The Perils of Poorly Drafted Contracts

Principle of Estoppel

The Principle of Estoppel prevents a party from going back on their word if someone else has relied on that word to their detriment. It is fundamentally about fairness. In general terms, estoppel applies when:

- One party (e.g., the IRB) makes a representation or promise, either through words or conduct.
- The other party (e.g., a taxpayer) relies on that representation.
- As a result of that reliance, the taxpayer changes their position or suffers detriment.
- It would be unfair or unjust to allow the IRB to go back on its original representation.

However, in public law and especially tax law, estoppel is applied more narrowly. Courts are cautious about letting estoppel override legal obligations or statutory duties. For example, the IRB cannot be estopped from collecting taxes just because a prior officer made an incorrect statement, unless exceptional circumstances apply.

Principle of Legitimate Expectation

The Principle of Legitimate Expectation protects a person’s reasonable and justified expectation that a public authority will act in a certain way, especially when:

- There has been a clear and unambiguous representation by the authority (e.g., consistent tax treatment or a promise).
- That representation has been relied upon by the taxpayer.
- The expectation is legitimate and reasonable in the circumstances.

Legitimate expectation can be:

- Procedural: Expecting a fair process before a decision is changed (e.g., the right to be heard).
- Substantive: Expecting a benefit or treatment to continue (e.g., a tax exemption or relief).

While procedural legitimate expectation is more readily accepted by courts, substantive legitimate expectation (expecting a particular outcome) is more difficult to enforce, especially when it conflicts with statutory powers or duties.
In this landmark case, Ketua Pengarah Dalam Negeri (IRB) v Kind Action (M) Sdn Bhd (KASB) [2025] CLJU 539, the Federal Court (FC) clarified the application of the Principles of Estoppel and Legitimate Expectation in Malaysian tax law, particularly in the context of double taxation disputes between the Inland Revenue Board (IRB) and taxpayers.

Case brief

In 2004, KASB, a plantation company, acquired land (Mengkibol Estate) and consistently treated it as a fixed asset, paying income tax on its plantation income. From 2007 to 2017, KASB sold the land in ten transactions, paid Real Property Gains Tax (RPGT) and received RPGT assessments and certificates of clearance from IRB.

In 2019, IRB conducted a tax investigation and stated that proceeds from these sales should have been taxed as income under the Income Tax Act 1967 (ITA) and not as capital gains under the Real Property Gains Tax Act 1976 (RPGTA). IRB then issued additional income tax assessments totaling over RM81 million, without revoking its previous RPGT assessments.

KASB challenged these new assessments in the High Court (HC), arguing that IRB’s actions amounted to unlawful double taxation and violated the principles of estoppel and legitimate expectation. KASB sought judicial review to quash the additional assessments and confirm IRB’s binding recognition of the transactions as capital gains.

Decisions of the Courts

- High Court: Dismissed KASB’s application, holding that IRB had the authority to issue additional assessments and that KASB should have appealed to the Special Commissioners of Income Tax (SCIT) for factual determinations.
- Court of Appeal: Reversed the HC’s decision, finding IRB’s actions unlawful for failing to revoke the RPGT assessments before issuing income tax assessments, resulting in double taxation. The COA held that estoppel applied against IRB, as the RPGT assessments and certificates were final and conclusive, and IRB was bound by its prior actions.
- Federal Court: Upheld the COA’s decision, emphasizing the finality of RPGT assessments under Section 20(1) of the RPGTA and the prohibition against double taxation. The FC rejected IRB’s argument that it could later reassess the nature of the gains after issuing RPGT clearances, highlighting that tax statutes must be strictly interpreted in favor of taxpayers. The FC also recognized that IRB’s repeated assurances and clearances created a legitimate expectation for KASB that the transactions would not be taxed again under the ITA.

Key Legal Principles

- Principle of Estoppel: Prevents a party (including public authorities) from contradicting previous actions or representations if another party has relied on them to their detriment. Here, IRB’s issuance of RPGT certificates and clearances estopped it from subsequently imposing income tax on the same transactions.
- Doctrine of Legitimate Expectation: Arises when a public authority’s conduct or statements create a reasonable expectation of certain treatment. IRB’s actions led KASB to expect that the tax treatment was settled, and changing this position without revoking previous assessments was deemed unfair and an abuse of power.

