Articles

Note: Barring any further amendments to the law, this article should be read in the context of the Bill being passed in its current form as at the time of writing as of 11 July 2024. The Personal Data Protection (Amendment) Act 2024 (“PDPA Amendments in 2024“) is currently at the 1st reading stage in the Malaysian Parliament. It will proceed through further readings and must be approved by both Houses of Parliament before being presented for Royal Assent by His Majesty The Yang di-Pertuan Agong. Therefore, it may take some time before the Bill legally comes into force. Malaysia’s Personal Data Protection Act (PDPA) 2010 (“PDPA”) is set to undergo significant updates aimed at aligning with international standards and strengthening the protection of personal data. Here is an overview of the key proposed changes, comparisons with the current provisions, and our insights on these proposed amendments: Terminology Update Current Position: The term “data user” is used throughout the PDPA. Proposed PDPA Amendments in 2024: The term “data user” will be replaced with the term “data controller”. This proposed amendment aligns Malaysia’s data protection terminology with global standards, such as those used in the General Data Protection Regulation (GDPR), ensuring consistency and facilitating international data protection compliance. New Definitions Current Position: The PDPA currently does not explicitly define “biometric data” or “personal data breach.” Proposed PDPA Amendments in 2024: These amendments aim to provide better clarity in the PDPA, ensuring specific categories of sensitive data and incidents are clearly identified and adequately protected. Enhanced Responsibilities of Data Processors Current Position: Data processors are not explicitly required to comply with the security principle. Proposed PDPA Amendments in 2024: Data processors, who process data on behalf of data controllers, must now comply with the security principle under the PDPA. This amendment requires data processors to implement appropriate technical and organizational measures to protect personal data, thereby ensuring accountability and enhancing overall data protection practices. Increased Penalties Current Position: Penalties for non-compliance include fines up to RM300,000 and imprisonment up to two years. Proposed PDPA Amendments in 2024: The fines for breaches are increased to RM1,000,000, and the maximum imprisonment term is extended to three years. These heightened penalties underscore the seriousness of compliance and aim to deter violations by imposing more severe consequences. Data Protection Officers (DPOs) Current Position: There is no mandatory requirement for the appointment of DPOs. Proposed PDPA Amendments in 2024: Data controllers and processors must appoint one or more DPOs responsible for ensuring compliance with the PDPA. This requirement aligns with international best practices, ensuring that organizations have dedicated personnel to manage and safeguard personal data effectively. Data Breach Notification Current Position: There is no explicit requirement for data breach notifications. Proposed PDPA Amendments in 2024: Data controllers must notify the Personal Data Protection Commissioner of any data breaches as soon as practicable. If the breach causes or is likely to cause significant harm to the data subject, data controllers must notify the affected data subjects promptly. Failure to comply can result in fines up to RM250,000 or imprisonment for up to two years. The form and manner of notification will be further determined by the Personal Data Protection Commissioner. Introducing mandatory data breach notifications ensures timely awareness and response to data breaches. This requirement aligns with international best practices, enhancing transparency and accountability in data protection. Rights to Data Portability Current Position: The PDPA does not currently provide a right to data portability. Proposed PDPA Amendments in 2024: Data subjects can request their personal data to be transferred to another data controller, subject to technical feasibility and compatibility of the data format. This right enhances data subject control over their personal data and facilitates smoother transitions between service providers. Cross-Border Data Transfers Current Position: Section 129 of the PDPA prohibits the transfer of personal data to a place outside Malaysia unless such place is specified by the Minister by notification in the Gazette. No such whitelist has been issued and gazetted thus far. Proposed PDPA Amendments in 2024: Data controllers can transfer personal data to countries that provide adequate protection equivalent to the PDPA. The requirement for the Minister to specify places for data transfers is removed. The amendment shifts the authority from the Minister to the data controller, allowing the data controller to decide on data transfers based on adequacy standards. This change aims to streamline cross-border data flows while ensuring that data transferred internationally is adequately protected. Miscellaneous Amendments Various amendments are proposed to enhance clarity and consistency within the PDPA. These include updates to definitions, procedural changes, and adjustments to ensure the Act remains coherent. Conclusion These Proposed PDPA Amendments in 2024 represent a significant step forward in strengthening Malaysia’s data protection framework. By aligning with international standards and addressing emerging data protection challenges, the amendments aim to provide robust safeguards for personal data and enhance trust in the digital ecosystem. Immediate Action Required Given the significant amendments, it is high time for companies and organizations in Malaysia to look into PDPA compliance seriously. Companies and organizations that already have a PDPA compliance framework will need to update and revise their framework, while those who do not yet have one will need to start implementing these practices within their organization.

