Public Consultation Papers Issued for Upcoming Guidelines on Data Protection Impact Assessment, Data Protection by Design, and Automated Decision Making and Profiling under the Personal Data Protection Act 2010
The Personal Data Protection Commissioner (“Commissioner“) issued three new public consultation papers to seek feedback on the following upcoming Guidelines:
- Data Protection Impact Assessment Guideline;
- Data Protection by Design Guideline; and
- Automated Decision Making and Profiling Guideline.
These public consultation papers and the forthcoming Guidelines form part of the suite of subsidiary Guidelines announced by the Minister of Digital last year, intended to supplement the changes introduced by the Personal Data Protection (Amendment) Act 2024.
The public consultation period for these guidelines is until 19 May 2025.
Click here to read our Legal Update, which provides a brief overview of the key information and issues addressed in the consultation papers. These insights offer a valuable preview of what may be expected in the finalised Guidelines, as well as their potential implications for organisations’ data protection compliance frameworks moving forward.
New Guidelines Regarding Solar Photovoltaic Installations for Self-Consumption and Electric Vehicle Charging Systems
In the first quarter of 2025, the Energy Commission (“EC“) issued several Guidelines, including the following:
- the Guidelines and Revised Guidelines for Solar Photovoltaic Installation for Self-Consumption in Peninsular Malaysia: The initial version of these Guidelines, which regulate the installation and use of solar photovoltaic (PV) systems for self-consumption, came into effect on 1 January 2025. In response to market concerns over the rising costs of compliance under the initial version, EC subsequently issued the revised Guidelines on 27 March 2025;
- the Guidelines on Electric Vehicle Charging System (“EVCS”): Issued on 24 February 2025, this Guideline regulates the installation of EVCSs. Among other matters, they set out safety standards and clarify the roles of various parties involved in the design, installation, operation, and maintenance of EVCSs, to ensure the safety of all stakeholders in the use and operation of electric vehicles and charging infrastructure; and
- the Revised Guidelines for Corporate Renewable Energy Supply Scheme (“CRESS”): Following the Government’s recent announcement on several enhancements to the CRESS, EC issued a revised Guideline, which came into effect on 1 March 2025. Key changes include (i) an expansion of the categories of corporate consumers permitted to participate in the CRESS; (ii) the purchase green energy from renewable energy developers (“REDs“); and (iii) increased clarity about the system access charges that may be imposed by REDs.
To recap, the CRESS is part of the Malaysian Government’s broader initiatives to support the national energy transition agenda, particularly in high-priority sectors. It allows REDs to gain third-party access to the grid system to deliver renewable energy directly to corporate consumers in Peninsular Malaysia.
For more information on these guidelines issued by EC, click on the following links to read our Legal Updates on this topic:
- Guidelines for Solar Photovoltaic Installation for Self-Consumption in Peninsular Malaysia – A Step Forward or Backward?
- Revised Guidelines for Solar Photovoltaic Installation for Self-Consumption in Peninsular Malaysia
- Energy Commission Issues Guidelines on Electric Vehicle Charging System (EVCS)
- Revised Guidelines for Corporate Renewable Energy Supply Scheme (CRESS)
Launch of Personal Data Protection Guidelines for Appointment of Data Protection Officer and Mandatory Data Breach Notification
In February 2025, the Personal Data Protection Commissioner (“Commissioner“) launched two new guidelines: (i) the Personal Data Protection Guideline: Data Protection Officer (“DPO“) (“DPO Guideline“) and (ii) the Personal Data Protection Guideline: Data Breach Notification (“DBN“) (“DBN Guideline“) (collectively, “Guidelines“).
These Guidelines are to be read with Circular of the Personal Data Protection Commissioner No. 1/2025 (Appointment of Data Protection Officer) and Circular No. 2/2025 (Data Breach Notification), which have also been issued by the Commissioner.
