Author name: Edwin Lee

I was invited to speak at Tech In Asia Conference in Singapore in May 2015. Tech In Asia Conference is one of Asia’s largest conferences organised for entrepreneurs, investors, media and friends in the technology and startup community across the Asia region. The topic of my talk was “Startups and the Laws in Malaysia”. The other 2 speakers speaking on the same panel were Warren Leow (Executive Director at MaGIC) and Ng Wan Peng (Chief Operating Officer at MDeC). In line with the theme of the conference “Connecting Asia’s Tech World”, the conference brought more than 2,500 participants, 200 tech startups and 100 investors (mostly venture capital companies and angel investors) from all over the world to gather at one place. It was certainly an eye-opener event for me and I was thrilled to see so many innovative and promising tech startups coming up from all over Asia. MaGIC (Malaysian Global Innovation and Creativity Centre) and MDeC (Multimedia Development Corporation of Malaysia) shared about the work that these 2 government agencies have been doing in creating and promoting a vibrant and sustainable ecosystem for tech startups and ICT companies in Malaysia. MDeC manages the Multimedia Super Corridor (MSC) project, which aims to boost the ICT sector in Malaysia while MaGIC is entrusted to develop Malaysia’s tech startup ecosystem, with the vision of making Malaysia the tech startup capital of Asia. It was during the talk that MDeC announced that it was collaborating with MaGIC to launch a new programme called “MSC Malaysia for Technology Startups”. MDeC also receives support from some other major startups ecosystem players such as StartupMalaysia.org, the New Entrepreneurship Foundation (MyNEF), Cradle, Cyberview, National Incubator Network Association (NINA), 500 Startups, Technopreneur Association of Malaysia (TeAM) and Founder Institute (FI). As we all know, MSC Malaysia was an initiative conceptualised and launched by the Malaysian government in 1996 to drive the growth and development of the ICT industry in Malaysia. MSC Malaysia status offers multi-tiered incentives to ICT companies that develop or use multimedia and digital technologies to produce and enhance their products and services. It serves as a recognition of world-class service and achievement, while opens access to a host of privileges granted by the Malaysian government to qualified business entities. So what is MSC Malaysia for Technology Startups programme (“Programme”) all about? The Programme provides an alternative for tech startups to attain MSC Malaysia status without being tied to any location requirements (i.e. the tech startup does not have to be located in any of the MSC Malaysia Cybercities and Cybercentres). Prior to the Programme, MSC Malaysia status companies must be located in designated premises within MSC Malaysia Cybercities/Cybercentres (Tier-1 Companies) or commercial premises within MSC Malaysia Cybercities/Cybercentres (Tier-2 Companies) for them to enjoy the various incentives offered under the MSC Malaysia status. The Programme now creates a third category for MSC Malaysia status companies that are located outside of MSC Malaysia Cybercities/Cybercentres (Tier-3 Companies). The Tier-3 Company status is the one that is designed for tech startups. One primary concern before the Programme was launched was that tech startup that wanted to enjoy MSC Malaysia status but cannot afford to move to designated premises or a commercial premises within MSC Malaysia Cybercities/Cybercentres missed out from the MSC Malaysia status incentives. MDeC recognises that tech startups at different growth cycles have different needs and affordability. Bearing that in mind, MDeC therefore decided to launch the Programme for tech startups and it hopes that “the Programme will position Malaysia as the Entrepreneur Hub for Southeast Asia,” said MDeC’s CEO, Dato’ Yasmin Mahmood. For a tech startup to enjoy the incentives under the Programme, it must first apply for an MSC Malaysia status from MDeC. The Programme was launched on 12 May 2015 and it is only applicable to MSC Malaysia status companies approved from 1 January 2015 onwards. MSC Malaysia status companies approved after 1 January 2015 and have not activated their pioneer status incentive are eligible to apply for Tier-3 Company status. A Tier-3 Company can apply to move up to Tier-1 or Tier-2 Company status after 5 years of pioneer status incentive or it can choose to remain as a Tier-3 Company as long as the company is still active. However, such company will be liable to the applicable taxation laws after 5 years of pioneer status incentive. In other words, the company will have to upgrade to Tier-1 or Tier-2 Company status in order for it to enjoy another 5 years of pioneer status incentive. MSC Malaysia status companies approved prior to 1 January 2015 (i.e. Tier-1 or Tier-2 Companies) will still need to adhere to the location requirements as stated in their Conditions of Grant. If they move outside the designated location, it will be considered a breach of the Conditions of Grant. These companies are not eligible to migrate to Tier-3 Companies status and participate in the Programme but will continue to enjoy the full suite of incentives offered under MSC Malaysia status. Some of the main incentives offered to Tier-3 Companies under the Programme are as follows: flexibility in choosing the location of operation; ease of hiring foreign talents (they can hire up to 20 foreign knowledge workers in key positions); competitive financial incentives i.e. 70% tax exemption of statutory income for 5 years and no duties on the import of multimedia equipment; benefits such as networking opportunities, capability building programs and market access programs; and other MSC Malaysia Bill of Guarantees. For a comparison of the different incentives offered to Tier 1-3 Companies, please refer to MDeC’s website here. There are currently 3,600 MSC Malaysia status companies comprising global and local companies across multiple sectors. MDeC expects a further expansion of 8,000 potential ICT companies to participate in MSC Malaysia in the years to come. “Technology is making the world borderless and advancing rapidly; if Malaysian entrepreneurs do not leverage it to grow and scale their ventures quickly, global competitors will take our market share away. We have the