The Malaysian Personal Data Protection Act (PDPA), effective since November 15, 2013, governs the processing of personal data within Malaysia. It applies to all businesses involved in commercial transactions. However, as Malaysian enterprises increasingly expand their operation across international horizons, a pressing question arises: does compliance with the PDPA seamlessly align with the stringent requirements of GDPR (General Data Protection Regulation)? Indeed, the GDPR is relevant to Malaysian companies if they either provide goods or services to, or monitor the activities of, individuals within the European Union – Article 3 of GDPR[1]. Failure by Malaysian companies to adhere to GDPR standards when collecting or processing personal data of EU citizens may result in the imposition of hefty fines of up to 4% of global annual turnover or €20 million, whichever is greater, for non-compliance[2]. To introduce GDPR briefly, it is a regulation in EU law, since May 25, 2018, on data protection and privacy in the European Union (EU) and the European Economic Area (EEA) which aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business through harmonised regulation within the EU. Complying with PDPA the same with GDPR? While both the PDPA and GDPR share the common goal of safeguarding an individual’s right to their personal data, however, GDPR provides individuals within the European Union with more extensive rights in relation to their personal data. GDPR stands as a more comprehensive and rigorous data protection law compared to the PDPA. It grants individuals greater control over their personal data and places stricter obligations on organisations engaged in personal data processing. Nevertheless, the detailed comparison between PDPA and GDPR merits a separate discussion. Should a Malaysian companies adopt GDPR standards? The Golden Standard. GDPR’s inception was driven by the aim of advancing the Digital Single Market[3] strategy, seeking to establish a unified set of regulations in the digital realm while encouraging innovative thinking in areas pivotal to competitiveness and future technological growth. GDPR’s comprehensiveness is geared towards establishing leadership in the global digital economy. By offering enhanced protection, it bolsters fundamental societal rights. GDPR, notably, mandates that individuals must provide explicit consent – Recital 32 of GDPR[4][LPP1]  before data processing is permitted and enables individuals to request for deletion of their data (the right to be forgotten – Article 17 of GDPR[5]), these are provisions which are absent in PDPA [LPP2] and grant individuals greater control over their own data. One Set of Regulations for Eeveryone. The GDPR is the unified legislation on personal data protection throughout the European countries. It provides similar benefits and rights for all individuals regardless of the company size. This means that Malaysian companies that adopt GDPR standards will only have to comply with one set of regulations, rather than multiple sets of regulations in different countries. Modern Personal Data Protection Framework. GDPR introduces innovative concepts that are absent in the PDPA, like data portability and streamlined data transfer mechanisms, which are vital components of its modernity, aligning with the borderless nature of the digital age. Data portability – Article 20 of GDPR[6], a hallmark of GDPR, empowers individuals by allowing them to request their personal data in a machine-readable format. This facilitates easy transfer of their data to another service provider (data controller), ensuring modern data practices align with user-centric principles. Additionally, GDPR’s approach to international data transfers – Article 44 of GDPR[7] is noteworthy. It offers a range of mechanisms, such as mandates data protection impact assessments[8][LPP3]  ,Standard Contractual Clauses[9] (SCCs) and Binding Corporate Rules[10] (BCRs), to facilitate secure and compliant cross-border data flows (contrast with the default position on transfer under PDPA[11]). [LPP4] The GDPR reflects the modern reality of global data transfer requirements and ensures that individuals’ personal data remains protected regardless of geographical boundaries. By adopting GDPR standards, Malaysian companies can embed data protection principles into the earliest stages of product development emphasis on “privacy by design and default”. Stricter Personal Data Legislation. GDPR stands out as notably stricter than PDPA in safeguarding personal data. It enforces significantly higher fines for non-compliance, imposes rapid data breach notification requirements, and sets a higher standard for obtaining and recording consent. As consumers are increasingly aware of their data privacy rights and are more likely to do business with companies that they trust to protect their data. Adopting