The Guidelines set out the implementation requirements for the new DPO appointment and mandatory DBN obligations specified in the Personal Data Protection (Amendment) Act 2024 (“PDPA Amendment Act“), which comes into force in stages from 1 January 2025. Our News Alert on the official dates for the commencement of the PDPA Amendment Act is accessible here.
The Guidelines are the first two documents in a suite of guidelines currently being developed by the Commissioner, with the remaining guidelines expected to be released progressively throughout 2025. The Guidelines will come into effect on 1 June 2025.
For further information on the key provisions and requirements outlined in the Guidelines, click here to read our Legal Update.
Coming into Force of Changes to the Communications and Multimedia Act 1998
At the December 2024 Malaysian parliamentary sitting, a flurry of legislative developments took place. Multiple bills, primarily focused on online safety and harms, were introduced and swiftly passed by the Malaysian Parliament. Among them was the Communications and Multimedia (Amendment) Bill 2024 (“CMA Amendment Bill“), which introduced significant amendments to the Communications and Multimedia Act 1998.
The CMA Amendment Bill was gazetted on 7 February 2025 as the Communications and Multimedia (Amendment) Act 2025 (“CMA Amendment Act“). Most of its provisions officially came into force on 11 February 2025, save for the following, which will only take effect on a later date to be notified by the Communications Minister:
- the new section 233A on the sending of unsolicited commercial messages; and
- the new sections 252A and 252B governing the preservation and disclosure of communications data.
For a summary of the key changes introduced by the CMA Amendment Act, click here to read our Legal Update.
Malaysia and Singapore Launch Patent Prosecution Highway (PPH) Pilot Programme
On 18 January 2025, the Intellectual Property Corporation of Malaysia (“MyIPO“) and the Intellectual Property Office of Singapore (“IPOS“) launched a Patent Prosecution Highway (“PPH“) pilot programme to allow patent applicants to request expedited examination of their applications at either office. The pilot programme runs for a period of two years until 18 January 2027.
PPH is a work-sharing programme whereby a patent application is examined by referencing examination results from another intellectual property office. By relying on the examination results from one office to accelerate the examination process by the other, the patent prosecution becomes faster and more efficient.
The commencement of the MyIPO and IPOS PPH pilot programme marks a significant step towards strengthened patent cooperation between the two offices.
Employer's Liability in Copyright Infringement: When an Employee's Action Becomes a Corporate Risk
In the recent case of Siemens Industry Software Inc v KB Engineering Coatings Sdn Bhd [2024] MLJU 2638, an employee’s unauthorised use of licensed software gave rise to allegations of vicarious liability against the employer. This case raised a critical question before the Court of Appeal: can a company be held vicariously liable for an employee’s copyright infringement, even if it had no knowledge of the infringing act?
The Court of Appeal allowed the Plaintiff’s application for summary judgment, and held that the Plaintiff had successfully established a claim for copyright infringement, with the Defendant being vicariously liable. The Court found that there were no triable issues, based on, among others, the following findings:
- Plaintiff’s prima facie ownership of copyright: The Plaintiff was able to prove ownership of the software’s copyright by submitting the required affidavit and certified extracts under the Copyright Act 1987;
- Evidence of unlicensed use of software: There was clear evidence of copyright infringement, including a tampered software licence file, which enabled unauthorised access to all modules of the software. This was discovered on the work laptop of the Defendant’s employee;
- Vicarious liability: The Court held that an employer may be vicariously liable if an employee’s unauthorised act is closely connected to his/her duties. The Defendant’s claim that the software was downloaded for personal educational use was unsubstantiated. As the software was found on the employee’s work laptop and used during employment, the Court found the Defendant vicariously liable; and
- Defendant’s lack of knowledge: Copyright infringement is a strict liability offence. As such, the Defendant’s knowledge, intent, or lack thereof was deemed irrelevant in determining liability.