The PDP is still a step in the right direction and a good beginning, although it lacks the right to claim for compensation in the case of breaches that cause damage or distress. After a decade of delay, the Personal Data Protection Bill 2009 (PDP) has finally been tabled and passed by Parliament. This is a very important piece of legislation as it would affect almost everyone in the country. Generally, the enactment of the PDP is laudable. Prior to this, Malay­sia adopted the sectoral approach in protecting personal data but this approach proved inadequate It is time to have a comprehensive legislation to cover all aspects of personal data protection. The PDP will apply to anyone who processes or who has control over or authorises the processing of any personal data in respect of commercial transactions. The person who processes any personal data is called “data user” and the person whose personal data is being processed is known as “data subject”. The PDP imposes many obligations on the data user. It requires that the data user comply with the seven PDP principles, failing which he can be fined not exceeding RM300,000 or be jailed for a term not exceeding two years, or both. Buying and selling of personal data is a criminal offence. Besides, any individual who feels annoyed with direct marketing will be able to prevent this from happening. The PDP principles require that a data user not process personal data unless with consent from the data subject, and it must be processed for a lawful purpose directly related to an activity of the data user. However, it is not stated whether the consent must be express or can be implied. It also states that a data user has the duty to inform a data subject about the processing of his personal data by way of written notice, and such notice must be given as soon as practicable by the data user. In the absence of consent from the data subject, personal data shall not be disclosed to any party other than the purpose for which the personal data was to be disclosed at the time of collection or for a purpose directly related to that purpose. The data user must also take practical steps to implement security measures to protect and safeguard the personal data. In addition, personal data shall not be kept longer than is necessary and the data must be destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed. There is, however, no time frame given and the PDP leaves it to the discretion of the data user, who must also take reasonable steps to ensure that the personal data is accurate, complete, not misleading and up-to-date. The PDP also provides the data subject with the right to have access to his personal data held by a data user. If the personal data is inaccurate, incomplete, misleading or not up-to-date, the data subject can request that the data be corrected. Although the PDP confers many rights on individuals and imposes liabilities on those who breach the law, the Act is far from perfect due to its unique features and its narrow application. Here are a few of its shortcomings. The PDP does not apply to the Federal and state governments (an earlier draft of the Bill read: this Act shall bind the Government), although massive amounts of personal data are stored with government departments. For example, the National Registration Department processes most of our personal data; the Inland Revenue Board processes our income tax returns which contain our financial records and sources of income; the DNA Identification Act 2009 allows the Government to keep DNA profiles of individuals in the DNA databank. As such, to exclude the Government from the application of the PDP would be contrary to the objective underlying the PDP in protecting the personal data of its citizens. It is not clear whether local authorities established under the Local Government Act 1976 and those agencies and statutory bodies established under their respective Acts of Parliament to perform specific public functions are also considered as part of the Government. The PDP only applies to the processing of personal data in respect of commercial transactions. The Oxford English Dictionary defines the term “commercial” to mean “engaged in, or connected with, commerce and having profit as a primary aim rather than artistic etc. value”. The Government has repeatedly emphasised that the PDP is critical in this age of e-commerce and it will solve such problems as credit card fraud, identity theft and selling of personal data without customers’ consent. However, personal data protection is not just about safeguarding personal data in the commercial world. It is equally important to protect personal data such as medical and health records, employee records, financial records, and even criminal records. These personal data may be used for employment, educational, professional, taxation, social security and welfare etc. For example, someone may have submitted his personal data in a contest or enquiry form. The use of personal data in these situations may not necessarily involve a “profit-making” element and it is hardly to be considered as “use in respect of commercial transactions”. The effect of this restrictive limitation is that the PDP applies to, and within, the private sector, and then further narrows down to organisations which process personal data in commercial transactions. It is unclear whether civil remedies are available under the PDP. In many other jurisdictions such as Britain and Hong Kong, breaches of data protection law are punishable under both criminal and civil law. Any individual who suffers any damage (which include injury to feelings) or distress by reason of a contravention of the provision of the PDP shall be entitled to file a civil suit and claim compensation for such damage or distress. A similar provision was found in an earlier draft but omitted in the PDP. This is ironic because while the PDP provides

With about 2 blogs created each second every day, blogging is growing at a speed faster than any other web activities on the Internet. Bloggers are not immune from legal consequences, be it civil or criminal liabilities. The relevant IP right in a blogging environment concerns mainly issues of copyright and sometimes, trademarks. In this article, we will focus on the rights and liabilities under copyright laws in Malaysia. One of the greatest challenges posed by the Internet is the ease with which copyrighted materials may be freely and quickly disseminated, reproduced and modified. Copyright in Blog Contents Works placed on a blog are equally protected by copyright, a blog being merely a medium of a sufficiently permanent nature in which thoughts and even images are expressed. The texts posted in a blog are protected as literary works; the images (pictures or videos) are protected as artistic works or films, and sounds and music are protected as sound recordings and musical works. Some blogs are purely full of text, but some blogs consist of multiple multimedia works which involve a combination of several separate and distinct types of works in an integrated form. In this case, different forms of copyright may subsist in one blog simultaneously, and the design and the layout of a blog as a whole may also be entitled to a separate copyright. The law gives the original authors the right to exclude others from copying their works or claiming them as their own. Copyright in URL? One may wonder whether copyright would subsist in Uniform Resource Locators (“URL”), the electronic addresses of websites on the Internet. In Exxon Corp v Exxon Insurance Consultants, it was held that the invented word “Exxon” was