Conclusion

The FC’s decision reinforces that IRB’s powers are not absolute and that taxpayers are protected against inconsistent and unfair tax treatment through the principles of estoppel and legitimate expectation.
This case sets an important precedent for the protection of taxpayers, especially SMEs, from double taxation and arbitrary shifts in tax authority position.

Implications for Taxpayers and SMEs

- Taxpayers are entitled to consistency and reliability in tax treatment from authorities.
- Official tax assessments and certificates can create binding expectations and protections under estoppel.
- Courts will guard against double taxation on the same transaction under different laws.
- Judicial review remains a remedy for challenging unlawful or inconsistent tax authority actions, even when alternative appeal mechanisms exist.
Time and Contracts: A Deep Dive into CERAMTEC v ICONIC MEDICARE

The High Court’s (HC) recent decision in CERAMTEC INNOVATIVE CERAMIC ENGINEERING (M) SDN BHD (CICE) v ICONIC MEDICARE SDN BHD (IMSB) [2025] CLJU 686 provides crucial insights for Small and Medium-sized Enterprises (SMEs) navigating the complexities of commercial contracts, particularly concerning the often-disputed concept of “time is of the essence.” The HC disagreed with CICE’s argument that time was not critical in their agreement to supply ceramic formers to IMSB, despite IMSB’s initial tolerance of delays and eventual acceptance of the goods. CICE argued that IMSB’s conduct implied acceptance of revised timelines, rendering the “time is of the essence” argument an afterthought. This analysis delves into the specifics of the HC’s decision, exploring the factual background, the legal principles applied, and the significant implications for SMEs in understanding the importance of timely performance in their contractual obligations.

Unpacking the Case: The Core Dispute

CICE, a manufacturer of ceramic formers essential for medical glove production, contracted with IMSB, a company venturing into PPE manufacturing during the COVID-19 pandemic. In December 2020, IMSB ordered 366,000 formers for their planned 12 glove manufacturing lines, with deliveries scheduled to commence in July and October 2021 for Phase 1 and Phase 2 respectively. CICE confirmed their capacity and issued proforma invoices reflecting these timelines. IMSB placed two purchase orders (POs) and paid a 10% deposit.

Delays ensued, starting with IMSB’s April 2021 inquiry about a potential delay in the July delivery. IMSB subsequently revised one PO, reducing the quantity but maintaining the original timeline. CICE proposed a revised delivery schedule, which IMSB did not explicitly agree to. Faced with delays, IMSB sourced formers from another supplier at a higher cost.
While IMSB consistently emphasized the importance of the original delivery schedule, CICE cited various reasons for their inability to meet these timelines. Deliveries were significantly delayed and partial. IMSB eventually terminated one PO and reduced the quantity of the other. CICE sued IMSB for scrapping costs related to the reduced order, while IMSB counterclaimed for the increased cost of sourcing alternative formers and lost profits due to the delays.

Key Legal Principles Considered

The HC reiterated the burden of proof and the balance of probabilities in contractual disputes. Importantly, it addressed the principle of “time is of the essence,” clarifying that an explicit clause is not always necessary. Drawing upon Section 11 of the Sale of Goods Act 1957 and the Federal Court case of Damansara Realty Bhd v Bungsar Hill Holdings Sdn Bhd & Anor (2011) 9 CLJ 257, the HC emphasized that whether time is of the essence depends on the contract’s terms and the parties’ conduct.

HC’s Findings and Implications

The HC dismissed CICE’s claim and partially allowed IMSB’s counterclaim.

- Liability for Scrapping Costs: The court found that time was of the essence due to the contract terms and the context of the pandemic-driven demand for gloves. CICE’s repeated failures to meet agreed timelines constituted a breach of contract. IMSB’s reluctant acceptance of delayed and reduced deliveries did not equate to acquiescence to the revised schedules. Consequently, CICE was not entitled to claim scrapping costs.
- Loss Incurred Due to Alternative Sourcing: The court ruled that CICE’s delays and request for order reduction forced IMSB to source elsewhere at a higher cost. CICE’s suggestion for IMSB to find alternative suppliers further supported the claim that this loss was foreseeable. IMSB successfully proved the additional expense incurred due to CICE’s breach, and the court awarded IMSB the difference in cost.
- Claim for Loss of Profits: IMSB’s claim for lost profits was rejected as being too remote and speculative. The lack of confirmed purchase orders from their intended customer and the fact that the customer had already engaged another supplier before IMSB was ready to produce weakened their claim of a direct causal link between CICE’s delays and the alleged losses.

