India wants to monitor, intercept and track WhatsApp messages in a bid to curb the spread of misinformation. As you can imagine, this has caused quite the furore but you might be interested to know that some good could also come from the move.

Produced by: Sumitra Selvaraj
Presented by: Tee Shiao Eek, Sumitra Selvaraj, Sharmilla Ganesan

BFM Takeaway 2019 – Brainstorming F&B Matters

I will be speaking at the BFM Takeaway 2019 on 4 November 2019 together with Derek Cheong, Managing Director of Xing Fu Tang Malaysia and Catherine Goh, General Manager of Santan & T&Co under the topic “License to Feed”

Maybe you’ve perfected a family recipe, innovated your very own signature snack or you’re running a restaurant and it’s thriving. Now it’s time to share your business with the rest of Malaysia, perhaps even the world! In this session, we’ll hear from entrepreneurs who have successfully transformed humble home-grown businesses into internationally recognised brands that have put Malaysia on the map. You’ll gain insights into how to master a method of doing business that can be scaled for success and we’ll explore the advantages to licensing your brand or product. We’ll even have a licensing lawyer on board to help you through the nuances of expanding your business.

Wong Shou Ning of BFM will be moderating the Session.

– Download the Agenda here.
– Get your tickets here

We are looking for interns!

As an intern, you will be exposed to matters relating to cyberlaw, intellectual property, franchise and data protection laws.

Law students and graduates are encouraged to apply.

Please send your CV to mail@fcl-co [dot] com.

Malindo Air’s Data Breach

I was asked to comment on Malindo Air’s latest data breach incident by South China Morning Post, Malaysian Reserves and Global Data Review.

Malindo Air, a subsidiary of low-cost airline Lion Air, has suffered a massive data breach, resulting in the information of millions of passengers – including passport details, home addresses and phone numbers – being leaked onto data exchange forums last month.

In South China Morning Post’s article title ” Malindo Air confirms data breach, exposing millions of passengers’ personal data“, it was reported-

Cyber law and technology lawyer Foong Cheng Leong said that companies in breach of Malaysia’s Personal Data Protection Act are not under any legal obligation to notify the authorities, the public, or the victim of the leak, although this lacuna is being reviewed.

There is no data breach notification rule in Malaysia under this Act. However, there is of course a moral obligation on the part of the company to notify the subject and the public,” said Foong.

Unfortunately in Malaysia these data breaches happen often, but if nobody knows about it nothing happens. During past breaches, there were some investigations but no prosecutions and no repercussions.

In the Malaysian Reserve’s article titled “Experts call for tougher law on data breach as Malindo Air becomes latest victim“, I said-

“There should be a data breach notification law. Data subjects have the right to know that their information has been compromised and take steps to secure the data,” Bar Council’s information technology and cyber laws committee deputy chairman Foong Cheng Leong told The Malaysian Reserve in an earlier report.

He added that the Personal Data Protection Commissioner had introduced a consultative paper to propose the mandatory disclosure, but the progress has been muted so far.

Currently, parties suffering from a data leak in Malaysia are not obliged to notify the authorities or the victims.

“In Europe, under the general data protection regulation, any companies including foreign firms with an office and/or serve the European region are required to lodge a report of any data breach within 72 hours.

“Organisations face the risk of a fine up to 4% of global revenue in the event of a data breach,” Foong said.

Lastly, in Global Data Review’s article titled “Lion Air Group data breach affects more than 30 million customers“, it was reported-

Foong Cheng Leong, a partner at Foong Cheng Leong & Co in Kuala Lumpur, said Malindo Air may have fallen foul of the country’s Personal Data Protection Act. This can attract criminal sanctions: a fine up to 300,000 ringgit (€65,000) and prison sentences of up to two years.

In spite of this, Leong said enforcement may not be forthcoming. He said that the government has yet to make a prosecution under the law for a data breach in spite of “numerous high-profile data breaches” in Malaysia since the law came into force.


Leong said Malindo Air might be liable under other data protection laws in the region. “However, it is not known if the data protection authorities will take or have the power to take any action against Malindo Air”, he said.

Leong said that the issue has drawn attention to the absence of notification requirements in Malaysia’s data protection law.


I was interviewed by BFM Radio over a statement by Parti Sosialis Malaysia Chief Dr Jeyakumar Devaraj regarding a warning notice by Biotropics Malaysia Berhad which has taken out a patent for the bioactive component of Tongkat Ali (Patent No. MY-134867-A – corresponding patent can be seen here). In gist, Dr Jeyakumar said that patent laws have been misused to create monopolies over a natural product like Tongkat Ali which has been used for its medicinal properties “for centuries”.

I was asked to explain what this patent is about and the scope of it.