not entitled to copyright because the word “Exxon” did not instruct nor convey any information, instruction or pleasure in the form of literary enjoyment. URLs being a string of alphanumeric notation, would unlikely enjoy copyright protection as such. Posting of copyrighted materials Contents found on the search engines such as Google and Yahoo! may be in the public domain but it does not mean that they are free to be copied or downloaded. Most of the time, they are proprietary and copyrighted materials. Posting of pictures, videos or songs on a blog without the permission of the copyright owner is an act of infringement because it reproduces a work in digitized form and it infringes the copyright owner’s exclusive right to control the communication of such works to the public. There is also the issue of moral rights of the authors. Our copyright law confers moral rights to authors. These rights include the right to be identified as the author of the work and the right to object to derogatory treatment of his work such as distortion, mutilation or other types of modification of the work which significantly alters the work and might adversely affect the author’s honour and reputation. Defences on Copyright One particular important defence to works placed on the Internet is that of fair dealing. If the act is for purposes of non-profit research, private study, criticism, review or the reporting of current events, it does not tantamount to copyright infringement. However, it must be accompanied by sufficient acknowledgement and attribution of the title of the work and its authorship. There are no fast and hard rules in determining whether a certain use of a work amounts to “fair use”. However, the following factors are to be taken into consideration: the purpose and character of the use, such as whether such use is of commercial nature or for non-profit purposes; the nature of the copyrighted work; the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and the effect of the use upon the potential market for or value of the copyrighted works. For example, if only small portions of the original work or short quotations were copied or cited which are de minimis (bearing in mind that substantial reproduction is judged qualitatively rather than quantitatively in the assessment of infringement), or commenting or criticizing an item someone else has posted, these will likely be fair dealing. Blogs will usually fall under non-profit use or for purposes of criticism and review. However, in recent times, some bloggers have started to make profit out of their blogs by earning advertising revenue, engaging in blogs as a marketing strategy for their companies, and some are being paid for doing product review or endorsement. For these types of blogs, it might be argued that use of copyrighted materials can hardly be for non-profit use or would have otherwise exceeded the acceptable standards of “fair dealing” (however nebulous and subjective these standards may be). The law further requires an acknowledgement of the title of the work and authorship if the work is used in public, which would be applicable in a blog environment. Inline linking and Thumbnails – Fair Use? Copyright Infringement? The issue as to whether inline linking is copyright infringement has been decided in the United States. The first of such decision could be found in the case of Kelly v Arriba Soft Corp. The defendant is an image search engine company. It operates an Internet search engine that displays its result in the form of small pictures called thumbnails rather than the more usual form of text. To provide this service, the defendant developed a computer program that “crawls” the web looking for images to index. The crawler then downloads full-sized copies of the images onto the defendant’s server. The program then uses these copies to generate smaller, lower-resolution thumbnails of the images. Once the thumbnails are created, the program deletes the full-sized original images from its server. By clicking on one of these thumbnails, the user can then view a large version of that same image within the plaintiff’s website. This is called “inline linking”. As a result, although the images of the plaintiff came directly from the plaintiff’s website and were not

The Personal Data Protection Act 2010 (“the PDP Act”), a much-awaited piece of legislation finally made its way through the Malaysian Parliament after a delay of more than a decade. The first draft of the Personal Data Protection Bill (“PDP Bill”) was released in 1998 for public consultation but was not tabled in Parliament until November 2009. The earlier drafts of the PDP Bill have since been redrafted to reflect public feedback as well as the Government’s approach towards personal data protection. The redrafted PDP Bill was tabled for first reading in November 2009 and passed by the Parliament in May 2010. It received Royal Assent and was gazetted in June 2010. The PDP Act will come into force on a date to be notified by the Minister. The PDP Act has generally been well received by the public and the Malaysian Government is to be commended for its commitment to granting more protection to the people in respect of their personal data. Prior to this, Malaysia had adopted a sectoral approach in protecting personal data but this approach proved to be inadequate. Other than this, personal data was only protected in the form of confidential information through contractual obligations or common law. It is therefore timely for a legislation of general application to be introduced to regulate the processing of personal data. Having said that, the PDP Act is by no means a perfect piece of legislation. This article will examine some of the shortcomings of the PDP Act. NARROW APPLICATION OF THE PDP ACT Federal and State Governments The draft of the PDP Bill explicitly stated that “This Act shall bind the Government”. However, in a complete turnaround, Section 3(1) of the PDP Act now reads “This Act shall not apply to the Federal and State Governments”. The Government did not explain the reason behind this drastic change. Substantial amounts of personal data are processed by the government departments and agencies for various reasons and purposes. For example, the National Registration Department holds the personal data of nearly every citizen in Malaysia and our income tax returns which contain detailed records of our financial affairs and sources of income are well within the knowledge of the Inland Revenue Board. All this information is valuable personal data which ought to be protected in the interest of every individual. The Government, being one of the biggest data users in the country, ought to be bound by the PDP Act to prevent any form of abuse of personal data of its citizens. One of the objectives behind the PDP Act is to safeguard personal data by requiring the data user to comply with certain obligations and conferring certain rights to the data subject in respect to his personal data. There