Implications for SMEs

The CERAMTEC v ICONIC MEDICARE decision offers critical lessons for SMEs:

- Express Clauses are Not Always Mandatory: While a clear “time is of the essence” clause is advisable, the court will examine the surrounding circumstances and conduct to determine its importance.
- Context is Crucial: In time-sensitive industries or situations with urgent market demands, timely performance is more likely to be considered essential, even without an explicit clause.
- Communication Matters: While IMSB did not always provide immediate written objections, their consistent communication emphasizing the need for timely delivery was crucial in establishing the importance of time in the contract.

This case underscores the need for SMEs to clearly define delivery timelines in their contracts, promptly communicate any concerns regarding delays, and understand that their conduct can significantly influence how a court interprets the importance of time in their agreements. Even without explicit clauses, a clear understanding of the context and consistent communication regarding timelines are vital to protecting their interests.
CYBER SECURITY ACT 2024 (ACT 854)

On 26 June 2024, Malaysia’s Cyber Security Act 2024 (“Cyber Security Act”) was gazetted to enhance national cyber security in Malaysia. The Cyber Security Act is not in force yet, pending implementation regulations to be issued by the National Cyber Security Agency (“NACSA”). The Cyber Security Act was first contemplated in the Malaysia Cyber Strategy released in October 2020.

Objectives of the Cyber Security Act

Similar to Singapore’s Cybersecurity Act (“Singapore CSA”), the Cyber Security Act aims to enhance cybersecurity of national critical information infrastructure (“NCII”). NCIIs include any computer or computer system which, if disrupted, would impact national security, economy, public health, public safety, or government functionality. The Cyber Security Act also introduces measures to manage cyber security threats and a licensing regime for cyber security service providers.

Territorial Scope Of The Cyber Security Act

The Cyber Security Act has extra-territorial application. Offences related to an NCII that is wholly or partly located in Malaysia are within the scope of the Cyber Security Act. Notably, this approach aligns with Singapore CSA’s original scope before its recent amendments in early 2024. Singapore CSA was amended to regulate computer systems which are wholly located outside Singapore if (i) the owner of such computer systems is in Singapore; and (ii) such computer systems would have been designated as CIIs had they been located in Singapore (see our previous article).
Understanding NCIIs

The Cyber Security Act designates the following sectors as NCII sectors:

- Government
- Banking and finance
- Transportation, defence, and national security
- Information, communication, and digital
- Healthcare services
- Water, sewerage, and waste management
- Energy
- Agriculture and plantation
- Trade, industry, and economy
- Science, technology, and innovation

NCII sector leads

NCII sector leads are government entities or persons which own or operate NCIIs in each NCII sector as designated by the minister charged with the responsibility for cyber security (“Minister”). The names of the NCII sector leads will be published on NACSA’s website. Each NCII sector lead is responsible for designating NCII entities (as defined below) and formulating sector-specific codes of practice that set out the measures, standards and processes regarding cyber security management.

NCII entities

NCII entities are government entities or persons appointed by an NCII sector lead as the entity or person which owns or operates an NCII. NCII entities are responsible for:

- providing information about their NCIIs to the NCII sector leads upon request and notifying them of any change, acquisition, or disposal of such NCIIs. Any material change relating to the NCII must be notified to the relevant NCII sector lead within 30 days;
- implementing the codes of practice issued by the relevant NCII sector lead;
- conducting cyber security risk assessments to ensure compliance with the codes of practice and arranging for external audits to verify their adherence to the Cyber Security Act; and
- reporting incidents or potential incidents in respect of their NCIIs to NACSA’s Chief Executive and NCII sector leads promptly.
While the Cyber Security Act mirrors Singapore’s approach by requiring NCIIs to comply with codes, risk assessments, and incident reporting obligations, unlike Singapore, the Cyber Security Act does not extend reporting requirements to cyber incidents involving third-party vendors and the supply chains of critical information infrastructure owners.

