Intellectual property

i Brand search

Registration of intellectual property rights (IPRs) such as trademarks, patents, industrial designs and geographical indications is administered by MyIPO. Prior to filing an application to register marks, it is prudent for franchisors seeking to enter into the Malaysian market to undertake trademark searches against the databases maintained by MyIPO to ascertain whether there are any conflicts, potential or otherwise. Similar searches may be conducted with regard to other IPRs, such as industrial designs and patents.

Following the launch of an online search portal by MyIPO in 2010, all trademark searches are now conducted online. However, as the online search portal is limited in its field of searches, the search results may not be comprehensive. It is, therefore, advisable to conduct searches using the online facilities provided at the Registry of Trade Marks. Such searches will be subject to official fees but will provide more comprehensive search results.

MyIPO also maintains databases for granted patents and registered industrial designs, which are open to public search and inspection and which may similarly be searched using the MyIPO online search portal. As with trademarks, however, it is advisable to conduct searches at the Registry of Patents and the Industrial Designs Registration Office to obtain more comprehensive search results.

Franchisors should also perform further searches against the database for registered companies and businesses maintained by the Companies Commission of Malaysia (CCM). The CCM is charged with approving applications for, and maintaining the registration of, companies and businesses in Malaysia. As the CCM does not, as a matter of practice, conduct any cross-reference searches with MyIPO, a registered trademark may well be registered by a third party as a company name. In such an instance, and in the absence of any direct settlement with the company or business concerned, the only recourse available to a trademark owner is to commence court proceedings for the alteration of the registered company or business name.

ii Brand protection

Section 24 of the Act requires a franchisor to register any trademarks relevant to his or her franchise prior to applying for registration with the Franchise Registry. Trademark applications take time to mature to registration. Hence, it is important to file the applications for registration of the marks early, before the franchise commences operation and, wherever possible, as soon as practicable after the franchisor has made a decision to expand its franchise in Malaysia. The Franchise Registry usually accepts proof of filing for registration in place of a certificate of registration of the marks.

The trademark filing process involves two main stages. After the trademark application is filed, it will be examined for compliance with formalities and substantive requirements. If the requirements are met, the Registrar will issue a request for publication of the application, which essentially means that the application is accepted for registration, subject to third-party oppositions. The application will then be published in the Government Gazette for opposition purposes by third parties. If there are no oppositions, the certificate of registration will be issued. The entire process takes between nine and twelve months from the filing date to registration.

If the requirements are not met, the Registrar will issue an office action containing the objection to the application. The applicant will be required to submit a response to the objection by filing written submissions and evidence of use. Thereafter, if the application is accepted, a request for advertisement is issued. If the application is not accepted, the applicant will be given an opportunity to submit oral arguments at an ex parte hearing. If the applicant is successful at the ex parte hearing, a request for advertisement will be issued and the steps indicated above are followed until the certificate of registration is issued. If the applicant is unsuccessful at the ex parte hearing, the application will be refused registration. An applicant may appeal to the High Court against a decision by the Registrar refusing an application and, thereafter, there is a final recourse by way of an appeal to the Court of Appeal.

The initial period of registration is 10 years from the date of application, which is deemed to be the date of registration. The trademark may be renewed every 10 years before the expiry date. If it is not renewed before the expiry date, late renewal may be filed within one month of the expiry date. If late renewal is not filed, an application to restore and renew the registration may be filed within one year of the expiry date. Failure to do either of these will result in the registration being removed from the Register.

A registered trademark is also vulnerable to cancellation on the grounds that: (1) the trademark was registered without an intention in good faith to use the trademark in relation to the goods or services and, in fact, there has been no use in good faith of the trademark up to one month prior to the date of the application seeking the cancellation of the registration; or (2) there has been no continuous use of the trademark, in good faith, for a period of three years up to one month prior to the date of the application seeking the cancellation of the registration.

iii Enforcement

The main IPRs applicable to a franchise are trademarks, confidential information or trade secrets, know-how and copyright. In certain businesses, other IPRs such as industrial designs and patents may also be applicable.

A registered proprietor has recourse under the relevant legislation or common law to seek relief for the infringement of any of its IPRs. Infringement actions in respect of trademarks, copyright, industrial designs and patents are generally initiated in the High Court. Actions in respect of other rights, such as breach of confidentiality or trade secrets or passing off, may also be initiated in the Sessions Court (a subordinate court) if the claim for damages does not exceed 1 million ringgit. Both the High Court and the Sessions Court have jurisdiction to grant interim or permanent injunctive and specific reliefs. The reliefs ordinarily sought in civil actions for infringement are permanent injunctive orders prohibiting further infringing acts, orders for the delivery of the infringing articles, damages or an account of profits and legal costs.

Where a trademark is infringed, a registered proprietor or an exclusive licensee of the trademark may commence a civil action pursuant to the Trade Marks Act 1976 (TMA), and where the mark has been used in Malaysia such that there is goodwill and reputation associated with it, there is additional recourse under common law for passing off. The standard reliefs are usually available in such actions.

A registered proprietor may also have recourse to administrative relief, in the form of border protection measures to prevent the importation of counterfeit goods under the TMA, and criminal remedies pursuant to the Trade Descriptions Act 2011 whereby the Enforcement Division of the MDTCC may be moved to initiate a raid, seize infringing or counterfeit goods and prosecute the persons responsible.

Know-how, trade secrets and confidential information are protected through contract law and under the common law tort of breach of confidential information. In the case of a franchise business model, Section 26 of the Act provides that a franchisee is required to provide the franchisor with a guarantee that the franchisee, including its directors, their spouses and immediate family, and its employees, may not disclose any information contained in the training or operation manual or information obtained from the franchisor during the term of the franchise agreement. Failure to provide such a guarantee is tantamount to an offence under the Act.

Where these obligations of confidence are set out in the franchise agreement or a confidentiality agreement or undertaking, a franchisor will also have recourse to a civil action for breach of confidentiality under contract and common law.

While there is no compulsory registration system for copyright in Malaysia, it is possible to provide voluntary notification of copyright ownership to MyIPO. A work is eligible for copyright protection upon the fulfilment of certain conditions, which include labour, skill and judgement to make the work original, where the work is reduced in material form, written down or recorded and the author is a Malaysian or the work is produced or made in Malaysia. Works that are protected under copyright include literary, musical, artistic or dramatic works.

When a copyright work is infringed, the proprietor of the copyrighted work may initiate a civil action and seek injunctive reliefs similar to the standard reliefs and, in addition, may seek statutory damages of not less than 25,000 ringgit for each work and not more than 500,000 ringgit on aggregate. The copyright owner may also have recourse to criminal remedies provided under the Copyright Act 1987 by lodging a complaint with the Enforcement Division of the MDTCC to request that a seizure action be carried out in respect of the infringing activities.

Similarly, if other IPRs, such as patents or industrial designs, registered in Malaysia are concerned, the registered proprietor will have similar recourse to the civil remedies discussed above for such infringements.

iv Data protection, cybercrime, social media and e-commerce

The Personal Data Protection Act 2010 (PDPA) and regulations made thereunder, including the Personal Data Protection Regulations 2013, regulate personal data that is processed and maintained in relation to commercial transactions.

Personal data encompasses information in relation to commercial transactions that relates directly or indirectly to a data subject who is identified or identifiable from that information or other information in the possession of the data user, and includes any expressions of opinion relating to the data subject. 'Data subject' refers to an individual who is the subject of the personal data.

Commercial transactions are defined as any transaction of a commercial nature, whether contractual or otherwise, which includes any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance. The PDPA applies to the operation of a franchise, as personal information of the franchisors' employees, customers, clients, suppliers and contractors that is collected will be in relation to a commercial transaction.

'Processing', in relation to personal data, means collecting, recording, holding or storing personal data or carrying out any operation or set of operations on personal data, including organisation, adaptation or alteration; retrieval, consultation or use; disclosure by transmission, transfer, dissemination, or otherwise making available; and alignment, combination, correction, erasure or destruction of personal data.

Although the personal data may be processed outside Malaysia, the PDPA will apply to such processing if the personal data is intended to be further processed in Malaysia. Accordingly, the PDPA may also apply to the foreign franchisor as a joint data user if it is involved in and has some form of control over the processing of such data by its Malaysian franchisee.

A data user who belongs to any of the following classes of data users as specified in the Schedule to the Personal Data Protection (Class of Data Users) Order 2013 is required to be registered under the PDPA:

  1. communications;
  2. banking and financial institutions;
  3. insurance;
  4. health;
  5. tourism and hospitality;
  6. transportation;
  7. education;
  8. direct selling;
  9. services;
  10. real estate;
  11. utilities;
  12. pawnbroker; and
  13. moneylender.

To process personal data, a data user must comply with the following Personal Data Protection Principles (collectively, the PDP Principles):

  1. General Principle;
  2. Notice and Choice Principle;
  3. Retention Principle;
  4. Disclosure Principle;
  5. Security Principle;
  6. Data Integrity Principle; and
  7. Access Principle.

The General Principle requires a data user to obtain the consent of its data subjects, which in this case would include the franchisor's employees, customers, clients, suppliers and contractors, prior to processing their personal data. There is no specific form in which the consent must be obtained as long as the consent is capable of being recorded and maintained properly by the franchisor.

Under the Notice and Choice Principle, franchisors must give written notice in Malay and English to the data subjects with the following information when they first collect, or before they use, personal data:

  1. a statement that personal data of the data subject are being processed by or on behalf of the franchisor and a description of the personal data;
  2. the purposes for which the personal data are being or are to be collected and further processed;
  3. the sources of the personal data;
  4. the data subject's right to request access to and correction of the personal data, and how to contact the franchisor with any enquiries or complaints in respect of the personal data (i.e., by providing the designation of the contact person, phone number, fax number (if any), email address (if any) and such other related information);
  5. the class of third parties to whom the franchisor discloses or may disclose the personal data;
  6. the choices and means the franchisor offers the data subject for limiting the processing of personal data;
  7. whether it is obligatory or voluntary for the data subject to supply the personal data; and
  8. where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he or she fails to supply the personal data.

Under the Disclosure Principle, franchisors are prohibited from disclosing the personal data of their employees, customers, clients, suppliers and contractors for any purpose or to any party other than for the purposes that were made known to the data subjects at the time the personal data were collected, unless further consent is obtained.

The Security Principle requires franchisors to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Franchisors must develop and implement a security policy that complies with the security standard set out in the Personal Data Protection Standard 2015 (the Standard). If the franchisor engages a third party (data processor) to process the personal data on its behalf, it must ensure that the data processor provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and takes reasonable steps to ensure compliance with those measures.

Under the Retention Principle, franchisors must not keep personal data longer than is necessary for the fulfilment of the purposes for which they were collected. If the personal data are no longer required, the franchisor must take reasonable steps to ensure that the personal data are permanently deleted. There is no specific retention period or destruction timeline under the PDPA for the storage of personal data and this may be subject to requirements of other legislation, such as employment laws, company laws and tax laws, which may require personal data to be retained for a specific period. The data retention must comply with the Standard.

The Data Integrity Principle requires franchisors to take reasonable steps to ensure that the personal data of their employees, customers, clients, suppliers and contractors are accurate, complete, not misleading and kept up to date, and this must be carried out in accordance with the Standard.

The Access Principle gives data subjects the right to access and correct their personal data where the personal data are inaccurate, incomplete, misleading or not up to date. Franchisors should implement a system that allows their employees, customers, clients, suppliers and contractors controlled access to their personal data for purposes of updating the personal data.

The PDPA allows a data subject to withdraw his or her consent to the processing of personal data by written notice to the data user. Accordingly, data users must, upon receiving such notice, cease processing the personal data. Failure to comply is an offence and, on conviction, the data user is liable to a fine of up to 100,000 ringgit or imprisonment for a term not exceeding one year, or both. In view of the fact that processing includes storage, a request to delete arguably amounts to a withdrawal of consent to process personal data. Therefore, a request to delete must be complied with.

Franchisors are prohibited from transferring any personal data to places outside Malaysia except to places specified by the Minister of Communications and Multimedia and notified in the Gazette or unless it meets one of the conditions set out below:

  1. the data subject has given consent;
  2. the transfer is necessary for the performance of a contract between the data subject and the franchisor;
  3. the transfer is necessary for the conclusion or performance of a contract between the franchisor and a third party that:
     • is entered into at the request of the data subject; or
     • is in the interests of the data subject;
  4. the transfer is for the purpose of any legal proceedings, for obtaining legal advice, or exercising or defending legal rights;
  5. the franchisor has reasonable grounds to believe that in all circumstances of the case:
     • the transfer is for the avoidance or mitigation of adverse action against the data subject;
     • it is not practicable to obtain the consent in writing of the data subject to that transfer; and
     • if it were practicable to obtain that consent, the data subject would have given his or her consent;
  6. the franchisor has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not, in that place, be processed in any manner that, if that place is Malaysia, would be a contravention of the PDPA;
  7. the transfer is necessary to protect the vital interests of the data subject; and
  8. the transfer is necessary as being in the public interest.

In addition to obtaining the general consent for the processing of personal data, franchisors should also obtain consent from their employees, customers, clients, suppliers and contractors to transfer the personal data to places outside Malaysia. Alternatively, franchisors may transfer the personal data if they are able to show that they have taken all reasonable precautions and exercised all due diligence to ensure that the personal data of the data subjects will not, in that place outside Malaysia, be processed in any manner that, if that place were Malaysia, would contravene the PDPA. In this connection, data users may consider entering into an agreement with the recipient of the personal data outside Malaysia and conducting regular audits to ensure that the recipient complies with the PDPA.

A data user who transfers personal data outside Malaysia in breach of the PDPA commits an offence that carries a fine of up to 300,000 ringgit or imprisonment of up to two years, or both.

The Malaysian Personal Data Protection Commissioner has issued a public consultation setting out jurisdictions that it is considering recommending to be approved under the PDPA as places to which personal data may be transferred outside Malaysia. If the proposed jurisdictions are specified by the Minister under the PDPA, franchisors may transfer personal data to the following places: the European Economic Area (EEA) member countries; the United Kingdom; the United States; Canada; Switzerland; New Zealand; Argentina; Uruguay; Andorra; Faeroe Islands; Guernsey; Israel; Isle of Man; Jersey; Australia; Japan; Korea; China; Hong Kong; Taiwan; Singapore; Philippines; and Dubai International Financial Centre (DIFC).

There is no requirement under the PDPA to appoint a designated data protection officer to oversee compliance and administration of the PDPA within the organisation. However, under the Notice and Choice Principle, the written notice must specify how the data subject can contact the data user with any inquiries or complaints in respect of the personal data. For this purpose, franchisors must provide in the written notice at least the designation of the contact person, with phone number and fax number, if any; email address, if any; and such other related information.

In addition to the PDPA, franchisors should generally be aware of other Malaysian legislation that regulates matters relating to cybercrime, e-commerce and social media. In brief:

  1. the Computer Crimes Act 1997 sets out offences relating to the misuse of computers, including unauthorised access to a computer, unauthorised access with intent to commit other crime and also the communication of information, such as passwords, to unauthorised persons;
  2. the Electronic Commerce Act 2006 provides a legal framework for and recognises the use of electronic messages in commercial transactions and the use of such messages to fulfil legal requirements and to enable and facilitate legal transactions; and
  3. the Communications and Multimedia Act 1998 and the Malaysian Content Code regulate the provision of content, including online content, and apply to persons within and outside Malaysia if the content is made available in Malaysia. Compliance with the Content Code is generally voluntary unless the Communications and Multimedia Commission issues mandatory compliance directions.