Shih Han is a Partner in Christopher & Lee Ong’s Technology, Media & Telecommunications and Data Protection Practice Group.

She has been listed by The Legal 500 Asia Pacific as a Rising Star for TMT in 2020, 2021 and 2022 and more recently as a Next Generation Lawyer for TMT (including Fintech) in 2023 and 2024.

Shih Han obtained her Bachelor of Laws (LL.B) from the University of Malaya, and was admitted to the Malaysian Bar in 2012. Prior to joining the firm, she was a dispute resolution associate in a reputable firm handling primarily civil and corporate litigation matters. Since joining the firm and making the transition to corporate practice, she has been involved in the areas of corporate commercial, mergers & acquisitions, and general corporate advisory. She currently focuses on the areas of technology, media, telecommunications and data protection, with data protection being her specialist area.

She now regularly advises clients on a wide range of matters relating to information and communications technology, information security and data protection, telecommunications, and media and advertising laws. This ranges from the preparation and drafting of technology-related contracts and policies to advising clients on matters potentially leading to dispute resolution. She also regularly advises clients on technology- and media-related regulatory and compliance matters.

EXPERIENCE

Technology

  • Appointed by one of the world’s most valuable start-ups in commerce, content, entertainment, gaming and enterprise services, to assist with a cross-border internal investigation into unauthorised recharge services and fraudulent purchases of in-game tokens by unauthorised third parties in their highly popular and successful Gaming App.
  • Appointed by a globally renowned social media platform operator to render comprehensive regulatory and compliance legal advice for a range of products across various sectors, while also advising on liability and enforcement risks for the client as an online marketplace provider. We also provided regulatory and compliance advice for foreign-sourced products, addressing challenges related to liability for sellers.
  • Advised a Malaysian financial institution on its proposed acquisition, by way of a collaboration or joint venture for the development or for the exclusive licensing or use, of a novel software program in Malaysia which comprises the use of principally open source software together with certain proprietary software as constituent parts; in particular, advised the client on open source software licenses and their potential implications for the client, and provided recommendations to mitigate risks in this regard.
  • Assisted and provided responses for a multi-jurisdictional questionnaire, legal advice and due diligence work concerning the launch of a highly confidential product, by a globally recognised technology manufacturer, in Malaysia (amongst other jurisdictions).
  • Prepared and advised on “Build, Operate and Transfer” contracts for the procurement or development and implementation of large-scale IT systems and solutions for a multi-national telecommunications company, with presence in many countries throughout Asia.
  • Advised several financial institutions and financial services groups on the proposed digitalisation of their functions relating to the provision of their banking and financial services.
  • Advised an established multi-national insurance company, which is part of a global investment holding company based in London, on its proposed e-insurance initiative, in relation to the use of electronic signature / digital signature and compliance with the requirements prescribed under the relevant legislation and regulations.
  • Advised a global provider of enterprise software support products and services on the implications of the digital service tax regime in Malaysia.
  • Assisted clients from various industries in the public consultation exercise conducted by the Ministry of Domestic Trade, Co-operatives and Consumerism (MDTCC) in respect of a comprehensive review of the Electronic Commerce Act 2006 (ECA) and preparation of feedback to the proposed ECA amendments in the review exercise.
  • Advised a multinational telecommunications company based in the United Kingdom in a multi-jurisdictional assessment on the regulatory, security, data protection and reporting requirements for providing cloud services and reselling cloud services in several jurisdictions including Malaysia, covering specific issues such as applicable licensing or approval requirements, legality of interception of communications, and potential liability in hosting illegal content.
  • Advised on proposed roll-out of a transportation aggregation platform in Malaysia pursuant to e-hailing licensing and regulatory requirements.
  • Reviewed the master service agreement in relation to the provision of Dedicated Internet Access services and Managed Services for an established applications service provider in Malaysia.
  • Reviewed the provision of service agreements and end-user license agreement in relation to the roll-out of an information management online system for a statutory body.
  • Reviewed the terms and conditions for the provision of business internet banking services for an international banking institution.
  • Advised a multinational supply chain management company on its company’s guidelines and policies relating to the use of social media.
  • Prepared, drafted and reviewed various technology-related contracts, including contracts relating to the implementation of IT system, IT projects, software development, mobile app development, maintenance and support services, service levels, etc.
  • Advised a government-linked company on potential breach of an IT agreement for the subscription and provision of maintenance services relating to a cloud system.
  • Advised a global retail chain on the legal compliance requirements relating to the implementation of WiFi services in its Malaysian stores, in particular, restrictions relating to content publications and data privacy issues.
  • Advised a governmental agency / statutory body on the preparation of a mobile application development contract, including the scope of work and technical and business requirements to be considered in such contracts.
  • Conducted due diligence exercises in respect of and advised various clients on ISO27001 information security management systems certification.
  • Advised clients on dispute resolution matters involving technology contracts, including matters involving potential breach of contract, and rights to recourse under the terms of the contracts such as step-in rights.
  • Advised an established video game developer and publisher based in South Korea on the proposed use of tokens for their gaming platform, including legal issues relating to the legal expiration date for the use of the client’s gaming tokens by end users in Malaysia.
  • Advised clients on general legal and regulatory requirements on FinTech matters, including legal and regulatory obligations of digital asset exchanges (DAX), merchant acquiring services, money remittance businesses, e-money issuers, etc.
  • Advised companies on technology-related policies, such as information security, bring your own devices (BYOD), use of social media, mobile computing and teleworking policies.
  • Advised clients on potential legal and regulatory implications pursuant to proposed roll-out of new technologies and incorporation of technologies in products and services to the Malaysian market, including artificial intelligence, Internet of Things (IoT), etc.
  • Advised clients on various technology-related topics, including cybersecurity, information security, electronic commerce, consumer protection in electronic transactions, etc.
  • Advised and briefed their operations representatives across the organisation on ensuring the adoption of electronic signatures under the Electronic Commerce Act 2006 (“ECA”) and digital signatures under the Digital Signature Act 1997 (“DSA”) as a means of getting around the reduced physical interaction between customers and the bank in the short term and also to aid the bank’s long term digitalisation drive.
  • Advised on the possible use of electronic bills of lading in Malaysia, from a Malaysian legal perspective as well as our understanding and insights of the current Malaysian industry practices, indicating an important milestone in the global shipping industry wherein there is a move from conventional bills of lading to a fully electronic system of e-bills of lading which would revolutionise the global shipping industry.
  • Appointed by the Malaysian subsidiaries of a Fortune 500 company providing end-to-end network services, IT solutions and data centres for multinational corporations, to advise on data transfer requirements and restrictions that may impact the intended outsourcing exercise of its back-end functions.