Licensing Of Cyber Security Service Providers

The Cyber Security Act introduces a licensing regime for cyber security service providers. No entity or person can offer any cyber security service or advertise itself as a cyber security service provider unless it holds a valid licence. The aim of this licensing regime is to ensure cyber security services, especially those provided to NCIIs, meet international standards.

Whilst the definition and scope of “cyber security services” remain unclear and will be determined by the Minister in the future, it is clear that the licensing regime does not apply to cyber security services provided by a company to its related company.

Providing a cyber security service without a licence is a criminal offence punishable by (i) a fine of MYR 500,000 (approximately USD 106,000); (ii) imprisonment of up to ten years; or (iii) both. For comparison, the penalty under the Malaysia Cyber Security Act is more severe than the penalty under the Singapore CSA for a similar offence, which includes (i) a fine of SGD 50,000 (approximately USD 37,000); (ii) imprisonment of up to two years; or (iii) both.

Penalties Under The Cyber Security Act

Penalties for non-compliance with the Cyber Security Act vary based on the type and severity of the violation.
For general non-compliance by NCII entities such as failing to conduct additional cyber security risk assessments, failing to rectify audit reports upon NACSA Chief Executive’s request, or failing to notify NCII sector leads of any material changes relating to the NCII, the penalties include (i) a fine of up to MYR 100,000 (approximately USD 21,744) or MYR 200,000 (approximately USD 43,549), depending on the offence; (ii) imprisonment of up to three years; or (iii) both.

For more serious violations of the Cyber Security Act, such as failing to implement the applicable codes of practice, failing to notify a cyber security incident or non-compliance with the licensing requirements, the penalties are more severe with (i) fines up to MYR 500,000 (approximately USD 106,000); (ii) imprisonment of up to ten years; or (iii) both. The liabilities under the Cyber Security Act also extend to the employees and agents of an offending entity.

Conclusion

The Cyber Security Act is a pivotal step taken by the Malaysian government to strengthen Malaysia’s cyber security resilience. NCII entities and cyber security providers which support NCII entities should revisit their business processes to identify compliance gaps and implement necessary measures to comply with the new obligations under the Cyber Security Act.
How Time Flies! SMEs, Watch Out!!

Wow, it’s 2025! If you don’t buck up, you might land up in hot soup unless you keep abreast of evolving trends and regulatory changes. The business landscape in 2025 is evolving rapidly, presenting both challenges and opportunities for businesses. To stay competitive and compliant, SMEs must navigate key regulatory changes across labor laws, sustainability practices and data protection.

Amendment to the Employment Act (EA) 1955

The recent amendments to Malaysia’s Employment Act (EA) 1955, effective from January 2023, have significantly impacted workplaces. Key changes include a reduction in weekly working hours from 48 to 45 hours, expanded maternity and paternity leave, and increased protection for contract workers. These reforms aim to enhance work-life balance and fair treatment for all types of employees. SMEs should pay close attention to these updates, particularly as discussions on the Gig Economy Bill progress. This bill, if passed, will mandate social security contributions for gig and platform workers, creating new obligations for businesses that rely on flexible or project-based labor. As these shifts unfold, SMEs must update employment contracts, work policies, and benefits to remain compliant and foster a positive work environment.

Environmental, Social, and Governance (ESG) Reporting

Sustainability is becoming increasingly important with Bursa Malaysia’s introduction of enhanced Sustainability Reporting in its Main Market Listing Requirements. Listed companies must now provide detailed reports on climate risks, carbon emissions, and social impacts. While ESG reporting is mandatory for listed firms, non-listed companies are also expected to voluntarily adhere to frameworks like the Malaysian Code on Corporate Governance (MCCG). Adopting ESG principles can enhance an SME’s reputation with investors, customers and stakeholders, demonstrating a commitment to transparency and responsible corporate practices.
As environmental and social governance continues to gain traction, SMEs that neglect ESG reporting could miss out on potential investment opportunities and consumer trust.

Data Privacy, Cybersecurity, and OSHA Compliance

The Personal Data Protection (Amendment) Act (PDPA) 2024 introduces stricter regulations such as mandatory and prompt data breach notifications and extends compliance requirements to foreign companies processing Malaysian data. SMEs need to ensure they are up-to-date with PDPA to avoid penalties. Simultaneously, cybersecurity has emerged as a critical focus, with the Cybersecurity Act 2024 imposing additional obligations on businesses to strengthen IT infrastructure and report breaches. Cybersecurity investments will be essential for SMEs to protect against increasingly sophisticated cyber threats.