GDPR standards not only shows that a company is committed to protecting its customers’ data privacy but a strategic move that positions companies favourably in the global marketplace. Conclusion In conclusion, while Malaysian companies are inherently bound by the PDPA, the adoption of GDPR standards, which represent a more comprehensive and rigorous data protection regime, presents an array of advantages, particularly for companies venturing into the European market. However, it is crucial to acknowledge that embracing GDPR standards necessitates meticulous deliberation by companies, as it entails significant shifts in data collection practices and often requires substantial technological investments. [1] https://gdpr-info.eu/art-3-gdpr/ [2] https://gdpr-info.eu/art-83-gdpr/ [3] https://edps.europa.eu/data-protection/our-work/subjects/digital-single-market_en [4] https://gdpr-info.eu/recitals/no-32/ [5] https://gdpr-info.eu/art-17-gdpr/ [6] https://gdpr-info.eu/art-20-gdpr/ [7] https://gdpr-info.eu/art-44-gdpr/ [8] https://gdpr-info.eu/art-35-gdpr/ [9] https://gdpr-info.eu/recitals/no-168/ [10] https://gdpr-info.eu/art-47-gdpr/ [11] https://www.azmilaw.com/insights/data-protection-limits-to-the-lawfulness-of-transborder-flow-of-personal-data-outside-malaysia/

In general, the directors of a company have the power and authority to make decisions pertaining to the business of the company. However, it is essential to note that certain transactions require approval from the company’s shareholders, as stipulated by the Companies Act 2016 (“Act”). An instance of this is when the company engages in substantial property transactions with its directors, substantial shareholders, or persons connected with them. This requirement is defined in Section 228 of the Act. Rationale for Section 228 Section 228 is designed to prevent potential abuses, such as self-dealing and asset-stripping, by directors and controlling shareholders. This often occurs through transactions involving acquisition of assets for the company or sale of the company’s assets at non-market rates or on less favourable terms than the company would have received from a bona fide third party. Such actions can be detrimental to the interests of shareholders, given that they are unfairly structured to shift wealth from the company to the interested individuals involved. To address these risks, Section 228 introduces specific procedures that must be observed and complied with by a company when a transaction falls within its scope. Essentially, this section requires shareholders’ approval to be obtained for transactions involving related parties as defined by its provisions. Transactions entered into by a company in contravention of Section 228 shall be void. Identifying Transactions Falling under Section 228 To fall under the umbrella of Section 228, there are 3 elements that must be present: Element 1: Type of arrangements or transactions The type of arrangements or transactions falling under Section 228 contains in two limbs – Section 228(1)(a) and (b). Such arrangements or transactions can take any of the following forms between the company and a related party: “Non-cash asset” means any property or interest in property other than cash. Furthermore, it is clear from Section 228(1)(a) and (b) that the acquisition or disposal of shares or non-cash assets shall be made with the company (Kam Thai Eng Linda & Anor v Tan Sri Dato’ Kam Woon Wah & Ors [2020] 1 LNS 2124). Element 2: Categories of Related Parties                                  Section 228 applies where transactions made by the company are with any of the following related parties: (a) a director (as defined in Section 210 of the Act) of the company or its holding company; or (b) a substantial shareholder (as defined in Section 136 of the Act); or (c) a person connected with the director or substantial shareholder. A “person connected with a director” is defined in Section 197 and includes: This same definition also applies to persons connected with a substantial shareholder. Element 3: Requisite Value Section 228 only applies where the transactions meet the requisite value threshold stated under this section. For public listed companies and their subsidiaries, requisite value shall mean the value as defined in the listing requirements of the stock exchange where shareholders’ approval at a general meeting is required. On the other hand, for private or unlisted public companies, it depends on the value of non-cash assets involved in the transaction. The table below summarises when the prior approval of shareholders is required to be obtained to comply with Section 228: Threshold Value Shareholders’ Prior Approval  Less than RM50,000   No More than RM50,000 and less than 10% of the company’s net assets No More than RM50,000 and more than 10% of the company’s net assets Yes More than RM250,000   