is currently no legislation in Malaysia to regulate how personal data is processed and stored by governmental bodies. To exclude the Government from the PDP Act is contrary to the objectives of the PDP Act and would severely curtail its full effect. It also means that there is nothing to prevent the Government from processing personal data of its citizen in whatever manner it deems fit. Of even greater concern is that there are no sanctions to prevent civil servants from abusing such personal data other than the risk of disciplinary action. The exclusion of the Federal and State Governments from the application of the PDP Act is inconsistent with jurisdictions such as Australia, Hong Kong and member countries of the European Union (“EU”) where governments are bound by their respective data protection legislation. Non-commercial transactions Section 2(1) provides that the PDP Act applies to the processing of any personal data in respect of commercial transactions. In other words, the PDP Act does not apply to personal data processed in non-commercial transactions. Although the term “commercial transactions” is widely defined to include “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services”, the full effect of this term remains uncertain. The limitation of the application of the PDP Act to “commercial transactions” makes the Malaysian legislation unique. This limitation was not found in the earlier draft of the PDP Bill. The personal data protection laws of most other jurisdictions do not have similar restrictions. However, it is interesting to note that the Personal Information Protection and Electronic Documents Act of Canada applies to every organization that collects, uses or discloses personal information in the course of commercial activities. Cases suggest that “commercial activities” must involve some profit making element or attract certain monetary value. Personal data is not only processed in commercial transactions. They are also processed for educational, professional, taxation, social security and welfare purposes. An individual may submit his personal data in a contest or survey without consideration being given by any party. He may also submit his personal data as part of the subscription to various free online services such as online newspapers and magazines. Personal data may also be submitted to social networking websites such as Facebook or MySpace. Processing of personal data in these situations may not necessarily involve any “profit-making” element and is hardly to be considered as “use in respect of commercial transactions”. It will be interesting to see how the courts will interpret “commercial transactions” in the context of the PDP Act. The combined effect of these two limitations is that the PDP Act only applies to the private sector and within the private sector, it is narrowed down to organizations which process personal data in commercial transactions. It is undesirable to have such a narrow application of the PDP Act. No provisions for civil remedies As mentioned earlier, the PDP Act imposes various obligations on data users and confers certain rights on data subjects. Data users who fail to comply with the provisions of the PDP Act may be subject to fines or imprisonment or both. There are, however, no provisions in the PDP Act that allow

The Royal Malaysian Police Force is in talks with the Attorney-General’s Chambers to monitor the movements and whereabouts of certain accused persons released on bail by tagging them with an electronic monitoring device (“EMD”), which is a new technological security measure introduced by the Security Offences (Special Measures) Act 2012 (”SOSMA”) and the Criminal Procedure Code (“CPC”). The police are expected to start using the EMD in October 2013. Both the SOSMA and the CPC also introduce new provisions that allow interception of communications by the authorities. The SOSMA was enacted to replace the archaic and draconian Internal Security Act 1950. It provides for special measures relating to security offences for the purpose of maintaining public order and internal security. The CPC, on the other hand, sets out rules relating to criminal procedure in Malaysia for matters such as the mode of arrest; a search of body, property or premises; police investigation of a case; prosecution of an accused person; procedure for trial, etc. The police claim that this is part of their on-going efforts in utilising all the existing laws and technology available to combat serious and organised crimes, in light of the spate of high-profile shootings and the surge in crime rates in the country. This article focuses on the two new technological security measures introduced by the SOSMA and the CPC, namely, the use of EMD and the interception of communication by the authorities. The use of EMD Under the law, a court may, after taking into account the nature of the offence and the circumstances of the case as being sufficient to secure an accused person’s attendance at court, order for an EMD to be attached to the accused person while he is released on bail. Before an accused person is to be attached with an EMD, he will be given an opportunity to be heard as to why he should not be attached with an EMD. Failing to comply with the electronic monitoring requirement will result in the bail being revoked by the court. Any person who tampers or destroys the EMD shall be liable to a fine not more than RM5,000 or to imprisonment, not more than 3 years, or both, as well as to pay for any damage to the EMD arising from his action. The EMD can be either a device which is attached to a person (usually attached to the person’s wrist or ankle); a portable tracking device or a site monitoring device. These devices with built-in Global Positioning System (GPS) are linked to a receiving centre by means of a fixed line, radio frequency, satellite or other technology. They are capable of transmitting to the receiving centre information relating to the particular place at which the device is located at a particular time and the functioning of the device and capable of detecting any tampering with the device and transmitting to the receiving centre information relating to such tampering. Using EMD to track the movements and whereabouts of accused persons has proven to be quite effective in many jurisdictions around the world. It is said that the EMD will act as a restraint on recidivists (convicted criminals who return to crime after they are released from prison) as gangs are unlikely to rely upon or re-engage with those who are being monitoring. EMD can be used to ensure that the accused person remains in a designated place or does not enter prescribed areas or approaches certain people such as the complainants or the witnesses. The police will be immediately alerted if the accused person ignores or goes against the court’s order. It will also be easier for the police to track down the location of the accused person if he jumps bail. Interception of Communication