This case is a timely reminder to companies that pleading ignorance is no defence. Employers may be vicariously liable for copyright infringements committed by their employees, even where they were unaware of such act(s). The legal and financial consequences of such liability can be significant.
To mitigate these risks, companies must go beyond merely having policies in place. Robust enforcement of software usage policies, along with regular training and awareness programmes, is essential to educate employees on their software compliance and copyright obligations.
For more information, click here to read our Legal Update.
Malaysian Court of Appeal Affirms Recognition and Enforcement of ICSID Arbitral Award
On 28 March 2025, the Malaysian Court of Appeal, in the case of Republic of Zimbabwe v Elisabeth Regina Maria Gabriele Von Pezold & Ors [unreported], unanimously upheld the decision of the Kuala Lumpur High Court to recognise and enforce a foreign arbitral award under the Convention on the Settlement of Investment Disputes between States and Nationals of Other States (“ICSID Arbitral Award“) as if the ICSID Arbitral Award was a judgment made by the Malaysian High Court. This landmark ruling is the first time the Malaysian Court of Appeal has recognised an ICSID Arbitral Award.
In dismissing the appeal, the Court of Appeal held, among others:
- Section 3 of the Malaysian ICSID Act confers substantive jurisdiction to the High Court to recognise and enforce an ICSID Arbitral Award as if it is a judgment of the High Court;
- Bearing in mind the substantive jurisdiction conferred, the lack of a specified procedural framework under the ICSID Act or otherwise does not preclude the recognition and enforcement of an ICSID Award in Malaysia. This approach also confirms with Malaysia’s treaty obligation as a contracting state to the ICSID Convention;
- A holder of an ICSID Arbitral Award goes through a two-stage process:
- Stage One: Recognition and Enforcement – Under Article 54(1) of the ICSID Convention, each contracting state is obliged to recognise an ICSID Arbitral Award as binding and enforce the same accordingly. Refusal to recognise such an award is not an option, even on grounds of sovereign immunity.
- Stage Two: Execution – Article 54(3) of the ICSID Convention provides that the execution of the ICSID Arbitral Award is governed by laws concerning the execution of judgments in force in the state in whose territory such execution is sought.
In other words, contracting states may be said to have waived their immunity from jurisdiction in relation to recognition and enforcement of an ICSID Arbitral Award but not any immunity that they may have from the process of execution.
Christopher & Lee Ong acted for the respondents in this matter.
Malaysian Apex Court Confirms Immunity of Asian International Arbitration Centre
In Asian International Arbitration Centre v One Amerin Residence Sdn Bhd & Ors and Another Appeal [2025] 3 MLRA 83, the Malaysian Federal Court held that the Asian International Arbitration Centre (“AIAC“) is immune from judicial review for its acts and decisions when acting in its capacity as the domestic and statutory adjudication authority under the Construction Industry Payment & Adjudication Act 2012 (“CIPAA“).
A dispute had arisen for payment for construction works done by the Third Respondent, Ragawang Corporation Sdn Bhd (“Ragawang“), for the First Respondent, One Amerin Residence Sdn Bhd (“One Amerin“). Ragawang then commenced an adjudication claim under the CIPAA against One Amerin.
In September 2018, the Director of AIAC appointed Mr Choon Hon Leng to act as the Adjudicator (“Adjudicator“). However, One Amerin objected to the appointment and filed an application for leave to commence judicial review proceedings (“JR“) in the High Court seeking among others, (i) an order of certiorari to quash the decision of AIAC to appoint the Adjudicator; and (ii) a declaration that the notice issued by AIAC compelling One Amerin and Ragawang to deposit the full sum of the Adjudicator’s fee with AIAC was illegal, unlawful, invalid and of no effect in law.
AIAC applied to strike out the JR (“Striking Out“) on the grounds that AIAC was an international organisation which was conferred immunity from any court proceedings pursuant to the International Organizations (Privileges and Immunities) Act 1992 (“IOPA“) and section 34 of the CIPAA.