Media

  • Advised one of the largest American-based multinational technology companies on its proposed roll out of a new TV application service in Malaysia and expansion of the services, on a wide range of issues including general broadcasting laws and regulations, Malaysian content standards including rules on ratings and gating technology, UX requirements, laws on intellectual property, publicity rights, and data protection.
  • Advised global media clients on legal and regulatory requirements in respect of their proposed launch of online video-on-demand streaming services in Malaysia.
  • Advised clients on content restrictions and regulations in Malaysia.
  • Advised clients on the use of social media, including regulatory and compliance restrictions relating to online content publication.
  • Advised clients on laws and regulations relating to online advertising and marketing in Malaysia.

Telecommunications

  • Advised a Fortune 500 multinational technology company on cybersecurity laws and regulations applicable to the use of the cloud version of its services by companies specifically in the telecommunications and media sector in Malaysia.
  • Advised a local telecommunications business services company, which is part of a larger telecommunications group with extensive operations and presence throughout Asia, on the consolidation of the group’s IP transit (internet) traffic system.
  • Advised a multinational business process outsourcing business on regulatory and compliance matters relating to cross-jurisdictional call centre, from the perspective of Malaysian communications and multimedia laws (the Communications and Multimedia Act 1998) and data protection laws (the Personal Data Protection Act 2010).
  • Assisted in advising a large telecommunications operator regarding compliance with the mandatory determinations and standards issued by Malaysian Communications and Multimedia Commission (MCMC).

Personal Data Protection

  • Advised on a multi-jurisdictional fundraising exercise for a subsidiary of a prominent airline group, involving the utilization of contractual rights over data (including personal data) as collateral for a substantial USD loan. We also conducted extensive research to guide the client on the feasibility of assigning contractual rights over personal data under the Malaysian PDPA 2010.
  • Assisted various industries and clients in respect of the public consultation exercise on the review of the Malaysian Personal Data Protection Act 2010 (PDPA) and advised clients on their submission of feedback to the Personal Data Protection Commissioner on the proposed amendments to the PDPA, based on each client’s business and operational needs.
  • Appointed by an English manufacturer of luxury sports cars and grand tourers intending to roll out connected cars in Malaysia to advise on the regulatory requirements and approvals in relation to the PDPA 2010 and personal data which may be collected, transferred, stored, and processed by the connected cars. We also advised on the applicability of telecommunications licences and certification requirements in relation to the provision of certain telecommunication components of the connected cars.
  • Advised the operator and provider of centralised information sharing platforms and services for conventional insurers and takaful operators (Islamic insurers) in Malaysia on the legal feasibility of a proposed integration project that aimed to integrate an existing database maintained by a trade association in Malaysia for life insurers and takaful operators with the Client’s centralised automated claims and underwriting exchange, from a data protection perspective.
  • Advised one of the largest online payment gateway service providers in Malaysia, who had fallen victim to a cybersecurity breach, orchestrated by an unidentified perpetrator, on the risk exposure and potential liability arising from the outsourcing of functions and agreements entered in, as well as their regulatory exposure under the Personal Data Protection Act 2010.
  • Assisted a multinational Fortune 500 oil & gas company in rendering legal advice pertaining to the management and containment of several separate incidents involving personal data breaches and on its notification obligations to the Personal Data Protection Commissioner, the Royal Malaysia Police and affected individuals.
  • Assisted various industries and clients in respect of the public consultation exercise on the proposed introduction of a mandatory data breach notification regime in Malaysia and advised the clients on their submission of feedback to the Personal Data Protection Commissioner on the proposed introduction of the data breach notification regime, based on each client’s business and operational needs.
  • Assisted various industries and clients to conduct review and assessment on the applicability and impact of the EU General Data Protection Regulation (GDPR), including representing the clients in liaising with EU GDPR counsel to address the issues of applicability of the GDPR to Malaysian businesses.
  • Assisted a Fortune 500 oil and gas company in the implementation of the group-wide data protection compliance framework, including liaising and working closely with the company’s ad hoc data protection working committee, appointed management consultant, and several EU data protection legal counsel to develop and implement a bespoke data protection compliance framework for the client and its group of companies, comprising hundreds of operating companies and subsidiaries worldwide.
  • Advised and assisted clients in response to data breach incidents, including preparing formal communications to be submitted to the data protection regulator, and representing the clients in further discussions with the data protection regulator.
  • Assisted one of the largest power and utilities companies in Southeast Asia to develop their intra-group data transfer framework agreement and template data protection clauses and advised on their obligations to comply with EU General Data Protection Regulation (GDPR) pursuant to its presence in EU and intra-group data transfers.
  • Assisted a Fortune 500 multinational technology company to prepare a comprehensive briefing paper to seek qualifying foreign government status for the purpose of the US Clarifying Lawful Overseas Use of Data Act (US CLOUD Act), which essentially authorises the US government to compel disclosure of electronic communications or data upon request if stored by a US-based company, regardless of the data location.
  • Advised one of the largest e-commerce platforms in Southeast Asia on data protection considerations in respect of a proposed collaboration with one of the largest commercial banks in Malaysia to launch a co-branded credit card.
  • Advised on the laws and regulations relating to protection of confidential information, data privacy and personal data protection.
  • Advised and drafted the codes of practice for several industries and sectors, including the banking and finance, insurance and takaful, telecommunications, and legal services industries, pursuant to the requirements of the Personal Data Protection Act 2010.
  • Appointed by a leading global tech conglomerate to conduct a third country transfer risk assessment on the adequacy of Malaysia’s data protection laws, pursuant to the European Union Court of Justice’s decision in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18), also known as the Schrems II case.
  • Represented various associations and industries in engaging the Personal Data Protection Commissioner on issues relating to compliance with the Personal Data Protection Act 2010 and its relevant subsidiary legislation, from the associations’ and industries’ business and operations perspectives.
  • Conducted and assisted in end-to-end data protection audit and compliance exercises for clients from a wide range of industries (including regulated industries such as banking and finance, insurance, telecommunications, etc).
  • Prepared standard forms, including compliance manuals and frameworks, privacy notices, internal privacy policies, to ensure compliance with the Personal Data Protection Act 2010.
  • Reviewed agreements relating to data processing and data transfer activities, as well as policies and documents relating to information security and data protection standards.
  • Advised on sector-specific personal data protection laws including related regulations, enactments, industry codes of practice and guidelines.

General Corporate / Corporate Commercial

  • Assisted in several legal due diligence exercises on the proposed acquisitions of Malaysian corporations in the IT industry, private healthcare, quarrying and mining, and other sectors.
  • Assisted in advising, drafting and negotiations of documents on behalf of a multinational logistics engineering company on the disposal of its shares, and its equity restructuring exercise.
  • Assisted an oil and gas service provider on the formulation of best practices in tender and procurement processes and documentation.
  • Assisted a multinational oil and gas corporation on its proposed capital reduction exercise.
  • Assisted in drafting, reviewing and commenting on transaction documents for proposed joint ventures.
  • Advised Malaysian and foreign companies on general legal and compliance issues applicable to the specific industry, including the applicable regulatory guidelines, policies and legal requirements in Malaysia.
  • Assisted in reviewing and advising an established credit reporting agency on its collaboration agreement to establish a fraud bureau database and considered the implications of data protection laws.
  • Reviewed various other commercial agreements and corporate documents, including contracts for sale of goods, employment contracts, consultancy agreements, non-disclosure agreements.

MEMBERSHIP

  • Member, Malaysian Bar 

Qualifications

  • LL.B (Hons), University of Malaya
  • Advocate & Solicitor, High Court of Malaya
