Regional Round-Up: Malaysia Q1 2022

New Licensing Requirement on the Provision of Cloud Services Comes into Force

Pursuant to the “Advisory Notice on Cloud Service Regulation Introduced to Increase Accountability for User Data Security and Sustainability of Services”, as well as the “Information Paper on Regulating Cloud Services” issued by the Malaysian Communications and Multimedia Commission (“MCMC”), the new licensing requirement on the provision of cloud services has come into force with effect from 1 April 2022.

Under the new licensing requirement, the following cloud service providers are required to be registered under the Applications Service Providers Class (“ASP(C)”) licence:

  1. a local data centre assisting foreign cloud providers to provide their Platform-as-a-Service (“PaaS”) or Infrastructure-as-a-Service (“IaaS”) cloud services to end users in Malaysia; or
  2. a locally incorporated company providing PaaS or IaaS cloud services to end users in Malaysia.

Where an ASP(C) licence is required, cloud service providers should immediately apply for an ASP(C) licence and put in place the relevant measures to ensure compliance with all such instruments, guidelines, technical standards, or regulatory policies as may be imposed by MCMC from time to time. Any failure by a cloud service provider to obtain an ASP(C) licence is an offence under the Communications and Multimedia Act 1998 and such service provider shall, on conviction, be liable to a fine not exceeding RM500,000 (where US$1.00 = RM4.20, approximately), or to imprisonment for a term not exceeding five years, or both. Such service provider shall also be liable to a further fine of RM1,000 for every day or part of a day during which the offence is continued after conviction.


Latest Guidelines on Personal Data Protection Notices under the Personal Data Protection Act 2010 (PDPA)

Pursuant to Section 7 of the Personal Data Protection Act 2010 (“PDPA”) (Notice and Choice Principle), the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi or “JPDP”) has recently issued a Guide to Prepare Personal Data Protection Notice (“Guidance Note”). The Guidance Note guides data users in preparing simple but comprehensive personal data protection notices (“privacy notices”) which are aligned with the current business ecosystem and the personal data protection landscape in Malaysia.

This update provides a brief summary of the Guidance Note, which, among other things, clarifies the existing requirements on privacy notices under the PDPA and provides additional requirements for the preparation and implementation of privacy notices. While it has not been expressly stated whether the requirements under the Guidance Note are compulsory or recommended best practices, all data users should review and reassess their existing privacy notices and make any necessary amendments to ensure they are in compliance with the Notice and Choice Principle as well as the Guidance Note.

High Court Issues Key Decisions on Schemes of Arrangement

The recent decision of the Malaysian High Court in Re Top Builders Capital Bhd & Ors [2022] MLJU 1 reaffirms some key principles about schemes of arrangement (“SOA”). These include:

  1. the classification of creditors in the SOA is to be based on the similarity of legal rights;
  2. the contents of the explanatory statement(s) should be clear, complete, and not misleading, and there is a need to be selective with the facts;
  3. the proceedings of a scheme meeting held virtually are valid;
  4. the scheme Chairman could extend the deadline for the submission of proof of debt forms for the SOA without a Court order;
  5. there must be some prima facie evidence of impropriety to allow scheme creditors to inspect the proof of debt forms of other scheme creditors; and
  6. the issue of whether to discount or to disregard the votes of wholly-owned subsidiary creditors is a matter of discretion for the Court based on several discretionary factors.


Climate Risk Management and Scenario Analysis (Exposure Draft)

In late 2021, Bank Negara Malaysia (“BNM”) issued an exposure draft on Climate Risk Management and Scenario Analysis (“Exposure Draft”). The Exposure Draft sought to address the challenges to financial stability posed by climate change by laying out principles and requirements that financial institutions must comply with in their management of climate-related risks.

Since the submission period for feedback to the Exposure Draft has passed, it remains to be seen whether the policy document will come into effect on 1 June 2022 as proposed. There could also be further developments to the policy document following the public feedback, although it is highly likely that the overarching principles are here to stay.


Extension of Part IV of AMLA to IEOs, Digital Custodians and Digital Asset Advisors; Explicit Broadening to Equity Crowdfunding, Crowdfunding, P2P and other Recognised Market Operator Platforms

On 24 December 2021, the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities (Invocation of Part IV) Order 2021 and the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities (Amendment of First and Second Schedules) Order 2021 came into effect. These extend the application of Part IV of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (“AMLA”) to various fintech players.

Part IV of the AMLA deals with reporting obligations of reporting institutions, including the duties of record-keeping, customer due diligence, having a compliance programme, and other requirements related to disclosure, tip-off, and investigation or protection of reporting persons and institutions.

For digital asset players (i.e. digital asset exchanges (DAX) and initial exchange operators (“IEOs”)), the language has been widened to include intermediaries and those involved in the provision of advisory services relating to the offer or sale of digital currencies or digital tokens. There is now explicit clarity that digital tokens are also included (previously, reference was only made to digital currencies), meaning that digital asset custodians are also now bound by Part IV of the AMLA.

The amendments also affect the definition of a “reporting institution”, bringing other fintech players such as equity crowdfunding (ECF), peer-to-peer (P2P), property crowdfunding and e-services platforms into the fold. IEOs which facilitate the issuance of digital tokens are now also included. The amendments are unlikely to cause much operational concern for these players as they already have to comply with AMLA requirements via guidelines imposed by the Securities Commission of Malaysia and Bank Negara Malaysia. However, this is now more clearly grounded in primary legislation.


Determining the Extent of the Inland Revenue Board’s Powers to Request for Disclosure of Personal Information: Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors.

The recent case of Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors is significant as it is the first time the Malaysian courts heard a challenge to the powers of the Director General of the Inland Revenue Board (“DGIR”) to request for disclosure of personal data under the Income Tax Act 1967 (“ITA”). Here, one of the grounds of the challenge was based on the protection afforded under the Personal Data Protection Act 2010 (“PDPA”).

The High Court ruled in favour of Genting Malaysia Berhad (“GMB”) and held that the PDPA does not allow the DGIR to make blanket requests for access to personal data of all GMB’s customers, based on the following reasons:

  1. The blanket demand made by the DGIR is an infringement of the right to life and personal liberty under Article 5(1) of the Federal Constitution, which guarantees the fundamental liberties of every person including the right to privacy.
  2. The DGIR cannot use the ITA as an instrument of fraud to conduct “fishing expeditions” to gain bulk access to the personal data of GMB’s customers.
  3. The exemptions under Sections 39 and 45 of the PDPA cannot be relied upon by the DGIR, but may be relied upon by the data user (i.e. GMB).
  4. To the extent of any conflict between the ITA and the PDPA, the PDPA shall prevail as it is a specific and more recent legislation enacted for the protection of personal data.
  5. Notwithstanding Section 3(1) of the PDPA, which exempts the Federal Government and the State Government from the PDPA, regulatory authorities that are statutorily incorporated body corporates (e.g. the Inland Revenue Board) are still bound by the PDPA.


Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice.