While the High Court allowed the Striking Out filed by AIAC, the Court of Appeal overturned the High Court decision, finding that the immunities provided to AIAC under the IOPA were restricted to acts carried out by AIAC in the exercise of its functions as mandated under international agreements, and did not apply to judicial review proceedings relating to the acts of AIAC in its capacity as the statutory adjudication authority under the CIPAA.
The Federal Court’s decision, published on 13 February 2025, set aside the decision of the Court of Appeal and confirmed that AIAC is immune from judicial review for acts and decisions made in its capacity as the domestic and statutory adjudication authority under the CIPAA. The Federal Court rationalised the grant of immunity to AIAC on the basis of protecting its independence to ensure its ability to function autonomously and effectively; and to enable the institution to accomplish its objective of promoting and facilitating alternative dispute resolution (ADR) services in Malaysia.
Malaysian High Court Rules QR Code Itself Not IP-Protectable, but Underlying System Warrants Protection
The Malaysian High Court in Nestle Products Sdn Bhd v Mad Labs Sdn Bhd & Anor [2025] MLJU 292 examined whether intellectual property (“IP“) rights could arise in a QR code used by Nestle on its “MAGGI Hot Cup” products. The QR code had been developed by Mad Labs for a six-month trial period but Nestle continued using it beyond that timeframe without Mad Labs’ authorisation.
The High Court held that Mad Labs did not own any proprietary or IP rights in the QR code itself. QR codes, originally developed by Denso Wave, are not protected by patents or other IP rights, as Denso Wave had intentionally chosen not to patent the technology. The Court took judicial notice of the fact that QR codes are universally free to generate, use, and duplicate.
However, Mad Labs argued that its QR code was unique due to its dynamic features, which allowed the modification of target URLs and digital content even after the code was printed. While the QR code itself was not protectable, the Court acknowledged that Mad Labs did hold rights over this functionality. Specifically, during the trial period, the QR code hosted on Mad Labs’ servers redirected users to campaign content selected by Nestle. Nestle had open access but not full ownership of this dynamic infrastructure.
The Court found that Nestle’s continued use of the QR code post-trial period, without acquiring the rights to the underlying dynamic functionality, amounted to unauthorised use of Mad Labs’ proprietary system. Accordingly, Mad Labs was entitled to compensation, and a permanent injunction was granted to restrain Nestle from further using the QR code on its products.
Malaysian High Court Accepts Online Commercial Activity as Sufficient Presence for Enforcing Foreign Judgment
The Malaysian High Court in the recent case of Reflex Media, Inc & Anor v Endeavor Standard Sdn Bhd & Anor [2025] MLJU 844 considered whether a United States (“US“) court judgment for trademark infringement could be enforced against Malaysian defendants. The Defendants were the operator and director of a dating website known as Sugar Book. A US court had awarded a default judgment, including statutory damages of US$4 million, after the Defendants failed to defend the action. As the US is not listed in the First Schedule of the Reciprocal Enforcement of Judgments Act 1958, the Plaintiff sought to enforce the judgment in Malaysia under common law.
The central issue was whether a party could be considered present in a foreign jurisdiction through online commercial activities, in the absence of a physical presence. Courts have traditionally required a fixed place of business to establish such presence. However, the High Court recognised that this standard is outdated in the context of modern digital commerce.
Relying on jurisprudence from Australia, Canada, and Hong Kong, the Court held that online commercial conduct, such as offering services to foreign residents, accepting local currency, using local servers, and targeting local consumers, can constitute sufficient presence. This aligned with the “real and substantial connection” test applied in Malaysia.
The Court also rejected the argument that US statutory damages were penal and contrary to Malaysian public policy. It held that the damages were compensatory in nature, awarded in a civil suit between private parties, and consistent with Malaysia’s own intellectual property regime and international obligations under the Trade-Related Aspects of Intellectual Property Rights (TRIPS) Agreement.
Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice
