Tay Partners

LegalTAPS (August 2018)


Malaysia – Personal Data Protection Briefing

Impact of European Union General Data Protection Regulation on Malaysian Businesses

In this briefing, we highlight the key differences between the EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, and the Malaysian Personal Data Protection Act 2010 (PDPA), and the impact the GDPR has on Malaysian organisations with operations within and outside the EU, spotlighting its extra-territorial application, the creation of new rights for data subjects, new safeguards imposed on data controllers and data processors, imposition of data breach notification, appointment of data protection officers, introduction of the right to be forgotten, data portability and safeguards against automated decision making and profiling.

Key highlights

    1. Non-EU impact
      The GDPR marks a significant expansion of the territorial scope of the EU data protection regime, enabling the long arm of the law to reach beyond its borders. Unlike the PDPA, which only applies to personal data which is processed within Malaysia, the GDPR applies extra-territorially to anywhere where personal data of individuals in the EU (including EU residents and non-EU nationals who are visiting the EU) is processed or monitored. It applies not only to processing carried out by data users operating within the EU; it also extends to processing carried out by data users based outside the EU to the extent that the individuals concerned (including EU nationals) are physically present in the EU.

      The GDPR applies to Malaysian data users if:-

      1. they have a subsidiary or a branch in the EU;
      2. they offer goods or services to individuals in the EU (regardless of whether it involves a financial transaction or payment); or
      3. they monitor individual behaviour as far as the behaviour takes place within the EU.

      Whether Malaysian data users are offering goods or services to individuals in the EU is a matter of business intention. It depends on whether it is apparent that an offer to individuals in the EU was envisaged. Mere accessibility of a website, an email address or other contact details from the EU and the mere use of an EU language which is used in Malaysia (e.g. English) is insufficient. However, if the website is in an EU language, is offering goods or services in an EU currency or is explicitly targeting customers or consumers in the EU, this may be proof that the data user envisages offering of goods or services to individuals in the EU.

      “Monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to take decisions to analyse or predict personal preferences, behaviours and attitudes, for example the use of cookies and IP addresses.

      It is perhaps compelling to note that the Malaysian federal government and state governments would be subject to the GDPR in the same way as all other Malaysian data users who fall within any of the specific categories, as public authorities and bodies are not exempted from compliance with the GDPR. This is an important change as the PDPA specifically excludes its application to the Malaysian federal government and state governments.

      Malaysian organisations subject to the jurisdictional reach of the GDPR must appoint an EU-based representative.

    2. Data breach notification

      Whilst there are no data breach notification obligations under the PDPA, the GDPR requires a data user to report data breaches to supervisory authorities without undue delay or within 72 hours and to communicate the data breaches to data subjects without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons.

      Under the GDPR, a data breach notification to supervisory authorities must contain the name and contact details of the data protection officer (DPO) and must describe the nature of the breach, the likely consequences and the measures for addressing the breach. Where the notification to the supervisory authority is not made within 72 hours, the data user must provide reasons for the delay.

      The communication to data subjects who are affected by data breaches must contain the same information as a data breach notification to the supervisory authorities except for the nature of the breach which is not required.

    3. Appointment of data protection officer (DPO)

      Whereas there is no obligation on data users or data processors to appoint a DPO under the PDPA, the GDPR mandates that data users and data processors appoint a DPO to oversee data security strategy and advise and monitor compliance of the GDPR where:-

      1. they are a public authority or body (except for courts acting in their judicial capacity);
      2. their processing operations require regular and systematic monitoring of data subjects on a large scale; or
      3. they process on a large scale special categories of data and personal data relating to criminal convictions and offences.

      A single DPO may be appointed by a group of undertakings provided that a DPO is easily accessible from each establishment.

      In all other cases, data users and data processors may, at their option, designate a DPO.

    4. Introduction of the right to data erasure or the right to be forgotten

      The GDPR introduces the right to erasure or the right to be forgotten which allows data subjects to request erasure of personal data on any of the following grounds:-

      1. the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
      2. the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
      3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
      4. the personal data has been unlawfully processed;
      5. the personal data has to be erased for compliance with a legal obligation in the EU or Member State law to which the data user is subject; and
      6. the personal data has been collected in relation to the offer of information society services.

      Under the PDPA, any notion of a right to erasure may emanate from the data subject’s right to withdraw consent to processing personal data and the requirement to destroy or delete personal data that is no longer required for the purpose for which it was to be processed. However, this is limited in scope and unlike the GDPR, may be insufficient to compel the erasure of publicly available personal data on websites.

    5. Introduction of right to data portability

      The right to data portability under the GDPR is a further enhancement of data subject’s right to request access to personal data under the PDPA. The GDPR not only allows data subjects to obtain a copy of their personal data in a structured, commonly used and machine-readable format, it further allows data subjects to transmit (where the processing is based on consent and carried out by automated means) or have the data transmitted directly from the data user to another data user.

    6. Introduction of the rights related to automated decision making and profiling

      The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Data subjects will have the right not to be subject to a decision when it is based on automated processing and which produces a legal effect or a similarly significant effect on the data subjects.

      Data users must implement suitable measures to ensure that data subjects are able to obtain human intervention, express their point of view and obtain an explanation of the decision and challenge it.

    7. Consent

      The GDPR requires consent to be freely given, specific, informed and unambiguous. The GDPR makes it harder to obtain consent as, unlike the PDPA, it does not allow implied consent at all. Under the PDPA, apart from sensitive personal data where explicit consent is required, there is no specific form in which consent must be obtained provided that such consent can be properly recorded and maintained by the data user; hence implied consent may be acceptable and is often applied in practice.

    8. Special categories of personal data

      “Special categories of personal data” under the GDPR is broadly similar to “sensitive personal data” under the PDPA but it further includes philosophical beliefs, racial or ethnic origin, trade union membership, genetic data, biometric data, sex life and sexual orientation. Under the PDPA, “sensitive personal data” means personal data consisting of information on physical or mental health or condition of a data subject, political opinions, religious beliefs or other beliefs of a similar nature, commission or alleged commission of any offence or other personal data which may be determined by the Minister from time to time.

      Personal data relating to criminal convictions and offences are not included but extra safeguards apply to its processing which may only be carried out under the control of official authority or when it is authorised by law. Consent in processing such information will not be relevant.

    9. Privacy notice

      Although the GDPR covers all levels of information required for a privacy notice under the PDPA, it is more elaborate and comprehensive as it also requires the following additional information to be included:-

      1. contact details of the data user or its representative (if the data user is not established in the EU), where applicable;
      2. contact details of the DPO, where applicable;
      3. the legal basis for processing the personal data;
      4. the legitimate interests pursued by the data user or a third party (where the processing is based on legitimate interests);
      5. where applicable, details of the transfer of personal data to a third country or international organisation including whether there is an adequacy decision by the Commission or reference to the appropriate or suitable safeguards and means by which to obtain a copy of them or where they have been made available;
      6. the period for which the personal data will be stored or if that is not possible, the criteria used to determine that period;
      7. the existence of the right to erasure and the right to data portability;
      8. right to withdraw consent;
      9. right to lodge a complaint with a supervisory authority;
      10. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; and
      11. the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

    10. Data protection by design and by default

      Organisations must be able to demonstrate their compliance with the GDPR principles by adopting certain “data protection by design” measures such as use of pseudonymisation techniques, implementing staff training programmes and adopting specific data processing policies and procedures.

      Measures must be implemented to ensure that by default, only personal data which are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, the extent of the processing, the storage period and their accessibility, and significantly, the measures must ensure that personal data must not by default be accessible without the individual’s intervention to an indefinite number of natural persons.

      Where organisations are engaging in “high risk” processing which affects the rights and freedoms of data subjects, such as (1) systematic and extensive evaluation of data subjects by automated processing, including profiling, leading to decisions which carry legal implications concerning the data subjects; (2) processing on a large scale special categories of data or data on criminal convictions and offences; or (3) systematic monitoring activities of publicly accessible data on a large scale, a detailed privacy impact assessment (PIA) must be undertaken and documented.

      Where a PIA results in the conclusion that there is a high and unmitigated risk for data subjects, controllers must notify the supervisory authorities and obtain its view on the adequacy of the measures proposed by the PIA to reduce the risks of processing.

    11. Data processors

      Another key change the GDPR will bring is the direct responsibilities and obligations processors will have under the GDPR, which go beyond the terms of their data processing contracts with controllers. Unlike the PDPA, where processors are not subject to data protection principles or its requirements, processors under the GDPR may be liable to fines and payment of compensation for non-compliance with specific processor obligations or where they act outside or contrary to the lawful instructions of the controller. However, controllers retain the ultimate responsibility for ensuring that data is processed in a compliant manner even if they appoint a processor to process data on their behalf. Controllers and processors will only be exempt from liability under the GDPR if they prove that they were “not in any way responsible for the event giving rise to the damage” resulting from non-compliant processing.

      The GDPR requires a written contract to be in place between the controller and its processors with mandatory provisions to be included in the contract, in particular:

      • the subject matter and duration of the processing;
      • the nature and purpose of the processing;
      • the type of personal data and categories of data subjects;
      • the obligations and rights of the controller;
      • the obligations of the processor to:
          • only act on the written instructions of the controller;
          • ensure that persons processing the data are subject to a duty of confidence;
          • take appropriate measures to ensure the security of processing;
          • only engage sub-processors with the prior consent of the controller and under a written contract;
          • assist the controller in responding to data subject requests to exercise their rights under the GDPR;
          • assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
          • delete or return all personal data to the controller at its request at the end of the contract;
          • comply with audits and inspections by the controller and provide the controller with any information to demonstrate compliance with its processor obligations under the GDPR. Processors must inform the controller if the instructions to the processor infringe the GDPR or other data protection law.

      It is likely that Malaysian data user and processor contracts will not cover all of these points, so it is imperative that existing contracts be reviewed and updated to address these requirements.

  12. Remedies and liabilities

    Under the PDPA, individuals who have suffered loss and damage as a result of an infringement of the PDPA do not have the right to receive compensation from the data users and data processors.

    Under the GDPR, individuals who have suffered loss and damage as a result of an infringement of the GDPR are entitled to bring a claim against the controllers and processors for compensation for monetary and non-monetary losses. The judicial remedies and liability for compensation under the GDPR extend to both controllers and processors who infringe the GDPR.

    Individuals have the following rights against controllers and processors:

    • the right to lodge a complaint with supervisory authorities where their data have been processed in a way that does not comply with the GDPR;
    • the right to an effective judicial remedy where a competent supervisory authority fails to deal properly with a complaint;
    • the right to compensation from the relevant controller or processor for material or immaterial damage resulting from infringement of the GDPR.

    Natural and legal persons have the right of appeal to national courts against a legally binding decision concerning them which is made by a supervisory authority.

What to do now?

While businesses with a physical presence in the EU will need to abide by the GDPR, it may also apply to Malaysian businesses or organisations with no physical presence there but with customers or clients who are based in the EU. This would be the case for e-commerce-based businesses operating internationally, as well as businesses that serve a significant number of EU tourists, visitors or expatriates where personally identifiable information (PII) is processed. Some examples of sectors that will be affected by the GDPR are life sciences and healthcare, financial services, retail and tourism.

Organisations should run a GDPR compliance gap analysis audit to identify areas of non-compliance most material to the organisation and prioritise the mitigating measures to be implemented, particularly, in areas of high risk processing activities, such as processing of special categories of data. What constitutes “high risk” is measured by reference to the risk of infringing a natural person’s rights and freedoms.

The responsibility and budget for data protection compliance process within the organisation should be assigned and steps taken to ensure a full compliance program is designed for the organisation by incorporating features such as PIAs, regular audits, HR policy reviews, and updates and training and awareness raising programs. Supplier arrangements with processors should be reviewed and updated to ensure that the contracts reflect the data processors’ obligations under the GDPR.

A toothless tiger?

Malaysia is in some ways well placed for the impending coming into force of the GDPR as the PDPA which has been in effect from November 2013 upholds data protection principles which echo the standards and ideals postulated under the GDPR.

Under the GDPR, the maximum monetary penalties that can be imposed by EU data protection regulators for serious breaches have been increased to a maximum of: (i) €20,000,000; or (ii) 4% of an undertaking’s global annual turnover, whichever is the greater. This is far greater than the maximum fine of RM 500,000 imposed under the PDPA, although the PDPA also imposes a sentence of imprisonment of up to a maximum of 3 years.

For Malaysian organisations that have a physical presence (establishment) in the EU, the GDPR can be enforced directly against them. However, in the absence of clear provision on appropriate enforcement mechanism, there may be difficulties in enforcing the GDPR against Malaysian organisations that do not have an establishment in the EU. Although the GDPR may be enforced against representatives based in the EU who are appointed by Malaysian organisations, there is yet to be any clarity on how EU data protection regulators will take action against non-EU parties who infringe the GDPR.

If you have any queries or require more information, please feel free to get in touch with us.

Lee Lin Li
Tay & Partners


An overview of the Employment Insurance System (EIS)

What is it?
EIS is an insurance scheme managed by the Social Security Organisation (SOCSO) which is aimed at helping employees who were laid off, including those who were made redundant due to business restructuring or closure and those whose employers have been wound up or become insolvent. It is meant to provide these employees with monetary funds until they find new employment. In addition, EIS will provide assistance to the employees in the form of job search support, career counselling and training.

Has it been enforced?
Yes, the EIS came into force on 1 January 2018 and is governed by the Employment Insurance System Act 2017 (“Act”).

What are the contribution rates?
Contributions are made by employers and employees based on the employees’ monthly wages at the rates specified in the Second Schedule of the Act. It is an equal contribution for both the employer and employee. The maximum contribution rate is currently capped at RM15.80 (i.e. employer and employee’s contributions of RM7.90 each) as per the Second Schedule of the Act.

What are the responsibilities of the employer?
Every employer shall register his industry to which the Act applies with SOCSO [1]. An employer which has registered his industry with SOCSO before 1 January 2018 shall be deemed to have registered his industry under the Act [2]. In addition, Section 16 of the Act further stipulates that all employees in the industries (irrespective of the amount of their monthly wages) to which the Act applies shall be registered and insured by the employers –

  1. in the case of employees who are employed on or before the date the industries are registered, on the date the industries of the employers are so registered; and
  2. in the case of employees who are employed after the date the industries are registered, within 30 days from the date the employees enter into employment.


The employer shall not in any way reduce the wages of any employee, or discontinue or reduce the benefits payable to the employee in response to its EIS duties [3]. If the employer is found to have reduced the wages or benefits payable to the employee, upon conviction, the employer could face a fine up to RM10,000 or up to two years’ imprisonment, or both [4].

An employee is deemed to be registered under EIS if he/she has been registered with SOCSO before this Act came into force [5].

Who is excluded from the EIS? [6]

  1. Any person whose employment is of casual nature and who is employed otherwise than for the purposes of the employer’s industry;
  2. Any domestic servant in connection with work of a private dwelling house e.g. cook, house servant, waiter, butler, child’s or baby’s nurse, valet, footman, gardener, washer man or washer woman, watchman, groom, driver or cleaner of vehicle;
  3. Any person who is permitted to win minerals or produce any kind from or on the land of another and who, in consideration of such permission, gives a proportion of the minerals or produce so won to that other person or pays him the value of such proportion;
  4. Spouse of an employer;
  5. Any person detained in any prison, Henry Gurney School, approved school, place of detention, mental hospital or leper settlement;
  6. Government servant;
  7. Any employee who has not attained the age of 18 years or has attained the age of 60 years;
  8. Any employee who has attained the age of 57 and in respect of whom no contributions were payable under the Act before he attained the age of 57.


When to submit claim for benefits?
If the employee considers that he has lost his employment, he shall submit an application to SOCSO to claim for benefits within 60 days from the date he considers that he has lost his employment [7].

When does loss of employment occur?
Loss of employment occurs if the contract of service of an insured person is terminated or becomes void for any reason other than the following [8]:

  1. Voluntary resignation;
  2. Expiry of contract of service;
  3. Termination of contract of service by mutual consent without terms and conditions;
  4. Completion of the work in accordance with the terms of the contract of service;
  5. Retirement;
  6. Termination of contract due to misconduct.


Note: Voluntary separation scheme by mutual consent of the employer and employee, constructive dismissal, resignation due to willful breach of the terms of contract of service, resignation due to threat or sexual harassment towards the employee, resignation due to command by employer to perform work outside of the job scope which endangers the health and safety of the employee, closure of workplace due to natural disaster or the workplace becoming unsafe due to fire, gas leak or other similar situation are NOT considered as voluntary resignation under the Act.

What will SOCSO look at in respect of a claim for benefits?
If SOCSO determines that there is a loss of employment, SOCSO will look at whether the employee fulfills the contributions qualifying conditions as specified in the Fourth Schedule of the Act and whether the employee has attained the minimum retirement age on the date he lost his employment [9].

What are the claimable allowances under the Act?

    1. Job search allowance
      Job search allowance means a monthly payment for a period of 3 to 6 consecutive months to assist the insured person who has lost his employment during the period he is seeking employment. It will be paid at the following rates [10]:
      • 80% of the assumed monthly wages for the 1st month;
      • 50% of the assumed monthly wages for the 2nd month;
      • 40% of the assumed monthly wages for the 3rd and 4th month;
      • 30% of the assumed monthly wages for the 5th and 6th month.

      Note: “Assumed monthly wages” are specified in the Third Schedule of the Act based on the total contributions paid by the employer and employee. Since the maximum contribution is RM15.80, the corresponding assumed monthly wages is capped at the maximum amount of RM3,950.

      However, the claimable period for the job search allowance is subject to the contribution qualifying conditions as specified in the Fourth Schedule of the Act.

      An insured person shall not be in any employment during the period of receiving the job search allowance [11].

    2. Early re-employment allowance
      Early re-employment allowance means an incentive paid in lump sum to the insured person for accepting an offer of employment from any employer and commencing the employment within the waiting period i.e. 7 days from the date of the approval of a claim of benefit or the period receiving job search allowance at the rate specified in the Third Schedule of the Act.

    3. Reduced income allowance
      Reduced income allowance means a lump sum payment to assist an insured person who has 2 or more employments and has lost 1 or more of his employments.

      The rates for the reduced income allowance are stipulated under the Third Schedule of the Act whereas the claimable period for the reduced income allowance is subject to the contribution qualifying conditions as specified in the Fourth Schedule of the Act.

      Note: the insured person shall not be entitled to a job search allowance, a training allowance or an early re-employment allowance.

  4. Training allowance and training fee
    Training allowance means a monthly payment to the insured person for a period of not more than 6 months for attending any training in Malaysia provided by a training provider i.e. any person who has a training facility to carry out trainings for the purposes of re-employment placement program. The maximum amount of the training fee shall be RM4,000.


When would be the first pay-out?
Contributions to the EIS began in January 2018 and the first payment was initially scheduled to be made from 1 January 2019 onwards. However, in March 2018, the Government allocated RM122 million to ensure that the EIS system would be effective and SOCSO paid out RM802,800 in the first month of the implementation of EIS [12].


[1] Section 14 (1) of the Act.
[2] Section 15 of the Act.
[3] Section 24 (1) of the Act.
[4] Section 24 (2) of the Act.
[5] Section 17 of the Act.
[6] First Schedule of the Act.
[7] Section 28 of the Act.
[8] Section 30 of the Act.
[9] Section 32 of the Act.
[10] Section 34 (1) of the Act; Third and Fourth Schedule of the Act.
[11] Section 34 (4) of the Act.

Chen Mei Quin
Tay & Partners



Our team at Tay & Partners, led by Lee Lin Li, partner, and Shawn Voon, associate, successfully enforced the plaintiff’s rights to the geographical indication Tequila against a local distillery.

Protection of Geographical Indications in Malaysia

A geographical indication is a sign which identifies goods as originating in a country or territory or a region or locality in that country or territory where a given quality, reputation or other characteristic of the goods is essentially attributable to their geographical origin. Since the quality, reputation and characteristic of the goods depend on the geographical place of origin, there is a clear link between the product and its geographical place of origin. Products bearing a geographical indication benefit in terms of quality and authenticity in the marketplace.

In Malaysia, protection of geographical indications comes under the purview of the Geographical Indications Act, 2000. Recently, the Malaysian High Court heard an application for the protection of the geographical indication Tequila in Consejo Regulador del Tequila AC v Pelican Winery (M) Sdn Bhd (Kuala Lumpur High Court Civil Suit No. WA-24IP-17-08/2017). A case was brought against a local manufacturer and distributor of alcoholic beverages, Pelican Winery, for use of the geographical indication “Tequila” upon alcoholic beverages, which was alleged to be unlawful in Malaysia.

Facts of the Case

The United Mexican States acting through the Mexican Institute of Industrial Property (“IMPI”) is the owner of the geographical indication “Tequila”. IMPI appointed the plaintiff to register the geographical indication “Tequila” around the world. In Malaysia, the plaintiff is the registered proprietor of the geographical indication “Tequila” bearing Geographical Indication No. GI2015-00002 for alcoholic beverages in Class 1. Apart from obtaining protection of the geographical indication, the plaintiff is the only organisation accredited to certify the production and marketing of the alcoholic beverage, Tequila. The certification emphasises the mandatory compliance of the Mexican official standard.

In or around 2013, the plaintiff discovered that the defendant was distributing a product named “AGAWA Tequila Gold”. On 24 August 2017, a civil action was instituted against the defendant on the following grounds:

  1. the plaintiff is an “interested person” within the meaning of Section 5(1) of the Act as it is a competent authority, being a statutory body carrying out the functions on behalf of the United Mexican States;
  2. the plaintiff is entitled to the protection of its geographical indication “Tequila” under section 3 of the Act and the defendant has committed unlawful acts set out in section 5(1)(a) and (d) of the Act. The Court is empowered to grant an injunction to prevent any unlawful use of the geographical indication and award any damages and any other legal remedy or relief as it deems fit;
  3. Agawa Tequila Gold is distilled and bottled by the defendant at the defendant’s business address which is outside the municipality of the 5 Mexican states in which the manufacturing facilities of an authorised producer are located and the composition of the Agawa Tequila Gold and its label are not in accordance with the specification mandated by the Mexican official standard;
  4. the defendant’s use of the word “Tequila” on the Agawa Tequila Gold is unlawful as it is being used in a manner suggesting that the geographical origin of the Agawa Tequila Gold is in a geographical area other than the true place of origin. The word “Tequila” is being used in the course of trade as identifying a spirit not originating in the place indicated by the geographical indication in question.

The plaintiff argued that it suffered damage as a result of the defendant’s unlawful use of the geographical indication and that the principles relating to damage to goodwill in passing off cases would be relevant to be considered herein, namely, the two fundamental kinds of damage to goodwill; firstly, the destruction, damage or depreciation of the Plaintiff’s goodwill; and secondly, the goodwill as such may not initially be damaged but the claimant is deprived of its benefit. The plaintiff relied on English and Indian authorities on the point. In particular, in Barnsley Brewery Company Ltd v RBNB (1997) IP & T Digest 46, the English High Court reaffirmed that a remedy in passing off may be available to protect a geographical name for a beer. In India, the common law right to sue in passing off in respect of unregistered geographical indications is preserved under section 20(2) of the Indian Geographical Indications of Goods (Registration and Protection) Act, 1999. It is stated by Indian authorities that the right in respect of geographical indications is an intellectual property right and is protected in the same manner as a right in a trade mark. The principles laid down in a passing off action based on a right in a trade mark would be equally applicable in protecting an action based on a right in a geographical indication.

The damage to the plaintiff’s goodwill resulting from the defendant’s unlawful acts would, it was contended, arise where relevant members of the trade such as authorised producers, distillers, blenders, bottlers, wholesalers, retailers and traders and consumers of “Tequila” would believe or would be led to believe that the plaintiff had failed to carry out its functions as the sole certification body for the production and marketing of “Tequila” in failing to control the use of the geographical indication “Tequila” by unauthorised persons or the plaintiff discriminates or had discriminated in the application of its standards by allowing the defendant to unlawfully use the geographical indication “Tequila”. The plaintiff argued that the defendant’s unlawful acts expose or would expose the geographical indication “Tequila” to the risk of becoming generic due to uncontrolled and unauthorised use. Further, damage may be caused by injurious association with the plaintiff where none exists, the risk of litigation to the plaintiff and the diversion of business away from the authorised producers of “Tequila”.

In its defence, the defendant argued that the tequila in the defendant’s products is legally imported from authorised producers in the United Mexican States. Hence, it was argued that the plaintiff’s application was filed in bad faith as the plaintiff was aware that the tequila used in the defendant’s products is legally imported from these producers. The defendant also argued that the plaintiff’s claim is academic as the defendant will cease using the label Agawa Tequila Gold in view of new labelling regulations under the Malaysian food regulations. It denied that there was any form of deception practised upon members of the trade and public since it has complied with regulations under the Ministry of Health and had obtained certificates certifying that the Agawa Tequila Gold is safe for consumption.