of the EMD by the Authorities Under the law, the Public Prosecutor, if he considers that it is likely to contain any information relating to the commission of an offence, may authorize any police officer – (a) to intercept, detain and open any postal article in the course of transmission by post; (b) to intercept any message transmitted or received by any communication; or (c) to intercept or listen to any conversation with any communication. The Public Prosecutor also has the power to require a communication service provider to intercept and retain communication and authorise a police officer to enter any premises to install any interception devices. Any information obtained from such interception shall be admissible in evidence at trial. Interestingly, the SOSMA even gives power to a police officer not below the rank of Superintendent of police to perform the interception without the authorization of the Public Prosecutor in urgent and sudden cases where immediate action is required leaving no moment of deliberation. What this means is that the authorities can “eavesdrop” or “wiretap” any telephone lines, emails, letters or even web surfing habits without a warrant, as long as the Public Prosecutor considers that it is likely to contain any information relating to the commission of an offence. Provisions relating to the interception of communication by the authorities are not something very new in Malaysia. Similar provisions are already found in other legislation such as the Communications and Multimedia Act 1998, Malaysian Anti-Corruption Commission Act 2009, the Strategic Trade Act 2010, Copyright Act 1987, etc. However, do note that the laws cited above are restricted to communication data only. If the data does not form part of the communication, as far as the law is concerned, the authorities have no power to intercept/access or conduct surveillance on those data unless they have obtained a warrant to access such data. Many have criticised that the Public Prosecutor should not be given such a broad power to intercept communication. While it is true that in certain circumstances, interception of communication may be effective in preventing planned crimes and collecting evidence, it should be dealt within the parameter of natural justice coupled with adequate checks and balances by an independent body. For example, in the

Personal data such as customer database has become so valuable that is now being traded as a form of commodity. The European Consumer Commissioner described personal data as the new oil of the Internet and the new currency of the digital world. The Economist said that personal data is becoming a new type of raw material that is on par with capital and labour. It was reported that a list of 1,000 entries containing names, phone numbers, types of credit cards owned and even place of works can be bought for a mere RM100, while a list containing the personal data of Datuks and Tan Sris can be bought for RM4 for each individual. How many of you are tired of receiving spam emails and unsolicited cold-calls from banks, property agents, insurance agents who try to sell you more insurance products, properties, or offer you more credit cards/personal loans? This has escalated to a stage where even politicians were sending out SMSes and emails begging for votes during the recent 13th General Election. Have you always been wondering how or where these people get hold of your personal data? Would you wish to have a say on how your personal data should be handled? The solution is finally here. Very soon, we will have legal protection to cover those unwanted activities. The Personal Data Protection Department of Malaysia (“PDPD”) has intimated that the Personal Data Protection Act 2010 (“PDPA”), which was passed in June 2010, will come into force in the next 1-2 months. The advancement of technology, the growing problems of misuse of personal data and the lack of comprehensive data protection law were amongst the reasons that pushed the Malaysian Government to finally enact and pass the PDPA. The objective of the PDPA is to regulate the processing of personal data in commercial transactions and to safeguard the rights and interests of individuals. What this means is that anyone who processes personal data in commercial transactions, be it online or offline, must comply with the PDPA once it comes into force. The consequences for breaching the PDPA are severe. Aside from the negative publicity, penalties for non-compliance with the PDPA include fines for companies and/or fines and imprisonment for directors and officers of the company. Application of the PDPA The PDPA applies to anyone who processes personal data (“data user”) of an individual (“data subject”) in commercial transactions. Essentially, data user must comply with the seven (7) personal data protection principles, which form the fundamental backbone of the PDPA, as well as other relevant provisions of the PDPA. Non-compliance with any of the principles is an offence. An overview of the principles is set out as follows: General principle – a data user must only process personal data with the consent of a data subject, for a lawful purpose and the personal data collected must not be excessive or beyond that is required for the purpose it was collected; Notice and choice principle – a data user must inform the data subject that his personal data is being processed and provide a description of the personal data, the purpose of collection and choice for him to decide whether he wants to provide his data; Disclosure principle – a data user must only disclose personal data for purposes or to another third party to which the data subject has consented to; Security principle – a data user must take practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure; Retention principle – a data user must not retain personal data longer than it is necessary to fulfil the purpose for which it was collected; Data integrity principle – a data user must take reasonable steps to ensure that all personal data is accurate, complete, not misleading and kept-up-to-date; and Access principle – a data user must allow data subject to have access to his own personal data and to correct it if it is inaccurate, incomplete, misleading or outdated. The PDPA also confers a number of rights to a data subject, as set out below: a data subject is entitled to be informed by a data user whether his personal data is being processed by or on behalf of the data user; a data subject is entitled to correct his personal data it if it is inaccurate, incomplete, misleading or outdated; a data subject is entitled to withdraw his consent to the processing of personal data; a data subject is entitled to request the data user to cease or not begin the processing of his personal data based on the reasons that the processing of that personal data is causing or likely to cause substantial damage or substantial distress to him or to another; and the damage or distress is or would be