MESTECC and Massachusetts Institute of Technology (MIT) have joint ownership of a Tongkat Ali extract- what does that mean and will this impact communities that harvested the traditional herb for centuries? We speak to an IP lawyer.

Produced by: Tasha Fusil
Presented by: Kelvin Yee, Kam Raslan, Aiman Rashad


With the rise of Android TV boxes in Malaysia, content developers as well as local film bodies are keen on shifting responsibility to users to curb piracy. Finas is taking it a step further by proposing a new paper that would hold homeowners accountable for pirated content that’s streamed on their property, regardless if they’re the tenants.

Produced by: Christine Wong
Presented by: Richard Bradbury, Arvindh Yuvaraj, & Audrey Raj

Pay just RM150 for details of 200,000 people, RM350 for 10 million

I was interviewed by Free Malaysia Today on the issue of the unlawful sale of personal data in Malaysia which is an offence under the Personal Data Protection Act 2010 (PDPA), in particular, s. 130 of the PDPA.

A lawyer told FMT that the sale of personal data is not surprising.

Foong Cheng Leong, who chairs the Kuala Lumpur Bar’s information technology committee, said while the sale of data is common, it is no longer done as openly as before due to PDPA which came into force in 2013.

But he said enforcement has been poor.

Despite media reports on data breaches such as the leakage of millions of mobile phone numbers two years ago, no action has been taken, Foong said.

In 2017, mobile phone numbers, identification card numbers, home addresses, IMEI and SIM card data of 46.2 million customers of at least 12 Malaysian mobile phone operators were leaked online.

“We do not know why there has been no prosecution. Perhaps due to the difficulty of conducting a data leakage investigation, data may be held by numerous data processors and rogue employees may have accessed them without permission,” said Foong.

E-hailing firms must protect data

I was interviewed by The Star and Free Malaysia Today on an e-hailing firm’s new user requirement to submit “selfie” for verification purposes.

In The Star’s article titled “E-hailing firms must protect data“, it was reported-

Weak enforcement of the Personal Data Protection Act (PDPA) has made it vital for e-commerce firms and e-hailing providers to protect such information, according to the Bar Council.

Its Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong said there had not been much news on the enforcement of the Act .

There were cases of companies being fined, but high-profile cases such as the data breach involving telecommunications companies two years ago have yet to be resolved,’’ he said.

Welcoming the requirement of selfie verification on e-hailing passengers as an effective mechanism to protect the drivers, he said those concerned with data privacy breaches could not do much if they wanted to use the service.

Foong’s comments were in light of the concerns over data privacy following a law introduced by the Transport Ministry in July last year, requiring passengers to submit their identity credentials upon registration with any e-hailing platform

While in Free Malaysia Today’s article titled “Password better than selfie for Grab driver safety, says consumer group“, it was reported-

Foong Cheng Leong, a lawyer, says the requirement does not run afoul of the Personal Data Protection Act 2010 as it involved obtaining the user’s consent.

“The use of Grab or any ride-hailing service is optional. Those who do not wish to submit their picture may opt not to use the service.”

In addition to the above, I would like to add that the submission of “selfie” can be a concern if there is a high risk that the data is misused. The selfie can be paired with other data for profiling purposes. Such data can be used for surveillance purpose, matching with other data, etc.

Perhaps such providers should announce how, in detail, personal data is protected, where exactly it will be stored, what measures are taken to ensure data is safe, and report whenever there is a data leakage or third party request. Most data users publish such information on their privacy policy. However, most data users publish very general information and the bare minimum, as required by the Notice & Choice Principle provided by the Personal Data Protection Act 2010.

Since it is mandatory for e-hailing users, the only choice available for users now is to not use such e-hailing services unless there is a change in policy. Users should consider filing a complaint to the Personal Data Protection Commissioner or Transport Ministry over the new rules.

Bread & Kaya: 2018 Malaysia Cyber-law and IT Cases PT4 – Commercial cases

By Foong Cheng Leong
May 10, 2019

– 2018 saw the first decision on the liability of online marketplace providers
– Damages can be granted in the case of a software delivery delay

IN THIS last of a four-part series, I will focus on commercial cases in 2018.

Short-term lodging – the Airbnb Effect

An online marketplace for accommodation and hospitality such as Airbnb enables people to lease or rent short-term lodging including vacation and apartment rentals, homestays, hostel beds and hotel rooms.

Currently, there are no specific laws to govern the conduct of these online marketplace providers.  However, joint management bodies and management corporations have taken action to stop apartment owners from operating short-term lodging by, among others, imposing rules to stop this practice.