Occupational Safety and Health Act (OSHA) compliance remains crucial. As workplaces evolve, SMEs must ensure compliance with safety regulations, conduct regular training, and implement effective safety protocols to safeguard employees and avoid legal consequences.

Conclusion

The evolving regulatory environment in 2025 requires SMEs to stay agile and proactive. Legal changes in labor laws, ESG reporting, and data protection are not only about compliance but also about positioning for long-term success. By responding to these shifts, SMEs can enhance stakeholder relationships, reduce legal risks and gain a competitive edge. Time is of the essence, and those who fail to keep pace with these changes may find themselves at a disadvantage in the fast-moving business landscape.
Small Business Owners (SBO) and the SIX biggest challenges?

SBOs face unique challenges, particularly in tough economic times. As every SBO knows, the reality is that there are numerous issues to overcome in order to sustain a business on a daily basis. However, the SIX key challenges that consistently affect SBOs, and where definite action can be taken to conquer them, are:

Overcoming Cash Flow Challenges

Delayed payments from clients, high overheads and unexpected expenses, such as non-compliance penalties and hefty litigation costs, often cause huge financial strain on cash flow. Besides managing cash flow by using financial management apps to track expenses, create budgets, automate payments, and set up automatic invoicing and reminders to reduce the risk of delayed payment, measures taken to ensure compliance with the relevant laws and regulations to save on penalties will also help ease cash flow for small businesses.

Managing Owner Fatigue

SBOs often burn out from taking too much of the burden upon themselves, resulting in low productivity. Outsourcing time-consuming mundane activities is key to overcoming fatigue. By identifying non-revenue-generating back-office processes such as Human Resources, Legal, Finance and Contact Center Services, business owners can focus on productivity whilst taking regular breaks and establishing a balanced schedule, which is essential to maintain work-life balance.

Finding and Retaining Profitable Customers

Attracting and retaining profitable customers is crucial for small business success. By outsourcing back-room processes, SBOs have more time to analyze their current customer base, identify profitable segments, engage in marketing efforts and tailor their business offerings to suit customer needs, as well as engage with existing customers through feedback and personalized services to maintain strong relationships for repeat business.

Motivating Employees

In today’s fast-paced business environment, managing HR responsibilities in-house can be a daunting task for SBOs.
Employee engagement is vital for small businesses, where every employee’s contribution is significant. By outsourcing HR processes, small businesses can be assured of maintaining clear communication with employees and fostering a positive work environment that can boost staff morale.

Reducing Overheads

High overhead costs can quickly drain a small business’s resources. Outsourcing back-office functions, especially to regions with lower labor costs, can significantly reduce operational expenses. SBOs can save on salaries, benefits, and overhead costs associated with maintaining in-house teams. Outsourcing also eliminates the need to invest in expensive software, equipment and office space for back-office operations.

Staying Current in Your Industry

SBOs are often so busy with day-to-day operations that they neglect to stay informed about industry trends and competitors. Outsourcing enables SBOs to focus on researching industry developments, reading relevant blogs, networking and attending conferences, which can help to keep business owners ahead of the curve.

In conclusion, overcoming the challenges faced by small businesses requires strategic action, delegation, the use of modern tools, and the outsourcing of time-consuming chores. By outsourcing their back-room processes, SBOs can keep overheads low and stay focused on high-value customers, motivating employees and cutting unnecessary costs, and they can also keep up with industry trends to navigate tough times and achieve sustained success.
What Small And Medium Enterprises (SMEs) Must Look Out For In The Occupational Safety & Health Act (OSHA) 1994 & The Amendment Act 2022?

The OSHA 1994 is the principal legislation in Malaysia that ensures workplace safety, health, and welfare. It outlines the legal duties of Employers, Employees, and other Stakeholders to create a safe working environment. In 2022, OSHA was amended to apply to ALL workplaces, extending beyond the original industries listed in the 1994 Act. The amendments highlight several key elements that SMEs must adhere to for workplace safety.