unwarranted; and a data subject is entitled to request the data user to cease or not begin processing his personal data for purposes of direct marketing. Compliance with the PDPA As the PDPA will come into force very soon, data users must understand the PDPA and its legal and commercial implications on their businesses. They should begin reviewing their policies, processes, contractual rights and obligations as well as standard forms and notices which relate to processing of personal data in order to ensure that they are in compliance with the PDPA. It is no longer “business as usual”. If companies do not have any data protection policies yet, they must put in place sound policies that are consistent with the provisions of the PDPA, and make sure that the policies are actually implemented accordingly. There is no “one-size-fits-all” type of policies, and each policy will need to be drafted according to the specific business nature and operations. Conclusion The PDPA has commercially far-reaching implications and severe penalties in the event of non-compliance. However, one should note that the intent of the PDPA is not to inhibit business or to stifle the legitimate use of personal data, but rather it

The Personal Data Protection Act 2010 (“PDPA”) finally came into force on 15 November 2013 and marks the introduction of a data privacy regime in Malaysia. The objective of the PDPA is to regulate the processing of personal data and to safeguard the data privacy rights of  individuals. It applies to anyone who processes personal data (“data user”) of an individual (“data subject”) in commercial transactions. Data users have until 14 February 2014 to comply with the PDPA. Essentially, a data user must comply with the 7 personal data protection principles, which form the backbone of the PDPA. The 7 principles are; General – consent is required before personal data can be processed Notice & Choice – individuals must be notified of the purpose their data is processed Disclosure – personal data cannot be disclosed without consent Security – data users must take practical steps to protect the security of personal data Retention – personal data can only be retained for as long as it is required Data Integrity – personal data that is collected must be accurate, complete and updated Access – all individuals have the right to view and correct their personal data Aside from the negative publicity, penalties for violation of data privacy or non-compliance or  with the PDPA include fines of up to RM500,000 for companies and/or fines and imprisonment of up to 3 years for officers of the offending company. The Regulations Several new regulations have also been issued. These are: Personal Data Protection Regulations 2013; Personal Data Protection (Class of Data Users) Order 2013; Personal Data Protection (Registration of Data User) Regulations 2013; and Personal Data Protection (Fees) Regulations 2013. Personal Data Protection Regulations 2013 These regulations provide some clarification on the 7 principles, which can be summarised as follows: General Principle – consent obtained by data users from data subjects must be capable of being recorded and maintained properly. It appears that implied consent is not acceptable. Notice & Choice Principle – data users must give data subjects information on how to contact them for inquiries or complaints, such as the designation of the contact person, phone and fax numbers, email address and any other related information (if any). The notice must also be given in Malay. Security Principle – data users must develop and implement a security policy that will comply with the security standards prescribed by the Personal Data Protection Commissioner (“Commissioner”). Data users must also ensure that these security standards are complied with by data processors who process personal data on their behalf. Retention Principle – data users must ensure that personal data of their data subjects are retained in accordance with the standards prescribed by the Commissioner. Data Integrity Principle – data users must ensure that the processing of personal data is in accordance with the data integrity standards prescribed by the Commissioner. Personal Data Protection (Class of Data Users) Order 2013 This order provides that the following classes of data users must register with the Commissioner in the next 3 months: Communications Banking and financial institutions InsuranceHealth (e.g. private hospitals, clinics, dental clinics and pharmacies) Tourism and hospitalities (e.g. tour operators, travel agents tourist guides, tourist accommodation premises) Transportation (all Malaysian airlines) Education (e.g. private higher education institutions, private schools) Direct selling Services (e.g. lawyers, auditors, accountants, engineers, architects, retail and wholesale dealings and employment agencies) Real Estate (e.g. housing developers) Utilities The other two regulations deal with the fees payable under the PDPA and the registration process for data users. Registration fees range from RM100 to RM400, depending on the category of the data user. Appointment of the Commissioner The Minister of Communications and Multimedia has also announced the appointment of Tuan Haji Abu Hassan bin Ismail as the Commissioner. It is also expected that the Personal Data Protection Department (“PDPD”) will be converted into an independent Personal Data Protection Commission, which is consistent with the provisions of the PDPA and in line with international practice. Implementation Phases The writer understands that the PDPA will be implemented in 3 phases: Phase 1 will focus on the registration of data users and creating awareness; Phase 2 will see enforcement teams carrying out inspections for compliance; and Phase 3 will see the Commissioner undertake audits and commence a prosecution for non-compliance. Concluding Words Whilst individuals will rejoice in knowing there is a law that now protects their personal data, there remain numerous points which require clarification as the PDPA has not issued comprehensive guidelines on how the PDPA will be enforced. Nevertheless, given the severe penalties under the PDPA, and potential reputational damage for non-compliance or violation of data privacy, it is unlikely companies will not comply. If not already in place, businesses should immediately review their processes, contracts and standard forms, and implement sound internal policies on personal data processing to ensure compliance with the PDPA. ***** About the author: This article was written by Edwin Lee Yong Cieh, Partner of LPP Law – law firm in Kuala Lumpur, Malaysia (+6016 928 6130, [email protected]). Feel free to contact him if you have any queries. This article was first published in CHIP Magazine Malaysia. The view expressed in this article is intended to provide a general guide to the subject matter and does not constitute professional legal advice. You are advised to seek proper legal advice for your specific situation.

