements.

● Cyber Security Incident Notification: This requirement stems from the Cyber Security Act 2024, which was gazetted and came into force on 26 June 2024. It specifically addresses threats or disruptions to national critical information infrastructure (“NCII”).

● Personal Data Breach Notification: This obligation arises under the Personal Data Protection (Amendment) Act 2024, which came into effect on 17 October 2024. It mainly pertains to the compromise, loss, or mishandling of personal data.

These notifications address different issues governed by separate laws, with varying compliance requirements, thresholds, and procedures. For general counsels and legal teams, understanding these foundational differences is critical, as the company’s internal response strategy will need to align accordingly.

2. Who Will Be Impacted by These Notifications?

One of the most important aspects to understand is which companies will be subject to these notification obligations:

● Cyber Security Incident Notification: Contrary to what some may assume, the Cyber Security Act 2024 does not impose blanket cyber security incident notification obligations on all companies. Instead, the cyber security incident notification obligation applies only to organizations designated as NCII entities. Under the Cyber Security Act 2024, NCII Leads are responsible for identifying and designating companies that operate or own NCII as NCII entities. While no companies have officially been designated as NCII entities at the time of writing, we understand that some companies have already received informal notifications that they may be subject to future designation. Companies must stay alert to their status, as being designated as an NCII entity will trigger cyber security incident notification obligations.

● Personal Data Breach Notification: In contrast, the Personal Data Protection (Amendment) Act 2024 introduces broader applicability. The obligation applies to all “data controllers”, a new term replacing the previous concept of "data users." A data controller is defined as an individual or organization who processes any personal data or has control over or authorizes the processing of any personal data. Given this broad definition, many companies will likely fall under the scope of the amended PDPA and will need to comply with personal data breach notification requirements.

3. What Constitutes a Cyber Security Incident or a Personal Data Breach?

● Cyber Security Incident Notification: The Cyber Security Act 2024 defines a cyber security incident as: “An act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cybersecurity of that computer or computer system or another computer or computer system.”

The key terms to note here are "jeopardize" and "adversely affects." These words help determine the level of materiality and seriousness that will qualify an event as a cyber security incident. Simply put, the act or activity must be serious enough to jeopardize or adversely affect the cyber security of the system in question for it to meet the legal definition and necessitate a notification.

However, while the law does not provide detailed guidance on the exact threshold of jeopardy or adverse effect, a strict reading of the definition suggests that the activity must meet a certain level of seriousness to fall within the scope of the definition and trigger the notification requirement. A reasonable interpretation may indicate that minor attempts at unauthorized access to the IT environment, if detected, prevented, and flagged by routine firewall operations, might not trigger the obligation to notify. In contrast, any successful bypass of the firewall by threat actors—particularly if it jeopardizes or adversely affects cybersecurity—should trigger the notification requirement, regardless of whether the threat is subsequently neutralized, whether the critical IT environment is accessed, or whether disruptions occur. As the regulatory landscape evolves, future regulations or guidelines may offer clearer benchmarks on the level of seriousness or materiality required to qualify as a reportable cybersecurity incident.

● Personal Data Breach Notification: The Personal Data Protection (Amendment) Act 2024 does not provide a specific definition for "personal data breach." However, we can draw parallels from other jurisdictions for reference:

◦ EU’s General Data Protection Regulation (“GDPR”): A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”

◦ Singapore’s Personal Data Protection Act 2012: A data breach includes “the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data, or the loss of any storage medium on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.”

While Malaysia has yet to issue detailed guidance on the scope of personal data breaches, it is reasonable to expect alignment with these international standards. Further guidance is anticipated from the relevant regulators to clarify the scope of personal data breach notifications.

4. What Actions Should Companies Take When Notification Obligations Are Triggered?

● Cyber Security Incident Notification: As explained in our recent article (Responding to Cyber Security Incidents: The Strategic Guide for In-House Counsels Under Malaysia’s Cyber Security Act 2024 - HHQ), the Cyber Security Act 2024 requires NCII Entities to act swiftly when a cyber security incident occurs. The process involves three key steps:

Step 1: Immediate Notification Upon Discovery
Once the NCII Entity becomes aware that a cyber security incident has occurred or may have occurred, an authorised person must immediately notify the relevant authorities via electronic means. This first immediate official notification should be sent via email to cert@nc4.gov.my.

Step 2: Submission of Initial Information within 6 Hours
Within 6 hours of the NCII Entity becoming aware of the cyber security incident, the authorised person must submit information on the cyber security incident, including the type and description of the cyber security incident, and the severity of the cyber security incident.

Step 3: Supplementary Information within 14 Days
Within 14 days after the initial six-hour notification, the authorised person shall to the fullest extent practicable submit the following supplementary information, including the estimated number of hosts affected by the cyber security incident, the particulars of the cyber security threat actor, and the artifacts related to the cyber security incident.

● Personal Data Breach Notification: For personal data breaches, the Personal Data Protection (Amendment) Act 2024 introduces a two-tier notification process:

Tier 1: Notifying the Commissioner: If a data controller has reason to believe that a personal data breach has occurred, the data controller shall, as soon as practicable, notify the Commissioner.

Tier 2: Notifying Affected Data Subject: Where the personal data breach causes or is likely to cause any significant harm to the data subject, the data controller shall notify the personal data breach to the data subject.

While the Personal Data Protection (Amendment) Act 2024 does not yet provide specific timelines for these notifications, we expect further guidance to be issued. Should Malaysia adopt an approach similar to Singapore's Personal Data Protection Act 2012, organisations may be required to notify the Commissioner within three calendar days.

5. Does an Incident Require Compliance with Both Notification Obligations?

A critical question for legal departments is whether a single event can trigger both cyber security incident and personal data breach notification obligations. The answer is yes, depending on the extent of the compromise or breach. In the event of a hack or cyber attack that results in both a cyber security incident and a personal data breach, organisations classified as NCII Entities and data controllers will need to comply with both notification obligations.

Given the complexities of responding to such incidents, it is vital for companies to develop clear implementation roadmaps and establish compliance frameworks that outline roles, responsibilities, policies, and procedures. A structured approach will ensure swift and effective responses when incidents arise.

6. What Are the Penalties for Non-Compliance?

The penalties for failing to comply with these notification obligations are severe.

● Cyber Security Act 2024: NCII Entities that do not comply with the cyber security incident notification requirements may face fines of up to RM500,000, imprisonment of up to 10 years, or both.

● Personal Data Protection (Amendment) Act 2024: Data controllers who fail to notify either the Commissioner or affected data subject may be fined up to RM250,000, imprisoned for up to 2 years, or both.

Given these severe penalties, companies must treat these obligations with utmost seriousness to avoid both financial and reputational risks.

Conclusion and Upcoming Event: Preparing for 2025

As companies prepare for 2025, understanding and implementing compliance measures for both cyber security incident notification and personal data breach notification will be critical. Failure to comply can result in severe financial and legal consequences, but with a structured plan in place, organisations can effectively navigate these new requirements.

To support this, we are pleased to announce that Halim Hong & Quek will be co-organising a Cyber Security Incident Simulation Summit in collaboration with S-RM this November. This event will provide practical insights into managing and responding to cyber security incidents effectively under the legal framework of the Cyber Security Act 2024.

By understanding the nuances between cyber security incident notification and personal data breach notification, general counsels and compliance teams will be better positioned to navigate the regulatory challenges of 2025. Now is the time to act, align strategies, and ensure your compliance frameworks are ready for the new regulatory era ahead.

For tailored advice and assistance in navigating this new cyber security framework, our Technology Practice Group is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.

About the authors

Ong Johnson
Partner, Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

More of our Tech articles that you should read:
• Telco Tower Acquisitions and Investments: Issues to Pay Attention to During Due Diligence
• Top 10 FAQs on Licensing for Cyber Security Service Providers Under the Cyber Security Act 2024
• Compliance Update: 10 Key Takeaways from Malaysia’s New Regulatory Framework for Internet Messaging and Social Media Services

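The Road to Transparency: The Impact of the Beneficial Ownership Regime on Corporate Governance

In Malaysia, reporting a company's beneficial owners is a legal requirement intended to ensure transparency regarding the company's shareholders and beneficial owners.

The Companies Commission of Malaysia (“CCM”) issued the Guideline for the Reporting Framework for Beneficial Ownership (“BO Guideline”) on 1 March 2020, encouraging legal entities, including companies (local and foreign), limited liability partnerships (local and foreign) and legal person entities (sole proprietors and partnerships), to adopt a self-regulatory approach in carrying out the requirements set out in the BO Guideline[1]:

(a) take reasonable measures to identify, obtain and verify beneficial owner information;
(b) accurately record beneficial owner information in the register of beneficial ownership;
(c) ensure that beneficial owner information is always accurate and up to date so that it can be accessed in a timely manner;
(d) when beneficial owner information changes, update it promptly and notify the CCM;
(e) properly keep beneficial owner information and the related supporting documents at the CCM office or at the place where the register of members / register of partners is kept;
(f) provide access to the relevant government departments and law enforcement agencies, and allow individuals registered as beneficial owners, and other individuals authorised by the beneficial owner, to access the relevant information.

1 April 2024 is the date on which the Companies (Amendment) Act 2024[2] came into force. The Act introduced, among other things, a framework for reporting the beneficial ownership of companies, making compliance with the obligation to report beneficial ownership of a company's shares mandatory (“beneficial ownership reporting”).

Definition of Beneficial Ownership

Under the definition in section 2 of the Companies Act 2016, a “beneficial owner” means the ultimate holder of the shares and does not include a nominee of any kind.

The Companies (Amendment) Act 2024 expanded the definition of beneficial owner by adding a new section 60A(1). A person is a beneficial owner of a company if that person is a natural person who ultimately owns or controls the company, including a person who exercises ultimate effective control over the company.

Guideline Issued by the CCM

To refine the interpretation of “beneficial owner”, the CCM also issued the latest BO Guideline[3] on 1 April 2024, which clearly sets out:

(i) the persons obliged to report beneficial owner information;
(ii) the legal entities that are regulated;
(iii) the channels for obtaining beneficial owner information;
(iv) reasonable measures to identify, obtain and continuously ensure the accuracy of beneficial owner information;
(v) confirming the identity of the beneficial owner;
(vi) keeping beneficial owner information; and
(vii) the time frame for lodging or registering the documents required for beneficial ownership reporting.

Unless a statutory exemption applies[4], no legal entity can avoid the new Division 8A added by the Companies (Amendment) Act 2024, namely the performance of the beneficial ownership reporting obligations.

The Company's Obligation to Report Beneficial Owner Information

(a) Section 60C(1)[5]: the company has a duty to require shareholders to disclose beneficial owner information
(b) Section 60C(2)[6]: the company has a duty to require the beneficial owner to confirm their identity
(c) Section 60C(3)[7]: the company has a duty to require any shareholder or person to confirm the identity of the beneficial owner
(d) Section 60C(5)[8]: the company has a duty to seek confirmation of changes to beneficial owner information
(e) Section 60C(6)[9]: the company has a duty to confirm whether the information in the register of beneficial owners is accurate

Under section 60C(4) of the Companies (Amendment) Act 2024, the company is obliged, within 14 days from the date it receives the beneficial owner information, to record in its register of beneficial owners (i) the date on which the company issued the notice requiring the beneficial owner information; and (ii) the particulars of the relevant beneficial owner.

Unless the person required to disclose or report the beneficial owner can show that the relevant beneficial owner information is already in the company's possession, or that the request for information was made for frivolous or vexatious reasons, any person who refuses to cooperate or who contravenes the requirement commits an offence[10].

Likewise, any person who, in purported compliance with this section, knowingly makes a false statement, or recklessly makes any false statement, commits an offence[11].

The Beneficial Owner's Obligation to Report Beneficial Owner Information

Section 60C(1) of the Companies (Amendment) Act 2024 provides that a beneficial owner of shares shall, as soon as practicable:

(a) notify the company that they are a beneficial owner of the company's shares; and
(b) provide such information as may be prescribed.

Section 60D(1)[12] provides that any person who has reason to believe that they are a beneficial owner of a company shall, as soon as possible, notify the company that they are its beneficial owner and provide the prescribed information.

Section 60D(2)[13] provides that a beneficial owner of shares is obliged to notify the company of any change to their information in the company's register of beneficial owners.

Section 60D(3)[14] provides that, on ceasing to be a beneficial owner of the company's shares, the person must inform the company of the following:

(a) the date on which the cessation occurred; and
(b) the particulars of the cessation.

Any person who contravenes section 60D above commits an offence.

The Company Secretary's Obligation to Ensure the Accuracy of the Information in the Register of Beneficial Owners

Under section 60C(4) of the Companies (Amendment) Act 2024, as part of the responsibility to properly record, keep and regularly maintain the register of beneficial owners of shares, the company secretary/agent must ensure that beneficial owner information is entered in the company's register of beneficial owners as required by section 60B of the Companies (Amendment) Act 2024.

In addition, the company secretary/agent is responsible for lodging with the CCM any change to the beneficial owner information in accordance with sections 60C(5) and (6) of the Companies (Amendment) Act 2024.

The Statutory Minimum Retention Period for the Register of Beneficial Owners Is 7 Years

Under section 60B(5) of the Companies (Amendment) Act 2024, the company shall ensure at all times that the information on the relevant beneficial owners in the register of beneficial owners is accurate, and shall continue to keep a person's information for 7 years from the date on which that person ceases to be a beneficial owner[15].

Channels for Obtaining Information on Beneficial Owners of Shares[16]

(a) Newly incorporated, locally registered local companies: before the obligation to lodge the first Annual Return arises, specifically within 60 days of the date on which the company formally appoints its company secretary, the particulars of the beneficial owners of shares must be entered in the register, and the report to the CCM must be made within the following 14 days.
(b) Newly established, locally registered foreign companies: for the purposes of registration, the beneficial owner information must be provided and recorded within 14 days after the foreign company is formally registered.
(c) Continuing obligation: after lodging the Annual Return, the company must continue to perform the beneficial ownership reporting obligation, that is, record the particulars of the relevant beneficial owner information in the register of beneficial owners within 14 days from the date of any change to that information[17]; and the company shall lodge its Annual Return and beneficial owner information no later than 30 days from the anniversary of its incorporation[18].

Who Is a Beneficial Owner of Shares?

A beneficial owner of shares means:

(a) a legal person who ultimately owns or controls the company, including a person who exercises ultimate effective control over the company[19]:
(i) “ultimately owns or controls the company” refers to a legal person who ultimately owns or controls the company through ownership achieved by directly holding the company's shares (including an indirect effective holding of not less than 20%); and
(ii) “ultimate effective control” refers to a situation in which an individual, although holding less than 20% of the shares or voting rights, still exercises significant control or influence over the company's directors or management, whether formally or informally, such that the directors or management are accustomed or obliged to act in accordance with that individual's directions, instructions or wishes.
(b) In other words, an individual with ultimate effective control is not necessarily a person who holds shares in the company or holds any position in it.

For Companies Limited by Shares Only: How to Determine Whether an Individual Meets the Criteria for a Beneficial Owner of Shares?

Legal entity: company limited by shares
Criteria[20]:

(i) directly holds not less than 20% of the total number of issued shares; where the shares are held indirectly, the beneficial owner is determined on the basis of effective interest. This includes joint interests and nominee arrangements;
(ii) holds, directly or indirectly, 20% of the voting shares, which give the holder the right to vote at general meetings or on other matters; this right may vary according to the class of shares;
(iii) any individual who has absolute effective control over the company and whose recommendations or proposals on the company's decisions, formal or informal, exert a dominant influence or control over the company;
(iv) any individual (an ordinary shareholder) who can, directly or indirectly, appoint or remove the directors who hold a majority of the voting rights at meetings of directors is regarded as having significant influence or control over the company;
(v) a shareholder who controls the company exercises actual control over it through the cumulative effect of agreements reached with other shareholders of the company;
(vi) an individual who holds less than 20% of the company's shares may still be regarded as a beneficial owner where that individual has significant influence or control over the company.

Although beneficial owner information is not publicly available, it is crucial in assessing particular legal compliance matters, so the relevant persons may obtain access to it when performing their duties under other written laws. The Minister will prescribe the persons or classes of persons who may have access to the register of beneficial owners (RBO)[21].

From an enforcement perspective, the introduction of the Companies (Amendment) Act 2024, and in particular its beneficial ownership reporting provisions, is intended to ensure transparency of overall shareholding and corporate control. This will help reduce the risk of activities such as circumvention of the law, non-compliance and money laundering, while strengthening the oversight of corporate governance by identifying the legal persons who may be responsible for such activities or who hold information needed for further investigation.

In the event of a contravention, the company and each of its officers who contravenes this provision commit an offence and, on conviction, are liable to a fine of up to twenty thousand ringgit (RM20,000). Where the offence continues, a further fine of not more than five hundred ringgit (RM500) may be imposed for each day the offence continues after conviction[22].

We therefore call on all investors to fulfil the relevant legal obligations and avoid any contravention. Moreover, timely and accurate reporting of beneficial ownership information is not only a legal compliance requirement but also an important expression of good corporate governance. A transparent ownership structure helps a business build market credibility, strengthen investor confidence and create favourable conditions for cross-border commercial cooperation. By proactively complying with the reporting requirements, businesses can not only avoid penalties for contravention but also gain an advantage in an international business environment that increasingly values transparency, laying a solid foundation for their sustainable development.

For more detailed information, please feel free to contact our team.

About the author

Choo Sheau Kee (周晓淇)
Lawyer (Technology and Corporate)
Halim Hong & Quek (翰林律务所)
Tel: +603 2710 3818
Email: skchoo@hhq.com.my

[1] https://www.ssm.com.my/Pages/Legal_Framework/Document/Guideline%20for%20BO%20Reporting%20Framework%20(27022020).pdf
[2] Companies (Amendment) Act 2024.
[3] Guidelines for the Reporting Framework For Beneficial Ownership of Companies, dated 1 April 2024, https://www.ssm.com.my/Pages/Legal_Framework/Document/01_Guideline%20BO%20(Post%20T%26P)%20Final%20Uploaded%20Version.pdf
[4] Section 60E of the Companies (Amendment) Act 2024.
[5] Section 60C(1) of the Companies (Amendment) Act 2024.
[6] Section 60C(2) of the Companies (Amendment) Act 2024.
[7] Section 60C(3) of the Companies (Amendment) Act 2024.
[8] Section 60C(5) of the Companies (Amendment) Act 2024.
[9] Section 60C(6) of the Companies (Amendment) Act 2024.
[10] Section 60C(8) of the Companies (Amendment) Act 2024.
[11] Section 60C(9) of the Companies (Amendment) Act 2024.
[12] Section 60D(1) of the Companies (Amendment) Act 2024.
[13] Section 60D(2) of the Companies (Amendment) Act 2024.
[14] Section 60D(3) of the Companies (Amendment) Act 2024.
[15] Section 60B(5) of the Companies (Amendment) Act 2024.
[16] Guidelines for the Reporting Framework For Beneficial Ownership of Companies, dated 1 April 2024, https://www.ssm.com.my/Pages/Legal_Framework/Document/01_Guideline%20BO%20(Post%20T%26P)%20Final%20Uploaded%20Version.pdf
[17] Section 60B(3) of the Companies (Amendment) Act 2024.
[18] Sections 68(3)(ia), 576(1) and 576(2)(ha) of the Companies (Amendment) Act 2024.
[19] Guidelines for the Reporting Framework For Beneficial Ownership of Companies, dated 1 April 2024, https://www.ssm.com.my/Pages/Legal_Framework/Document/01_Guideline%20BO%20(Post%20T%26P)%20Final%20Uploaded%20Version.pdf
[20] Ibid.
[21] Ibid.
[22] Section 60B(6) of the Companies (Amendment) Act 2024.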

Responding to Cyber Security Incidents: The Strategic Guide for In-House Counsels Under Malaysia's Cyber Security Act 2024

One of the most impactful legislative developments in Malaysia this year is undoubtedly the Cyber Security Act 2024. With its official implementation on 26 August 2024, the cyber security regulatory framework has transitioned from being merely a buzzword to a crucial area of compliance that organizations must prioritize. This new regulatory layer introduces additional challenges for in-house legal departments, which require immediate and strategic attention.

While many general counsels and in-house legal teams are aware that the Cyber Security Act 2024 imposes stringent cyber security incident notification obligations on National Critical Information Infrastructure (“NCII”) entities, there remain some uncertainties regarding the precise steps to take when managing and responding to a cyber security incident. The aim of this article is therefore straightforward: to provide a practical and actionable guide for general counsels and in-house lawyers, outlining exactly how to act and respond in the event of a cyber security incident.

When Does the Cybersecurity Incident Notification Obligation Arise?

Before exploring the practical steps, it is essential to establish the circumstances under which the cyber security incident notification obligation arises and to understand what qualifies as a cyber security incident.

Under the Cyber Security Act 2024, the cyber security notification obligation arises under two scenarios:

1. When it comes to the knowledge of the NCII Entity that a cyber security incident in respect of the NCII has occurred; or
2. When it comes to the knowledge of the NCII Entity that a cyber security incident in respect of the NCII might have occurred.

It is crucial to emphasize that in both cases—whether the cyber security incident has occurred or is merely suspected—the Cyber Security Act 2024 imposes a duty to notify. This reflects the proactive stance of the law in ensuring timely responses to potential cyber security incidents before they escalate further.

What Exactly Constitutes a Cyber Security Incident?

One of the most common questions that follows is: What exactly constitutes a cyber security incident? This is a crucial consideration, as it determines when the cyber security notification obligation is triggered.

The Cyber Security Act 2024 defines a cyber security incident as, "an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cybersecurity of that computer or computer system or another computer or computer system."

The key terms to note here are "jeopardize" and "adversely affects." These words help determine the level of materiality and seriousness that will qualify an event as a cyber security incident. Simply put, the act or activity must be serious enough to jeopardize or adversely affect the cyber security of the system in question for it to meet the legal definition and necessitate a notification.

However, while the law does not provide detailed guidance on the exact threshold of jeopardy or adverse effect, a strict reading of the definition suggests that the activity must meet a certain level of seriousness to fall within the scope of the definition and trigger the notification requirement. A reasonable interpretation may indicate that minor attempts at unauthorized access to the IT environment, if detected, prevented, and flagged by routine firewall operations, might not trigger the obligation to notify. In contrast, any successful bypass of the firewall by threat actors—particularly if it jeopardizes or adversely affects cybersecurity—should trigger the notification requirement, regardless of whether the threat is subsequently neutralized, whether the critical IT environment is accessed, or whether disruptions occur. As the regulatory landscape evolves, future regulations or guidelines may offer clearer benchmarks on the level of seriousness or materiality required to qualify as a reportable cybersecurity incident.

Three Practical Steps for General Counsels in the Event of a Cybersecurity Incident

With a clear understanding of when the notification obligation will be triggered and what constitutes a cyber security incident, we now present a three-step guide for general counsels and in-house lawyers to follow in the event of such an incident.

Step 1: Immediate Notification Upon Discovery

Once the NCII Entity becomes aware that a cyber security incident has occurred or may have occurred, an authorised person must immediately notify the relevant authorities via electronic means. This first immediate official notification should be sent via email to cert@nc4.gov.my.

It is important to highlight that only an authorised person of the NCII Entity may issue the notification. But who qualifies as an authorised person? According to the Cyber Security Act 2024, an NCII Entity has 21 days from its designation as an NCII Entity to appoint and submit the details of three authorised persons. These individuals must include:

• One management-level individual that is responsible for overseeing cyber security strategy, risk management, threat detection, and incident response and recovery.
• Two operational-level individuals that are tasked with handling responses to cyber security incidents.

This means that in the event of a cyber security incident, one of these three authorised persons must promptly notify the authorities as soon as the incident is discovered.

Step 2: Submission of Initial Information within 6 Hours

Within 6 hours of the NCII Entity becoming aware of the cyber security incident, the authorised person must submit the following particulars:

i. The particulars of the authorised person;
ii. The particulars of the NCII Entity, the NCII sector and the NCII lead to which it relates; and
iii. Information on the cyber security incident, including the type and description of the cyber security incident, the severity of the cyber security incident, the date and time the occurrence of the cyber security incident is known, and the method of discovery of the cyber security incident.

Step 3: Supplementary Information within 14 Days

Within 14 days after the initial six-hour notification, the authorised person shall to the fullest extent practicable submit the following supplementary information:

i. the particulars of the national critical information infrastructure affected by the cyber security incident;
ii. the estimated number of hosts affected by the cyber security incident;
iii. the particulars of the cyber security threat actor;
iv. the artifacts related to the cyber security incident;
v. the information on any incident relating to, and the manner in which such incident relates to, the cyber security incident;
vi. the particulars of the tactics, techniques and procedures of the cyber security incident;
vii. the impact of the cyber security incident on the national critical information infrastructure or any computer or interconnected computer system; and
viii. the action taken.

Seriousness of the Cyber Security Incident Notification Obligation

NCII Entities must approach the cyber security incident notification obligation with utmost seriousness, as non-compliance carries severe penalties. Upon conviction, entities may face fines of up to RM500,000, imprisonment for up to 10 years, or both.

However, compliance with the notification requirement is more than a mere formality. The submission of the notification and incident report has far-reaching implications, as authorities could also scrutinize these reports to assess the NCII Entity’s overall compliance with the Cyber Security Act 2024, including adherence to the prescribed code of practice and best practice guidelines for managing cyber security. A poorly prepared or mishandled incident report can expose the NCII Entity to deeper regulatory scrutiny, potentially uncovering additional compliance breaches beyond the initial incident. These incident reports are therefore not merely procedural requirements; they carry significant legal and regulatory weight.

Given the complexity and importance of these obligations, NCII Entities are advised to work closely with external counsel familiar with cyber security law, particularly during a cyber security incident. Experienced external counsel can provide critical guidance, ensure the company navigates the notification process correctly, and safeguard the NCII Entity from potential legal and regulatory risks.

For tailored advice and assistance in navigating this new cyber security framework, our Technology Practice Group is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.

About the authors

Ong Johnson
Partner, Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Nicole Shieh E-Lyn
Associate
Technology, Media & Telecommunications (“TMT”), TMT Disputes
nicole.shieh@hhq.com.my

More of our Tech articles that you should read:
• Handling Requests from Data Subjects: Practical Guide for Data Protection Officers
• Exploring Bitcoin Halving and its Significance
• Compliance Update: 10 Key Takeaways from Malaysia’s New Regulatory Framework for Internet Messaging and Social Media Services

Combating Greenwashing: The Launch of the National Sustainable Reporting Framework (NSRF)

In recent years, Environmental, Social, and Governance (ESG) principles have gained significant traction globally, and Malaysia is no exception. As businesses and investors increasingly recognize the importance of sustainable practices, Malaysia has taken proactive steps to integrate ESG considerations into its corporate and financial sectors. This commitment is evident in the introduction of the National Sustainable Reporting Framework (NSRF) in 2024, a key initiative designed to enhance transparency and combat greenwashing.

The National Sustainable Reporting Framework (NSRF) marks a pivotal step in the fight against greenwashing in Malaysia. This new framework introduces comprehensive measures designed to enhance the reliability of sustainability disclosures, ensuring that companies are held accountable for their environmental claims. Here’s how the NSRF aims to make a difference:

1. Standardized Sustainability Reporting

At the core of the NSRF is the adoption of the IFRS Sustainability Disclosure Standards (S1 and S2) established by the International Sustainability Standards Board (ISSB). This standardization ensures that companies disclose sustainability information in a consistent, comparable, and reliable manner. By creating a uniform reporting framework, the NSRF makes it more difficult for businesses to exaggerate or fabricate their environmental claims.

2. External Assurance Requirements

To further bolster trust in sustainability reports, the NSRF mandates independent verification of claims. Starting in 2027, companies will need to have their greenhouse gas (GHG) emissions, particularly Scope 1 and Scope 2, independently verified. This external assurance enhances the credibility of disclosed data, significantly reducing the likelihood of greenwashing and ensuring that companies are held accountable for their environmental impacts.

3. Focus on Climate-related Disclosures

The NSRF emphasizes the importance of climate-related disclosures, encouraging companies to prioritize the most significant risks and opportunities within their business segments. This focus ensures that sustainability efforts reported by companies align with their actual operations and impacts, minimizing the risk of selective reporting that highlights only favorable information.

4. Phased Adoption and Capacity Building

Recognizing the challenges companies may face in adjusting to new reporting requirements, the NSRF adopts a phased approach to implementation. This gradual rollout provides businesses with the necessary time to align their operations and reporting processes. Additionally, the NSRF offers resources such as PACE (Policy, Assumptions, Calculators, and Education) to assist companies in making accurate and transparent disclosures, further discouraging greenwashing practices.

Conclusion

By mandating transparency, accountability, and external verification, the NSRF establishes a framework where sustainability reports are rooted in genuine actions rather than mere marketing rhetoric. This comprehensive approach positions the NSRF as a vital tool in combating greenwashing and promoting authentic corporate sustainability efforts. As businesses embrace these new standards, the path toward a more sustainable future becomes increasingly credible and achievable.

Stay informed about how these developments unfold and their implications for sustainable practices in the corporate world!

About the author

Sharifa Nurliliyana binti Abd Karim
Senior Associate
Banking & Finance and Real Estate
Halim Hong & Quek
sharifa@hhq.com.my

More of our articles that you should read:
• Can a Fixed Term Contract Employee Be Deemed as a Permanent Employee?
• Centralised Air-Conditioning Facilities: Its Classification as “Common Property” Within The Legislative Frameworks
• Cause Papers for Matrimonial Proceedings May Be Filed in the English Language Only

Telco Tower Acquisitions and Investments: Issues to Pay Attention to During Due Diligence

Since the Malaysian government began actively executing the nationwide 5G rollout, there has been a general uptick in activity in the telecommunication tower industry. Nationwide 5G coverage requires more telecommunication towers to be erected across the country. The increase in demand for telecommunication towers attracted investments into the industry, which prompted both the consolidation of many smaller telco tower operators and the acquisition of telco tower assets and companies by institutional investors.

In this article, we take a look at the top four (4) potential issues to take note of for investors looking to invest in the Malaysian telco industry.

1. Valid and Subsisting Network Facilities Provider Licence

Telco tower operators in Malaysia are required to secure a network facilities provider (“NFP”) licence with the Malaysian Communications and Multimedia Commission before they can own and operate any telco towers. Each NFP licence is typically valid for five (5) years, and is renewable subject to the payment of renewal fees. It is thus important for any investor to verify that the target company’s NFP licence is still valid and subsisting, and that all the conditions stated thereunder are being complied with and observed by the target company. Some of the conditions imposed under an NFP licence are foreign and Bumiputera shareholding requirements, contributions to the Universal Service Provision fund, payment of annual licence fees, limitations on the type of facilities approved, and so on.

2. Having the Appropriate Permit for Each Tower

In Malaysia, the erection of any telco tower is subject to the issuance of a building permit by the relevant municipal or local authorities. Essentially, the telco operator is supposed to have applied for and received a building permit for each and every telco tower at its respective site before erecting it. Any telco tower that has been erected illegally may expose the company to a financial penalty by the local authorities or, worse, be subject to a demolition notice. The application for a building permit with the municipal or local authorities can be a tedious and slow process, which is why many telco operators tend to erect the telco towers while the application process is still underway. Before undertaking any investment in a telco tower company, it is crucial to verify the number of telco tower sites that are operating without any permits and assess the likelihood of permits being issued for these sites in the future, so that appropriate conditions or risk mitigations can be put in place in the transaction documents to protect the interests of the investors.

3. Thorough Review of the Site Tenancy Agreements

The sites on which the telco towers are erected are usually occupied by the telco tower companies under tenancy or lease agreements with the land or property owners. During legal due diligence, it is also important for the investors to ensure that each of the telco tower sites is being occupied under a valid and subsisting tenancy or lease agreement. From time to time, some land owners might include a rental “step up” mechanism in the tenancy or lease agreement to allow a fixed percentage of rental increment every 3 to 5 years. It is thus imperative that investors take this into consideration when calculating the tower cash flow of the telco tower portfolio of a target company.

4. Thorough Review of the Tower Licence Agreements

Telco towers are usually licensed to telco operators or network service providers (“NSPs”) in order for them to install their network equipment on the tower structures. The licences are typically firmed up under licence agreements or access agreements, which allow the telco tower company to collect monthly licence fees from the licensee. Due to space constraints, each telco tower can typically host up to three (3) or four (4) sets of network equipment from different telco operators or NSPs. The industry practice is for there to be a licence fee “step down” mechanism whenever there is an increase in the number of collocators on the same tower, resulting in fluctuations in the receivables of the telco tower company for each tower. Likewise, the fluctuations in the tower licence fees will directly impact the target company’s tower cash flow, and careful assessment of the number of equipment sets on each tower is required.

Acquisition of or investment into an existing telco tower portfolio or company can be expensive depending on the size of the telco tower portfolio. We cannot stress enough the importance of a thorough legal due diligence on the target company or portfolio to be acquired. Risks and irregularities need to be identified and flagged accordingly during the due diligence process so that effective deal structuring and appropriate risk mitigation can be done to protect the interests of the investors or purchasers.

The Technology Practice Group at HHQ frequently works with companies from the telco industry on matters ranging from regulatory compliance to commercial transactions. We are certainly equipped with the necessary skillsets and industry knowledge to assist you in your telco related matters. Please do not hesitate to reach out to the partners and heads of the Technology Practice Group for more enquiries.

About the authors

Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my

Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my

Assessing High-Risk AI Systems Under the EU AI Act: A Practical Four-Step Guide for General Counsels

Identifying High-Risk AI Systems: A Step-by-Step Guide for General Counsels

In our previous article, “8 Prohibited AI Practices Under the EU AI Act You Must Know: Are Your AI Systems at Risk?”, we provided an in-depth discussion on the types of AI practices that will be prohibited under the EU AI Act, which is set to be implemented on 2 February 2025. We were also privileged to be invited by BFM to further explore some of these prohibited AI practices, and if you are interested, you can listen to the full discussion.

Building on our previous discussion of prohibited AI practices, this article will now explore another critical element of the EU AI Act, which is high-risk AI systems. The EU AI Act adopts a risk-based approach to regulating AI, classifying AI systems into several tiers: prohibited AI practices, high-risk AI systems, and General-Purpose AI Models, with lower or minimal risk. Unlike prohibited AI systems, which are outright banned, high-risk AI systems are even more relevant to most organizations, as they are often embedded within various AI applications.

Given the complexity and extensive regulatory requirements associated with high-risk AI systems, this article aims to provide general counsels with a practical guide on how to conduct an internal assessment of whether your AI systems fall under the high-risk category. Once classified as high-risk, there are specific obligations that organizations need to fulfill, depending on whether they act as providers, deployers, importers, or distributors of these AI systems.

Step 1: Is the AI System Covered by the Union Harmonization Legislation?

The first step in assessing whether an AI system is considered high-risk is to verify if it falls within the scope of the Union harmonisation legislation listed in Annex I of the EU AI Act. This legislation covers specific product categories, and AI systems that are either (i) one of these products or (ii) intended to be used as a safety component in these products are subject to stricter regulatory oversight.

1. Machinery
2. Toys
3. Watercraft
4. Lifts
5. Explosives
6. Radio equipment
7. Pressure equipment
8. Cableways
9. Personal protective equipment
10. Gas appliances
11. Medical devices
12. Civil aviation
13. Vehicles
14. Marine equipment
15. Rail systems

Step 2: Assess the Need for Third-Party Conformity Assessment

If your AI system is either a product or a safety component in one of the products listed above, the next key question is whether that product is required to undergo a third-party conformity assessment before being placed on the market, as mandated by EU harmonisation legislation. If the answer is yes, then the AI system is automatically classified as a high-risk AI system.

If the AI system is not a product listed in Annex I or does not serve as a safety component for such products, or if the product does not require a third-party conformity assessment, your assessment does not end there, and you should move to step 3.

Step 3: Review Annex III for Additional High-Risk AI Systems

Even if the AI system does not meet the criteria from Steps 1 and 2, it may still be categorized as high-risk if it falls under one of the AI systems listed in Annex III of the EU AI Act. Annex III outlines 8 types of high-risk AI systems:

1. Biometrics AI Systems – These include biometric AI systems that are not prohibited. It encompasses: (i) remote biometric identification systems (excluding biometric AI systems used solely for biometric verification and authentication purposes, such as unlocking devices or granting access to premises); (ii) AI systems used for biometric categorisation according to sensitive attributes or characteristics; or (iii) emotion recognition AI systems.

2. Critical Infrastructure AI Systems – These are AI systems intended for use as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating, or electricity. Critical infrastructure AI systems are considered high-risk because their failure or malfunction may endanger the life and health of individuals on a large scale and lead to significant disruptions in the normal conduct of social and economic activities. Examples of safety components of such critical infrastructure may include systems for monitoring water pressure or fire alarm control systems in cloud computing centres.

3. Education and Vocational Training AI Systems – These AI systems are intended to: (i) determine access or admission to education or vocational training institutions; (ii) evaluate learning outcomes; (iii) assess the level of education an individual will receive or be able to access; or (iv) monitor and detect prohibited behaviour of students during tests. These are categorised as high-risk AI systems because they may influence the educational and professional trajectory of a person’s life, affecting their ability to secure a livelihood. When improperly designed or used, such systems can be particularly intrusive and may violate the right to education and training.

4. Employment AI Systems – This includes AI systems used: (i) in the recruitment process, such as targeted job advertisements, job application filtering, and candidate evaluation; or (ii) to make work-related evaluations that affect employment relationships, such as promotion, termination, task allocation, or performance assessment. These systems are considered high-risk because they can significantly impact future career prospects, livelihoods, and workers’ rights.

5. Private and Public Service and Benefit Access AI Systems – This includes AI systems intended to: (i) evaluate the eligibility of individuals for public assistance benefits and services; (ii) assess a person’s creditworthiness; (iii) perform risk assessment and pricing for life and health insurance; or (iv) evaluate and classify emergency calls or establish priorities in dispatching emergency first-response services. These systems are classified as high-risk because they are often used by individuals in vulnerable positions, dependent on these benefits and services.

6. Law Enforcement AI Systems – These AI systems are intended for: (i) assessing the risk of a person becoming a victim of criminal offenses; (ii) being used as polygraph tools; (iii) evaluating the reliability of evidence during investigations or prosecutions; (iv) assessing the risk of a person committing or re-committing a crime, based on factors other than personal profiling, such as personality traits or past criminal behaviour; or (v) profiling individuals in the detection, investigation, or prosecution of criminal offenses. These systems are high-risk because they may unjustly single out individuals in a discriminatory or otherwise incorrect manner. Furthermore, their use could undermine important procedural rights, such as the right to an effective remedy, a fair trial, the right of defence, and the presumption of innocence.

7. Immigration AI Systems – These AI systems are used in migration, asylum, and border control management for: (i) polygraphs or similar tools; (ii) assessing risks, such as security risks, irregular migration risks, or health risks of individuals; (iii) assisting authorities in examining applications for asylum, visas, or residence permits, including eligibility assessments and evaluating the reliability of evidence; or (iv) detecting, recognising, or identifying individuals in migration or border management processes, excluding travel document verification. These systems are classified as high-risk because they affect individuals in particularly vulnerable situations who depend on the decisions of competent public authorities. The accuracy, non-discriminatory nature, and transparency of these AI systems are especially crucial to ensure respect for the fundamental rights of affected persons, including free movement, non-discrimination, privacy, international protection, and good administration.

8. Administration of Justice and Democratic AI Systems – This includes AI systems intended for: (i) use by or on behalf of judicial authorities to research and interpret facts and law, and apply the law to those facts, or for similar use in alternative dispute resolution; or (ii) influencing the outcome of elections or referenda, or the voting behaviour of individuals exercising their right to vote. These systems are high-risk because of their potential impact on the fundamental processes of justice and democracy.

If your AI system falls into one of these categories, it is automatically classified as high-risk. However, this does not conclude the assessment. You should proceed to step 4, where it is essential to evaluate whether the presumption of high risk can be rebutted.

Step 4: Assessing the Impact on Health, Safety, and Fundamental Rights

The 8 types of AI systems referred to in Annex III are generally categorized as high-risk. However, this presumption can be rebutted if the AI systems do not pose a significant risk of harm to the health, safety, or fundamental rights of individuals, including not materially influencing decision-making outcomes. The following four exceptions provide a basis for rebuttal:

1. The AI system is intended to perform a narrow procedural task, such as transforming unstructured data into structured data, classifying incoming documents into categories, or detecting duplicates among a large number of applications.

2. The AI system is intended to improve the result of a previously completed human activity, such as AI systems intended to improve the language used in previously drafted documents, for example, improving professional tone, academic style, or aligning text with certain brand messaging.

3. The AI system is intended to detect decision-making patterns from prior decision-making instances and is not meant to replace or influence the previously completed human assessment, without proper human review.

4. The AI system is intended to perform preparatory tasks for assessments relevant to the use cases listed in Annex III, such as smart solutions for file handling, which may include various functions like indexing, searching, text and speech processing, or linking data to other data sources.

If the AI systems referenced in Annex III can demonstrate that they do not pose a significant risk of harm to health, safety, or fundamental rights—specifically, that they do not materially influence decision-making outcomes—by satisfying the aforementioned exceptions, they will not be classified as high-risk AI systems. Conversely, if these AI systems fail to meet the criteria for rebuttal, they will be considered high-risk.

Flowchart for Simplifying the Internal Assessment Process

We understand that determining whether an AI system is classified as high-risk under the EU AI Act is a complex undertaking that necessitates a structured and methodical approach. Therefore, to aid general counsels in conducting a preliminary internal self-assessment of their AI systems, we have developed a visual flowchart below.

This flowchart serves as a practical internal guide for evaluating whether an AI system falls into the high-risk category. While this tool is beneficial for initial assessments, it is important to note that it may not encompass the full depth of a comprehensive legal audit.

Core Requirements for High-Risk AI Systems

Once an AI system is classified as “high-risk” under the EU AI Act, such AI systems must comply with seven core requirements specified in the legislation. These requirements encompass critical areas such as:

(i) risk management systems
(ii) data governance
(iii) technical documentation
(iv) record keeping
(v) transparency
(vi) human oversight
(vii) accuracy, robustness, and cybersecurity

Given the length of this article, we will delve into each of these seven core requirements and the corresponding legal obligations for various stakeholders within the AI value chain—whether you are a provider, deployer, distributor, manufacturer, or importer of a high-risk AI system—in subsequent articles. Understanding these distinct compliance measures is essential for ensuring that your organization meets its obligations under the EU AI Act.

Implementation Timeline and Penalties

The EU AI Act officially came into force on 1 August 2024; however, its implementation will occur in stages. As outlined in our previous article, the enforcement of prohibited AI practices will commence on 2 February 2025, while the requirements for high-risk AI systems will take effect on 2 August 2026. This extended timeline for high-risk AI systems reflects the significant obligations that organizations will need to meet.

It is important to recognize that non-compliance with the requirements for high-risk AI systems can result in substantial penalties, including fines of up to €15 million or 3% of global revenue. Therefore, organizations must prepare adequately to ensure compliance and mitigate risks associated with these new regulations.

The Technology Practice Group at Halim Hong & Quek is well-versed in technology law, including the EU AI Act, and we are currently providing training to multinational corporations in Malaysia on this subject. Should you require assistance or wish to schedule a more detailed discussion to ensure compliance, please let us know.

About the authors

Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my

Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my

Jerrine Gan Jia Lynn, Pupil-in-Chambers, Technology Practice Group. jerrine.gan@hhq.com.my

Top 10 FAQs on Licensing for Cyber Security Service Providers Under the Cyber Security Act 2024

With the enforcement of the Cyber Security Act 2024, one of the key concerns is the licensing requirements for cyber security service providers. According to the latest information published by the National Cyber Security Agency (“NACSA”), licensing applications for cyber security service providers will officially commence on 1 October 2024, which is just around the corner. Despite the urgency and tight deadlines, confusion persists in the market about who needs to apply for a license, what is actually defined as cyber security service, and the consequences of non-compliance. Therefore, this article seeks to address the top 10 most frequently asked concerns regarding the cyber security service provider licensing requirement.

1. When Can Cyber Security Service Providers Apply for a License, and Is There a Grace Period?

The first question on the minds of many in the industry is when exactly they can apply for the license and whether there is a grace period for obtaining one. The licensing application will formally begin on 1 October 2024, and there will indeed be a three-month grace period ending on 31 December 2024. During this grace period until 31 December 2024, cyber security service providers may continue to operate without a license. However, once the grace period lapses on 1 January 2025, it will be unlawful to offer cyber security services without the necessary licensing in place.

2. Who Needs to Apply for the Cyber Security Service Provider License?

The next question is: “Who exactly needs to apply for a cyber security service provider license?” The Cyber Security Act 2024 is unequivocally clear on this matter—any company that intends to (i) provide any cyber security service or (ii) advertise itself as a cyber security service provider is required to obtain a cyber security service provider license. This straightforward provision ensures that there is no ambiguity and leaves little room for interpretation—whether you are actively delivering cyber security services or merely advertising that you are providing cyber security services, a license will be mandatory.

3. What Exactly Constitutes a "Cyber Security Service"?

A natural follow-up question is what exactly constitutes a "cyber security service." The term “cyber security service” can be broad, and therefore, the Cyber Security Act 2024 narrows down the focus, making it clear that the cyber security service license is applicable only to two specific types of services:

1. Managed Security Operation Centre Monitoring Services, and
2. Penetration Testing Services.

Managed Security Operation Centre Monitoring Service

Managed security operation centre monitoring service refers to the monitoring of cyber security levels to identify or detect cyber security threats, determine the necessary measures to respond to or recover from any cyber security incidents, and prevent such incidents from occurring in the future.

Penetration Testing Service

Penetration testing service involves assessing, testing, or evaluating the level of cyber security. It includes the following activities:

• Determining cyber security vulnerabilities and demonstrating how these vulnerabilities may be exploited;
• Testing the organization’s ability to identify and respond to cyber security incidents through simulated attempts to penetrate its cyber security defenses;
• Identifying and measuring cyber security vulnerabilities, preparing appropriate mitigation procedures to eliminate or reduce these vulnerabilities to an acceptable level of risk; or
• Utilizing social engineering techniques to assess the level of an organization’s vulnerability to cyber security threats.

In essence, any company that provides either managed security operation centre monitoring services or penetration testing services, as described above, will need to obtain a cyber security service provider license.

4. Can a Cyber Security Service Provider Offer Both Services? Do They Need Separate Licenses?

The fourth question often posed is whether a cyber security service provider can offer both managed security operation centre monitoring services and penetration testing services, and whether separate licenses are required for each. The answer is yes. A cyber security service provider can concurrently offer both managed security operation centre monitoring services and penetration testing services, and only one license is necessary for both services. However, if the initial application covers only one type of cyber security service—say, managed security operation centre monitoring services—then the company would need to apply for another license if it later intends to offer penetration testing services. Hence, if a company plans to provide both types of services, it is advisable to apply for both in the same license to avoid unnecessary complications down the line.

5. Do Subcontractors or Third-Party Providers to the Main Contractor Require an Independent License?

A common scenario in the cyber security sector involves service providers fulfilling their contractual obligations through subcontractors or third parties. This raises a critical question: Do subcontractors or third parties providing cyber security services on behalf of a main contractor also need to be licensed? The answer is yes. If a subcontractor or third-party provider delivers cyber security services on behalf of a main contractor, they are required to obtain an independent license. This requirement ensures that all entities directly involved in the provision of cybersecurity services are appropriately regulated, maintaining the integrity and security standards envisioned by the Act.

6. Is a License Required if the Cyber Security Service is Only Provided to Related Companies?

Another area of concern is whether a company providing cyber security services exclusively to its related companies is required to obtain a license. The answer depends on the nature of the service provision. If the company offers cyber security services solely to its related companies, such as its holding company, subsidiaries, or fellow subsidiaries under the same holding company, it is not required to obtain a license. However, if the company intends to extend its services beyond this intra-group structure to other companies, a license becomes mandatory. Typically, the term "related company" refers to companies within the same corporate group, including the holding company, any subsidiary, or a subsidiary of the holding company.

7. Is a License Required if the Cyber Security Service is Only Provided to Overseas Companies?

The next question is whether a cyber security service provider needs a license if it only provides services to companies located outside Malaysia. The licensing requirement hinges on the location of the service recipients. If the cybersecurity service provider exclusively serves companies located overseas, there is no need to apply for a license. However, if the service provider offers cyber security services to companies located both overseas and within Malaysia, a license will be required.

8. Do Foreign Cyber Security Service Providers Require a License if They Have Already Obtained a License from a Different Jurisdiction?

Another frequently asked question is whether foreign companies that have already obtained a cybersecurity license from another jurisdiction need to apply for a Malaysian license. The simple answer is yes—if a foreign company intends to provide cyber security services to companies in Malaysia, it must obtain a local license, regardless of whether it already holds a license in another jurisdiction. However, there is an exception: If the foreign company provides cyber security services solely to its related company registered in Malaysia, it would not require a separate license, as it is only serving its intra-group counterpart.

9. How Will Companies Know if a Cyber Security Service Provider is Licensed?

To facilitate transparency and compliance, NACSA will publish a list of licensed cyber security service providers on its licensing portal once the approval process is completed. This list will serve as a reference for companies seeking to engage legitimate and authorized service providers. It is advisable for companies to verify the licensing status of their potential cyber security partners to mitigate any risks associated with engaging unlicensed providers.

10. What are the Consequences of Non-Compliance for Providing Cyber Security Services Without a License?

The consequences of non-compliance with the licensing requirements under the Cyber Security Act 2024 are severe. Any person found providing cybersecurity services without the required license may, upon conviction, be liable to a fine not exceeding RM500,000, imprisonment for a term not exceeding 10 years, or both. Such stringent penalties highlight the critical importance of adhering to the licensing requirements and should serve as a wake-up call for all cyber security service providers to ensure compliance.

Conclusion

The message is loud and clear that all cyber security service providers must comply with the Cyber Security Act 2024 and its licensing requirements. With the application process set to begin on 1 October 2024 and a three-month grace period provided, it is imperative that all cyber security service providers familiarize themselves with the application procedures. For those who require assistance with the application process or have questions about the new regulatory landscape, our Technology Practice Group is ready to provide the necessary support and guidance to ensure compliance. Please do not hesitate to reach out to us should you require assistance with the application process or need further advice on compliance with the Cyber Security Act 2024.

About the authors

Ong Johnson, Partner, Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance. johnson.ong@hhq.com.my

Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity. ky.lo@hhq.com.my

Malaysia's Cyber Security Legal Landscape: Mandatory Compliance or Severe Penalties

Starting from 26 August 2024, the highly anticipated Cyber Security Act 2024 (“Act”), along with four other key regulations, officially comes into force, marking the beginning of a new era in Malaysia's cybersecurity legal landscape. This significant legislative development sets the stage for a strengthened regulatory framework aimed at protecting critical national infrastructure and enhancing the resilience of Malaysia's cyberspace. This article provides a comprehensive overview for general counsels, outlining the key elements of the new legal regime, with a particular focus on the designation of National Critical Information Infrastructure (“NCII”) sectors and the roles and responsibilities of NCII Leads and NCII Entities under the Act, alongside the licensing requirements for cyber security service providers.

Key Regulations in Force Alongside the Cyber Security Act 2024

First and foremost, it is important to recognize the four key regulations that were enacted simultaneously with the Act on 6 August 2024:

1. Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024: Defines the mandatory timelines for conducting cyber security risk assessments and audits, ensuring that organizations remain vigilant and proactive in identifying and mitigating cyber risks.
2. Cyber Security (Licensing of Cyber Security Service Providers) Regulations 2024: Establishes the requirements for obtaining a license to operate as a cyber security service provider in Malaysia, aiming to standardize the quality of cyber security services provided.
3. Cyber Security (Compounding of Offences) Regulations 2024: Outlines the process and conditions under which certain cyber security related offenses may be compounded, providing a mechanism for resolving infractions without resorting to lengthy legal proceedings.
4. Cyber Security (Notification of Cyber Security Incident) Regulations 2024: Stipulates the mandatory reporting requirements for cyber security incidents, ensuring that authorities are promptly informed of any threats or breaches, enabling a coordinated response to mitigate damage.

What is the Cyber Security Act 2024 About?

When we provide legal training to our clients on the Act, one of the most frequently asked questions is, “What is the Cyber Security Act 2024 about?” At its core, the Act and its accompanying regulations are designed to govern four key aspects of Malaysia's cybersecurity framework:

1. Establishment and Governance of 11 NCII Sectors: The Act identifies 11 sectors designated as NCII sectors, which are critical to the nation’s security and economic stability.
2. Obligations of NCII Leads: The Act outlines the specific duties and responsibilities for NCII Leads—those entities designated to oversee cybersecurity measures within the NCII sectors.
3. Obligations of NCII Entities: It also specifies the obligations for individual NCII Entities, which are organizations that own or operate NCII.
4. Licensing Requirements for Cyber Security Service Providers: Lastly, the Act introduces a licensing regime for cybersecurity service providers to ensure a high standard of cyber security practices and compliance.

The sections that follow will provide a deeper analysis of each of these four aspects.

What is NCII and What are the 11 NCII Sectors?

The concept of NCII is central to the Act, and NCII is defined as “a computer or computer system which, if disrupted or destroyed, would have a detrimental impact on the delivery of any service essential to the security, defense, foreign relations, economy, public health, public safety, or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out their functions effectively.” In simpler terms, NCII refers to the backbone of the nation’s essential services—those computer systems and networks that, if disrupted, could severely impact the country's safety, economy, and government operations. Protecting these critical infrastructures from cyber threats is paramount to ensuring Malaysia’s national security and public welfare.

The 11 NCII sectors designated under the Act are as follows:

1. Government
2. Banking and Finance
3. Transportation
4. Defense and National Security
5. Information, Communication, and Digital
6. Healthcare Services
7. Water, Sewerage, and Waste Management
8. Energy
9. Agriculture and Plantation
10. Trade, Industry, and Economy
11. Science, Technology, and Innovation

These sectors represent the foundational pillars upon which the nation's security and stability depend. By designating these sectors as NCII, the Act seeks to ensure that adequate measures are in place to safeguard critical infrastructure against cyber threats.

Appointment of NCII Leads

Upon understanding the scope of the 11 NCII sectors, the Act empowers the Minister to appoint any government entity or person as the NCII Lead for each of the designated sectors. The Act allows the Minister to appoint more than one NCII Lead for each sector, providing flexibility to address the diverse needs and complexities inherent within each sector. The names of the appointed NCII Leads will be published on the official website of the National Cyber Security Agency, ensuring transparency and public awareness.

Key Responsibilities of NCII Leads

The Act outlines five key responsibilities for NCII Leads, focusing on the effective management and security of NCII within their designated sectors:

1. Designate NCII Entities: The NCII Lead is responsible for designating companies that own or operate NCII within their sector as NCII Entities. This designation ensures that entities critical to the sector's functioning are identified and subject to the regulatory requirements under the Act.
2. Prepare Code of Practice: Each NCII Lead is responsible for preparing a Code of Practice, which must be endorsed by the Chief Executive. This Code of Practice will outline the necessary measures, standards, and processes required to secure the NCII within their sector.
3. Prepare and Maintain Best Practice Guidelines: In addition to the Code of Practice, NCII Leads are tasked with preparing and maintaining best practice guidelines related to cybersecurity management.
4. Monitor and Ensure Compliance: The NCII Lead is also responsible for monitoring and ensuring that the actions required of and duties imposed on the NCII Entities are carried out. This role includes oversight of compliance with the Code of Practice and any other relevant regulations, ensuring that NCII Entities meet their obligations under the Act.
5. Report Cybersecurity Threats and Incidents: Finally, the NCII Lead must prepare and submit a report to the Chief Executive on any cybersecurity threats or incidents that have affected the NCII within their sector. This responsibility is crucial for maintaining an up-to-date understanding of the threat landscape and ensuring that the government remains informed and can respond effectively to potential risks.

Legal Obligations for NCII Entities

The legal obligations imposed by the Act on NCII Entities are critical for ensuring compliance and avoiding severe penalties. This section is particularly relevant to companies that own or operate NCII, as non-compliance with these obligations can result in significant fines and imprisonment. The Act outlines five broad key obligations for NCII Entities, which are discussed below.

1. Duty to Provide Information Relating to NCII: NCII Entities have a duty to provide information concerning their NCII, which is further divided into three categories:
• Request for Information: The NCII Lead may request information regarding the NCII owned or operated by the NCII Entity, and the NCII Entity must comply with this request.
• Provision of Additional NCII Information: If an NCII Entity procures or gains control over additional NCII, it must automatically provide relevant information to the NCII Lead.
• Notification of Material Changes: Any material change to the design, configuration, security, or operation of the NCII must also be automatically reported to the NCII Lead.
Failure to comply with these duties could result in a fine of up to one hundred thousand ringgit or imprisonment for a term not exceeding two years, or both.

2. Duty to Implement the Code of Practice: NCII Entities must implement the measures, standards, and processes specified in the Code of Practice. However, they may opt for alternative measures if they can demonstrate that these provide an equal or higher level of protection to the NCII. Non-compliance with this obligation can result in a fine of up to five hundred thousand ringgit or imprisonment for a term not exceeding ten years, or both.

3. Duty to Conduct Cybersecurity Risk Assessment and Audit: NCII Entities are required to conduct a cybersecurity risk assessment in accordance with the Code of Practice at least once a year and an audit at least once every two years. The results of these assessments and audits must be submitted to the Chief Executive. Failure to conduct these assessments or submit the reports can lead to a fine of up to two hundred thousand ringgit or imprisonment for a term not exceeding three years, or both.

4. Duty to Notify Cyber Security Incidents: In the event of a cybersecurity incident, the NCII Entity must provide an initial notification within six hours, detailing information such as the description of the cybersecurity incident, the severity of the cybersecurity incident, and the method of discovery. A full report must be submitted within 14 days, including details such as the number of hosts affected, information on the cybersecurity threat actor, and the incident's impact. Non-compliance is severe, with penalties of up to five hundred thousand ringgit or imprisonment for a term not exceeding ten years, or both.

5. Cybersecurity Incident Response Directive: Upon receiving a notification of a cybersecurity incident from an NCII Entity, the Chief Executive will investigate and may issue a directive on necessary measures to respond to or recover from the incident. The term "directive" underscores the importance of compliance. Failure to adhere to these directives may result in a fine of up to two hundred thousand ringgit or imprisonment for a term not exceeding three years, or both.

Licensing Requirements for Cybersecurity Service Providers

The Cyber Security Act 2024 introduces stringent licensing requirements for cybersecurity service providers. Under the Act, it is explicitly stated that no person shall provide any cybersecurity service, advertise, or in any way hold themselves out as a provider of such services unless they hold a valid license to do so. The Act categorizes cybersecurity services into two (2) main types:

1. Managed Security Operation Centre (SOC) Monitoring Services: These are services that monitor the level of cyber security for the purpose of identifying or detecting cybersecurity threats to a computer or computer system, or determining the measures necessary to respond to or recover from any cybersecurity incident.
2. Penetration Testing Services: These services involve assessing, testing, or evaluating the level of cybersecurity of a computer or computer system by searching for vulnerabilities and compromising the cyber security defenses of the computer or computer system.

Non-compliance with the licensing requirement is a serious offense under the Act, punishable by a fine not exceeding five hundred thousand ringgit, imprisonment for a term not exceeding ten years, or both.

Conclusion

The implementation of the Cyber Security Act 2024, along with the four accompanying regulations, marks a transformative moment in Malaysia's cybersecurity framework. General counsels must stay informed and vigilant about these changes, ensuring that their organizations not only comply with the new requirements but also proactively protect their critical infrastructure from emerging threats in an increasingly digital world.

If your organisation has been designated as an NCII Lead or NCII Entity, and you would like us to assist you on the compliance with your obligations under the Cyber Security Act 2024, please do not hesitate to reach out to the partners at our Technology Practice Group, the contact details of which can be found below. The team is well-versed with technology and cyber security, and will certainly be able to assist in your endeavour.

About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

More of our Tech articles that you should read:
• 8 Prohibited AI Practices Under the EU AI Act You Must Know: Are Your AI Systems at Risk?
• CYBER SECURITY REGULATIONS 2024 – Essential Reporting, Audit and Licensing Obligations
• Handling Requests from Data Subjects: Practical Guide for Data Protection Officers

8 Prohibited AI Practices Under the EU AI Act You Must Know: Are Your AI Systems at Risk?

On 2 August 2024, the EU AI Act officially came into force, marking a significant milestone in the regulation of artificial intelligence within the European Union.

In our article, “We Read the EU AI Act So You Don’t Have To: 10 Essential Takeaways for General Counsels”, we provided a broad overview of this crucial AI legislation. Given the extensive scope of the EU AI Act, it is both impractical and insufficient to cover its entirety in a single article. Therefore, we intend to break down the EU AI Act into more manageable topics, offering in-depth analysis through a series of subsequent articles. Our latest publication, “EU AI Act: The Essential Guide to Copyright Compliance for General-Purpose AI Models”, delves into copyright compliance specifically related to the training of general-purpose AI models.

In this article, we aim to address another crucial aspect of the EU AI Act: the prohibition of certain AI practices. This topic is extremely important as it concerns AI practices that are strictly prohibited under the EU AI Act, and non-compliance carries severe penalties. The impact of these prohibitions extends to all companies currently developing AI systems, including those established or operating outside the EU, due to the extra-territorial effect of the EU AI Act – as long as the AI systems are intended to be placed, used, or deployed in the EU market, companies must ensure compliance with these prohibitions to avoid significant risks.

The 8 Categories of Prohibited AI Practices

Effective 2 February 2025, the EU AI Act will prohibit 8 broad categories of AI practices. This prohibition will extend beyond EU borders, impacting international AI system providers, including those based in Malaysia seeking to enter the EU market. Understanding these prohibitions is essential for compliance and strategic planning. The 8 categories of prohibited AI practices under the EU AI Act are:

1. Manipulative AI Systems

The EU AI Act prohibits manipulative AI systems, which are defined as AI systems that employ subliminal, manipulative, or deceptive techniques to distort and impair a person’s ability to make an informed decision, thereby leading them to make choices that could cause significant harm.

The EU AI Act views AI systems that are designed to materially distort human behaviour and cause harm to physical, psychological, or financial interests as dangerous and subject to prohibition. This includes AI systems that use subliminal elements such as audio, image, or video stimuli imperceptible to individuals, or other manipulative techniques that undermine or impair a person’s autonomy, decision-making, or free choice in ways that are not consciously recognized. Even if individuals are aware, they may still be deceived or unable to control or resist these techniques.

2. Exploitative AI Systems

The EU AI Act also prohibits exploitative AI systems. Although there are some overlapping similarities with manipulative AI systems, exploitative AI systems specifically target the vulnerabilities of individuals or groups due to their age, disability, or specific social or economic situations, materially distorting their behaviour in a manner likely to cause significant harm. This includes exploiting the vulnerabilities of individuals in extreme poverty, or those belonging to ethnic or religious minorities. The EU AI Act takes the prohibition of both manipulative and exploitative AI systems seriously, as any AI-enabled practice resulting in significant harm is prohibited, regardless of the provider's intention.

3. Social Scoring AI Systems

Social scoring AI systems, which are becoming increasingly common in many countries, are prohibited under the EU AI Act. These systems evaluate or classify individuals or groups based on their social behaviour or personality characteristics, with the resulting social score leading to detrimental or unfavourable treatment in social contexts that are either unrelated to the context in which the data was originally generated or collected, or unjustified or disproportionate to the social behaviour or its gravity.

The EU AI Act considers AI systems that provide social scoring of individuals as potentially leading to discriminatory outcomes and exclusion of certain groups. Social scores obtained from such AI systems may result in detrimental or unfavourable treatment in contexts unrelated to the original data collection or may be disproportionate or unjustified relative to the gravity of the social behaviour. As a result, AI systems involving such unacceptable scoring practices are prohibited.

4. Risk Assessment Profiling AI Systems

Risk assessment profiling AI systems, which make risk assessments of individuals to predict the risk of committing a criminal offense based solely on profiling or assessing their personality traits and characteristics, are also prohibited under the EU AI Act. However, this prohibition does not apply to AI systems used to support the human assessment of a person’s involvement in criminal activity, which is already based on objective and verifiable facts directly linked to the criminal activity.

In line with the presumption of innocence, the EU AI Act stipulates that a person should not be judged on AI-predicted behaviour based solely on their profiling, personality traits, or characteristics without a reasonable suspicion based on objective, verifiable facts and without human assessment. Therefore, risk assessments carried out to assess the likelihood of offending or predict potential criminal activity solely on profiling should be prohibited.

5. Facial Recognition Databases AI Systems

Facial recognition database AI systems are another common AI tool, creating or expanding facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage. The use of such systems is prohibited by the EU AI Act because this practice contributes to the feeling of mass surveillance and can lead to severe violations of fundamental rights, including the right to privacy.

6. Emotion Inference AI Systems

Emotion inference AI systems, which infer the emotions of a person in workplaces and educational institutions, are also prohibited under the EU AI Act, except for medical or safety reasons.

The EU AI Act views AI systems identifying or inferring emotions or intentions based on biometric data as potentially discriminatory and intrusive to individual rights and freedoms. In contexts such as the workplace or education, where there is an inherent power imbalance, such systems could result in unfair or harmful treatment. Therefore, the use of AI systems intended to detect emotional states in these settings is prohibited, unless marketed solely for medical or safety purposes.

7. Biometric Categorisation AI Systems

Biometric categorisation AI systems that categorise individuals based on biometric data to infer attributes such as race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation are also prohibited. However, this prohibition does not cover the lawful labelling or filtering of biometric datasets, such as sorting images according to hair or eye colour for law enforcement purposes.

8. Real-time Biometric Identification AI Systems

A real-time remote biometric identification system refers to an AI system that identifies individuals without their active involvement, typically at a distance, by comparing a person’s biometric data with biometric data contained in a reference database. The use of 'real-time' remote biometric identification systems in publicly accessible spaces for law enforcement purposes is prohibited unless it is strictly necessary for one of the following objectives:

(i) Searching for specific victims of abduction, trafficking, or sexual exploitation, as well as searching for missing persons;
(ii) Preventing threats to life or physical safety, or preventing a terrorist attack; or
(iii) Localizing or identifying a person suspected of having committed a criminal offense.

The EU AI Act views the use of AI systems for 'real-time' remote biometric identification in publicly accessible spaces for law enforcement purposes as particularly intrusive to the rights and freedoms of the concerned individuals. It may affect the private lives of a large portion of the population, evoke a feeling of constant surveillance, and indirectly dissuade the exercise of the freedom of assembly and other fundamental rights.

The Penalty for Non-Compliance

Non-compliance with the prohibited AI practices under the EU AI Act carries severe penalties. Companies found in violation could face administrative fines of up to EUR 35 million or 7% of their total worldwide annual turnover for the previous financial year, whichever is higher.

3 Strategic Actions for General Counsels in Light of the EU AI Act

As the enforcement of prohibited AI practices under the EU AI Act approaches on 2 February 2025, general counsels must take decisive actions to ensure compliance and mitigate risk. The following three key steps are essential:

1. Acquire In-Depth Knowledge of Prohibited AI Practices

General counsels must thoroughly understand the eight categories of AI practices prohibited by the EU AI Act. This knowledge is critical for effective risk management and ensuring compliance. Familiarity with these prohibited practices will enable early identification of potential issues and facilitate proactive risk mitigation.

2. Conduct a Comprehensive Internal Audit of AI Systems

Initiate a detailed internal audit by collaborating with key business units, particularly product development and technology departments. This audit should assess all AI systems and models in development, their intended use cases, and potential impacts. It is crucial to evaluate not only the intended purposes but also the possible effects of these AI systems to identify any practices that may fall within the prohibited categories.

3. Develop a Proactive Compliance Strategy

Should the audit uncover any AI activities that fall under the prohibited categories, especially those targeting the EU market, general counsels should swiftly formulate a compliance strategy. Possible actions include limiting distribution to non-EU markets, modifying product functionalities, or ceasing the development of certain AI solutions.

While the EU AI Act presents new compliance challenges, its phased implementation provides an opportunity to prepare. Immediate focus should be on understanding and addressing prohibited AI practices.

The Technology Practice Group at Halim Hong & Quek is well-versed in technology law, including the EU AI Act, and we are currently providing training to multinational corporations in Malaysia on this subject. Should you require assistance or wish to schedule a more detailed discussion to ensure compliance, please let us know.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Jerrine Gan Jia Lynn
Pupil-in-Chambers
Technology Practice Group
jerrine.gan@hhq.com.my

More of our Tech articles that you should read:
• EU AI Act: The Essential Guide to Copyright Compliance for General-Purpose AI Models
• We Read the EU AI Act So You Don’t Have To: 10 Essential Takeaways for General Counsels
• AI-Generated Work and Copyright Law: A Comparative Analysis of US and EU Perspectives

EU AI Act: The Essential Guide to Copyright Compliance for General-Purpose AI Models

The European Union's Artificial Intelligence Act (“EU AI Act”), which officially came into force on 1 August 2024, marks a significant advancement in artificial intelligence (“AI”) regulation within the European Union (“EU”). This landmark legislation establishes a comprehensive regulatory and legal framework for AI, setting clear compliance requirements for AI providers, deployers, importers, distributors, and manufacturers that place their AI within the EU market. Among the key issues addressed by the EU AI Act is the preservation of copyright in copyrighted materials, particularly against unauthorised usage by general-purpose AI (“GPAI”) model providers.

GPAI models, as the name suggests, are AI models that can be used for a wide range of tasks and are capable of being integrated into a variety of downstream systems or applications. The development and training of GPAI models rely on extensive datasets, often gathered through scraping of text and data online, which would undoubtedly include copyrighted works. This poses challenges for artists, authors, and creators, as their intellectual property might be used without proper authorisation or adequate compensation. The EU AI Act now introduces guidelines to safeguard rightsholders’ intellectual property rights and ensure transparency, balancing technological advancement with recognition for original works.

In this article, we will examine the key measures brought forth through the EU AI Act on preservation of copyright, particularly in the deployment of GPAI models, and explore the implications of these new regulations. Malaysian companies looking to provide their own GPAI models should definitely pay attention to these regulations, taking into account the extraterritorial nature of the EU AI Act, as well as the possibility of similar regulations being adopted by the Malaysian government in the future.

1. Express Consent from Rightsholders

The development and training of GPAI models, especially large generative AI models, often involve using extensive datasets that may include text, images, videos, and other types of data. Under the EU’s copyright-related Directives, publicly accessible content (such as content published online) is generally allowed to be used for text and data mining purposes, unless the rightsholders opt out of, or reserve the rights to, the mining of their published text and data. The EU AI Act has now made it clear that providers of GPAI models will have to observe the reservation of rights to text and data mining by the relevant rightsholders and obtain their authorisations accordingly should the providers wish to mine the text and data of these rightsholders. To some extent, this has provided welcome clarity on whether copyright owners can stop AI companies from using their copyrighted work (which has been disseminated online) for AI model training.

2. Copyright Policy Implementation

In addition, providers of GPAI models are mandated under the EU AI Act to implement and maintain comprehensive policies to ensure compliance with EU copyright laws. This includes identifying and respecting any rights reservations expressed by copyright holders. Effectively, this means that it is not sufficient for a provider of GPAI models to merely have knowledge of EU copyright laws; it is also required to craft and put in place operational policies which demonstrate that its business operation complies with the applicable EU copyright laws.

3. Transparency and Data Disclosure

To enhance transparency, GPAI model providers are required under the EU AI Act to draw up and publicly share a detailed summary of the text and data used in training their AI models. This summary must be comprehensive, specifying key data collections or sets utilised during the training process. The objective is to provide an avenue through which copyright holders can determine if their works are being used and effectively exercise and enforce their rights. To avoid unintentional divulging of confidential information and/or trade secrets, companies should be careful in preparing the summary, striking a balance between providing sufficient description of the nature and source of the data used, while avoiding disclosing sensitive or proprietary information.

4. Conclusion

The EU AI Act has extraterritorial reach, meaning its regulations apply to all GPAI model providers entering the EU market, regardless of their origin. Providers must comply with these obligations when placing a GPAI model on the EU market, regardless of where the copyright-related activities underpinning the model’s training occur. For providers based outside the EU, such as in Malaysia, adherence to the EU AI Act’s obligations is essential for accessing the EU market, including securing permissions for copyrighted content and providing detailed transparency reports.

Given the sweeping effect of the EU AI Act, it is reassuring to know that companies, particularly providers of GPAI models, are given a 12-month grace period until 2 August 2025 to take the necessary actions to comply with the obligations imposed under the EU AI Act. Companies should make full use of this grace period to consult their legal counsels on the wider implications of the EU AI Act, and to allow effective collaboration between their external legal counsels and their in-house legal and compliance teams in anticipation of compliance with the requirements of the EU AI Act.

For more information on or assistance with compliance with the EU AI Act, please feel free to reach out to the firm’s Technology Practice Group. Our experienced lawyers are ready to support you in navigating the AI regulations and ensuring compliance.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Winn Wong Huang Wee
Senior Associate
Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Intellectual Property
winn.wong@hhq.com.my

More of our Tech articles that you should read:
• CYBER SECURITY REGULATIONS 2024 – Essential Reporting, Audit and Licensing Obligations
• Compliance Update: 10 Key Takeaways from Malaysia’s New Regulatory Framework for Internet Messaging and Social Media Services
• Navigating Cyber Security and Data Breaches – Handling Breach Notifications

Essential Tips for Drafting an Arbitration Clause

Introduction

Arbitration has become a preferred method for resolving disputes across various industries, offering a private and efficient alternative to litigation. One of the key attractions of arbitration is its flexibility, allowing parties to tailor the process to meet their specific needs. However, this flexibility can be a double-edged sword if the arbitration agreement is not carefully drafted. A defective arbitration clause can lead to significant delays, increased costs, and complications that undermine the very benefits that arbitration is intended to provide.

The effectiveness of arbitration largely hinges on the precision and clarity of the arbitration clauses. A well-crafted arbitration agreement can help parties navigate potential disputes smoothly, avoiding unnecessary legal battles and ensuring that the arbitration process unfolds as intended. Conversely, a poorly drafted clause can result in unintended consequences, such as disputes over the validity, scope, or interpretation of the arbitration agreement itself.

Below are some practical tips to guide you in drafting an arbitration clause:

1) Define the Scope of Arbitration Clearly

A fundamental aspect of any arbitration agreement is the clarity with which it defines the scope of disputes subject to arbitration. It is essential to specify the types of disputes that the arbitration clause will cover, whether they relate to contractual disagreements or any other matters pertinent to the parties. To ensure comprehensive coverage, it is advisable to draft the clause in broad terms, capturing the full range of potential disputes. A commonly used wording, such as “all and any disputes and/or differences arising out of or in connection with this contract shall be referred to arbitration,” can be effective in encompassing a wide array of issues, thereby minimizing the risk of ambiguity or exclusion.

2) Choosing the Appropriate Arbitration Rules When drafting an arbitration agreement, one of the most crucial decisions is whether to adopt the rules of an established arbitral institution (such as the AIAC, which is commonly adopted in Malaysia) to govern the arbitration process. The advantage of this choice is that, for a fee, the institution plays a central role in administering the dispute, offering a well-established and predictable procedure through its rules. 3) Seat of Arbitration Choosing the seat of arbitration is an important decision, as it determines the procedural law that governs the arbitration and can impact the enforceability of the award. The seat may also influence the availability of interim measures and other procedural aspects. 4) Consider Applicable Law The arbitration clause should specify the governing law that applies to the arbitration agreement. This choice sets the legal framework within which the arbitrators will make their decisions. 5) Language Additionally, it is essential to specify the language(s) of the arbitration as this will be the language used in pleadings, submissions, and hearings.  Choosing the language that the parties frequently use in their communications can save translation and interpretation expenses. 6) Number and Method of Arbitrator Appointment The number of arbitrators and the method of their appointment should be clearly defined in the arbitration clause. Depending on the complexity and value of the dispute, parties may opt for a single arbitrator or a panel of three arbitrators. The appointment process should also be outlined, whether it involves mutual agreement between the parties and/or appointment by an appointing authority. 7) Multi-Tier Dispute Resolution Clause The parties to an arbitration may decide if they want to try a non-binding process such as mediation before taking their disputes to arbitration i.e. by incorporating a multi-tier dispute resolution clause. 
A multi-tier dispute resolution clause typically outlines a structured process for resolving disputes. This type of clause typically specifies a series of steps that must be followed sequentially to address a dispute. It often includes various phases such as negotiation, mediation, or expert determination, each of which must be attempted before proceeding to the next phase. If these steps do not resolve the dispute, the parties may then turn to courts or arbitration as a final recourse. It is important to establish a specific timeframe for mediation or negotiations, ensuring that the parties are aware of when this stage concludes, allowing them to move forward with arbitration. Without a defined time limit, disputes may arise over when, or whether, arbitration can be initiated. It is pertinent to note that such a provision may be a nuisance if a claimant wishes to start the arbitration proceeding promptly.

8) Address Finality of the Award
Including a provision in the arbitration clause that stipulates the award shall be "final and binding" is highly advisable. While this provision does not completely eliminate the possibility of the award being challenged or set aside, it clearly indicates the parties' intent for the award to be enforced through the courts. Clarifying the finality of the award in the arbitration clause can help prevent unnecessary delays in enforcing the decision.

Conclusion
Drafting an effective arbitration clause requires careful attention to several key elements and potential circumstances. By precisely outlining the scope and applicability, selecting the right arbitration rules, specifying the seat and language, addressing procedural issues, and considering the relevant law and jurisdiction, the parties can ensure their arbitration clauses establish a clear and reliable process for dispute resolution.
This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the Author
Lynn Foo, Partner, Construction & Energy, Harold & Lam Partnership, lynn.foo@hlplawyers.com

Are Oppression Claims Arbitrable?

Brief facts
In the case of Teo Heng Tatt v All Kurma Sdn Bhd & Ors [2024] CLJU 1471, the Plaintiff (“Teo”), a former salaried director, is a minority shareholder holding 20% of the shares in the 1st Defendant Company (“the Company”), while the 2nd and 3rd Defendants (“the Defendants”) are majority shareholders holding 60% of the shares in the Company. The parties had previously entered into a Shareholders Agreement (“SA”) which included an arbitration clause at Clause 25 for any disputes arising out of the agreement to be referred to arbitration in Singapore under the Singapore International Arbitration Centre (SIAC) Rules.

The claim of oppression centred on decisions made by the Defendants, which allegedly disadvantaged and/or excluded Teo in their decision-making processes, including acts of impropriety and engaging in competing business. At the same time, the 1st Defendant had also filed another action claiming that Teo was in breach of his fiduciary duties for incorporating competing businesses.

Therefore, Teo filed the oppression action herein premised on the contention that the conduct of the Defendants was tantamount to oppressive conduct. The Defendants, on the other hand, argued that the dispute should be referred to arbitration, citing the arbitration clause under Clause 25 of the SA.

(a) Plaintiff’s argument
Teo argued that the nature of the dispute, oppression of minority shareholders, was a matter that required judicial intervention, and in any event, parties are allowed to bring concurrent proceedings in the High Court even if parties had agreed to go for arbitration.

(b) Defendants’ argument
The Defendants contended that the arbitration clause was binding and that all disputes, including oppression claims, should be referred to arbitration.
(c) The High Court’s decision
The Court ruled in favour of the Defendants that the parties ought to have referred the dispute to arbitration, because:
(i) The SA contained a valid arbitration clause that mandated that disputes arising from or in connection with the agreement, including allegations of oppression, were to be resolved through arbitration.
(ii) The alleged oppression claims raised by Teo fell within the scope of the SA and well within the definition of ‘dispute’ and thus, oppression claims are indeed arbitrable by virtue of S 4 of the Arbitration Act 2005 (the Court also referred to Padda Gurtaj Singh v Tune Talk Sdn Bhd & Ors [2022] 4 MLJ 257, where as long as there is a valid arbitration agreement, it is mandatory for the Court to stay the proceedings).
(iii) The Defendants did not take any steps in the proceedings; the prior legal suit filed by the Company (albeit under the control of the Defendants) was related to different issues and not filed by the Defendants in their individual capacity as shareholders.

Based on the aforesaid, the Court granted a stay of proceedings under Section 10 of the Arbitration Act 2005 in holding that the dispute ought to be referred to arbitration, as per Clause 25 of the SA mutually agreed by the parties.

In conclusion, this decision reaffirms the Malaysian judiciary’s support for arbitration as a means of resolving disputes. A mandatory stay of proceedings will be granted pending matters to be referred to arbitration when it is provided for in the Agreement.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the Authors
Lum Man Chan, Partner, Dispute Resolution, Halim Hong & Quek, manchan@hhq.com.my
Esther Lee Zhi Qian, Pupil-in-Chambers, Dispute Resolution, Halim Hong & Quek, esther.lee@hhq.com.my

Court of Appeal: Credit Reporting Agencies Are Authorised to Formulate Credit Score

INTRODUCTION
On 9.8.2024, the Court of Appeal in the case of CTOS Data Systems Sdn Bhd v Suriati bt Mohd Yusof [2024] MLJU 1935; [2024] CLJU 1719 set aside the decision of the High Court in Suriati binti Mohd Yusof v CTOS Data Systems Sdn Bhd [2024] MLJU 437; [2024] CLJU 440 which previously held that credit reporting agencies are not empowered to formulate a credit score or create their own criteria/ percentage to formulate a credit score. The Court of Appeal ruled that credit reporting agencies, such as CTOS Data Systems Sdn Bhd, are allowed to provide credit information that has bearing on the eligibility of a customer to any credit, including by way of a credit score.

HIGH COURT PROCEEDINGS
On 29.1.2020, Suriati Binti Mohd Yusof (“Plaintiff/ Respondent”) commenced a claim for negligence and defamation against CTOS Data Systems Sdn Bhd (“Defendant/ Appellant”) in the Kuala Lumpur High Court. The Plaintiff claimed that:
(i) The Defendant provided inaccurate credit information about the Plaintiff concerning a debt due to a company known as Webe Digital Sdn Bhd (“Webe”), leading to a loss of reputation, personal losses as well as business losses.
(ii) The Plaintiff attempted to apply for a loan for the purchase of a vehicle with a number of banks but all the applications were rejected as the Plaintiff’s CTOS report (by the Defendant) showed that the Plaintiff had a low credit score.
(iii) The Defendant had breached its duty of care to the Plaintiff in the course of collating, reporting and publishing credit information concerning the Plaintiff to the Defendant’s subscribers, including financial institutions.
(iv) The Plaintiff’s creditworthiness had been affected by reason of the Defendant giving the Plaintiff a low credit score resulting in her inability to obtain financing from financial institutions.
(v) The Defendant defamed the Plaintiff in the course of publishing inaccurate, incomplete, misleading and/or outdated credit information concerning the Plaintiff to third parties.

On 7.3.2024, the High Court Judge allowed the Plaintiff’s claim against the Defendant and awarded the Plaintiff general damages in the sum of RM200,000.00, interest at the rate of 5% and costs of RM50,000.00. The High Court Judge held that:
(i) Pursuant to the Credit Reporting Agencies Act 2010 (Act 710) (“CRAA 2010”), the Defendant’s main role is to collect, record, hold, and store the information received. The Defendant plays a dual role of collecting information and processing that information. The Defendant is also empowered to disseminate the information to its subscribers, including financial institutions.
(ii) Section 29 of the CRAA 2010 imposes a duty upon the credit rating agency to verify and to ensure the accuracy of the credit report. The Defendant owed a duty of care towards the Plaintiff in providing accurate credit information.
(iii) The Plaintiff alerted the Defendant that the information against her was inaccurate. However, the Defendant chose to ignore the communication from the Plaintiff and continued to maintain the said information. By choosing to be indifferent even after being alerted by the Plaintiff, the Defendant has clearly breached the duty of care owed towards the Plaintiff.
(iv) There is no provision in the CRAA 2010 empowering the Defendant to formulate a credit score or empowering the Defendant to create its own criteria or percentage to formulate a credit score. The Defendant was just supposed to be a repository of the credit information to which the subscribers have access.
(v) The Defendant defamed the Plaintiff in the course of publishing inaccurate, incomplete, misleading and/or outdated credit information concerning the Plaintiff to third parties.
Dissatisfied with the decision of the High Court, the Defendant/ Appellant appealed to the Court of Appeal against the decision.

COURT OF APPEAL
On 9.8.2024, the Court of Appeal unanimously allowed the Defendant/ Appellant’s appeal and set aside the order of the High Court. The Court of Appeal found merits in the appeal and was satisfied that there was misdirection on the part of the High Court which warrants appellate intervention. The Court of Appeal ruled that:

(i) Defamation Claim
The Plaintiff/ Respondent admitted that she had commenced a separate action against Webe in the Kuala Lumpur Sessions Court in which she raised the contention that she was not indebted to Webe. The Sessions Court Judge held that the Plaintiff/ Respondent was indebted in the amount of RM2,186.60 to Webe. Truth or justification is an absolute defence to an action in libel. Therefore, there is no merit in the defamation claim raised by the Plaintiff/ Respondent. Given that the Plaintiff/ Respondent’s debt to Webe was true in substance and in fact, the Plaintiff/ Respondent’s action for defamation cannot stand at all.

(ii) Negligence Claim
The Plaintiff/ Respondent also pleaded negligence as a cause of action allegedly resulting in damage to her reputation and creditworthiness. As the information of the Plaintiff/ Respondent’s indebtedness to Webe was correct, negligence had not been proven. The Defendant/ Appellant, a Credit Reporting Agency, does not owe a duty of care to the Plaintiff/ Respondent as a customer as defined in the CRAA 2010. Webe is a subscriber to the services of the Defendant and the Plaintiff was its customer. The Defendant provides a service where a subscriber may upload information of debts owed to the subscribers by third parties. Webe uploaded information of the Plaintiff’s indebtedness in the sum of RM2,186.60.
Even if there was a duty of care, there was still no breach of this duty as the information cannot be said to be inaccurate, incomplete, misleading or irrelevant, as the Plaintiff had indeed defaulted on her payment obligations to Webe.

(iii) Breach of Statutory Duty
The Plaintiff/ Respondent did not specifically plead breach of statutory duty. Therefore, the High Court was not entitled to make any finding on such a claim. Even assuming that there was an implied reference to it, there was no breach of any statutory duty as there was no connection proven between the rejection of the Plaintiff/ Respondent’s car loan application and the contents of the credit report. “Credit Reporting” as defined under the CRAA 2010 includes credit information that has any bearing on the eligibility of a customer to any credit. This would entail a reporting which some credit reporting agencies would do by way of a credit score. In this case, the credit score was calculated by software using algorithms, bereft of human intervention, and there is no evidence to show that the rejection of the car loan was premised on a low credit score.

Based on the above, the Defendant/ Appellant had not breached its duty of care to the Plaintiff/ Respondent in all circumstances.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the Author
Chew Jin Heng, Associate, Dispute Resolution, Halim Hong & Quek, jhchew@hhq.com.my

Estate Wins Suit Over Medical Negligence in Tragic Vertigo Case

Case summary: Datin Nor Rizam bt Abdul Wahab (menyaman sebagai pentadbir estet Dato' Ir Zainudin bin A Kadir) v Pusat Pakar Tawakal Sdn Bhd & Ors [2024] MLJU 1292

Introduction
1. The Plaintiff, Datin Nor Rizam bt Abdul Wahab (“Plaintiff”), acting as the administrator of the estate of her late husband, Dato' Ir Zainudin bin A Kadir (“Deceased”), filed a suit against Pusat Pakar Tawakal Sdn Bhd (“1st Defendant”), Dr. Haji Mohd Solahuddin (“2nd Defendant”) and Dr. Zulkifli Bin Mohamed Haris (“3rd Defendant”) for alleged medical negligence leading to the injury and eventual death of the Deceased.
2. Since 2012, the Deceased complained that he was suffering from vertigo, fever and flu. After consulting with his physician then, he was referred to the 2nd Defendant where he was advised to undergo an operation known as bilateral functional endoscopic sinus surgery with septoplasty and turbinoplasty (“surgery”).
3. Thereafter, the Deceased was admitted into the care of the 1st Defendant. However, complications arose post-surgery which purportedly led to the deteriorating health and death of the Deceased.
4. The salient events leading up to the death of the Deceased are set out below.

(i) Events at the operating theatre and observation room
The records show that the surgery went well and that there was no untoward incident that occurred during the surgery. The 3rd Defendant had administered reversal agents (atropine and neostigmine), and the Deceased was extubated after demonstrating the ability to breathe independently. Based on the Aldrette Scoring system, the score recorded was 10/10 and the Deceased was said to be qualified to be sent to the normal ward instead of the High Dependency Unit or Intensive Care Unit. The pre-discharge checklist indicated that the Deceased did state that the pain was at the rate of 8/10. The Deceased was observed for a period of 15 minutes after the surgery and a further 15 minutes after the reversal agent was administered.
The 3rd Defendant had a discussion with the 2nd Defendant before deciding to discharge the Deceased from the observation room to the normal ward. The 3rd Defendant also spoke to the Deceased to ensure that he was well, could control his bodily functions and could breathe unassisted by machines in deciding that it was safe for the Deceased to be released to the normal ward.

(ii) Events at the normal ward
The Deceased was carted into the normal ward at 9.10 p.m. Around 9.30 p.m., the Deceased’s condition deteriorated and showed signs that he was asphyxiated. The Deceased’s skin turned bluish indicating low blood oxygen levels and he had difficulty in breathing. The 2nd Defendant who happened to make his rounds nearby was alerted of the situation and initiated a Code Blue. He immediately started to resuscitate the Deceased after the crash cart was brought into the ward within 5 minutes of the Code Blue alarm. The initial intubation attempt failed. The 2nd Defendant had only resuscitated the Deceased using the supplied ambu bag with the air alone in the room, without the oxygen link. The oxygen converter required to connect the ambu bag to the oxygen supply was missing from the ward. The 3rd Defendant was also alerted of the Code Blue alarm and arrived at the ward at around 9.35 p.m. It was found that the 2nd Defendant had wrongly intubated the Deceased and the endotracheal tube was inserted into his oesophagus. The 3rd Defendant removed the earlier endotracheal tube. He then ambu bagged the Deceased with the oxygen line connected with sufficient oxygen supplied, and the Deceased was successfully resuscitated. The Deceased was then sent to the Intensive Care Unit for further care.
(iii) Events at the Intensive Care Unit
The Deceased underwent multiple CT scans, showing cerebral oedema and both cerebral and cerebellar oedema, consistent with hypoxic ischemic encephalopathy, i.e. a type of brain injury that occurs when the brain experiences a decrease in oxygen or blood flow. Despite further medical interventions, the Deceased’s condition did not improve, and he was later discharged with severe neurological impairments. He unfortunately passed away subsequently.

Findings of the High Court
5. On the issue of whether the Deceased was fully informed of all possible alternatives and the risks of the operation and anaesthesia, the Court did not find any liability against the Defendants.
(a) The Court found that the doctors had explained all of the related risks to the Deceased. The only error on the part of the 2nd Defendant as pointed out by the learned Judge was the failure to note down in detail the particulars of the advice given to the Deceased.
(b) The Deceased was given ample time to consider whether to undertake the operation. In this regard, the Court was of the opinion that the duly executed consent forms were indicative that the risks of the operations and anaesthesia were sufficiently explained to the Deceased.
6. The Court however found the Defendants to be negligent for the events post-surgery and held them to be jointly and severally liable for the damages claimed by the Plaintiff. Below are the findings made by the Court:

In respect of the 2nd Defendant and 3rd Defendant:
(a) The decision to discharge the Deceased after being in the observation room for 30 minutes was found to be premature and taken as evidence that the 2nd Defendant and 3rd Defendant were negligent.
(i) There was no proper discussion between the nurses and the doctors on the Aldrette scoring. The nurses did not explain the condition of the Deceased to the 2nd Defendant and 3rd Defendant at the time when the Aldrette scoring was recorded.
(ii) The 2nd Defendant’s own expert witness, Dr. Jeevanan Jahendran agreed that based on the risks involved in the operation, it is prudent to have kept the Deceased in the observation bay for at least an hour to ensure that the Deceased would be able to breathe on his own and mitigate any possible risks of asphyxiation, more so when the type of operation was undertaken within the airway region of the Deceased. Dr. Jeevanan Jahendran also said that he would have sent the Deceased to the High Dependency Unit to ensure that the Deceased is given sufficient attention considering the age of the Deceased, his condition that he was still drowsy and the pain score at the rate of 8.
(iii) The clinical assessment undertaken, despite being based on the Aldrette score, falls short of the standard expected of a competent and reasonably experienced medical practitioner. The 2nd Defendant and 3rd Defendant had failed to appreciate the risk faced by the Deceased, the type of medication used and the type of operation undertaken in this case before the Deceased was discharged.
(b) The Court further found that the 1st Defendant was negligent and did not act in accordance with the expected standards of a hospital providing care to its patient.
(i) The 1st Defendant failed to ensure that proper medical facilities were made available to the Deceased at the ward. The oxygen adapter was missing from the room and had to be sourced elsewhere during the critical time, which had led to the Deceased being in a cyanosed state.
(ii) The nurses who attended to the Deceased did not record the incident in detail and failed to record the missing oxygen adapter as well as the 2nd Defendant’s failure to undertake the intubation.
(iii) There were no records made and kept by the 1st Defendant of the Code Blue event detailing the respiratory or cardiac emergency performed.
(c) The Court also found the 2nd Defendant to be negligent in failing to intubate the Deceased successfully when he was cyanosed.
The intubation should have been successful within a short time of at most 4 minutes and not within 10 minutes. The Court rejected the 2nd Defendant’s explanation that he does not usually undertake the intubation of the patients and that his last attempt was during his housemanship. In rejecting the 2nd Defendant’s suggestion that such tasks should be left to the anaesthesiologist, the Court relied on the opinions of the experts, Dr. Jeevanan Jahendran and Dr. Syed Rozaidi, who explained that an ENT surgeon would be able to intubate properly as they are trained within the trachea region and would be familiar with the air passageway. This is a skill expected of any reasonably competent doctor, even from a houseman fresh from university.
(d) In assessing the evidence including the experts’ testimonies, the Court held that the actions of all the Defendants are inextricably linked to one another and caused damage to the Deceased and his eventual death. The Court ordered the damages of RM5,178,037.21 to be borne jointly and severally by the Defendants.

Key takeaways
7. This case highlights the following trite legal principles:
(a) A doctor / medical practitioner owes a duty of care to his or her patient that must be discharged in “accordance with a practice accepted by a responsible body of medical men skilled in that particular art”.
(b) A doctor / medical practitioner is not guilty of negligence if he or she has acted in accordance with such a practice, even if there exists a body of opinion that takes a contrary view.
(c) The said doctor / medical practitioner also owes a duty of care to the patient to warn him or her of the material risk inherent in the treatment that is being proposed.
(d) What amounts to a material risk will depend on the circumstances of the case and “whether a reasonable person in the patient’s position would be likely to attach significance to the risk”.
(e) The medical practitioner is “duty bound by law to inform his or her patient, who is capable of understanding and appreciating such information of the risks involved in any proposed treatment” to enable the patient to make an election of whether to proceed with the proposed treatment with knowledge of the risks involved or decline to be subjected to such treatment.
8. In addition, this case echoes the principle set out recently by the Federal Court in the case of Siow Ching Yee (menyaman melalui isteri dan wakil litigasinya, Chau Wai Kin) v Columbia Asia Sdn Bhd [2024] MLJU 444 wherein the Court emphasized that a private hospital owes a non-delegable duty of care for the treatment and care of patients, regardless of to whom it may have delegated that duty and who may have performed the act or omission complained of.
9. It is also essential to note the importance of maintaining thorough records of all events to effectively present your position in Court. In this case, the Defendants were at a disadvantage due to the absence of records, including the 2nd Defendant’s advice to the Deceased on alternative treatments, discussions between the nurses and the 2nd and 3rd Defendants regarding the Deceased’s condition and Aldrette scoring, and details of the Code Blue event.
10. Lastly, a comprehensive assessment and opinion by experts in the relevant expertise play a critical role in medical negligence claims. For instance, in this case, the Court preferred the opinion of Prof Dr. YK Chan over Dr. Syed Rozaidi, as Prof. Dr. Chan’s report was thorough, took into account all material factors and provided clear justifications for his opinion.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.
About the Authors
Chan Jia Ying, Senior Associate; Civil & Commercial Dispute Resolution, Corporate & Commercial Contracts, Taxation, Insolvency & Winding Up, Employment, Medico-Legal; Harold & Lam Partnership; jiaying@hlplawyers.com
Damia Amani, Associate; Dispute Resolution; Harold & Lam Partnership; damia@hlplawyers.com

Case summary: Prema Bonanza Sdn Bhd v Vignesh Naidu a/l Kuppusamy

PREMA BONANZA SDN BHD V VIGNESH NAIDU A/L KUPPUSAMY NAIDU (Federal Court Civil Appeal No.: 02(i)-72-08/2022(W) & 02(i)-74-08/2022(W));
OBATA-AMBAK HOLDINGS SDN BHD V PREMA BONANZA SDN BHD (Federal Court, Civil Appeal No.: 02(i)-70-08/2022(W) & 02(i)-71-08/2022(W)); and
SRI DAMANSARA SDN BHD V TRIBUNAL TUNTUTAN PEMBELI RUMAH & 2 OTHERS [Federal Court, Civil Appeal No.: 01(f)-1-01/2023(B)]

26 July 2024

Coram:
Y.A.A TAN SRI DATUK AMAR ABANG ISKANDAR BIN ABANG HASHIM, PMR
Y.A. DATO’ ZABARIAH BINTI MOHD YUSOF, HMP
Y.A. DATO’ SRI HASNAH BINTI DATO’ MOHAMMED HASHIM, HMP
Y.A. DATUK HARMINDAR SINGH DHALIWAL, HMP
Y.A. DATUK ABDUL KARIM BIN ABDUL JALIL, HMP

Messrs Halim Hong & Quek holding watching brief for Real Estate and Housing Developers’ Association Malaysia (“REHDA”)

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the Authors
Goh Li Fei, Partner, Real Estate, Halim Hong & Quek, lfgoh@hhq.com.my
Hee Sue Ann, Senior Associate, Real Estate, Halim Hong & Quek, sahee@hhq.com.my

CYBER SECURITY REGULATIONS 2024 - Essential Reporting, Audit and Licensing Obligations

The Cyber Security Act 2024 (“Act”) came into effect on 26 August 2024, heralding a new era in Malaysia’s cyber security regulation. To complement the Act, four (4) crucial regulations have been introduced, each providing specific guidelines and obligations for entities owning or managing national critical information infrastructures (“NCII”):
(i) Cyber Security (Notification of Cyber Security Incident) Regulations 2024;
(ii) Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024;
(iii) Cyber Security (Compounding of Offences) Regulations 2024; and
(iv) Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024.

The newly introduced regulations have provided further details regarding some of the key elements under the Act, which we have summarised in this article:

1. Notification of Cyber Security Incidents
The Act imposes certain obligations on the NCII entity to notify the Chief Executive of NACSA and the relevant NCII sector lead(s) upon the happening or suspicion of a cyber security incident. With the introduction of the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, there is now clarity in terms of the procedure and timeline for such cyber security incident notification:

• Immediate Notification
Upon discovering a cyber security incident or potential incident, the NCII entity must notify the Chief Executive of NACSA and its NCII sector lead immediately via electronic means. It is unclear what “electronic means” entails, but this could be either via e-mail or a dedicated online portal.
• Within 6 Hours
Within 6 hours of discovering the incident, the NCII entity must provide a detailed report which must at the minimum include:
  • Particulars of the person submitting the notification on the entity’s behalf;
  • Particulars of the NCII entity concerned, the relevant NCII sector and sector lead(s);
  • Information concerning the cyber security incident, which would include its severity (this is typically rated using the Common Vulnerability Scoring System, also known as “CVSS”), method of discovery, etc.

• Within 14 Days
A more comprehensive report must be submitted within 14 days from initial notification, which, to the fullest extent practicable, must include:
  • Particulars of the NCII impacted;
  • Scope of impact (estimated number of hosts affected);
  • Particulars of the cyber security threat actor (if known);
  • Incident artifacts: relevant logs, code snippets, or malicious files;
  • Information on any related incidents and their connection to the current cyber security incident;
  • Tactics, Techniques, and Procedures employed or exploited by the threat actors;
  • The incident’s impact on the NCII or interconnected computer systems;
  • Details of any actions taken to contain or mitigate the effect of the cyber security incident.

2. Period for Cyber Security Risk Assessment and Audit
To maintain robust cyber security practices and readiness, NCII entities are required under the Act to perform regular assessments and audits to ensure ongoing compliance and security. The Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024 has now provided clarity on the frequency of cyber security risk assessment and audit:

• Annual Risk Assessments
An NCII entity is to conduct a cyber security risk assessment at least once a year to identify and address potential vulnerabilities.
• Biennial Audits
A cyber security audit, on the other hand, is to be carried out once every 2 years, or more frequently if directed by the Chief Executive of NACSA, to ensure ongoing compliance and address emerging threats.

3. Compounding of Offences
The Cyber Security (Compounding of Offences) Regulations 2024 introduced a mechanism for compounding specific offences, offering an alternative to prosecution. This allows entities to resolve certain violations by paying a fine rather than facing court proceedings.

• Eligible Offences
The following offences are eligible for compounding, subject to the Public Prosecutor’s consent.

| No. | Section of the Act | Description of Offence | Penalty |
|---|---|---|---|
| 1. | Section 20(6) | Non-compliance by a NCII entity with requests or requirements related to information disclosure, material changes, or reporting. | Fine up to RM100,000 or imprisonment for up to 2 years, or both. |
| 2. | Section 20(7) | Non-compliance by a NCII sector lead with the requirement to notify the Chief Executive of NACSA about certain information. | Fine up to RM100,000. |
| 3. | Section 22(7) | Failure of an NCII entity to conduct or submit required cyber security risk assessments or audits. | Fine up to RM200,000 or imprisonment for up to 3 years, or both. |
| 4. | Section 22(8) | Failure to comply with directions from the Chief Executive regarding additional risk assessments or audits. | Fine up to RM100,000. |
| 5. | Section 24(4) | Non-compliance with directions from the Chief Executive related to cyber security exercises. | Fine up to RM100,000. |
| 6. | Section 32(3) | Failure by a licensee to maintain or provide records of cyber security services as required. | Fine up to RM100,000 or imprisonment for up to 2 years, or both. |

• Acceptance of Offer
If the company is offered the opportunity to compound an offence, the offer must be accepted within 30 days, with payment made electronically.
• Consequences of Non-Payment
Failure to pay the compounding fine within the specified period may result in prosecution, without further notice.

4. Licensing of Cyber Security Service Providers

The Act requires cyber security service providers to obtain a licence before they can offer cyber security services in Malaysia. The Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024 has made it clear that only companies providing managed security operation center (SOC) monitoring or penetration testing services would be subject to the licensing regime:

• Licensing Process
Cyber security service providers must apply for the licence electronically, presumably through an online platform to be set up, which would require the applicants to fill in details of their companies and services. Each application and renewal is to be accompanied by the payment of a non-refundable fee.

• Penalties for Misrepresentation
Providing false or misleading information during the application process can lead to severe penalties, including fines and/or imprisonment.

• Exemptions
Exemptions are provided for government entities, services provided by individuals to their related companies, and cyber security services for computers or systems located outside Malaysia.

Conclusion

The Cyber Security Act 2024, along with its subsidiary regulations, imposes significant new responsibilities on NCII entities. This framework requires meticulous compliance and proactive management. For tailored advice and assistance in navigating this new framework, our TMT team is ready to help. Contact us today to ensure your company is fully aligned with the new legal framework and equipped to handle any cyber security challenges that may arise.

About the authors

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner, Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Nicole Shieh E-Lyn
Associate
Technology, Media & Telecommunications (“TMT”), TMT Disputes
nicole.shieh@hhq.com.my

We Read the EU AI Act So You Don’t Have To: 10 Essential Takeaways for General Counsels

The European Union (“EU”) published the long-awaited European Union's Artificial Intelligence Act, Regulation (EU) 2024/1689 ("EU AI Act") on 12 July 2024, and it officially came into force on 1 August 2024.

Consistent with the EU's reputation for comprehensive and detailed legislation, the EU AI Act is notably extensive, spanning 13 chapters and 144 pages. Given the breadth and complexity of this legislation, it is clear that attempting to cover the entire act in a single article would neither do justice to its complexity nor serve the practical needs of businesses. Therefore, this article aims to serve as a preliminary blueprint, highlighting 10 key takeaways that general counsels should note as an introduction to the EU AI Act. It is by no means exhaustive, and further in-depth articles will follow that delve into specific topics and obligations.

If you think that this may not concern you because you do not operate within the EU, you may want to continue reading, considering that the extraterritorial scope of the EU AI Act is extremely broad. Even if your company is located outside of the EU, it may be affected as well, as long as you are operating within the AI value chain. Hence, we trust that this article will be particularly beneficial in helping general counsels better understand (i) what the EU AI Act is about, (ii) what it intends to achieve, and (iii) who should be paying attention to this legislation.

Key Takeaway 1: What is the EU AI Act About?

One of the most frequently asked questions is, "What is the EU AI Act all about?" This is an essential question, as it sets the stage for a comprehensive understanding of the EU AI Act's regulatory scope.

The EU AI Act addresses a wide range of issues, from clearly defining "AI systems" and "general-purpose AI models" to laying down its extraterritorial application, prohibited AI practices, and the classification of high-risk AI systems along with the associated requirements. The EU AI Act also outlines the obligations of providers, importers, distributors, and deployers of high-risk AI systems; transparency obligations for AI system providers and deployers; obligations for providers of general-purpose AI models; obligations of providers of general-purpose AI models with systemic risk; AI regulatory sandboxes; and penalties for non-compliance.

In essence, the EU AI Act establishes a comprehensive framework for the development, import, distribution, and deployment of AI systems within the EU. Given the extensive scope it covers, as long as you are playing a role in the AI value chain within the EU market, you will likely be governed by this EU AI Act.

Key Takeaway 2: Who Does the EU AI Act Apply To?

This leads directly to the second key question: “Who exactly does the EU AI Act apply to?” The scope of this legislation is broad, with extraterritorial effects that extend its reach far beyond the borders of the EU. The EU AI Act applies to seven broad key categories of stakeholders:

1. Providers of AI systems or general-purpose AI models in the EU, regardless of whether they are established or located within the Union or in a third country.
2. Deployers of AI systems with a place of establishment or location within the Union.
3. Providers and deployers of AI systems based in third countries where the AI system's output is used within the Union.
4. Importers and distributors of AI systems.
5. Product manufacturers placing on the market or putting into service an AI system together with their product under their own name or trademark.
6. Authorized representatives of providers not established in the Union.
7. Affected persons located in the Union.

In summary, the EU AI Act generally applies to anyone involved in the development, use, import, or distribution of AI systems in the EU, regardless of where they are based. It even extends to providers and deployers of AI systems that are based outside the EU if the output of the AI system is used within the Union. So, if one is providing AI systems, whether from inside or outside the EU, and the AI system's output is used in the EU, one will be caught by the EU AI Act.

There are specific exclusions to the scope of the EU AI Act, such as AI systems used for military, defence, national security purposes, or personal non-professional use of AI systems, which we will cover more extensively in a subsequent article.

Key Takeaway 3: The Current Status of the EU AI Act and Its Implementation Stages

The EU AI Act was officially published on 12 July 2024, and while it came into force on 1 August 2024, it is important to note that its implementation will only happen gradually, extending over several years.

As of the time of writing this article in August 2024, none of the EU AI Act's requirements and obligations are immediately applicable. The first significant date for all general counsels to take note of is 2 February 2025, when Chapters I and II of the EU AI Act, primarily concerning prohibited AI practices, will take effect.

This phased implementation of the EU AI Act is beneficial, given the extensive compliance requirements, and it gives companies enough time to prepare and adapt to the new regulations. That being said, it is essential for general counsels to get ready for the first stage, particularly with regard to prohibited AI practices, which will be further explained below.

Key Takeaway 4: Definitions of "AI System" and "General-Purpose AI Model"

To fully understand and appreciate the EU AI Act, it is crucial to first comprehend the definitions of "AI system" and "general-purpose AI model," as each comes with distinct requirements and obligations.
• AI System: This is generally defined as a machine-based system designed to operate with varying levels of autonomy. An AI system may adapt after deployment using the information it receives to create outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. The key factor here is the system's autonomy and its capacity to influence physical or virtual environments.
• General-Purpose AI Model: This refers to an AI model trained with large datasets that exhibits significant generality and can perform a wide range of distinct tasks. These models can be integrated into various downstream systems or applications. However, it is important to note that AI models used solely for research, development, or prototyping before market placement are excluded from this definition.

From the reading of the EU AI Act, the key difference between an “AI System” and a “General-Purpose AI Model” lies in the use case of the system and its capabilities. For an AI system, a key characteristic is its ability to infer, such as making predictions, content, recommendations, or decisions that can influence physical and virtual environments, derived from inputs or data. In contrast, general-purpose AI models are typically trained on large amounts of data, and while AI models are essential components of AI systems, they do not constitute AI systems on their own. AI models require the addition of further components, such as a user interface, to become AI systems.

It is crucial to understand the difference between an AI system and a general-purpose AI model, as different requirements and obligations will apply accordingly.

Key Takeaway 5: Prohibited AI Practices

The fifth key takeaway concerns prohibited AI practices, which will be enforced starting 2 February 2025. The EU AI Act outlines a list of AI practices that are strictly prohibited, with limited exceptions. These prohibited AI practices generally include:

1. AI systems that manipulate individuals' decisions;
2. AI systems that exploit people's vulnerabilities due to their age, disability, or specific social or economic situation;
3. AI systems that evaluate or classify people based on their social behavior or personal traits;
4. AI systems that predict a person's risk of committing a crime;
5. AI systems that scrape facial images from the internet or CCTV footage;
6. AI systems that infer emotions in the workplace or educational institutions;
7. AI systems that categorize people based on their biometric data.

A subsequent article will be published to provide further details on the AI practices that are prohibited and the exceptions. Given that this is the first set of regulations to be implemented under the EU AI Act, general counsels are advised to pay immediate attention to this particular part.

Key Takeaway 6: Understanding High-Risk AI Systems

One of the most critical aspects of the EU AI Act is the classification of high-risk AI systems. Under the EU AI Act, an AI system is considered high-risk if it is intended to be used as a safety component of a product, or if the AI system itself constitutes a product that falls under an extensive list of EU legislation covering diverse areas, including, but not limited to, machinery, toy safety, recreational watercraft, equipment for potentially explosive atmospheres, radio equipment, pressure equipment, cableway installations, and personal protective equipment.

Additionally, the EU AI Act classifies AI systems with particular use cases outlined in Annex III of the Act as high-risk. These use cases include biometrics, critical infrastructure, education and vocational training, employment, and access to essential private and public services.

A subsequent article will discuss in more detail the specific use cases that are considered high-risk AI systems and their exceptions. For now, it is important to note that, besides ensuring that one does not engage in prohibited AI practices, general counsels should examine whether the AI system falls within the high-risk category, as specific compliance requirements and obligations for high-risk AI systems must be adhered to, which will be further explained below.

Key Takeaway 7: Compliance Requirements for High-Risk AI Systems

Once an AI system is classified as high-risk, it must comply with a comprehensive list of requirements under the EU AI Act. These include:

1. Risk Management System: A risk management system must be established, implemented, documented, and maintained as a continuous, iterative process throughout the entire lifecycle of the high-risk AI system.
2. Data and Data Governance: Training, validation, and testing datasets must be subject to data governance and management practices appropriate for the intended purpose of the high-risk AI system.
3. Technical Documentation: The technical documentation of a high-risk AI system must be prepared before the system is placed on the market or put into service and must be kept up-to-date. This documentation should demonstrate the system’s compliance with the necessary requirements.
4. Record-Keeping: High-risk AI systems must technically allow for the automatic recording of events (logs) throughout the system's lifetime.
5. Transparency and Information Provision: High-risk AI systems must be designed and developed to ensure sufficient transparency, enabling deployers to interpret the system's output and use it appropriately. Providers must also supply clear instructions, including information about the provider, the system’s capabilities and limitations, and any potential risks.
6. Human Oversight: High-risk AI systems must be designed to allow effective human oversight, ensuring that humans can intervene if necessary.
7. Accuracy, Robustness, and Cybersecurity: High-risk AI systems must achieve and maintain an appropriate level of accuracy, robustness, and cybersecurity throughout their lifecycle.

Key Takeaway 8: Obligations for Different Operators of High-Risk AI Systems

The EU AI Act also outlines a comprehensive set of obligations for various operators across the AI value chain concerning high-risk AI systems. These obligations encompass the responsibilities of providers, authorized representatives, importers, distributors, and deployers of high-risk AI systems.

The specific obligations vary depending on the operator's role. For instance, deployers of high-risk AI systems must ensure human oversight by appointing individuals with the necessary competence, training, authority, and support. On the other hand, importers are required to verify that the high-risk AI system complies with the Act before it is placed on the market.

A subsequent article will lay out the specific obligations for different operators. For now, it is crucial for companies to first understand the role they play, as each role carries distinct legal obligations. Whether a company acts as a provider, authorized representative, importer, distributor, or deployer of high-risk AI systems, it must adhere to the relevant obligation requirements set out by the EU AI Act.

Key Takeaway 9: General-Purpose AI Models and Systemic Risk

Besides prohibited AI practices and high-risk AI systems, another key aspect of the EU AI Act is its focus on general-purpose AI models, particularly those classified as having "systemic risk."

As previously mentioned, a general-purpose AI model is defined as one that exhibits generality and can competently perform a wide range of distinct tasks, regardless of how it is marketed. These models can be integrated into various downstream systems or applications.

The EU AI Act also introduces the concept of general-purpose AI models with systemic risk. Systemic risk refers to the potential for these AI models to cause actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or society as a whole.

It is essential for companies to understand the distinction between general-purpose AI models and those with systemic risk, as the obligations for providers of general-purpose AI models differ from those for providers of general-purpose AI models with systemic risk.

Key Takeaway 10: Transparency Obligations for Providers and Deployers

The final key takeaway from the EU AI Act pertains to the transparency obligations imposed on both providers and deployers of AI systems.

Certain AI systems intended to interact with natural persons or generate content may pose specific risks of impersonation or deception, regardless of whether they are classified as high-risk. Therefore, the use of these AI systems should be subject to specific transparency obligations, without prejudice to the requirements and obligations for high-risk AI systems, and subject to targeted exceptions to accommodate the special needs of law enforcement.

For instance, the EU AI Act mandates that providers ensure AI systems intended to interact directly with natural persons are designed and developed to clearly inform individuals that they are engaging with an AI system. This requirement is waived only when it is obvious to a reasonably well-informed, observant, and circumspect individual, given the circumstances and context of use. Deployers also have transparency obligations, such as disclosing when AI systems generate or manipulate image, audio, or video content that constitutes a deep fake.

Conclusion

This article is not intended to be an exhaustive exploration of the entire EU AI Act but rather a preliminary introduction to its key aspects and implications for the AI value chain and all stakeholders involved. Future articles will explore specific topics within the Act in greater detail, providing more comprehensive insights into its requirements and impacts.

For now, general counsels should begin familiarizing themselves with these initial takeaways to better prepare for the challenges and obligations the EU AI Act introduces.

This article provides a foundational overview of the EU AI Act and its implications. For a deeper understanding tailored to your specific needs, or to ensure compliance with the Act’s complex requirements, our Technology Practice Group is here to assist. Our team of experts is well-versed in the intricacies of the EU AI Act and is prepared to offer tailored legal advice and training to support your organization. We invite you to reach out to us to discuss how we can collaborate to navigate the regulatory landscape effectively and ensure your compliance with this significant legislation.

About the authors

Ong Johnson
Partner, Head of Technology Practice Group
Technology, Media & Telecommunications ("TMT"), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications ("TMT"), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Nicole Shieh E-Lyn
Associate
Technology, Media & Telecommunications ("TMT"), TMT Disputes
nicole.shieh@hhq.com.my

Handling Requests from Data Subjects: Practical Guide for Data Protection Officers

It is a very common misconception among data users that compliance with the Personal Data Protection Act 2010 (the “PDPA 2010”) ends upon providing data subjects with a copy of the data users’ personal data protection notice and having received express consent from data subjects for the processing of their personal data. Data users often overlook the fact that the PDPA 2010 also provides for certain rights of data subjects vis-à-vis their personal data that is being processed by the data users, including rights to access or correct personal data, rights to limit the processing of their personal data, etc. When faced with a request from data subjects in relation to the processing of their personal data, data users who do not have an adequate protocol or internal policy for dealing with such requests might find themselves unable to respond to the request appropriately, which may result in a breach of the PDPA 2010.

In this article, we are going to provide a quick step-by-step guide to assist data users with the handling of requests from data subjects to ensure compliance with statutory requirements under the PDPA 2010.

1. Assessing the Type of Request

It goes without saying that the first thing to do for a data user upon receiving a request from data subjects is to ascertain the nature of the request. Under the PDPA, data subjects have certain statutory rights to request (i) access to their personal data that is being processed by the data user; (ii) correction of their personal data; (iii) withdrawal of their consent to the processing of their personal data; and (iv) cessation of processing of their personal data for direct marketing purposes. With the recent introduction of the Personal Data Protection (Amendment) Bill 2024, data subjects may have an additional statutory right to request the porting of their personal data from one data user to another data user.

How the data user should respond to a request depends on the type of request submitted by the data subject.

2. Assessing the Sufficiency of the Request

Upon receiving a request from data subjects, data users generally have twenty-one (21) days under the PDPA 2010 to respond to the same. That said, the ability of a data user to respond to a request from a data subject in some instances also depends on whether the data subject has provided the data user with sufficient information that may be required.

Some examples of the circumstances where data users may have difficulty in complying with a data subject request are:

(i) where the data subject has not provided sufficient information to identify himself or herself;
(ii) where the data subject has not provided information required by the data user to locate the relevant personal data;
(iii) where the data user is not satisfied that the personal data in its possession is inaccurate, incomplete, misleading or not up-to-date; or
(iv) where the request is in relation to the porting of personal data, there is an incompatibility or technical infeasibility in the data format used by the porting data user and the receiving data user.

Where such an impediment exists, the data user should communicate with the data subject to request the necessary information to enable the data user to comply with the request.

The above stated circumstances do not apply, however, where the requests from data subjects relate to the withdrawal of consent for personal data processing or to limiting the processing of personal data for certain specific purposes.

3. Complying with the Request

Upon complying with the request, any changes to the personal data in the data users’ possession should be logged accordingly to record the changes. Data users should also confirm the compliance with the request from data subjects by communicating the actions taken to the data subjects.

4. Establish Protocols on Data User Request

Given the fixed timeline to comply with or respond to a data subject request under the PDPA 2010, it is fundamental that data users establish a clear protocol internally to deal with or handle data subject requests. This is to ensure that appropriate attention is given to the data subject requests and that appropriate measures can be taken to respond to each and every request.

Such a personal data request handling protocol should document the internal process for managing and dealing with personal data requests, the measures or mechanisms in place to process a personal data request, the manner of implementing the consequences of complying with a personal data request, etc.

Handling personal data requests is no small feat, especially for a company that handles a large amount of personal data processing. A small slip-up in responding to a personal data request may translate to financial penalty and/or imprisonment. Companies and data protection officers should take this task seriously to ensure compliance with the requirements of the PDPA 2010 at all times.

If your organisation needs help with crafting a protocol for the handling of personal data requests from data subjects, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.

About the authors

Lo Khai Yi
Partner, Co-Head of Technology & Corporate Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner, Head of Technology & Corporate Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Case Update: Can a Non-Paying Party Be Wound Up Pursuant to an Adjudication Decision Under CIPAA 2012?

The recent Court of Appeal case of Bludream City Development Sdn Bhd (“Bludream”) v Pembinaan Bina Bumi Sdn Bhd (“PBB”) [2024] 4 MLJ 67 held that the court has jurisdiction and power to wind up a company for failure to comply with an adjudication decision.

The Facts

Adjudication Decision and Enforcement Order

On 4.2.2020, PBB obtained an adjudication decision against Bludream for the sum of RM5,510,197.91, together with interests and costs. Subsequently, PBB applied to the High Court under Section 28 CIPAA 2012 (“CIPAA”), and obtained an Order dated 11.8.2020 to enforce the adjudication decision as if it is a judgment or order of the High Court (“HC Enforcement Order”). The HC Enforcement Order was affirmed by the Court of Appeal on 19.5.2024 (“COA Enforcement Order”). Bludream’s application for leave to appeal against the COA Enforcement Order to the Federal Court was dismissed on 20.10.2022.

Winding Up Proceedings

Armed with the HC Enforcement Order, on 24.8.2021, PBB served a statutory notice pursuant to section 465(1)(e) and 466(1)(a) of the Companies Act 2016 (“Statutory Notice”) demanding payment of the sum of RM6,175,669.10 premised on the HC Enforcement Order. Due to non-payment of the debt pursuant to the Statutory Notice, PBB commenced winding up proceedings at the High Court against Bludream, and obtained a Winding Up Order on 21.10.2022 (“Winding Up Order”). On 15.11.2022, Bludream filed an appeal to the Court of Appeal against the Winding Up Order.

Findings of the Court of Appeal

In support of its appeal against the Winding Up Order, Bludream argued that a party cannot rely on an enforced adjudication decision to commence winding up proceedings based on, amongst others, the following grounds:

(a) There is no express provision provided in the CIPAA for the winning party to wind up the losing party premised on an adjudication decision.
(b) There are bona fide disputes against the debt. The adjudicated dispute has been referred for final determination to arbitration / court.
(c) Since an adjudication decision is only of temporary finality, the right to wind up a company based on an adjudication decision is contrary to the legislative intent of the CIPAA. Otherwise, the company would be wound up based on an adjudication decision that has permanency from which the company cannot recover.

On 6.3.2024, the Court of Appeal dismissed Bludream’s appeal against the Winding Up Order, and held, amongst others, as follows:

(a) The court had jurisdiction and power to wind up Bludream for failure to pay the amount adjudicated under the adjudication decision. Pursuant to Section 31(2) CIPAA, “The remedies provided by this Act are without prejudice to other rights and remedies available in the construction contract or any written law, including any penalty provided under any written law.” As such, although not expressly provided for under CIPAA, the remedy under Sections 465 and 466 of the Companies Act 2016 is available to PBB.
(b) It is immaterial that the adjudicated dispute is pending final determination in arbitration proceedings. Disputability of a debt had to be seen in its proper context. As the disputed debt has been independently adjudicated by a neutral third party, the debt would cease to be disputable in an ensuing winding up proceeding. It should not be open for Bludream to again dispute the debt when the sanctity of the adjudication decision has been preserved by subsequent court orders pursuant to Section 28 of the CIPAA.
(c) Although the court was mindful that winding up was a draconian procedure which might irreparably damage business and reputation, it had to heed the legislative objective of the CIPAA to alleviate the financial woes prevalent in the Malaysian construction industry.

On 22.7.2024, the Federal Court dismissed Bludream’s application for leave to appeal to the Federal Court against the Winding Up Order.

KEY TAKEAWAYS

This Court of Appeal’s decision has made it clear that, once an adjudication decision has been delivered and remains binding pursuant to Section 13 CIPAA, the winning party is entitled to commence winding up proceedings against the non-paying party in the absence of compliance with the adjudication decision. This is so even where the disputes between the parties are still subject to final determination in litigation / arbitration.

This Court of Appeal’s decision also serves as a reminder to the stakeholders in the construction industry that the very purpose of CIPAA is to offer the parties a mechanism of “pay now, talk later”, and non-compliance with an adjudication decision may lead to the non-paying party being wound up by the courts, upon a presentation of a winding up petition by the winning party in the adjudication proceeding.

In light of the recent dismissal of Bludream’s leave application, this Court of Appeal’s decision remains a binding judicial precedent on this issue, until and unless there is a further development in law in the future.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the Author

Lim Ren Wei
Associate, Dispute Resolution
Harold & Lam Partnership
renwei@hlplawyers.com

Is It True That Only Leasehold Properties Would Require State Authority’s Consent?

A common misconception is that only leasehold properties are required to obtain State Authority’s consent when one acquires an immovable property. While it is certain that leasehold properties usually require approval from the State Authority, there are freehold lands that may have express restrictions in interest that require the State Authority’s consent too. In such circumstances, the State Authority may impose such restrictions in interest upon alienation of land as discussed in the case of Tanasekharan a/l Autherapady & Anor v Pengarah Tanah dan Galian Negeri Perak & Ors [2024] MLJU 865. . Brief facts The Applicants entered into a sale and purchase agreement with a property owner in Perak. Although the property being a freehold land, there was an undisputed restriction of interest on the property stating that the property could not be transferred or leased out without the approval of the Menteri Besar. The owner of the property applied for the Menteri Besar’s approval to transfer the ownership of the property to the Applicants. However, the application was rejected without being given any reasons for the decision. Hence, the filing of a judicial review by the Applicants to quash the decision of the Menteri Besar mainly on the ground that there is no restriction to sell for a freehold land and it was not a Malay Reserve land. The Court had dismissed the application for the judicial review based on the following grounds: 1) The Applicants were fully aware of the restriction on the property and yet, still proceeded with the transaction before any response or approval was obtained. 
The document of title expressly stated “Tanah ini tidak boleh dipindah milik atau dipajak tanpa kebenaran Menteri Besar” (“This land may not be transferred or leased without the consent of the Menteri Besar”), so prior written approval of the Menteri Besar was required before any transfer or lease could be made. The Applicants had full knowledge of this restriction, since an application for consent had been submitted and was still pending even after the agreement was concluded.

2) The Menteri Besar had acted under its prerogative powers in approving or rejecting the consent application. The Court went on to consider the duty to give reasons and assessed several approaches. Here, the Court stated that granting the approval is within the State Authority’s prerogative power, and that it has no duty to give reasons for rejecting the Applicants’ application as it was not required to do so under any laws.

3) Section 120 of the National Land Code states clearly that the State Authority may impose express conditions and restrictions in interest upon alienation of land, which shall be determined at the time when the land is approved for alienation.

To conclude, when express conditions and restrictions in interest are stated clearly on a document of title, written consent from the State Authority to transfer or lease out the property is mandatory regardless of whether the property is freehold or leasehold. Pursuant to section 120 of the National Land Code, the State Authority may alienate land subject to express conditions and restrictions in interest. Failure to obtain such approval may result in non-registration of title for the property.
About the author

Ainie Ajiera binti Rosman
Associate
Real Estate
Halim Hong & Quek
ainie@hhq.com.my

Consent or Pay: The Controversial Business Model Every General Counsel Must Understand

In recent years, the "Consent or Pay" business model has garnered increasing attention among companies operating online platforms. If your organisation is contemplating the adoption of this model, this article serves as an essential guide. The "Consent or Pay" model, while relatively novel, has sparked considerable debate, particularly concerning its legal viability and the ethical considerations it entails. This article will explore the key dimensions of this model, offering 3 critical insights for companies evaluating its implementation on their digital platforms.

Understanding the "Consent or Pay" Model

At its core, the “Consent or Pay” model presents users with two distinct choices when accessing online services:

1. Payment Option: Users can pay a fee to access the platform’s services or content without their personal data being collected, shared, or used for any marketing or profiling purposes. This option typically appeals to privacy-conscious users who prefer not to exchange personal data for free access.

2. Consent Option: Alternatively, users can consent to the collection, processing, and use of their personal data, often in return for free access to services or content. In this scenario, the data collected may be used for targeted advertising, personalised content, or other commercial purposes.

This model effectively creates a trade-off between privacy and cost, introducing a new dynamic in the relationship between service providers and users.

Key Concerns with the "Consent or Pay" Model

The "Consent or Pay" model has sparked significant debate, particularly around the implications of monetising personal data. By positioning personal data as a form of currency, this model underscores the notion that privacy is something to be traded or bought. This raises several ethical and legal concerns:

• Monetisation of Personal Data: The model makes the monetisation of personal data more explicit than ever before.
It signals to users that if they choose not to pay, their data will be collected and potentially sold or used for profit. This creates a dynamic where personal data becomes a commodity, raising questions about the true cost of "free" services.

• Impact on Lower-Income Users: One of the most pressing concerns is the potential for this model to disproportionately impact lower-income users. Those who cannot afford to pay may feel pressured to consent to data collection, compromising their privacy. This could lead to a digital divide, where privacy becomes a luxury only available to those who can afford it, exacerbating social inequalities.

• User Autonomy and Informed Consent: There is also the question of whether users can truly give informed and voluntary consent under this model. When the alternative is a potentially high fee, users may feel they have no real choice but to consent, calling into question the validity of such consent.

Global Legal Perspectives: The EDPB Opinion

The legality of the "Consent or Pay" model is still being tested across various jurisdictions. In April 2024, the European Data Protection Board (“EDPB”) issued an Opinion specifically addressing this model, particularly concerning large online platforms. Although the EDPB did not define what constitutes a "large online platform," the Opinion provides critical guidance:

• Permissibility with Conditions: The EDPB confirmed that the "Consent or Pay" model is permissible under the General Data Protection Regulation (“GDPR”), but with stringent conditions. The consent obtained must meet the high standards set by GDPR: being freely given, specific, informed, and unambiguous.

• GDPR Compliance: Beyond consent, the implementation of this model must align with all relevant GDPR principles, including transparency, data minimisation, and purpose limitation.
Companies must ensure that users understand what they are consenting to and that their data is handled in accordance with GDPR’s stringent requirements.

• Equivalence and Genuine Choice: Importantly, the EDPB emphasised that a pure "Consent or Pay" model should not be the default way forward. Users must have an equivalent alternative that does not require payment. This means that any fee charged should not coerce users into consenting; there must be a genuine, free choice available to them.

Implications for Malaysia: PDPA 2010 and Upcoming Personal Data Protection (Amendment) Bill 2024

In Malaysia, the "Consent or Pay" business model remains largely uncharted under the Personal Data Protection Act 2010 (“PDPA 2010”) and the forthcoming Personal Data Protection (Amendment) Bill 2024. However, as global trends influence local practices, companies in Malaysia should consider the following key points:

1. Legality and Feasibility in Malaysia: The "Consent or Pay" model is not explicitly prohibited under Malaysian law. Companies operating in Malaysia can explore this model, but they must do so with careful consideration of the legal landscape and potential regulatory scrutiny.

2. Adherence to PDPA 2010 Principles: Any collection of personal data under this model must comply with the seven core data protection principles outlined in the PDPA 2010. These include the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle. Compliance with these principles is non-negotiable and critical to the lawful implementation of the model.

3. Transparency and Fairness in Pricing: If the "Pay" option is chosen, transparency in pricing is essential. The fees must be reasonable and should not unduly burden lower-income users. High prices should not be used as a tool to coerce consent, as this would undermine the concept of voluntary and informed consent.
Companies should strive for a balanced approach, potentially offering alternatives beyond a strict "Consent or Pay" model, to ensure fairness and avoid regulatory challenges.

Conclusion

The "Consent or Pay" model represents a significant shift in how companies interact with users and manage data. While it offers potential benefits in terms of monetisation and user engagement, it also introduces complex legal and ethical challenges. As your company considers this model, it is essential to stay informed about the evolving legal landscape, both globally and locally. By adhering to best practices and ensuring compliance with relevant data protection laws, your company can navigate the "Consent or Pay" model successfully while minimising legal risks and safeguarding user trust.

If your organisation is considering implementing the "Consent or Pay" model or you have any questions regarding its legal and ethical implications, our team of experienced lawyers is here to assist. Don't hesitate to reach out to us for tailored advice and comprehensive support in navigating this complex landscape. We are committed to helping you make informed decisions that align with both legal requirements and your business objectives.

About the authors

Ong Johnson
Partner
Head of Technology & Corporate Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology & Corporate Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my
Nicole Shieh E-Lyn
Associate
Technology & Corporate Practice Group
Technology, Media & Telecommunications, Transactions and Dispute Resolution, Fintech, Privacy and Cybersecurity
nicole.shieh@hhq.com.my

Can a Fixed Term Contract Employee Be Deemed as a Permanent Employee?

Case summary of Muhammad Fawaid Daud v Airod Sdn Bhd [2024] MELRU 836

The dispute between the parties here is whether the contracts of employment of Muhamad Fawaid Bin Daud (“Claimant”) were genuine fixed term contracts or otherwise. The Claimant was awarded RM1.1 million for unfair dismissal. The Industrial Court ruled that the Claimant, who had been issued annual fixed-term contracts for 20 years, was a permanent employee of Airod Sdn Bhd (“Company”) and was unfairly dismissed. This decision highlighted the Company's practice of issuing fixed-term contracts and the associated legal implications.

INTRODUCTION

By an employment contract dated 1.8.1988, the Claimant was employed by the Company as an engineer with a starting salary of RM1,300.00 per month. The Claimant continued in his employment with the Company as a permanent employee and on 1.1.2000, the Company converted the Claimant's permanent employment to a fixed term contract of employment for 1 year as the Company's general manager. Thereafter the Company continued placing the Claimant under fixed term contracts for 20 years without any break in the Claimant's employment with the Company. The Claimant enjoyed automatic renewal of his employment contracts without making any application for such renewals. The Claimant's last held position in the Company was Senior General Manager and his last drawn salary was RM20,307.00 per month.

After 32 years of service with the Company, on 21.12.2020, the Company issued a letter to the Claimant informing him that his last fixed term contract of employment, which commenced on 20.1.2020, would come to an end on 31.12.2020, and that this would be the last date of the Claimant's service with the Company. The Claimant states that the expiry of his last fixed term contract, leading to his loss of employment in the Company, amounted to a dismissal from his employment in the Company.
The Claimant asserts that all the fixed term contracts of employment offered to him since 1.1.2000 were not genuine fixed term contracts but were a permanent contract of employment disguised as fixed term contracts. The Claimant states that he was at all material times a permanent employee of the Company. The Claimant now states that he was dismissed from his employment without just cause or excuse and prays that he be reinstated to his former position in the Company without any loss of wages and other benefits.

The Company however maintains that the Claimant's continuous contracts of employment, which commenced from 1.1.2000, were genuine fixed term contracts of employment and that the last genuine fixed term contract of employment had come to an end by effluxion of time on 31.12.2020. The Company states that the Claimant's employment with the Company effective 1.1.2000 was categorised as managerial level, which comes with a lucrative salary scheme and additional perks that were not enjoyed by permanent employees of the Company. It is the Company's policy that all employees of the Company at managerial level will be offered fixed term contracts of employment only. The Company states that when the Claimant's permanent contract of employment was converted to fixed term contracts on 1.1.2000 with a senior position in the Company, the Claimant knew that he was voluntarily accepting a genuine fixed term contract, and that since 1.1.2000 all his fixed term contracts of employment were genuine fixed term contracts which the Claimant accepted without any protest. The Company denies dismissing the Claimant from his employment with the Company.
INDUSTRIAL COURT’S FINDINGS

The Court held that the Claimant was a permanent employee of the Company and that all the fixed term contracts of employment given to the Claimant by the Company for a period of 20 years consecutively, without any break and by way of automatic renewal, were not genuine fixed term contracts of employment but were in fact a permanent contract of employment disguised as fixed term contracts. Such an arrangement can create a legitimate expectation of permanent employment on the part of the Claimant. The Company’s attempt to use fixed term contracts to circumvent such legitimate expectation amounts to an unfair labour practice.

CONCLUSION

This does not mean that a company cannot have fixed term contract employees. There are many genuine reasons to do so (e.g. post-retirement roles, seasonal jobs to complete a specific project, maternity cover). However, a company cannot use a fixed term contract, no matter how cleverly it is drafted, to disguise what is essentially permanent employment. While fixed term contracts may seem like a “safe bet,” acting inconsistently with a fixed term contract has repercussions. The company's conduct throughout the employee’s employment is as important as the contract terms when it comes to unfair dismissal complaints.

About the author

Tey Siaw Ling
Senior Associate
Employment and Industrial Relations, Alternative Dispute Resolution
Harold & Lam Partnership
siawling@hlplawyers.com

Compliance Update: 10 Key Takeaways from Malaysia's New Regulatory Framework for Internet Messaging and Social Media Services

On 29 July 2024, we published an article titled “Urgent Compliance Alert: Malaysia's New Regulatory Framework for Social Media Services and Internet Messaging Services” which highlighted that the Malaysian Communications and Multimedia Commission (“MCMC”) would introduce a new regulatory framework on 1 August 2024. This framework requires companies providing internet messaging services or social media services with at least eight million registered users in Malaysia to apply for an Applications Service Providers Class Licence under the Communications and Multimedia Act 1998.

On 1 August, the Regulatory Framework for Internet Messaging Service and Social Media Service Providers was officially introduced, along with the Communications and Multimedia (Licensing) (Exemption) (Amendment) Order 2024 and the Communications and Multimedia (Licensing) (Amendment) (No. 2) Regulations 2024. Rather than reproducing the entire framework, this article highlights the ten most crucial points that all general counsels from companies providing internet messaging services or social media services should note.

1. Status of the Regulatory Framework

The regulatory framework for internet messaging and social media services was gazetted on 1 August 2024 and will officially come into effect on 1 January 2025.

This provides companies with a clear timeline to ensure compliance with licensing requirements. With a five-month grace period before the enforcement date, companies should use this time effectively to meet the licensing requirements. This period should be adequate for preparing and addressing any necessary compliance measures, provided that efforts are well-coordinated and timely. It is crucial that companies begin their preparations promptly to avoid any last-minute issues and to ensure full compliance by the deadline.

2.
Compulsory Licensing Requirement

With the enforcement of this framework, all internet messaging service providers or social media service providers with at least eight million registered users in Malaysia must apply for an Applications Service Provider Class Licence (“ASP (C) Licence”) under the Communications and Multimedia Act 1998 (Act 588). The framework explicitly applies only to internet messaging and social media service providers and will not affect end users.

3. Definitions of Internet Messaging Service and Social Media Service

The law currently defines "internet messaging service" as an applications service that utilizes internet access service enabling a user to communicate any form of message with another user. "Social media service" is defined as an applications service that utilizes internet access service enabling two or more users to create, upload, share, disseminate, or modify content.

Companies must evaluate their offerings to determine whether their products or services fall within these definitions. Given the evolving nature of technology, it is important for companies to continuously reassess their services to ensure they remain compliant with these definitions. Regular evaluations will help ensure that any changes in technology or service offerings are promptly addressed and that compliance is maintained.

4. Calculation of 8 Million Users

The MCMC will primarily use data from its official surveys, including MCMC’s Internet User Survey, to quantify the number of Malaysian users. It will also consider other publicly available and reliable data points.

Companies that fall within the definitions of social media services or internet messaging services must conduct their own assessments to determine whether their user base in Malaysia meets or exceeds the 8 million threshold. It is essential for these companies to regularly monitor and verify their user statistics to ensure compliance with this requirement.

5.
Incorporation of Local Companies

A key requirement to apply for an ASP (C) Licence is the incorporation of a local company. However, the Minister has the discretion to allow a foreign company to be registered as a class licensee on a case-by-case basis. That said, it is important to emphasise that this decision rests entirely at the Minister’s discretion. For foreign companies providing internet messaging services or social media services, it is advisable to incorporate a local company to obtain the ASP (C) Licence. This approach can help avoid unnecessary complications and ensure smoother compliance with licensing requirements.

6. Foreign Shareholding Requirement

A frequently asked question is whether there is a foreign shareholding restriction. Currently, there are no foreign shareholding restrictions for ASP (C) Licences. This absence of restrictions aligns with the 'light-handed' approach adopted to promote industry growth and development by facilitating easier market access.

7. Validity Period of the Licence

The validity period for the ASP (C) Licence is one year, with a yearly renewal requirement as long as the provider has eight million or more users in Malaysia.

With this annual renewal process, companies are compelled to stay current with regulatory changes and evolving compliance best practices.

8. Consequences of Non-Compliance

Internet messaging and social media service providers have a grace period of five months, from 1 August 2024 to 1 January 2025, to apply for the ASP (C) Licence. Starting 1 January 2025, operating without a licence will result in penalties, including fines not exceeding RM500,000 or five years of imprisonment, or both. Service providers will also face an additional fine of RM1,000 for each day the offence continues after conviction.
The stringent penalties for non-compliance highlight the seriousness with which the MCMC views adherence to the new framework, and this serves as a stark reminder for organisations to prioritise compliance as a core component of their licensing strategies.

9. Activities During the Grace Period

Between 1 August 2024 and 1 January 2025, the MCMC will develop comprehensive outcome-based guidelines detailing the conduct requirements and key obligations for internet messaging and social media service providers. Proposed key conduct requirements include policies for user data protection, child safety measures, addressing online harm, content moderation, advertising transparency, complaint procedures, and measures to manage deepfakes and harmful AI-generated content.

10. Recommendations for General Counsels

To ensure compliance, general counsels should take the following steps:

Step 1: Assess and Confirm Service Applicability
Evaluate whether your company falls under the new definitions of social media services or internet messaging services. This assessment is critical to determine regulatory obligations and potential impacts on operations.

Step 2: User Base Evaluation and Documentation
Conduct a thorough evaluation and documentation of your user base in Malaysia. Confirm whether your platform surpasses the eight million user threshold which triggers the licensing requirement.

Step 3: Develop a Compliance Strategy
Given the tight compliance timeframe, initiate discussions with lawyers familiar with TMT law to apply for the ASP (C) Licence before the deadline of 1 January 2025. The MCMC has identified major providers like Facebook, Instagram, TikTok, WhatsApp, Telegram, WeChat, X, and YouTube as potentially falling under this framework, subject to having eight million or more users in Malaysia.
Conclusion

In conclusion, the introduction of Malaysia's new regulatory framework for internet messaging services and social media services marks a significant shift in the digital landscape. With mandatory licensing requirements, local incorporation expectations, and stringent penalties for non-compliance, the stakes are high for service providers operating in Malaysia. The five-month grace period offers a crucial window for companies to align their operations with these new regulations, and therefore, general counsels and compliance officers must act swiftly and decisively, leveraging this time to conduct thorough assessments, develop robust compliance strategies, and implement necessary changes.

Should you require assistance with obtaining the ASP (C) Licences, our team can help you navigate this regulatory environment with expert insight and strategic planning. We are well-versed in the nuances of Malaysian technology and communications law and can provide the guidance necessary to ensure your platform is fully compliant ahead of the deadline. We have an in-depth understanding of the technology regulatory requirements and are poised to assist in obtaining the requisite ASP (C) Licences.

For further information on how we can assist you in this transition, please contact us directly.

Note: On Monday, August 5, our Technology Practice Group Partners, Ong Johnson and Lo Khai Yi, were invited by Malaysia's No. 1 Business Radio Station, BFM 89.9, to shed light on the Regulatory Framework for Internet Messaging and Social Media Service Providers that's set to take effect on January 1, 2025.

About the authors

Ong Johnson
Partner
Head of Technology & Corporate Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology & Corporate Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Nicole Shieh E-Lyn
Associate
Technology & Corporate Practice Group
Technology, Media & Telecommunications, Transactions and Dispute Resolution, Fintech, Privacy and Cybersecurity
nicole.shieh@hhq.com.my

Understanding the Role of Data Protection Officer Under the Personal Data Protection (Amendment) Bill 2024

Since the publication of the Personal Data Protection (Amendment) Bill 2024 (the “Bill”), we have received several enquiries concerning the role of a data protection officer (“DPO”) as mandated under the Bill. Many companies are now assessing the need to appoint a DPO within their organisations in anticipation of it being a requirement for them to do so once the Bill is passed and comes into force. Some chief compliance officers or chief risk officers are also concerned that they may be designated as the DPO of their respective companies, and are now looking to better understand the responsibilities of a DPO so that they can better prepare for that eventuality.

The DPO is not a new role created uniquely by the Bill. The EU’s General Data Protection Regulation (“GDPR”) has long since established the role of a DPO in an organisation. This article seeks to unravel the role of a DPO and provides some high-level guidance on the tasks and responsibilities of a DPO by drawing reference from the EU’s GDPR.

The responsibility of a DPO is first and foremost to ensure that the organisation complies with its statutory obligations under the Personal Data Protection Act 2010 (“PDPA”), be it as a data user (to be known as data controller once the Bill is passed) or a data processor. There are a few key aspects to the role of a DPO in order to discharge the responsibility fully:

1. Providing Training to the Organisation

Education is always the first step to compliance. For an organisation to adhere to the requirements of the PDPA, it will first have to understand comprehensively which obligations are applicable to it. A DPO is typically expected to have in-depth knowledge of personal data processing law and is thus the default internal consultant to advise key stakeholders on matters concerning personal data.

2.
Formulation of Data Processing Policies

For companies that handle a vast amount of personal data, it is important to have in place data processing policies to ensure that best practices are observed and to minimise abuse of personal data by employees. A DPO is expected to formulate and craft the data processing policies of the organisation that he or she is attached to, and to spearhead the implementation of such policies. In order to perform this task properly, a DPO should be familiar with the data processing needs of the organisation so that the policies created can cater for all such needs.

3. Main Liaison with Data Subjects

The existing PDPA provides for certain rights of data subjects, such as the right to access personal data, the right to request correction of personal data and the right to limit the processing of personal data. One of the key tasks of a DPO is to act as the liaison between the organisation and the data subjects. The contact details of a DPO are normally included in the privacy policy or personal data protection notice of a data user or controller. In assisting the organisation to discharge its statutory obligations under the relevant data protection law, a DPO is expected to handle the requests put forth by data subjects and ensure that they are complied with or responded to appropriately by the organisation.

4. Liaison with Authorities

Apart from acting as the liaison with data subjects, a DPO also often doubles up as the liaison with authorities, particularly those that oversee or administer the data protection laws. In jurisdictions where data breach notification is mandated (Malaysia will be one if the Bill is passed), a DPO is also expected to communicate with the authorities in the event of a data breach and to assist the organisation to contain the effect of such breach.
More often than not, the role of a DPO is undertaken by the Chief Compliance Officer, Chief Risk Officer, Chief Legal Officer or the general counsel of an organisation. A DPO is rarely a dedicated role in an organisation unless the principal business of the organisation is to process personal data. As such, the person appointed as the DPO will normally be wearing more than one hat within the organisation. To ensure compliance with the applicable data protection law, a DPO can consider working with external legal counsels, especially when it comes to the provision of training to internal stakeholders and the formulation of data protection policies. Given that a DPO would have an absolute understanding of the organisation’s data processing needs, he or she will be in the best position to explain such needs to external legal counsels, while the external legal counsels can then craft appropriate data processing policies on behalf of the organisation.

As the world pays more attention to individuals’ rights in relation to the processing of their personal data, the role of a DPO is becoming ever more crucial in assisting data controllers and data processors to manoeuvre the intricacies of data protection law. The job of a DPO should not be taken lightly, given that failure to discharge its duties may result in financial penalties to the companies under applicable data protection law, and potentially also attract personal liability to the DPO.

Should you have any questions concerning the obligations of a DPO under the Bill, or if you would like to find out more about the slated changes to the PDPA to be brought forth by the Bill, please do not hesitate to contact our professionals from the Technology & Corporate Practice Group who frequently advise on matters relating to compliance with the PDPA.
About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Urgent Compliance Alert: Malaysia's New Regulatory Framework for Social Media Services and Internet Messaging Services

Starting 1 August 2024, Malaysia is set to introduce a significant regulatory framework that will reshape the legal landscape for all companies providing social media and internet messaging services in the country. This article aims to outline the current status, highlight immediate actions for companies, and provide three key takeaways for general counsels, especially those from companies operating in Malaysia.

Why does this matter?

Historically, platforms offering social media and internet messaging services have been exempt from specific licensing requirements. However, to create a safer online ecosystem and combat the rise of cybercrime, scams, online fraud, sexual crimes against children, and cyberbullying, the Malaysian Communications and Multimedia Commission (MCMC) will introduce a new regulatory framework on 1 August 2024. This framework mandates that companies providing these services with at least 8 million registered users in Malaysia must apply for a Class License for Application Service Providers under the Communications and Multimedia Act 1998. The regulatory framework is set for introduction on 1 August 2024, with enforcement commencing on 1 January 2025. This provides a narrow window of not more than six months for companies to comply and apply for the Class License. Most crucially, failure to obtain the appropriate license by 1 January 2025 will be considered an offense, subjecting companies to potential legal action. The full details of the requirements will likely be released alongside the introduction of the regulatory framework on 1 August 2024. The message is clear: for platforms operating social media and internet messaging services with at least 8 million registered users in Malaysia, compliance is mandatory, not optional. The timeframe for compliance is tight, so companies must act quickly.

Here are three key takeaways for general counsels while awaiting the regulatory framework:

3 Key Takeaways for General Counsels

1. Evaluate the Business Nature of Your Company: Start by assessing whether your company provides social media services or internet messaging services within Malaysia. If the answer is yes, it’s time to sit up and take notice, as this new licensing requirement could have significant implications for your operations based on your user base in Malaysia. Given the definition of “messaging service” under existing regulation, “internet messaging service” is likely to cover any application service that involves the storage or forwarding of messages in multimedia form through internet services and/or applications. Unlike “messaging service”, “social media service” is not currently defined under existing regulation. It should, however, cover any online platform where users can interact with one another, whether through sharing user-generated content or leaving comments on others’ content.

2. Evaluate and Audit User Base: Once it is confirmed that your company offers these services, conduct an internal evaluation and audit of your registered users in Malaysia. If your platform has over eight million users, it meets the threshold for the new regulatory framework, indicating that you must prepare to apply for the Class License.

3. Act Within a Tight Timeframe: If you confirm that your company’s platform hosts more than 8 million registered users in Malaysia, the time to act is now. With the framework being introduced on 1 August 2024 and enforcement beginning on 1 January 2025, general counsels are advised to promptly engage with external legal counsels who specialize in TMT and licensing requirements to strategize compliance and avoid potential legal pitfalls.

Conclusion

This regulatory shift may have caught many by surprise, but the reality is clear: The clock is ticking, and there is absolutely no time to waste.
Should you require assistance with obtaining the Class License, our team can help you navigate this regulatory environment with expert insight and strategic planning. We are well-versed in the nuances of Malaysian technology and communications law and can provide the guidance necessary to ensure your platform is fully compliant ahead of the deadline. We have an in-depth understanding of the technology regulatory requirements and are poised to assist in obtaining the requisite Class Licenses. For further information on how we can assist you in this transition, please contact us directly.

About the authors

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Navigating Cyber Security and Data Breaches – Handling Breach Notifications

By now, everybody would have heard of CrowdStrike and its software product, Falcon. Global technology outages that happened last Friday (19 July 2024) and were widely reported over the weekend dominated news reporting and technology publications. Essentially, CrowdStrike, a US-based cybersecurity firm, rolled out an update to its software, Falcon, a cyber security threat detection and automated protection tool, which caused Microsoft products installed with the updated version of Falcon to glitch and display the infamous “blue screen of death”. CrowdStrike has since clarified that the issue was not caused by a cyber-attack, but was purely due to the malfunctioning of the software triggered by the software update on Windows computers.

The CrowdStrike incident came at a time when companies in Malaysia are still trying to figure out the extent of their exposures and obligations under the recently gazetted Cyber Security Act 2024, as well as the recently announced proposed amendments to the Personal Data Protection Act 2010 (“PDP Amendments”). While the CrowdStrike incident was not caused by a cyber-attack, cybercriminals are reportedly trying to take advantage of this incident, potentially posing as personnel from CrowdStrike to gain access to the servers of organisations affected by the outage. If not cautious, companies already reeling from the operational disruption caused by the CrowdStrike outage may even suffer data theft or a cyber security incident.

In the face of such cyber security risks, we thought it apt to dedicate an article to sharing some pointers with general counsels and data protection officers to assist in navigating the (almost inevitable) eventualities of a cyber security incident or personal data breach.

1. Situation Assessment

Malicious actors causing cyber security incidents or personal data breaches in a company’s IT environment may not necessarily come with guns blazing or flashy signboards announcing their achievements. More often than not, threat actors would not even announce to their victims that they have successfully penetrated the victims’ environment, unless for extortion purposes.

During the process of penetrating a company’s IT environment, however, threat actors may leave behind crumbs, or trails if you may, of their entry points, potentially a record of multiple failed log-in attempts on multiple employee accounts at odd hours of the day or unusual log-in behaviours of employees who are supposed to be on their vacations. A company that suspects a breach of its IT environment should quickly conduct an assessment of its systems to ascertain whether an actual breach has occurred. Companies can deploy a sweeper or endpoint detection and response (EDR) tool to scan and detect whether there is any malware. Close coordination between the company’s IT team and legal team at this stage would be crucial so that legal is aware of the possible threat and can react swiftly to the outcome of the assessment.

2. Submitting Breach Notification

Assuming that the IT team has confirmed the occurrence of a cyber security incident, the legal team of the company will be faced with the important question of whether it is necessary to notify the authorities of the incident pursuant to the Cyber Security Act 2024 (“CSA 2024”). The answer to this question would depend on a few factors: does the company own or operate any national critical information infrastructure? If so, does the cyber security incident affect the national critical information infrastructure owned or operated by the company? If the answers to these two (2) questions are in the affirmative, the company will have an obligation under the CSA 2024 to notify the relevant stakeholders and/or authorities of the incident, and further investigations by the officers authorised under the CSA 2024 will be carried out.

In addition to the cyber security incident notification, assuming that the proposed amendments to the Personal Data Protection Act are passed and that the assessment of the breach by the company’s IT team indicates that personal data stored by the company has been accessed unlawfully, the company will also have the added responsibility under the PDP Amendments to notify the Personal Data Protection Commissioner of the personal data breaches.

The purpose of these breach notifications is not just to ensure that the relevant authorities are aware of the breaches, but also for the companies to work with the authorities to agree on appropriate responses to be taken to contain the effect of the breaches and to implement measures to prevent similar incidents in the future. As such, it is crucial for the company’s legal counsels and/or personal data protection officers to make sure that sufficient information is given to the authorities for joint formulation of informed decisions.

Engaging external legal counsel is crucial for companies when navigating the complex requirements of breach notification under both cybersecurity and data protection laws. These requirements are mandatory and come with severe consequences for non-compliance, including potential fines, reputational damage, and legal liabilities. External legal counsels can provide valuable guidance and assistance in accurately assessing the situation, ensuring that all necessary information is submitted to the relevant authorities, and advising on appropriate measures to mitigate risks. Therefore, by collaborating with experienced law firms, companies can ensure compliance with legal obligations and better protect their interests during such incidents.

3. Handling the Cyber Security Incidents

Dealing with a cyber security incident goes beyond just notifying the relevant authorities of the occurrence of the incident. Arguably the hardest part of dealing with a cyber security incident is to effectively contain the breach and to recover the operation that is affected by the cyber security incident.

As most would know by now, the CSA 2024 empowers the Chief Executive of the National Cyber Security Agency (NACSA) to issue directives to the National Critical Information Infrastructure Entities on the measures necessary to respond to or recover from the cyber security incident and to prevent such cyber security incident from occurring in the future. It would be crucial for legal counsels to coordinate closely with the Chief Executive of NACSA concerning the issuance of any directives, as well as the actions to be taken by the company to recover from and to prevent future cyber security incidents.

From the perspective of personal data protection, similarly assuming that the PDP Amendments are passed and where a cyber security incident results in the unlawful access of personal data stored by the affected companies, these companies will also have the statutory obligation under the PDP Amendments to notify the relevant data subjects of the breach in the event that the personal data breach causes or is likely to cause significant harm to the data subjects. To ensure effective communication of personal data breaches to the relevant data subjects, legal counsels and/or personal data protection officers should work with the IT team to come up with an exhaustive list of data subjects who have had their personal data unlawfully accessed.

Assuming that the incident is one that is widely reported, public relations (PR) issues would also come into play. Any public announcement to be made by the company affected by cyber security incidents should be carefully crafted to avoid unnecessary widespread commotion, especially when the incidents relate to national critical information infrastructure. An effective announcement should also briefly mention the action plan to be rolled out by the company to resolve the issue, so as to instil confidence in the public as well as affected data subjects. Likewise, legal counsels play the key role of working with internal and/or external PR teams to craft meaningful public announcements in ensuring effective communication of crucial information to the public and affected data subjects.

Given the increased digitalisation of companies everywhere in the world, it is no longer an urban legend for companies to suffer cyber security incidents. Hence, it is crucial that legal counsels and data protection officers alike are prepared on how to effectively deal with and manage a cyber security incident, so that any potential negative sentiment towards the company can be averted.

The technology lawyers at the Technology & Corporate Practice Group of Halim Hong & Quek would be able to assist a company to navigate the challenging ordeal of a cyber security incident and personal data breaches. Please feel free to reach out to our team of professionals should you ever need any assistance or if you would like to know more about cyber security and personal data protection.

About the authors

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

The Hidden Perils of Software Subscriptions: Are High Early Termination Fees a TMT Litigation Time Bomb?

In recent years, technology companies have increasingly shifted from selling one-time software products to subscription-based business models, particularly when the products are being deployed as Software-as-a-Service (“SaaS”). This transition is driven by the allure of predictable revenue streams and the appeal to consumers of spreading out costs through monthly, quarterly, or annual subscriptions, rather than paying a large upfront sum. While these models offer financial flexibility and lowered commitment for consumers, they often come with a significant catch: hefty early termination fees.

Many subscription-based software agreements, particularly those for SaaS, include clauses that impose penalties for early termination. These fees can range from 50% to 70% of the remaining subscription period, effectively discouraging consumers from ending their contracts prematurely. The rationale behind such high early termination fees is clear — these fees are often justified from a commercial perspective, as providing SaaS involves significant investments in infrastructure, development, and onboarding. Also, SaaS providers frequently offer customized integration of their software with customer systems and discounted pricing for long-term commitments. Thus, early termination fees help recoup these costs and ensure that consumers who benefit from discounts and perks fulfill their contractual obligations.

However, these high early termination fees are increasingly coming under scrutiny. A recent lawsuit filed by the U.S. Department of Justice against Adobe highlights the potential TMT litigation risks. In June 2024, the Federal Trade Commission (“FTC”) accused Adobe of deceiving consumers by imposing hefty early termination fees and making it difficult to cancel subscriptions. The Department of Justice emphasizes that such high early termination fees can deter consumers from terminating their subscriptions, raising significant legal concerns. Although this lawsuit is within the jurisdiction of the United States, its implications are likely to resonate globally, including in Malaysia and the broader Asia-Pacific region, where similar subscription models are prevalent.

Given the rapid growth of technology companies and the increasing complexity of TMT litigation, general counsels must be vigilant about the terms and conditions in their software agreements. In Malaysia and the broader APAC region, many technology companies adopt similar subscription models with comparable early termination clauses. It is not uncommon to see early termination fees ranging from 50% to 70% of the remaining subscription period – some companies have even demanded full payment of the remaining period in the event of early termination. While these fees can be justified from a commercial perspective, helping to recoup significant investments and ensure contractual obligations are met, they also pose substantial risks of TMT litigation.

Balancing early termination fees and defending against litigation requires careful attention. Here are five key insights for general counsels and companies:

1. General Legal Position of Contractual Clauses in Malaysia: Malaysian law upholds the freedom of contract, meaning courts are generally reluctant to interfere with commercially negotiated terms. Parties are expected to adhere to the agreed terms, including compensation stipulated in early termination clauses, provided these agreements result from thorough, arm’s-length negotiations.

2. Enforcement of Early Termination Clauses: Early termination clauses and penalty clauses in software contracts are generally recognized and enforced. To enforce an early termination clause, the enforcing party must demonstrate (i) there is a breach of contract, and (ii) the contract contains a clause specifying a sum to be paid upon breach. If these elements are established, the company is entitled to receive a sum not exceeding the amount stipulated in the contract irrespective of whether actual damage or loss is proven.

3. Challenging the Reasonableness of the Compensation Sum: The full sum specified in an early termination clause may not always be enforceable. If the breaching party can prove the compensation sum is unreasonable or disproportionate to the damages suffered, the courts may revise the awarded damages. For instance, requiring compensation payment for the entire remaining subscription period could be deemed unconscionable and disproportionate to the damages suffered by the company.

4. Justification of Early Termination Clauses: Companies should ensure that early termination fees genuinely reflect reasonable and proportionate losses. While proving actual losses is not a required legal burden to enforce the early termination clause, being prepared to justify the compensation sum can protect against challenges to its reasonableness.

5. Clear and Well-Negotiated Clauses: A clear and well-negotiated early termination clause is always crucial. Malaysian courts are unlikely to interfere with clauses that have been properly negotiated and willingly agreed upon by both parties; therefore, a well-documented negotiation process helps ensure enforceability and mitigates arguments that these early termination clauses were hidden or not disclosed.

In conclusion, while early termination fees in software subscription agreements can serve important commercial purposes, they also pose significant TMT litigation risks. By understanding and addressing these risks, general counsels can better navigate the complex landscape of SaaS agreements and protect their companies from potential legal challenges.

If you need help with software agreements or any form of TMT litigation dispute, please reach out to us. Our team of legal professionals is ready to advise and assist you with navigating these complex issues and ensuring that your business is well-protected.

About the authors

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Nicole Shieh E-Lyn
Associate, Technology & Corporate Practice Group
Technology, Media & Telecommunications, Transactions and Dispute Resolution, Fintech, Privacy and Cybersecurity
nicole.shieh@hhq.com.my

Decoding Personal Data Protection (Amendment) Bill 2024: 10 Key Insights to Stay Ahead

One of the most commonly asked questions we face today is: when will the current Personal Data Protection Act 2010 (“PDP Act”) receive its long-overdue amendments? As personal data becomes increasingly important in our digital world, ensuring robust protection measures is crucial. Around the globe, laws like the General Data Protection Regulation (“GDPR”) in the EU, along with similar frameworks in the UK and Singapore, set high standards for privacy and data protection. Finally, Malaysia is catching up with the introduction of the much-anticipated Personal Data Protection (Amendment) Bill 2024 (“PDP Amendment Bill”). These amendments introduce substantial changes to the current data protection regime, which all companies, data protection officers and general counsels should take note of.

In this article, we decode the PDP Amendment Bill and highlight the top ten crucial insights for general counsels.

1. Current Status of the Personal Data Protection (Amendment) Bill 2024

On 10 July 2024, the PDP Amendment Bill was tabled at the Dewan Rakyat (House of Representatives) of the Malaysian Parliament for its First Reading, introducing several significant changes to the PDP Act. Currently, the PDP Amendment Bill is subject to debate in Parliament, and it remains to be seen whether it will be passed as is or with further amendments. Therefore, all companies and general counsels should closely monitor the development of this PDP Amendment Bill.

2. Change from “Data User” to “Data Controller”

In the current PDP Act, a "data user" is defined as a person who processes any personal data or has control over or authorizes the processing of any personal data. The PDP Amendment Bill seeks to substitute “data user” with “data controller”, aligning more closely with the common terminology used in other jurisdictions such as the EU, UK, and Singapore. Therefore, if “data user” is referenced in any of your PDP notices or agreements, you should be prepared to make necessary changes to reflect this amendment.

3. The New Role of Data Processors

The current PDP Act mainly focuses on "data users" or "data controllers," without imposing direct obligations on "data processors." A “data processor” is any person who processes personal data on behalf of a data controller and does not process it for their own purposes, and the lack of direct legal obligation on a “data processor” has always been a key criticism of the current PDP Act.

The PDP Amendment Bill now imposes direct legal obligations on data processors to comply with security principles – this means data processors must take practical steps to protect personal data from loss, misuse, unauthorized access, and other risks. This change will significantly impact companies operating as data processors, requiring them to adjust their operational practices accordingly.

4. Appointment of Data Protection Officer

The PDP Amendment Bill makes it mandatory for data controllers and data processors to appoint a Data Protection Officer (“DPO”) who will be accountable for compliance with the PDP Act. This is a significant shift, as organizations can no longer merely designate a contact person in their PDP Notice. The DPO will be held accountable for any breaches of the law, making it a crucial role that companies must take seriously.

5. Mandatory Data Breach Notification to the Personal Data Protection Commissioner

One of the most anticipated changes is the mandatory notification of data breaches to the Personal Data Protection Commissioner. If a data controller believes a personal data breach has occurred, they must notify the Personal Data Protection Commissioner. This requirement mirrors the strict data breach notification rules in the recently enacted Cyber Security Act 2024.

This is a strict mandatory requirement as stated in the PDP Amendment Bill. The reading of the PDP Amendment Bill suggests that the duty to notify the Personal Data Protection Commissioner applies regardless of the severity or gravity of the personal data breach. This means that even minor breaches must be reported, emphasizing the importance of transparency and accountability in handling personal data. Many companies may not currently have protocols in place to capture or acknowledge any personal data breaches. This lack of preparation can lead to significant legal and financial repercussions under the new amendments. Therefore, companies should provide comprehensive training to relevant personnel to ensure they understand the importance of this requirement and the procedures for reporting breaches. This proactive approach will help ensure that all personal data breaches are promptly and accurately reported to the Personal Data Protection Commissioner, thereby enhancing the overall data protection framework within the organization.

6. Data Breach Notification to Data Subjects

In addition to notifying the Commissioner, if a personal data breach is likely to cause significant harm to the data subject, the data controller must also notify the affected individual without delay. This dual notification requirement highlights the critical need for companies to establish clear protocols and provide comprehensive training for efficient data breach management. However, the definition of what constitutes “significant harm” to the data subject remains unclear at this time.

7. Right to Data Portability

The PDP Amendment Bill introduces the right to data portability, allowing data subjects to request the transfer of their personal data to another data controller of their choice. This request is subject to technical feasibility and compatibility of the data format. Data portability empowers individuals by giving them greater control over their personal data and how it is processed. Moving forward, companies should emphasize and focus on data portability to foster competition and innovation among data service providers. When individuals can easily transfer their data from one data service provider to another, it reduces the barriers to switching services and reduces the risk of vendor lock-in, encouraging companies to offer better products and services to retain their customers. This increased mobility of personal data can lead to improved user experiences and drive advancements in data-driven services, ultimately benefiting consumers and the market as a whole.

8. Removal of White-List Countries for Cross-Border Data Transfers

The current PDP Act limits personal data transfers to only the "white-list" countries. However, no such “white-list” has been gazetted.

The PDP Amendment Bill removes this “white-list” regime, by allowing data controllers to transfer personal data to any country if the receiving country meets one of two conditions: (i) it has a data protection law substantially similar to Malaysia's; or (ii) it offers an adequate level of protection equivalent to Malaysian law. This change addresses one of the most frequently asked questions about the current data transfer restrictions, offering more operational flexibility.

9. Introduction of Biometric Data

The PDP Amendment Bill includes personal data resulting from technical processing related to physical, physiological, or behavioral characteristics, known as biometric data. This addition enhances personal data protection by making it more comprehensive and safeguarding data subjects' privacy more effectively.

10. Heavier Penalties for Non-Compliance with Personal Data Protection Principles

Under the current PDP Act, data controllers are obligated to comply with seven personal data protection principles: (i) the general principle, (ii) the notice and choice principle, (iii) the disclosure principle, (iv) the security principle, (v) the retention principle, (vi) the data integrity principle, and (vii) the access principle. Failure to comply with these principles can result in a fine of up to three hundred thousand ringgit or imprisonment for a term not exceeding two years, or both.

The PDP Amendment Bill seeks to introduce even heavier penalties for data controllers that fail to comply with these personal data protection principles. If found liable, the penalty can now be as severe as one million ringgit or imprisonment for a term not exceeding three years, or both. This significant increase in penalties underscores the importance of prioritizing compliance with personal data protection laws. Companies must take proactive measures to ensure they adhere to these principles to avoid severe legal and financial consequences.

Conclusion

These amendments to the Personal Data Protection Act 2010 mark a significant shift towards a more comprehensive and robust data protection regime in Malaysia. Companies and general counsels must stay informed and prepared to adapt to these changes to ensure compliance and protect personal data effectively.

If you would like to learn more about personal data protection law in Malaysia, our team of seasoned professionals is here to assist. With in-depth expertise in the Personal Data Protection Act 2010, we are well-equipped to provide you with comprehensive advice and guidance. Please reach out to us to discuss your specific needs and ensure your compliance with the latest regulations.
About the authors

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

AI-Generated Work and Copyright Law: A Comparative Analysis of US and EU Perspectives

AI continues to revolutionize various industries, and its rapid development shows no signs of slowing down. Jurisdictions worldwide are actively adapting their laws to keep pace with AI's evolution. In one of our earlier articles, "Whether AI-Generated Work Could be Protected by Copyright Law", we explored this issue from a US legal perspective. Today, we delve into a landmark decision by the Municipal Court in Prague, the first EU court to rule on whether AI-generated work can be protected by copyright law.

This provides an opportunity to compare US and EU perspectives on the copyright protection of AI-generated work and highlight three key takeaways for general counsels and companies relying on AI.

The Municipal Court in Prague's Landmark Decision

The Municipal Court in Prague recently addressed the question of whether AI-generated work could be protected by copyright law. The case involved a Plaintiff who used an AI program, DALL-E, to generate an image based on the prompt: "create a visual representation of two parties signing a business contract in a formal setting, such as a conference room or a law firm office in Prague. Just show your hands."

The Plaintiff subsequently published the AI-generated image on his website, only to discover that the Defendant had copied and posted the image on their website without authorization. The Plaintiff then sought an injunction to remove or take down the AI-generated image, claiming copyright infringement.

The central issue in the case was whether the Plaintiff was the author of the AI-generated image. While it was undisputed that the image was created by AI, the Plaintiff argued that the specific assignment he provided to the AI program made him the author. However, the Plaintiff failed to provide evidence supporting his claim that the image was generated based on his specific assignment.

The court eventually dismissed the Plaintiff's case on two main grounds:

1. AI Cannot Be the Author: The court held that AI cannot be the author of the AI-generated image, as "author" can only refer to a natural person. The Plaintiff in this case failed to prove that he was the author of the AI-generated image.

2. Lack of Unique Creative Activity: The court emphasized that a work of authorship must result from the unique creative activity of a natural person. The Plaintiff could not demonstrate that the AI-generated image was uniquely the result of his creative activity, only that it was created with AI assistance.

Therefore, the court concluded that the AI-generated image was not a work of authorship and did not belong to the Plaintiff.

Comparative Analysis with US Copyright Law

This decision mirrors the US stance on AI-generated work, where cases like Zarya of the Dawn and A Recent Entrance to Paradise have reinforced that human authorship is a fundamental requirement for copyright protection. Both US and EU courts have firmly ruled that AI cannot be considered an author under copyright law, and only a natural person can hold such a title.

However, a careful reading of the EU court's decision suggests a potential path for AI-generated work to receive copyright protection if human authorship and unique creative activity by a natural person can be established. While this issue remains unresolved, it hints at a possible future interpretation of the law.

Three Key Takeaways for General Counsels and Companies

Given the current legal landscape, general counsels should be cautious when relying on AI to generate work. Here are three practical guidelines:

1. Ensure Human Authorship: Across jurisdictions, it is clear that AI cannot be an author. To qualify for copyright protection, it is crucial that a natural person is integral to the creation process and contributes significant creative input and direction.

2. Avoid Autonomous AI-Generated Work: To qualify for copyright protection, AI should be used as a tool to assist human creators rather than autonomously generating work. The natural person must maintain significant control over the direction, instructions, and creative input.

3. Document the Creation Process: Document the entire creative process to establish human authorship and control. This can include video recordings or detailed logs demonstrating the human contribution and direction given to the AI.

Conclusion

The intersection of AI and copyright law is still developing, with courts in both the US and EU emphasizing the necessity of human authorship. As technology continues to evolve, legal standards will likely adapt to strike a balance between technological innovation and the protection of creative works. General counsels and companies must stay informed and cautious, ensuring compliance with current legal requirements while preparing for future developments.

If you are looking to develop AI tools or have concerns about intellectual property infringement or safeguarding the output due to the use of AI in your organisation, please reach out to our dedicated team of professionals. With a deep understanding of both AI technology and intellectual property law, our lawyers are well-equipped to assist you throughout the entire process, ensuring that your AI-generated work receives the protection it deserves in the rapidly evolving legal landscape.

About the authors

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Medical Negligence Claims – What Can You Sue For?

1. Damages that one can seek when pursuing a medical negligence claim are compensatory in nature, meant to cover the losses and suffering incurred due to the negligence. Generally, the types of damages fall under the following categories:
(i) Special Damages;
(ii) General Damages; and
(iii) Aggravated Damages.

Special Damages

2. Special damages are monetary losses that can be quantified, for example, medical bills, costs of medical equipment, rehabilitation, supplements and special food, travelling expenses, traditional treatments, counselling, costs of engaging a carer or maid etc.

3. In Nur Arissa Naura Noor Affrizal & Anor v Dr. Abirami Kunaseelan & Ors [2023] 5 CLJ 793, the Court awarded costs for, amongst others, cost of special equipment, cost of therapies and counselling sessions, cost of personal care items (wipes and creams), cost of value of care and costs for continuous expenses for nutrition, special food, vitamins and supplements.

4. What if you do not have documentary proof or receipt for certain expenses? Understandably, it would be unrealistic to expect anyone to keep a record of all the receipts, bills and/or invoices for all the expenses. In such a situation, the Court may accept oral testimony to support the claims, provided that the expenses are within a reasonable sum and they are justifiable in the circumstances (Nur Syarafina bt Sa’ari v Kerajaan Malaysia & Ors [2019] 12 MLJ 41).

5. Additionally, any pecuniary losses suffered during the period from the date of the negligent act until the conclusion of the case where the Court delivers its decision are also claimable and have been granted by the Court (Nurul Husna Muhammad Hafiz & Anor v. Kerajaan Malaysia & Ors [2015] 1 CLJ 825).

General Damages

6. In contrast to special damages, other types of claims that are non-monetary and/or cannot be quantified are termed general damages. Examples of general damages, which are non-exhaustive, include the following:
(i) pain and suffering arising from physical pain and psychological impact such as trauma, anxiety and depression caused by the injury.
(ii) loss of amenities of life, e.g. loss of body faculties, deprivation of ordinary experiences, sexual impotence, loss of marriage prospects.
(iii) loss of earning capacity.
(iv) gratuitous care provided by family members to the victim.
(v) future general damages such as physiotherapy, medications, surgeries, medical equipment, consumables etc.

7. General damages are commonly awarded based on precedents, comparable cases, factual assessments and estimations of a reasonable sum for the injuries sustained by the victim.

8. For better illustration, below are some cases where the Court awarded general damages.

i. In the case of Sheela Christina Nair v Regency Specialist Hospital Sdn Bhd & Ors [2016] MLJU 1899, the plaintiff underwent a laparotomy to remove fibroids but suffered perforation of her small intestines due to negligently performed surgery. As a result, she suffered injuries to her bowel and had to rely on colostomy bags for support. Despite eventual recovery from the prolonged suffering, the Court recognized the extent of her pain and awarded her RM240,000.00 for both physical and emotional distress, and for the loss of amenities of life.

ii. In the case of Pantai Medical Centre Sdn Bhd v Fareed Reezal Arund & Another Appeal [2022] 2 CLJ 173, the Court awarded RM400,000.00 to the plaintiff, who suffered serious brain injury resulting in a persistent vegetative state, as general damages for pain and suffering and loss of amenities of life.

iii. In Nur Arissa Naura Noor Affrizal & Anor v Dr Abirami Kunaseelan & Ors [2023] 5 CLJ 793, the Court awarded RM500,000.00 as general damages for pain and suffering, and loss of amenities of life, considering that the patient was a 4-year-old child suffering from brain damage and was estimated to have another 40 years of life expectancy.

iv. In Airis Nurhana Bt Alfian (seorang kanak-kanak yang menyaman melalui ibu bapa dan wakil litigasinya Alfian Bin Zainudin) v Darul Aiman Sdn Bhd & Anor [2023] MLJU 214, the Court considered the evidence that de-rotational surgery would be required in the future and allowed reasonable expenses associated with such future expense, including the cost of the surgery, physiotherapy and occupational therapies, consultation fees, cost of equipment and replacements.

v. In Yusnita Bt Johari (suing through her husband and litigation representative Khairil Faiz Bin Rahamat) v Dr Jerilee Mariam Khong & Ors [2023] 9 MLJ 629, where the plaintiff suffered severe and irreversible brain damage as a result of the defendant’s negligence, the Court awarded, amongst others, the sum of RM 3,348,889.60 for pain and suffering, loss of amenities of life and future general damages (including cost of assistive equipment, medical expenses, therapy, care, future loss of earnings and the value of care provided by family members).

vi. In Norfazlin Bt Zamani v Kerajaan Malaysia & Ors [2022] MLJU 3696, the plaintiff lost her reproductive organs as a result of the defendant’s action. The Court awarded, amongst others, the sum of RM260,000.00 for the physical and psychiatric pain and suffering, and loss of amenities of life that the plaintiff has to endure.

Aggravated Damages

9. Aggravated damages are awarded as additional compensation for intangible injuries to the interest or personality of the victim, resulting from the contumelious, offensive or exceptional conduct of the defendant.

10. In the case of Hari Krishnan & Anor v Megat Noor Ishak Bin Megat Ibrahim & Anor and other appeal [2018] 3 MLJ 281, the Federal Court upheld an award of RM1million as aggravated damages against the defendants who subjected the plaintiff to unnecessary risks of bucking which led to blindness in the plaintiff’s right eye.

11. Other grounds that led the Court to award aggravated damages include the suppression of medical reports, refusal to admit liability in clear cases which prolonged the proceedings, and altering the medical records (Ahmad Radhiq Arbee bin Ahmad Rejal Arbee (as a husband and dependant of Sharifah Shalihah bt Sayed Abdullah, deceased) & Ors v Kerajaan Malaysia & Ors [2020] 10 MLJ 459; Nur Syarafina bt Sa’ari v Kerajaan Malaysia & Ors [2019] 12 MLJ 741; Dato’ Stanley Isaacs v The Government of Malaysia & Ors [2019] 8 MLJ 331).

Conclusion

12. It is important to be mindful that ultimately, the amount awarded by the Court is discretionary and hinges on the specific facts of the case. It is crucial to support your claim with expert medical opinions and seek legal advice promptly, while details are still fresh in mind. This enhances the credibility of your case and ensures that you can effectively pursue compensation for the losses and suffering incurred.

About the authors

Chan Jia Ying
Senior Associate
Civil & Commercial Disputes Resolution, Corporate & Commercial Contracts, Taxation, Insolvency & Winding Up, Medico-Legal
Harold & Lam Partnership
jiaying@hlplawyers.com

Damia Amani binti Shaiful Bahri
Senior Associate
Dispute Resolution
Harold & Lam Partnership
damia@hlplawyers.com

Federal Court: Half-Truths that Harm the Reputation of a Person are Defamatory

Introduction

In the recent case of Seema Elizabeth Isoy v Tan Sri David Chiu Tat-Cheong [2024] CLJU 1180, the Federal Court held that a half-truth statement that presents a false impression and that harms the reputation of a person is defamatory. This kind of statement can safely be considered false in the circumstances. The Federal Court held that posting a half-truth statement (deliberately omitting a known material fact) and requesting the reader to google for more information is unfair to the person whom the half-truth statement is about.

Background Facts

The Appellant, Seema Elizabeth Isoy, is the registered owner of a unit in Waldorf & Windsor Tower Serviced Apartments (“W&W”) developed by Malaysia Land Properties Sdn Bhd (“Mayland”). The Appellant was a committee member of the W&W Management Corporation (“MC”). The Appellant and 55 other persons consisting of unit owners or their representatives were part of the W&W Whatsapp Group. The Respondent, Tan Sri David Chiu Tat-Cheong, is the chairman and founder of Mayland.

There were several disputes involving Mayland and W&W. In one of the cases, the High Court decided that Mayland had defrauded and/or made a false representation to W&W owners in respect of a common area in W&W. The Court of Appeal affirmed the decision of the High Court and leave to appeal to the Federal Court was not granted.

On 17.8.2017, the Appellant sent a text message (“Impugned Statement”) to the W&W Whatsapp Group (excerpt as follows):

In order for owners to know all the facts, I believe we have to step back even more and ask “who is Mayland?” Mayland is the CHIU family. So who is this Chiu family? Let’s have a very brief look at the publicly known facts about his family:
- The Chiu family is an extremely rich and successful family originating from China, then based in Hong Kong. Now with business in many countries, including Malaysia. I’m always happy for people’s happiness and good fortune but..
- Deacon Chiu (Sr.) has been in the past arrested and charged with conspiracy to falsify documents of the Far East Bank, where they were the major shareholders. For plotting to defraud the Commissioner of Banking by making false claims concerning the ownership of companies to which the bank had made advances of $ 352.5 million.
- Duncan Chiu (Deacon Sr’s son) has in the past been arrested for allegedly breaching the Theft Ordinance and the Companies Ordinance.
- David Chiu (Deacon Sr’s son) has been in the past arrested and charged for the same offenses as Deacon Sr. He also faced charges of conspiring to falsify documents purporting to show that more than $ 246 million in credit facilities had been granted to the bank by various companies.
And now the climax to this family saga:
- The same don (David Chiu) is the founder and Chairman of Mayland !!!
Mayland has been convicted of Fraud and Misrepresentation against W&W owners:
At High Court level
At Court of Appeal level
At Federal Court level
The apple doesn’t fall far from the tree… Please google these names to read more.

"the same son”

High Court

Dissatisfied with the Impugned Statement, the Respondent brought an action against the Appellant for defamation. After a full trial, the High Court dismissed the Respondent’s claims. The High Court found that the words referring to the Respondent in the Impugned Statement were not defamatory and that the Appellant established the defence of justification as the Impugned Statement was substantially true.

Court of Appeal

The Court of Appeal held that the Impugned Statement was defamatory. The words in the statement conveyed to the ordinary man that the Respondent is dishonest and a fraudster. The statement read as a whole, in its natural and ordinary meaning, had the tendency to disparage and injure the Respondent’s standing, character, and reputation. The statement also tended to excite the adverse opinion of those within the W&W Whatsapp Group against the Respondent.

The Court of Appeal also found that the posting of the Impugned Statement was actuated with malice. Although the Appellant was fully aware of the fact that the Respondent was acquitted of the said charge mentioned in the Impugned Statement long ago, she intentionally omitted to mention it in the statement. The Appellant had posted a half-truth statement and requested the reader to google for more information. As malice had been established, the Court of Appeal held that the Appellant’s defence of qualified privilege and fair comment was unsustainable.

The Court of Appeal set aside the decision of the High Court. The Respondent was awarded RM 100,000.00 as damages and a permanent injunction was granted to restrain the Appellant from publishing or spreading the Impugned Statement or similar defamatory words concerning the Respondent.

Federal Court

The Federal Court granted leave to appeal to the Appellant. The appeal before the Federal Court centers on the effect of a half-truth statement in defamation law in Malaysia, particularly whether a half-truth statement constitutes a false statement.

(i) Elements Of Defamation

The key elements of defamation are well established. A plaintiff/claimant must prove on a balance of probabilities that:
(a) the words are defamatory
(b) the words refer to the Plaintiff
(c) the words are published

(ii) Defamatory Test

The test in determining whether the words are defamatory is that those words in their natural and ordinary meaning:
(a) tend to lower the plaintiff in the estimation of a reasonable man in society
(b) impute the plaintiff’s dishonourable conduct or lack of integrity
(c) expose the plaintiff to hatred, contempt, or ridicule
(d) tend to excite against the plaintiff the adverse opinion of others.

The ordinary and natural meaning of the words must be considered in the context of the whole text or message, in its entirety and not in isolation. The Court may consider the literal meaning of the words or their implied, inferred innuendo, or indirect meaning. This also includes the implications or inferences that can be drawn from the words.

(iii) Half-Truth Statement

In the present case, it was not disputed that the Impugned Words were published by the Appellant in the W&W Whatsapp Group, which referred to the Respondent. The only element left to be proven is whether the Impugned Words were defamatory.

The Respondent in the present case complained that the Appellant’s Impugned Statement was not the whole truth of the material facts. It was not disputed that the Respondent was charged with a fraudulent act but was acquitted of the said charge. Although the charge against the Respondent mentioned in the Impugned Statement was true, the evidence established that when the Appellant published the Impugned Statement in the W&W Whatsapp Group, it was within the knowledge of the Appellant that the Respondent was acquitted of the charge. However, the Appellant omitted to state this material fact. The Appellant in her testimony revealed that she did not include the Respondent’s acquittal in the Impugned Statement as she already asked the readers to google for more information. The Appellant also did not state the Respondent was convicted of the charge.

Having perused the Impugned Statement in totality, the Federal Court observed that:
(a) The sting effect was that the Respondent was charged with the fraudulent act same as his father, Deacon Sr. The imputation to the readers was that the Respondent was not a person of good character and tended to excite against the Respondent the adverse opinion of others.
(b) If the fact that the Respondent was acquitted of the charge mentioned by the Appellant in the Impugned Statement, which was within the Appellant’s knowledge, had been stated, it certainly would have neutralized the sting in the eyes of the readers.
(c) The defence that the reader was asked to google for more information on the matter could not neutralise the defamatory nature of the Impugned Statement.
(d) The charging of the Respondent without stating that the Respondent was acquitted, in the circumstances, is a half-truth statement that harms the Respondent.
(e) The statement made is not substantially true and is false in substance. This is prejudicial and unfair to the Respondent as he was unable to justify the criminal act imputed by the impugned statement.

The Federal Court held that:
(a) The full truth that the Respondent was acquitted was deliberately not disclosed in the Impugned Statement and this placed a different complexion and effect on the statement.
(b) The message, without the fact that the Respondent had been acquitted, tainted the Respondent’s character and conduct and the Respondent was held in ridicule, reprobation, and contempt.
(c) This established the defamatory effect of the Impugned Statement.
(d) Although the charge against the Respondent was true, the omission to reveal that the Respondent was acquitted of the charge makes the statement false in substance.
(e) The half-truth statement by the Appellant is not substantially true, presenting a false impression that can be considered as a false statement viewed in totality, that adversely affects the Respondent’s reputation. Therefore, the Impugned Statement is defamatory of the Respondent.

(iv) Defence Of Justification, Qualified Privilege & Fair Comment

The Appellant in the present case raised the defence of justification, qualified privilege and fair comment.

The Federal Court was of the view that an action of deliberately publishing a half-truth statement that presents a false impression of a person which affects the person’s reputation and further expects the reader of the impugned statement to do a further search on the information is conduct actuated with malice. If the whole truth was revealed, it presents a completely different complexion of the published statement when read by readers.

Having considered the evidence in totality, the Federal Court found that the Impugned Statement concerning the Respondent was actuated with malice. Therefore, the defence of qualified privilege and fair comment is defeated and untenable.

Further, the Appellant’s defence of justification is unsustainable as the Impugned Statement was not substantially true and presented a false impression in the readers’ eyes. The defence of justification is founded on the truth of the statement or the statement made is substantially true.

Conclusion

The Federal Court unanimously affirmed the decision of the Court of Appeal which set aside the decision of the High Court.

About the author

Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my

Applicability of CIPAA After the Commencement of Arbitration

[A case summary of Tenaga Nasional Bhd v Malaysian Resources Corporation Bhd and other cases [2024] MLJU 682]

Key Takeaway: Construction Industry Payment and Adjudication Act (“CIPAA 2012”) is not limited to adjudication initiated before or concurrent to reference to arbitration.

Brief Background Facts:

The interpretation of the words ‘referred concurrently’ in subsection 37(1) of the CIPAA 2012 was the main issue in this case.

Tenaga Nasional Berhad (“TNB”) appointed Malaysian Resources Corporation Berhad (“MRCB”) as the main contractor for a project located at Bangsar, Kuala Lumpur (“Project”). Payment disputes arose between the parties in connection with the Project, particularly regarding the Final Account. MRCB referred the dispute to arbitration on 29.9.2021.

MRCB pursued an adjudication proceeding pursuant to CIPAA 2012 after the commencement of arbitration proceedings, by way of a Notice of Adjudication dated 25.3.2022. The Adjudication Decision dated 10.8.2022 was given in favour of MRCB (“Adjudication Decision”). TNB then applied to set aside the Adjudication Decision under section 15 of CIPAA 2012.

One of the grounds raised by TNB in its setting aside concerned the issue of ‘whether the Adjudication Decision is null and void because the Adjudicator lacks absolute jurisdiction due to MRCB’s failure to comply with subsection 37(1) CIPAA by commencing the adjudication 5 months and 25 days after the reference to arbitration?’.

Section 37 of CIPAA 2012 sets out the relationship between adjudication and other dispute resolution processes, as follows:

“(1) A dispute in respect of payment under a construction contract may be referred concurrently to adjudication, arbitration or the court.
(2) Subject to subsection (3), a reference to arbitration or the court in respect of a dispute which is being adjudicated shall not bring the adjudication proceedings to an end nor affect the adjudication proceedings.
(3) An adjudication proceeding is terminated if the dispute being adjudicated is settled by agreement in writing between the parties or decided by arbitration or the court.”

During the setting aside hearing, TNB took the position that section 37 of CIPAA 2012 envisages a situation where a party may opt to refer the dispute to arbitration or the court after initiation of adjudication proceedings under CIPAA, without any consequential effect to the adjudication proceedings. By commencing arbitration first, MRCB had thereby removed itself from the ambit of CIPAA and the claims do not form part of, or fall within, the parameters of CIPAA 2012 or the subject matter of which CIPAA 2012 has conferred jurisdiction on the adjudicator.

On this point, TNB referred to the wording of section 37 of CIPAA 2012 and section 23 of the Arbitration Act 2005 (“AA 2005”) on ‘Commencement of arbitral proceedings’, and submitted that it is the issuance of the notice to arbitrate that has to be concurrent with adjudication under the CIPAA and it must not come after the initiation of adjudication proceedings by serving the written notice of adjudication as stipulated in section 8(1) of the CIPAA 2012. The reason relied upon by TNB is that the purpose of CIPAA 2012 would be defeated if a party opts to resolve the dispute through another dispute resolution process instead of adjudication.

In addition, thorough discussions and legal research on the definition of the words ‘may’ and ‘concurrent’ in section 37(1) of CIPAA 2012 were submitted by the parties during the hearing.

Interestingly, TNB made a comparison between section 37(1) of CIPAA 2012 and section 10 of the AA 2005, and submitted that it is clear that the word "may" in the context of CIPAA 2012 should not be interpreted as merely directive. The word "may" must be considered in conjunction with the term "concurrently" in the same provision. The CIPAA 2012 explicitly states that adjudication proceedings should be commenced concurrently, indicating a requirement for timely action rather than unfettered discretion. The interpretation of "may" should not always be seen as optional, as demonstrated in legal precedents such as Bursa Malaysia Securities Bhd v Mohd Afrizan bin Husain and Maya Maju (M) Sdn Bhd v Putrajaya Homes Sdn Bhd [2018] MLJU 1629.

TNB concluded that the word "may" in the context of CIPAA 2012 recognises that parties have the option to choose between commencing adjudication as a stand-alone process or combining adjudication with arbitration or court proceedings. However, if the party selects the latter option, they must do so concurrently, as the mandatory nature of section 37(1) of CIPAA 2012 takes precedence over the discretionary use of the word "may."

As regards the word ‘concurrently’, TNB referred to Black’s Law Dictionary, Ninth Edition, where ‘concurrent’ is defined as ‘Operating at the same time’. In the national language version of CIPAA 2012, the word ‘serentak’ is defined in the National Dictionary, 4th Edition as ‘pada waktu yang sama’. TNB then urged the High Court to consider the word ‘referred concurrently’ as denoting the timing for the commencement of the applicable dispute resolution process.

On the other hand, MRCB drew a parallel with the concept of imprisonment sentences to run concurrently as opposed to consecutively in criminal cases and therefore, the plain and ordinary meaning of the word would be ‘at the same time’. However, MRCB took the firm position that this interpretation cannot stand as it would lead to absurdity and cause an unpaid party to lose its right to adjudication if the available remedies are not strictly commenced at the same time.

Disagreeing with TNB’s interpretation, the High Court found that in interpreting section 37 of CIPAA 2012, the words "may" and "referred concurrently" shouldn't be understood purely on a grammatical level but should be considered in the broader context of the purpose of CIPAA 2012. The Court was of the view that the Court ought to interpret the provision in a manner that aligns with the objectives of CIPAA 2012, as discussed in previous landmark cases. The phrase "being adjudicated" therefore doesn't require an existing adjudication before parties can initiate litigation.

Conclusion

Accordingly, reading the words “referred concurrently” in the context in which they are used in section 37(1) of CIPAA 2012, and bearing in mind the purpose or object of CIPAA 2012, adjudication proceedings under CIPAA 2012 can be initiated at any time, concurrently with arbitration or litigation, and even after arbitration or court proceedings have commenced and are still pending.

About the author

Felicia Lai Wai Kim
Senior Associate
Engineering, Construction & Engineering Disputes
Harold & Lam Partnership
felicia@hlplawyers.com

Definition of Market Value

Recently, the High Court in Prima Cahaya Sdn Bhd v Pemungut Duti Setem (WA-24-40-07/2022) allowed the stamp duty appeal of Prima Chaya Sdn Bhd (“Taxpayer”) and held that, amongst others, market value means an amount that a willing seller and willing buyer are ready to transact at without any compulsion bearing in mind the assessed market value is a value after the pandemic, when businesses and general economy are struggling to pick up and normalize again. The subject matter of this case is the market value of Menara Tulus (formerly the Royal Malaysian Customs Department’s headquarters at Putrajaya) (“Property”) – whether the market value of the Property is based on the forced sale value transacted or the valuation report prepared by the Jabatan Penilaian and Perkhidmatan Harta (“JPPH”). The salient facts of Prima Cahaya (supra) are as follows: a) TRW Boulevard Square (“Vendor”) had previously charged the Property to Ambank Islamic Berhad (“Ambank”) as security for Islamic financing facilities. b) As the Vendor failed to fulfill its financial obligations, Ambank then placed the Property under receivership. c) The appointed Receivers & Managers (“R&M”) then appointed a valuer to conduct a valuation on the distressed Property - the market value of the Property at RM170,000,000 and the forced sale value at RM130,000,000. d) Upon the R&M application, the Kuala Lumpur High Court granted the order for sale by way of public auction at the reserve price of RM170,000,000. e) However, the Property remained unsold albeit three rounds of public auction and the reserved price was revised downwards to RM137,700,000. f) Subsequently, the R&M received a private offer of RM115,000,000 made by Bestinet Sdn Bhd (“Bestinet”) and the R&M agreed with the said private offer. g) However, Bestinet was unable to complete the principal SPA, and thus Bestinet assigned and transferred all its rights, title, interest, and benefit to the Taxpayer by executing a deed of assignment. 
h) Pursuant to the submission of the instrument by the Taxpayer through its solicitors to the Stamp Office for adjudication, the Stamp Office submitted an application to JPPH to conduct a valuation of the Property. JPPH valued the Property at RM227,250,000 (“JPPH’s Valuation”).
i) Although the Taxpayer appealed twice against JPPH’s Valuation, which was adopted by the Stamp Office, the Stamp Office maintained its decision.
j) Being aggrieved, the Taxpayer paid the stamp duty under protest and appealed to the High Court.

The High Court allowed the Taxpayer’s appeal and held that, amongst others:

Market Value

a) The Stamp Act 1949 does not provide any definition or interpretation of the term “market value”. Therefore, as per the decision of Suffian LP (as he then was) in the case of Collector of Stamp Duties v. Ng Fah In & Ors [1981] 1 MLJ 288, the definition of market value in the Land Acquisition Act 1960 should be adopted, which reads as follows: “Market Value is the estimated amount for which an asset or liability should exchange on the valuation date between a willing buyer and a willing seller in an arm's length transaction after proper marketing and where the parties had each acted knowledgeably, prudently and without compulsion”
b) In Nanyang Manufacturing Co v. The Collector of Land Revenue, Johore [1954] 1 MLJ 69, it was found that the safest guide to determine the fair market value is the evidence of sales of the same land or similar land in the neighborhood after making due allowance for all the circumstances.
c) In assessing a valuation, the primary method should be the comparison method.
d) Notably, it is a requirement under the Land Acquisition Act 1960 that a comparable must be successfully transacted in order to be used in the comparison method.

JPPH’s Valuation

e) No informal or preliminary report was produced by the Stamp Office to support that JPPH’s Valuation was done before the Stamp Office issued the notice of assessment.
f) In fact, the JPPH’s valuation report was prepared after the event, as JPPH’s valuer conducted the site visit after the Taxpayer appealed against the notice of assessment.
g) Thus, the JPPH’s valuation report is merely an after-the-fact attempt to justify the stamp duty charged.
h) Most of the comparables used by the JPPH are not good comparables as those comparables were not successfully transacted.
i) The comparables used by the JPPH that were successfully transacted are still not good comparables, as those comparables were transacted 7 years before the date of the Property being successfully transacted.
j) The adjustment of 10% for the time factor was unexplained by the JPPH.
k) Lastly, one of the comparables cannot be considered because it was transacted in 2011 (the peak of the economy); it would therefore be unfair, or to the disadvantage of the Taxpayer, for the valuation not to take into account the pandemic in late 2019 to 2021 in assessing the value of the Property.
l) By applying the comparison method, the Stamp Office is actually relying on unsuitable or inappropriate comparables.

Determination of Market Value

m) The practicality of the situation needs to be considered in determining the market value.
n) The Property was a distressed property that was placed under public auction at the reserve price of RM170,000,000, which is far lower than the purported 'market value' as determined by the Stamp Office or the JPPH.
o) It must be noted that there was neither an interested nor a willing buyer motivated enough to purchase it at the respective reserve prices (after three rounds of public auctions being held).
p) The valuation for the reserve price was conducted in 2018, prior to the Covid-19 pandemic.
q) It is noteworthy that a 'reserve price' is fixed with the court's concurrence based on valuation and not some figure plucked out of the sky.
r) The agreed sale price of RM117,000,000.00 between a willing seller who was neither overly eager nor forced to sell at that price nor prepared to sell at a price not considered reasonable in the current market and a willing buyer motivated enough to purchase at that price was made at arm's length as the parties are not related.
s) It is therefore illogical to treat the 'market value' as assessed by JPPH, which is far higher than the amount anyone is willing to pay in an auction, as reflective of a realistic 'market value' that a willing buyer and willing seller are ready to transact at without any compulsion, bearing in mind that the 'market value' as assessed is a value after the pandemic, when businesses and the general economy are struggling to pick up and normalize again.

Comments

This case is an interesting development in relation to ‘market value’, as the High Court in Prima Cahaya (supra) set out the test in determining ‘market value’ and analysed, amongst others, the comparison method at great length, which serves as great guidance for taxpayers at large. This case also reflects that our courts do take cognisance of the pandemic in determining ‘market value’. Notably, the High Court made it crystal clear that ‘market value’ means the sale price agreed by a willing seller who was neither overly eager nor forced to sell at that price nor prepared to sell at a price not considered reasonable in the current market and a willing buyer motivated enough to purchase at that price, which was made at arm's length as the parties are not related.

About the author

Desmond Liew Zhi Hong
Partner, Tax
Halim Hong & Quek
desmond.liew@hhq.com.my

Centralised Air-Conditioning Facilities: Its Classification as “Common Property” Within The Legislative Frameworks

Introduction

The legal definition of “Common Property” as provided under the relevant Act would include lifts, escalators, stairways, passageways, landings, lobbies, corridors, stairs, parking areas, lavatories for public use, refuse chambers, drains, water mains, sewers, pipes, wires and cables. The list is non-exhaustive and includes facilities that can be used and enjoyed by occupants of the building.

How do we determine the extent of usage of the common property, particularly the Centralised Air-Conditioning Facilities?

In the recent Court of Appeal decision of AUM Capital Sdn Bhd v Menara UOA Bangsar Management Corporation Sdn Bhd [2024] 3 MLRA 428, it was held inter alia that “exclusivity” or the extent of usage or benefit by owners of the building is irrelevant to the question of whether the Centralised Air-Conditioning Facilities are common property. The fundamental tenet of strata law is that the common property of a development area is generally taken as a whole, regardless of each proprietor’s level of use or enjoyment of the common property. The appellant, the registered proprietor of the building, Menara UOA Bangsar (“Building”), appealed against the decision delivered by the High Court.
There were five (5) questions of law posed to the High Court; however, we have extracted and summarised the issues relevant to the questions posed under this article as follows:

1) the Centralised Air-Conditioning Facilities in respect of (i) the common property of Tower A, Tower B and the car parks, and (ii) the private parcels of Tower B and the retail area were not utilised or enjoyed by all occupants of the building but solely for the benefit of a particular private parcel owner, namely UOA REIT; therefore the Centralised Air-Conditioning Facilities cannot be classified as common property; and
2) the Management Corporation has unlawfully utilised the monies from the maintenance account to maintain the Centralised Air-Conditioning Facilities and compelled the Respondent to reimburse all monies paid towards maintaining the same.

Is it common property or otherwise?

The Court referred to Section 2 of the Strata Management Act 2013, whereby common property in relation to a subdivided building means “so much of the lot (i) as is not comprised in any parcel, including any accessory parcel, or any provisional block as shown in a certified strata plan and (ii) used or capable of being used or enjoyed by occupiers of two or more parcels” and Section 4 of the Strata Titles Act 1985: “common property means so much of the lot as is not comprised in any parcel (including any accessory parcel), or any provisional block as shown in an approved strata plan”. In addition, the Court relied on the Court of Appeal’s decision in the case of Perbadanan Pengurusan 3 Two Square v. 3 Two Square Sdn Bhd & Anor & Another Appeal [2019] MLRAU 454, where it was held that “… there is no need for there to have been labels affixed to the relevant areas to be designated as common property; all the areas that are not identified as parcels will automatically be regarded as common property; Nowhere is the concept of exclusive or special use provided for in the Strata Titles Act.”

Therefore, it was held that common property is almost exclusively defined by reference to the location. Based on the plans and photographs of the Building, it can be clearly seen that the Centralised Air-Conditioning Facilities are located outside of any private parcels. Therefore, the Centralised Air-Conditioning Facilities are rightly defined and fall within the definition of common property.

Does the right to seek reimbursement arise?

The Court also agreed with the Respondent’s Counsel’s submission that “… the practice of charging different rates of service charges to take into account the specific amount of usage of different elements of common property, for example, lifts and swimming pools, does not accord with the legislative intent of the 2013 Act, which requires the management corporation to impose a single rate of service charges on all parcels according to their share units unless those parcels are used for “substantially different purposes” according to s 60 of the 2013 Act.” The Management Corporation cannot rely on the express wording of Section 59(3)(b) of the Strata Management Act 2013 that empowers a management corporation to recover “any money expended” in performing any “repairs, work, or act” if “the repairs, work, or act were or was wholly or substantially for the benefit of some of the parcels only...” simply because the Centralised Air-Conditioning Facilities do not benefit some of the parcels of the Building.
It follows that the Management Corporation is, therefore, statutorily duty-bound to properly maintain and manage the common property and is required to bear the costs and expenses of operating the Centralised Air-Conditioning Facilities, including the electricity and maintenance costs thereon (Section 59(1)(a) of the Strata Management Act 2013), irrespective of the fact that the facilities substantially benefit some but not all parcels, so long as the facilities benefit the common property as well. Hence, there is no legal obligation on the Management Corporation to seek reimbursement from the proprietors of individual parcels of the said Building for the maintenance charges paid by the Management Corporation in maintaining the Centralised Air-Conditioning Facilities.

Summary

In summary, the decision reaffirms the legislative intent of ensuring equitable management of common property within strata developments, emphasizing the collective responsibility of all owners in bearing maintenance costs. The categorisation of common property within the legislative frameworks is irrespective of individual benefit levels. Referring to pertinent sections of the Strata Management Act 2013 and Strata Titles Act 1985, the court highlighted that common property is primarily determined by location rather than individual usage. Consequently, the legal obligation of the Management Corporation stands within the relevant provisions of the Act to collect and pay for the maintenance of such facilities within the exterior of all common parts regardless of varied benefit distribution among parcels.

About the author

Sharifa Nurliliyana binti Abd Karim
Senior Associate, Real Estate
Halim Hong & Quek
sharifa@hhq.com.my

The Ultimate Guide to Corporate Investments in Malaysia's Data Center Sector: Strategies and Opportunities Explained

With the AI boom and the rapid advancement of technology, one of the hottest investment opportunities in Malaysia is undoubtedly in the data center sector. Global technology giants such as Nvidia, ByteDance, Microsoft, Google, and Singtel are expanding their data center footprints into Malaysia. Naturally, investors, companies, developers, landowners, contractors, and infrastructure owners are all looking for ways to benefit from this data center boom.

In this article, we aim to explore the investment opportunities in data centers from a corporate investment perspective. If you are considering an investment or a stake in data centers, this will serve as a foundational guide to understanding the various business models and opportunities in this sector.

The Complexity of Data Center Development

Developing a data center is significantly more complex than traditional real estate projects such as corporate towers, shopping malls, or hotels. It is rare for a single entity to handle the entire process of developing, funding, constructing, leasing, finding tenants, and managing a data center due to the following 5 critical factors:

1. Funding: The construction of a data center is capital-intensive, with investments ranging from hundreds of millions to even billions of dollars, depending on the scale and specifications. The cost of developing data center capacity is often measured in price per MW of critical power. For Tier III facilities, this can range from $7-10 million per MW, depending on location and specifications. For instance, the development of a 50MW hyperscale data center in Malaysia can require investments upwards of $450 million. Securing financing involves engaging with core funders who can provide substantial capital or financial guarantees. Potential funding sources include large banks, private equity firms, and institutional investors. Corporate guarantees from financially robust companies are often necessary to secure loans with favorable terms.
2. Land: Identifying and acquiring suitable land for a data center in Malaysia poses numerous challenges. Beyond just land, there are specific infrastructure requirements such as tunnels for cabling, substations for power distribution, redundant power supplies, and robust water cooling systems. The selection criteria for land include proximity to fiber optic networks, availability of renewable energy sources, and minimal risk of natural disasters. Collaboration with experienced property developers familiar with local zoning laws and government approval processes is crucial to navigate these complexities efficiently.

3. EPC Contracts: The complexity of modern data centers, particularly hyperscale, Tier-4, or AI data centers, necessitates sophisticated Engineering, Procurement, and Construction (EPC) contracts. Hyperscale data centers, for example, require high-density power configurations, advanced cooling systems, and extensive cybersecurity measures. An effective EPC contract must outline the specific technical requirements, performance standards, and compliance with international standards such as the Uptime Institute’s Tier Standards and ASHRAE guidelines. Choosing experienced EPC contractors with a track record in large-scale data center projects is essential to ensure successful project delivery.

4. Management: Effective data center management requires specialized expertise in areas such as IT operations, facilities management, and cybersecurity. Data centers demand near 100% uptime, as any failure or downtime can lead to substantial financial losses and significant compensation liabilities. Therefore, it is crucial to implement protocols such as advanced monitoring systems, predictive maintenance, and robust disaster recovery plans as essential components of effective data center management.

5. Tenants and Clients: Understanding the purpose of the data center, whether for self-consumption or leasing, is critical. As demand for data centers grows, so does the supply. Geopolitical concerns, such as US-China tensions, also influence client decisions, particularly regarding the sources of chips and racks within the data center. High utilization rates, typically 80%, are crucial for maximizing returns on a data center investment. To attract quality anchor tenants and a diverse, high-quality tenant base, data centers need to offer value-added services such as cloud computing, colocation, and managed services, which also enhance revenue streams.

Corporate Investment Opportunities

Given these complexities, corporate investment opportunities in data center development generally fall into three categories:

1. Joint Ventures (JVs): This model involves collaboration among developers, funders, EPC contractors, and data center managers to collectively construct, build, and manage data centers. JVs leverage the strengths of each party to navigate the intricacies of data center projects. For instance, a property developer might provide land and local expertise, while a technology company contributes its knowledge in IT infrastructure and management. The shared risk and pooled resources make JVs a viable option for large-scale data center projects.

2. Acquisitions: Companies that prefer to avoid the lengthy process of constructing a data center from scratch can opt to acquire existing data centers. This approach allows them to immediately integrate the asset into their portfolio and manage it directly. Acquisitions can be particularly attractive for companies looking to expand their data center footprint quickly to meet growing demand. Due diligence in assessing the existing facility's condition, tenant agreements, and operational performance is crucial to ensure a sound investment.

3. Funding by Sovereign Wealth Funds, Listed Companies or Private Equity Firms: Data centers are highly attractive to sovereign wealth funds, listed companies, and private equity firms due to their potential for high returns. In Malaysia, mature data centers can potentially yield EBITDA margins typically in the range of 40% to 60%, and the capitalization rates and triple-net ROI for data centers could even exceed 7%, influenced by location, tenant quality, lease terms, facility specifications, and overall market conditions, making them a lucrative investment for funds looking to invest and possibly exit through REIT listings. Sovereign wealth funds, listed companies or private equity firms can provide the necessary capital for development and leverage their networks to secure high-value tenants. Additionally, REITs offer liquidity and diversification benefits for investors seeking exposure to the data center sector.

Strategic Considerations for Corporate Investment

Depending on their investment thesis, companies may explore various strategic opportunities:

1. Land Disposal: Landowners or developers with significant land banks may view the data center boom as an opportunity to sell land at a premium. This strategy offers a substantial one-time gain but limits long-term profit potential. For example, prime locations near urban centers with excellent connectivity infrastructure can command significantly higher prices, attracting both local and international investors.

2. JV with Intent to Sell: Some entities might form a JV to develop and construct a data center with the intention of selling it to another company that specializes in data center management. This strategy can be more lucrative than merely selling the land, as the completed data center represents a higher-value asset. By leveraging the combined expertise of JV partners, the project can achieve higher efficiency and quality, making it more attractive to potential buyers.

3. Long-term JV Management: Developers or landowners might form a JV to co-own and manage the data center, generating long-term income for all stakeholders involved. This approach leverages the ongoing demand for data center services and provides a steady revenue stream. Long-term management requires implementing advanced data center infrastructure management (DCIM) tools, optimizing energy efficiency, and maintaining high levels of customer satisfaction through robust service level agreements (SLAs).

4. Full Ownership: Ambitious players may choose to fully own and operate the data center. This path is the most challenging as it requires dedicated focus on development, management, maintenance, and client acquisition. However, it also offers the highest potential profits, as there are no management fees to external parties. Full ownership entails significant responsibilities, including continuous innovation in data center technologies, maintaining competitive pricing, and ensuring compliance with evolving regulatory standards.

Conclusion

The data center economy in Malaysia is rapidly growing, presenting numerous considerations for potential investors. From a corporate investment perspective, there is no one-size-fits-all solution. The best approach depends on an entity’s capacity and strategic objectives, whether they are seeking short-term gains or aiming for long-term management and income generation. By understanding the various business models and investment opportunities, companies can make informed decisions to capitalize on this booming sector.

If you are considering exploring opportunities in Malaysia's thriving data center sector or corporate investments, reach out to our team of experts today. Our experienced lawyers specialize in navigating the complexities of data center development and corporate investments in Malaysia. Whether you're looking for legal guidance on land acquisitions, joint ventures, or navigating regulatory landscapes, we're here to provide tailored advice and support. Contact us to learn more about how we can assist you in maximizing your investments in this dynamic industry.

About the authors

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Reviewing Technology Outsourcing Contracts – What Legal Counsels Should Take Note Of

It is undeniable that technology has become integral to our everyday lives. Beyond our personal lives, we also use technology in our work tasks, almost certainly on a daily basis. Businesses and corporations everywhere in the world have long accepted the fact that technology adoption is crucial in boosting productivity, which in turn drives revenue and business growth. From fundamental productivity tools such as Microsoft 365 subscriptions and customer relationship management software, to state-of-the-art and complex cloud infrastructure solutions and mainframe software, different types of software or technology would be sought after by customers from different industries, sizes and profiles.

Due to the increasing demand for technology adoption by companies, the in-house legal counsel that we have spoken to have generally experienced a gradual increase in the technology outsourcing contracts that they are tasked to review and negotiate on behalf of their employers. To facilitate the work of our in-house legal friends, we have put together a breakdown of the common issues that companies may face in technology outsourcing contracts that the legal teams should pay more attention to while trying to protect the interest of their employers.

1. Understanding the Vendor’s Capacity

The vendor in a technology outsourcing contract is often assumed to be the software principal or the owner of the technology. This may not however be the case, given that most technology or software owners deploy their solutions through resellers or channel partners. As such, the vendor that is entering into a technology outsourcing contract with the customer may not actually have any ownership of the underlying intellectual property rights being licensed.
It would be crucial for in-house legal to ascertain the capacity of the vendor up front, as this will affect the extent of the contractual warranties that the vendor is able to provide. Where resellers or channel partners are involved, the customer may actually be required to separately enter into an End User Licence Agreement (more commonly known as a “EULA”) with the actual solution owner, in order to derive its rights to use the technology or solution. More often than not, the terms of a EULA would be non-negotiable.

2. Data Ownership

In cases where the customers’ own data would actually be inputted into the software or be uploaded onto the cloud, or where the vendors would be tasked to manage and process the customers’ data and the technology will be used to generate some form of analytical output data based on the customers’ inputted data, regard will have to be paid to the ownership of these data, particularly the analytical output generated. In today’s age where big data is the new oil, data holds significant value to a corporation. Depending on how the data is being processed and analysed, it can potentially show how effective a company’s advertising effort is, which product of a company is generating the most revenue, what new features consumers want a company to introduce in its products, etc. As such, it is important that companies address the ownership of any data they feed into a software or cloud, as well as the output generated by the software or technology after having processed or analysed the inputted data.

3. Availability of Escrow

Software escrow, while not in itself a common offering, can be very crucial in the event a company is licensing a piece of software to be used for its mission-critical operations. The company has to rely on the software vendor to provide timely maintenance and consistent updates and upgrades to the software.
Given that the stakes are high if the software is not maintained adequately or where the software vendor goes into liquidation or stops maintaining the software due to obsolescence, the company licensing the software may want to consider requesting a software escrow arrangement to be put in place. The escrow will clearly spell out the conditions under which the source code of the software will be released to the company, allowing the company to step in to maintain the software on its own. Bankruptcy or liquidation of the software vendor, or cessation of maintenance or support to the licensed software, are some of the more common release triggers in a software escrow arrangement.

4. Intellectual Property Indemnity

Given the speed at which new patches, updates or upgrades are being introduced to a piece of software, and how software and technology owners are constantly looking to improve their products with new or enhanced features, there will always be risks that the newly implemented changes to a software may infringe upon third party intellectual property rights. For this reason, software vendors would usually offer intellectual property indemnity to customers, committing to indemnifying the customers for any losses and damages they may suffer in the event of third party intellectual property infringement claims against the customers. The intellectual property indemnity may however be conditional upon the customers having notified the software vendors of the claim promptly, the customers agreeing to allow the software vendors to have full control over the defence of any potential claims, the claim not being a result of misuse of the software by the customers, etc. In some circumstances, in addition to intellectual property indemnity, customers can also ask for a commitment by the software vendors to procure rights to continued usage of the infringing software or replace the same with a different product with similar features.

5. Service Level Agreement

The service level agreement, more commonly known as the “SLA”, is without a doubt one of the most heavily negotiated components of any technology outsourcing contract. Depending on how stringent the requirements and expectations of a customer are, and how sophisticated and complex the vendor’s products are, the software vendors may be reluctant to commit to the service levels imposed by the customers, as failure to comply will likely lead to service credits, and potentially trigger rights to terminate the contracts by the customers in the event of repeated failures. Creative structuring of the SLA, such as the introduction of progressive service levels, service credit holidays, earn-back mechanisms, etc., may help to incentivize the software vendors to commit to the service level requested. (For more information on how to structure an SLA, you may refer to our earlier article titled “Structuring Effective Service Level Agreement” at https://hhq.com.my/posts/structuring-effective-service-level-agreement/).

Clearly, reviewing and negotiating a technology outsourcing agreement is not as straightforward as some might think, due to the intricacies of the technology industry, and the ever-evolving trends and practices adopted by technology and software providers. As such, it is important for in-house legal to be equipped with some understanding of the industry, or for them to work with technology lawyers who are very familiar with the industry, to ensure that the organisation’s interest is well safeguarded.

Should you have any enquiries or if you need any assistance in reviewing and/or negotiating any technology outsourcing contracts for your organisation, please do not hesitate to contact the partners from the Technology Practice Group:

About the authors

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Navigating Competition Law in the Expanding Technology Industry: A Focus on Hardcore Horizontal Restrictions

As the technology industry expands at a rapid pace, it brings with it a multitude of legal issues that accompany the growth of both companies and the sector as a whole. In this article, we aim to highlight an area of law that may have been overlooked by companies and general counsel: competition law. This area has increasingly drawn the attention of regulators intent on ensuring that the market remains fair and undistorted for the benefit of consumers.

Heightened Competition Law Scrutiny: A Global Perspective

Competition law (antitrust) investigations are becoming ubiquitous globally, a trend that companies and their legal teams cannot afford to neglect. Recently, U.S. regulators signaled their intention to open antitrust investigations into three major players in the artificial intelligence industry: Microsoft, Nvidia, and OpenAI. These companies, which are rapidly gaining dominance in the AI market with their software and semiconductors, are under scrutiny to determine if their practices are anticompetitive.

Understanding Hardcore Restrictions in Malaysia

As Malaysia positions itself as a regional technology hub—particularly in data centers, digital infrastructures, semiconductor manufacturing, and technology software—companies must be vigilant about competition law.

The Competition Act 2010 governs competition law in Malaysia, and it outlines strict regulations against practices that prevent, restrict, or distort competition. In the realm of competition law, context is crucial in determining whether any conduct, agreement, or arrangement has a significant anti-competitive effect. However, certain horizontal agreements are deemed to have anti-competitive objects outright, eliminating the need for further examination of their effects. These agreements, known as "hardcore restrictions," are critical for technology companies to avoid.

Four Types of Hardcore Restrictions:

1. Price Fixing - Price fixing occurs when competing firms at the same market level conspire to set prices for their products or services, bypassing market competition. This disrupts free market competition and can lead to artificially high prices for consumers. In a scenario where software companies conspire to fix subscription prices, it would involve multiple companies in the same market agreeing to maintain a certain price level for their subscription services, thereby eliminating competitive pricing dynamics. For instance, if several cloud storage providers agree to set their monthly subscription fees at $20, regardless of features or quality of service, they would be engaging in price fixing.

2. Market Allocation - Market allocation involves competitors agreeing to divide customers, markets, or geographic territories to avoid competition. This practice restricts competition and can lead to higher prices and reduced choices for consumers. In the technology industry, market allocation among competing firms might involve agreements to divide up specific customer segments, target demographics, or even technological niches to avoid direct competition. For instance, if two major social media platforms agree to exclusively target different age groups or demographics, such as one platform focusing solely on users aged 18-25 and the other targeting users aged 26-50, they would effectively be engaging in market allocation.

3. Limiting Production, Market Outlets, Technical Development, or Investment - This type of agreement occurs when competitors agree to restrict production, market outlets, technical development, or investment to reduce competition and maintain higher prices or market shares. In the technology industry, limiting production, market outlets, technical development, or investment could manifest as agreements among competing firms to constrain the release of new products or features, restrict the expansion of distribution channels, or curb investments in research and development to maintain dominance or artificially inflate prices. For example, if several major smartphone manufacturers agree to limit the release of new models to only one per year and refrain from investing in emerging technologies, they would effectively be restricting market supply and impeding technological progress. This would result in consumers having fewer options for innovative devices and features, potentially leading to higher prices and stifling industry advancement.

4. Bid Rigging - Bid rigging involves competing firms conspiring to manipulate the outcome of a bidding process, typically to ensure each firm wins contracts in turn. This can include agreements to refrain from bidding or to submit deliberately non-competitive bids. For instance, if multiple technology companies bid for digital infrastructure projects and agree that only one will submit a competitive bid while others submit artificially high or substandard bids, they engage in bid rigging. This practice undermines fair competition and can lead to inflated project costs and suboptimal outcomes for the contracting entity.

Conclusion

These four types of horizontal agreements are deemed to have anti-competitive objects and are prohibited under competition law, regardless of the market shares of the companies involved. It is crucial for general counsels and organizations within the technology sector to ensure that they do not engage in any of these practices. Vigilance in adhering to competition laws not only avoids legal repercussions but also promotes a fair and competitive market environment that benefits consumers and fosters innovation.

Should any inquiries or concerns arise regarding competition law matters, especially within the technology sector, we encourage reaching out to our experienced legal team. With a deep understanding of both the intricacies of the technology industry and competition law, our lawyers stand ready to provide guidance and support tailored to your specific needs.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

GPU-AS-A-SERVICE – BENEFITS AND LEGAL CONCERNS

Artificial intelligence (“AI”) has been the talk of the town for more than a year now. The hype surrounding AI and the potential (think increased revenue and commercial advantages) that it may bring pretty much “convinced” many companies to now also brand themselves as “AI companies”, looking to deploy their own AI models. It is an established fact that training and deploying AI models require a vast amount of computing power. A graphics processing unit (“GPU”) is a type of electronic circuit traditionally used for video rendering, image creation and processing games with high-quality graphics. Owing to its ability to perform and process many operations in parallel, a GPU is also very suitable for AI training and generally any task that requires high computing power.

The increase in the number of AI companies inevitably also translates to an increased demand for advanced GPUs, which in turn results in a supply shortage – like it or not, there are only so many companies globally capable of producing and supplying advanced GPUs. GPU-as-a-Service, or “GPUaaS”, is an attempt by some companies to address the GPU shortage faced by the industry. GPUaaS is essentially a cloud-based solution that rents out access to GPUs to organisations that need them, on demand. In this article, we will be breaking down some benefits of subscribing to GPUaaS and laying down some of the key considerations to take note of for companies thinking of resorting to GPUaaS.

Benefits of GPU-as-a-Service

Apart from allowing quicker access to GPUs, GPUaaS also provides several other benefits to its subscribers, making its adoption easy to justify to the stakeholders of companies. Cost efficiency is often one of the main benefits cited by companies when opting for GPUaaS as opposed to its on-premise counterpart. Instead of having to invest in and maintain physical infrastructure and specialised hardware, which also attracts other operational costs caused by energy consumption and cooling requirements, companies utilising GPUaaS only pay subscription fees based on their project requirements.

Just like other cloud services, GPUaaS also offers the same flexibility and scalability to its subscribers. Users are often given the option to scale up (or scale down in some instances) their computing needs based on their project requirements, all without having to invest in physical infrastructure and hardware only for that temporary increase in usage need.

Given the technicalities and specialised know-how that may be required to operate and maintain an on-premise GPU facility, it may not be worthwhile and commercially viable for companies that are not traditionally involved in this space to set up a new business unit just for this purpose. This is also one of the reasons why GPUaaS became the preferred choice of many companies traditionally involved in other businesses that have now decided to venture into the AI space. By paying professional service providers for GPUaaS, companies can better focus their resources and attention on building their business and expanding their topline.

Legal Concerns of GPUaaS

We certainly cannot talk about all the advantages of GPUaaS without highlighting some key legal considerations that companies looking to offer or adopt GPUaaS should take note of.

1. Data Security

For companies that may have concerns about storing their data in the cloud, or companies that are under strict regulatory requirements on data security, GPUaaS may not be the most suitable option. Granted that it provides flexibility, scalability and cost savings, companies subscribed to GPUaaS are essentially relying on the GPUaaS providers to take charge of the security of their data. Companies with data security concerns should ensure that there are adequate data security assurances provided in the GPUaaS agreement with the service providers so that risks are allocated appropriately. Companies may also want to consider retaining the contractual rights to conduct audits on the security measures put in place by the GPUaaS providers. Where regulations impose data localisation requirements, companies should then enquire about the location of the physical facilities of the GPUaaS providers to ensure that the data localisation requirements can be met.

2. Termination Assistance

It is no surprise that companies subscribed to GPUaaS may actually store a vast amount of data on the cloud infrastructure of the GPUaaS provider. Considering the possibility that these data may be mission-critical to the companies, it is crucial that the companies secure some commitments from the GPUaaS provider for the rendering of termination assistance covering the migration or transition of these data, either to the companies’ own GPU facilities or to a third-party outsourced service provider, in the event of a termination or expiry of the GPUaaS agreement, including stating clear timelines and responsibilities for the termination process to ensure a smooth transition and minimize the risk of data loss or downtime. This is all to ensure that in the event of a termination or expiry of the GPUaaS contract, the companies will not suffer any unplanned interruption of their business operations.

3. Service Levels

In a GPUaaS arrangement, given that the operation of the GPU is beyond the direct control of the companies, the agreement for GPUaaS should address the service level that the GPUaaS provider is committed to. It would be of utmost importance that the GPUaaS agreement at the very minimum provides for the service levels of remedial action that the GPUaaS provider should take in the event of an unplanned service interruption or downtime.

4. Licensing Requirement

GPUaaS at its core is essentially a form of infrastructure-as-a-service (“IaaS”). Some countries may actually require the providers of IaaS to obtain certain licence(s) before they can operate within the jurisdiction. Malaysia, for one, imposes a legal obligation on either an IaaS provider with a locally incorporated company, or a foreign IaaS provider that utilises a local data centre, to obtain an Application Service Provider (Class) licence before it can offer its services here in Malaysia. As such, it is important for companies looking to deploy GPUaaS in any jurisdiction to ensure appropriate due diligence is conducted prior to commencing operation. Conversely, companies looking to subscribe to any GPUaaS should also conduct simple verification to ensure that the service provider indeed has the required licences to conduct its business, so that unwanted interruption to the subscribed services can be avoided.

Conclusion

GPUaaS is certainly a creative way to address the GPU crunch suffered by the industry. That being said, companies considering subscribing to GPUaaS should not dive in headfirst, but should instead work with internal stakeholders and external advisers to evaluate the needs of the business against what GPUaaS could offer, in order to ascertain whether GPUaaS is the right fit for the organisation, or whether the organisation would be better off securing its own physical infrastructure and hardware. Considering the nuances of GPUaaS, companies should conduct a holistic review of the GPUaaS agreement offered by the service provider to ensure that the companies’ needs and requirements are sufficiently addressed in the agreement.

If you wish to enquire more about GPUaaS, or if you are thinking of subscribing to GPUaaS, please feel free to reach out to the lawyers from our Technology Practice Group. We would certainly be delighted to assist in this exciting endeavour.
About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

High Court clarifies Item 22(1) of the First Schedule of the Stamp Act 1949 and the Stamp Duty (Remission) (No. 2) Order 2012

A case study on Ann Joo Integrated Steel Sdn. Bhd. v Pemungut Duti Setem [2023] 8 MLJ

Introduction

This case is a stamp duty appeal under Section 39(1) of the Stamp Act 1949 ("Act") made by way of a case stated pursuant to Section 39(2) of the Act. The Plaintiff is seeking, inter alia, a declaration from the High Court that the Notice of Stamp Duty Assessment dated 13 February 2019 issued by the Defendant ("assessment") on the letter of offer executed between Alliance Bank Malaysia Berhad (“Alliance Bank”) and the Plaintiff (“LO”) is erroneous, null and void.

Background Facts

On 27 December 2018, the Plaintiff accepted the LO for credit from Alliance Bank, which offered to the Plaintiff trade facilities amounting to RM105,000,000.00 (“Trade Facilities”). The LO was submitted to the Defendant for adjudication of stamp duty, where the Plaintiff sought the remission of the stamp duty granted under the Stamp Duty (Remission) (No. 2) Order 2012 (“Remission Order”). On 31 January 2019, the Plaintiff was informed by the Defendant that the LO did not qualify for remission of stamp duty under the Remission Order. Subsequently, the Defendant took the position that the LO is subject to stamp duty pursuant to Item 22(1)(a) of the First Schedule of the Act. Thereafter, on 13 February 2019, the Plaintiff received the assessment from the Defendant.

Unhappy with the assessment, on 14 February 2019 the Plaintiff paid the stamp duty to the Defendant under protest in accordance with Section 38A(7) of the Act vide letters dated 14 February 2019 and 11 February 2019. Subsequently, the Plaintiff submitted an application to the Defendant on 28 February 2019 to object against the assessment pursuant to Section 38A of the Act. However, on 8 March 2021, the Plaintiff’s application was rejected by the Defendant with no reasons provided. Being aggrieved by the assessment, the Plaintiff filed an appeal to the High Court by way of a case stated under Section 39(1) of the Act, to seek the opinion of the High Court as to whether the LO falls within the Remission Order.

Legislation

Stamp Act

Sub-item 22(1) of the First Schedule of the Stamp Act 1949, upon being amended by the Finance Act 2018, states the following:

BOND, COVENANT, LOAN, SERVICES, EQUIPMENT LEASE AGREEMENT OR INSTRUMENT of any kind whatsoever:
(1) Being the only or principal or primary security for any annuity (except upon the original creation thereof by way of sale or security, and except a superannuation annuity), or for any sum or sums of money at stated periods, not being interest for any sum secured by a duly stamped instrument, nor rent reserved by a lease or tack:
(a) for a definite and certain period so that the total amount to be ultimately payable can be ascertained.
(b) for the term of life or any other indefinite period: for every RM100 and also for any fractional part of RM100 of the annuity or sum periodically payable.

Remission Order

Paragraph 2 of the Stamp Duty (Remission) (No. 2) Order 2012 states that:

The amount of stamp duty that is chargeable under sub-subitem 22(1)(b) of the First Schedule to the Act upon a loan agreement or loan instrument without security for any sum or sums of money repayable on demand or in single bullet payment under that sub-subitem which is in excess of zero point one per cent (0.1%) is remitted.

The Defendant's Contentions

The Defendant takes the position that there is no error in the assessment and the LO was correctly charged for stamp duty under Item 22(1)(a) of the First Schedule of the Act, and thus the Remission Order is not applicable to the LO. It is contended that the LO does not spell out the sums of money that must be paid by way of demand or single bullet payment and is, therefore, liable to stamp duty as a loan agreement or loan instrument under Item 22(1)(a) of the First Schedule of the Act.

The Plaintiff’s Contentions

The Plaintiff takes the position that the LO clearly states that the loan instrument has no security whatsoever and must be repayable on demand or in a single bullet payment. Therefore, the Plaintiff believed that the LO they had accepted from Alliance Bank was eligible for remission of the stamp duty in excess of 0.1%. It is contended that the correct approach to be adopted in interpreting a taxing statute is that it should be given a strict interpretation, by giving its words their plain, natural and ordinary meaning, and no intendment can be made in favour of tax liability.

Findings

The High Court made a distinction between two different items in the First Schedule of the Act, specifically Item 22(1)(a) and Item 22(1)(b). The High Court highlighted that the material difference between these two Items is that Item 22(1)(a) applies to a bond, covenant or instrument with a specific and defined period of time, which allows the total amount payable to be determined. On the other hand, Item 22(1)(b) applies to a bond, covenant or instrument that has an indefinite period of time, such as for the term of life.

Upon perusal of the LO, the High Court found that the availability of the facility granted by Alliance Bank to the Plaintiff is subject to Alliance Bank’s right to recall/cancel the facility or any part thereof at any time Alliance Bank deems fit, whereupon the facility of such part thereof shall be cancelled and the whole indebtedness or such part thereof be repayable on demand. The High Court then cited the relevant provisions of the LO, which are as follows:

SPECIFIC CONDITIONS FOR TRADE FACILITIES
(i) Repayment
Notwithstanding any other provisions herein stated related to the availability of the Facility or any part thereof, the Bank reserves the right to recall/ cancel the facility or any part thereof at any time it deems fit without assigning any reason thereto by giving written notice of the same, whereupon the facility of such part thereof shall be cancelled and the whole indebtedness or such part thereof be repayable on demand.
………
(ii) Forward Foreign Exchange (“Forex”)
Specific Condition: Repayment
Notwithstanding any other provisions herein stated related to the availability of the Facility or any part thereof, the Bank reserves the right to recall/cancel the facility or any part thereof at any time it deems fit without assigning any reason thereto by giving written notice of the same, whereupon the facility of such part thereof shall be cancelled and the whole indebtedness or such part thereof be repayable on demand.

Based on the above provisions, the High Court found that there is in fact no definite or certain period of time prescribed under the LO for the Trade Facilities given to the Plaintiff. The LO therefore falls under Item 22(1)(b) of the First Schedule of the Act, thus qualifying for remission of stamp duty under the Remission Order.

The High Court rejected the Defendant’s contention that the LO does not spell out the specific provision on how repayment of the loan is to be made in the ordinary course, i.e. if the Trade Facilities or Forex is not recalled or cancelled by Alliance Bank, and that in any event the LO must clearly show that, under the LO, the mode of repayment of the loan is either upon demand or a single bullet repayment. According to the learned Judge, there is no specific requirement under the Remission Order for the sums of money to be paid under the LO to be by way of demand or single bullet repayment in the ordinary course. The LO clearly states that the security is on a clean basis.

Conclusions

The High Court concluded that the LO fell within the ambit of Item 22(1)(b) of the First Schedule of the Act and that, on a plain reading of paragraph 2 of the Remission Order, the Plaintiff had fulfilled all the requirements stipulated thereunder, as the LO clearly stated that the Trade Facilities and Forex facilities are granted on a clean basis, i.e. without any security, and that Alliance Bank reserves the right to recall/cancel the facility or any part thereof at any time it deems fit without assigning any reason by giving written notice of the same, whereupon the facility of such part thereof shall be cancelled and the whole indebtedness or such part thereof be repayable on demand.

Premised on the reasons above, the High Court allowed the Plaintiff’s appeal with costs and held that the LO qualifies for remission of stamp duty under the Remission Order and ought to be stamped at the rate of 0.1%. Thus, the assessment raised by the Defendant was held to be erroneous.

Comments

The two (2) material points that can be extracted from the above case are as follows:

(i) To come within the ambit of Item 22(1)(b) of the First Schedule of the Act, there is no requirement for an LO or agreement for credit facilities to state that the facilities are to be repaid in the ordinary course by bullet repayment or upon demand. Thus, it is sufficient that the credit facilities are repayable on demand at the discretion of the lender.

(ii) An LO or agreement for credit facilities in respect of which the stamp duty is payable under Item 22(1)(b) of the First Schedule of the Act will qualify for remission of the stamp duty under the Remission Order if the credit facilities are granted without any security.
About the author

Norsuriati binti Mohd Noor
Senior Associate
Real Estate
Halim Hong & Quek
norsuriati@hhq.com.my

Limitation of Licenced Manufacturing Warehouse Conditions

The High Court in Pan International Electronics (M) Sdn Bhd v Menteri Kewangan Malaysia and Ketua Pengarah Kastam, Jabatan Di Raja Malaysia (PA-25-65-08/2023) quashed the decision of the Ministry of Finance ("MoF") rejecting the appeal of Pan International Electronics (M) Sdn Bhd (“Taxpayer”) for the remission of import duty and sales tax, as the decision is tainted with illegality and irrationality because the conditions under the licensed manufacturing warehouse (“LMW”) cannot be imposed on the ASEAN Trade in Goods Agreement (“ATIGA”) order.

The salient facts of Pan International Electronics (supra) are as follows:

a) The Taxpayer is a licensed LMW under Sections 65 and 65A of the Customs Act 1957.
b) Pursuant to the ATIGA, the Taxpayer had been importing decoders at 0% import duty and 0% sales tax.
c) However, the Royal Malaysian Customs Department (“RMCD”) issued a bill of demand against the Taxpayer for the import duty of RM8,432,282.51 and sales tax of RM841,342 because the Taxpayer had exceeded the local sales quota by 7.21%. This disqualified the decoders from the ATIGA rate of 0%.
d) The Taxpayer appealed to the MoF by way of a letter dated 27.3.2023 but such appeal was rejected by the MoF on 22.5.2023.
e) Dissatisfied, the Taxpayer filed a judicial review application to challenge the decision (the rejection).

The High Court held that, amongst others:

a) The RMCD only has the power under Sections 65 and 65A of the Customs Act 1957 to impose conditions on the LMW license.
b) The condition of the decoders’ local sales quota of 20% is only limited to the LMW license.
c) The ATIGA rate under the ATIGA order is an order made by the MoF pursuant to the exercise of his powers under Section 11(1) of the Customs Act 1957.
d) Under Article 41 of the ATIGA, each member state undertakes not to adopt or maintain any quantitative restriction on the importation of any goods of the other member states or on the exportation of any goods destined for the territory of the other member states.
e) A company is entitled to the ATIGA rate so long as the goods imported are classified as such and are imported from the ASEAN countries, regardless of whether the company is clothed with LMW status.
f) The RMCD does not have any power to alter the ATIGA rate under the ATIGA order; only the MoF has the power to impose conditions in the ATIGA order under Section 11(1) of the Customs Act 1957.
g) There are no conditions imposed by the MoF in the ATIGA order that, in order for the decoders to be entitled to import duty at the ATIGA rate of 0%, the Taxpayer must not exceed the 20% local sales quota.
h) LMW status has nothing to do with the goods that are classified under the ATIGA order.
i) Hence, the RMCD’s imposition of the LMW conditions into the ATIGA order is illegal and irrational as the RMCD does not have any jurisdiction to fix the customs duty to be levied on any goods imported into or exported from Malaysia under Section 11(1) of the Customs Act 1957.
j) The MoF has failed to exercise his discretion to remit the customs duty ‘just and equitably’ as envisaged under Section 14A of the Customs Act 1957, as the MoF had rejected the Taxpayer’s remission application based on the same ground of breach of the LMW condition.
k) The MoF had allowed the LMW condition to be imposed on the ATIGA order, albeit no express condition was passed by the MoF under the ATIGA order or the Customs Act 1957.

Comments

This case, perhaps, is the first case that addressed the limitation of the conditions under the LMW license and the exercise of the MoF’s power under Section 14A of the Customs Act 1957. It is not uncommon for the tax authorities and/or authorities in Malaysia to conflate the conditions under different licenses (or approvals). This case serves as a reminder to taxpayers to always be vigilant and check whether the condition of one license can be imposed on another.
About the author

Desmond Liew Zhi Hong
Partner
Tax
Halim Hong & Quek
desmond.liew@hhq.com.my

Achieving Net Zero: The Crucial Role of Climate Technology

Net zero should not be unfamiliar territory, particularly for chief sustainability officers, general counsels, and boards of directors. Failing to consider net zero emissions can have significant and multifaceted impacts on an organization’s performance, including regulatory and compliance risk, brand reputation, and financial and investment risk. Companies that overlook climate risks may struggle to attract investment, potentially facing higher capital costs or even divestment. Additionally, sustainability-linked financing, such as green bonds and loans with favorable terms, may be out of reach without a clear net zero strategy. Therefore, companies can no longer ignore this issue. Achieving net zero emissions requires a concerted effort, with climate technology playing a central role. In this article, we explore how climate technology is pivotal in driving forward this initiative.

Understanding Net Zero

"Net zero" refers to the balance between the amount of greenhouse gases (GHGs) emitted into the atmosphere and the amount removed from it. Achieving net zero means that any human-caused emissions (anthropogenic emissions) are counterbalanced by an equivalent amount of GHG removal.

Currently, there isn't a single standardized formula for calculating net zero, as it can vary depending on the context, the scope of emissions being considered, and the methodologies used for measurement and accounting. Generally, the steps involve quantifying all GHG emissions from various sources within a defined boundary, including direct emissions from activities like energy production, transportation, industry, and agriculture, as well as indirect emissions associated with purchased electricity and other goods and services. Additionally, any GHG removals or sinks, such as carbon uptake by forests, oceans, soils, and technological solutions like carbon capture and storage, are identified and quantified. The net balance is then calculated by subtracting total emissions from total removals, determining whether an entity is contributing to climate change (positive net balance) or offsetting emissions (negative net balance).

The Role of Climate Technology in Achieving Net Zero

Technology is critical in assisting companies in achieving net zero, frequently referred to as climate technology. Here, we highlight five types of climate technology that can help achieve the net zero objective:

1. Renewable Energy Technology: Transitioning from traditional energy sources to renewable energy sources such as solar, wind, hydro, and geothermal power is essential for reducing carbon emissions. These renewable energy sources offer several advantages over traditional fossil fuels in the context of achieving net zero emissions. Unlike fossil fuels, renewable energy sources produce little to no greenhouse gas emissions during operation, thereby significantly reducing carbon footprints. Most importantly, renewable energy technologies are inherently sustainable and abundant, providing a reliable and long-term solution for powering communities and industries without contributing to climate change.

2. Energy Efficient Technology: Energy efficient technology focuses on optimizing energy use to achieve the same or higher levels of performance while consuming less energy. This includes advanced appliances and lighting systems like LED bulbs, high-efficiency HVAC systems, and better insulation materials for buildings. By reducing energy consumption, these technologies decrease the demand for electricity generation, which often relies on fossil fuels, thus lowering greenhouse gas emissions. Compared to conventional energy technologies, which typically operate with higher energy waste and inefficiencies, energy efficient technologies enable significant reductions in overall energy use and emissions.

3. Smart Grid Technology: Smart grid technology enhances the traditional electrical grid by incorporating digital communication, advanced sensors, and automation systems to improve the efficiency, reliability, and sustainability of electricity distribution. Unlike the conventional grid, which is largely one-way and lacks real-time monitoring, smart grids enable two-way communication between utilities and consumers, allowing for dynamic management of electricity flows. This includes real-time monitoring of energy usage, automatic rerouting of power in case of outages, and integration of renewable energy sources like solar and wind into the grid. Smart grids facilitate demand response programs where consumers adjust their usage during peak times, reducing the strain on the grid and lowering emissions. By improving the efficiency and flexibility of the electricity network, smart grids play a critical role in achieving net zero emissions, enabling a more resilient, sustainable, and cleaner energy system compared to traditional grid infrastructure.

4. Carbon Capture, Utilization, and Storage (CCUS): CCUS is a set of technologies designed to capture carbon dioxide (CO2) emissions from industrial processes and power generation, prevent it from entering the atmosphere, and either utilize it in various applications or store it underground. The process begins with capturing CO2 at its source, such as a factory or power plant, using chemical solvents or other methods. The captured CO2 is then compressed and transported, typically via pipelines, to a utilization site where it can be used in products like concrete or biofuels, or to a storage site where it is injected into deep geological formations, such as depleted oil and gas fields, for long-term storage. This technology is particularly suitable for heavy industries that are difficult to decarbonize, providing a means to significantly reduce their emissions while maintaining operational viability.

5. Circular Economy Technology: Circular economy technology revolves around designing products and systems to minimize waste, extend product lifecycles, and regenerate natural systems. This includes advanced recycling processes that break down materials into their basic components for reuse, biodegradable materials that reduce waste, and industrial symbiosis where waste from one process becomes input for another. Companies can employ circular economy principles by designing products for durability, reparability, and recyclability, implementing take-back schemes, and optimizing resource use through digital platforms that track material flows. This approach helps companies achieve net zero by reducing the demand for virgin materials, transforming waste into valuable resources, thereby closing the loop and significantly cutting down the overall carbon footprint compared to conventional, linear business models.

Conclusion

Net zero has swiftly transitioned from an optional consideration to an imperative for every company. Climate technological advancements are pivotal in enabling companies to reach this goal, making it an aspect that demands universal attention. Harnessing the potential of innovation and technology, we can overhaul our energy systems, industries, and societies, forging a sustainable and resilient future.

If you have any needs related to ESG, especially in the technology field, do not hesitate to reach out to our legal professionals who specialize in technology law and related areas. Our team is well-equipped to guide you through the complexities of sustainability initiatives, helping you leverage climate technology to achieve your net zero goals while ensuring compliance and maximizing your competitive advantage. Let us partner with you in creating a sustainable and resilient future for your organization.
About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Tan Zhen Chao
Associate
Real Estate, Project Development, Strata Management, Dispute Resolution
zctan@hhq.com.my

More of our Tech articles that you should read:
• Structuring Effective Service Level Agreement
• E-Waste and ESG Compliance: What Companies Need to Know
• Exploring the Patentability of Artificial Neural Networks (ANN) under UK Patent Law: The Emotional Perception AI Case

Structuring Effective Service Level Agreement

Service Level Agreement, commonly referred to as “SLA”, is one of the key aspects of technology outsourcing that is frequently negotiated between service providers and customers. An SLA would set out the agreed standards at which the outsourced services are supposed to be provided, how the standards will be measured, and the consequences for failing to meet the agreed standards. When it comes to technology outsourcing, an SLA can normally be found in contracts involving the provision of Software-as-a-Service (SaaS) or information technology (IT) managed services.

Given the increased reliance on technology in today’s age, it is crucial for a customer to ensure that the new SaaS that it has just subscribed to, or the new service provider engaged to manage its core business IT system, is able to meet the level of service that the customer expects. If the services provided are not satisfactory, the customer should then receive, in one way or another, some form of rebate or credit from the service provider for the less than satisfactory services rendered. Because an SLA may potentially reduce the remuneration that a service provider receives, it regularly becomes the subject of contention. In this article, we set out some considerations that businesses should take into account when structuring an SLA.

Service Level Objectives

From a customer’s perspective, the first step when structuring an SLA is to identify the service level objective that is sought to be achieved from the services outsourced. Depending on the type of services outsourced, the objective could be to ensure high system availability, or that service disruptions are attended to and resolved promptly. Once the objective has been identified, it can be clearly communicated to the service provider, which facilitates the determination of appropriate metrics to be used to measure the standards of the services being performed. Failure to properly identify the objectives may result in the service provider’s attention being diverted to aspects of the services that are actually of lesser importance to the customer, hence translating into a mismatch in the level of services being delivered by the service provider.

SLA Metrics

Upon the identification of the service level objectives to be achieved, one will then be able to establish the most appropriate metrics to be used to evaluate the quality of the services rendered. Assuming that the service level objective is to ensure that a particular system or software has a high availability, “uptime” would then be the metric of choice. When a customer is looking to ensure that service disruptions are promptly attended to, the most common metrics that the customer can use are response time, resolution time, and/or mean time to recovery.

Depending on the metrics chosen, the way that they are measured may also differ. Take uptime, for example: it is typically measured across a period of time, potentially on a quarterly, half-yearly, or annual basis. The customer will have to determine the desired uptime of the system, be it 99.7% a year, or 99% in a month. Incident response, on the other hand, has to be measured on a case-by-case basis, typically depending on the severity level of the incident, which would in turn affect the expected response and resolution time by the service provider.

On top of that, SLA metrics should also incorporate flexibility to adapt to changing commercial circumstances, such as business growth, evolving technology, or shifts in the economic landscape. Customizable or flexible SLA metrics ensure that the SLA remains a living document that continues to serve the interests of the parties over time.

The SLA metric is an important component in an SLA as it sets the expected standards that the service providers should be achieving when delivering their services. Additionally, it allows for clear and objective evaluation of the standards of services provided by the service providers, and paves the way for the implementation of the service credit regime.

Service Credit Regime

In an SLA, failure by a service provider to meet the agreed service level objectives based on the agreed metrics would normally result in the customer being entitled to service credits. Service credits can take the form of cash payment by the service provider to the customer, or a rebate in the subsequent fees payable by the customer to the service provider.

The rationale of a service credit regime is that a customer should not have to pay the service provider 100% of the agreed fees, since the service provider has failed to perform the services at the level or standard expected. In other words, a service credit regime should rightfully reflect the lowered standard of services actually performed by a service provider, as opposed to what the service provider was initially offered to be paid to perform.

Many have the misconception that a service credit regime is a tool for customers to potentially achieve cost savings or obtain a huge discount from the fees otherwise payable to the service providers. This thinking often results in the misguided approach of affixing a high price tag to a service credit that is disproportionate to the magnitude of the corresponding service level failure. It can potentially derail and delay the finalisation of the contract for technology outsourcing, prompt the service provider to mark up its fees, or worse – cause reluctance among service providers to agree to undertake a particular service.

An effective service credit regime will have to take into account the nature and extent of the service level failure – more severe service level breaches should translate into higher service credit, while minor service level breaches should only result in lower service credit.

Creative Structuring of SLA

Structuring and negotiating an SLA for technology outsourcing requires careful planning. A well-crafted SLA would help service providers deliver services that meet the expectations of the customers, allowing customers to achieve their business goals.

As technology advances, it may not be so easy at times for service providers to meet the service level requirements of the customers, especially when cutting edge technologies are involved. These circumstances may then call for creative structuring of the SLA, such as incorporation of a service credit holiday, incremental service levels, assigning weightings and multipliers to different types of service level breaches, or potentially allowing service credit earn-back, in order to incentivize the service providers to deliver their best.

Businesses should consult legal professionals in crafting a meaningful SLA that would help in directing the service providers to deliver services at the level and standard expected of them.

Please feel free to reach out to our partners from the Technology Practice Group should you have any enquiries in relation to your next technology outsourcing initiative or if you would like a consultation on your service level agreement. Our team of professionals is always here to help.

About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

More of our Tech articles that you should read:
• CYBER SECURITY ACT 2024 – STATUTORY OBLIGATIONS OF NCII ENTITIES
• E-Waste and ESG Compliance: What Companies Need to Know
• Updated Financial Technology Regulatory Sandbox Framework Enhancements Introduced to Increase Accessibility

AI Deepfake Technology: Understanding Its Business Use Case, Legal Considerations, and Best Practices in Modern Marketing

The Rise of Deepfake Technology

As artificial intelligence (“AI”) continues to advance, one of its subfields, deepfake technology, is also garnering significant attention. Deepfake is a form of AI that can manipulate digital media, such as images, videos, and audio, to create highly realistic but fabricated content. It is undeniable that the initial attention surrounding deepfakes has centered on their misuse in spreading disinformation, pornography, and perpetrating scams. For example, scammers generated deepfake robocalls using the voice of President Joe Biden earlier this year to discourage voters from voting. Additionally, a Hong Kong firm fell victim to a $25 million fraud scheme orchestrated through deepfake technology, wherein fraudsters impersonated the company’s chief financial officer during a video conference call.

However, savvy businesses and organizations are also beginning to explore the transformative opportunities this technology presents for marketing and advertising campaigns. By harnessing the power of deepfakes, companies can tap into the star power and influence of renowned personalities without the need for their direct and active involvement, potentially revolutionizing the industry.

There are always two sides to a coin, and as with any emerging technology, there are legal considerations that companies and their general counsels must navigate carefully. In this article, we aim to explore the use case of deepfake technology in marketing, as well as the legal concerns and best practices that general counsels should take into account.

What are Deepfakes?

Before we begin, it is essential to understand what deepfakes are. Deepfakes are a form of AI-generated synthetic media that employs deep learning algorithms to manipulate or fabricate images, videos, or audio recordings. These algorithms are trained on extensive datasets of real media, enabling them to learn and replicate a person's face, voice, or mannerisms with remarkable precision. The resulting deepfake media can be virtually indistinguishable from genuine content, posing a challenge in discerning authenticity. Currently, a simple online search for deepfakes reveals a staggering number of videos circulating on the internet, many of which viewers may not even realize are deepfakes.

The Business Case for Deepfakes in Marketing

Traditional celebrity endorsements and influencer collaborations can be prohibitively expensive, often requiring significant financial investments and complex negotiations, as traditional marketing, photoshoots, and video recordings necessitate the direct and active physical involvement of the celebrities and influencers in order to produce the desired content.

Deepfake technology now offers a cost-effective alternative, enabling companies to create compelling content featuring the likeness and voices of popular figures without the logistical hurdles and exorbitant costs associated with securing their participation. This approach not only reduces marketing and advertising budgets but also opens up new avenues for creative storytelling and engaging campaigns, all without requiring the direct, actual, and active physical involvement of those celebrities and influencers as in traditional marketing and video shoots, which can be both time and resource-consuming. This democratizes access to star power, allowing smaller businesses and startups to compete on a more level playing field by leveraging the influence of renowned personalities without the financial constraints of traditional endorsement deals.

Legal Considerations and Best Practices for Businesses Utilizing Deepfakes

While the potential benefits of deepfakes in marketing are alluring, companies and their general counsels must exercise caution and address several legal considerations before employing this technology. The legal landscape surrounding deepfakes is still evolving, and here are the top five key legal concerns and best practices that should be taken into account:

1. Misrepresentation and Misleading Advertising: The use of deepfakes in advertising and marketing campaigns may be construed as misrepresentation or misleading advertising, especially if it is presented as a genuine endorsement or testimonial from a celebrity without proper disclosure and actual agreement by the celebrity. Therefore, companies should be transparent about the use of deepfake technology and ensure that their campaigns do not deceive or mislead consumers. Also, different jurisdictions may have specific regulations governing the use of deepfakes in advertising, which companies must carefully navigate to avoid legal violations and potential fines or penalties.

2. Data Protection and Privacy: Deepfakes typically involve processing and using personal data, such as an individual's facial features, voice, or likeness, which can raise data protection concerns and potentially violate privacy laws if not handled properly. Therefore, any attempt to harness individuals' personal data, whether influencers or celebrities, for deepfake purposes without their explicit consent not only risks legal repercussions but also undermines trust and integrity. In the era of stringent regulations like GDPR, companies must navigate deepfake territory with utmost caution, ensuring full compliance with local privacy laws. Securing explicit consent and adhering to relevant data protection laws are non-negotiable steps for businesses venturing into deepfake territory.

3. Intellectual Property Rights: Besides privacy concerns, it is also essential to recognize that unauthorized utilization of an individual's likeness, voice, or image in deepfake media can constitute significant infringement upon intellectual property (“IP”) rights. Beyond privacy breaches, this includes potential violations of copyright, passing off, and trademark infringement. Many jurisdictions also recognize a legal right of publicity, especially when it involves the likeness of celebrities, granting individuals control over the commercial use of their identity, and failure to obtain consent for these rights in deepfake media could result in legal repercussions. Therefore, companies must diligently secure all necessary rights and licenses from individuals before engaging in the creation or distribution of deepfake content, obtaining explicit consent for the use of their likeness, voice, or image, and ensuring compliance with relevant IP laws and regulations to mitigate the risk of potential disputes and legal liabilities.

4. Compliance with AI Laws and Regulations: With the emergence of AI regulations across various jurisdictions, it is imperative for companies to pay particular attention to the development of legislation governing the use of AI. Many jurisdictions are actively drafting and implementing their own regulations to address the ethical and legal implications of AI technologies; hence, staying abreast of these evolving regulations is essential to ensure compliance and shield businesses from accusations of deceptive practices. For instance, in certain jurisdictions, there is a requirement for companies to disclose the use of artificially generated or manipulated content, mandating transparency to prevent deception. Consequently, in marketing practices involving deepfakes, disclosure becomes paramount. Thus, companies must stay updated on AI-related laws and regulations, understanding the dos and don'ts to navigate this evolving landscape effectively.

5. Comprehensive Contractual Arrangements: Given the nascent and evolving nature of deepfake technology, it's imperative for businesses to establish robust contractual agreements governing the licensing and authorization of individuals' likeness, images, voices, and other personal attributes for deepfake purposes. These contracts should encompass a wide array of considerations such as (i) terms of use to clearly define the scope and limitations of the authorized use of the individual's likeness, image, voice, etc., in deepfake content, (ii) licensing rights to specify whether the license is exclusive, non-exclusive, or limited in any way, and detail any royalties or compensation arrangements, (iii) ownership of IP rights to specify whether the license is exclusive, non-exclusive, or limited in any way, and detail any royalties or compensation arrangements, and (iv) limitation on the distribution channels or platforms of the deepfake content.

As deepfake technology continues to advance, it presents both immense opportunities and significant challenges for businesses. By leveraging the power of deepfakes in marketing campaigns, companies can unlock new frontiers of creativity, cost-efficiency, and brand engagement, gaining a powerful tool for innovative marketing and advertising strategies. However, navigating the legal landscape surrounding deepfakes requires a proactive approach and close collaboration with legal professionals who specialize in emerging technologies and AI regulations. As the technology continues to advance, companies should remain vigilant, seek legal counsel, and prioritize transparency and ethical practices in their use of deepfakes. By doing so, companies can leverage the potential benefits of this technology while mitigating risks and fostering trust with their customers and stakeholders.

If your organization intends to leverage AI deepfake technology in your business, our team is poised to provide expert assistance. Leveraging our proficiency in AI technology and legal frameworks, we offer tailored guidance to safeguard your organization and ensure compliance with legal standards. Contact us today to proactively address these critical considerations.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

More of our Tech articles that you should read:
• Choosing Between Open Source and Closed Source AI: Considerations for Companies Looking to Onboard AI
• Exploring the Legal Implications of AI as Inventors: UK Patent Law Perspective
• The European Union Artificial Intelligence Act – Should Artificial Intelligence Be Regulated?

CYBER SECURITY ACT 2024 – STATUTORY OBLIGATIONS OF NCII ENTITIES

It has been more than a month since the passing of the Cyber Security Bill 2024, and many are eagerly waiting for the list of the national critical information infrastructure sector leads (“NCII Leads”) to be published, which is the very first step before a series of implementations under the Cyber Security Act 2024 can be rolled out.

That being said, we believe that many of the stakeholders who own or operate national critical information infrastructure (“NCII”) from the eleven (11) NCII sectors (“NCII Sectors”) would already have some idea as to whether they will be designated as NCII entities (“NCII Entities”). Our article this week seeks to help soon-to-be NCII Entities better understand the statutory obligations under the Cyber Security Act 2024 that will be imposed upon them once the designation as NCII Entities is finalised, as well as the exposure that the NCII Entities may face for non-compliance with these statutory obligations.

Statutory Obligations of NCII Entities

If the Cyber Security Act 2024 is to be described as a screenplay, then the NCII Entity no doubt is the most important role with the most screentime for this play. A quick count through the Cyber Security Act 2024 shows that NCII Entities have a total of 13 distinct statutory obligations imposed upon them, not including any additional obligations that they may have under the codes of practice that are to be drawn up for each NCII Sector. The attention given to the NCII Entities under the Cyber Security Act 2024 is understandable, as they are the ones that either own or actively operate the NCIIs.

To simplify things, the statutory obligations of the NCII Entities can be categorised into four (4) broad categories as follows:

1. Information Disclosure Obligation

Upon being designated as an NCII Entity, the NCII Entity will have to provide information relating to the NCII owned or operated by it to the NCII Leads upon request. The objective of this obligation would appear to be so that the relevant NCII Leads would have a clear picture of the type and nature of NCIIs owned or operated by each NCII Entity. To ensure that the information is up to date, NCII Entities will also have a continuing obligation to notify the NCII Leads when the NCII Entities procure or come into possession or control of additional computers or computer systems which are believed to be NCIIs, as well as when there are material changes to these NCIIs owned or operated by the NCII Entities.

The NCII Entities also have an obligation to notify the NCII Leads when the computer or computer system owned or operated by the NCII Entities ceases to be NCII or when they no longer own or operate any NCII.

2. Codes of Practice Implementation

One of the most critical statutory obligations of NCII Entities is the requirement to implement the Codes of Practice put in place for each NCII Sector. The Codes of Practice will presumably contain the minimum standards and requirements for the NCII Entities to comply with in order to strengthen the cyber security of the NCIIs owned or operated by the NCII Entities.

The Codes of Practice are to be prepared by the NCII Leads appointed for each NCII Sector. Given that the list of NCII Leads has yet to be finalised, it may still be some time before any Codes of Practice will see the light of day. That said, we believe that the Codes of Practice to be drawn up will likely contain provisions or requirements pertaining to Business Continuity Management and preparation of a disaster recovery plan, which are essential for the mitigation of any impact that a cyber security incident may have on NCIIs.

3. Cyber Security Risk Assessment and Preparation

NCII Entities will also be required to conduct cyber security risk assessments from time to time in respect of the NCII owned or operated by them to ensure that appropriate cyber security safeguards are in place as per the requirements of the Codes of Practice and any directives as may be prescribed. Additionally, NCII Entities will also have to allow an external auditor to audit their compliance with the Cyber Security Act 2024 from time to time. Reports will have to be drawn up following the conduct of a cyber security risk assessment and/or audit and be submitted to the Chief Executive of the National Cyber Security Agency (“Chief Executive”).

If the Chief Executive is not satisfied with the result of the cyber security assessment or is of the view that the audit report provided pursuant to an audit is insufficient, the Chief Executive may require a further cyber security assessment to be carried out or the audit report to be rectified. NCII Entities may also be required by the Chief Executive to carry out additional cyber security risk assessments or audits where there have been material changes to the design, configuration, security, or operation of the NCIIs owned or operated by the NCII Entities. In addition to the above, NCII Entities will also be required to participate and cooperate with the Chief Executive in any cyber security exercise that the Chief Executive elects to conduct.

The obligations of NCII Entities pertaining to risk assessments, audits and cyber security exercises are important to ensure that the cyber security measures in place appropriately and sufficiently account for all possible cyber security risks out there. As technology advances, threat actors will continuously innovate and deploy new ways and new technologies to breach the cyber security of NCIIs. As such, it is important that the cyber security measures are updated constantly to address any new threats that malicious actors will take advantage of, thereby enhancing the cyber security readiness and preparedness of the NCII Entities.

4. Cyber Security Incident Notification and Response

Apart from enhancing the cyber security of NCIIs, the Cyber Security Act 2024 also seeks to establish a cyber security incident notification and response regime. Upon detecting a cyber security incident or potential cyber security incident in respect of the NCII owned or operated, an NCII Entity will have an obligation to report the same to the Chief Executive and the NCII Leads within a prescribed period. If further investigation confirms that the relevant NCII(s) has indeed suffered a cyber security incident, any response to the cyber security incident and measures to be taken by the relevant NCII Entity(ies) to recover from the incident will have to be coordinated with the Chief Executive.

Effectively, NCII Entities will no longer have the discretion to respond to any cyber security incidents without first consulting the Chief Executive, and any measures to be implemented in responding to, recovering from and preventing a cyber security incident will have to be consistent with the directive given by the Chief Executive.

Exposures for Non-Compliance with Cyber Security Act 2024

Under the Cyber Security Act 2024, penalties for non-compliance vary depending on the type and severity of the violation.

For general non-compliance with the statutory obligations under the Cyber Security Act 2024 by NCII Entities, such as failure to conduct additional cyber security risk assessment or rectify an audit report upon request by the Chief Executive, or failure to notify the NCII Leads of any material changes to the NCII owned or operated, the penalties are generally as follows:

1. a fine of up to Ringgit Malaysia One Hundred Thousand (RM100,000) or Two Hundred Thousand (RM200,000), or
2. either no imprisonment or imprisonment up to three (3) years; or
3. both of the above.

However, more serious violations involving critical statutory obligations, such as failure to implement the applicable Codes of Practice or failure to notify a cyber security incident, will carry a heavier penalty of a fine not exceeding Ringgit Malaysia Five Hundred Thousand (RM500,000) or imprisonment for a term not exceeding ten (10) years or both, upon conviction.

To demonstrate the seriousness of an offence under the Cyber Security Act 2024, management personnel of an NCII Entity can also be made personally liable for any non-compliance by the NCII Entity. The Cyber Security Act 2024 also makes it clear that where an offence is committed by the employee, agent or employee of the agent of an NCII Entity, the NCII Entity will also be made liable to the same punishment or penalty as its employee, agent or employee of its agent.

Conclusion

Considering the impact of a cyber security incident in respect of an NCII, the dire need for a robust cyber security regime in respect of the NCIIs in the country and strict compliance and enforcement of the same are no laughing matters.

NCII Entities stand on the frontline of any cyber warfare that may be waged against our nation’s NCIIs, and expectations of the NCII Entities to safeguard the NCIIs are definitely high. Given the key role that the NCII Entities play, it is advisable that the (soon to be) NCII Entities carefully consider their statutory obligations under the Cyber Security Act 2024 to better prepare for the eventualities. Upon the finalisation of the Codes of Practice for each NCII Sector, the NCII Entities should consider working with cyber security professionals and legal professionals who are well-versed in technology and cyber security matters to assess their compliance readiness and to put in place internal policies and procedures to meet their obligations under the Cyber Security Act 2024.

Please contact the partners from our Technology Practice Group should you have any enquiries pertaining to the Cyber Security Act 2024 or if you would like to enquire more about the obligations of an NCII Entity under the Cyber Security Act 2024.

About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

More Tech articles:
• Cyber Security Bill 2024 Decoded: 5 Key Insights for Strategic Compliance
• CYBER SECURITY ACT IMPLEMENTATION – Things for the National Critical Information Infrastructure Entities to Take Note of
• E-Waste and ESG Compliance: What Companies Need to Know

Unpacking Shareholders' Pre-emptive Rights and Minority Oppression: A Case Analysis of Concrete Parade v Apex Equity

Introduction

The Federal Court's recent judgment in the case of Concrete Parade Sdn Bhd v Apex Equity Holdings Bhd & Ors [2021] 9 CLJ 849 marked the end of a protracted legal battle that reverberated through Malaysia's corporate landscape. In this article, Lum Man Chan and Khew Gerjean provide an overview of the case, shedding light on the complexities surrounding the pre-emptive rights of shareholders and the obtaining of shareholders’ approval in corporate exercises pursuant to the Companies Act 2016 (“the Act”). In summary, the Federal Court’s answers to the legal questions that arise in this case are as follows:

1) Under S.85 of the Companies Act 2016 (“CA 2016”), the pre-emptive rights of shareholders are not mandatory but subject to the constitution of the company, which may renounce, disapply, or fortify such pre-emptive rights.
2) S.223(1)(i) and (ii) of the Act should be read disjunctively, so shareholders' approval could be obtained either before entering into an agreement for the transaction or before the actual transfer of ownership of the asset.
3) The oppression action was not properly brought by Concrete Parade Sdn Bhd because the shareholders who had voted in favour of the corporate exercises were not named in the oppression suit.

Background of the case

Concrete Parade Sdn Bhd (“Concrete Parade”) initiated a minority oppression action under S.346 CA 2016 against Apex Equity Holdings Berhad (“Apex Equity”) premised upon the following grievances:

a) the proposed merger transaction between Apex Equity and Mercury Securities, which would see Mercury Securities emerging as the largest shareholder in Apex Equity through shares allotment; and
b) Apex Equity had conducted share buy-back transactions from 2005 to 2017 in violation of its own M&A.

Proposed Merger Transaction

Apex Equity, along with its subsidiary JF Apex, planned a merger with Mercury. The proposed merger aimed to transfer Mercury's stockbroking business to JF Apex in exchange for:

i. RM48 million cash
ii. RM100 million worth of new shares in Apex Equity

The parties entered into a Heads of Agreement (HOA) on 21 September 2018, followed by a Business Merger Agreement (BMA) on 18 December 2018. Additionally, subscription agreements (SAs) were signed with seven placees for a private placement of new shares (collectively referred to as “the Merger Agreements”). After the execution of these documents, the shareholders’ resolutions were passed.

Share Buy-back Transactions

Between 2005 and 2017, Apex Equity undertook multiple share buy-back transactions (“the transactions”). These transactions were conducted based on mandates and approvals granted by the company's shareholders. However, in 2018, Concrete Parade brought to the attention of Apex Equity's management that the company's Memorandum and Articles of Association (M&A) did not permit such transactions. Despite the shareholder's objection, Apex Equity's board sought a further mandate in 2018 to continue with the transactions. However, this resolution was voted against by the shareholders. Hence, Apex Equity filed a proceeding to validate the share buy-back transactions undertaken between 2005 and 2017, and it was eventually allowed by the High Court.

The Key Issues and the High Court Findings

1. FIRST ISSUE: Whether Apex Equity breached S.85 and S.223 of CA 2016.

Concrete Parade argued that it was denied its statutory and contractual pre-emptive rights to be offered new shares in Apex Equity. S.85(1) mandates that existing shareholders should be offered new shares before they are offered to outsiders. However, Apex Equity's memorandum and articles of association, particularly Article 11, did not expressly ensure the protection of Concrete Parade's pre-emptive rights. The High Court Judge concluded that there was no breach of pre-emption rights since shareholders had approved the proposed placement.
The shareholders would reasonably understand that a private placement would dilute their interest, even without explicit mention in the circular. Thus, the absence of specific language denoting pre-emption waiver couldn't be deemed as oppressive as long as the transaction's effects were reasonably clear to Apex Equity's shareholders. Further, it was held that the shareholders’ approval sufficed either through prior general meeting approval or documentation specifying approval as a condition precedent. Since the BMA required shareholder approval for the acquisition of Mercury’s business, there was no violation. S.223(1) applies only when transactions create enforceable obligations on a company to acquire or dispose of substantial assets. The HOA, although legally binding, did not commit parties to the sale and purchase, thus not mandating shareholder approval. Even if the HOA breached S.223(1), it was superseded by the BMA, which complied with shareholder approval requirements. S.223 should be construed in a disjunctive manner to allow for flexibility, stating that it suffices if either the entry into the arrangement is made conditional on shareholder approval OR if the carrying into effect of the transaction is approved by shareholders.

2. SECOND ISSUE: Whether the Share Buy-Back Transactions are valid and legal.

Concrete Parade contended that the share buy-back transactions were illegal due to the contravention of S.67 of the Companies Act 1965 and/or S.123 of the Companies Act 2016. The directors' actions in seeking validation from the Court without amending the M&A were a blatant disregard of the company's governing documents. The directors of Apex Equity should have obtained consent and authority from the shareholders before filing for validation proceedings. They argued that the filing of validation proceedings without prior knowledge or approval of the shareholders resulted in unfair prejudice to Concrete Parade, as it impinged upon their substantive rights.
The High Court ruled that the share buy-back transactions undertaken by Apex Equity between 2005 and 2017 were valid, despite objections raised by the shareholder. While it was acknowledged that Concrete Parade was not notified of the validation proceedings, it could not establish prejudice to its shareholder rights for recourse under S.346 of the CA 2016. Dissatisfied with the High Court’s decision, Concrete Parade appealed to the Court of Appeal.

Court of Appeal Findings

The Court of Appeal found that Article 11 did not amount to a complete waiver of Concrete Parade's pre-emptive rights. It was held that the Merger Resolutions passed after the execution of several agreements related to the proposed merger did not effectively waive Concrete Parade's statutory pre-emptive rights. For the Merger Resolutions to constitute an operative direction waiving the pre-emptive rights, specific information regarding the shareholders' rights under the CA 2016 needed to be included. This information should have clarified that existing shareholders had a statutory pre-emptive right to be offered any new shares and that by voting in favour of the Merger Resolutions, they would be indirectly waiving these rights. Since this information was not provided, the court concluded that Concrete Parade's pre-emptive rights had been unfairly denied, resulting in an unjustified dilution of its shareholding. Next, it was held that S.223 is to be read conjunctively notwithstanding the use of the word ‘or’ between the two provisos. It imposes two separate requirements: one for entering the transaction and another for carrying it into effect. The Court of Appeal found that the Merger Agreements formed one composite transaction. For compliance with S.223, the HOA should have been subject to or contained a condition precedent for shareholder approval.
Additionally, since the BMA was executed before shareholder approval was obtained, it failed to comply with the requirement of prior approval. Therefore, the Court concluded that Apex Equity had failed to fulfil the shareholder approval requirement under S.223, rendering the proposed merger invalid. The Court of Appeal imposed a duty on directors to inform shareholders at both the entry and execution stages of the transaction. It held that failure to obtain prior shareholder approval at either stage renders the transaction void.

The Impact of the Court of Appeal’s Decision

The Court of Appeal's interpretation, where S.223(b)(i) and (ii) are read conjunctively, requires the directors to secure shareholder approval twice: once before entering into any form of agreement for a proposed acquisition or disposal of a substantial asset and again before executing it. This approach seems overly burdensome and impractical, potentially leading to the abandonment of many transactions and necessitating the preparation of two sets of documents. Such a requirement could hinder business operations and create unnecessary complexities. The Court of Appeal further held that the share buy-back transactions remained illegal despite the validation order granted by the High Court due to the contravention of relevant sections of the Companies Act and the failure to obtain shareholder approval. Moreover, the filing of validation proceedings without prior shareholder consent or approval was unjust and prejudicial to Concrete Parade's rights. It emphasised the importance of obtaining shareholder authorisation before taking actions that significantly affect the company's operations or financial transactions.

Analysis of the Federal Court’s Judgment

1) S.85 – Pre-emptive rights are subject to company’s constitution

S.85(1) grants shareholders the privilege to maintain their proportional ownership by offering them the opportunity to purchase shares before they are issued to outsiders.
However, this right is subject to the constitution of the company, which may renounce, disapply, or fortify such pre-emptive rights. The Federal Court disagreed with the Court of Appeal's interpretation that the pre-emptive rights are mandatory and pointed out the Court of Appeal’s failure to consider the purpose and intent of the Act in interpreting the provisions. It was held that S.85(1) allows for discretionary application of pre-emptive rights based on the company's constitution. The constitution prevails over statutory pre-emptive rights, allowing shareholders to determine whether to relinquish or retain such rights. Shareholders have the flexibility to determine the extent of their pre-emptive rights, as reflected in the constitution. Parliament did not intend to restrict directors' powers or mandate pre-emptive rights but provided shareholders the freedom to decide through general meetings.

Interpretation of S.75 and 85: The Federal Court discussed the relationship between sections 75 and 85. S.75 deals with the power of directors to allot shares, requiring prior approval by the company before directors can proceed. However, exemptions in S.75(2) allow for issuance without general meeting approval for certain purposes, such as financing acquisitions. When read together, S.75 and 85 establish the framework for pre-emptive rights of existing shareholders in the issuance of new shares. S.75 guarantees the general principle of pre-emptive rights, while S.85 allows companies to specify the details of these rights in their Articles of Association. The Articles of Association, as mentioned in S.85, can provide exceptions or modifications to pre-emptive rights, subject to the company's constitution.

Interpretation of Article 11: The Court of Appeal interpreted the phrase "subject to direction to the contrary by the company at general meeting" as requiring the company to inform shareholders of their pre-emptive rights before any proposed issuance of new shares for raising capital. This interpretation imposes obligations on the company to seek explicit consent from shareholders before deviating from standard procedures regarding share issuance. However, the Federal Court disagreed with this interpretation. It asserted that pre-emptive rights are discretionary and can be applied based on the company's constitution. The Federal Court emphasised that the phrase allows flexibility for the company to adapt its operations or decision-making processes as required by specific circumstances. It rejected the imposition of additional conditions on the company, which could hinder its ability to efficiently conduct corporate transactions.

2) S.223 should be read disjunctively and there is no requirement for 2-tier approval

The Federal Court disagreed with the Court of Appeal’s interpretation. It argued that the word "or" should be read disjunctively, meaning that compliance with either sub-paragraph (b)(i) or (b)(ii) sufficed. According to this interpretation, shareholders' approval could be obtained either before entering into an agreement for the transaction or before the actual transfer of ownership of the asset. The Federal Court reasoned that requiring compliance with both sub-paragraphs would lead to impractical consequences for companies. It emphasised the importance of upholding the purpose and intent of the Companies Act, which aims to balance regulatory requirements with the efficient operation of businesses. This interpretation aligns with the overarching goal of ensuring transparency and shareholder awareness without unduly hindering corporate activities.
In conclusion, the Federal Court held:

- S.223(1)(i) and (ii) of the Act can be read disjunctively, meaning compliance with either sub-paragraph suffices.
- At least one agreement forming a composite transaction must contain an express condition precedent requiring shareholder resolution, and shareholder approval in a general meeting satisfies S.223(1)(ii).
- S.223(1) of the Act does not impose an incumbent duty on directors to inform shareholders of an intention to enter into or carry out an acquisition or disposal of substantial assets based on previous court decisions.

3) Was Concrete Parade unfairly prejudiced?

The Federal Court disagreed with the Court of Appeal's assessment of whether Concrete Parade suffered unfair prejudice compared to other shareholders. The Federal Court argued that since the majority of shareholders had approved the merger, there was no unfair prejudice. It suggested that the oppression claimed may have been more indicative of a management versus shareholder conflict rather than a minority-majority shareholder dispute. Additionally, the Federal Court questioned the Court of Appeal's decision not to include the majority shareholders, who approved the transactions, as parties to the oppression action. This omission, according to the Federal Court, could have influenced the assessment of whether Concrete Parade was unfairly prejudiced. It emphasised the principle of majority rule in corporate governance and stated that claims of oppression under S.346 of the CA 2016 cannot be used to circumvent legitimate decisions made by the majority.

4) Was the oppression action properly brought by Concrete Parade?

Given the lack of established contraventions of relevant sections of CA 2016 and the failure to conclusively establish illegality regarding the share buy-back transactions, the Federal Court questioned the suitability of the oppression remedy.
It was asserted that an oppression finding couldn't be made under S.346 when shareholders had the opportunity to vote on transactions, approved them, and weren't party to oppression proceedings. The Federal Court highlighted the failure of the Court of Appeal to grasp this fundamental issue. Concrete Parade's failure to join the majority shareholders, who allegedly oppressed it, was deemed fatal to the oppression action. By solely targeting the directors, Concrete Parade's complaint lacked grounds for an oppression action, suggesting it should have been brought against the officers or directors for contravening CA 2016. The Federal Court argued that Concrete Parade's grievance was essentially against majority rule, disguised as an oppression action, constituting an abuse of statutory remedy. The conduct of Concrete Parade was scrutinised, particularly its decision to pursue an oppression action despite majority approval of transactions. The Federal Court questioned whether the action was filed to hinder the proposed merger rather than to address actual unfair prejudice. Concrete Parade's failure to demonstrate how it uniquely suffered prejudice, coupled with its attempt to hold directors accountable for majority decisions, indicated an abuse of the statutory process. In essence, the Federal Court concluded that Concrete Parade's oppression action lacked merit and appeared to serve a collateral purpose, constituting an abuse of the statutory process under S.346 of the Act.

5) S. 582: Share Buy-Back Transactions are not illegal under CA 2016

The Federal Court upheld the High Court's decision. Despite finding that the transactions lacked proper authorisation under CA 2016, the Federal Court disagreed with the Court of Appeal's conclusion that they were unlawful and void. Instead, the Federal Court criticised the Court of Appeal's legal interpretation, arguing that the transactions, while ultra vires, did not automatically constitute illegality.
The Federal Court refrained from definitively addressing whether S.582(3) could rectify an illegality, citing the conclusion that oppression wasn't established. Nonetheless, the Federal Court acknowledged the general view that S.582 should not rectify illegality. It was highlighted that there was uncertainty regarding whether the lack of authorisation for share buy-backs amounted to illegality under S.67A and 127 of the Act. Since the focus was on whether the transactions unfairly prejudiced Concrete Parade, this issue wasn't deemed crucial for resolution. Regarding the High Court's validation order, the Federal Court emphasised that while certain aspects of the transactions were unauthorised, this didn't automatically render the entire process void. Ultimately, even if the transactions contravened the company's constitution or were rendered void, there is no oppression on Concrete Parade because this would affect all the shareholders instead of Concrete Parade alone.

6) The Importance of Accurate Legal Citations in Judicial Proceedings

The Federal Court also took the opportunity to address an important issue regarding the citation of legal precedents. It highlighted a case where incorrect and outdated decisions were cited to the Court of Appeal, potentially leading to an erroneous judgment. Such errors, it emphasised, could have significant consequences, impacting corporate transactions and potentially causing confusion in legal interpretations. The Federal Court stressed the responsibility of legal counsel to ensure the accuracy and relevance of cited cases, emphasising the importance of thorough research. It noted that failure to do so could range from mere oversight to misleading the court, which is unacceptable conduct for any legal practitioner. The Federal Court also referenced a previous case to underscore the importance of well-researched advocacy, particularly in appellate proceedings.
It was emphasised that judges rely heavily on the arguments and authorities presented by counsel, and any inaccuracies could lead to misinterpretations of the law and undermine the administration of justice. In Malaysia, where legal professionals can appear before courts at various levels, maintaining high standards of advocacy is crucial for ensuring the accuracy and integrity of legal proceedings.

Conclusion

In complex transactions like mergers, the interpretation and application of provisions in CA 2016 require careful consideration of legal nuances and procedural requirements. The Federal Court's analysis provides clarity on the scope and application of the provision, guiding companies and legal practitioners in navigating the intricacies of company law. The Court of Appeal's failure to recognize the significance of majority rule in the context of the merger approval is a critical oversight. By overlooking the fact that shareholders collectively voted in favor of the merger at a general meeting, the Court of Appeal failed to grasp that any alleged prejudice suffered by Concrete Parade would have affected all shareholders equally. Moreover, it is essential to emphasise the paramountcy of majority rule in corporate governance. While S.346 of the CA 2016 introduces a statutory mechanism to address oppression, it is incumbent upon claimants to substantiate claims of unfairly prejudicial conduct. Attempting to invoke S.346 to circumvent situations where majority rule legitimately prevails, as demonstrated in this case, undermines the integrity of corporate decision-making processes. In essence, the principle of majority rule serves as the cornerstone of corporate governance, and statutory remedies for oppression should not be misused to challenge bona fide decisions made by the majority of shareholders.

About the authors

Lum Man Chan
Partner, Dispute Resolution
Halim Hong & Quek
manchan@hhq.com.my

Khew Gerjean
Pupil-in-Chambers, Dispute Resolution
Halim Hong & Quek
k.gerjean@hhq.com.my

Enforcement of Companies (Amendment) Act 2024

The Companies (Amendment) Act 2024 (“Amendment Act 2024”) came into operation on 1.4.2024. Following the Amendment Act 2024, the Companies Commission of Malaysia (“CCM”) has issued some guidelines pertaining to the amendments introduced by the Amendment Act 2024. In this article, we will address and highlight some salient amendments to the Companies Act 2016 (“CA 2016”) brought by the Amendment Act 2024.

1) Introduction of new Beneficial Ownership Reporting Framework

The new Division 8A of Part II introduced by the Amendment Act 2024 brought in the new beneficial ownership reporting framework. The new sections 60A, 60B, 60C, 60D, 60E and 60F of the CA 2016 cover the following:

i) The criteria of a beneficial owner;
ii) Register of beneficial owners;
iii) Company has power to obtain beneficial ownership information from its members and any person identified as beneficial owner or has information relating to a beneficial owner of the company; and
iv) The obligation of beneficial owners to notify companies of their status as beneficial owners of the companies including any changes to the beneficial ownership information recorded in the register of beneficial owners kept by the companies at the registered office.

According to the “Guidelines For The Reporting Framework For Beneficial Ownership Of Companies” issued by CCM, the introduction of the new beneficial ownership reporting framework aims to promote corporate transparency through a disclosure regime. This is due to the rising cases where businesses are misused to carry out illicit activities such as money laundering, terrorism financing, proliferation financing and other serious crimes, and where the individual perpetrators hiding behind such businesses employ devious means to prevent their identity from being easily detected.

What is a “beneficial owner”?

Section 60A of the Companies Act 2016 defines a beneficial owner as “a natural person who ultimately owns or controls over a company and includes a person who exercises ultimate effective control over a company.” Based on the “Case Studies and Illustrations of the Guidelines For the Reporting Framework For Beneficial Ownership of Companies” issued by CCM, an individual is a beneficial owner in a company limited by shares if he meets one or more of the following criteria:

a) Criteria A: If he holds, directly or indirectly, not less than 20% of the shares of the company.
b) Criteria B: If he holds, directly or indirectly, not less than 20% of the voting shares of the company.
c) Criteria C: If he has the right to exercise ultimate effective control, whether formal or informal, over the company or the directors or the management of the company.
d) Criteria D: If he has the right or power to directly or indirectly appoint or remove a director(s) who holds the majority of the voting rights at the meeting of directors.
e) Criteria E: If he is a member of the company and, under an agreement with another member of the company, controls alone a majority of the voting rights in the company.
f) Criteria F: If he has less than 20% of shares or voting shares but exercises significant control or influence over the company.

For a company limited by guarantee (without shares), the assessment will be based on Criteria C, D and E stated above only.

Pursuant to Section 60B of the CA 2016, it is mandatory for companies to maintain a register of beneficial owners which must be kept at the registered office of the company, or any other place in Malaysia, as notified to the CCM. Section 60C of the CA 2016 provides that a company has power to require its members to disclose the beneficial owner of the company and to provide certain information as specified in the Act. A failure to disclose or the provision of false information is an offence under the CA 2016.
In addition, Section 60D of the CA 2016 requires any person who has reason to believe that he is a beneficial owner of a company to notify the company as well as to provide the necessary information prescribed by the Act to the company. Any person who contravenes this section commits an offence. It should be highlighted that, at the time this article is written, no company is exempted from the application of the new Division 8A of the Companies Act 2016. The beneficial ownership reporting framework is a necessary requirement under the new Division 8A of the Companies Act 2016, which all companies must comply with even though they may incur more cost and take more time. Once again, any non-compliance with the beneficial ownership reporting framework is an offence.

2) Amendments to the Corporate Rescue Mechanism Provisions

According to the “Frequently Asked Questions – Companies (Amendment) Act 2024” issued by CCM, there are two policies underlying the amendments to the Companies Act 2016:

Policy 1: Widening the Application of Corporate Rescue Mechanism - Corporate Rescue Arrangement (CVA) and Judicial Management (JM)
Policy 2: Strengthening the Corporate Rehabilitation Framework

Policy 1

The amendment to Section 395 of the Companies Act 2016 aims at widening the application of CVA to all companies including public listed companies and companies which have created a charge over their property or undertaking.

Section 395 – Substitution for Section 395

Pre-Amendment:
Non-application of this Subdivision
395. This Subdivision shall not apply to—
a) a public company;
b) a company which is a licensed institution or an operator of a designated payment system regulated under the laws enforced by the Central Bank of Malaysia;
c) a company which is subject to the Capital Markets and Services Act 2007; and
d) a company which creates a charge over its property or any of its undertaking.

Amendment Act 2024:
Non-application of this Subdivision
395. This Subdivision shall not apply to—
a) a company which is a licensed institution or an operator of a designated payment system regulated under the laws enforced by the Central Bank of Malaysia;
b) a company which is approved or registered under Part II, licensed or registered under Part III, approved under Part IIIA or recognised under Part VIII of the Capital Markets and Services Act 2007; and
c) a company which is approved under Part II of the Securities Industry (Central Depositories) Act 1991.

In addition, the amendment to Section 403 of the Companies Act 2016 is aimed at clarifying that judicial management can be applied by all companies including public listed companies.

Section 403 – Amendment to Section 403

Pre-Amendment:
403. This Subdivision shall not apply to—
a) a company which is a licensed institution or an operator of a designated payment system regulated under the laws enforced by the Central Bank of Malaysia; and
b) a company which is subject to the Capital Markets and Services Act 2007.

Amendment Act 2024:
403. This Subdivision shall not apply to—
a) a company which is a licensed institution or an operator of a designated payment system regulated under the laws enforced by the Central Bank of Malaysia;
b) a company which is approved or registered under Part II, licensed or registered under Part III, approved under Part IIIA or recognised under Part VIII of the Capital Markets and Services Act 2007; and
c) a company which is approved under Part II of the Securities Industry (Central Depositories) Act 1991.

Policy 2

The salient amendments to the Companies Act 2016 for the purpose of strengthening the corporate rescue mechanism are as follows (Section, followed by Description / Remarks):

Section 368:
The new subsection 368(1A) will give companies applying for a restraining order under a scheme of arrangement or compromise an automatic moratorium upon filing of such application for a maximum of two months or until the Court decides on the application, whichever is earlier. To prevent abuse of process whereby the application for restraining orders can be used to continuously deprive the rights of creditors, Section 368(3B) provides that no restraining order would be granted by the Court if an order has been granted in the preceding 12 months involving a rescue financing, a cram down, an approval of the proposed scheme without a meeting of creditors or when a related company makes an application for a restraining order in relation to a proposed scheme.

Section 368A:
In some circumstances, restructuring does not involve just one company. In a larger restructuring of a group of companies, some other entities may be involved although they may not be part of the scheme of arrangement. Section 368A provides that a related company can apply for a restraining order on similar terms with the company undergoing the scheme of arrangement provided that the company plays an integral part in the scheme of arrangement.

Sections 368B and 415A:
‘Rescue Financing’ is defined as financing that is necessary for the survival of a company that obtains the financing, or financing that is necessary to achieve a more advantageous realisation of the assets of a company. In cognizance of the fact that financially distressed companies often face a higher cost of borrowing as banks or financial institutions become more wary of providing fresh loans without some form of protection, a new policy is introduced to provide better protection to parties giving the rescue financing. As such, under these sections, the Court is empowered to order the debt arising from any rescue financing to be secured against the property of the company on certain conditions. In the event the company is wound up, debts arising from rescue financing are given super priority over all other debts.

Section 368D:
A cram down is a mechanism that will allow the Court to compel dissenting creditors to be bound by the proposed scheme of arrangement. The aim of a cram down is to ensure that companies in distress will have a successful scheme with less interference and at the same time accord protection to the dissenting creditors. An application for cram down could be made to the Court provided that:
i. The scheme is approved by a majority of 75% of the total value of the creditors or members present
ii. The scheme is fair and equitable to each class of dissenting creditors

Section 367:
The amendment to Section 367 of the Companies Act 2016 imposes a mandatory requirement for the appointment of an insolvency practitioner to oversee the proposed scheme and report its status to the Court before the scheme is approved. The objective of this amendment is to ensure a higher chance that the proposed scheme would be successful.

Section 430A:
For a company that becomes subject to the proceedings in relation to a compromise or arrangement, a voluntary arrangement or a judicial management, Section 430A provides that an insolvency related clause in any contract for the supply of essential goods and services cannot be exercised against the company merely because the company becomes subject to those proceedings. What this means is that under the new section 430A, suppliers will have to continue to fulfil their commitments under their contract so that companies can continue trading through the rescue process, including making it easier for companies to maintain supply contracts that are essential for the continuation of the business. Essential supply contracts proposed under this new section would include the supply of water, electricity or gas.

Conclusion

The Amendment Act 2024 has brought many important amendments to the CA 2016. The new beneficial ownership reporting framework is introduced to address the gaps in the CA 2016 so as to be in line with the international standards i.e. the Financial Action Task Force (FATF) and the Organisation for Economic Co-Operation and Development (OECD) as well as international best practices.
The main objective of those standards is to combat money laundering and terrorist financing, as well as other illegal activities such as corruption and tax evasion. In addition, the amendments to the corporate rescue mechanism aim to facilitate the scheme of arrangement and judicial management. With the Amendment Act 2024, all public listed companies are also allowed to apply for the corporate rescue mechanism available under the CA 2016.

About the author

Jessica Wong Yi Sing
Senior Associate, Dispute Resolution
Harold & Lam Partnership
jessica@hlplawyers.com

Clarifying Developer Voting Rights in Management Corporation Meetings

Management Corporation (MC) meetings serve as crucial forums for decision-making in condominium and strata-titled developments, where stakeholders discuss various aspects of property management. One contentious issue often debated is the extent of voting rights held by developers over parcels they own as proprietors. This article aims to thoroughly analyse the legal framework surrounding this issue, shedding light on the nuances of developer entitlement to voting rights in MC meetings.

The determination of developer voting rights in MC meetings is guided by statutory provisions that outline the rights and obligations of property stakeholders. Section 21 of the Strata Management Act 2013 (SMA 2013) explicitly states that each proprietor, provided they meet eligibility criteria, has the right to vote on matters during MC meetings, whether on a show of hands or on a poll. Furthermore, Section 22(2)(c) identifies proprietors as parcel owners, underscoring their importance in property governance.

Central to the interpretation of voting rights is the definition of a parcel owner as outlined in Section 2 of the legislation. According to this provision, a parcel owner is defined as either the purchaser or the developer of a parcel. This definition serves as the foundation for understanding the developer's entitlement to voting rights, particularly concerning both sold and unsold units within the property.

Section 22(2)(g) is instrumental in delineating the developer's voting rights over unsold units. It explicitly states that developers possess voting rights equivalent to purchasers in respect of unsold units. This provision acknowledges the developer's ongoing involvement in managing and overseeing unsold parcels until they are transferred to individual purchasers.

However, the crux of the issue emerges when considering the developer's voting rights over sold units.
Despite being the proprietor of these parcels, the developer's classification as the parcel owner is subject to interpretation. This ambiguity stems from the definition of a purchaser as someone who has acquired an interest in the parcel. In the case of sold units, the interest in the parcel has been transferred to individual purchasers, thereby raising questions about the developer's status as the parcel owner in this context. Moreover, the transition of ownership from the developer to individual purchasers alters the dynamics of property management and governance. While the developer retains control during the development phase, their role evolves upon the sale of units. The transfer of ownership confers rights and responsibilities upon individual purchasers and diminishes the developer's direct involvement in the management of sold units.

In conclusion, the issue of developer voting rights in MC meetings requires a meticulous examination of relevant legal provisions. While developers enjoy voting rights akin to purchasers concerning unsold units, their entitlement to vote over sold units hinges on their classification as parcel owners. This classification is influenced by the transfer of ownership to individual purchasers, which diminishes the developer's direct stake in the management of sold units. By elucidating these distinctions, property governance can proceed in a manner that fosters transparency and equitable decision-making within the management corporation.

About the author: Noorvieana Lim, Associate, Real Estate, Halim Hong & Quek, noorvieana.lim@hhq.com.my

Cause Papers for Matrimonial Proceedings May Be Filed in the English Language Only

On 9.2.2024, the Federal Court in the case of Robinder Singh Jaj Bijir Singh v Jasminder Kaur Bhajan Singh [2024] 2 MLJ 126; [2024] 3 CLJ 647 ruled that the cause papers for matrimonial proceedings, including petitions, interlocutory applications and associated affidavits, filed under the Law Reform (Marriage & Divorce) Act 1976 and the Divorce and Matrimonial Proceedings Rules 1980, can be filed solely in English without an accompanying translation in the National Language. In Malaysia, marriage and divorce matters of non-Muslims are governed by the Law Reform (Marriage and Divorce) Act 1976. This Act does not apply to Muslims and the natives of Sabah & Sarawak.

BACKGROUND FACTS

The marriage between the parties, the Appellant (Husband) and Respondent (Wife) had irretrievably broken down. On 7.1.2022, the Respondent filed an ex-parte application in the High Court for interim sole custody, care and control of their son (“Enclosure 6”). On 24.1.2022, the High Court granted certain orders in Enclosure 6. However, the order lapsed after 21 days as it was not served on the Appellant. On 27.1.2022, the Respondent filed another application which was similar to Enclosure 6. On 24.3.2022, the Appellant filed an application to set aside the ex-parte order granted by the High Court on 24.1.2022 (“Enclosure 20”). Enclosure 20 was filed in the English Language without an accompanying translation in the National Language. On 18.4.2022, the Appellant filed an application for the interim guardianship, custody, care, control and access. The parties subsequently recorded a consent order. Thereafter, the Appellant requested for Enclosure 20 to be heard, which the Respondent also agreed to as the only matter outstanding was whether damages ought to be granted.

HIGH COURT

The High Court dismissed Enclosure 20 based on the following grounds:
- The Appellant failed to file the translation for Enclosure 20 within the time ordered.
- The Appellant failed to comply with Order 92 Rules 1(1) and (4) of the Rules of Court 2012 (“ROC 2012”) which requires a translation of the documents in the National Language to be filed within two weeks or within such extended time as allowed by the Court.
- The unavailability of a translation of the DMP Rules 1980 into the National Language is not a valid reason to not file a translation of Enclosure 20 and the related cause papers.

COURT OF APPEAL

The Court of Appeal upheld the decision of the High Court and held that Registrar’s Circular No. 5 of 1990 (“Registrar’s Circular”) is administrative in nature and cannot possibly prevail over the language requirement in Order 92 Rules 1(1) and (4) of ROC 2012.

ISSUES BEFORE THE FEDERAL COURT

The Federal Court granted leave to appeal in relation to the following questions of law:
1) Whether petitions for judicial separation or divorce (matrimonial proceedings) filed pursuant to the provisions of the Law Reform (Marriage and Divorce) Act 1976 (“LRA 1976”) and Divorce and Matrimonial Proceedings Rules (“DMP Rules 1980”) may be filed in the English Language only;
2) if so, whether all other cause papers filed in the matrimonial proceedings may be filed in the English Language only; and
3) if the answers to either one or both of the questions above are in the negative, whether the filing of the documents in English only is an irregularity that can be cured with the necessary directions by the Court that the said cause papers be filed in Bahasa Malaysia.

ANALYSIS AND DETERMINATION OF THE FEDERAL COURT

The Federal Court answered the first two questions in the affirmative, leaving the third question unnecessary for determination.
(1) The Registrar’s Circular Remains Valid

Section 2 of the National Language Act 1963/67 (Revised 1971) (“NLA 1971”) provides that the National Language shall be used for official purposes “Save as provided in this Act and subject to the safeguards contained in Article 152(1) of the Constitution relating to any other language and the language of any other community in Malaysia”. Section 8 of the NLA 1971 (as amended vide Act A765/1990 with effect from 30.3.1990) permitted the continued use of English for proceedings in court. To facilitate the amendment to Section 8 of NLA 1971, the Chief Judge of Malaya issued Practice Direction No.2 of 1990 (“PD 2/1990”), whereby the substance of PD 2/1990 was substantially reflected in the amended Section 8. Shortly after the issuance of PD 2/1990, the Registrar’s Circular No. 5 of 1990 (“Registrar’s Circular”) was issued, which allows the cause papers relating to divorce and matrimonial proceedings, insolvency and winding up proceedings to be filed in English until such time as the relevant rules are translated into the National Language and the translations are gazetted. In Circular No. 153 of 2019 captioned “Filing of Documents in English for Family Law Matters” dated 6.8.2019, the Managing Judge of the High Court in Kuala Lumpur confirmed that the Registrar’s Circular remains valid, as far as matrimonial proceedings are concerned. The Registrar’s Circular is still in effect today as the DMP Rules 1980, relevant to this appeal, have yet to be translated and gazetted.

(2) Order 92 of ROC 2012 Does Not Apply to Matrimonial Proceedings under LRA 1976

The High Court Judge dismissed Enclosure 20 as there was no translation of these cause papers into the National Language. The High Court relied on Order 92 Rule 1(1) of the Rules of Court 2012 (“ROC 2012”) which stipulates that “any document required for use in pursuance of these Rules shall be in the national language”.
However, Order 1 Rule 2(2) of ROC 2012 provides that “these Rules [ROC 2012] will not have any effect in or to those proceedings where separate rules have already been made or may be made under written law specifically for the purpose of such proceedings”. Further, Order 94 Rule 2(2) of ROC 2012 provides that in the event there is any inconsistency between any of the rules made under the specific written law in Appendix C and the ROC 2012, the former shall prevail. Matrimonial proceedings under LRA 1976 are one of the exempted written laws set out in item 5 of Appendix C. Therefore, ROC 2012, and in particular Order 92, does not apply to the matrimonial proceedings in this case.

CONCLUSION

The Federal Court allowed the appeal and set aside the decisions of the High Court and Court of Appeal. The Federal Court’s ruling resolved the lack of uniformity of practice in matrimonial proceedings. Prior to this decision, the High Court in Kuala Lumpur and Penang are said to accept cause papers for matrimonial proceedings in English while the High Court in Malacca has rejected cause papers that are not translated to the National Language. The position of the law on this issue is now settled: the cause papers for matrimonial proceedings under the LRA 1976 may be filed in English only, until the DMP Rules 1980 are officially translated and gazetted.

About the authors: Chew Jin Heng, Associate, Dispute Resolution, Halim Hong & Quek, jhchew@hhq.com.my; Khew Gerjean, Pupil-in-Chambers, Dispute Resolution, Halim Hong & Quek, k.gerjean@hhq.com.my

Can an Adjudication Decision, After Having Been Enforced Pursuant to Section 28 CIPAA 2012, Be Stayed Pursuant to Section 16(1)(b) CIPAA 2012?

The Federal Court has in its grounds of judgment for the case of ECONPILE (M) SDN BHD v ASM DEVELOPMENT (KL) SDN BHD [Civil Appeals Nos.: 02(f)-2-01/2023(W) and 02(f)-34-05/2023(W)] answered the following questions of law:

Question 1 (answered in the negative)
“Whether an adjudication decision, after having been enforced pursuant to Section 28 of CIPAA 2012 as an Order of the Court, can be stayed pursuant to Section 16(1)(b) of the CIPAA 2012”

Question 2 (answered in the positive)
“Whether the Court of Appeal in so deciding to allow the stay application pursuant to section 16(1)(b) CIPAA 2012 has overruled or disagreed, or gone beyond the ratio decidendi of the Federal Court decision in View Esteem Sdn Bhd v Bina Puri Holdings Sdn Bhd [2018] MLJ 22; [2019] 5 CLJ 479.”

The Facts

Adjudication Decisions

Econpile obtained 2 separate adjudication decisions against ASM for the respective sums of RM59,767,269.32 (CIPAA 1) and RM5,959,024,99 (CIPAA 2).

High Court (CIPAA 1)

Due to ASM’s failure to pay the sums awarded under the CIPAA 1 Adjudication Decision, Econpile had made an application to enforce the CIPAA 1 Adjudication Decision as a judgment of the High Court under Section 28 CIPAA 2012. Consequently, ASM had filed applications to set aside and/or stay the CIPAA 1 Adjudication Decision under Section 15(b), 15(d), and 16(1)(b) of CIPAA 2012. On 29.11.2019, the High Court dismissed ASM’s applications for setting aside and stay of the CIPAA 1 Adjudication Decision, and allowed Econpile’s application to enforce the CIPAA 1 Adjudication Decision.
In relation to ASM’s stay application, the High Court found that:
a) the fact that ASM has a claim which exceeds Econpile’s payment claim in arbitration cannot be regarded as a special circumstance unless it can be shown that there is a real danger that Econpile would not be able to pay ASM, which ASM failed to do.
b) further, there were no clear and unequivocal errors on the part of the learned Adjudicator in arriving at the adjudication decision, nor were there cogent reasons why a stay is warranted to meet the justice of the case or that the discretion ought to be exercised in ASM’s favour.

Court of Appeal (CIPAA 1)

ASM appealed against all three of the High Court’s decisions to the Court of Appeal. On 26.4.2022, the Court of Appeal dismissed ASM’s appeal against the High Court’s decision to enforce the adjudication decision, and ASM’s appeal against the High Court’s dismissal of ASM’s setting aside application. However, despite the Court of Appeal’s affirmation of the High Court’s enforcement order, the Court of Appeal allowed ASM’s appeal against the High Court’s dismissal of ASM’s stay application (“CIPAA 1 COA Stay Order”), and amongst others, held that there are no express prohibitions in the CIPAA stating that stay applications cannot be allowed after the enforcement order has been made. On 3.1.2023, Econpile was granted leave to appeal against the CIPAA 1 COA Stay Order to the Federal Court. ASM did not file an appeal against the Court of Appeal’s dismissal of ASM’s other two appeals.

High Court (CIPAA 2)

Similarly, due to ASM’s failure to pay the sums awarded under the CIPAA 2 Adjudication Decision, Econpile had made an application to enforce the CIPAA 2 Adjudication Decision as a judgment of the High Court under Section 28 CIPAA 2012. ASM also filed applications to set aside and/or stay the CIPAA 2 Adjudication Decision under Section 15(b), 15(d), and 16(1)(b) of CIPAA 2012.
On 28.10.2020, the High Court allowed Econpile’s application to enforce the CIPAA 2 Adjudication Decision and dismissed ASM’s applications to set aside the CIPAA 2 Adjudication Decision. On 4.2.2021, the High Court dismissed ASM’s application to stay the CIPAA 2 Adjudication Decision. In relation to ASM’s stay application, the High Court found that there are neither instances of disregarding nor wrong interpretation of statute or misreading and/or application of case authorities that resulted in the CIPAA 2 Adjudication Decision as being erroneous and there are no unequivocal errors to justify the stay.

Court of Appeal (CIPAA 2)

ASM appealed against all three of the High Court’s decisions to the Court of Appeal. The appeal was heard before a different panel from the CIPAA 1 Appeals. On 28.10.2022 and 25.11.2022 respectively, the Court of Appeal, after considering the circumstances of the individual case, dismissed ASM’s appeals against the High Court’s decision which enforced the adjudication decision, the High Court’s dismissal of ASM’s setting aside application and the High Court’s dismissal of ASM’s stay application (“CIPAA 2 COA Dismissal of Stay Order”). On 13.4.2023, ASM was granted leave to appeal against the CIPAA 2 COA Dismissal of Stay Order to the Federal Court. ASM did not file an appeal against the Court of Appeal’s dismissal of ASM’s other two appeals.

Federal Court’s Findings (CIPAA 1 & CIPAA 2)

Leave to appeal was granted for both cases. At the appeal proper, the Federal Court allowed Econpile’s appeal against the CIPAA 1 COA Stay Order, and dismissed ASM’s appeal against the CIPAA 2 COA Dismissal of Stay Order, with global costs of RM100,000.00 to be paid by ASM to Econpile.
Question 1 (answered in the negative)

The Federal Court found that the Court of Appeal’s (CIPAA 1) finding, namely that because there is no express provision in CIPAA prohibiting the granting of a stay after an enforcement order is granted, an application for stay can be considered and granted, is flawed for the following reasons:
- A court must favour construction of a statute which promotes the purpose, object or intent of the legislation.
- CIPAA is legislation crafted to address issues common in the construction industry, in particular cash flow problems for the unpaid party, and provides only temporary finality to the payment claims. It is not the end of the end.
- The Act was designed with the ultimate aim to assist the parties in construction dispute to be paid expeditiously for the work which they had carried out and for adjudication proceedings for payment claims that are due and payable before the determination of the contract.
- There is no provision for a stay of adjudication decision (S.16) after an enforcement order is given.
- Applying the principles of interpretation of statutes, in the absence of a specific provision the court is not statutorily empowered to grant a stay if the adjudication decision is not set aside. To do so would be incongruent to the intent and purpose of CIPAA.

Question 2 (answered in the positive)

In answering Question 2, the Federal Court held that the principles enunciated in View Esteem must be followed in an application for a stay of an adjudication decision pursuant to Section 16 CIPAA if an application to set aside the adjudication decision under Section 15 of the same Act has been made or the subject matter of the adjudication decision is pending final determination by arbitration or the court.
KEY TAKEAWAYS

In view of the Federal Court’s decision that after an enforcement order under Section 28 CIPAA 2012 is made, an adjudication decision cannot be stayed under Section 16(1)(b) of CIPAA 2012, it is prudent for legal practitioners to ensure that a stay application under Section 16(1)(b) of CIPAA 2012 is decided before / together with an application under Section 28 of CIPAA 2012. In the circumstance where a party wishes to appeal to the Court of Appeal against a dismissal of a Section 16(1)(b) stay application, it is also prudent for the party to ensure that where an enforcement order has already been made, an appeal should also be filed against the enforcement order. However, one must also bear in mind that the Court’s jurisdiction to grant stay of execution of a court order, based on the special circumstances test, is not curtailed by this Federal Court decision. The Federal Court's decision on this issue is important to the development of the statutory adjudication framework in Malaysia as it has provided clarity to the relationship between Section 28 CIPAA 2012 and Section 16(1)(b) CIPAA 2012.

About the author: Lim Ren Wei, Associate, Construction & Energy, Harold & Lam Partnership, renwei@hlplawyers.com

Determinants of Share Unit & Its Significance in Strata Development

Owning a strata property comes with the entitlement of share units which entails varying rights and liabilities depending on the value of the share unit owned. The Court of Appeal in the case of Muhamad Nazri Muhamad v. JMB Menara Rajawali & Anor [2020] 4 MLRA 288 (“JMB Rajawali case”) provides a comprehensive explanation of the concept of share unit and the extent of the power of a management committee of a Joint Management Body (“JMB”) or Management Corporation ("MC") concerning share units. According to Section 4 of the Strata Title Act 1985 (“STA”), “share unit” in respect of a parcel means the share units determined for that parcel as shown in the schedule of share units. Section 18 of the STA further provides that every parcel shall have a share value as approved by the Director and expressed in whole numbers to be known as share units. Vernon Ong, one of the panel of judges of the Court of Appeal (“JCA”) (as he then was), explained in the judgment the concept of share unit which is a feature peculiar to strata development. Share unit is an essential method in determining each parcel owner’s: (i) voting rights, (ii) share in the common property, (iii) contribution to maintenance and administrative expenses, and (iv) proportional liability for the debts of the JMB or MC.

Concerning voting rights, a matter to be decided in a general meeting is generally on a show of hands, unless a poll is demanded by a proprietor or the proxy, as provided in Section 17(1) of the Second Schedule of Strata Management Act 2013 (“SMA”). In this sense, different amounts of share units determine the extent of voting power in the general meeting, depending on the mode of decision-making. To illustrate, each parcel owner shall have one vote on a show of hands at a general meeting of the JMB or MC. But, on a poll, each parcel owner shall have such number of votes, corresponding to the number of share units, as provided in Section 22(2) of the Second Schedule of SMA.
This means parcel owners with higher share value will enjoy more voting power when voting on a poll. Vernon Ong JCA further clarifies that on the flip side, the higher share value translates into a liability to pay higher aggregate maintenance charges and contributions to the sinking fund.

Another question that begs to be asked is how the share units are determined. Vernon Ong JCA put it simply that the share units of a parcel are the area of that parcel multiplied by the weightage factor for that type of parcel, and the weightage factor for the entire floor parcel. If there is any accessory parcel, the area of the accessory parcel is multiplied by a weightage factor for that accessory parcel. If there is more than one accessory parcel, the calculation formula shall apply to each accessory parcel, and it shall then be added accordingly. Both the value of the parcel and accessory parcel are then added to determine the total share units for each parcel. Furthermore, as to how the share unit is calculated, it shall be per the formula under the First Schedule of the SMA, as provided in Section 8(1) of the SMA. The calculation takes into account the area of the parcel and accessory parcel and three weightage factors namely WF1, WF2 and WF3. The formula for the computation of allocated share units can be clearly described as follows:

The allocated weightage factors are based on different sets of criteria. In weightage factor WF1, there are 3 main differentiations including (i) type of parcels; (ii) between parcels with or without air-conditioning to the common areas or corridors, lobbies and foyers; and (iii) between parcels having benefit or no benefit of common lift/escalator facility. Weightage factor WF2 is related to the whole floor parcel with differentiation between parcel inclusive or exclusive of lifts or escalator, while weightage factor WF3 is related to an accessory parcel with differentiations between the accessory parcel outside or within buildings.
These different weightage factors are taken into account in determining the value of the share unit. In short, this confirmation of share unit, in turn, determines the amount of, among others, the contribution to the management fund by each parcel, which is to be determined by the JMB as required under Sections 21 and 25 of SMA. These provisions mandate that contributions to the management fund be determined on a share-unit basis. On the other hand, as mentioned by Vernon Ong JCA in the JMB Rajawali case, flexibility is conferred on an MC where it can fix different rates for different types of parcel, not necessarily on a share unit basis, as provided in Section 60(3)(b) of SMA, in 2 specific situations including, (i) parcels which are used for significantly different purposes, and (ii) provisional blocks.

About the author: Muhammad Aiman Anuar bin Mohd Ali Azhar, Associate, Real Estate, Halim Hong & Quek, muhammad.aiman@hhq.com.my

Defence of Limitation cannot be raised in Recovery of Tax Action?

The recent case of Kerajaan Malaysia v Dreamedge Sdn Bhd & Anor [2024] MLJU 473 was a straightforward case where the Government of Malaysia (“Government”) sought to recover outstanding income tax amounting to RM3,292,579 from Dreamedge Sdn Bhd (“Taxpayer”) and its director (“Director”) and the High Court held that, amongst others, the defence of limitation cannot be raised in the recovery of tax action.

Background Facts

The Government issued Notices of Additional Assessments dated 31.5.2021 for the years of assessment 2011, 2012, 2013, 2014, and 2015. The Taxpayer and its Director sought to strike out the Government’s claim, relying on Section 91(1) of the Income Tax Act 1967 and/or Section 6(1)(d) of the Limitation Act 1953. The Director also argued that the Notices of Additional Assessments were not properly served on him. The Government sought to enter summary judgment against the Taxpayer and its Director.

Decision

The High Court held that, amongst others: Section 6(1)(d) of the Limitation Act 1953 is an Act of general application, and the proviso in Section 33 of the Limitation Act 1953 clearly states that limitation does not apply to an action by the Government for the recovery of tax. Matters like fraud, wilful default, or negligence under Section 91(3) of the Income Tax Act 1967 are matters for the Special Commissioners of Income Tax’s (“SCIT”) consideration. Besides, the normal argument of triable issues has no application in tax recovery claims filed by the Government. On the issue of service, the High Court held that service on the Taxpayer could not be deemed as service on its Director and found that the Director had not been served in accordance with Section 145 of the Income Tax Act 1967. The summary judgment application against the Taxpayer is allowed but the Director’s striking out application is allowed.

Commentary

This case reaffirms that the defence of limitation cannot be raised in the recovery of tax action.
However, it is highlighted that the defence of limitation is still a good ground of defence in challenging a notice of assessment where the burden of proof is on the part of the Inland Revenue Board of Malaysia to prove fraud, wilful default, or negligence under Section 91(3) of the Income Tax Act 1967 before the SCIT. Hence, it is imperative for taxpayers to appeal against the notice of assessment within the statutory timeframe. This case also serves as a reminder that the service of notice of assessment plays a crucial role in proceedings involving income tax, and improper service could (and does) result in a claim being struck out. This is a valid and arguable defence for taxpayers who are otherwise severely handicapped in summary judgment proceedings. Thus, taxpayers are encouraged to be cognizant of the procedural requirements regarding income tax proceedings and consult a tax lawyer on the same (if required).

About the authors: Desmond Liew Zhi Hong, Partner, Tax, Halim Hong & Quek, desmond.liew@hhq.com.my; Boey Kai Qi, Associate, Tax, Halim Hong & Quek, kq.boey@hhq.com.my

Constructive Dismissal: The Applicable Test - “Contract Test” vs The “Reasonableness Test”

The recent Federal Court judgment in Tan Lay Peng v RHB Bank Berhad (Civil Appeal No.01(f)-10-04/2023(P)) brings into focus the intricate balance between the contract test and the reasonableness test in cases involving constructive dismissal in Malaysia. Our Apex Court reaffirmed the traditional reliance on the contract test, aligning the Malaysian position with longstanding common law principles.

The Principle of Constructive Dismissal

Constructive dismissal occurs when an employee resigns/walks out of the employment allegedly due to the employer's conduct which can be regarded as fundamentally breaching the terms of the employment contract, thus creating an untenable work environment for the subject employee. Unlike straightforward summary dismissals, constructive dismissal encapsulates situations whereby the termination is forced/triggered by the employer’s actions.

Brief background facts

This case involves a former employee, one Mr. Tan (“Mr Tan/Appellant”), of RHB Bank Berhad (“the Bank/Respondent”). Mr. Tan later passed away and was represented by his administratrix, one Ms. Tan. Mr. Tan was employed by the Bank as its Operations Head, Thailand Operations in Bangkok, the sole branch of the Bank at the material time. In November 2013, the Bank opened its second branch in Sri Racha which was placed under the supervision of Mr. Tan. Not long after, the bank issued a transfer order for Mr. Tan to assume the role of Branch Manager of the Ayutthaya branch. The order stipulated that such assignment is for a period not more than 9 months. Mr Tan complied and has been transferred to the Ayutthaya branch since then. However, despite such assignment, the bank subsequently appointed a Thai national as the Branch Manager and issued another transfer order to Mr Tan to the International Infrastructure, PMO and Operation Support, Group International Business in Malaysia.
Mr Tan objected vigorously to his repatriation to Malaysia because he opined that such transfer will ‘kill his career’ and was done without any reasonable justification. Therefore, he did not comply with the order and claimed that he was constructively dismissed by the bank. The Industrial Court gave an award in favour of Mr Tan, and that decision was maintained by the High Court. The Bank, being dissatisfied with the decision, appealed to the Court of Appeal.

Court of Appeal

The Court of Appeal reversed the decision on the ground that the Industrial Court had applied the wrong test, i.e. the reasonableness test, in determining whether there was constructive dismissal.

Question of law posed before the Federal Court

“Is there a difference in the contract test or reasonableness test in light of major developments in industrial jurisprudence?”

Grounds of judgement of the Federal Court

The Federal Court upheld the decision of the Court of Appeal. It referred to the trite law in Pan Global Textiles Bhd Pulau Pinang v Ang Beng Teik [2002] 1 CLJ 181 whereby the following observation was made, that the court ought to apply the contract test to determine if the employer was guilty of any breach which went to the root of the contract or had evinced an intention not to be bound by it. In the present case, the Federal Court unanimously reaffirmed the primacy of the contract test being the settled law for the applicable test for constructive dismissal cases. The reasonableness of an employer's actions, while relevant, should not alone determine constructive dismissal. The test of reasonableness refers to what a reasonable man, in his right mind, considers fair and proper based on the particular facts and circumstances of the case. The assessment must relate to the contract of employment and its fundamental breach or repudiatory breach.
The rationale is that the reasonableness of an employer’s conduct is very subjective and depends on the circumstances of the situation and other related factors. It is too wide and indefinite to be made a legal requirement for a constructive dismissal case. The reasonableness of the employer’s conduct could also be easily subject to different opinions by tribunals or courts. Any departure from the contract test to the reasonableness test will unsettle industrial relations by introducing uncertainty and confusion.

Conclusion

The adherence to the contract test in fact aligns with other jurisdictions like the UK, Singapore and Australia, where the contract test remains foundational, notwithstanding the contextual assessment of reasonableness in determining whether an employer's conduct amounts to a fundamental breach. Put simply, our court, in determining constructive dismissal cases, should consider whether there was a breach of contract by the employer in the conduct/exercise being complained of, instead of going into the bona fides and reasonableness of such conduct.

About the authors: Thoo Yee Huan, Senior Partner, Dispute Resolution, Halim Hong & Quek, yhtoo@hhq.com.my; Esther Lee Zhi Qian, Pupil-in-Chambers, Dispute Resolution, Halim Hong & Quek, esther.lee@hhq.com.my

E-Waste and ESG Compliance: What Companies Need to Know

Introduction

In an era of rapid technological advancement, companies are expanding quickly, driven by the efficiencies provided by the latest technology. To stay competitive, companies are constantly upgrading their electrical and electronic equipment; however, this constant upgrading leads to a critical question that too often goes unasked: "Where does our e-waste go?" As Environmental, Social, and Governance (“ESG”) issues become increasingly important, this is a topic that companies, general counsels, chief sustainability officers, and even boards of directors cannot afford to overlook. This article explores the significance of electronic waste (“e-waste”) and how companies should address it within the context of ESG and the legal framework.

What is E-Waste and Why Does it Matter for ESG?

To grasp the concept of e-waste, it is important to first note that there isn't a single standardized definition of 'e-waste'. Generally, e-waste refers to discarded electronic and electrical devices. Common corporate e-waste includes computers, laptops, monitors, networking equipment, servers, and storage devices. As technology progresses, these devices quickly become obsolete, and companies frequently update their hardware to keep pace with advancements in software and security, thereby generating significant amounts of e-waste. As technology continues to advance, the problem only escalates. So, what is the big deal with e-waste? While the responsibility for handling and disposing of e-waste often falls to facilities management or the IT department, the issue is far from straightforward. E-waste typically contains hazardous substances like lead, mercury, and cadmium. Therefore, improper handling and disposal of e-waste can lead to severe environmental damage, including soil contamination, water pollution, and air pollution.
Hazardous substances from e-waste can leach into the soil, disrupting plant growth and ecosystems; when e-waste is disposed of near water sources, toxins can seep into groundwater or flow into rivers and lakes, impacting aquatic life and drinking water supplies. Moreover, burning e-waste releases toxic fumes, contributing to respiratory issues and air pollution. Given these impacts, companies committed to ESG principles must take responsibility for managing their e-waste in ways that minimize environmental risks.

E-Waste Regulations in Malaysia: A Checklist for E-Waste Compliance

As companies commit to being more ESG-responsible, addressing e-waste has become an unavoidable priority. In Malaysia, the disposal, treatment, storage, and labelling of e-waste are regulated by the Environmental Quality (Scheduled Wastes) Regulations 2005. We will simplify this complex topic into a checklist of five straightforward questions that all companies should ask themselves when it comes to e-waste management:

1. How is e-waste being disposed of?

When it comes to the disposal of e-waste, companies may often choose efficiency or convenience over compliance, such as using illegal landfills, unregulated recyclers, or unauthorized locations like rivers, forests, or vacant land. Legally, e-waste must only be disposed of at licensed facilities, including licensed land treatment facilities, landfills, or waste incinerators. It is crucial to ensure that these facilities are properly licensed, as disposing of e-waste at unlicensed sites is illegal.

2. How do companies store e-waste?

Some companies may store e-waste in non-specialized locations such as regular storehouses, basements, or parking lots, which will lead to potential fire hazards and toxic leaks. Proper storage of e-waste requires containers that are compatible with the nature of the e-waste, designed to prevent spillage and leakage.

3. Is e-waste being properly labelled?
It is essential for companies to label e-waste containers clearly with the name, address, and telephone number of the generating company. Labelling not only facilitates tracking the lifecycle of electronic products but also ensures that companies remain accountable for their products from production to disposal.

4. Is there an inventory of e-waste?

Companies should maintain an accurate and up-to-date inventory of e-waste, including details on the quantities generated, treated, and disposed of, and keep these records for at least three years from the date the e-waste was generated. An inventory not only ensures compliance with environmental laws but also aids in efficient waste management by identifying reusable, recyclable, or specially disposable components.

5. Are training programs organized about e-waste?

Companies must ensure that their employees attend training programs that cover e-waste identification, handling, labelling, transportation, storage, and spill response.

Conclusion

Given the growing focus on ESG, companies can no longer afford to ignore e-waste. Proper management and disposal of e-waste are not just about compliance but also about corporate responsibility and minimizing environmental impact. By following the checklist above, companies can ensure they are on the right path toward responsible e-waste management. For further guidance, companies are encouraged to work with external legal counsels familiar with the technology industry and ESG compliance.

If your company is interested in learning more about responsible e-waste management, ESG compliance, or requires legal guidance in addressing any related concerns, please don't hesitate to reach out to our team of experienced lawyers. We are well-versed in regulations governing e-waste and can provide tailored advice to ensure your company aligns with the latest ESG standards.
Contact us today to discuss how we can support your sustainability journey and help you navigate the complexities of environmental compliance.

About the authors

Ong Johnson, Partner, Head of Technology Practice Group (Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity), johnson.ong@hhq.com.my

Lo Khai Yi, Partner, Co-Head of Technology Practice Group (Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity), ky.lo@hhq.com.my

Tan Zhen Chao, Associate (Real Estate, Project Development, Strata Management & Dispute Resolution), zctan@hhq.com.my

Real-World Assets in Blockchain: Why Companies Should Pay Attention

Introduction

As the global acceptance and adoption of blockchain technology accelerates—highlighted by the U.S. approval of Spot Bitcoin ETFs—many companies remain hesitant to engage with this burgeoning field. This reluctance often stems from a lack of familiarity with blockchain’s benefits and its potential applications. While cryptocurrencies often dominate headlines, a quieter yet significant transformation is underway: the tokenization of real-world assets (RWAs). This development has profound implications for businesses across sectors.

In this article, we aim to demystify RWAs tokenization and outline why they deserve more than just cursory attention from corporate strategists.

Understanding Real-World Assets (RWAs) Tokenization

To grasp the concept of RWAs tokenization, it is essential to acknowledge that there is no fixed definition, given its evolving nature. Generally, RWAs tokenization can be understood as any asset—physical, digital, tangible, or intangible—from the real world that is tokenized and represented on a blockchain. Tokenizing an asset involves creating a digital twin on the blockchain, facilitated through digital tokens that represent ownership or a share of the RWAs. These tokens can then be traded, transferred, and integrated into smart contracts, offering novel ways to manage and leverage assets in a digital economy.

Why Should Companies Pay Attention to RWAs Tokenization?

Companies might then wonder why they should pay attention to RWAs tokenization and what the benefits are for their businesses. In this article, we will explore five key advantages of RWAs tokenization that can drive innovation and growth for companies:

1. Speed and Efficiency: Tokenizing RWAs enables assets to be traded 24/7 globally on the blockchain without any time restrictions. This capability significantly increases the speed and efficiency of transactions since the system operates continuously, even outside traditional trading hours and on holidays.

2. Utilization of Smart Contracts: RWAs tokenization benefits from the integration of smart contracts, which are self-executing contracts with the terms of the agreement written directly into lines of code. Stored on a decentralized blockchain network, they automatically execute when predefined conditions are met. Smart contracts facilitate, verify, and enforce contract terms without intermediaries, providing efficiency and security and removing the need for third parties to facilitate, verify, or execute contracts, thereby ensuring full transparency and security between parties.

3. Reduced Costs: Since tokenized RWAs operate on blockchain and are supported by smart contracts, they eliminate the need for middlemen to facilitate, verify, and execute contracts, reducing traditional administration costs and transactional costs significantly.

4. Transparency: Transactions involving tokenized RWAs are recorded on blockchains, making all operations, deals, and activities fully visible to network participants. Furthermore, once a smart contract is deployed on a blockchain, it cannot be tampered with or changed, ensuring immutability in a transparent environment that fosters trust among parties and stakeholders.

5. Fractionalization: A largely underemphasized yet revolutionary benefit of tokenized RWAs is their ability to be fractionalized. This means assets can be divided into smaller portions, allowing multiple investors and individuals to co-own parts of the assets. Beyond efficiency, low transaction fees, speed, and transparency, the revolutionary benefit of tokenized RWAs lies in their ability to fractionalize assets, and it is a feature that companies cannot afford to overlook.

Potential Real-World Applications of Tokenized RWAs

Companies can harness the benefits of fractionalization by exploring various real-world applications of tokenized assets.
Here are three examples of how companies can leverage the fractionalization of tokenized RWAs:

1. Tokenizing Carbon Credits: Companies involved in environmental projects can tokenize carbon credits by converting them into digital tokens on a blockchain. For example, a company that manages reforestation or afforestation projects can receive certification from recognized environmental organizations for the carbon offsets generated. The certified carbon credits are then tokenized on a blockchain, with each token representing a specific quantity of carbon offset—typically, one metric ton of CO2 equivalent. These tokens can be traded, allowing companies and individuals to buy or retire them to offset their carbon footprint.

2. Tokenizing Real Estate: In this scenario, a property developer can tokenize an entire building, such as a corporate tower, offering token holders a share in the rental income generated by the property. This approach opens the door for a broader range of investors to participate in large-scale real estate projects. Instead of relying on a single major funder, who might require significant discounts, the fractionalization of real estate allows multiple investors to contribute smaller amounts. This flexibility can accelerate the funding process and make large real estate projects more accessible.

3. Tokenizing Financial Products: Tokenization can make financial products, like bonds or sukuks, accessible to a wider audience. Traditionally, some of these financial products have only been available to institutional or high-net-worth investors, limiting participation for those who don't meet strict asset or income requirements. However, by tokenizing financial products, they can be divided into smaller, more affordable units. This democratization of financial products allows more investors to participate, thereby increasing market liquidity and diversifying the investor base.
These examples demonstrate how fractionalizing tokenized RWAs can create new opportunities for companies and investors by making assets more accessible, reducing barriers to entry, and promoting broader participation. The shift toward tokenization could lead to greater market efficiency, increased liquidity, and smoother investment processes across various sectors.

However, RWA tokenization remains a relatively new concept, subject to ongoing exploration and testing across different jurisdictions. While the potential benefits are significant—opening new business possibilities for companies—the novelty of the approach brings with it uncertainty in regulations. As a result, companies and, particularly, their general counsels should work closely with lawyers who have a deep understanding of blockchain and RWA tokenization. This collaboration will help ensure that companies navigate regulatory complexities and legal requirements safely and effectively.

About the authors

Ong Johnson, Partner, Head of Technology Practice Group (Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity), johnson.ong@hhq.com.my

Lo Khai Yi, Partner, Co-Head of Technology Practice Group (Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity), ky.lo@hhq.com.my

CYBER SECURITY ACT IMPLEMENTATION – Things for the National Critical Information Infrastructure Entities to Take Note of

Building on our last article on the key takeaways of the new Cyber Security Bill 2024, titled “Cyber Security Bill 2024 Decoded 5 Key Insights for Strategic Compliance”, this article seeks to expound on some of the key considerations that soon-to-be national critical information infrastructure (“NCII”) entities (the “NCII Entities”) should pay attention to.

As we have covered in our previous article, any government entity or person (legal or natural) that owns or operates any NCII will highly likely be designated as an NCII Entity. Once designated as an NCII Entity, it will have to, among other things, (i) take part in the preparation of the code of practice applicable to the NCII sector that the NCII Entity is in; (ii) provide information, particulars or documents potentially relating to the function and design of the computer or computer system owned or operated by the NCII Entity; (iii) provide information relating to the NCII that the NCII Entity owns or operates; and (iv) conduct periodic cyber security assessments and audits and report the same to the Chief Executive of the National Cyber Security Agency (“NACSA”).

With this article, we hope to draw the attention of the NCII Entities to some of the points to take note of while complying with the obligations under the Cyber Security Act 2024 (the “Act”).

Disclosure Requirements

As explained earlier, NCII Entities have certain obligations under the Act to disclose certain information and documents to the corresponding NCII sector lead(s) upon request. Information and document disclosure obligations are also relevant when an NCII Entity encounters a cyber security incident and upon completion of a cyber security risk assessment and audit. When fulfilling these obligations, it is crucial that the NCII Entities ensure that they do not disclose any information that would jeopardise their business interests or unknowingly translate into risk or liability to the organisation.
Assessments should be made during each disclosure to ensure that (i) confidential information and sensitive information of the organisation are not inadvertently included in the disclosure; (ii) source code is not disclosed unless strictly necessary when disclosing information relating to the organisation’s computer systems, especially where some of those systems are proprietary; (iii) personal data of data subjects being processed by the NCII Entities is not included, or is at least anonymised, to avoid potential non-compliance with the personal data protection law; and (iv) only relevant information is disclosed, by applying the principle of data minimisation: NCII Entities should only provide the minimal amount of data necessary for compliance with regulatory requirements or for effective response to a cyber security incident, and should not overshare information just for the sake of getting through the regulatory obligations while undermining their business interests in the process.

Potential Centralisation Risk

Disclosing information requested by the NCII sector lead(s), especially information relating to the function and design of the computer or computer system owned or operated by the NCII Entities, has the potential to create centralisation risk. To the extent that the information disclosed could be used to better understand the architecture and design of an NCII Entity’s computer or computer system, and to find out the exact software and hardware used by the NCII Entity, it would undeniably become a treasure trove for cyber criminals and advanced persistent threat actors. Gathering this information at one single location, be it with the NCII sector lead(s) or the Chief Executive of NACSA, will draw the attention of malicious actors.
While technical measures will certainly be put in place to safeguard this information, NCII Entities should also consider, to the extent permissible, encrypting the information disclosed to the NCII sector lead(s) to better secure it.

Coordinated Incident Response

Under the Act, the Chief Executive of NACSA has the power to direct the NCII Entities on how to respond to a cyber security incident, and indirectly, this may mean that an NCII Entity no longer has full discretion to decide on its incident response measures. Decisions such as whether or not to make a ransom payment, how to address the public, whether or not to temporarily shut down the network, whether to negotiate with threat actors, etc., may potentially have to be cleared by the Chief Executive of NACSA before proceeding.

Incident response is always a race against time. As such, it is very common for organisations to call the shots quickly while in a war room when faced with a cyber security incident, to cut losses or to mitigate and contain risks. With the passing of the Act, it would be crucial for the NCII Entities to first communicate their action plans to the Chief Executive of NACSA prior to execution, so as not to attract additional liabilities.

Therefore, in addition to coordinating the incident response plans with the Chief Executive of NACSA, NCII Entities should work on establishing pre-defined communication protocols and contact points at NACSA. This preparation should include clear guidelines on how to quickly communicate and escalate incidents to NACSA. Pre-established communication channels, such as dedicated hotlines, encrypted messaging systems, or secure email gateways, can significantly reduce the response time during a cyber security incident.
By having these protocols in place, NCII Entities can ensure that they can swiftly reach the necessary contacts within NACSA and relay critical information without unnecessary delays, thus maintaining the pace needed for an effective response to cyber threats.

Closing Remarks

Given the importance of NCII to the economy of a country, it is expected that the Act, when in force, will be actively enforced by the authorities. In case readers are unable to fully grasp the extent of disruption that can be caused by an NCII-targeted cyber security incident, the Colonial Pipeline ransomware attack that took place back in 2021 in the U.S. offers a good example. Colonial Pipeline, one of the largest and most vital oil pipelines in the U.S., was hit with a ransomware attack in May 2021, which forced Colonial Pipeline to shut down part of its network for several days to contain the incident. Colonial Pipeline eventually paid the ransom and resumed operation of the pipeline, but the damage of the incident was not limited to just monetary loss to Colonial Pipeline. The shutdown of the pipeline caused panic-buying of gas, disruption of the supply chain, as well as an increase in gas prices to the highest level since 2014. Several states in the U.S. declared states of emergency due to this incident. No doubt the incident had a direct impact on the daily lives of U.S. citizens, which highlights the importance of NCII and the criticality of ensuring its cyber security preparedness.

The Act in itself is not sufficient to increase the cyber security preparedness and readiness of the NCII in Malaysia. It does, however, provide an important framework for the establishment of codes of practice for each NCII sector, the implementation of and compliance with which would ensure that certain minimum standards on cyber security are met.
NCII Entities form the main line of defence against cyber threat actors causing disruptions to Malaysia's economy, and the stakes are definitely high should they fail to do so.

Navigating through compliance with new legislation is never an easy feat. Where there is any doubt or uncertainty as to the newly imposed obligations under the Cyber Security Act 2024, or as to the extent to which an organisation designated as a national critical information infrastructure entity must comply with the provisions of the legislation, please feel free to reach out to the partners at the Technology Practice Group of Halim Hong & Quek:

About the authors

Lo Khai Yi, Partner, Co-Head of Technology Practice Group (Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity), ky.lo@hhq.com.my

Ong Johnson, Partner, Head of Technology Practice Group (Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity), johnson.ong@hhq.com.my

Cyber Security Bill 2024 Decoded: 5 Key Insights for Strategic Compliance

In our increasingly interconnected world, cyber security threats pose a significant risk to national security. Malicious actors, ranging from state-sponsored hackers to cybercriminal organizations and terrorists, exploit vulnerabilities in critical infrastructure, government systems, and military networks to disrupt essential services and steal sensitive information. These cyberattacks not only disrupt businesses, financial institutions, and supply chains but also directly impact economic stability at both the national and global levels.

Therefore, in this article, our focus is on the Cyber Security Bill 2024. Rather than just providing a comprehensive summary, we aim to distill the essence into five key takeaways that every company and general counsel should be aware of.

1. The Objective and Current Status of the Cyber Security Bill 2024

The first takeaway revolves around grasping the core objectives and current status of the Cyber Security Bill 2024 ("Bill"). Essentially, the Bill is designed to establish a regulatory framework aimed at bolstering national cybersecurity. It introduces the notion of national critical information infrastructure, a concept we will delve into shortly, and also sets out provisions for licensing cyber security providers.

Notably, the Bill achieved a significant milestone when the upper house of Parliament (Dewan Negara) unanimously passed it after the third reading on 3 April 2024. Subsequently, upon receiving assent from the King (Yang di-Pertuan Agong), the law will come into effect upon publication in the Government Gazette. Given its potential impact, it is imperative for companies to proactively monitor these developments to ensure alignment with the forthcoming legislation, as failure to do so could expose companies to significant risks and liabilities.

2. Defining National Critical Information Infrastructure

The second significant takeaway in the Bill is the introduction of the concept of national critical information infrastructure (“NCII”). The Bill defines NCII as "computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defense, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the State Governments to carry out its functions effectively."

Notably, the Bill delineates 11 sectors encompassed within the NCII framework, which are as follows (“NCII Sectors”):

I. Banking and finance,
II. Transportation,
III. Government,
IV. Defense and national security,
V. Information, communication and digital,
VI. Healthcare services,
VII. Water, sewerage and waste management,
VIII. Energy,
IX. Agriculture and plantation,
X. Trade, industry and economy, and
XI. Science, technology and innovation.

3. The Designation of NCII Sector Leads and NCII Entities

The third point emphasizes the appointment of sector leads by the Minister for each of the 11 NCII Sectors (“NCII Sector Leads”). The names of the appointed sector leads will be publicly disclosed on the official website of the National Cyber Security Agency (“NCSA”). Subsequently, the NCII Sector Leads will develop specific codes of practice for their respective sectors and designate entities that own or operate NCII as national critical information infrastructure entities (“NCII Entities”).

Although the Bill does not explicitly define what constitutes "owning or operating NCII" for designation as NCII Entities, a literal interpretation suggests that companies meeting certain criteria may fall under this NCII Entities designation.
These criteria may include (i) companies with ownership, control or legal rights over NCII, including those with decision-making authority regarding the relevant NCII’s use, security protocols, data access, and terms of third-party usage; and (ii) companies involved in the day-to-day operation, management, maintenance, and security of NCII, including those with decision-making authority affecting the relevant NCII’s functionality, security, and integration with other networks.

Therefore, companies can conduct internal checks based on these criteria while awaiting official confirmation to avoid surprises upon designation as NCII Entities. By doing so, companies can better prepare internally and ensure readiness to comply with forthcoming legislation.

4. Regulatory Obligations of NCII Sector Leads and NCII Entities

The fourth point is of utmost importance, especially for companies within the NCII Sectors, as they may be designated as NCII Entities. Upon receiving this designation, NCII Entities are obligated to implement the measures, standards, and processes outlined in the code of practice as prepared by the NCII Sector Leads (“Code of Practice”).

However, it is conceivable that some NCII Entities may encounter challenges in strictly adhering to all specified measures within the Code of Practice due to various reasons. For instance, financial constraints could pose a significant hurdle for some NCII Entities as implementing these measures may demand substantial investments in advanced technological infrastructure, specialized software, or hardware upgrades. To address this challenge, the Bill allows NCII Entities to implement alternative measures, standards, and processes, subject to approval by the Chief Executive of the NCSA, provided they offer an equal or higher level of protection.
Given the flexibility within the regulatory framework to implement alternative measures instead of strictly complying with the Code of Practice, it is advisable for NCII Entities to collaborate with professional legal counsels well-versed in technology law to ensure that any proposed alternative measures undergo thorough scrutiny to meet the standards of applicable Codes of Practice. External legal professionals could also assist in presenting compelling arguments for the approval of alternative measures that not only satisfy the Chief Executive of the NCSA but also uphold the integrity and security of NCII operations.

Additionally, the Bill mandates NCII Entities to conduct cybersecurity risk assessments as per the Code of Practice and directives, along with performing audits to ensure compliance with the Cyber Security Act 2024.

It is crucial to highlight that in the event of a cybersecurity incident, the Bill also imposes a duty on the NCII Entities to notify both the Chief Executive of the NCSA and the respective NCII Sector Lead(s) (“Cyber Security Incident Notification”). Such Cyber Security Incident Notification is paramount for effective cyber security incident response. However, if the NCII Sector Lead(s) happens to be a competitor of the NCII Entities, significant legal concerns may potentially emerge, as sharing sensitive information with a competitor may raise apprehensions regarding data security, trust, and cooperation within the NCII Sector, potentially hindering timely and collaborative responses to incidents. It is notable that the Bill currently does not have explicit provisions addressing this issue; however, we trust that additional measures should be put in place by the NCII Sector Lead(s) and the Chief Executive of the NCSA to address this potential concern.
Considering the sensitive nature of such Cyber Security Incident Notification, where it may potentially involve the exposure and disclosure of proprietary or confidential information of NCII Entities to NCII Sector Leads, it is, therefore, advisable to engage lawyers to facilitate Cyber Security Incident Notification processes, ensuring that appropriate notifications are made while safeguarding sensitive, proprietary, and confidential information of the NCII Entities. External lawyers can also play a vital role in overseeing the notification process, providing legal guidance on compliance with regulatory requirements and contractual obligations, and ensuring that the interests of the NCII Entities are protected.

5. Licensing Regime for Cyber Security Service Providers

The fifth key takeaway in the Bill pertains to the licensing requirement for companies providing cyber security services. According to the Bill, no company shall offer any cyber security service or advertise itself as a cyber security service provider unless it holds a valid license to provide such services.

The definition and scope of cyber security services will be determined by the Minister, and this licensing requirement will definitely have a significant impact on companies operating in the cyber security sector. It also remains to be seen whether additional licensing terms will be imposed on cyber security service providers through the licensing regime.

It is crucial to underscore the profound impact that this new licensing requirement will have on all cyber security service providers, as any company providing cyber security services without a proper license is subject to severe penalties. Upon conviction, such a company may face a fine not exceeding RM500,000, imprisonment for a term not exceeding ten years, or both. This emphasizes the gravity with which the government views the regulation of cyber security services and highlights the importance of adhering to licensing requirements.
Conclusion

In conclusion, the Bill stands as a pivotal milestone in Malaysia's journey towards bolstering national cyber security. Its implications reverberate not only across critical infrastructure sectors but also through the intricate fabric of businesses operating within the cyber security landscape. As the regulatory landscape evolves, it becomes increasingly imperative for companies to navigate these complexities with precision and foresight.

The above five points highlight critical aspects of the Bill that companies should prioritize and understand thoroughly. Given the complex and evolving nature of cyber security, it is imperative that companies collaborate closely with legal professionals who possess a deep understanding of technology law.

With our unwavering commitment to excellence and a deep understanding of both legal intricacies and technological nuances, our team of seasoned legal professionals stands ready to guide your organization through the nuances of the Cyber Security Bill 2024. Let us empower your organization to thrive amidst evolving cyber security challenges, ensuring compliance while fortifying your resilience against emerging threats.

About the authors

Lo Khai Yi, Partner, Co-Head of Technology Practice Group (Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity), ky.lo@hhq.com.my

Ong Johnson, Partner, Head of Technology Practice Group (Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity), johnson.ong@hhq.com.my

(Section 35 of CIPAA 2012) Overview of Authorities on Conditional Payment

Introduction

The Construction Industry Payment and Adjudication Act 2012 (“CIPAA 2012”) was passed by the Malaysian Parliament in 2012 and CIPAA 2012 came into force on 15.4.2014. CIPAA 2012 was introduced to facilitate regular and timely payment in respect of construction contracts and to provide for speedy dispute resolution through adjudication. The primary objective of CIPAA 2012 is to address critical cash flow issues in the construction industry and to facilitate payments for those down the chain of construction contracts for work done or services rendered.

Section 35 of CIPAA 2012 – Prohibition of Conditional Payment

CIPAA 2012 introduced Section 35 which prohibits the practice of conditional payment terms that inhibit cash flow:

“35 Prohibition of conditional payment
1. Any conditional payment provision in a construction contract in relation to payment under the construction contract is void.
2. For the purposes of this section, it is a conditional payment provision when-
a) the obligation of one party to make payment is conditional upon that party having received payment from a third party; or
b) the obligation of one party to make payment is conditional upon the availability of funds or drawdown of financing facilities of that party.”

What constitutes a “conditional payment provision/ clause/ term”?

The High Court in the case of Econpile (M) Sdn Bhd v IRDK Ventures Sdn Bhd and another case [2017] 7 MLJ 732; [2016] 5 CLJ 882 enunciated that Parliament had left it to the Courts to determine on a case by case basis as to whether conditional payment provisions in a construction contract would defeat the intent and purpose of CIPAA 2012.

The High Court in the case of Terminal Perintis Sdn Bhd v. Tan Ngee Hong Construction Sdn Bhd [2017] MLJU 242; [2017] CLJU 177; [2017] 1 LNS 177 ruled that the question of whether a payment term in a construction contract constitutes a conditional payment clause under Section 35 of CIPAA 2012 is a mixed finding of fact and law and the Courts would not interfere in the adjudicator's interpretation.

Overview of Cases/ Authorities

(A) “Pay When Paid”/ “Pay If Paid”/ “Back to Back”

CIPAA 2012 expressly prohibits “pay when paid”/ “pay if paid” clauses which make the obligation of the main contractor to pay a subcontractor conditional upon the main contractor having received payment from the principal. Such contractual clauses are void and unenforceable pursuant to Section 35 of CIPAA 2012.

The High Court in the case of Khairi Consult Sdn Bhd v GJ Runding Sdn Bhd [2021] MLJU 694; [2021] CLJU 571; [2021] 1 LNS 57 held that a contractual provision which provided for the payment to be on “back to back” basis is void under Section 35 of CIPAA 2012. The Defendant in this case was the main consultant for a construction project. By way of a contract/ letter, the Defendant appointed the Plaintiff as a consultant to provide engineering consultancy services for the project. Clause 9 of the contract provides that:

“Payment shall be on a back to back basis i.e you [Plaintiff] shall be paid within 7 days upon [the Defendant's] received [sic] payment from the client.”

The High Court held that Clause 9 is void as it is a “conditional payment provision” within the meaning of Section 35 of CIPAA 2012. This is because the Defendant's payment to the Plaintiff is on a “back to back” basis i.e. the Defendant is only required to pay the Plaintiff when the Defendant has received payment from a third party (the employer/ client).
The High Court in the case of KS Swee Construction Sdn Bhd v BHF Multibina (M) Sdn Bhd [2019] MLJU 1508; [2019] CLJU 1849; [2019] 1 LNS 1849 held that a contractual provision which stipulated that payment to the subcontractor is “back to back” to the payment from the main contractor is a conditional payment under Section 35 of CIPAA 2012. The Plaintiff in this case was engaged by the Defendant to carry out construction works. Clause 7 of the contract provides that:

“Bayaran kemajuan kerja kepada Sub Kontraktor adalah secara timbal balik (back to back) dengan bayaran kemajuan daripada Kontraktor Utama” [in English: work progress payments to the Sub-Contractor shall be on a reciprocal (back to back) basis with the progress payments from the Main Contractor]

Therefore, the Plaintiff will only be paid on a “back to back” basis i.e. the Plaintiff's payment becomes due only when the Defendant receives payment from the main contractor. The High Court held that Clause 7 is a conditional payment within the confines of Section 35 of CIPAA 2012.

The High Court in the case of Sinwira Bina Sdn Bhd v Puteri Nusantara Sdn Bhd [2017] MLJU 1836; [2017] CLJU 1819; [2017] 1 LNS 1819 held that a “back to back” clause is a “conditional payment provision” provided under Section 35 of CIPAA 2012. The subcontract entered between the Plaintiff and Defendant in this case contained the following clause:

“The Sub-Contract Sum shall be paid to the Sub-Contractor on the basis of back-to-back payment, as and when received by the Contractor from the Client. Unless a special arrangement is made, the Employer shall not be liable to pay the Sub-Contractor in the event that no corresponding payment is paid by the Client.”

The High Court found the said clause to be a “conditional payment provision” as provided in Section 35 of CIPAA 2012 and is therefore void.
(B) Termination and Final Accounts

In the case of Maju Holdings Sdn Bhd v Spring Energy Sdn Bhd and other cases [2021] MLJU 541; [2021] CLJU 367; [2021] 1 LNS 367 the High Court held that the contractual clause in the subcontract which provided that payment to the subcontractor shall be withheld upon the termination of the subcontract until the final accounts have been determined is a conditional payment provision which runs afoul of Section 35 of CIPAA 2012.

The High Court in the case of Econpile (M) Sdn Bhd v IRDK Ventures Sdn Bhd and another case [2017] 7 MLJ 732; [2016] 5 CLJ 882 held that Clause 25.4(d) of the industry-based standard form PAM Contract 2006 is a conditional payment provision which is prohibited under Section 35 of CIPAA 2012. Clause 25.4(d) of the PAM Contract 2006 provides as follows:

“25.4(d) the Contractor shall allow or pay to the Employer all cost incurred to complete the Works including all loss and/or expense suffered by the Employer. Until after the completion of the Works under Clause 25.4(a), the Employer shall not be bound by any provision in the Contract to make any further payment to the Contractor, including payments which have been certified but not yet paid when the employment of the Contractor was determined. Upon completion of the Works, an account taking into consideration the value of works carried out by the Contractor and all cost incurred by the Employer to complete the Works including loss and/or expense suffered by the Employer shall be incorporated in a final account prepared in accordance with Clause 25.6.”

The High Court held that Clause 25.4(d) has the effect, upon the termination of the contract, of postponing payment due until the final accounts are concluded and the works completed. This clause defeats the purpose of the CIPAA 2012 and is thus void and unenforceable.
(C) “Pay If Certified”

The Court of Appeal in the case of Lion Pacific Sdn Bhd v Pestech Technology Sdn Bhd and another appeal [2022] 6 MLJ 967; [2022] 9 CLJ 488 clarified and ruled that “pay-if-certified” provisions cannot be construed as a conditional payment clause under Section 35 of CIPAA.

In 2013, the Government of Malaysia accepted a tender submitted by a consortium for a construction project. The appellant was appointed as a subcontractor for the system works package parcel for the project. The appellant then appointed the respondent as a subcontractor by way of a subcontract. The subcontract in this case contained a clause whereby certification by the Ministry of Transportation (“MOT”) is required prior to any payment to the respondent. Particularly, Clause 4.1 of the subcontract provides that:

“Verification and approval by ICC-MOT 15th - 24th every month. Payment to Sub-Contractor 40 days after certification by MOT”

The Court of Appeal held that the “pay-if-certified” provision in Clause 4.1 of the subcontract cannot be construed as a conditional payment clause under Section 35 of CIPAA 2012, as the mutual agreement of the parties was that the appellant's obligation to make payment would only arise upon certification of the works done by the MOT, failing which the works cannot be considered as having been carried out. Notwithstanding the objective of CIPAA 2012 to facilitate prompt payment, the contractual obligations of the parties expressly agreed upon cannot be disregarded. Whilst CIPAA 2012 was intended to alleviate cash flow problems of contractors and prohibited conditional payments, it was clearly not intended to replace the certification or valuation to assess the progress of works carried out by the relevant authority for payment to be effected.
About the authors

Rohan Arasoo Jeyabalah
Partner
Corporate Disputes, Employment & Industrial Relations
Harold & Lam Partnership
rohan@hlplawyers.com

Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my

Land Reference Proceedings: Written Opinions of Assessors Must Be Made Available to the Parties

Introduction

The Federal Court in the case of Tegas Sejati Sdn Bhd v Pentadbir Tanah dan Daerah Hulu Langat & Anor [2024] MLJU 416; [2024] CLJU 330; (Civil Appeal No.01(f)-46-11/2022(B)) held that the written opinions of assessors that assist the High Court Judge during land reference proceedings must be provided to the parties involved in the proceedings. The Federal Court in this case found that there was non-compliance of Section 40C of the Land Acquisition Act 1960 (Act 486) (“LAA 1960”) as the written opinions of the assessors were never made available to the parties. The Federal Court ruled the non-compliance to be serious warranting appellate intervention and ordered the matter to be remitted to the High Court for a rehearing.

Background Facts

In 1987, the Appellant, Tegas Sejati Sdn Bhd (“TSSB”) entered into a joint venture agreement with Perbadanan Setiausaha Kerajaan Selangor (“PSKS”) to develop several lots of land located at Section 15, Daerah Hulu Langat in the State of Selangor. PSKS is the registered proprietor of the lands. Pursuant to the joint venture agreement, PSKS relinquished its rights to the land to TSSB.

Several lots of the land were acquired by the State Government for the purpose of the project known as “Projek Lebuhraya Bertingkat Sungai Besi – Ulu Kelang” (SUKE Expressway). The 2nd Respondent, Lembaga Lebuhraya Malaysia (“LLM”) was the paymaster for this acquisition. After the enquiry held on 16.5.2027, the 1st Respondent, the Land Administrator handed down an award for compensation on 16.5.2017. The award was objected to by both LLM and TSSB.

Land Reference Proceedings (High Court)

Both LLM and TSSB filed their objections via Form N, culminating in two land reference proceedings before the High Court. Both land reference proceedings were consolidated and heard together. On 22.9.2020, TSSB applied to strike out the LLM’s land reference proceedings.
TSSB’s application was heard together with the merits of the land reference proceedings with the assistance of two assessors. On 14.2.2020, the High Court dismissed TSSB’s striking out application. The High Court also dismissed TSSB’s land reference and allowed LLM’s land reference. TSSB appealed against the decision of the High Court to the Court of Appeal. On 4.10.2022, the Court of Appeal dismissed TSSB’s appeal and allowed LLM’s cross-appeal.

Questions/ Issues Before The Federal Court

TSSB appealed to the Federal Court. The Federal Court heard submissions from the parties on 18.8.2023. However, the proceedings were adjourned to ascertain whether there was compliance of Section 40C of the LAA 1960. Section 40C of the LAA 1960 provides that:

“40C. Opinion of assessors
The opinion of each assessor on the various heads of compensation claimed by all persons interested shall be given in writing and shall be recorded by the Judge.”

The Federal Court registry requested from the registry of the High Court for a sight of the written opinion of the assessors involved in the land reference proceedings in the High Court. Upon obtaining the written opinions, the Federal Court registry sent them to the parties.

One of the main issues before the Federal Court in this case is whether the written opinions of the assessors, which are to be recorded by the judge hearing a land reference, are necessarily for the eyes of the judges of the High Court, Court of Appeal and Federal Court only, and not the parties.

Grounds Of Judgment Of The Federal Court

1. Role of Assessors in Land Reference Proceedings

Section 40A (2) of LAA 1960 provides that for land reference proceedings concerning an objection over the adequacy of compensation, the Court shall appoint two assessors for the purpose of aiding the Court in determining the objection and in arriving at a fair and reasonable amount of compensation.
The two assessors will sit with the High Court Judge in hearing the objections over the amount of compensation. The written opinions of the assessors are intended to assist the Court in arriving at a decision on the amount of compensation. These written opinions form and must be part of the records of the land reference proceedings.

2. Adequacy of Compensation

Article 13(2) of the Federal Constitution provides that “no law shall provide for compulsory acquisition or use of property without adequate compensation”. In the interpretation and construction of Section 40C of LAA 1960, the Courts must give real meaning and adopt a construction which preserves the rights enshrined under Article 13(2) of the Federal Constitution.

Although Section 40C does not explain in detail how the written opinions of the two assessors are to be handled, it cannot be denied that the written opinions form part of the proceedings. The High Court in assessing the complaint of adequacy of compensation is bound to balance competing interests of TSSB, the landowner and LLM, the acquiring authority or paying master. Therefore, it is necessary that all relevant material is placed before the Court for that assessment and determination. If these written opinions of the assessors are not made available, the question of adequacy of compensation cannot be properly addressed, which would be contrary to the right enshrined in Article 13(2) of the Federal Constitution.

3. Availability of the Written Opinions

The question of adequacy of compensation can only be properly determined if all the parties concerned have had the opportunity to address the reasons, factors or circumstances which are relevant and necessary when computing or calculating that compensation. Therefore, the written opinions of the assessors who assisted the High Court Judge in determining there is adequate compensation must be made known to the landowners and those affected by the compulsory acquisition.
The obligation to make known the reasons or factors extends to everyone who has any role to play in that decision, be it the judge or the assessors. Land reference proceedings are open Court proceedings and it is integral to the rule of law that there is transparency and fairness not just in the conduct of those proceedings but in the manner any evidence, including opinion evidence is received and treated by the Court. Once available, the written opinions of the assessors must be provided to the parties.

The Federal Court found that there was non-compliance of Section 40C in this case as the written opinions of the assessors were never made available to the parties or even called for by the Court of Appeal. The Federal Court set aside the orders of the High Court and Court of Appeal and ordered the matter to be remitted to the High Court for a rehearing before another judge.

About the author

Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my

Stranded in Strata: How Unpaid Maintenance Fees Impact Tenants under the Strata Management Act 2013 (SMA)

What are Maintenance Fees and Sinking Fund?

Under the Strata Management Act 2013 (SMA), the management body of a condominium needs to provide proper maintenance and management for the buildings and common property, as well as other related matters. To achieve this, each condominium unit owner will need to pay fees to these management bodies. Section 25 (1) of the Strata Management Act 2013 states that:

“Each purchaser shall pay the Charges, and contribution to the sinking fund, in respect of his parcel to the joint management body for the maintenance and management of the buildings or lands intended for subdivisions into parcels and the common property in a development area.”

Service charges are the monthly payments of ongoing maintenance fees for keeping the common facilities and common property. They include swimming pools, service lifts, lighting, air conditioning, cleaning and landscaping services, security services, etc.

Meanwhile, the sinking fund is maintained in a separate account from maintenance fees. Typically, it is calculated as 10% of the maintenance fee and is allocated for anticipated future expenses, such as extensive repairs or significant improvements to the property. These funds serve as a reserve for emergencies as well as for major works like repainting the exterior of the building or repairing the damage caused by flood.

What are the consequences if the owners fail to make any payment charged by the Management Body including the Charges and Contribution to Sinking Fund?

Failure to settle the outstanding sum due and payable to the management body after 14 days from the date of receiving the notice requesting said outstanding sum from the management body will give the management body the right:-

i. to charge an interest on outstanding sum;
ii. to include the owner’s name, parcel and total outstanding amount in a defaulters' list and display the said list on the notice board;
iii. to deactivate any electromagnetic access card, tag or transponder;
iv. to stop you and/or your occupier(s)/visitor(s) from using any common facilities or common services; and
v. to take action against you before the court or Strata Management Tribunal.

But the one who defaulted is my landlord. I’m just the tenant. Will I also be affected?

The Third Schedule of Strata Management (Maintenance and Management) Regulations 2015, specifically regulation 6, outlines the definition of a defaulter and the potential consequences that may ensue.

a. a defaulter is a proprietor who has not fully paid the Charges or contribution to the sinking fund in respect of his parcel or any other money imposed by or due and payable to the management corporation under the Act at the expiry of the period of fourteen days of receiving a notice from the management corporation; and
b. any restriction or action imposed against a defaulter shall include his family or any chargee, assignee, successor-in-title, lessee, tenant or occupier of his parcel.

Regulation 6 clearly specifies that the defaulter may be subject to restrictions or legal action, including ‘his family, chargee, assignee, successor-in-title, lessee, tenant or occupier of his parcel’. Therefore, it is clear that if your landlord fails to pay the maintenance costs, the management body may take specific measures against you as a tenant. Nevertheless, even though they have the right to deactivate your access card, as a tenant, you cannot be prevented from entering your unit.

Conclusion

In conclusion, residing (be it owning or renting) in a strata property such as a condominium entails being part of a community. It comes with its own set of rights and responsibilities that every landlord and tenant should understand. The payment of maintenance fees is crucial to maintaining harmony and ensuring the upkeep of the property.
As a tenant, it's imperative to remain vigilant, inquire about the tenancy agreement and determine whether your landlord has fulfilled their obligation to pay these fees, thereby avoiding potential hassles down the line.

About the author

Nur Anis Amani binti Mohd Razali
Associate
Real Estate
Halim Hong & Quek
nur.anis@hhq.com.my

Updated Financial Technology Regulatory Sandbox Framework Enhancements Introduced to Increase Accessibility

Bank Negara Malaysia (“BNM”) has on 29 February 2024 issued a new Policy Document (“PD”) on Financial Technology Regulatory Sandbox Framework (the “Framework”) to replace the earlier version that was issued back in 2016. The new PD came into force on the date of its issuance, and it seeks to enhance the Framework so as to ensure proportionate regulatory facilitation and improve the operational efficiency of the existing sandbox procedures. This article attempts to provide a brief outline of the Framework and the enhancements introduced by the PD.

Financial Technology Regulatory Sandbox

As most would no doubt agree, the financial services industry is one of the most regulated industries anywhere in the world. This is hardly surprising given the importance of stability in the money market. That being said, it is also equally important for the financial services industry to keep pace with the development of technology to ensure innovation and service improvement. Due to its disruptive nature, financial technology (“Fintech”) providers often find themselves facing difficulties in the deployment of their solutions, owing to potentially archaic or non-accommodative regulatory frameworks.

The Fintech regulatory sandbox (“Sandbox”) established under the Framework is an attempt by BNM to address this pain point. The purpose of the Sandbox is essentially to allow Fintech solutions providers to have temporary rights to deploy and operate their solutions in a live environment, with more “relaxed” regulatory treatment. Participants in the Sandbox would have identified a series of regulatory requirements that they are unable to meet due to the nature of their solutions or business model, and exemptions would be granted to them for a limited duration from having to comply with these regulatory impediments. Upon the expiry of the “playtime”, BNM will then make an assessment as to whether a Sandbox participant should be allowed continued operation of its solution.
Enhancements to the Fintech Regulatory Sandbox Framework

The PD introduces two (2) enhancements to the Framework:

i. A fast-track application and Fintech solutions testing approval process called the “Green Lane”; and
ii. A simplified process to assess the eligibility of an applicant to participate in the “Standard Sandbox”.

We will provide a summary of each of the enhancements in turn below.

1. Green Lane

The Green Lane is a fast-track approval process set up especially for financial institutions (“FIs”) only. FIs with proven track records in strong risk management, compliance and governance can utilise the Green Lane to shorten the time required to obtain approval to test their Fintech solutions in the Sandbox.

Interested and eligible FIs can make an application to participate in the Sandbox through the Green Lane by demonstrating their past records in risk management, compliance and governance. Once BNM is satisfied of an FI’s track record in risk management, compliance and governance, a Green Lane approval will be issued. Thereafter, the FI will only have to register its Fintech solutions with BNM for testing in the Sandbox, at least 15 days prior to the intended testing commencement date. An FI with Green Lane qualification can register multiple Fintech solutions for testing over the subsistence of its Green Lane qualification, and there is no need for the FI to make a fresh Green Lane application each time.

Overall, the Green Lane is a new path to Fintech solution testing in the Sandbox that is much simpler than the Standard Sandbox process (which we will get to in the next section). The Green Lane affords FIs a faster process to test their Fintech solutions in the Sandbox, subject to the FIs first proving their eligibility to be in the Green Lane.
Notwithstanding the easier access to the Sandbox however, the FIs in the Green Lane will still have to adhere to certain parameters and safeguards prescribed under the PD, primarily for customer protections, and BNM still reserves the right to revoke an FI’s Green Lane qualification or reject the registration of Fintech solutions to be tested, particularly where adverse developments have been observed during the testing of Fintech solutions.

Fintech companies or non-FIs can make use of the Green Lane by collaborating with FIs (e.g., outsourcing of Fintech solutions to FIs, equity participation, joint venture, etc.), subject however to the discretion of BNM.

2. Simplified Eligibility Assessment for the Standard Sandbox

The Standard Sandbox entails a 2-tiered assessment process. In the first stage, applicants are first assessed on whether they are eligible to take part in the Standard Sandbox. Once the first stage has been passed, the applicants are then assessed on their readiness or preparedness in satisfying BNM’s considerations to test the Fintech solutions.

Under the new PD, the stage 1 assessment is simplified to the extent that an applicant will only have to demonstrate (amongst others) its ability to identify and mitigate risks associated with the Fintech solution testing, and a semi-functional prototype of the Fintech solution within 3 months from the date of application for participation in the Standard Sandbox. This is a much-welcomed change from the regulator’s past approach of requiring an applicant to have a ready product before making any application to participate in the Sandbox. Now, an applicant will only be required to come up with a fully functional prototype during the second stage of the assessment process, allowing greater flexibility to the applicant.

The effort of BNM in ensuring the regulatory framework keeps pace with technology evolution certainly deserves applause.
The enhancements to the Framework brought by the new PD effectively make the Sandbox more accessible to innovators and Fintech solutions providers. This should drive innovations and hopefully boost investment into the Fintech sector in Malaysia, giving Malaysians better financial services experience enhanced by technology, as well as extending the reach of financial services to the financially underserved.

About the author

Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Ong Johnson
Partner, Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
Halim Hong & Quek
johnson.ong@hhq.com.my

Pembinaan Federal Sdn Bhd v Biaxis (M) Sdn Bhd (Case No. BA-12AC-3-07/2023)

In the recent High Court decision of Pembinaan Federal Sdn Bhd v Biaxis (M) Sdn Bhd, the High Court of Malaysia examined, amongst others, whether a liquidator of a wound-up company is bound by any arbitration agreement which was not entered by the liquidator, but the wound-up company prior to liquidation.

Brief Background Facts

Pembinaan Federal Sdn Bhd, the Appellant, and Biaxis (M) Sdn Bhd, the Respondent, had entered into the following two (2) contracts on a development (phase 2A and 2B) on a piece of land in Mukim Petaling for Messrs Masteron Sdn Bhd:-

i. Piling Contract; and
ii. Pile caps and Basement 2 Slab Contract

(hereinafter referred as “the Contracts”)

Pursuant to clause 3 of the Contracts, the parties had agreed to enter into a contract based on the Agreement and Conditions of PAM Contract 2006 (“PAM Contract”).

The Respondent was wound up on 20.4.2022 by the Penang High Court and consequentially, one Dato’ Dr. Shanmughanathan a/l Vellanthurai was appointed as the Liquidator (“Liquidator”). The Liquidator had discovered that there was a sum of RM703,640.97 which was due and unpaid by the Appellant to the Respondent under the Project (“Outstanding Sum”). Therefore on 2.3.2023, the Respondent (the Liquidator initiated an action in the name of the Respondent) commenced a suit against the Appellant at the Sessions Court, claiming for said Outstanding Sum.

On 19.4.2023, the Appellant filed an application for a Stay of Proceedings pursuant to Section 10 of the Arbitration Act 2005, for which the Sessions Court Judge had dismissed the Appellant’s application with cost of RM 2,000.00 to be paid by the Appellant to the Respondent. Being unsatisfied with the decision of the Sessions Court, the Appellant had filed an appeal to the High Court against said decision.

Findings of the High Court

The issues to be considered by the High Court are as below:

i. Whether the Liquidator is a party to the arbitration agreement entered between the parties (“Arbitration Agreement”);
ii. Whether the Arbitration Agreement is inoperative;
iii. Whether the nature of arbitral proceedings is contrary to the purpose of insolvency law; and
iv. Whether there is any dispute between the parties which warrants an arbitral proceeding to be commenced pursuant to the Contracts.

Whether the Liquidator is a party to the Arbitration Agreement entered between the parties

On this issue, it was held by the High Court that:

i. It is not disputed by the parties that there is an Arbitration Clause in the PAM Contract entered between the Respondent and the Appellant. Therefore, whether there is a valid and enforceable Arbitration Agreement pursuant to Section 9 of the Arbitration Act, the answer is in the affirmative;
ii. As the Respondent has been wound up, the Liquidator appointed steps into the Respondent’s shoes in dealing with matters related to the wound-up company. These powers are conferred to the Liquidator pursuant to Section 486 of the Companies Act 2016;
iii. There is nowhere in the Companies Act 2016 which requires for there to be a separate agreement duly signed by the Liquidator in order for him to be bound to the terms and conditions of the original contract. Therefore, since the cause of action arose from the Contracts, the parties including the Liquidator are subjected to the terms and conditions of the Contracts and the Arbitration Agreement;
iv. It cannot be agreed that the Arbitration Act 2005 is irrelevant to the Liquidator. Therefore, even if the Liquidator is not directly named in the Arbitration Agreement, by virtue of the Liquidator having stepped into the shoes of the Respondent, he becomes a party to it.
Whether the Arbitration Agreement is inoperative

Section 10 of the Arbitration Act states as follows:

“(1) A court before which proceedings are brought in respect of a matter which is the subject of an arbitration agreement shall, where a party makes an application before taking any other steps in the proceedings, stay those proceedings and refer the parties to arbitration unless it finds that the agreement is null and void, inoperative or incapable of being performed.”

The High Court in this case, having adopted the definition of “inoperative” in the case of Peace River Hydro Partners v Petrowest Corp [2022] SCJ No. 41, held that:

i. the Arbitration Agreement between the Respondent and the Appellant is inoperative because the Respondent has been wound up and as such, is subject to insolvency protection;
ii. since it is found that the Arbitration Agreement is inoperative, it is not necessary to determine whether the Arbitration Agreement is null and void, or whether it is incapable of being performed; and
iii. Therefore, Section 10(1) of the Arbitration Act 2005 cannot be invoked against the Respondent by the Appellant. It can also be concluded that the Plaintiff is subjected to the relevant insolvency proceedings having established that the Arbitration Agreement is inoperative against the Respondent.

Whether the nature of arbitral proceedings is contrary to the purpose of insolvency law/ Whether there is any dispute between the parties which warrants an arbitral proceeding to be commenced pursuant to the Contracts

On whether the nature of arbitral proceedings is contrary to the purpose of insolvency law, it was held by the High Court that:

i. Arbitration proceedings generally involve higher cost and delay in time;
ii. Considering the Liquidator’s primary function is to manage the wound-up company’s assets and liabilities, an increase in cost and delay would certainly be detrimental to the interest of the creditors and the shareholder of the wound-up company.
On whether there is any dispute between the parties which warrants an arbitral proceeding to be commenced pursuant to the Contracts, it was held by the High Court that based on the given facts, the Respondent’s claim sum is based on an undisputed sum which had been certified. In the absence of any dispute, the arbitration clause cannot be invoked and as such, the Respondent had the power to commence a court action against the Appellant pursuant to Section 486 of the Companies Act 2016. Based on the reasons above, the High Court had dismissed the Appellant’s Appeal. COMMENT It is interesting to note that whilst the High Court has decided that the Liquidator is essentially a party to the Arbitration Agreement entered between the parties, the Arbitration Agreement is nonetheless inoperative in view that one of the parties in the Arbitration Agreement has been wound up. This raises the question of whether all ongoing arbitration proceedings will automatically be deemed as “inoperative” the moment any of the parties in the arbitration proceeding is wound up. As at the date of this article, we understand that the Appellant, being unsatisfied with the decision of the High Court, had filed an appeal to the Court of Appeal. About the author Ooi Hui YingSenior AssociateArbitration, Construction & Engineering DisputesHarold & Lam Partnershiphuiying@hlplawyers.com More of our articles that you should read: Compulsory Acquisition: Landowners Are Not Entitled To Compensation For Illegally Constructed Buildings CASE SUMMARY: CAUSE OF ACTION (CLAUSES IN THE CONTRACT) MUST BE SPECIFICALLY STATED IN THE PAYMENT CLAIM “Garnishee Order to Show Cause” Does Not Affect / Freeze Monies Paid After Service of Order

Security Issues in the Secondary Market

What is Secondary Market

The secondary market refers to a financial market where investors trade previously issued financial instruments and securities after a company has made an initial public offering of its securities on the primary market. It is a market where securities that were previously sold in the primary market are traded among investors rather than being sold directly by the issuing company. The secondary market facilitates liquidity for investors, allowing them to sell their securities readily and expeditiously should the need arise to access funds. As such, the terms ‘secondary market’ and ‘stock market’ or ‘stock exchange’ are used interchangeably.

Capital Raising Securities

Upon successfully floating its securities through a primary market transaction and securing a listing of its securities on Bursa Malaysia, a diverse array of alternative capital-raising opportunities emerges. These avenues allow the company’s shareholders and the market at large to be approached for additional issuances of equity and debt securities.

Modes of Issuing Securities

Listed companies have at their disposal a range of methods to issue additional securities. While some of these issues may be aimed at raising equity capital to facilitate business expansion or diversification, others serve different purposes. The following are brief discussions of some of these modes of issuing securities on the secondary market.

Public Issue

A public issue represents the issuance of new shares available for public sale at a price agreed by the issuer and its Principal Adviser.

Rights Issue

The issuance of new shares to existing shareholders for cash, typically at an advantageous price (discounted from the current pre-announcement market price), constitutes a rights issue. It is a requirement that a rights issue is renounceable, allowing shareholders to either subscribe to the new shares or sell their rights, in whole or in part, to a third party on Bursa Malaysia. Additionally, any rights issues without irrevocable written undertakings from shareholders to subscribe to their full entitlement must be underwritten.

Private Placement

A private placement involves the issuance of securities that are not available to the general public but are instead offered to independent parties who are not under the control or influence of the issuer’s directors or substantial shareholders. The pricing of these securities is typically based on the weighted average market price of the shares over the preceding five days before the placement takes place.

Issues for Acquisitions, Take-overs, Mergers

The issuance of shares for acquisitions, take-overs or mergers of another company involves offering shares to acquire assets or capital from the other entity. This process may lead to dilution of existing shareholders’ holdings, prompting the listed issuer to negotiate for the highest possible value for their shares to mitigate the dilution impact.

Issue of Shares from Conversion of Warrants and Convertibles

This is an additional issue of shares to holders of other classes of securities (such as warrants and convertible securities) upon exercise or conversion of securities held. When they are issued, warrants are usually bundled together with debt securities (particularly bonds). The holder of a warrant has the right to purchase a proportional quantity of shares from the issuing company at a pre-established price during a specified timeframe. Convertible securities, on the other hand, are a form of deferred equity. The company can secure funds upon issuance, while the holder of convertible loans has the option to convert them into company shares at a predetermined price within a specified timeframe. Warrants and convertible securities are commonly issued by companies undertaking projects with extended development periods. The issuance is strategically timed so that the expiration of warrants or convertible securities, which results in the issuance of additional company shares, aligns with the period when potential earnings from the projects begin to materialize. As a result, the subsequent issuance of shares is anticipated to be strengthened by the increased earnings of the company.

Issue of shares from ESOS

Certain companies offer an Employee Share Option Scheme (ESOS) to their staff, aiming to, amongst other things, foster allegiance and loyalty to the organization. This grants employees the opportunity to acquire a specified quantity of company shares within a timeframe, up to a maximum of 10 years, at a predetermined exercise price.

Bonus Issue

This is an offer given to the existing shareholders of the company to subscribe for additional shares at zero cost in a specified proportion to the shares that they already hold. A bonus issue does not involve any cash outflow, rather only book entries in the accounts of the company for the transfer of the company’s retained profits or reserves available to the share capital account to pay up the bonus shares which are to be distributed to the shareholders. Thus, there are no changes to the worth of the company.

Legal dimensions, their Objectives, and Safeguarding Investors

The legal dimensions pertaining to securities issuance in the secondary market in Malaysia encompass a diverse array of regulations and factors, all directed towards the objectives of fostering transparency, equity, and safeguarding the interests of investors. Essential legal facets governing this area are discussed below.

Regulatory Framework

Securities issuance within the secondary market is governed by an extensive regulatory framework established by authorities such as the Securities Commission Malaysia (SC) and Bursa Malaysia. These regulations outline the requirements and processes on the issuance, trading and listing of securities on the secondary market. Chapter 6 of Bursa Malaysia’s Listing Requirements sets out the requirements that must be complied with by the company for any new issue of securities. Companies seeking to issue new securities are required to submit to Bursa Malaysia an application for the listing of and quotation of the new shares to be issued as well as seek their shareholders’ approval prior to such issuance of securities and adhere to the specific requirements as set out in Chapter 6 of the Listing Requirements.

Disclosure Obligations

Issuers of securities on the secondary market are typically mandated to furnish exhaustive and precise information to investors. This entails providing, inter alia, financial statements, reports, prospectuses, information memorandums and other pertinent disclosures to enable investors to make informed investment decisions. Chapter 9 of the Listing Requirements mandates that an immediate announcement be made to Bursa Malaysia for any proposed issue or offer of securities, and such announcement must contain all information as set out in Part A of Appendix 6A of the Listing Requirements.

Prevention of Insider Trading and Market Manipulation

Legislative and regulatory provisions are in place to prohibit insider trading and market manipulation, safeguarding against the unauthorized exploitation of confidential information or the manipulation of security prices for personal gain. These measures are implemented to maintain market integrity and ensure fair treatment of all investors. Insider trading happens when an individual holds confidential information that, if disclosed, would significantly impact the price or value of the company’s securities, and then engages in trading or transactions involving those securities. According to the Capital Markets Act 2007, insider trading constitutes a criminal offence. If convicted under sections 188(2) or (3), the perpetrator faces a minimum fine of RM1,000,000 and a maximum prison sentence of 10 years.

Corporate Governance Standards

Malaysia has made significant strides in enhancing corporate governance practices with the aim of promoting transparency, accountability and ethical behavior. The Malaysian Code on Corporate Governance (MCCG) sets out principles and best practices to guide companies in improving their corporate governance standards. It covers areas such as board composition, responsibilities of the board and management, risk management and disclosure practices. Regulatory authorities actively monitor and enforce compliance with such corporate governance regulations, with penalties and sanctions in place on companies and individuals found to be in violation of these regulations.

Enforcement Mechanisms and Penalties

Entities such as SC and Bursa Malaysia possess authority to enforce securities laws and regulations, enabling them to investigate and impose penalties for any breaches. Violations may lead to consequences such as fines, sanctions and legal actions to ensure the integrity of the marketplace and, in turn, that it reflects genuine market supply and demand. Authorities are equipped with numerous enforcement actions against violations of regulations concerning market misconduct and abusive trading practices. These actions are taken in response to activities that lead to false or misleading appearances of active trading or manipulate the prices or markets for securities and derivatives. The type of penalty imposed is determined on a case-by-case basis depending on considerations such as the severity of the misconduct or breach, its duration and frequency, its impact on the public or market, any ill-gotten gains and whether the actions were intentional or reckless. Violations that significantly impact the market, causing harm and disrupting its orderly operation, are subject to a more severe penalty.

In a Nutshell

The legal framework governing securities issuance in the secondary market is comprehensive and meticulously crafted to address various aspects of market operation and investor protection. The regulations are designed to instill confidence among investors by setting clear guidelines and standards to provide the necessary assurance that their investments are being conducted in a transparent and regulated environment. Preservation of market integrity is also a key focus of the regulatory framework. Market integrity ensures that transactions are conducted fairly and that prices reflect supply and demand dynamics. Regulations against market manipulation and insider trading help maintain a level playing field for all participants. The regulatory framework also aims to facilitate the efficient operation of capital markets. By establishing rules for timely and accurate disclosure of information and standards for corporate governance and market conduct, the framework ensures that capital flows smoothly and efficiently between investors and companies. Overall, the legal intricacies governing securities issuance in Malaysia’s secondary market are essential for fostering investor confidence, preserving market integrity, and ensuring the efficient operation of capital markets. Compliance is crucial for all stakeholders to uphold the integrity of the securities market and contribute to its long-term sustainability.

About the author
Laurel Lim Mei Ying
Associate
Corporate & Commercial
Halim Hong & Quek
laurel.lim@hhq.com.my

Private Hospitals to pay for their Doctor’s Negligence

Non-delegable duty of care

1. The claim in this case is based on the tort of negligence. The law of tort is based on a fault-based system where it imposes liability on the wrongdoer, also known as the tortfeasor. Ordinarily, the law does not hold one accountable for the actions or inactions of another.

2. Conversely, a non-delegable duty of care is where the usual principle is displaced under certain circumstances. While a party can generally assign its responsibilities to an independent third-party contractor, the principle of non-delegable duty of care arises in situations where such duty cannot be delegated away, even if the duty is performed by an independent contractor.

Brief facts

3. The Appellant patient underwent a series of medical procedures including tonsillectomy, palatal stiffening and endoscopic sinus surgery at the Subang Jaya Medical Centre (‘SJMC’) on 10.3.2010. At about 3.30 a.m. on 22.3.2010, the Appellant experienced bleeding at the operation site and was brought to the emergency department of Columbia Asia Hospital (Puchong), the Respondent.

4. He was attended to by a medical officer and later by a Consultant Ear, Nose, and Throat surgeon (“Dr. M”), and a Consultant Anaesthetist (“Dr. N”).

5. Complications arose before the surgery began. In the airlock area outside the operating theatre, the Appellant started vomiting a copious amount of blood and there was profuse bleeding leading to the Appellant’s collapse and the subsequent emergency resuscitation.

6. The intended surgery was performed. Unfortunately, the Appellant suffered hypoxic brain damage. After surgery, the Appellant was admitted to the intensive care unit of the Respondent for continued post-surgical care and management, and was later transferred out to SJMC on 28.3.2010.

7. The Appellant is now permanently mentally and physically disabled due to massive cerebral hypoxia. Through his wife, the Appellant initiated a suit against Dr. M, Dr. N and the Respondent hospital at the High Court for negligence and breach of duties under the Private Healthcare Facilities and Services Act 1998 (‘Act’).

8. The Appellant alleged that the Respondent is vicariously liable for the negligence of Dr. M and Dr. N, and is also directly liable for breach of its non-delegable duty of care.

9. In response, the Respondent asserted that its responsibility was merely to ensure the provision of facilities and medical equipment, including nursing staff. The 2 medical practitioners carried out their respective medical practice at the Respondent hospital as independent contractors under contracts for services. As such, all diagnosis, medical advice including material risks and known complications, medical treatments, operations and referrals are the doctors’ own responsibilities.

High Court and Court of Appeal

10. Both the High Court and Court of Appeal found that only Dr. N was liable for negligence due to her conduct falling below the standard of skill and care expected from an ordinary competent doctor professing the relevant specialist skills based on which she was entrusted to treat the Appellant.

11. On the issue of vicarious liability and direct non-delegable duty of care, the court found that Dr. M and Dr. N were carrying out their practice at all material times in the hospital not as employees, servants or agents of the Respondent but as independent contractors. Hence, the Respondent is not liable for the negligence of Dr. N.

12. The High Court awarded damages of approximately RM1.9 million to the Appellant. The Court of Appeal later increased the damages to approximately RM2.1 million to the Appellant.

13. Both the Appellant and Dr. N appealed. The Court of Appeal dismissed the appeal against the Respondent hospital. Dr. N’s appeal was also dismissed.

Analysis and findings of the Federal Court

14. The appeal filed by the Appellant at the Federal Court is in respect of the Respondent only.

15. A total of 7 questions were posed to the court and as summarised by the majority of the Federal Court Judges, the focus of the appeal was whether the hospital owes an independent duty of care which is non-delegable, regardless of whom it may have delegated that duty to, irrespective of who may have performed the act or omission complained of, whether under a contract for service or due to the patient’s own choice.

16. It was emphasised by the court that the principle of non-delegable duty of care becomes relevant only if the presence of negligence is shown in the first place. Here, the High Court and the Court of Appeal had held Dr. N to be negligent.

17. In affirming that the principle of non-delegable duty of care applies to the present appeal, the Federal Court adopted and refined the five features laid down by Lord Sumption in the English case of Woodland v Swimming Teachers Association & Others [2014] AC 537. The court held:-

a. Firstly, the Appellant is in a vulnerable position and is totally reliant on the Respondent for its care and treatment, more so when the Appellant was admitted to its emergency services.

b. Secondly, the existence of an antecedent relationship is affirmed by the assumption of positive duties by the Respondent in ensuring that reasonable care is taken to persons who knock on its door and seek treatment and care. Echoing its judgment in Dr Kok Choong Seng & Anor v Soo Cheng Lin & Another Appeal [2018] 1 MLJ 685, the court emphasised that the Act and the related regulations clearly envisage that a private hospital is and remains responsible for not just the efficacy of premises or facilities, but also for the treatment and care of patients, regardless of how and who the responsibility may have been delegated to. Furthermore, the hospital held itself out as a one-stop-centre for all treatments and procedures on its website.
Unlike the English case of Woodland which applied a further consideration as to ‘whether it is fair, just and reasonable to impose the non-delegable duty of care’ in addition to the five features, our Federal Court held that such elements of fair, just and reasonable had already been considered and embedded in the Act and its related regulations. Hence, there is no need for a separate exercise of consideration.

c. Fourthly, the Appellant had no control over how the Respondent was to perform its function rendering emergency care and treatment.

d. Fifthly, Dr. N was undeniably negligent in the performance of the very function of rendering proper emergency care and treatment of the Appellant that was assumed by the Respondent but which was delegated by the Respondent to her.

18. In short, the Federal Court held that private hospitals cannot put the blame on their doctors in the name of contracts. They have a duty of care which cannot be delegated. The Federal Court allowed the Appellant’s appeal against the Respondent, and increased the damages to RM4.5 million.

Conclusion

The Federal Court ruling would have an impact on the private hospitals and doctors in Malaysia in the following ways:-

a. The indemnity clause within consultant agreements between private hospitals and their doctors may now seem to be redundant.

b. Private hospitals would now be the ultimate paymaster for their consultants’ negligence.

c. It is essential for private hospitals to reassess their insurance coverage and implement systems and procedures to prevent medical errors.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the Authors
Chan Jia Ying
Senior Associate
Dispute Resolution
Harold & Lam Partnership
jiaying@hlplawyers.com

Damia Amani
Legal Executive
Dispute Resolution
Harold & Lam Partnership
damia@hlplawyers.com

Credit Reporting Agencies Are Not Authorised to Formulate Their Own Credit Score

On 7.3.2024, the Kuala Lumpur High Court in the case of Suriati binti Mohd Yusof v CTOS Data Systems Sdn Bhd [2024] MLJU 437; CLJU 440; (Civil Suit No. WA-23NCvC-8-01/2020) ruled that credit reporting agencies are not empowered to formulate a credit score or create their own criteria/percentage to formulate a credit score. The High Court found that the credit reporting agency in this case provided inaccurate/false credit information and awarded a sum of RM200,000 as general damages to the person to whom the credit information related.

Background Facts

The Plaintiff, Suriati Binti Mohd Yusof, is the director and shareholder of a resort situated in Terengganu. The Defendant, CTOS Data Systems Sdn Bhd, is a credit reporting agency registered under the Credit Reporting Agencies Act 2010 (Act 710) (“CRAA 2010”). The Defendant is responsible for collating credit reports from various sources for the purpose of disseminating the information to its subscribers. On or around May 2019, the Plaintiff discovered that her loan application for a car was rejected due to a negative report from the Defendant. The Plaintiff further discovered that the data collated and kept by the Defendant was inaccurate and false, which led to her negative credit rating. The Defendant also gave the Plaintiff a low credit score leading to loss of confidence from financial institutions. The Plaintiff filed a civil suit in the High Court against the Defendant to claim for damages suffered as a result of the Defendant’s negligence and breach of fiduciary duty in misrepresenting her credit rating leading to a loss of reputation, personal losses as well as business losses. The Plaintiff contended that as a result of the inaccurate information and wrong credit score provided by the Defendant, the Plaintiff was considered as not creditworthy and suffered losses. The Defendant contended that the Defendant’s role was merely to collate the information and it was not the duty of the Defendant to verify the accuracy of the information.

Grounds of Judgment of the High Court

1. Accuracy of Credit Information

The High Court observed that pursuant to the CRAA 2010, the Defendant as a credit reporting agency is tasked with the main role of collecting, recording, holding and storing credit information. The Defendant is also empowered to disseminate the information to its subscribers, which includes financial institutions. The High Court ruled that Section 29 of the CRAA 2010 imposes a duty upon the Defendant to verify and to ensure the accuracy of the credit information/credit report. Further, CRAA 2010 was enacted to empower credit agencies such as the Defendant to provide accurate information to financial institutions in approving and disbursing financial aid to applicants. Therefore, the Defendant had a duty of care to provide accurate credit information to financial institutions and the persons concerned to whom the information related. The Defendant owed a duty of care towards the Plaintiff in providing accurate credit information. The evidence in this case showed that the Plaintiff alerted the Defendant that the information against her was inaccurate. However, the Defendant ignored the communication from the Plaintiff and continued to maintain the inaccurate information. The High Court was of the view that the Defendant could have suspended the information pending verification or notified subscribers that the information was pending verification. The High Court ruled that the Defendant breached the duty of care owed towards the Plaintiff as the Defendant was indifferent even after being alerted by the Plaintiff.

2. Credit Score Formulated by Credit Reporting Agencies

The Defendant formulated a credit score based on certain criteria which include payment history, amount owed, credit history length, credit mix and new credit. Using these criteria, the Defendant classified the Plaintiff as a serious delinquent. The High Court held that there is no provision in the CRAA 2010 which empowered the Defendant to formulate a credit score or create its own criteria/percentage to formulate a credit score. The Defendant is just supposed to be a repository of the credit information to which its subscribers have access. By formulating a credit score, the Defendant has gone beyond its statutory functions. The Plaintiff suffered losses as a result of being labeled as a delinquent by the Defendant when the Defendant did not have the right to do so.

3. Compensation Awarded by the High Court

The High Court held that the Defendant had (i) breached the duty of care owed to the Plaintiff; and (ii) overstepped the functions it was registered for under the CRAA 2010. The High Court ruled that the Plaintiff suffered personal losses. The Plaintiff’s reputation and relationship with her spouse had broken down as a result of the Defendant’s negligence and breach of fiduciary duties. The High Court awarded the sum of RM200,000 as general damages and costs of RM50,000 to the Plaintiff.

Note: The Defendant has filed an appeal against the decision of the High Court to the Court of Appeal. This matter will be heard before the Court of Appeal.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the author
Chew Jin Heng
Associate
Dispute Resolution
Halim Hong & Quek
jhchew@hhq.com.my

Disposal of Real Properties Subject to Income Tax?

Background Facts

1. International Naturopathis Bio-Tech (M) Sdn Bhd (“the Taxpayer”) was involved in naturopathic medicine, and bought six different shop lot units (3 shoplots in Block A and 3 shoplots in Block B) (“Properties”).

2. The delivery of vacant possession of the Properties was made in August 2010 and the Taxpayer sold the Properties respectively in June 2011 and August 2011.

3. The Director of Inland Revenue (“DGIR”) in 2014 raised a notice of assessment in respect of the disposal of the properties amounting to RM543,906 for the year of assessment 2011.

4. The issue in dispute was whether the disposal of the properties was subject to RPGT or income tax.

5. The Special Commissioner of Income Tax (“SCIT”) and the High Court (“HC”) held that the disposal of the properties was subject to income tax. Being dissatisfied, the Taxpayer filed the appeal to the CoA.

Decision

6. The CoA confirmed the decision of the SCIT and HC and held that, amongst others, the disposal of the Properties was subject to income tax and not RPGT as:
a) the Properties were sold within a short period of time (i.e. 6 months and 12 months after delivery of vacant possession);
b) no effort was made to look for a tenant;
c) disposal of the Properties was not undertaken to help pay for the Taxpayer’s medical bills;
d) the intention of buying the Properties was to trade as (i) the purchase of the Properties was financed by the loans taken by a director and not the Taxpayer; and (ii) the Properties were located at a strategic business location area;
e) the Taxpayer gave no evidence of a change in the ‘intention’;
f) the Taxpayer faced no difficulty in selling the Properties within such a short period of time; and
g) accounting evidence is not conclusive.

Comments

This is a classic RPGT vs income tax case. For decades, taxpayers have been in a tug-of-war with the DGIR in determining whether a disposal of a real property is subject to income tax or RPGT. In this case, the CoA succinctly laid down the following badges of trade:
i. Intention or the motive of the purchase of the property which is subsequently disposed of;
ii. Subject matter/nature of the asset disposed of;
iii. Interval of time between purchase and sale/Length of period of ownership;
iv. Number or frequency of transactions;
v. Changes made to the asset that would make it more saleable;
vi. The circumstances responsible for the realisation of the property;
vii. Method of finance for the purchase of the property;
viii. Existence of similar trading transactions or interests; and
ix. The way the sale or disposal was carried out.

Notably, the CoA also made the following key observations on the application of the badges of trade:
a) these badges are merely a guide which assists the deliberation as to whether a set of facts and circumstances would constitute a trade or an adventure in the nature of trade;
b) no one single badge of trade is usually conclusive or determinative;
c) it is also not uncommon that the application of one badge may lead to one answer but that of another results in another, potentially contradictory conclusion;
d) deliberation involves the interplay of the combination of the various badges of trade, and the weight attached to each badge of trade will depend on the precise circumstances of the case; and
e) it is also fair to say that the more badges of trade that can be fastened on a transaction, the more likely it is that the transaction will be construed as a trade and thus subject to income tax.

This case serves as good guidance in applying the badges of trade and understanding the interaction between these badges. Remember, no one single badge of trade is conclusive and accounting evidence itself is not conclusive.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the Authors
Desmond Liew Zhi Hong
Partner
Tax
Halim Hong & Quek
desmond.liew@hhq.com.my

Boey Kai Qi
Associate
Tax
Halim Hong & Quek
kq.boey@hhq.com.my

Choosing Between Open Source and Closed Source AI: Considerations for Companies Looking to Onboard AI

The concept of “open source” and “closed source” artificial intelligence (“AI”) have attracted increasing public attention ever since Elon Musk filed a lawsuit against OpenAI, the company behind ChatGPT, alleging among others, OpenAI’s breach of its founding agreement. During the Musk and OpenAI saga, the billionaire has called on OpenAI to change its name to “ClosedAI”, seemingly taking a swipe at the lack of transparency and the “closed” nature of OpenAI’s large language model, ChatGPT. . Dissecting the Concept of Open Source and Closed Source AI In order to appreciate the grievances raised by Elon Musk in this upcoming legal drama with OpenAI, we need to first understand the concept behind “open source” and “closed source”. The terms are not unique to AI but are used commonly to refer to the manners in which technologies (most commonly, software) are made available by their developers. Open source software generally refers to software where the source code is readily accessible, customisable, adaptable and/or distributable, either with little or no costs, but subject at all times to the compliance of the open source licensing terms, which typically require users to also make public the modified version of their software which incorporates the open source software. Closed source software on the other hand, generally refers to proprietary software that are licensed by the vendors or software principals for use at a cost under limited or defined licensing terms, and the source code of the proprietary software are usually kept inaccessible. . In the context of AI, open source refers to practices where the core aspects of an AI model – its model structure, training process, training data, and source code, are shared publicly for anyone to use, modify and distribute. In contrast, a closed source AI is where most, if not all, of the aforementioned aspects of an AI model are kept private by the developers or owners. . 
Pros and Cons of Open Source and Closed Source AI

As explained above, the terms “open source” and “closed source” essentially refer to the manner in which a technology is made available. Despite heated debates between the proponents of open source and closed source AIs, there is not necessarily a “one-size-fits-all” approach here. Be it open source or closed source AI, they each have their own sets of pros and cons, which should be carefully evaluated by businesses looking to deploy or adopt AI. The list below illustrates some of the pros and cons of open source and closed source AI:

1. Open Source AI

(i) Pros
- As with all open source initiatives, the concept promotes a higher level of community collaboration and would in turn drive creativity, innovation and improvements to the technology placed under open source. When one user has a breakthrough, the community as a whole benefits from that breakthrough.
- Due to the ease of access of open source technology, it creates a level playing field for businesses looking to deploy the technology but lacking the scale of funding that big corporations have.
- Given the transparency of the model structure, training process, training data and source code of the AI, it would be easier for vulnerabilities to be flushed out by the community.
- Where the training data and data provenance are made public, it provides an avenue for users to verify the legitimacy and ethical aspects of the data used to train the AI.

(ii) Cons
- Owing to its accessibility, open source AI also lowers the barrier of entry for cybercriminals and malicious actors to build so-called “AI without guardrails”.
- Sustainability of an open source initiative is also a key concern. Given that there is usually little to no cost for the access of open source technology, the community is usually not paid to maintain the initiative and is doing it purely out of passion. An open source project that fails to maintain adequate attention from the community will have a high likelihood of failure.
- Due to the lack of dedicated personnel in an open source initiative, businesses in need of technical support after adopting the open source technology may struggle to receive timely support services.
- The potential legal risk associated with open source AI is intellectual property disputes. When multiple contributors collaborate on an open source project, there is inherently a risk that someone may inadvertently or unintentionally contribute code or other intellectual property that they do not have the legal right to share. This could lead to legal challenges regarding ownership, licensing rights, or infringement claims, particularly if the project gains significant traction or commercial use.

2. Closed Source AI

(i) Pros
- A privately owned AI model is usually easier to use and integrate into existing systems, offering a plug-and-play solution to businesses that may not have a high level of technical capabilities.
- Due to the proprietary nature of a closed source AI, it provides some level of control as to who can license, access and use the AI, thereby reducing risks for misuse or abuse.
- Organisations deploying closed source AI would typically have dedicated teams providing support to users. As such, users of closed source AI can expect certain service levels from the licensors.
- Closed source AI is also often the preferred model of distribution for companies looking to maintain a competitive edge in the market, by keeping their technology behind a walled garden and treating it as a trade secret.

(ii) Cons
- Owing to the lack of transparency in the data provenance of a closed source AI, users will not be able to independently verify the legitimacy of the data used to train the AI model.
- Use of closed source AI may also lead to vendor lock-in, making it challenging for users to switch to another AI provider.
- Costs required to access a closed source AI may also be a concern, and this is often a stumbling block for companies with limited budget.

Choosing Between an Open Source or Closed Source AI

There is no fixed answer as to whether an open source or closed source AI is better. Ultimately, it all depends on the company’s objective for the use of AI, its in-house AI capability, and the specific concerns that the company has when it comes to AI deployment.

A company that lacks the capabilities and resources to modify and customise an open source AI may be better suited to licensing a closed source AI with a focus on user-friendliness. On the other hand, a company with very unique AI needs may not be able to find a closed source AI that is suitable for its intended usage, and may be better off building on an open source AI on its own.

Another crucial factor in choosing between open source and closed source AI is the legal consideration, including, but not limited to, regulatory compliance and data privacy requirements. Depending on the jurisdiction, there may be specific regulations or codes of ethics governing the use and deployment of AI, particularly regarding data handling, privacy protection, ethical considerations and/or risk assessments. Companies must carefully assess whether the chosen AI solution, whether open source or closed source, aligns with these legal and regulatory frameworks and considerations, and what additional obligations are imposed under applicable laws before an AI can be implemented.

Adoption of open source and closed source AI both present their own sets of challenges. The open source licensing terms of an open source AI may have express requirements to be met before users can enjoy the AI for its intended open source benefits. For example, users could be required to make public the result of their customisations of the open source AI, failing which certain payment obligations may be required.
For privately owned, closed source AIs, the vendors may be imposing terms in their licensing agreements that could be onerous or unfavourable to the users. It is as such extremely crucial that businesses employ a legal team that is well familiar with the AI industry and software licensing terms to advise on the risks involved and how to mitigate them.

Before any form of AI adoption, the best practice is always to procure legal advice on the risks associated with the AI project and the legal requirements that would apply. Legal counsels that are familiar with the AI industry and software licensing would also be able to assist in reviewing and/or structuring the AI licensing terms, ensuring your objectives are met and that risks are well addressed and mitigated. If you have any questions or needs when it comes to AI adoption, please feel free to reach out to the team of technology lawyers at Halim Hong & Quek.

About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Air Canada Case Exposes AI Chatbot Hallucination Risks: A Mitigation Guide for General Counsel

In the current business landscape, the race to harness the power of Artificial Intelligence (“AI”) is in full swing. One of the most straightforward and cost-effective strategies is the integration of AI Chatbots into company websites, as these AI Chatbots are capable of interacting with customers and answering their queries, which can significantly reduce expenses tied to traditional customer service. However, while many companies are eager to adopt AI Chatbots, there is a critical issue that often goes overlooked or remains unaddressed: the problem of AI Chatbot hallucinations. This issue can lead to severe legal complications, such as negligent misrepresentation, and in this article, we aim to delve deeper into this serious concern.

Understanding AI Chatbot Hallucinations

To fully grasp the issue at hand, it is essential to understand what “hallucination” means in the context of AI. While many might expect AI to provide perfect and flawless answers, the reality often falls short, with AI-generated outputs frequently being inaccurate—a phenomenon referred to as "hallucination." In the realm of AI, especially in machine learning and neural networks, hallucination refers to the generation of incorrect, nonsensical, or entirely fabricated information during data processing or generation. This issue is often most prevalent in generative models, such as GPT (for text) or DALL-E (for images), where the AI might produce outputs that do not accurately reflect the input data or real-world knowledge. These inaccuracies can stem from biases in the training data, overfitting, underfitting, or limitations in the model’s architecture. For instance, an AI trained on a dataset of images might “hallucinate” objects in generated images that weren’t present in the original prompt, or it might combine features of different objects in nonsensical ways.
Similarly, in natural language processing, an AI might generate plausible-sounding but factually incorrect statements based on patterns it learned during training, which don’t actually represent real-world knowledge.

The Air Canada Case: Legal Implications of AI Chatbot Hallucinations

The hallucination effect of AI Chatbots could land companies in hot water legally, especially when customers rely on the information provided by the AI chatbot to make decisions, and this is exactly what happened in the very recent decision of Moffatt v. Air Canada, 2024 BCCRT 149 (“the Air Canada case”) where Air Canada faced legal consequences due to the hallucination effect of their AI Chatbot. The Air Canada case, while seemingly straightforward, carries profound implications and offers invaluable lessons for companies implementing AI Chatbots on their websites, apps, or other platforms.

The Air Canada case revolves around a customer who, following the death of a family member, sought to book a flight with Air Canada. The customer interacted with the AI Chatbot on the Air Canada website, which advised that the customer could apply for bereavement fares retroactively by submitting a request within 90 days of ticket issuance. Relying on the advice and information provided by the AI Chatbot, the customer purchased the ticket and then applied for the bereavement reduction within the 90 days stipulated period as advised. However, the situation took a turn when Air Canada denied the bereavement fare claim, explaining that the AI Chatbot had provided "misleading words" that contradicted the information on the bereavement travel webpage, as according to the webpage, the bereavement policy does not apply retroactively, rendering the customer ineligible for the bereavement fares.

Air Canada attempted to absolve itself of liability for the wrong information provided by the AI Chatbot by arguing that the AI Chatbot is a separate legal entity that is responsible for its own actions.
This argument, however, was rejected by the Civil Resolution Tribunal ("CRT") in Canada. The CRT unequivocally stated that "while a chatbot has an interactive component, it is still just a part of Air Canada's website. It should be obvious to Air Canada that it is responsible for all the information on its website… I find Air Canada did not take reasonable care to ensure its chatbot was accurate." The CRT further ruled that the customer had relied on the chatbot to provide accurate information, which the AI Chatbot failed to do. Therefore, this is a case of negligent misrepresentation on the part of Air Canada, and the customer is entitled to damages.

The Air Canada case serves as a critical examination of how companies utilize AI Chatbots and the potential legal ramifications. Indeed, Air Canada attempted to make an interesting argument by claiming that the AI Chatbot is a separate legal entity and should be responsible for its own actions. However, it is a common misconception that AI is a sentient entity capable of independent thought and action. In reality, AI operates through neural networks that undergo continuous training and adjustment of weights and biases based on the input data. It is crucial to grasp that AI doesn't possess consciousness or autonomy; rather, its functionality is entirely determined by the parameters set during its training. The outcomes produced by AI are essentially predictable and controllable, as they are guided by the patterns and information ingrained within the training data. In essence, AI should be viewed as a sophisticated tool that executes tasks based on predefined algorithms and learned patterns, rather than exhibiting genuine cognitive processes or decision-making abilities.

Given that companies owe a duty of care to ensure that the representations, advice or answers provided by the AI Chatbot are true, accurate and not misleading, the next question is whether, given the current state of "hallucinations" in AI, it is even possible for companies to completely eliminate "hallucinations" or errors in AI-generated content. The truth is that eliminating hallucinations entirely in AI systems is a daunting task. Even reducing these errors and striving for greater accuracy would demand significant resources and effort, as it involves the acquisition of high-quality data, the training of sophisticated models that require substantial computational power, and the continuous development of new model architectures or training techniques that can better handle the nuances of human language and knowledge. While many companies are keen to employ and leverage AI in their technology, most may not be prepared to invest in ensuring the accuracy and correctness of AI-generated answers due to the extremely high costs of investment and resource-intensive work involved.

Therefore, companies need to find a balance between leveraging AI technology in their offerings to reduce costs and investing resources to eliminate hallucinations in AI. This involves ensuring that the representations made are true, accurate, and not misleading to potential customers. This issue also poses a significant concern for general counsels, as traditionally, legal teams would provide training to business units and employees to ensure that representations made to customers are accurate and to avoid negligent misrepresentation. However, general counsels cannot provide training to AI Chatbots, posing a potential risk and crisis management issue that should now be considered by general counsels.

Addressing the Challenge: Strategies for Risk Mitigation

In response to the challenges arising from potential inaccuracies and distortions in AI-generated content, companies utilizing AI Chatbots can adopt several strategic insights to effectively address and mitigate these concerns:

1. Strengthening Terms of Use: Companies should promptly reinforce their terms of use or terms of service agreements on their platforms. These updates should explicitly acknowledge the potential for inaccuracies in AI Chatbot responses, and customers should be informed of their responsibility not to solely rely on AI Chatbot information and to cross-reference data from official website sources.

2. Implementing Robust Disclaimers: It is imperative for companies to incorporate clear and comprehensive disclaimers and terms of use notices for users engaging with AI Chatbots. These disclaimers should unequivocally state the possibility of inaccuracies in the advice or information provided by the AI Chatbot, and users should explicitly acknowledge and agree that such responses cannot be construed as misrepresentation, thereby protecting the company from liabilities stemming from inconsistencies or inaccuracies.

3. Providing Training and Developing Internal Policies: Collaboration between legal and technology teams responsible for AI Chatbot deployment is paramount. Legal counsel should conduct training sessions to enhance the understanding of the data inputs driving the neural network systems behind AI Chatbots. Moreover, these interdisciplinary teams should collaborate to devise internal policies aimed at continuously enhancing the accuracy and reliability of the AI system's outputs.

4. Regular Auditing, Monitoring, and AI Model Red Teaming: Implementing regular audits, monitoring procedures, and AI model red teaming can collectively help identify and mitigate potential legal risks associated with AI Chatbot interactions. Companies should establish protocols for monitoring the performance and behavior of AI Chatbots, including reviewing chat logs, analyzing user feedback, and conducting periodic assessments of accuracy and compliance with legal standards. Additionally, integrating AI model red teaming, where teams simulate adversarial attacks to uncover vulnerabilities, can provide valuable insights into potential weaknesses and enhance overall robustness.

5. Transparent Communication Channels: Providing transparent communication channels for users to report inaccuracies or raise concerns about AI Chatbot responses can help mitigate legal risk. Companies should establish clear avenues for users to provide feedback or seek assistance when they encounter misleading or incorrect information from AI Chatbots. Additionally, companies should communicate openly with users about the limitations of AI technology and the steps being taken to improve accuracy and reliability. By fostering transparency and accountability, companies can build trust with users and minimize the risk of legal disputes related to AI Chatbot interactions.

Conclusion

By adopting these strategic insights, general counsels can effectively mitigate the risks associated with AI-generated content, ensure transparency with their customers, and proactively enhance the accuracy of their AI Chatbot interactions. As this field continues to evolve, it is advisable for companies and general counsels to collaborate with legal professionals well-versed in technology law to develop the right internal policies and strengthen the current terms and conditions on their webpages. In doing so, companies can continue to advance their technology while simultaneously reducing the risk of potential lawsuits arising from AI Chatbot hallucinations by ensuring a balance between technological advancement and legal safety.

If your organization is grappling with concerns regarding the accuracy of AI Chatbots and the potential legal risks associated with misrepresentation, our team is poised to provide expert assistance. Leveraging our proficiency in AI technology and legal frameworks, we offer tailored guidance to safeguard your Chatbot's outputs and ensure compliance with legal standards. Contact us today to proactively address these critical considerations.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Updated Financial Technology Regulatory Sandbox Framework Enhancements Introduced to Increase Accessibility

Bank Negara Malaysia (“BNM”) has on 29 February 2024 issued a new Policy Document (“PD”) on Financial Technology Regulatory Sandbox Framework (the “Framework”) to replace the earlier version that was issued back in 2016.

The new PD came into force on the date of its issuance, and it seeks to enhance the Framework so as to ensure proportionate regulatory facilitation and improve the operational efficiency of the existing sandbox procedures. This article attempts to provide a brief outline of the Framework and the enhancements introduced by the PD.

Financial Technology Regulatory Sandbox

As most would no doubt agree, the financial services industry is one of the most regulated industries anywhere in the world. This is hardly surprising given the importance of stability in the money market.

That being said, it is also equally important for the financial services industry to keep pace with the development of technology to ensure innovation and service improvement. Due to their disruptive nature, financial technology (“Fintech”) providers often find themselves facing difficulties in the deployment of their solutions, owing to potentially archaic or non-accommodative regulatory frameworks. The Fintech regulatory sandbox (“Sandbox”) established under the Framework is an attempt by BNM to address this pain point.

The purpose of the Sandbox is essentially to allow Fintech solutions providers to have temporary rights to deploy and operate their solutions in a live environment, with more “relaxed” regulatory treatment. Participants in the Sandbox would have identified a series of regulatory requirements that they are unable to meet due to the nature of their solutions or business model, and exemptions would be granted to them for a limited duration from having to comply with these regulatory impediments. Upon the expiry of the “playtime”, BNM will then make an assessment as to whether a Sandbox participant should be allowed continued operation of its solution.

Enhancements to the Fintech Regulatory Sandbox Framework

The PD introduces two (2) enhancements to the Framework:

(i) A fast-track application and Fintech solutions testing approval process called the “Green Lane”; and
(ii) A simplified process to assess the eligibility of an applicant to participate in the “Standard Sandbox”.

We will provide a summary of each of the enhancements in turn below.

1. Green Lane

The Green Lane is a fast-track approval process set up especially for financial institutions (“FIs”) only. FIs with proven track records in strong risk management, compliance and governance can utilise the Green Lane to shorten the time required to obtain approval to test their Fintech solutions in the Sandbox.

Interested and eligible FIs can make an application to participate in the Sandbox through the Green Lane by demonstrating their past records in risk management, compliance and governance. Once BNM is satisfied with an FI’s track record in risk management, compliance and governance, a Green Lane approval will be issued. Thereafter, the FI will only have to register its Fintech solutions with BNM for testing in the Sandbox, at least 15 days prior to the intended testing commencement date. An FI with Green Lane qualification can register multiple Fintech solutions for testing over the subsistence of its Green Lane qualification, and there is no need for the FI to make a fresh Green Lane application each time.

Overall, the Green Lane is a new path to Fintech solution testing in the Sandbox that is much simpler than the Standard Sandbox process (which we will get to in the next section). The Green Lane affords FIs a faster process to test their Fintech solutions in the Sandbox, subject to the FIs first proving their eligibility to be in the Green Lane.
Notwithstanding the easier access to the Sandbox, however, the FIs in the Green Lane will still have to adhere to certain parameters and safeguards prescribed under the PD, primarily for customer protections, and BNM still reserves the right to revoke an FI’s Green Lane qualification or reject the registration of Fintech solutions to be tested, particularly where adverse developments have been observed during the testing of Fintech solutions.

Fintech companies or non-FIs can make use of the Green Lane by collaborating with FIs (e.g., outsourcing of Fintech solutions to FIs, equity participation, joint venture, etc.), subject however to the discretion of BNM.

2. Simplified Eligibility Assessment for the Standard Sandbox

The Standard Sandbox entails a 2-tiered assessment process. In the first stage, applicants are first assessed on whether they are eligible to take part in the Standard Sandbox. Once the first stage has been passed, the applicants are then assessed on their readiness or preparedness in satisfying BNM’s considerations to test the Fintech solutions.

Under the new PD, the stage 1 assessment is simplified to the extent that an applicant will only have to demonstrate (amongst others) its ability to identify and mitigate risks associated with the Fintech solution testing, and a semi-functional prototype of the Fintech solution within 3 months from the date of application for participation in the Standard Sandbox. This is a much-welcomed change from the regulator’s past approach of requiring applicants to have a ready product before making any application to participate in the Sandbox. Now, an applicant will only be required to come up with a fully functional prototype during the second stage of the assessment process, allowing greater flexibility to the applicant.

The effort of BNM in ensuring the regulatory framework keeps pace with technology evolution certainly deserves applause.
The enhancements to the Framework brought by the new PD effectively make the Sandbox more accessible to innovators and Fintech solutions providers. This should drive innovations and hopefully boost investment into the Fintech sector in Malaysia, giving Malaysians better financial services experience enhanced by technology, as well as extending the reach of financial services to the financially underserved.

If you wish to know more about the Financial Technology Regulatory Sandbox Framework or need assistance in your application to take part in the Sandbox, you may reach out to our partners below.

About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Exploring Bitcoin Halving and its Significance

In continuation of our exploration into the intricacies of the cryptocurrency market, particularly in the wake of recent developments such as the approval of Spot Bitcoin ETFs in the United States, our focus shifts this week towards a phenomenon that has historically proven to be a pivotal event in the world of Bitcoin: the Bitcoin halving.

Building upon our previous discussions on "Understanding Spot Bitcoin ETF and Its Potential" and "Spot Bitcoin ETF Approval: A Rollercoaster 48 Hours and Its Global Regulatory Implications", we delve deeper into the significance of Bitcoin halving and its potential implications.

Understanding Bitcoin Halving

Bitcoin halving, occurring approximately every four years within the Bitcoin network, entails a reduction in the reward granted to miners for validating and appending new blocks to the blockchain. With each halving event, the miner reward is slashed in half, resulting in a gradual reduction in the rate of new Bitcoin issuance.

To grasp the significance of Bitcoin halving, it is imperative to comprehend the underlying mechanics of the Bitcoin network. Fundamentally, Bitcoin operates on blockchain technology, a decentralized ledger maintained by a network of computers, or nodes. These nodes validate transactions and ensure their integrity before appending them to the blockchain. “Mining”, a crucial aspect of the Bitcoin ecosystem, involves participants using specialized hardware to validate transactions and secure the network. In return for their efforts, miners are rewarded with Bitcoin.

The History of Bitcoin Halving

Since its inception in 2009, Bitcoin has undergone several halving events, each marked by a reduction in the block reward. From the initial reward of 50 Bitcoins per block, subsequent halvings in 2012, 2016, and 2020 have progressively decreased the reward to 25, 12.5, and 6.25 Bitcoins per block, respectively.
The upcoming halving, slated for April 2024, is expected to further reduce the block reward to 3.125 Bitcoins.

The significance of Bitcoin halving lies in its profound impact on the supply dynamics of Bitcoin. As the rate of new Bitcoin issuance decreases with each halving, it results in a gradual reduction in the inflation rate of the Bitcoin supply. This scarcity mechanism often leads to increased demand and, consequently, upward price pressure on Bitcoin.

Moreover, the recent approval of Spot Bitcoin ETFs in the United States, though distinct from the halving event, is perceived by many as a catalyst for heightened institutional interest and investment in Bitcoin. The convergence of Spot Bitcoin ETFs approval which shores up institutional demand of Bitcoin, and the upcoming Bitcoin halving which will reduce supply of Bitcoin on the other hand, amplifies the potential implications for the cryptocurrency market.

Potential Impacts of Bitcoin Halving

We anticipate three primary impacts stemming from the upcoming Bitcoin halving and the recent ETFs approval:

1. Institutional Adoption and Regulatory Implications: The combination of reduced Bitcoin supply and increased institutional interest driven by the Spot Bitcoin ETFs approval may catalyze greater institutional adoption of Bitcoin. This influx of institutional capital could prompt regulators worldwide to reassess their approach to cryptocurrency regulation, potentially leading to more comprehensive frameworks to govern the burgeoning industry.

2. Market Volatility and Increased Public Attention: Historically, Bitcoin halving events have been accompanied by heightened market volatility and increased media attention. The convergence of the halving with the ETFs approval is likely to amplify these effects, drawing renewed interest from retail investors and businesses alike. This renewed attention could further fuel market dynamics and shape broader perceptions of cryptocurrencies.

3. Business Integration of Blockchain Technology: With Bitcoin and blockchain technology gaining prominence, businesses may increasingly explore opportunities to leverage these innovations. The scarcity created by the halving, combined with institutional endorsement through ETFs approval, may incentivize businesses to integrate blockchain technology or even incorporate cryptocurrencies into their operations. However, this trend could also prompt regulators to impose tighter regulations to manage associated risks adequately.

The Intersection of Innovation and Regulation

In conclusion, the evolving regulatory landscape, coupled with significant market events such as the Bitcoin halving and Spot Bitcoin ETFs approval, underscore the need for institutions and businesses to navigate the cryptocurrency space with vigilance.

As regulations continue to evolve in tandem with technological innovation, stakeholders must prioritize compliance and risk management to thrive in this dynamic ecosystem. The forthcoming Bitcoin halving event serves as a poignant reminder of the interconnectedness of regulatory developments and market dynamics, urging stakeholders to remain proactive in their approach to navigating the evolving crypto landscape.

For comprehensive guidance and legal insights regarding the dynamic landscape of cryptocurrency and/or Fintech, our team of experts is ready to assist you. Feel free to reach out to us for further assistance and a tailored approach to navigating the complexities of this decentralized future. We look forward to being your trusted partner on this transformative journey.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Exploring the Patentability of Artificial Neural Networks (ANN) under UK Patent Law: The Emotional Perception AI Case

This week, we aim to delve into one of the most intriguing and arguably significant developments in the field of AI: whether Artificial Neural Networks (ANN) would be subject to exclusion as an invention under the UK Patents Act 1977.

It is well established that Section 1(2)(c) of the Patents Act 1977 excludes 'a program for a computer' as an invention and thereby denies patent protection in relation thereto. However, the pivotal question at hand is whether ANN falls within this exclusion. This precise issue was examined in the UK High Court case of Emotional Perception AI Ltd v Comptroller-General of Patents, Designs, and Trade Marks [2023] EWHC 2948 (Ch). The case focuses solely on the matter of exclusion, and in this article, we aim to meticulously examine and analyze this critical judgment.

The Emotional Perception AI Case holds particular significance and interest as it represents the first authoritative examination of the exclusion concern pertaining to patent protection for ANN. For this reason, the case extensively addresses the nature of ANN and their operational mechanisms before delving into the question of whether ANN falls within the exclusion under Section 1(2)(c) of the Patents Act 1977.

Examining the Structure and Functionality of ANNs

The case begins by dedicating an entire section to elucidating and clarifying the structure of ANN and its functionality. The UK High Court explains that an ANN 'can be envisaged as a black box which is capable of being trained on how to process an input, learning through that training process, retaining that learning internally, and subsequently processing input in a manner derived from that training and learning.'

The UK High Court further elaborated that a hardware ANN essentially constitutes a physical box containing electronic components. The ANN ‘consists of layers of neurons which, anthropomorphising somewhat, are akin to the neurons in the brain. They are arranged in layers and connected to each other, or at least some others, and to layers below. Each neuron is capable of processing inputs and producing an output which is passed on to other neurons in other layers, save that the last layer produces an output from the system and not to another layer. The processing is done according to internal instructions and further processes such as weights and biases applied by the neurons. Thus one feeds data in at the "top" and it is processed down through the layers in accordance with the states of the neurons, each applying its weights and biases and passing the result on, until the result of the processing is reflected in an output at the bottom.'

Additionally, the court elucidated the training process of an ANN, highlighting that once an ANN has completed its training and learning process, the ANN’s structure becomes fixed and ready for use with real data. At this stage, no further adjustments or programming activities occur. The data passing through the ANN undergoes processing solely through the ANN’s nodes, with no human intervention in determining their state or operations, as ‘the state of the nodes, in terms of how they each operate and pass on data, is determined by the ANN itself, which learns via the learning process described above.’

Summarizing the nature of a hardware ANN, the UK High Court stated, 'What I have just described is a hardware ANN. That is to say, it is a piece of hardware which can be bought off the shelf and which contains the nodes and layers in hardware form. However, an ANN can also exist in a computer emulation. In this scenario a conventional computer runs a piece of software which enables the computer to emulate the hardware ANN as if it were a hardware ANN.'

Whether a Hardware ANN is a Computer?

Unexpectedly, while addressing the exclusion issue, one of the pivotal aspects scrutinized by the UK High Court was to actually determine the definition of a 'computer' for the purpose of exclusion, and whether a hardware ANN qualifies as a ‘computer’ or a ‘program for a computer’. Referring to the Oxford English Dictionary, the court found that a hardware ANN aligns with the definition of a computer, and consequently, the judge asserted, 'I consider that in everyday parlance it would be regarded as a computer, and ought to be treated as one within the exclusion.' In essence, since the ANN itself isn't a program for a computer, the entirety of the claim wouldn't fall under the exclusion stipulated in Section 1(2)(c) of the Patents Act 1977.

Technical Contribution and Patentability

After concluding that ANN was not a program for a computer, but indeed a computer itself, the UK High Court proceeded with caution by further analyzing a series of cases on technical contribution and concluded that a trained hardware ANN ‘can be regarded as a technical effect which prevents the exclusion applying… insofar as necessary, the trained hardware ANN is capable of being an external technical effect which prevents the exclusion applying to any prior computer program. There ought to be no difference between a hardware ANN and an emulated ANN for these purposes.’

Conclusion and Outlook

The Emotional Perception AI Case holds particular significance for two distinct reasons. Firstly, it establishes that a hardware ANN should be classified not as a program for a computer, but as a computer itself. Secondly, even if the first determination were to be considered inaccurate, the High Court further ruled that a trained hardware ANN could be deemed to possess a technical effect, thus preventing the exclusion from applying to any preceding computer program. This judgment marks a significant milestone in AI development, offering a fresh perspective and opening up new possibilities for the patentability of AI inventions.

With that being said, we still maintain a cautious approach and will continue to monitor legal developments in this area. As we continue to navigate the complexities of AI patent law, this ruling serves as a beacon of progress, fostering optimism for future legal developments that accommodate and encourage innovation in AI.

If you are looking to develop AI tools and have concerns about intellectual property protection or safeguarding the output, please reach out to our dedicated team of professionals. With a deep understanding of both AI technology and intellectual property law, our lawyers are well-equipped to assist you throughout the entire process, ensuring that your AI-generated work receives the protection it deserves in the rapidly evolving legal landscape.

About the authors

Ong Johnson, Partner, Head of Technology Practice Group. Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity. johnson.ong@hhq.com.my

Lo Khai Yi, Partner, Co-Head of Technology Practice Group. Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity. Halim Hong & Quek. ky.lo@hhq.com.my

Payment for Exemption from Building Low-Cost Housing is NOT Tax-Deductible

In the recent case of Ketua Pengarah Hasil Dalam Negeri Malaysia v Ehsan Armada Sdn Bhd [2023] MLJU 2906, the Court of Appeal held that payment made by Ehsan Armada Sdn Bhd

A QUICK GUIDE ON “NOTICE PROVISION” IN A CONTRACT

Introduction

The "notice provision" tends to be overlooked by the parties entering into agreements, as these clauses are often seen as standard boilerplate, presumed to have minimal significance or impact. However, the notice provision/clause, which is found among the miscellaneous clauses at the end of a contract or sometimes appears as a standalone section, deserves more attention. The intention of this article is to encourage a careful examination of this clause/provision each time it surfaces in a contract.

Purpose of a “Notice Provision”

Unlike many other terms in an agreement, the notice provision is rarely subject to negotiation and it is not crafted to benefit one party over the other. Instead, its purpose is to minimise potential disputes by defining the criteria or requirements for giving a valid contractual notice. A “Notice Clause” usually outlines the necessary details on how and to whom notices must be delivered for the contract to be legally binding. These clauses are essential in specifying notice periods for various scenarios, such as term renewals, exercising a right under the contract, event of default, termination, etc. These clauses ensure that one party gives fair warning to the other when exercising their legal rights under the contract. Essentially, the notice provisions establish the methods and recipients for communication, ensuring that critical matters are brought to the attention of the involved parties in accordance with the terms of the contract.

Things to note when reviewing the “Notice Provision”

When reviewing the notice provision, the key elements to focus on are as follows:

Examples of “Notice Provisions”

Below are some examples of “notice provisions/clauses” extracted from different types of agreements. While these examples may not encompass the entire spectrum of notice clauses encountered, they serve to demonstrate the diversity of these provisions across different contracts.

Sample Notice Clause No.1

(a) All notices, demands or other communications required to be given or made in connection with this Agreement shall be in writing and shall be sufficiently given or made if –
(i) delivered by hand;
(ii) sent by pre-paid registered post; or
(iii) sent by email (provided that there has been successful transmission),
addressed to the person authorised to receive the notice as set out in Schedule 1 or at such address or email address as may be notified in writing by one Party to the other Party from time to time.

(b) Any such notice, demand or other communication shall be deemed to have been duly served if it is (i) delivered by hand or sent by pre-paid registered post, at the time of delivery; or (ii) if made by email transmission, at the time of email transmission (provided that there is no non-delivery notice received by the sender), provided that if the time of delivery or transmission falls beyond 6.00 pm on a Business Day, such notice, demand or other communication shall be deemed to have been duly served at 9.00 am the next Business Day.

Sample Notice Clause No.2

1.1 Any notice to be given under this Agreement shall be in writing and either be delivered personally or sent by registered post or, by courier or email.

1.2 Unless earlier notified to the other Party of any other address for service, the address for service of each Party shall be as follows:
(a) ABC Sdn Bhd
No. 123, Wembley Street, 60000 Kuala Lumpur
Email address: ABC@email.com
Attention to: Contract Manager
(b) XYZ Sdn Bhd
No. 888, Lorong Kenari, 47000 Petaling Jaya, Selangor
Tel No.: 03-8888888
Email address: XYZ@email.com
Attention to: Legal Manager

1.3 A notice shall be deemed to have been served:
(a) If delivered personally, at the time of delivery;
(b) If posted by way of registered post, three (3) Business Days after posting; or
(c) If made by email transmission, at the time of email transmission (provided that there is no non-delivery notice received by the sender)

1.4 A party may change its address, email address for notices by giving written notice to the other party.

Sample Clause No. 3

NOTICES

a) Any notice to be given by either party to the other in connection with this Agreement shall be in writing and may be given personally or sent by fax or by prepaid registered post to the other party at the address contained in this Agreement.

b) Any notice sent by facsimile shall, in the case of a facsimile sent before 5.00 pm on a Business Day, be deemed served on receipt of a successful transmission notice and, in the case of a facsimile sent after 5.00 pm on a Business Day, at 10 am on the next following Business Day. If delivered by hand, any notice shall be deemed to have been served at the time and date of delivery. Any notice served by registered post shall be deemed served 5 Business Days after posting. In proving the service of any notice it will be sufficient to prove, in the case of a letter, that such letter was properly stamped, addressed and placed in the post and, in the case of a facsimile, that such a facsimile was duly dispatched to a current fax number of the addressee. Notice given under this Agreement shall not be validly served if sent by email.

Conclusion

Failing to adhere to the requirements of a notice clause in the contract can lead to significant consequences. Hence, it is crucial for the parties involved in the contract to ensure that they meet all the contractual requirements/obligations when issuing the notice under the contract. Further, this process becomes straightforward when the notice clause is drafted in a clear and concise manner.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the author

Lynn Foo, Partner, Construction & Energy Unit, Harold & Lam Partnership. lynn.foo@hlplawyers.com

STAMP DUTY FOR FOREIGN CURRENCY LOAN

Introduction

Stamp duty is chargeable on instruments but it is not chargeable on transactions. The instruments that are liable to stamp duty are listed in the First Schedule of the Stamp Act (Act 378) (“the Act”). Any unstamped or insufficiently stamped instrument is inadmissible as evidence in a court of law, nor will it be acted upon by a public officer.

Ad Valorem Stamp

The rates of the stamp duty payable vary based on the nature of the instrument, i.e. whether the instrument will be stamped ad valorem (that is, according to the value) or at a fixed stamp duty. In the case of ad valorem stamp, the amount of the consideration stated in the instrument or the market value of the property plays a vital role in deciding the amount of the stamp duty. According to the guideline provided by Lembaga Hasil Dalam Negeri (“LHDN”)[i], the imposition of ad valorem duty is on:

1. Instruments of transfer (implementing a sale or gift) of property including marketable securities (meaning loan stocks and shares of public companies listed on the Bursa Malaysia Berhad), shares of other companies and of non-tangible property (e.g. book debts, benefits to legal rights and goodwill);
2. Instruments creating interests in property (e.g. Tenancies and Statutory Leases);
3. Instruments of security for monies, including instruments creating contracts for payment of monies or obligation for payment of monies (generally described as ‘Bond’); and
4. Certain capital market instruments (e.g. Contract Notes).

Foreign Currency Loan Agreement/Loan Instrument

The calculation of stamp duty on loan agreements for a foreign currency loan is different from that for a Malaysian Ringgit loan. Malaysian Ringgit loan agreements generally attract stamp duty at 0.5% whereas for foreign currency loan, there will be a flat rate stamp duty of RM5 per RM100 or part thereof. The RM2,000 stamp duty ceiling cap is no longer applicable ever since the enforcement of Section 27(iii) of the First Schedule of the said Act on 1 January 2024.

The wordings of Section 27(iii) of the First Schedule of the said Act are as follows:

For illustration purposes, please see the example below regarding the calculation for the stamp duty on a facility agreement dated 2 January 2024 (the facility agreement as the principal agreement will be subject to ad valorem duty) for a loan of USD100,000.00:

[i] https://www.hasil.gov.my/en/stamp-duty/

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the author

Loong Shi Yi, Associate, Real Estate, Banking & Finance, Halim Hong & Quek. syloong@hhq.com.my

Failure to Plead the Relevant Contractual Clause in Adjudication Proceedings (CIPAA 2012) is Fatal

Anas Construction Sdn Bhd v JKP Sdn Bhd & Another Appeal [2024] MLJU 53; [2024] CLJU 63; (Civil Appeal No.: 02(f)-4-01-2023(P)) (Federal Court)

This recent Federal Court decision confirms the position that an Adjudicator can only decide on the cause of action (provisions in the contract) that have been specifically referred to him/her pursuant to the Payment Claim. The Court held that the Adjudicator had exceeded his jurisdiction by referring to another provision in the contract that had not been referred to by the claimant in the Payment Claim.

In coming to this decision, the Federal Court, in a majority judgment (2:1), found that the plain meaning of section 27(1) of the Construction Industry Payment and Adjudication Act 2012 (“CIPAA 2012”) is that the jurisdiction of an Adjudicator is limited to matters referred to by parties pursuant to sections 5 and 6 of CIPAA 2012. Since section 5(2)(b) of CIPAA 2012 requires the claimant to include in the Payment Claim the cause of action and the provision under the contract to which the payment relates, the Federal Court stated that the claimant must identify all the provisions on which it seeks to rely, and the Adjudicator cannot rely on other provisions which have not been referred to by parties.

Background Facts

The Respondent appointed the Appellant as the main contractor for the construction and completion of a project in Penang, for a sum of RM67,994,500.00. In carrying out the Project, the Appellant had engaged independent professional Consultants to provide a report in regards to cracked beams and a safety report. The consultants’ fees incurred by the Appellant were RM855,074.21. As the Respondent had allegedly failed, neglected, or refused to pay the consultants’ fees, the Appellant brought a payment claim against the Respondent to adjudication under CIPAA 2012.

The Appellant served the Payment Claim on the Respondent on 6.3.2019. In the Payment Claim, the Appellant pleaded clauses 28, 55 and 56 of the Contract to establish its cause of action against the Respondent. In the Payment Response dated 22.3.2019, the Respondent contended, among others, that the Appellant’s claim does not fall within the meaning of “construction contract” under section 5(1) of CIPAA 2012. Thereafter, in the Adjudication Claim, the Appellant again referred to and relied on clauses 28, 55 and 56 of the Contract in support of its claim for the consultants’ fees. On the other hand, in the Adjudication Response, the Respondent contended that the relevant clause in relation to the Appellant’s claim would be clause 36.5 of the Contract, which was not relied upon by the Appellant.

On 12.9.2019, the Adjudicator handed down the Adjudication Decision in favour of the Appellant. The Adjudicator awarded the sum of RM806,673.78, being the adjudicated sum, to the Appellant. In coming to the decision, the Adjudicator relied on clause 36.6 of the Contract rather than clauses 28, 55 and 56 of the Contract as submitted by the Appellant in the Payment Claim and Adjudication Claim. The Adjudicator found that clause 36.6 was most applicable to the Appellant’s claim.

At the High Court, the Appellant’s application to enforce the Adjudication Decision was allowed. Consequently, the High Court dismissed the Respondent’s application to set aside the Adjudication Decision. The High Court was of the view that the Adjudicator did not act beyond his jurisdiction and had acted fairly and independently.

However, the High Court’s decision was reversed on appeal. The Court of Appeal held that the Adjudicator had acted in excess of his jurisdiction when deciding the adjudication on a clause of the Contract that was not relied upon by the Appellant in the Payment Claim and Adjudication Claim. Further, the Court of Appeal found that the omission of the Adjudicator to invite the parties to submit on clause 36.6 of the Contract is a denial of natural justice. Hence, the Adjudication Decision was set aside.

On 3.1.2023, the Federal Court granted the Appellant’s leave to appeal on the following questions of law, namely:

Q1: Do the strict rules of pleadings, as applicable in civil claims before the Malaysian Courts, apply in adjudicating proceedings under the CIPAA 2012?

Q2: Whether the dicta in View Esteem Sdn Bhd v Bina Puri Holdings Bhd [2018] 2 MLJ 22 prohibits an adjudicator from referring to a specific clause in a construction contract when allowing the claim when the said clause was not specifically stated in the Payment Claim and Adjudication Claim by the claiming party?

Q3: In a CIPAA Award, does the adjudicator’s consideration of a specific clause in the construction contract, not specifically stated in the Payment Claim or Adjudication Claim, without inviting parties to submit further on the said clause, amount to a breach of natural justice or an act excess in the jurisdiction, such that the said Award ought to be set aside.

Summary of the Majority Grounds of Judgment by Nordin Bin Hassan, FCJ

In determining the appeal, the Federal Court found that the main issue relates to the jurisdiction of an Adjudicator under CIPAA 2012. Section 27 of CIPAA, which speaks on the jurisdiction of the Adjudicator, is held to be plain and unambiguous, in that the jurisdiction of an Adjudicator is limited to matters referred to by parties pursuant to sections 5 and 6 of CIPAA 2012. Section 5 of CIPAA 2012 relates to Payment Claim, whereas Section 6 of CIPAA 2012 is in relation to Payment Response.

Amongst others, section 5(b) of CIPAA 2012 requires the claimant to include in the Payment Claim the cause of action and the provision under the contract to which the payment relates. On this point, the Federal Court held that the cause of action in a contract must relate to a provision or provisions in the construction contract to support the claim. The cause of action arises when there is a breach of a provision of the contract and therefore, the cause of action is subject to the agreed provisions in the contract.

On the facts, the Federal Court found that the Adjudicator had relied on clause 36.6 of the Contract in allowing the Appellant’s claim, and did not rely on any of the clauses referred to by the Appellant in the Payment Claim filed pursuant to section 5 of CIPAA 2012. The Court further commented that the parties did not give written consent to extend the jurisdiction of the Adjudicator to adjudicate the matters relying on clause 36.6 of the Contract, as required under section 27(2) of CIPAA 2012, which the Court opined should have been done.

Since the Adjudicator’s jurisdiction is limited to matters referred to the Adjudicator under Sections 5 and 6 of CIPAA 2012, the Adjudicator exceeded his jurisdiction in deciding the dispute based on Clause 36.6 of the Contract (not pleaded/relied upon by the parties). As the Federal Court found that the Adjudicator had acted in excess of his jurisdiction, the Adjudication Decision can be set aside under section 15(d) of CIPAA 2012.

On the issue of denial of natural justice, the Federal Court found that it is undisputed that parties were not given the opportunity to submit on the cause of action under clause 36.6 of the Contract before the Adjudication Decision was delivered. Further, submissions by the parties may have persuaded the Adjudicator in the present case to decide differently. The principle of natural justice includes allowing parties to present their case effectively. The failure of the Adjudicator to provide an opportunity to the parties to submit on the cause of action under Clause 36.6 of the Contract before arriving at his decision in the Adjudication Decision is a denial of natural justice.

In light of the above, the Court found that the issue of strict rules of pleadings does not arise as the Adjudicator’s jurisdiction is governed by section 27(1) of CIPAA 2012. Therefore, the Federal Court affirmed the decisions of the Court of Appeal.

Summary of the Minority Grounds of Judgment by Mary Lim Thiam Suan, FCJ

The learned Federal Court Judge (FCJ) foremost opined that the analysis and resolution of the 3 questions of law requires a return to the fundamental principles of statutory adjudication introduced in Malaysia, and that it is a regime solely and exclusively for and in the realm and practice of construction contracts as defined in section 4 of CIPAA 2012. Further, the learned FCJ stated that the adjudication regime is only available to payment disputes, and that it is meant to resolve disputes relating to claims of non-payment for work done or services rendered under the express terms of a construction contract.

Another facet of the adjudication regime as highlighted by the learned FCJ is that persons who are qualified to sit or be appointed as adjudicators are not necessarily legally qualified. This feature has, in the learned FCJ’s view, a substantial bearing against any argument or insistence of likening adjudication proceedings to proceedings in a Court of law.

Having set out the basic principles of statutory adjudication in Malaysia, the learned FCJ went on to discuss the 3 questions posed:

Question 1

The learned FCJ was of the view that the answer must be in the negative as there are no pleadings in statutory adjudication as generally understood and practised in Court proceedings. Under CIPAA, there are only 2 sets of documentation. The first set of documentation is known as the payment claim and the payment response, provided under sections 5 and 6 of CIPAA. The learned FCJ likened payment claim to a letter of demand, as at that stage, there is no payment dispute as yet to refer to adjudication. The second set of documentation would be the adjudication claim, adjudication response and adjudication reply.

The learned FCJ referred to View Esteem and stated that the difference between a payment claim and an adjudication claim is that the adjudication claim broadly outlines the “nature and description of the dispute along with the remedy sought” whereas the payment claim contains the details of the claim so that the cause of action can be discerned. Hence, it is the dispute that arises from the payment claim that the adjudicator is required to adjudicate upon, decide and deliver the adjudication decision. And because it is the dispute arising from the payment claim that is being referred to adjudication, the learned FCJ took the position that it would be erroneous and misleading to describe the payment claim and payment response as pleadings.

On the facts, the learned FCJ found that it was not the case that the Appellant failed to cite any provisions of the Contract and/or that the Appellant had failed to comply with section 5(2)(b) of CIPAA 2012. Even if the Adjudicator had determined the claim upon clause 36.6 of the Contract, which the learned FCJ opined he did not, the learned FCJ was of the view that this is not at all fatal to the Appellant. Thus, the learned FCJ disagreed with the Court of Appeal when it concluded that the Adjudicator’s reference or reliance to clause 36.6 of the Contract was fatal to the Appellant. The learned FCJ also opined that the Court of Appeal had failed to give proper and due regard to the whole statutory adjudication scheme, the intent of CIPAA, its operation and application.

Specifically on section 5(2)(b) of CIPAA 2012, the learned FCJ is of the view that the inclusion of the words “including the provision in the construction contract to which the payment relates” is intended to be illustrative of what those details may be. The reason for this is so that the non-paying party can respond to the claim for work done or services rendered. In this case, the learned FCJ found that the Respondent had no difficulty at any stage to respond to the Appellant’s claim.

As regards section 27 of CIPAA 2012 on the jurisdiction of an adjudicator, the learned FCJ stated that the matter in dispute which was referred to adjudication was the claim for professional fees due under the terminated contract, and the Respondent was fully aware of that being the real and sole issue. Hence, the learned FCJ was of the view that the non-citing or even the citing of a wrong clause or provision of the contract does not render and cannot render the adjudicator bereft of jurisdiction.

In addition to the above, the learned FCJ found that on the examination of the correspondence exchanged, especially the letters sent by the Appellant, the letters show that the Appellant had actually invoked, among others, clause 36.6 of the Contract. The relevant correspondence was also cited in the Payment Claim, and also forms part of the Adjudication Claim. Hence, clause 36.6 of the contract was quite clearly cited, and the Adjudicator’s reference to this clause was not done in the frolic of his own. The learned FCJ further added that the whole construction contract was already before the Adjudicator, “pleaded” as it were, and it would be naïve to suggest that the Adjudicator is not entitled to look at the whole contract for its full terms and effect.

Question 2

The learned FCJ stated that in view of Her Ladyship’s reasons in relation to Question 1 and Her Ladyship’s finding that clause 36.6 of the Contract was actually “pleaded” or raised in the Payment Claim as well as Adjudication Claim, this question does not arise. In any case, the learned FCJ was of the view that even if the Adjudicator had referred to or relied on clause 36.6 and such clause was not raised by the Appellant in the Payment Claim or Adjudication Claim, such reference or reliance is not fatal to the Appellant’s cause by reason of section 5(2)(b) of CIPAA 2012.

The learned FCJ disagreed with the Court of Appeal’s interpretation of the dicta in View Esteem. The effect of View Esteem in respect of section 27 of CIPAA 2012 is simply that the adjudicator’s jurisdiction in relation to any dispute is limited to the matter of the claim which was referred to adjudication under sections 5 and 6 of CIPAA 2012. As such, Question 2 is in the negative.

Question 3

In light of the learned FCJ’s findings that clause 36.6 of the Contract which purportedly formed the basis of the Adjudicator’s decision was actually cited in the Payment Claim, this Question was also answered in the negative.

In discussing this Question, the learned FCJ stated that it is only if the adjudicator goes off on a frolic of his own, decides the case on a factual or legal basis which has not been argued or put forward by either side, without giving the parties an opportunity to comment or put in relevant evidence, if appropriate, that the breach may be said to be material rendering the decision reached liable to be set aside. However, if the “frolic” of the adjudicator makes no difference to the outcome, the decision must be enforced.

On the facts, the learned FCJ found that the reference by the Adjudicator to clause 36.6 of the Contract did not have the same materiality or significance. In addition to the fact that the Respondent was fully aware of the entire clause 36 of the Contract, the learned FCJ found that it was a matter of contractual construction which the Adjudicator was entitled to decide. The learned FCJ concluded that it should only be in rare circumstances that an adjudication decision is set aside.

Comments

In light of the majority decision of the Federal Court, the non-paid party/claimant must be careful to refer and rely on all relevant clauses of the construction contract in the payment claim as well as adjudication claim, to avoid the adjudication decision being set aside on the grounds of excess of jurisdiction and/or breach of natural justice. The adjudicator is strictly confined to adjudicate on matters pleaded within the adjudication pleadings. Therefore, parties involved in adjudication proceedings must be meticulous and ensure that the relevant clauses in a contract and/or cause of action are pleaded in the adjudication pleadings.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the author

Amy Hiew Kar Yi, Partner, Corporate Disputes, Construction, Projects & Energy, Harold & Lam Partnership. amy@hlplawyers.com

Chew Jin Heng, Associate, Dispute Resolution, Halim Hong & Quek. jhchew@hhq.com.my

Exploring the Legal Implications of AI as Inventors: UK Patent Law Perspective

The complexities surrounding intellectual property and artificial intelligence (“AI”) continue to unfold. While our previous article explored the murky waters of copyright protection for AI-generated works, this week we delve into another pivotal question: can AI be designated as the "inventor" under UK patent law? This issue has recently been addressed by the UK Supreme Court, offering some much-needed clarity on a subject rife with legal implications.

The Case Study: Dr. Thaler and "DABUS"

Filing of patent applications requires the inventor(s) to be named. Now imagine a scenario where an AI autonomously creates an invention, without any human interference or control. Could this AI be named as the "inventor" under UK patent law?

This is not merely an academic discussion but an actual case in the United Kingdom, where Dr. Thaler filed two patent applications under the Patents Act 1977 for (i) a new kind of food or beverage container, and (ii) a new kind of emergency light beacon. Notably, neither application named a human inventor, nor did Dr. Thaler file a separate document designating one. In fact, Dr. Thaler emphasized and clarified that these inventions were created by his AI machine, called "DABUS". He claimed that "DABUS" is the 'inventor' and that, since he is the owner of DABUS, he should be granted the patents for those applications.

This case doesn't focus on whether AI-generated technical advances are patentable or whether the term "inventor" needs broadening. Instead, it explores two key questions: (i) can AI ever be named as the "inventor," and (ii) can the owner of an AI machine obtain patents for inventions autonomously generated by that AI machine? It is crucial to note that this is not a case where Dr. Thaler is claiming that he was the inventor and used DABUS as a highly sophisticated tool, but a case where the claim is made on the basis that all inventions were made by his AI machine, DABUS, and since he owned DABUS, he should be granted the patent rights for those inventions.

Can AI be Designated as an "Inventor" under UK Patent Law?

We turn first to the question of whether AI could be named as the inventor under UK patent law.

The UK Supreme Court examined Sections 7 and 13 of the Patents Act 1977 and unanimously affirmed that the context of the Patents Act 1977 permits only one interpretation: an inventor must be a natural person. It allows no other interpretation to permit DABUS to be named as the inventor because "an inventor within the meaning of the 1977 Act must be a natural person, and DABUS is not a person at all, let alone a natural person... Accordingly, it is not and never was an inventor for the purposes of Sections 7 and 13 of the 1977 Act."

From the above, it is clear that the current UK patent law leaves no room for an AI to ever be named as the "inventor", given the strict requirement that an "inventor" must be a natural person.

Ownership of AI Machines and Patent Rights

We now turn to the second question: whether the owner of the AI machine is entitled to apply for and obtain a patent in respect of any invention or technical advance autonomously generated by the AI machine.

This is closely linked to the first question. The UK Supreme Court reiterated that the patent law is clear that the inventor must be a person. In this case, it is without doubt that DABUS was not and is not a person, and hence DABUS could not be named as the "inventor" under the patent law. It went on to clearly explain that "Section 7 does not confer on any person a right to obtain a patent for any new product or process created or generated autonomously by a machine, such as DABUS, let alone a person who claims that right purely on the basis of ownership of the machine." Therefore, given that DABUS could not be the "inventor", there is technically no "inventor" through whom Dr. Thaler could claim the right to obtain a patent for any technical advance.

From the above, two strong conclusions can be drawn: (i) AI could not be named as the "inventor", as the inventor must be a natural person, and (ii) the owner of the AI machine could not apply for and obtain patents for the technical developments purely on the basis that he has ownership of the AI machine when the inventions were wholly created by the AI machine autonomously.

Differentiating Human Oversight from Autonomous AI Inventions

It is crucial to highlight an important remark made by the Supreme Court: in cases where the inventor uses DABUS as a highly sophisticated tool, the outcome of these proceedings might well have been different.

This indicates that under the current law, inventions autonomously created by AI without any human inventor are not patentable in the UK. However, in cases where there is human oversight of AI in directing its work, the human inventor could then be named and be granted patent protection for the invention.

Implications and Recommendations

In conclusion, the UK Supreme Court's ruling has provided unequivocal clarity on the matter: AI cannot be designated as an inventor under current UK patent law. Furthermore, the ownership of an AI machine does not confer the right to obtain patents for inventions autonomously generated by the AI. These decisions underscore the necessity for organizations investing in AI to collaborate closely with legal experts to navigate the evolving landscape of intellectual property rights.

As technology continues to advance and AI plays an increasingly significant role in innovation, it is imperative for policymakers and legal frameworks to adapt accordingly. The current limitations highlight the urgency for legislative updates that address the unique challenges posed by AI-generated inventions. Until such reforms are enacted, organizations must prioritize comprehensive strategies for protecting their AI-driven innovations, ensuring that the contributions of both human inventors and AI systems are recognized and safeguarded within the bounds of existing legal frameworks.

If you are looking to develop AI tools and have concerns about intellectual property protection or safeguarding the output, please reach out to our dedicated team of professionals. With a deep understanding of both AI technology and intellectual property law, our lawyers are well-equipped to assist you throughout the entire process, ensuring that your AI-generated work receives the protection it deserves in the rapidly evolving legal landscape.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Whether AI-Generated Work Could be Protected by Copyright Law

In the current era, artificial intelligence (AI) has evolved from mere buzzword to a tangible advancement with an expansive

Artificial Intelligence and Cybersecurity: A Double-Edged Sword Fight

The release of ChatGPT brought along with it a wave of Artificial Intelligence (“AI”) driven revolution. It is no exaggeration to say that AI has infiltrated almost every industry in existence. Some view AI as a harbinger of doom; some see it as a bearer of good news, here to ease our daily lives. The cybersecurity market seems to have found itself in a love-hate relationship with AI. In this newsletter, we will be looking at how AI has single-handedly enhanced the efficiency and effectiveness of cybersecurity efforts, but at the same time also created more cybersecurity threats to individuals and organisations.

AI-Enhanced Cybersecurity

The underlying feature of AI is always to imitate human behaviour and actions, whether it is spotting trends and anomalies, or content writing and generation. When it comes to cybersecurity, AI can also be trained to facilitate and assist in the work of cybersecurity professionals.

Oftentimes, the attack vectors that cybercriminals use to gain a foothold in their target’s IT environment are zero-day vulnerabilities in software used by the target. Zero-day vulnerabilities are hard to protect against because they are latent flaws unknown even to the owners or developers of the software. A specially designed and trained AI can be used to detect zero-day vulnerabilities in software, thereby helping cybersecurity researchers to flesh out potential attack vectors and to deploy patches and fixes accordingly, before actual exploitation by malicious actors. When AI is deployed in an organisation’s network server, it can also be used to flag potential phishing emails.

Other than predictive initiatives, AI can also be trained to perform malware detection and tracing in the event of a cybersecurity breach. During a cybersecurity incident, the response team is always racing against time to mitigate damage. AI can substantially cut down the time taken to locate the root cause of the breach or to detect malware.

AI Posing Cybersecurity Risks

While there are many use cases of AI in enhancing cybersecurity, the flip side is also true in that AI itself is presenting new cybersecurity risks.

Phishing emails crafted with AI are more convincing and sophisticated than ever, making them harder to spot. AI can also be used to learn the behaviour of a particular person before a phishing email is deployed, to increase the chances of the phishing email being clicked on. For example, if an AI gathered that the target will normally receive and open emails sent by tax agents to his or her work email, a phishing email can then be crafted to imitate one sent by tax agents.

The proliferation of AI also prompted the creation of the dark side of ChatGPT, introducing the likes of WormGPT and FraudGPT. Unlike ChatGPT, these generative AI models do not have any safety guardrails. They are deployed to help cybercriminals to write malware and convincing phishing emails, thereby lowering the barrier to executing an attack.

AI, just like any piece of software, if integrated and embedded in an organisation’s IT environment, can also potentially be used by cybercriminals as a possible attack vector if there are loopholes or vulnerabilities in the system. In an effort to deploy AI, an organisation may actually unknowingly create a way into its IT environment for threat actors. If cybersecurity researchers can use AI to locate zero-day vulnerabilities and to patch them, then cybercriminals can also use AI to find vulnerabilities in software to exploit and compromise.

Fighting AI with AI

AI has proven time and again that it can perform better (or at least faster) than humans in many of the tasks that involve pattern and anomaly spotting, as well as information gathering and sorting. Crucially, this is the nature of the work of cybersecurity professionals.

There is a saying that to beat evil, one must become a greater evil. It seems a quick solution to cybersecurity risks exacerbated by AI is to deploy more advanced AI to strengthen cybersecurity. It will be a matter of the sharpest spear against the toughest shield.

Malaysia Cybersecurity Bill

Given the importance of cybersecurity, the Malaysia Cybersecurity Bill that is currently in the works will be a vital bullet in the fight against cyber threats. It remains to be seen what sort of tools the legislation will offer to defend the digital landscape, but it is definitely a move in the right direction.

If you wish to know more about cybersecurity best practices, legal requirements relating to cybersecurity, personal data and breach notification requirements, please feel free to reach out to our team of experts. We look forward to working with you on your digital transformation journey.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Spot Bitcoin ETF Approval: A Rollercoaster 48 Hours and Its Global Regulatory Implications

Follow-up to the Previous Article: "Understanding Spot Bitcoin ETF and Its Potential"

In a historic move, Gary Gensler, the Chair of the U.S. Securities and Exchange Commission (SEC), has officially confirmed the approval and impending listing of Spot Bitcoin ETFs. This development marks the debut of the first Spot Bitcoin ETF in the U.S., shaping up to be one of the most anticipated and significant regulatory decisions in January 2024. The following chronicle outlines the dramatic 48 hours leading to the SEC's approval, shedding light on cybersecurity lessons and global regulatory implications.

Rollercoaster 48 Hours: A Chronicle of Events Leading to Approval

Over the past 48 hours, the journey towards the SEC's official approval of Spot Bitcoin ETFs has been nothing short of dramatic. On January 9, 2024 (US time), the SEC posted a now-deleted tweet on X (formerly Twitter), announcing the approval of #Bitcoin ETFs for listing on all registered national securities exchanges. However, the excitement was short-lived as the SEC swiftly deleted the tweet, attributing the action to a compromise of their official X account. Both the SEC and Gary Gensler later clarified in a subsequent tweet that the @SECGov X account had been compromised, emphasizing that no approval had been granted for spot bitcoin exchange-traded products.

Further investigation by X revealed that the compromise was not due to any breach of X’s systems but rather a case of an unidentified individual gaining control over a phone number associated with the @SECGov account through a third party. Notably, the compromised account lacked two-factor authentication at the time.

Finally, a few hours ago, the SEC officially published Record No. 34-99306 on its website, formally approving Spot Bitcoin ETFs, and Gary Gensler concurrently released an official statement, marking the historic and authorized approval of the Spot Bitcoin ETFs.

Key Takeaways and Global Regulatory Implications

The recent events surrounding the approval of Spot Bitcoin ETFs offer several crucial insights with potential global regulatory impacts.

1. Emphasis on Cybersecurity: The foremost lesson from this rollercoaster ride is the critical importance of cybersecurity. Regardless of whether the compromise originated internally or from an external third party, this incident underscores the paramount need for robust cybersecurity measures. In the digital age, any compromise can lead to irreparable damage to a company, the market, and, significantly, the organization's reputation. It serves as a stark reminder that investing in cybersecurity is not just prudent but imperative in safeguarding against unforeseen challenges.

2. Verification of Official Announcements: The second takeaway revolves around the necessity to verify the source of official announcements diligently. The unauthorized tweet from the SEC's compromised account highlights the vulnerability of relying solely on social media for crucial information. Legal due diligence demands a thorough examination of official legal sources, including but not limited to websites and supporting materials. Organizations and individuals alike should exercise caution, and when in doubt, consult legal advisors to verify the authenticity of information disseminated through unofficial channels.

3. Global Regulatory Shift: With the official approval of Spot Bitcoin ETFs by the SEC, a potential paradigm shift in the global regulatory landscape for digital assets is imminent. This positive development suggests that other countries may follow suit in embracing similar regulatory approaches to cryptocurrencies, stablecoins, and NFTs.

Conclusion

In conclusion, the approval of Spot Bitcoin ETFs by the US SEC has not only marked a significant milestone for cryptocurrency enthusiasts but has also triggered a cascade of lessons and considerations for organizations, regulators, and investors alike in navigating the dynamic intersection of finance and technology on a global scale. Organizations are advised to stay vigilant, collaborate with legal advisors, and actively engage with regulators as local frameworks adapt to the evolving global regulatory landscape.

For comprehensive guidance and legal insights regarding the dynamic landscape of cryptocurrency and/or Fintech, our team of experts is ready to assist you. Feel free to reach out to us for further assistance and a tailored approach to navigating the complexities of this decentralized future. We look forward to being your trusted partner on this transformative journey.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

The European Union Artificial Intelligence Act - Should Artificial Intelligence Be Regulated?

After the European Union Artificial Intelligence Act (the “EU AI Act”) was proposed by the European Commission in 2021, the European Parliament and Council finally reached a provisional agreement on the final version of the EU AI Act on 9 December 2023. The final text of the EU AI Act will go through technical review and refinements before being released to the public. From the European Parliament’s press releases, however, one can have some preliminary idea of the general scope of the EU AI Act.

Should Artificial Intelligence be Regulated?

The EU AI Act is often touted as a “global first” legal framework for the regulation of artificial intelligence (“AI”) with clear rules for its usage. This definitely begs the question “Should AI be regulated?”. Consensus reached on this question seems to be skewed largely towards a “YES”, when even the industry players, the technology companies and the developers of AI themselves are calling for regulation, or at least some industry standards as to the ethical and safe development of AI.

The reasoning for regulation goes beyond doomsayers’ fear of AI potentially dominating humanity or even destroying it, like what we saw in The Terminator franchise. What is actually driving the call for regulation is much more imminent – ethical concerns as well as safety and security reasons. Depending on the data sets used to train an AI model, its usage may cause discrimination against marginalised groups of people (e.g., rating a person with darker skin tone as being more likely to default on a loan, or a facial recognition AI model that cannot recognise certain skin tones as well as it does others). Inappropriate usage of AI may also cause the spread of misinformation and disinformation or wrongful arrest of suspects by law enforcement.

In the face of these imminent threats of AI, regulation seems necessary to provide a guardrail in ensuring the development of ethical and safe AI, which is what the EU AI Act sets out to achieve.

The EU AI Act: A friend or a foe?

Regulations on AI must be delicately crafted – too stringent, and they may become a stranglehold that stifles innovation and development; too loose, and they may become a stingless bee. The EU AI Act’s solution to a balance in regulation can be seen in its risk-based approach to AI.

To start with, the EU AI Act seems to adopt a neutral and broad definition of “AI systems” that is aligned with what was proposed by the Organisation for Economic Co-Operation and Development: “A machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments”.

Within this definition of AI systems, AI is further categorised based on the risk level the AI system poses: (i) minimal / no risk (e.g., AI-enabled recommender systems in Netflix and Instagram); (ii) limited risk (e.g., simple chatbots and AI-enabled sorting systems); (iii) high risk (e.g., AI-enabled medical devices, AI for law enforcement purposes, etc.); and (iv) unacceptable risk (predictive policing AI, AI that processes sensitive personal information such as sexual orientation, political and religious beliefs).

Depending on the category of the AI systems, they are subject to different levels of scrutiny. The AI systems with the highest level of risk are banned outright, those with acceptable and manageable risks are subject to a high level of oversight and reporting requirements, and those with low to minimal risks are given a free pass or made subject to simple obligations to at least inform their users that they are dealing with AI-generated content.

The EU AI Act also seeks to impose additional obligations in respect of “general purpose AI systems” (“GPAI”) – AI systems that have a wide range of possible uses, both intended and unintended by the developers (think ChatGPT, Dall-E, Bing AI, PaLM). Deployers or providers of these GPAI may be required to conduct risk evaluation of the AI systems before launch, disclose the source of the training data set, monitor and report on their energy efficiency, conduct red teaming, etc. These additional guardrails on GPAI appear to seek to prevent unauthorised exploitation of third-party works that have been made available online, minimise unintended usage of the GPAI, and address ESG concerns posed by the proliferation of large language models.

Scope of Applicability of EU AI Act

Based on the version of the EU AI Act that was proposed by the European Commission back in 2021, the EU AI Act was intended to have an extraterritorial application. In addition to users and providers of AI systems who are based in the European Union, providers and users of AI systems that are based outside of the EU, but whose AI systems produce output that is used in the EU, are also subject to the EU AI Act.

If this scope of the EU AI Act in the proposal draft makes its way to the final text, the EU AI Act will have an overarching reach and as long as an AI system is to be used in the EU, compliance with the EU AI Act will be compulsory. Failure to comply with the EU AI Act may attract fines based on a certain percentage of the violator’s global annual turnover.

Conclusion

As one of the first (if not the first) comprehensive regulations on AI, the EU AI Act will likely become the model for similar regulations in many other countries and influence how the rest of the countries around the world shape their AI legal framework. Deployers and builders of AI systems outside of the EU will definitely be paying close attention to the implementation and enforcement of the EU AI Act in the EU. We would even recommend that the deployers and builders of AI systems outside of the EU benchmark their AI models and practices against the EU AI Act, in anticipation of similar rules being drawn up closer to home.

There is no doubt that AI is a powerful tool with wide-ranging possibilities of application in our daily lives. It can affect our social behaviour, determine which candidates get hired, improve accessibility to medical treatment, and impact human lives in many other ways. Like it or not, the technology is here to stay. To ensure the ethical and safe development of the technology, regulation is inevitable. Industry players should not see regulation as a force against innovation, but rather a guardrail to foster and nurture sustainable growth of the technology to maximise its potential for the betterment of humankind.

To better understand the regulatory landscape in relation to AI, or if you need legal assistance in adopting or deploying AI in your organisations, our team of experts is ready to help. Feel free to reach out to us for further information or to schedule a discussion. We look forward to being your trusted partner on your digital transformation journey.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the authors

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Understanding Spot Bitcoin ETF and Its Potential

In the midst of the ongoing crypto winter, characterized by disillusionment and skepticism in the cryptocurrency market, a potential game-changer emerges—the Spot Bitcoin ETF. As we progress through the crypto winter in 2022 and 2023, the prospect of Spot Bitcoin ETF gaining approval in the United States has sparked renewed interest in the crypto space. This article delves into what Spot Bitcoin ETF entails, its key differentiators from Bitcoin Futures ETFs, and the potential impact of its approval on the broader regulatory landscape.

Spot Bitcoin ETF vs. Bitcoin Futures ETF

Spot Bitcoin ETF operates akin to traditional Exchange-Traded Funds (ETFs), with a crucial distinction—the underlying asset is Bitcoin. However, to fully understand the "spot" designation, it is essential to contrast Spot Bitcoin ETF with Bitcoin Futures ETF: while both involve Bitcoin, their operational mechanisms diverge significantly.

Spot Bitcoin ETFs denote direct ownership and exposure to Bitcoins, which are securely stored in digital vaults. In contrast, Bitcoin Futures ETFs derive their value from Bitcoin futures contracts, introducing complexities like contango and backwardation. Contango is a futures market occurrence marked by futures contract prices rising above spot prices, whereas backwardation is when the current price of an underlying asset is higher than prices trading in the futures market.

Investors choosing Bitcoin Futures ETFs may exploit market nuances, but those seeking direct correlation with Bitcoin's market price movement will opt for Spot Bitcoin ETFs.

Advantages of Spot Bitcoin ETF

The key question then arises: Why invest in Spot Bitcoin ETF when one can directly purchase Bitcoin from the market?

“Convenience” emerges as a compelling reason to opt for Spot Bitcoin ETFs. They offer a hassle-free alternative to managing wallets, navigating crypto exchanges, and safeguarding private keys, making adoption easier for traders accustomed to conventional trading. Investors can gain exposure to Bitcoin's price movements without operational intricacies by simply paying management fees and brokerage commissions, making it an appealing option for those prioritizing ease of access.

However, it is equally crucial to consider potential limitations compared to direct ownership, including counterparty risk, lack of control over private keys, and other fees involved. Concentration of a large amount of the underlying asset, Bitcoin in this case, in one digital vault may also make it a mouth-watering, high-value target for cybercriminals.

Current Status and Implications

As of the time of writing, Spot Bitcoin ETF approval in the United States is still pending SEC review, while attracting applications from reputable global issuers like BlackRock, Ark Investment, WisdomTree, Invesco, and VanEck. Even though the outcome remains uncertain, industry players and all regulators around the globe are closely monitoring this development, as the approval of Spot Bitcoin ETFs could reshape the global regulatory landscape, signifying stronger recognition for Bitcoin and other cryptocurrencies, potentially leading to increased institutional investment and thereby shoring up trading activities in general as well.

Conclusion

In conclusion, the evolving landscape of Spot Bitcoin ETFs presents both challenges and opportunities for investors. While awaiting regulatory approval in the United States, industry participants, especially those in the financial sector, are advised to closely observe, strategize and prepare for potential shifts in the regulatory framework to leverage the advantages offered by Spot Bitcoin ETFs as and when approval comes through, as it could mark the beginning of a new era in cryptocurrency investment. The key lies in staying informed, adaptable, and proactive in navigating the evolving cryptocurrency ecosystem.

For comprehensive guidance and legal insights regarding the dynamic landscape of cryptocurrency and/or Fintech, our team of experts is ready to assist you. Feel free to reach out to us for further assistance and a tailored approach to navigating the complexities of this decentralized future. We look forward to being your trusted partner on this transformative journey.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the authors

Ong Johnson
Partner
Head of Technology Practice Group
Transactions and Dispute Resolution, Technology, Media & Telecommunications, Intellectual Property, Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications, Intellectual Property, Corporate/M&A, Projects and Infrastructure, Privacy and Cybersecurity
Halim Hong & Quek
ky.lo@hhq.com.my

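Bank Negara Malaysia Foreign Exchange Policy: Guarantee

Pursuant to the powers conferred by sections 214(2), 214(5), 214(6) and 261 of the Financial Services Act 2013 and sections 225(2), 225(5), 225(6) and 272 of the Islamic Financial Services Act 2013, Bank Negara Malaysia has issued a series of notices on foreign exchange policy. In our previous article (Malaysia Foreign Exchange Policy (FEP): Borrowing and Lending between Residents and Non-Residents in Malaysia), we discussed Bank Negara Malaysia's foreign exchange policy, in particular Notice 2, which sets out the restrictions on onshore and offshore borrowing and lending by residents and non-residents. In this article, we examine in detail the provisions and restrictions in that Notice relating to financial and non-financial guarantees.

In the preamble and interpretation of the foreign exchange policy notices, a "Financial Guarantee" is defined as any form of guarantee, indemnity or undertaking to secure the repayment of a borrowing, while a "Non-financial Guarantee" means any guarantee, indemnity or undertaking (other than a financial guarantee) issued or obtained for a purpose other than securing a borrowing, including a performance bond, a bid bond, a guarantee for the supply of goods or services, or a shipping guarantee.

Obtaining Financial Guarantees

1. In Malaysia, residents are free to obtain financial guarantees from non-residents (including non-local financial institutions) without prior approval from Bank Negara under the foreign exchange policy. This flexibility not only gives individuals and businesses a wider range of financial options, but also reflects Bank Negara's commitment to promoting economic diversity and vitality.

Issuing Financial Guarantees

2. Residents are generally free to issue financial guarantees to non-residents or to assist them in obtaining borrowing, but prior permission from Bank Negara is required in specific circumstances. These circumstances include:

a. Where the resident guarantor issues the financial guarantee to assist a Non-resident Special Purpose Vehicle in obtaining foreign currency borrowing from a non-resident entity outside the resident guarantor's group, or where the borrowed funds are used by the resident guarantor or by another non-resident entity within the resident guarantor's group, the financial guarantee will be treated as borrowing by the resident guarantor. The resident guarantor will be subject to the borrowing limits prescribed in Bank Negara's Notice 2;

b. Where the resident guarantor has entered into a formal or informal arrangement to repay the borrowing in foreign currency, rather than upon a "call-on" initiated by the creditor on the occurrence of an event of default, the repayment will be treated as an investment in foreign currency assets and will be subject to the foreign currency asset limits in Foreign Exchange Policy Notice 3. (A "call-on" must be initiated by the lender by written notice to the guarantor, and the guarantor must not itself initiate the "call-on" of the financial guarantee. Where the financial guarantee is liquidated on the guarantor's instruction, the guarantor must obtain the Bank's prior approval.)

If the guarantee agreement contains a "covenant to pay" clause stating that the guarantor is liable to repay the borrower's foreign currency borrowing without an event of default being triggered, such a clause is sufficient to constitute the formal or informal arrangement described above. In that case, the issuance of this type of financial guarantee will be treated as the resident having an obligation to repay the foreign currency borrowing on behalf of the non-resident borrower, and the financial guarantee will therefore also be subject to the limits on investment in foreign currency assets prescribed in Foreign Exchange Policy Notice 3.

3. In addition, a resident lender may, without prior permission from Bank Negara, obtain a financial guarantee in any amount in foreign currency or Malaysian ringgit from a non-resident guarantor to secure borrowing by a resident or a non-resident. Further, where a resident's borrowing in Malaysian ringgit or foreign currency has been approved under Notice 2 or approved in writing by the Bank, a financial guarantee securing that borrowing will automatically be deemed to have been approved by Bank Negara.

Payment and Repayment

4. Any payment arising from a foreign currency financial guarantee between residents must be made in Malaysian ringgit. However, a resident guarantor falling within the following categories may choose to pay in Malaysian ringgit or foreign currency:

a. an entity within the borrower's group;
b. a direct shareholder of the borrower;
c. an immediate family member; or
d. a licensed offshore bank.

5. In addition, payment under any financial guarantee issued to assist a non-resident borrower must be made in foreign currency. However, a non-resident guarantor may pay a resident lender in Malaysian ringgit or foreign currency under a ringgit-denominated financial guarantee where approval has been obtained under Foreign Exchange Policy Notice 2 or in writing from the Bank.

6. In repaying any consequential debt arising from a financial guarantee provided by a non-resident guarantor, any payment must be made in foreign currency.

Financial Guarantees Involving Licensed Onshore Banks

7. A licensed onshore bank is free to obtain financial guarantees in any amount in Malaysian ringgit or foreign currency for its own account, and may also issue financial guarantees in any amount in Malaysian ringgit or foreign currency on behalf of its financial group or its clients, without prior approval from Bank Negara under the foreign exchange policy.

Non-financial Guarantees

8. Residents and non-residents: A resident may issue a non-financial guarantee to, or obtain one from, a non-resident in any amount in foreign currency or Malaysian ringgit without permission from Bank Negara. A resident may pay a non-resident guarantor in Malaysian ringgit, provided that the non-financial guarantee concerned is denominated in Malaysian ringgit and is issued for use in Malaysia. In addition, the ringgit paid must be credited to the non-resident guarantor's external account. The use of ringgit funds held in an external account must also comply with Foreign Exchange Policy Notice 4.

9. Between residents: No permission from Bank Negara is required for residents to issue or obtain foreign-currency-denominated non-financial guarantees between themselves. However, any payment arising from a non-financial guarantee between two residents must be made in Malaysian ringgit.

Applications, Enquiries and Amendments Must Be Made Online

10. Finally, this article also provides a brief outline of the online application procedure for reference. Before undertaking any transaction not permitted under Foreign Exchange Policy Notice 2, a resident must apply through the online submission portal; paper applications will not be accepted. Any application for approval, notification or enquiry must also be submitted online.

11. Applicants must first register an account via this link (unregistered users must also complete a simple registration process before submitting an enquiry): https://fep.bnm.gov.my/fep-pub/sign-up

12. The application forms relating to Notice 2 are as follows, for reference:

13. Application forms may be submitted by the applicant or by a third party on the applicant's behalf. A third party may submit the form through the applicant's registered account, accompanied by a signed letter of authorisation/appointment.

14. For further details and the user guide, applicants may visit: https://www.bnm.gov.my/submission-of-application

The provisions described above reflect the position as at 2023. For more detailed information, please feel free to contact our team.

About the author

Noelle Low Pui Voon (刘佩焕)
Partner (Corporate Real Estate, Industrial Parks, Tenancy, Banking & Finance)
Halim Hong & Quek (翰林律务所)
Tel: +603 2710 3818
Email: noelle.low@hhq.com.my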

Key Amendments to Restructuring and Insolvency

In a significant move to refine corporate governance, the Companies (Amendment) Bill 2023, recently passed by both Houses of Parliament, signals a transformative shift in the corporate landscape. This Bill, aligning Malaysia with global standards, introduces comprehensive changes aimed at enhancing transparency, simplifying restructuring processes, and strengthening insolvency frameworks. Such reforms are not just legislative updates but strategic steps towards fostering a resilient and investor-friendly business environment in Malaysia.

In this article we explore the key highlights of the Bill, which is set to introduce various changes to the laws of restructuring and insolvency.

1. Enhanced Restraining Order

Section 368(1A) introduces an immediate moratorium period which takes effect upon the filing of an application for a restraining order, for up to two (2) months or until the application is decided by the Court, whichever is earlier.

Section 368(3A) provides protections to a company with the effect of preventing or discontinuing actions taken against the company, such as winding up proceedings, the appointment of a receiver and execution process.

Section 368(3B) disallows the granting of a further restraining order to a company if an order under Sections 368(1), 368B, 368D or 369C has been granted to a company or its related company under Section 368A in the preceding 12 months. This amendment seeks to prevent abuse of process which might prejudice the rights of members and creditors.

Section 368A allows a related company to apply for a restraining order if the related company plays an integral role in a proposed scheme of arrangement.

2. Cross-class Cram down

Section 368D empowers the Court to cram down on a class of creditors if it is satisfied that the dissenting class of creditors are not prejudiced when approving a scheme of arrangement.
Under Section 368D(2) and Section 368D(3), the Court may make an order to approve the scheme of arrangement and order that the company and all classes of creditors concerned shall be bound by the scheme, provided that:
(a) a majority of 75% of the total value of creditors or class of creditors present and voting either in person or by proxy at the relevant meeting have agreed to the scheme; and
(b) the Court is satisfied that the scheme does not discriminate unfairly between two or more classes of creditors and is fair and equitable to the dissenting class.

Section 368D(4) sets out the conditions of what is fair and equitable to a dissenting class.

3. Approval of Scheme without Meeting of Creditors

Section 369C empowers the Court to issue an order to approve a proposed scheme of arrangement even without a meeting of creditors if it is satisfied that the creditors would have agreed to such scheme had the meeting of creditors been convened. Under Section 369C(3), the Court may approve a scheme in a fast-tracked manner if:
(a) the company has provided the creditors with an explanatory statement which contains the information stipulated under Section 369C(3)(a) and Section 369C(6); and
(b) the Court is satisfied that, had a meeting of creditors been summoned, the scheme would have been agreed by a majority of 75% of the total value of creditors under Section 366(3).

4. Super Priority Rescue Financing

Section 368B and Section 415A introduce super priority rescue financing for a company in a scheme of arrangement and under judicial management, under which rescue financing is given greater priority ranking in the event of a winding up. A company may make an application to the Court for the following orders:

Section 368B(1)(a) & Section 415A(1)(a): An order that the debt arising from any rescue financing obtained by the company shall be paid immediately after costs and expenses of winding up [pursuant to Section 527(1)(a)] are paid.
This “super priority debt” is to have priority above all other unsecured debts referred to in Sections 527(1)(b) to (f).

Section 368B(1)(b) & Section 415A(1)(b): An order to secure debt arising from any rescue financing by the creation of a security interest over unsecured assets.

Section 368B(1)(c) & Section 415A(1)(c): An order to secure debt arising from any rescue financing by the creation of a security interest of the same priority as or a higher priority than an existing security interest. This order is subject to the protection of the interests of the existing security interest holder.

5. Procedure for Schemes of Arrangement

Section 368(1A) provides that all meetings held pursuant to an order of the Court under Section 366 shall be chaired either by an insolvency practitioner or by a person elected by the majority in value of the creditors or members.

Section 369A empowers the Court to order a company to hold another meeting of the creditors or class of creditors to revote on the compromise or arrangement, subject to such terms as the Court thinks fit.

Section 369B requires creditors to file their proof of debt with the company, within the period in which the proof is to be filed, in order to be allowed to vote in the meeting to consider the proposed scheme or arrangement.

Section 369D empowers the Court to clarify the terms of a scheme of arrangement which has been approved, upon an application by the company or a creditor bound by the scheme.

6. Insolvency Practitioner in Schemes of Arrangement

Section 367(3) makes it mandatory for the Court to appoint an insolvency practitioner for the company in cases where:
(a) the company makes an application under Sections 368B (super priority rescue financing), 368D (cram down), or 369C (approval of scheme without meeting); or
(b) a related company applies for a restraining order under Section 368A.

7. Wider Application of Corporate Voluntary Arrangement and Judicial Management

Section 395 has narrowed the scope of exclusion to only those companies which are approved and registered under:
(a) The Central Bank of Malaysia.
(b) Certain parts of the Capital Markets and Services Act 2007 (Act 671).
(c) Securities Industry (Central Depositories) Act 1991 (Act 453).

This amendment extends the application of the CVA to all companies, including companies which have created a charge over their property or undertaking.

Section 403 allows wider application of judicial management, including to certain public listed companies.

8. Extension of Judicial Management

Section 406 allows a judicial management order to be extended for a period of six (6) months or longer as the Court may allow.

9. Protection for Essential Goods and Services

Under Section 430(2), a supplier who wishes to exercise his rights pursuant to an insolvency related clause in a contract shall communicate his intention to do so to the company in writing at least thirty (30) days before exercising his rights under the insolvency related clause. Subject to the above, any insolvency related clause under any contract for the supply of essential goods and services shall not be exercised against any company.
The Ninth A Schedule lists the types of essential goods and services under Section 430:
- Supply of water
- Supply of electricity
- Supply of gas
- Point of sales terminals
- Computer software and hardware
- Information, advice and technical assistance in connection with the use of IT
- Data storage and processing
- Website hosting

Please do not hesitate to get in touch with the authors of the article and / or the firm if you have any queries on the amendments.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the authors

Lum Man Chan
Partner
Dispute Resolution, Employment, Liquidation & Restructuring, Regulatory & Corporate Compliance
Halim Hong & Quek
manchan@hhq.com.my

Chew Jin Heng
Associate
Arbitration & Adjudication, Debt Recovery and General Litigation, Construction Disputes, Contractual Disputes, Land Disputes, Family Law
Halim Hong & Quek
jhchew@hhq.com.my

Malaysia: Joint Venture

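In recent years, a growing number of Malaysian businesses have chosen to enter into joint ventures with local or foreign businesses. A joint venture is a commercial arrangement in which two or more parties cooperate on a specific project or pursue a common business objective. In Malaysia, the form and structure of a joint venture depend on the nature of the business, the objectives of the cooperation and the relevant legal considerations. The following are some common types of joint venture in Malaysia:

(a) Equity/Incorporated Joint Venture

The joint venture parties may choose to set up a special purpose vehicle (SPV) to undertake a specific project or investment. The parties contribute their resources and assets to the SPV and share its ownership and control. The SPV is a separate legal entity established solely for the joint venture project. Usually, once the project is completed or the agreed period has expired, the joint venture will dissolve the SPV unless the parties choose to extend their cooperation.

The SPV may be a limited company incorporated under the Companies Act 2016, or a limited liability partnership (LLP) established under the Limited Liability Partnership Act 2012.

If the SPV is a limited company incorporated under the Companies Act, the joint venture must prepare a joint venture agreement and a shareholders' agreement setting out how the joint venture will operate, covering the parties, capital contributions, shareholding, management and control, distribution of profits and losses, duration, exit mechanism, dispute resolution and so on. If the SPV is formed as a limited liability partnership, each partner's liability is limited, and profits and losses are usually distributed according to pre-agreed ownership percentages set out in the joint venture agreement.

Whether the legal entity is a limited company or an LLP, the parties will usually choose to take part in the SPV's management and decision-making. The degree of participation generally varies with the proportion of their investment or interest. Although an equity joint venture involves cooperation between several entities, the SPV itself is independent of the joint venture's “parent” parties, has its own management structure and operates in Malaysia as a separate legal entity.

(b) Contractual/Unincorporated Joint Venture

A contractual joint venture (also known as a contract-based joint venture or cooperative joint venture) is a cooperation model distinct from an equity joint venture. In this arrangement, the parties cooperate by entering into a contract rather than by establishing a new separate legal entity. This type of joint venture is mainly used where the legal environment or commercial practice does not favour or does not permit the establishment of an equity joint venture.

This form of cooperation is usually directed at a specific project or task rather than long-term, open-ended business activity. The terms and conditions of the cooperation are governed entirely by the contract, including the contribution of resources, allocation of responsibilities, profit distribution, and the manner of management and operation. The partners share resources, technology, market channels and so on under the contract, and jointly bear the project risk. The parties usually continue to operate as separate legal entities, each bearing its own financial and legal liabilities. The contract will set out in detail how profits and costs are shared between the partners. Compared with an equity joint venture, a contractual joint venture is usually more flexible in operation and adapts more easily to change and to adjustments of the terms of cooperation.

(c) Consortium

A consortium is a temporary partnership formed by two or more independent entities (such as companies, organisations or government agencies) to achieve a common objective or project. Such a relationship does not usually involve creating a new separate legal entity, but is based on an agreement or contract between the parties. In a consortium, all participating entities jointly pursue a specific objective, such as completing a large project, participating in a tender or developing a new product. The parties will usually sign a cooperation agreement setting out each party's responsibilities, contributions, share of returns, decision-making process and so on. Consortia are very common in construction, international trade, R&D collaboration, the organisation of large events and similar fields. Through a consortium, the members can combine their respective strengths to complete large and complex projects that they could not undertake alone or that require the professional skills of several parties.

(d) Strategic Alliance

A strategic alliance is a cooperative relationship formed between two or more organisations to achieve common strategic objectives. Such an alliance can be formed between different organisations (such as companies, government agencies or non-profit organisations) and does not necessarily involve capital investment or the creation of a new entity. The parties cooperate to achieve their respective long-term strategic objectives, which usually relate to market expansion, technology development, product development and so on. Unlike project-specific cooperation, a strategic alliance usually focuses on building a long-term relationship. A strategic alliance can take many forms, including but not limited to joint R&D, joint marketing and supply chain cooperation.

Participation in a joint venture in Malaysia must comply with local laws and regulations. The following are some common legal considerations when entering into a joint venture in Malaysia:

(a) Structure and formation of the business entity: Each type of structure has different compliance requirements and implications, so it is necessary to ensure that the chosen business entity and structure meet the needs and objectives of the joint venture. Different structures may affect matters such as liability, taxation and management control. Please refer to the types of joint venture above.

(b) Joint venture agreement: Draft a comprehensive joint venture agreement that sets out in detail the rights, responsibilities and obligations of each party and covers all key terms, such as the purpose of the joint venture, capital contributions, profit sharing, management structure, and exit strategy, including buy-out clauses, rights of first refusal and the process for selling or transferring ownership. The parties should establish a dispute resolution mechanism in the agreement, such as mediation, arbitration or litigation, to resolve disputes between them, and specify the steps to be taken in the event of disagreement.

(c) Local laws and regulations: Different types of business are subject to different regulations and licensing requirements, which may affect the structure and operation of the joint venture. For example, the joint venture may be subject to antitrust and competition law; if it involves the acquisition of land or rights to use land, land laws may impose restrictions on foreign ownership of land; and if it involves employees, the joint venture must comply with Malaysian employment laws and understand issues such as employee rights, benefits and the treatment of existing employees.

(d) Tax implications: The parties need to understand the tax implications of the joint venture structure at both the entity level and the level of the individual parties, including optimising tax efficiency and complying with laws such as Malaysia's goods and services tax or sales and service tax.

(e) Protection of intellectual property: The parties should consider the ownership of, rights to use and protection of the intellectual property involved, including trade marks, patents, copyright and trade secrets, and agree on matters relating to existing intellectual property and intellectual property newly developed in the course of the joint venture.

(f) Confidentiality: The parties need to establish rules for protecting confidential information and data, to prevent unauthorised use or disclosure by other parties.

(g) Approvals relating to foreign investment: Depending on the nature of the joint venture and the extent of the foreign party's participation, certain industries impose restrictions on foreign equity participation, so approval from regulators such as the Malaysian Investment Development Authority (MIDA) must be obtained before investing.

(h) Approvals from government agencies: The nature of certain joint ventures' business may require specific approvals from government agencies. For example, the telecommunications or energy industries may require approval from the Malaysian Communications and Multimedia Commission (MCMC) or the Energy Commission.

Joint ventures are increasingly common across sectors in Malaysia, including manufacturing, technology and electronics, finance and renewable energy. They offer businesses a flexible and collaborative way of working with multiple parties. The choice of joint venture type will depend on the objectives of the cooperation, the degree of control required over the business and the level of risk sharing, as well as the legal and tax implications for each party. The arrangements, terms and conditions between the parties should be set out in detail in the agreement before the joint venture is entered into, and the agreement should be properly drafted and compliant with the relevant laws and regulations, so that the joint venture can be established and operate smoothly and compliantly in Malaysia.

The following are some of the conditions precedent that we suggest you consider before entering into a joint venture (non-exhaustive):
• Does the establishment of the joint venture you are about to enter into, and the transfer of assets, require approval from the government or relevant regulators?
• Does the business involved require a specific licence?
• Is third-party consent required for key contracts, intellectual property and the like to be brought into the joint venture?
• Is tax clearance required?
• Is approval required from secured bondholders or other lenders?
• Do the parties need to complete due diligence?
• Is approval of the parties' shareholders required?
• Is a deadline needed for fulfilling the conditions precedent?

For more information, please feel free to contact our team.

About the author

Tan Lee Weei (陈莉惟)
Senior Associate (Equity Capital Markets, Corporate/M&A, Regulatory & Compliance)
Halim Hong & Quek (翰林律务所)
lwtan@hhq.com.my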

Malaysia: The Importance of Registering the Transfer of Title and the Charge

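Many purchasers mistakenly believe that once they sign a sale and purchase agreement with the developer, they formally become the registered and beneficial owner of the property. However, if the individual or strata title for the property has not yet been issued, the property is still held under the master title of the whole development. At this stage, the purchaser is regarded in law as the beneficial owner of the property, but the owner registered on the master title of the development is still the developer.

Under section 340 of the National Land Code, title is indefeasible in favour of the proprietor registered on it. Registration is conclusive evidence of the proprietor's ownership and interest. However, if the title or interest was obtained by means such as fraud or forgery, it may be set aside. Section 340(2)(a) provides that the title or interest may be set aside where the proprietor or his agent was a party to, or connected with, the fraud. Section 340(2)(b) provides that the title or interest may be set aside where the registration involved forgery. This is so regardless of whether the proprietor or transferee acquired the title or interest in good faith and for valuable consideration.

If the transfer registration and charge process has not been completed, a purchaser selling the property to a third party will face additional delay in the sale transaction. This is because the process requires the developer to confirm the details of the property and to consent to a direct transfer of the property to the third party. In addition, most financial institutions are unwilling to approve loans to finance a property whose title has not been perfected, especially where the individual/strata title has already been issued. Prospective purchasers may therefore face some difficulty when applying for a loan to buy the property.

The developer may also be wound up or liquidated before the transfer registration process is completed. In that case, the purchaser will need to work with the appointed liquidator to complete the transfer registration and charge. This not only takes time; the purchaser will also have to pay additional fees to the appointed liquidator to carry out the transfer registration.

Further, if the purchaser fails to respond to the notice to register the transfer and charge, the purchaser's financing institution may exercise its rights under the power of attorney signed with the purchaser and sign the documents required for the transfer registration and charge as the purchaser's attorney. In that case, the financing institution will add all fees and costs to the borrower's existing financing, which will affect the loan tenure and the loan interest.

In summary, purchasers should attend to the transfer registration and charge promptly upon receiving the developer's notice, to protect their interest in the property and guard against any adverse claim to it.

For more information, please feel free to contact our team.

About the author

Goh Li Fei (吴丽斐)
Partner (Real Estate, Banking & Finance)
Halim Hong & Quek (翰林律务所)
lfgoh@hhq.com.my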

Malaysia: Budget 2024

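Malaysia's Prime Minister and Minister of Finance, Dato' Seri Anwar Ibrahim, tabled Malaysia's Budget 2024 on 13 October under the theme “Economy Reforms, Empowering the People”. The second Madani Budget demonstrates the unity government's determination to improve the national economy and the people's welfare. Budget 2024 is the largest budget in Malaysia's history, with an allocation of RM393.8 billion. Of this, RM303.8 billion is for operating expenditure and RM90 billion is for development expenditure. The following are the key points of the Malaysian government's Budget 2024:

Capital gains tax
- From 1 March 2024, net gains from the disposal of shares in local unlisted companies will be subject to capital gains tax of 10%.
- For shares acquired before 1 March 2024, the net gains from the disposal of local unlisted shares will be subject to capital gains tax of 10%, or alternatively 2% of the gross sale value.
- The government is considering exempting certain investment activities, such as initial public offerings (IPOs), internal restructuring and venture capital companies meeting specified conditions, from capital gains tax.

Service tax
The service tax rate is raised from 6% to 8% (excluding services such as food and beverage and telecommunications), and its scope is extended to logistics, brokerage, underwriting and karaoke.

Luxury goods tax
The government will introduce new legislation next year to impose a tax of 5% to 10% on high-value luxury goods, including jewellery and watches.

Global minimum tax
The government expects to implement the global minimum tax (GMT) in 2025 on companies with global revenue of at least EUR750 million (RM3.74 billion).

Implementation of e-invoicing
From 1 August 2024, e-invoicing will be mandatory for taxpayers with annual income or sales exceeding RM100 million. It will be phased in for other categories of taxpayer, with full implementation on 1 July 2025.

Exemption from import duty and sales tax on manufacturing aids
From 1 January 2024, eligible manufacturers will be granted exemption from import duty and sales tax on imported and locally purchased manufacturing aids (used for specified industries and goods).

Section 44(6) of the Income Tax Act 1967
Institutions, organisations or funds approved under section 44(6) of the Income Tax Act 1967 may choose to raise the limit on the use of their accumulated funds from 25% to 35%, on condition that the threshold for spending on charitable activities is raised from at least 50% to 60%; or to maintain the status quo (that is, the limit on the use of accumulated funds remains at 25%, with at least 50% still required to be spent on charitable activities).

New Industrial Master Plan (NIMP)

Establishment of the Investment and Trade Action Coordination Committee
An Investment and Trade Action Coordination Committee (JTPPP) will be established, reporting directly to the National Investment Council (MPN) chaired by the Minister of Finance.

NIMP funding
10% of the NIMP's total investment will be used to drive the plan, with seed funding of RM200 million provided in 2024.

High-tech industrial area
A high-tech industrial area will be established in Kerian, in northern Perak, to build a wider ecosystem for the electrical and electronics (E&E) industry in the northern region.

Tiered reinvestment tax incentive under the NIMP
Existing companies that wish to increase production capacity and invest in high-value activities but have fully used up their reinvestment allowance may apply to the Malaysian Investment Development Authority (MIDA) between 1 January 2024 and 31 December 2028 for the tiered reinvestment tax incentive. Tier 1: 100% of qualifying capital expenditure (QCE) set off against 100% of statutory income (SI); Tier 2: 60% of QCE set off against 70% of SI.

Tax measures for net zero carbon emissions

Additional tax deduction for the voluntary carbon market
Companies' expenditure on measurement, reporting and verification (MRV) related to the development of carbon projects is eligible for an additional tax deduction of up to RM300,000.

Electric vehicle (EV) leasing
The tax deduction of up to RM300,000 for companies leasing EVs is extended to 2027.

EV charging facilities
The individual income tax relief of RM2,500 for the purchase of EV facilities is extended by 4 years to 2027.

Tax deduction for environmental, social and governance (ESG)
Expenses incurred in relation to ESG are eligible for a tax deduction of RM50,000. The incentive is effective for the years of assessment 2024 to 2027.

Tax deduction for projects certified by the Forest Research Institute Malaysia (FRIM)
Under section 34(4)(6) of the Income Tax Act 1967, the private sector will be eligible for a tax deduction for tree-planting projects or environmental protection and conservation awareness projects certified by FRIM. Applications should be submitted to the Ministry of Finance between 1 January 2024 and 31 December 2026.

Tax measures for the entertainment industry
A special income tax rate of 0% to 10% is set for film production companies, foreign film actors and film crews filming in Malaysia.

Entertainment duty exemptions in the Federal Territories:
- Stage performances by local artistes are fully exempt from entertainment duty;
- Entertainment duty on theme parks, family recreation centres, indoor playgrounds or virtual games is reduced from 25% to 5%.
- Entertainment duty on other entertainment, such as stage performances by international artistes, film screenings, sports programmes and game programmes, is reduced from 25% to 10%.

For more information, please feel free to contact our team.

About the author

Desmond Liew Zhi Hong (廖智鸿)
Partner (Tax, Corporate, and Overseas Investment in Manufacturing)
Halim Hong & Quek (翰林律务所)
Tel: +603 2710 3818
Email: desmond.liew@hhq.com.my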

Malaysia: Legal Requirements Non-Malaysian Citizens and Foreign Companies Need to Know When Acquiring Real Estate

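When acquiring real estate in Malaysia, non-Malaysian citizens and foreign companies should note and comply with the following requirements:
(a) approval for the acquisition must be obtained under the National Land Code (Revised 2020);
(b) the minimum purchase price threshold and property type requirements prescribed by the state government must be met;
(c) the guidelines on the acquisition of properties issued by the Economic Planning Unit (EPU) of the Prime Minister's Department must be complied with.

The following are the definitions of non-Malaysian citizen and foreign company under section 433A of the National Land Code (Revised 2020):
(a) Non-Malaysian citizen: an individual who is not of Malaysian nationality;
(b) Foreign company: includes a foreign company registered in Malaysia under the Companies Act 2016, or a company registered in Malaysia in which 50% or more of the voting shares are held by non-Malaysian citizens.

Under section 2 of the Companies Act 2016, a foreign company is defined as a company, corporation, society, association or other body incorporated outside Malaysia, or an unincorporated society or association which under the law of its place of origin may sue or be sued, and which does not have its head office or principal place of business in Malaysia.

National Land Code (Revised 2020)

Under section 433B, a non-Malaysian citizen or foreign company acquiring real estate in Malaysia must submit a written application to the relevant state government to obtain that state government's approval for the acquisition. Once the state government's approval is obtained, the applicant may be required to comply with the terms and conditions imposed by that state government and to pay the prescribed levy (unless exempted by the National Land Council).

Minimum purchase price threshold and property type requirements

In this article, we look at the minimum purchase price thresholds for acquiring real estate in the Federal Territory of Kuala Lumpur, Selangor, Pahang and Johor, the types of property that non-Malaysian citizens and foreign companies may acquire, and whether a levy is imposed on non-Malaysian citizens and foreign companies.

EPU guidelines on the acquisition of properties

Since 1 March 2014, non-Malaysian citizens or foreign companies have required the EPU's prior written approval in the following circumstances:
(a) the acquisition price of the property exceeds RM20 million and the acquisition may result in dilution of Bumiputera ownership of property held by Bumiputera interests and/or government agencies; and
(b) indirect acquisition of property through the acquisition of shares, resulting in a change of control of a company held by Bumiputera interests and/or government agencies, where the company's property holdings exceed 50% of its total assets and the property is valued at more than RM20 million.

In addition, foreign companies should note that the EPU imposes certain restrictions on their acquisition of real estate in Malaysia: for example, the foreign company must have at least 30% Bumiputera equity shareholding, and a local company held by foreign interests must have paid-up capital of not less than RM250,000.

The EPU also restricts non-Malaysian citizens and foreign companies from acquiring the following types of property in Malaysia:
(a) property valued at less than RM1 million per unit;
(b) residential units designated by the state government as low and low-medium cost;
(c) property built on Malay reserved land; and
(d) units allocated to Bumiputera interests in any property development project as determined by the state government.

The above reflects the position as of 2023. For the latest laws and policies, we recommend consulting the relevant legal authorities in Malaysia or seeking the assistance of a professional lawyer to obtain accurate and up-to-date information.

For more information, please feel free to contact our team.

Lim Yoke Wah (林玉华)
Partner (Corporate Real Estate, Industrial Parks, Tenancy, Banking & Finance)
Halim Hong & Quek (翰林律务所)
Tel: +603 2710 3818
Email: yokewah@hhq.com.my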

Malaysia: How to Set Up a Private Healthcare Facility

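Setting up and operating private healthcare facilities and services in Malaysia requires compliance with a number of laws and requirements. Below we list some of the basic matters that must be complied with:

Registration of the healthcare services company

In Malaysia, the registration and incorporation of companies is regulated by the Companies Commission of Malaysia (CCM). A foreign company must register with the CCM in order to carry on business lawfully in Malaysia. As defined in the Companies Act 2016, a “foreign company” includes a company, corporation, association, organisation or other body incorporated outside Malaysia, where that association, organisation or other body does not have its head office or principal place of business in Malaysia. Therefore, to set up private medical or healthcare-related facilities and services in Malaysia, one must, in accordance with the Companies Act, register a branch with the CCM, register a partnership business entity, or incorporate a local company.

Healthcare services licence

Although a number of laws regulate the establishment and operation of private healthcare facilities in Malaysia, the main relevant licence is approved and issued under the Private Healthcare Facilities and Services Act 1998 and regulated by Malaysia's Ministry of Health. To establish and operate a private healthcare facility or service in Malaysia, such as a private hospital or private nursing home (other than a private medical clinic or private dental clinic), the prior approval of the Director General of Health must first be obtained. In deciding whether to approve the establishment of a private healthcare facility or the provision of services in Malaysia, the Director General of Health will consider the following matters together:
(i) the nature of the healthcare facility or service to be provided;
(ii) whether the healthcare facility or service is already available in an area, and its scope and extent;
(iii) the current need for the healthcare facility or service in an area;
(iv) the future need for the healthcare facility or service in an area.

Procedure and requirements for applying for a private hospital licence:

Registration of private medical clinics and private dental clinics

Unlike private hospitals and other private healthcare facilities and services, to establish, operate or provide a private medical clinic or private dental clinic in Malaysia, an application for registration must be made under the Private Healthcare Facilities and Services Act 1998 and submitted to the Director General of Health in the prescribed form and manner.

Other relevant authorities

Besides approval from the Ministry of Health, setting up private healthcare facilities and services in Malaysia also involves various other regulators**, for example:

**The specific authorities involved will vary depending on the type of healthcare facility, the services provided and the location. We recommend consulting legal professionals, consultants and healthcare regulatory experts to ensure full compliance with all relevant laws and regulations.

Foreign equity and participation

To promote more joint ventures between local businesses and foreign investors, the Malaysian government has relaxed restrictions on foreign equity participation in certain services sectors, including the following healthcare services sectors:
(i) private hospital services
(ii) specialist medical clinic services
(iii) specialist dental clinic services
(iv) veterinary services
(v) welfare services delivered (through residential institutions) to the elderly, persons with disabilities or children
(vi) child day-care services, including day-care services for children with disabilities
(vii) vocational rehabilitation services for persons with disabilities

Although Malaysia has relaxed the restrictions on foreign equity, any healthcare service provider involving foreign equity participation must still apply for approval from the Ministry of Health's special committee on foreign equity participation.

Other relevant requirements

(i) Safeguarding patients' basic rights and safety: The Private Healthcare Facilities and Services Act 1998 and the Private Healthcare Facilities and Services Regulations 2006 prescribe minimum standards for establishing, maintaining and operating private healthcare facilities and services to ensure access to healthcare for local healthcare consumers, and set out rules requiring private healthcare providers to safeguard patient safety and rights.
(ii) Complying with Malaysian employment law, including the rules on employing, hiring or dismissing healthcare professionals.
(iii) Complying with Malaysia's data protection law to ensure the confidentiality of patient information and data.

For more information, please feel free to contact our team.

About the author

Tan Lee Weei (陈莉惟)
Partner (Corporate/M&A, Employment & Labour, Regulatory & Compliance)
Halim Hong & Quek (翰林律务所)
Tel: +603 2710 3818
Email: lwtan@hhq.com.my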

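Malaysia: An Introduction to Property Tenancy

Malaysia: An Introduction to Property Tenancy

Overview of Malaysian Employment Law: Key Points for Employers

Overview of Malaysian Employment Law: Key Points for Employers

Malaysia: Setting Up a Limited Liability Company Structure

Understanding how to set up a limited liability company structure in Malaysia

A Practical Guide: Construction Document Management

A practical guide to understanding construction document management

An Introduction to Malaysian Land Law

Understand Malaysian land law and the real estate system, and their implications.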

Federal Court rejects Purchaser's leave application to appeal on issue of "ready for connection"

INTRODUCTION

On 22.6.2023, the Federal Court in the case of Govindan Kumar A/L Muniandy & Anor v Eco Green City Sdn Bhd [Civil Application No.: 08(f)-521-11/2022(B)] unanimously dismissed the Purchaser’s application for leave to appeal to the Federal Court against the Court of Appeal’s decision dated 17.10.2022 [Civil Appeal No.: B-01(A)-467-09/2020], which held that the phrase “ready for connection” found in the Sale and Purchase Agreement (Schedule G) entered between the Developer and Purchaser shall be interpreted to mean that the electrical points and water fittings and fixtures have been installed and supply is available for tapping i.e. ready for connection of supply, and does not mean that supply is actually connected. The Developer, Eco Green City Sdn Bhd, was represented by our partner, Ankit R Sanghvi, and our associate, Chew Jin Heng.

FACTS

On 28.10.2015, the Developer and the Purchaser entered into a Sale and Purchase Agreement for the purchase of the Property for a purchase price of RM663,800.00 (“SPA”). The SPA (Schedule G) is prescribed under the Housing Development (Control and Licensing) Regulations 1989 (“HDR”) and Housing Development (Control and Licensing) Act 1966 (“HDA”). Pursuant to Clause 22 of the SPA, vacant possession of the Property is to be delivered to the Purchaser in the manner stipulated in Clause 23 within 36 months from the date of the SPA. Liquidated damages (“LD”) shall be calculated from day to day at the rate of 10% per annum of the purchase price, from the expiry date of the delivery of vacant possession until the date the Purchaser takes vacant possession of the Property.

Clause 23 of the SPA reads:

(1) The Vendor [Developer] shall let the Purchaser into possession of the said Property upon the following:
(a) …
(b) water and electricity supply are ready for connection to the said Building;
Clause 31 (e) of the SPA reads:

“ready for connection” means electrical points and water fittings and fixtures have been installed by the Vendor [Developer] and tested and commissioned by the Appropriate Authority or its authorised agent and supply is available for tapping into individual building units;

Time for the delivery of vacant possession of the Property was 36 months, which started from 28.10.2015 and ended on 27.10.2018. Notice of delivery of vacant possession of the Property was issued on 15.11.2018 by the Developer to the Purchaser. The electricity meter of the Property was installed on 6.3.2019.

TRIBUNAL

On 12.3.2019, the Purchaser filed a claim in the Tribunal against the Developer for LD. On 2.5.2019, the Tribunal decided in favour of the Purchaser and awarded LD in the sum of RM23,642.19, calculated from 27.10.2018 to 6.3.2019 (date of installation of electricity meter) (“Award”).

HIGH COURT

On 26.7.2019, the Developer filed a judicial review application to seek an order of certiorari to quash the Tribunal’s Award. On 19.8.2020, the High Court in Eco Green City Sdn Bhd v Tribunal Tuntutan Pembeli Rumah & Anor [2020] MLJU 1670 allowed the judicial review and held that:
(1) Vacant possession of the Property was delivered on 5.2018 upon the issuance of the notice. Therefore, LD shall be calculated from 27.10.2018 to 11.5.2018 (date the notice of vacant possession of the Property was issued).
(2) The Tribunal had committed an error in law by concluding that vacant possession was delivered when the electricity meter was installed.
(3) The Tribunal failed to give effect to the clear and unambiguous provision in the SPA, and over-stretched the meaning of the words “ready for connection”.

COURT OF APPEAL

Aggrieved by the decision of the High Court, the Purchaser appealed to the Court of Appeal for the determination of one principal issue: what is the correct cut-off date for the calculation of LD, i.e. (a) date the notice of vacant possession of the Property was issued; or (b) date of installation of electricity meter.

On 17.10.2022, the Court of Appeal unanimously dismissed the Purchaser’s appeal and upheld the High Court’s decision. The Court of Appeal held that:
(1) “Ready for connection” does not mean that the unit in question must be installed with actual supply and it does not require actual connection.
(2) There is no such requirement for meter installation by the Developer in Clause 31(e). This provision only compels the Developer to install the electrical points, and not the electrical meters.

FEDERAL COURT

On 16.11.2022, the Purchaser filed a leave application to appeal to the Federal Court against the Court of Appeal’s decision. The Purchaser relied on the Federal Court’s recent decision in the case of Remeggious Krishnan v SKS Southern Sdn Bhd (formerly known as MB Builders Sdn Bhd) [2023] 3 MLJ 1 which made a finding on the interpretation of “ready for connection” under the statutory agreement (Schedule H) prescribed under the HDR and HDA.

During the hearing before the Federal Court on 22.6.2023, the Developer submitted that the case of SKS Southern is distinguishable from the facts in this case:
(1) Unlike the developer in SKS Southern that made an application to Tenaga Nasional Berhad (“TNB”) after vacant possession was delivered, the Developer in this case made an application to TNB 3 months BEFORE vacant possession was delivered to the Purchaser. Therefore, the Developer in this case had carried out its obligation to ensure the property was “ready for connection” before the notice of vacant possession was issued.
(2) The developer in SKS Southern was early and delivered vacant possession of the property before the expiry of the time to do so. However, the developer was found to be liable for “compensatory damages” due to its breach on the manner of delivery of vacant possession.
(3) This is different from the facts in this case as the Purchaser in this case is claiming for additional liquidated damages due to the late installation of the electricity meter after vacant possession was already delivered.

After hearing the submissions from both parties, the Federal Court unanimously dismissed the Purchaser’s application for leave with costs of RM30,000.00, as the questions posed by the Purchaser did not meet the threshold and requirements for leave to be granted under Section 96 of the Courts of Judicature Act 1964.

COMMENTS

With the decision of the Federal Court, the decision of the Court of Appeal dated 17.10.2022 remains final. The cut-off date for the calculation of LD shall be the date the notice of vacant possession of the Property was issued, NOT the date of installation of the electricity meter.

However, it is important to highlight that since the Purchaser’s leave application was dismissed, the Federal Court did not make any findings or delve into the issues and merits of this case, including the interpretation of the phrase “ready for connection”. As such, the Federal Court’s decision in SKS Southern remains the leading authority and law on the phrase “ready for connection” in relation to the supply of electricity and water which is present in all the SPAs (Schedules G, H, I & J) prescribed under the HDR and HDA.

This decision, much to the dismay of developers, appears to be a new added burden placed on the heads of developers to ensure that there is actual supply of water and electricity to the property in question at the point of time the notice for delivery of vacant possession is given. Failure to ensure the same would result in the delivery of vacant possession being deemed invalid, and a developer similarly circumstanced would be exposed to compensatory damages, even if the developer actually delivers the notice for delivery of vacant possession within the prescribed time permitted under the SPA in question.
Please do not hesitate to get in touch with the authors of the article and/or the firm if you have any queries on how this recent decision may impact your business or if you require legal advice on this issue.

This article is intended to be informative and not intended to be nor should be relied upon as a substitute for legal or any other professional advice.

About the authors

Ankit R Sanghvi
Partner
Arbitration & Adjudication, Asset & Debt Recovery, Banking Litigation, Commercial & Corporate Litigation, Insurance Law, Land Law Litigation, Liquidation & Insolvency, Tort & Negligence
Halim Hong & Quek
ankit.sanghvi@hhq.com.my

Chew Jin Heng
Associate
Arbitration & Adjudication, Debt Recovery & General Litigation, Construction Disputes, Contractual Disputes, Land Disputes, Family Law
Halim Hong & Quek
jhchew@hhq.com.my

Incorporating a Company in Malaysia: The Importance and Necessity of Local Legal Counsel

Exploring the importance and necessity of corporate legal counsel, to help you navigate the key legal points on your journey to incorporating a company in Malaysia.

The Real Estate Law Review: Malaysia

A person owns real estate by registering his or her ownership or interest in the issue document of title. Generally, there are two types of real estate ownership, which can be categorised according to their respective land tenure, namely leasehold and freehold. A freehold title vests ownership of real estate in perpetuity for an indefinite period within the bounds of Malaysian law. On the other hand, a leasehold title vests the right to real estate for a term not exceeding 99 years. Commonly granted leasehold tenures are for a period of 30 years, 60 years or 99 years, depending on the state authority's policies then in place. A leasehold title may require a lengthier process to acquire and dispose of as compared to a freehold title, as the state authority's consent is usually required prior to the title registration. Leasehold tenures are mostly renewable with payment of a premium to the state authority. As such, generally, the transaction price of freehold real estate is higher as compared to leasehold real estate due to the land tenure and the conditions on the title required prior to real estate acquisition and disposal.

In Malaysia, we have adopted the Torrens System for a record of ownership and dealings of real estate. Under the Torrens System, registration of title is everything and the indefeasibility of title is guaranteed to the proprietor whose name is registered on the document of title. The Torrens System allows a proprietor to hold the document of title officially issued by the land authority, with the details accurately described via a proper land survey. The boundaries and exact size of the property will be marked on a plan attached together with the document of title. The registration of all dealings is done via the statutory forms prescribed under the National Land Code. Consequently, any person who wishes to look for the details of a title, including the ownership, may conduct searches through the respective local land office.

Amendments to the Employment Act of Malaysia

BACKGROUND

All eyes are on the Employment (Amendment) Act 2022 (“Amendment Act”) and the Employment (Amendment of First Schedule) Order 2022 (“Amendment Order”), which will be in force from 1 September 2022 to amend the Employment Act 1955 (“Employment Act”). The Employment Act (as amended by the Amendment Act and the Amendment Order) is only applicable to Peninsular Malaysia (being the states of Johore, Kedah, Kelantan, Malacca, Negeri Sembilan, Pahang, Perak, Perlis, Selangor and Terengganu and the Federal Territory of Kuala Lumpur and Putrajaya[1]) and Labuan, excluding Sabah and Sarawak, which are governed by separate laws.

WHAT ARE THE KEY AMENDMENTS MADE TO THE EMPLOYMENT ACT?

(1) The Employment Act will apply to all employees regardless of their monthly wages subject to certain exceptions

The Employment Act will apply to all employees regardless of their monthly wages, except that the following provisions will not apply to employees whose monthly wages exceed RM4,000:
(a) Section 60(3) of the Employment Act which provides the rates of payment to employees who are required to work during their rest days;
(b) Section 60A(3) of the Employment Act which provides the rate of payment to employees who work overtime during a normal working day;
(c) Section 60C(2A) of the Employment Act which gives the power to the Minister of Human Resource to make regulations relating to the entitlement of allowance during the employees’ shift work;
(d) Section 60D(3) of the Employment Act which provides the rates of payment to employees who are required to work during a public holiday;
(e) Section 60D(4) of the Employment Act which provides that if any holiday falls on a half working day, the ordinary rate of pay shall be that of a full working day; and
(f) Section 60J of the Employment Act which provides for termination, lay-off and retirement benefits[2].
“wages” means basic wages and all other payments in cash payable to an employee for work done in respect of his contract of service but does not include:
(a) the value of any house accommodation or the supply of any food, fuel, light or water or medical attendance, or of any approved amenity or approved service;
(b) any contribution paid by the employer on his own account to any pension fund, provident fund, superannuation scheme, retrenchment, termination, lay-off or retirement scheme, thrift scheme or any other fund or scheme established for the benefit or welfare of the employee;
(c) any travelling allowance or the value of any travelling concession;
(d) any sum payable to the employee to defray special expenses entailed on him by the nature of his employment;
(e) any gratuity payable on discharge or retirement;
(f) any annual bonus or any part of any annual bonus; or
(g) any payment by way of commission, subsistence allowance and overtime payment[3].

(2) Paid Maternity Leave will be increased

Paid maternity leave will be increased from 60 days to 98 days[4].

What happens if employers fail to comply?

Any employer who terminates the service of a female employee during the period in which she is entitled to maternity leave commits an offence provided that such termination shall not include termination on the ground of closure of the employer's business[5].

Any employer who fails to grant maternity leave to a female employee commits an offence, and shall also on conviction, be ordered by the court before which he is convicted to pay the female employee the maternity allowance to which she may be entitled in respect of every day on which the female employee had worked during the eligible period, the payment so ordered being in addition to the wages payable to her, and the amount of maternity allowance so ordered by the court to be paid shall be recoverable as if it were a fine imposed by such court[6].
Further, any condition in a contract of service whereby a female employee relinquishes or is deemed to relinquish any right under Part IX of the Employment Act (which includes the paid maternity leave above) shall be void and of no effect and the right conferred thereunder shall be deemed to be substituted for such condition[7]. Please also refer to the implications highlighted in the conclusion section below.

(3) Termination of Pregnant Female Employee because of Her Pregnancy or Illness arising out of Pregnancy will be prohibited

Where a female employee is pregnant or is suffering from an illness arising out of her pregnancy, it shall be an offence for her employer to terminate her services or give her notice of termination of service, except on the grounds of:

(a) wilful breach of a condition of the contract of service;
(b) misconduct; or
(c) closure of the employer's business.

Where the service of a female employee above is terminated, the burden of proving that such termination is not on the ground of her pregnancy or on the ground of illness arising out of her pregnancy, shall rest on the employer[8].

What happens if employers fail to comply?

Any condition in a contract of service whereby a female employee relinquishes or is deemed to relinquish any right under Part IX of the Employment Act (which includes the termination of pregnant female employees due to her pregnancy or illness arising out of her pregnancy above) shall be void and of no effect and the right conferred thereunder shall be deemed to be substituted for such condition[9]. Please also refer to the implications highlighted in the conclusion section below.

(4) Weekly Working Hours will be reduced

The weekly working hours of an employee will be reduced from 48 hours in one week to 45 hours in one week[10]. Overtime rates (at least one and a half times the employee’s hourly rate) will therefore be charged for any hours in excess of the revised total 45 hours per week[11].
Please note that overtime rates will not apply to employees whose monthly wages exceed RM4,000.

What happens if employers fail to comply?

Any employer who fails to pay to any of his employees any overtime wages as provided under the Employment Act or any subsidiary legislation made thereunder commits an offence, and shall also, on conviction, be ordered by the court before which he is convicted to pay to the employee concerned the overtime wages due, and the amount of overtime wages so ordered by the court to be paid shall be recoverable as if it were a fine imposed by such court[12]. Please also refer to the implications highlighted in the conclusion section below.

(5) Paid Sick Leave (when hospitalisation is not necessary) will be excluded when using 60 days of Paid Hospitalisation Leave

Employees will not be required to use any of their paid sick leave entitlement (when hospitalisation is not necessary) when using their 60 days of paid hospitalisation leave in each calendar year[13]. The paid sick leave (when hospitalisation is not necessary) in each calendar year under the Employment Act depends on the length of service as follows:

(a) 14 days if the employee has been employed for less than 2 years;
(b) 18 days if the employee has been employed for 2 years or more but less than 5 years; or
(c) 22 days if the employee has been employed for 5 years or more[14].

What happens if employers fail to comply?

Any employer who fails to grant sick leave, or fails to pay sick leave pay, to any of his employees, commits an offence, and shall also, on conviction, be ordered by the court before which he is convicted to pay to the employee concerned the sick leave pay for every day of such sick leave at the rate provided under the Employment Act, and the amount so ordered by the court to be paid shall be recoverable as if it were a fine imposed by such court[15]. Please also refer to the implications highlighted in the conclusion section below.

(6) Paid paternity leave of 7 consecutive days per confinement limited to 5 confinements will be introduced

A married male employee will have the right to 7 consecutive days of paid paternity leave per confinement up to a maximum of 5 confinements irrespective of the number of spouses. To qualify for such paternity leave, a married male employee is required to fulfil the following requirements:

(a) he has been employed by the same employer at least 12 months immediately before the commencement of such paternity leave; and
(b) he has notified his employer of the pregnancy of his spouse at least 30 days prior to the expected confinement or as early as possible after the birth[16].

What happens if employers fail to comply?

Please refer to the implications highlighted in the conclusion section below.

(7) Employers to obtain prior approval from the Director General of Labour before employing foreign employees

Employers shall obtain the prior approval from the Director General of Labour before employing foreign employees. An application for the approval shall be made in the form and manner as may be determined by the Director General of Labour. Upon approval of the Director General of Labour, an employer shall, within 14 days from the date of the employment of a foreign employee, furnish the Director General of Labour with the particulars relating to the foreign employee in such manner as the Director General of Labour may direct.
The Director General of Labour may, subject to any written law, approve an application if the employer complies with the following conditions:

(a) the employer satisfies the Director General of Labour that on the date on which he makes the application:
    (i) he has no outstanding matter relating to any decision, order or directive issued under the Employment Act; or
    (ii) he has no outstanding matter or case relating to any conviction for any offence under the Employment Act, the Employees' Social Security Act 1969, the Employees' Minimum Standards of Housing, Accommodations and Amenities Act 1990 or the National Wages Consultative Council Act 2011; or
(b) the employer has not been convicted of any offence under any written law in relation to anti-trafficking in persons and forced labour[17].

What happens if employers fail to comply?

Employers who contravene the above commit an offence and shall, on conviction, be liable to a fine not exceeding RM100,000 and/or 5 years' imprisonment[18]. Please also refer to the implications highlighted in the conclusion section below.

(8) Employers to inform the Director General of Labour of the Termination of Employment of Foreign Employees

If the service of a foreign employee is terminated:

(a) by his employer;
(b) by reason of the expiry of the employment pass issued by the Immigration Department of Malaysia to the foreign employee; or
(c) by reason of the repatriation or deportation of the foreign employee,

the employer shall, within 30 days of the termination of service, inform the Director General of Labour of the termination in the manner as may be determined by the Director General of Labour. On the other hand, if a foreign employee terminates his service or absconds from his place of employment, the employer shall, within 14 days of the termination of service or after the foreign employee's absence, inform the Director General of Labour in the manner as may be determined by the Director General of Labour[19].

What happens if employers fail to comply?

Please refer to the implications highlighted in the conclusion section below.

(9) Flexible Working Arrangement (subject to the discretion of the Employers) will be introduced

Employees can apply to their employers for a flexible working arrangement to vary the hours of work, days of work or place of work in relation to their employment. Where there is a collective agreement, any application made by the employee above shall be consistent with the terms and conditions in the collective agreement[20]. Further, the employee shall make an application for flexible working arrangement above in writing and in the form and manner as may be determined by the Director General of Labour. Upon the application, an employer shall, within 60 days from the date such application is received, approve or refuse the application. The employer shall inform the employee in writing of the employer's approval or refusal of the application above and in the case of a refusal, the employer shall state the ground of such refusal[21].

What happens if employers fail to comply?

Please refer to the implications highlighted in the conclusion section below.

(10) Director General of Labour has the power to inquire into Complaints relating to Discrimination

The Director General of Labour is given the power to inquire into and decide any dispute between an employee and his employer in respect of any matter relating to discrimination in employment, and the Director General of Labour may, pursuant to such decision, make an order[22]. What amounts to “discrimination” is however not provided for in the Employment Act.

What happens if employers fail to comply?

Employers who fail to comply with the Director General of Labour’s order commit an offence and shall on conviction, be liable to a fine not exceeding RM50,000 and for continuing offence, a daily fine not exceeding RM1,000 for each day the offence continues[23].
Please also refer to the implications highlighted in the conclusion section below.

(11) Exhibit of Notice of Sexual Harassment at the Workplace

Employers must exhibit conspicuously a notice to raise awareness on sexual harassment at the workplace[24].

What happens if employers fail to comply?

Please refer to the implications highlighted in the conclusion section below.

(12) Prohibition of Forced Labour

Any employer is prohibited from forced labour, i.e. threatening, deceiving or forcing an employee to do any activity, service or work and preventing that employee from proceeding beyond the place or area where such activity, service or work is done[25].

What happens if employers fail to comply?

Employers shall commit an offence and shall, on conviction, be liable to a fine not exceeding RM100,000 or to imprisonment for a term not exceeding 2 years or to both[26]. Please refer to the implications highlighted in the conclusion section below.

Conclusion

It was reported that the Malaysian Employers Federation has urged the government to delay implementing the amendments to the Employment Act 1995 from 1 September 2022, which it estimates will cost employers nationwide an extra RM110.99 billion per year, derived from the following:

(a) increase in overtime costs to RM4,000 per month from RM2,000 (RM80.87 billion);
(b) reduction of hours of work to 45 hours per week, from 48 hours (RM26.88 billion);
(c) increase maternity leave to 98 days, from 60 days (RM2.97 billion); and
(d) paternity leave of seven continuous days per birth (RM275 million).[27]

With the above Amendment Act and Amendment Order bringing about more protection and advantages for employees with effect from 1 September 2022, all employers should prepare themselves and consider engaging their lawyers to review their existing employment contracts and employment handbook/policies to ensure that they comply with the Employment Act, taking into account that:

(a) Any term or condition of a contract of service or of an agreement, whether such contract or agreement was entered into before or after the coming into force of the Employment Act, which provides a term or condition of service which is less favourable to an employee than a term or condition of service prescribed by the Employment Act or any regulations, order or other subsidiary legislation whatsoever made thereunder shall be void and of no effect to that extent and the more favourable provisions of the Employment Act or any regulations, order or other subsidiary legislation whatsoever made thereunder shall be substituted therefor[28].
(b) Further, apart from the specific penalties highlighted above, any person who commits any offence under, or contravenes any provision of, the Employment Act, or any regulations, order, or other subsidiary legislation whatsoever made thereunder, in respect of which no penalty is provided, shall be liable, on conviction, to a fine not exceeding RM50,000[29].
(c) Where an offence under the Employment Act has been committed by, amongst others, a body corporate, any person who is a director, manager, or other similar officer of the body corporate at the time of the commission of the offence shall be deemed to have committed the offence and may be charged jointly or severally in the same proceedings as the body corporate[30].
(d) If any person fails to comply with any decision or order of the Director General of Labour pursuant to an enquiry, such person commits an offence and shall be liable, on conviction, to a fine not exceeding RM50,000; and shall also, in the case of a continuing offence, be liable to a daily fine not exceeding RM1,000 for each day the offence continues after conviction[31].
(e) Where an employer has been convicted of an offence relating to the payment of wages or any other payments payable to an employee under the Employment Act, the court before which he is convicted may order the employer to pay any payment due to the employee in relation to that offence. Where an employer fails to comply with an order, the court shall, on the application of the employee, issue a warrant to levy the employer's property for any payments due in the following manner:
    (i) by way of distress and sale of employer's property in accordance with the same procedure of execution under the Rules of Court 2012 and this execution shall apply mutatis mutandis notwithstanding the amount in the order; or
    (ii) in the same manner as a fine as provided under section 283 of the Criminal Procedure Code[32].

[1] Section 2 of the Employment Act and Section 3 of the Interpretation Acts 1948 and 1967.
[2] Section 2 of the Amendment Order (as incorporated in the First Schedule of the Employment Act).
[3] Section 2(1) of the Employment Act and First Schedule of the Employment Act.
[4] Section 12 of the Amendment Act (as incorporated in Section 37(1)(d)(ii) of the Employment Act).
[5] Section 37(4) of the Employment Act.
[6] Section 94 of the Employment Act.
[7] Section 43 of the Employment Act.
[8] Section 13 of the Amendment Act (as incorporated as a new Section 41A of the Employment Act).
[9] Section 43 of the Employment Act.
[10] Section 20 of the Amendment Act (as incorporated in Section 60A(1)(d) of the Employment Act).
[11] Section 60A(3) of the Employment Act.
[12] Section 100(2) of the Employment Act.
[13] Section 22 of the Amendment Act (as incorporated in Section 60(F)(1) of the Employment Act).
[14] Section 60(F)(1)(aa) of the Employment Act.
[15] Section 100(5) of the Employment Act.
[16] Section 23 of the Amendment Act (as incorporated as a new Section 60FA of the Employment Act).
[17] Section 24 of the Amendment Act (as incorporated as a new Section 60K of the Employment Act).
[18] Section 24 of the Amendment Act (as incorporated as a new Section 60K(5) of the Employment Act).
[19] Section 25 of the Amendment Act (as incorporated as a new Section 60KA of the Employment Act).
[20] Section 27 of the Amendment Act (as incorporated as a new Section 60P of the Employment Act).
[21] Section 27 of the Amendment Act (as incorporated as a new Section 60Q of the Employment Act).
[22] Section 30 of the Amendment Act (as incorporated as a new Section 60F of the Employment Act).
[23] Section 30 of the Amendment Act (as incorporated as a new Section 60F(2) of the Employment Act).
[24] Section 36 of the Amendment Act (as incorporated as a new Section 81H of the Employment Act).
[25] Section 41 of the Amendment Act (as incorporated as a new Section 90B of the Employment Act).
[26] Section 41 of the Amendment Act (as incorporated as a new Section 90B of the Employment Act).
[27] https://www.theedgemarkets.com/article/mef-urges-govt-delay-enforcing-employment-act-amendments-estimated-cost-rm111-bil-year
[28] Section 7 of the Employment Act.
[29] Section 99A of the Employment Act.
[30] Section 101B of the Employment Act.
[31] Section 69 of the Employment Act.
[32] Section 40 of the Amendment Act (as incorporated as a new Section 87A of the Employment Act).

About the Author

Maple Chieng Hea Fong
Partner
Halim Hong & Quek
maple.chieng@hhq.com.my

This article dated 19 August 2022 is contributed by Maple Chieng for general information/guidance only and is not meant to be exhaustive, and it is not a substitute for legal advice.

© 2000 – 2024 Halim Hong & Quek