Yes The value of the company’s net assets is determined based on the accounts prepared in accordance with Section 245 of the Act for the last financial year preceding the transaction. In cases where no accounts have been prepared prior to the transaction, the value is determined based on the company’s called-up share capital. Exempted Transactions There are exceptions to Section 228. Section 229 identifies various transactions that do not qualify as related party transactions. These exceptions include: For transactions falling within these exceptions, the approval of shareholders is not a prerequisite. When all 3 elements mentioned above are satisfied, the approval of the company’s shareholders in a general meeting must be obtained before the said arrangement or transaction can be carried into effect and valid in law, unless the transaction comes under one of the exceptions provided under Section 229 (Omega Securities Sdn Bhd v. Yeo Lee Hoe [2003] 1 CLJ 276). How is prior approval obtained? If a transaction or arrangement falls within the ambit of Section 228, it must be approved through a resolution passed by the shareholders at a general meeting. The resolution required is an ordinary resolution, and Section 228(1)(A) or (B) specifies that the approval must occur at a general meeting. This means that a member’s resolution in writing is not an option for the purpose of compliance with Section 228. As for the reading of Section 228(1)(A) and (B), the High Court in Kam Thai Eng Linda held that Section 228 only requires shareholders’ prior approval before an arrangement or transaction is ‘carried into effect’, rather than before the transaction is “entered into,” which can be made subject to the shareholders’ approval. The implication is that shareholders are required to provide their approval before the transaction is executed or implemented. However, it is possible for initial negotiations or discussions about the transaction to occur or for the parties to enter into the arrangement before seeking shareholders’ approval, as long as approval is obtained for the company to formally proceed with the transaction and become legally bound by the terms of the arrangement. If the transaction or arrangement benefits a director or substantial shareholder of the company’s holding company, or a person connected with such a director or substantial shareholder, it also necessitates prior approval through a resolution of the holding company (Section 228(2)(b)). In cases where the company involved in the acquisition or disposal is an unlisted subsidiary of a publicly listed company, approval for the same transaction or arrangement is required from the shareholders of the unlisted subsidiary at a

Introduction In the dynamic world of business, the Letter of Intent (“LOI”) often plays a critical role in shaping major deals. Serving as a foundational tool in business negotiations, it bridges the gap between informal discussions and formal contracts. This article explores the significances of the LOI, its legal standing and its application across various business contexts. What is an LOI? An LOI is a preliminary document outlining proposed key terms and intentions for a business deal. For instance, an LOI might outline the basic terms of a merger before the parties negotiate the details. Generally, it is non-binding, but specific clauses such as confidentiality can be made binding to safeguard sensitive information exchanged during business negotiations. Key Elements of an LOI: An effective LOI encompasses key elements that lay the groundwork for successful negotiations. These include: Benefits of Using an LOI: Using an LOI in business negotiations offers several benefits: Legal Interpretation of an LOI – Insights from a Landmark Malaysian Case The 1994 Malaysian Supreme Court case, Ayer Hitam Tin Dredging Malaysia Bhd v. Y C Chin Enterprises Sdn Bhd [1994] 3 CLJ 133 provides crucial insights into the legal interpretation of LOI in Malaysia. In essence, this landmark case illustrates that the binding nature of an LOI hinges on the specific terms used and the intentions behind the LOI. Nature of an LOI Parties’ Intentions Details of LOI and Financial Commitments Potential for Compensation Practical Application of the LOI: The LOI plays a crucial role in commercial transactions and business negotiations, as seen in various business scenarios. The examples as provided below underscore the importance of an LOI as a preliminary but pivotal step in formalising intentions and terms in various high-stake business dealings: Conclusion In business negotiations, an LOI is more than just a preliminary step; it is a strategic tool. By clearly outlining the terms of a proposed deal, it leads to smoother negotiations and stronger partnerships. Its effective use can significantly enhance the success and efficiency of business transactions.