Starting from 1 July 2013, all online businesses have to comply with the new requirements set out in the Consumer Protection (Electronic Trade Transactions) Regulations 2012 (“Regulations”) made by the Ministry of Domestic Trade, Co-operatives and Consumerism (“MDTCC”) under Section 150 of the Consumer Protection Act 1999 (“CPA”). The Regulations apply to individual person and business that supplies goods or services via a website (for e.g. blog shop, online store) or an online marketplace (for e.g. Groupon, Lelong, eBay, Mudah, Zalora, Lazada)(“Online Business Supplier”), as well as operator of online marketplace (“Online Marketplace Operator”). An ‘online marketplace’ is defined as a website where goods or services are marketed by third parties for the purpose of trade. This definition is so wide that arguably it covers websites that charge the Online Business Supplier a fee or commission as well as those that provide such platform for free. Online Business Supplier The main objective of the Regulations is to promote transparency through full and frank disclosure. An Online Business Supplier needs to disclose the following information on the website or online marketplace where the business is conducted: the business name (either the name of the owner, business or company); the registration number of the business or company, if applicable; the email address and telephone number, or address of the Online Business Supplier; a description of the main characteristics of the goods or services; the full price of the goods or services, including transportation costs, taxes and any other costs; the method of payment; the terms and conditions of the sale; and the estimated time of delivery of the goods or services to the buyer. It is an offence if the Online Business Supplier fails to disclose any of the above information, or if he/it provides false or misleading information. In addition, the Online Business Supplier also needs to provide appropriate means to enable the buyer to rectify any errors prior to the confirmation of the order made by the buyer; and he/it should acknowledge receipt of the order to the buyer without undue delay. Online Marketplace Operator As for the Online Marketplace Operator, he/it is required to take reasonable steps to keep and maintain a record of the names, telephone numbers and addresses of the Online Business Suppliers for a period of two years. Failure to keep and maintain such record is an offence. The intention of this is to make it easier for a buyer to track down the identity of the Online Business Suppliers in the event of loss or fraud. Privacy, Unfair Contract Terms, False or Misleading Advertisement In addition, if the Online Marketplace Operator collects and processes personal data of the online buyers and the Online Business Suppliers, he/it must also comply with the Personal Data Protection Act 2010 (which may come into force by the end of 2013). In this respect, the Online Marketplace Operators are encouraged to have in place privacy policy, privacy statement, notice and consent form on their websites and online marketplaces that are drafted in compliance with the requirements under the Personal Data Protection Act 2010. It should be noted that there is no “one size fits all” type of privacy policy, privacy statement, notice and consent form. Online Marketplace Operators must refrain from slavishly copying privacy policy, privacy statement, notice and consent form found in other websites and online marketplaces without having regard to their specific business nature and needs. Although the Regulations does not define what should be included in the “terms and conditions” of the sale, the terms and conditions must not contain unfair terms, otherwise, the terms and conditions may be declared as unenforceable or void under the CPA. Any Online Business Supplier or Online Marketplace Operator who put up false or misleading advertisement in relation to their goods or services will also be liable under the CPA. A Rising Trend in Online Businesses and Online Frauds Online businesses have been gaining popularity in recent years as they present an alternative choice for shopping for consumers in Malaysia. The proliferation of the Internet, the wider broadband penetration, the growing prevalence of smartphones as well as the convenience of online shopping are amongst the driving forces behind the growth of online businesses. According to the MDTCC’s statistics, 1.1 million people in Malaysia carried out online transactions with businesses worth more than RM1.8 billion in 2010 and the figure is expected to grow to RM5 billion by 2014. There are 600 online companies and 16,405 online businesses currently registered with the Companies Commission of Malaysia. Unfortunately, incidents of online fraud have also been on the rise. The number of online frauds reported in 2011 rose to 1,879 cases as compared to 511 cases in 2009. It has been reported that online fraud is one of the factors that deter people from actively engaging in online transactions. Offences and Penalties Any Online Business Supplier or Online Marketplace Operator who fails to comply with the Regulations will, upon conviction, be fined up to RM50,000 or jail up to 3 years or both, and for a second or subsequent offence the person will be liable to a fine of up to RM100,000 or to imprisonment up to 5 years or both, and for a second or subsequent offence the person will be liable to a fine of up to RM100,000 or to imprisonment up to 5 years or both. If the offence is committed by a company, it will, upon conviction, be liable to a fine of up to RM100,000, and for a second or subsequent offence a fine of up to RM200,000. In addition to the criminal penalties, an aggrieved consumer may also lodge a claim with the Tribunal for Consumer Complaints about civil remedies against unscrupulous online traders. Conclusion The enactment of the Regulations shows the growing concerns that the Government has towards strengthening consumer protection in online business transactions. In fact, in conjunction with the Regulations, the MDTCC has also launched an e-commerce guideline for consumers to avoid the pitfalls