In Salil Innab & Anor v Badan Pengurusan Bersama Seti Sky Residences & 5 Ors (Kuala Lumpur High Originating Summons No: WA-24NCVC-776-04/2018), the 1st Defendant, the Joint Management Body of Setia Sky Residences, took steps to stop the Plaintiffs’ services of short term rentals. The Plaintiffs, tenant and landlord of an apartment unit at a building, filed an action against the Joint Management Body to stop them from interfering or stopping any owners, tenants of any short term rental and/or any person representing the Plaintiffs from operating a short term rental at Setia Sky Residences.

The 1st Plaintiff is also a director of a company called Innab Trade Sdn Bhd. Through Innab Trade Sdn Bhd, the 1st Plaintiff had also rented other units in Setia Sky Residences for the purposes of sub-letting the same to members of the public.

The 1st Defendant contended that the business operated by the 1st Plaintiff, through Innab Trade Sdn Bhd, at Setia Sky Residences is in reality a hotel business and not merely the business of letting out short-term tenancies.

In so contending, the 1st Defendant made reference to how bookings for the short-term tenancies were made through the internet, how the units were described and marketed by using the name “KL Suites” and how they were portrayed in Innab Trade Sdn Bhd’s website, including the contention that these “KL Suites” could be booked through other websites. It is contended that all of these are similar to and in effect, the management of a hotel service.

The High Court granted an interlocutory injunction to stop the Defendants from interfering or stopping any owners, tenants of any short term rental and/or any person representing the Plaintiffs from operating a short term rental at Setia Sky Residences.

The High Court held that the 1st Plaintiff’s short-term tenants will be adversely affected and they are in reality victims of the conflict between the Plaintiffs and the Defendants. In addition, the continued interference with or obstruction of the 1st Plaintiff’s short-term tenants would also be likely to cause irreparable damage to the goodwill that the 1st Plaintiff would have built in his business.

However, the Court of Appeal allowed the Defendants’ appeal (Civil Appeal No. W-02(IM)(NCVC)-1811-09/2018) on the ground that the injunction order was too wide and damages is an adequate remedy.

In Verve Suites Mont’ Kiara Management Corporation v Innab Salil & 8 Ors (Kuala Lumpur High Originating Summons No: WA-22NCVC-461-09/2017), the Plaintiff, the Management Corporation of Verve Suites Mont Kiara, passed and adopted a resolution in an Extraordinary General Meeting to prohibit the use of residential units in the Verve Suites for business, including paid short-term rentals. The prohibition was then incorporated into the House Rule 3.

House Rule 3.0 states that any unit for short term rental is prohibited. House Rule 3.1(i) states any stay for which a booking was made through services/applications/websites etc, such as AirBnb,,, and other similar services is considered as a short-term rental agreement.

The Defendants had allegedly caused their respective residential units in Verve Suites to be turned into a hotel room with large numbers of guests coming to check in and check out with a flurry of activities interfering with the security, quiet enjoyment and overall wellbeing of the residents in the Verve Suites.

The Plaintiff then initiated an action against the Defendants compelling them to abide by all times and not violate the House Rule and be restrained from advertising, contracting for, booking and/or allowing, dealing with the residential units to be used for business including paid short term rental and/or transient use for tourist, or hotels, among others.  

The High Court held that the Plaintiff can enforce House Rule 3 and prohibited the Defendants from running the short-term rental business.

E-commerce – Suing online marketplace operators

We saw the first decision on the liability of online marketplace providers.

In Nexgen Biopharma Research & Innovation SARL v Celcom Planet Sdn Bhd (Kuala Lumpur High Court Suit No. WA-22IP-3-01/2018), the Intellectual Property High Court had to decide whether an online marketplace provider is liable for trademark infringement for the sale and advertisements of its Merchants’ products published on its website.

The brand owner was granted an order for summary judgement against the Defendant that operates an online marketplace by the name of “11Street” for infringing their trade mark “MFIII”. 11Street had published the MFIII trade marks and numerous sellers had posted unauthorised MFIII products for sale on 11Street. Besides, 11Street had also advertised the MFIII trade mark together with products bearing the MFIII trade marks on various third-party websites.

Similarly, in Jeunesse Global Sdn. Bhd. v Ecart Services Malaysia Sdn Bhd (Kuala Lumpur High Court Suit No. WA-22IP-16-02/2018), the Plaintiffs, who are in the direct selling business of skin care products and supplements, sued the operator of online marketplace operator, Lazada, for trade mark infringement, passing off, copyright and unlawful interference with their business, among others. The Plaintiffs discovered that Lazada had been selling products bearing the 1st Plaintiff’s registered trade marks and publishing the 1st Plaintiff’s copyright works. However, the parties settled the matter amicably and the matter was withdrawn.