The defendant sought to distinguish its case from Maestro Swiss Chocolate Sdn Bhd & Ors v Chocosuisse Union Des Fabricants Suisses De Chocolat (a co-operative society formed under title XXIX of the Swiss Code of Obligations) & Ors and another appeal [2016] 2 MLJ 359 by arguing that the tequila content used in its products was legally imported from authorised producers, and thus, there was no unlawful use of the geographical indication “Tequila”.

On the issue of legal imports, the plaintiff did not dispute that the defendant had entered into several joint responsibility agreements with authorised producers of the alcoholic beverage Tequila. However, it was pointed out that the joint responsibility agreements only permitted the import of Tequila for the purpose of bottling alcoholic beverages exclusively for the trade marks “TRES REYES” (expired in 2008), “Pelican Long Island T” and “INNOMINADA”, and no others. The clear language in the agreements prohibiting use of “Tequila” outside the scope permitted under the agreements demonstrates the defendant’s knowledge that any use of “Tequila” not covered under the agreements, such as use upon its Agawa Tequila Gold products, is unlawful and a flagrant breach of the agreements. Accordingly, the defendant’s contention that use of the geographical indication “Tequila” on Agawa Tequila Gold is permitted since the tequila is obtained from authorised producers is misconceived.

Whether the Plaintiff is protected under the Geographical Indications Act 2000

The parties entered into a consent judgment wherein the defendant consented to be restrained from using the geographical indication “Tequila” upon its products; acknowledged that the plaintiff is the only certification body of the Official Mexican Standard, including instituting legal proceedings for the unauthorised use of the geographical indication; and agreed that it will not interfere with the plaintiff’s ownership of the geographical indication, will cease manufacturing and distributing the AGAWA Tequila Gold products, and will recall and inform its customers to cease distribution of the AGAWA Tequila Gold products.

Notwithstanding and without prejudice to the consent judgment, the court proceeded to render its decision and grounds, citing that the relative novelty of the matter calls upon the court to do so. It reiterated Section 5(2) which provides that the court may grant an injunction to prevent any unlawful use of the geographical indication and award any damages including general, special and exemplary damages and other remedy or relief as it deems fit. The court was of the view that there was unlawful use of the geographical indication “Tequila” by the defendant for the following reasons:

  1. the court reviewed the certificate of registration of Tequila as a geographical indication admitted by the plaintiff, and was satisfied that “Tequila” falls within the ambit of Section 2 because it identifies an alcoholic beverage as originating from 181 municipalities in the 5 United Mexican States, where a given quality, reputation or specified characteristics of Tequila are essentially attributable to its geographical origin as stated in the affidavits and exhibits and accepted it as prima facie evidence under Section 20(2);
  2. the plaintiff, an interested person by virtue of being the registered proprietor of the registered geographical indication under the Act, may institute court proceedings to prevent, in respect of the geographical indication, use in the course of trade of any means in the designation or presentation of any goods;
  3. as the name “Tequila” and the ingredients “Tequila” were found in the products of the defendant, it naturally falls within a prohibited act under unfair competition within Article 10bis of the Paris Convention to constitute a statutory cause of action.

The court noted that the only defences recognised in the Act are the exception for prior use and the exception for use of a personal name, which the court held do not apply to the defendant. The defendant’s defence of lawful import of the “Tequila” as an ingredient in its product was not a defence in the Act.

The court also rejected the defendant’s reliance on the Food Regulations 1985 and the food safety certificates issued by Ministry of Health as a defence in its case. It noted that compliance with Food Regulations 1985 and food safety certificates do not constitute a defence to Section 5(1). Any contravention of the Food Regulations 1985 is a separate offence under Regulation 397(1) and (2) of the Food Regulations 1985. Such a defence has also been rejected in the tort of extended passing off in The Scotch Whisky Association & Anor v. Ewein Winery (M) Sdn Bhd [1999] 6 MLJ 280. In any event, the Food Regulations 1985 which is a subsidiary legislation cannot be inconsistent with a parent act.

The court further noted that unlawful use extended to use of the geographical indication as part of the description of an ingredient of the product and this constituted an act of unfair competition as being an indication or allegation which is liable to mislead the public as to the nature, manufacturing process, characteristics, suitability for their purpose or the quality of the goods.

Lee Lin Li, partner, appeared for the plaintiff. She was assisted by associate Shawn Voon.