On 26 April every year, the intellectual property community around the world celebrates the World Intellectual Property Day (“World IP Day”). World IP Day is celebrated every year to “promote discussion of the role of intellectual property (“IP”) in fostering and encouraging innovation and creativity, and to celebrate the contribution made by innovators and creators to the development of societies across the world”. The World Intellectual Property Organization (WIPO) has named the theme of this year’s World IP Day as “Creativity: The Next Generation”, as it wishes to highlight the role that the next generation of visionary innovators and creators will play in shaping and improving the world. “What is the next big thing to come?” has become the hottest technology phrase. It is a known fact that technology moves so fast that today’s technology could become outdated by the time we master it. Some people cannot wait to get their hands on the latest gadgets, some are curious to find out every new development in the market, many want to know how the world will look like in future, what the new innovations that lie beyond us are, and who would create a song that would become the next online sensation after “Gangnam Style”, which went viral and took the world by storm by hitting 1.5 billion views on YouTube. No one would have thought that a mobile phone can actually function as a computer, combining phone, camera, video camera, music player, GPS, word processing and Internet browsing functions into a little device now widely known as a smartphone. Who would have thought that an online social networking website, Facebook, that was developed and launched from a Harvard dormitory room, would become the most visited website attracting more than 1 billion users worldwide. Google recently introduced Google Wallet, which turns your phone into an electronic wallet, where you can make a payment just by tapping your phone against a Near Field Communication (NFC) point of sale terminal at checkout. By 2015, Google plans to launch Google Glass, an eyeglasses-like wearable computer that can interact with the Internet through voice commands. It is also expected that, by 2025, Google driverless cars will hit the road in many major countries. What used to be science fiction that we see in Hollywood movies will soon become reality. The successful take-off of all these inventions and creations can partly be attributed to the protection given to IP rights. IP rights play an important role in stimulating creativity and innovation, which in turn leads to economic, cultural and social advancement. IP protection also encourages the dissemination of knowledge and provides a guarantee of source and quality to consumers. Different types of IP are protected in different ways, for example, literature and arts such as books, music, films and software are protected as copyright; technological inventions are protected by patent rights; distinctive brands that distinguish one product or service from another are protected through trademark rights; while the unique design or external appearance of objects are protected via industrial design rights. The IP rights framework provides incentives and motivation to innovators and creators to invest time, resources and creative thinking into producing new inventions. Without IP protection, there would be no incentives for film makers to make excellent movies; for artists to produce vibrant music; for inventors to invent new innovative products; or for scientists to develop life-saving drugs that can improve and save millions of lives. Exclusive patent rights are granted to the inventors for a certain period of time in exchange for full disclosure of their inventions and technologies which in turn encourage others to continue to innovate and develop existing products. Studies have also shown that countries with strong IP frameworks and protection experience the greatest innovation, creativity and economic growth. South Korea is a good example. Samsung has now become a household name and a dominant player in the electronic industry. There are millions of fans of K-Pop culture around the world. According to the World Bank’s statistics, South Korea’s GDP per capita has grown from USD$2,000 in 1970 to USD$32,000 in 2012. Ideas matter. Thomas Edison invented and developed, amongst others, the phonograph, motion picture camera and a long lasting electric light bulb that greatly influenced life around the world. Vaccinations have saved the lives of hundreds of millions of people. Music now forms an integral part of our lives. Today, some 2 billion people are connected on the Internet for work, play, communication and entertainment. All these technologies, inventions and creations have had a profound impact on many peoples’ lives. They all stem from someone having a visionary or creative idea to shape and improve the world The future, therefore, lies in the hands of the next generation, and it is hoped that the next generation will make the best use of all these technologies to change the world for the better, and the benefit of humanity. ***** About the author: This article was written by Edwin Lee Yong Cieh, Partner of LPP Law – law firm in Kuala Lumpur, Malaysia (+6016 928 6130, [email protected]). Feel free to contact him if you have any queries. This article was first published in CHIP Magazine Malaysia. The view expressed in this article is intended to provide a general guide to the subject matter and does not constitute professional legal advice. You are advised to seek proper legal advice for your specific situation.