Last year, I reported that a luxury watches brand owner sued a web hosting company for trademark infringement for hosting websites that sold counterfeit products (Officine Panerai AG v Shinjiru Technology Sdn Bhd (Kuala Lumpur High Court Suit No. WA-22IP-2-01/2018)). The interesting question in this case is whether a webhoster is liable for trade mark infringement for what their subscribers do. However, the parties also settled the matter amicably and the matter was withdrawn. 

Contractual matters – Software delivery delay and online agreements

This is an important case for the software industry. Delay in delivering a software is a common occurrence in the industry and in the High Court case of Tex Cycle Technology (M) Berhad v Fact System (Malaysia) Sdn Bhd (Kuala Lumpur High Court Suit No. WA-22NCVC-379-06/2016) provides what a customer can do if there is such delay.

In this case, the Plaintiff sued the Defendant for failing to install a software which could cater for the implementation of Goods and Services Tax (GST) required by the Government within the date of enforcement of GST.

The Defendant had allegedly represented to the Plaintiff in meetings and exchanges of emails that the Defendant could meet the enforcement date of GST and also that two important service requirements of the contract entered into could be fulfilled.

The Plaintiff claimed that due to the Defendant’s failure, they had no alternative but to switch to manually entering the data and generating documents manually and, in the process, incurring significant costs and expenses.

The Plaintiff sued for the loss and damages and the refund of the sum of RM191,572 paid by the Plaintiff to the Defendant for the software. The High Court found in favour of the Plaintiff and ordered the refund of the money paid plus general damages of RM100,000.

On appeal (Civil Appeal No. W-02(NCvC)(W)-1297-06/2018), the Court of Appeal allowed the appeal in part and disallowed the general damages of RM100,000. The Court of Appeal held that the High Court Judge is plainly wrong in allowing RM100,000 as general damages as there were no evidential basis.

In Wong Wei Pin v Malayan Banking Berhad [2018] 6 AMR 933, the High Court dealt with an interesting point whether general terms and conditions published on a website can be incorporated into an agreement.

In this case, the Plaintiff had accumulated credit card points via business and commercial purposes which ran foul of the Defendant’s terms and conditions of the credit card which provides that the cardmember can only use the credit card for purposes of personal consumption only, i.e. non-business and non-commercial related consumption. The Plaintiff argued that the Defendant’s Product Disclosure Sheet (PDS) which did not explicitly state that the terms and conditions of the Credit Card can be found at

The learned Judge held that although the PDS did not set out that the general terms and conditions are set out at Maybank’s website, it is accordingly the obligation of the Plaintiff to ascertain what the general terms and conditions are as she will be bound by them in the usage of the Credit Card. Accordingly, the High Court held that the Plaintiff is bound by the terms and conditions found on the Defendant’s website, and even if the Plaintiff chose not to read them, she is bound by them by her usage of the card.

In closing

In 2019, we can expect more interesting developments in the cyberlaw and IT sphere –

  1. The Council of Auctioneers Malaysia is challenging a decision by the High Court Registrar to implement electronic bidding or e-Lelong in all courts in West Malaysia (Majlis Pelelong Malaysia v. Pendaftar Mahkamah Tinggi Malaya (Kuala Lumpur Judicial Review Application No. WA-25-313-10/2018). Leave to challenge the High Court Registrar’s decision has been granted by the High Court. The High Court will now hear the substantive application in due course;
  2. Pursuant to the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019, digital currencies and digital tokens which are not issued or guaranteed by any government body or central bank, and fulfils other specific features, are prescribed as securities. The effective result of this order is that the digital currencies and digital tokens will now be primarily regulated by the Securities Commission. The Securities Commission’s Guidelines on Recognised Markets has now been amended to regulate digital asset exchange operator;  
  3. The Government will be taxing digital services beginning from Jan 1, 2020 at 6% per annum. Pursuant to the Service Tax (Amendment) Bill 2019, foreign registered persons providing digital services to consumers in the country will need to pay service tax;
  4. The introduction of the new Legal Profession Act 2018 to replace the old Legal Profession Act 1976 will see the introduction of the legal technology provision. S. 35 seeks to regulate the provision of legal technology by legal technology service provider. Legal technology is defined as any technological product or service used or to be used, (1) in the provision of any service or any act which is within any function or responsibility of any advocate and solicitor, or (2) places at the disposal of any other person the services of an advocate and solicitor. The Bar Council is given the power to regulate legal technology; and
  5. Across the causeway, Singapore has introduced the Protection from Online Falsehood and Manipulation Bill 10/2019. This new law seeks to, among others, criminalise false statements, control inauthentic behaviour and other misuses of online accounts and bots and regulate blocking orders. This new law also introduced a new way to punish persons who disseminates false statements i.e by cutting their income and starving them financially.

First published on Digital News Asia on 10 May 2019.

1 2 3 4 5 33  Scroll to top