- Employer’s Duty (Section 15): Employers must maintain a hazard-free and safe work environment by conducting risk assessments, offering necessary training, ensuring equipment is safe, and providing personal protective equipment (PPE) and safety devices.
- Employee’s Duty (Section 24): Employees are responsible for their own safety and health and that of others, must cooperate with Employers on safety measures, use PPE, and report unsafe practices or conditions.
- Safety and Health Committees (Section 30): Workplaces with 40 to 100 Employees must establish a Safety and Health Committee (OSHC) with 2 representatives each from both Management and Employees. For businesses with over 100 Employees, the Committee must include 4 representatives each. The Committee addresses safety issues and advises Employers on safety concerns.
- Safety and Health Coordinator (Section 29A): From 1st June 2024, Employers with 5 or more Employees must appoint a Safety and Health Coordinator (SHC) from their workforce. The SHC is responsible for coordinating safety issues, maintaining a safe work environment, conducting inspections, and reporting non-compliance. Failure to appoint an SHC can result in fines and/or imprisonment.
- Training (Section 31A): Employers must ensure that their appointed SHC completes a Certified Occupational Safety and Health Coordinator training. Failure to comply results in fines and/or imprisonment.
- Risk Assessment and Hazard Control (Section 18A & 18B): Employers must regularly assess and control workplace hazards, including physical, chemical, biological, and ergonomic risks, and implement safety measures to mitigate them.
- Accident and Disease Reporting (Section 32): Employers are required to report serious accidents, dangerous occurrences, and occupational diseases to the Department of Occupational Safety and Health (DOSH), facilitating the prevention of future incidents.
- Workplace Inspections (Section 27E & 27F): DOSH conducts unannounced inspections to ensure compliance, issuing notices for improvement or prohibition and enforcing penalties for non-compliance.
- Right to Refuse Dangerous Work (Section 26A): Employees have the right to refuse unsafe work. Employers must address the hazard before the work resumes.
- Occupational Health and Safety Regulations: Specific regulations address various workplace hazards, including machinery safety, chemical handling, fire safety, and manual handling, ensuring comprehensive protection for workers.

In summary, OSHA 1994 and its Amendment Act 2022 impose critical safety responsibilities on both Employers and Employees. By mandating risk assessments, the formation of OSHC, and the appointment of SHC, it seeks to foster a safe and healthy working environment in Malaysia. Non-compliance with these regulations can result in severe penalties, emphasizing the importance of adherence to workplace safety standards.
Amendments to the Personal Data Protection Act (PDPA) 2010

More importantly, come 1st June 2025, enforcement of Sections 6 and 9 of PDPA 2024(A) will significantly impact how personal data is handled in Malaysia. PDPA 2010 aims at protecting individual privacy and personal data, and PDPA 2024(A) further strengthens this protection by introducing stricter rules and higher penalties for non-compliance.

Section 6 (Duties of Data Users) revises the obligations of “Data Controllers” (DCs), or those who process personal data for commercial, research, or employment purposes. The amendments introduce several new responsibilities, including:

- Accountability and Transparency: DCs must be transparent about their data processing practices. They are required to provide individuals with clear privacy policies, outlining how data is collected, used, and shared, along with details on retention periods and recipients of the data.
- Data Protection Impact Assessment (DPIA): DCs must conduct a Data Protection Impact Assessment (DPIA) for activities that pose high risks to individuals’ rights and freedoms. This assessment helps identify and mitigate potential risks before proceeding with data processing activities.
- Data Security Measures: It is mandatory for DCs to implement robust technical and organizational measures to protect personal data from unauthorized access, alteration, or destruction. These measures ensure the integrity and security of data throughout its lifecycle.
- Breach Notification: In case of a data breach that threatens individuals’ privacy, DCs are required to notify both the affected individuals and the Personal Data Protection Commissioner (PDPC) within a specified time frame.
- Mandatory Appointment of Data Protection Officer: Companies must appoint a Data Protection Officer (DPO) to ensure compliance with the law and report any breaches to the PDPC.
Section 9 (Penalties for Non-Compliance) outlines the penalties for failure to comply with the regulations, which are designed to deter non-compliance and ensure businesses take their data protection obligations seriously. Key aspects of these penalties include:

- Monetary Penalties: DCs who violate Section 6 of PDPA 2024(A) face hefty fines, which can range from RM 300,000 to RM 3 million, depending on the severity of the breach, the scale of non-compliance, and the harm caused to individuals.
- Imprisonment: In cases of serious violations, such as deliberate misuse of personal data or severe data breaches, individuals found guilty may face imprisonment for up to three years.
- Liability of Directors and Officers: Senior officers or directors of companies who fail in their duties regarding personal data protection can be held personally liable. This includes potential fines or imprisonment for negligence or violations under their watch.
- Reputational Damage: Apart from the legal penalties, businesses may suffer significant reputational harm from data breaches. Such incidents can lead to consumer distrust, damaging the company’s image and causing long-term financial losses.

Conclusion

Sections 6 and 9 of PDPA 2024 mark a clear shift towards greater accountability and more rigorous enforcement for data protection in an increasingly digital world. The new obligations for DCs, coupled with severe penalties for non-compliance, are expected to enhance public trust and encourage businesses to adopt more responsible data management practices. As the 2025 implementation date approaches, SMEs must prepare to comply with these new regulations to avoid costly penalties and protect their reputation.
Is Compliance a headache for the Small and Medium Enterprise (SME) especially during holiday seasons?

Yes, indeed. Whilst festive seasons and celebrations are something everyone looks forward to, they can be daunting for companies, which not only have to endure reduced profits due to closure of business on long holidays but must also be wary of compliance and penalties that may arise during this period. Compliance can therefore be a significant challenge for SMEs, especially during holiday seasons, as the festive periods are often filled with long weekends and celebrations that shift both employees’ focus and business priorities. While the festive season is a time for celebration, it often brings risks that SMEs may overlook due to reduced staffing, altered schedules, and an overall shift in priorities. During this time, businesses are at a higher risk of neglecting important compliance obligations, potentially leading to penalties arising from non-compliance.

One of the primary challenges during the holiday season is managing compliance around gifts and client entertainment. Giving and receiving gifts is common during festive times, but it can breach anti-bribery and corruption laws. Extravagant gifts or hospitality could be seen as conflicts of interest or attempts at bribery, risking non-compliance with anti-corruption regulations.

Data security becomes a critical concern during this period. With the rise of remote work, employees may access company systems through personal devices or public Wi-Fi networks, which are insecure. This increases the risk of cyber attacks and data breaches, which could lead to privacy violations or costly security breaches.

Another issue is financial reporting, especially during year-end holidays. Financial reporting requires accuracy, but irregular holiday schedules can lead to rushed work, causing mistakes or overlooked tasks. Such errors could trigger regulatory scrutiny or compliance violations, potentially harming an SME’s reputation and financial position.

In-house legal teams play a crucial role in mitigating these risks.
They can help by reminding employees about policies regarding gifts, hospitality, and ethical conduct, reducing the chance of violating anti-bribery laws. Legal teams maintain oversight of high-risk activities, like procurement and financial reporting, even during the holiday seasons to ensure compliance standards are met. Strengthening cyber security practices by educating employees about secure online behavior and providing training on protecting sensitive data is equally important. Ensuring adequate coverage within the compliance team during holidays is another key strategy. Having temporary coverage or on-call resources in place can help address compliance issues even when staff members are away.

SMEs should view the holiday season as an opportunity to reinforce a culture of compliance and integrity, emphasizing ethical behavior, while compliance itself is continuously monitored and guarded. An in-house legal team will have your back by maintaining vigilance and ensuring compliance to protect the company’s reputation at all times.

In conclusion, while the holiday season offers a chance for businesses to unwind, compliance should always remain a top priority. A strong compliance program is undoubtedly a valuable asset, safeguarding an SME’s business from potential risks and ensuring its long-term success.
What if there is an absence of a contractual relationship? Will it hold water in the court of law?

In a recent case heard at the Kuala Lumpur High Court, a supplier of faulty intraocular lenses was absolved of liability for damage caused to the vision of 2 cataract patients, as there was no contractual relationship between the parties on which an action could be founded.

The Plaintiffs, that is, the 2 cataract patients, claimed that the Defendant, Swissmed, who was the agent of a Dutch-based manufacturer, Oculentis BV, had supplied advanced Mplus X intraocular lenses with implied guarantees that the lenses were of acceptable quality, fit for purpose, and reasonably safe for use. The Plaintiffs claimed that as a result of the failure of the lenses, they had suffered from permanent eyesight problems including visual haze, blurry vision, loss of visual acuity, poor night vision and tiredness when reading. The Plaintiffs sought damages, including aggravated, exemplary and special damages, and costs.

The High Court Judge in his ruling said that the 2 Plaintiffs, in their respective suits, had failed to show they had a valid and enforceable contract against the Defendant. The Dutch-based manufacturer, Oculentis BV, was originally named as the second Defendant. However, the High Court in an earlier judgment struck out Oculentis BV as a Defendant in the suit, after the firm, which has faced multiple suits relating to its faulty lenses over the last seven years, was found to have been bankrupt. The Plaintiffs however maintained their respective suits against the Defendant, Swissmed, seeking compensation after their vision deteriorated following the insertion of lenses which the manufacturer later admitted were faulty. The court decided to hear both suits together, as the facts and subject matter were identical.

In its broad grounds of judgment released last week, the High Court dismissed the Plaintiffs’ claims on three causes of action based on Contract, the Consumer Protection Act 1999, and the Law of Negligence.
The High Court stated that the Plaintiffs could not bring a case for breach of contract as neither of them had a contract with Swissmed to begin with. According to the High Court, lack of a contract also means the Plaintiffs cannot bring an action founded on the Consumer Protection Act. Under the Consumer Protection Act, the first thing a claimant must establish is a contractual relationship between the parties. Only then can the consumer come forward and claim the protection under the Act. The claim founded in negligence also failed as the Plaintiffs had failed to identify what duty the supplier of the lenses had owed to the Plaintiffs. The High Court ordered the Plaintiffs to pay costs to the Defendant, Swissmed. It is understood that the Plaintiffs intend to appeal the decision to the Court of Appeal.
What is Unjust Enrichment?

Unjust enrichment is a legal doctrine that arises when one party unfairly benefits at the expense of another. It occurs in situations where retaining the benefit would be inequitable without compensating the disadvantaged party. The key elements of unjust enrichment are:

Enrichment – One party must receive a benefit or an increase in value.
At the expense of another – The benefit must come at the expense of another party.
Unjustness – The retention of the benefit must be unjust, implying that the enriched party should compensate the other party to avoid unfairness.

The principle of unjust enrichment is vital in maintaining fairness in business and legal transactions. It ensures that one party does not unfairly gain from another’s actions without a legitimate legal basis, preventing situations where enrichment is derived from wrongful or inequitable conduct.

Although the Malaysian Contracts Act 1950 does not provide a standalone provision specifically titled “unjust enrichment”, its principles are nevertheless embedded in the legal system, particularly in relation to quasi-contracts (also known as implied contracts). Quasi-contracts arise in situations where there is no formal agreement between parties but where one party is nonetheless enriched at the expense of another, thus necessitating compensation.

A clear legal foundation addressing unjust enrichment is Section 70 of the Contracts Act 1950, which requires a person who benefits from something received by mistake or under duress to return the benefit or repay it. Section 70 states: “A person to whom money has been paid, or anything delivered, by mistake or under coercion, must repay or return it.” This provision helps address unjust enrichment in cases where there is no formal contract but where one party benefits at another’s expense due to circumstances like error or force.
Application in Court

Malaysian courts have recognized unjust enrichment principles in a variety of cases, particularly those involving the transfer of money or property without an agreement, or situations where one party wrongfully gains an advantage over the other. In such cases, the courts ensure that restitution is made, aiming to restore the aggrieved party to their original position and prevent the unjust retention of benefits. The courts will look for situations where:

A benefit was conferred on the defendant.
The benefit was conferred by mistake, duress, or without the plaintiff’s consent.
The goods/services were provided out of necessity and the defendant unjustly retains the benefit.
The defendant is aware of the situation, and it would be inequitable to allow him to retain the benefit.

In conclusion, while unjust enrichment is not specifically named in Malaysian law, it is firmly integrated into the legal system through Section 70 of the Contracts Act 1950 and recognized case law. This doctrine ensures fairness and prevents inequitable enrichment, even in situations without formal contracts. By providing restitution, Malaysian law upholds fairness and prevents one party from unjustly benefiting at the expense of another, reinforcing equity in legal transactions.