
Yong Shih Han


Practice Area:

Technology, Media & Telecommunications
Data Protection

LL.B (Hons), University of Malaya
Advocate & Solicitor, High Court of Malaya

T +60 3 2273 1919 / +60 3 2267 2703
E shih.han.yong@christopherleeong.com

Shih Han practices exclusively in the areas of Technology, Media and Telecommunications (TMT), and Data Protection. She is part of the firm’s TMT and Data Protection practice group.

She has been listed by The Legal 500 Asia Pacific as a Next Generation Lawyer in the area of IT and Telecommunications in 2019, and more recently as a Rising Star for TMT in 2020 and 2021.

Shih Han obtained her Bachelor of Laws (LL.B) from the University of Malaya, and was admitted to the Malaysian Bar in 2012. Prior to joining the firm, she was a dispute resolution associate in a reputable firm handling primarily civil and corporate litigation matters. Since joining the firm and making the transition to corporate practice, she has been involved in the areas of corporate commercial, mergers & acquisitions, and general corporate advisory. She currently focuses on the areas of technology, media, telecommunications and data protection, with data protection being her specialist area.

She now regularly advises clients on a wide range of matters relating to information and communications technology, information security and data protection, telecommunications, and media and advertising laws. This ranges from the preparation and drafting of technology-related contracts and policies to advising clients on matters potentially leading to dispute resolution. She also regularly advises clients on technology- and media-related regulatory and compliance matters.

  • Advised a Malaysian financial institution on its proposed acquisition, by way of a collaboration or joint venture for the development or for the exclusive licensing or use, of a novel software program in Malaysia which comprises the use of principally open source software together with certain proprietary software as constituent parts; in particular, advised the client on open source software licenses and their potential implications for the client, and provided recommendations to mitigate risks in this regard.
  • Prepared and advised on “Build, Operate and Transfer” contracts for the procurement or development and implementation of large-scale IT systems and solutions for a multi-national telecommunications company, with presence in many countries throughout Asia.
  • Advised several financial institutions and financial services groups on the proposed digitalisation of their functions relating to the provision of their banking and financial services.
  • Advised an established multi-national insurance company, which is part of a global investment holding company based in London, on its proposed e-insurance initiative, in relation to the use of electronic signature / digital signature and compliance with the requirements prescribed under the relevant legislation and regulations.
  • Advised a global provider of enterprise software support products and services on the implications of the digital service tax regime in Malaysia.
  • Advised a multinational telecommunications company based in the United Kingdom in a multi-jurisdictional assessment on the regulatory, security, data protection and reporting requirements for providing cloud services and reselling cloud services in several jurisdictions including Malaysia, covering specific issues such as applicable licensing or approval requirements, the legality of interception of communications, and potential liability in hosting illegal content.
  • Assisted clients from various industries in the public consultation exercise conducted by the Ministry of Domestic Trade, Co-operatives and Consumerism (MDTCC) in respect of a comprehensive review of the Electronic Commerce Act 2006 (ECA) and preparation of feedback to the proposed ECA amendments in the review exercise.
  • Advised on proposed roll-out of a transportation aggregation platform in Malaysia pursuant to e-hailing licensing and regulatory requirements.
  • Reviewed the master service agreement in relation to the provision of Dedicated Internet Access services and Managed Services for an established applications service provider in Malaysia.
  • Reviewed the provision of service agreements and end-user license agreement in relation to the roll-out of an information management online system for a statutory body.
  • Reviewed the terms and conditions for the provision of business internet banking services for an international banking institution.
  • Prepared, drafted and reviewed various technology-related contracts, including contracts relating to the implementation of IT systems, IT projects, software development, mobile app development, maintenance and support services, service levels, etc.
  • Advised a government-linked company on potential breach of an IT agreement for the subscription and provision of maintenance services relating to a cloud system.
  • Advised a global retail chain on the legal compliance requirements relating to the implementation of WiFi services in its Malaysian stores, in particular, restrictions relating to content publications and data privacy issues.
  • Advised a multinational supply chain management company on its company guidelines and policies relating to the use of social media.
  • Advised a governmental agency / statutory body on the preparation of a mobile application development contract, including the scope of work and technical and business requirements to be considered in such contracts.
  • Conducted due diligence exercises in respect of and advised various clients on ISO27001 information security management systems certification.
  • Advised clients on dispute resolution matters involving technology contracts, including matters involving potential breach of contract, and rights to recourse under the terms of the contracts such as step-in rights.
  • Advised an established video game developer and publisher based in South Korea on the proposed use of tokens for their gaming platform, including legal issues relating to the legal expiration date for the use of the client’s gaming tokens by end users in Malaysia.
  • Advised clients on general legal and regulatory requirements on FinTech matters, including legal and regulatory obligations of digital asset exchanges (DAX), merchant acquiring services, money remittance businesses, e-money issuers, etc.
  • Advised companies on technology-related policies, such as information security, bring your own devices (BYOD), use of social media, mobile computing and teleworking policies.
  • Advised clients on potential legal and regulatory implications pursuant to proposed roll-out of new technologies and incorporation of technologies in products and services to the Malaysian market, including artificial intelligence, Internet of Things (IoT), etc.
  • Advised clients on various technology-related topics, including cybersecurity, information security, electronic commerce, consumer protection in electronic transactions, etc.
  • Advised one of the largest American-based multinational technology companies on its proposed roll out of a new TV application service in Malaysia and expansion of the services, on a wide range of issues including general broadcasting laws and regulations, Malaysian content standards including rules on ratings and gating technology, UX requirements, laws on intellectual property, publicity rights, and data protection.
  • Advised global media clients on legal and regulatory requirements in respect of their proposed launch of online video-on-demand streaming services in Malaysia.
  • Advised clients on content restrictions and regulations in Malaysia.
  • Advised clients on the use of social media, including regulatory and compliance restrictions relating to online content publication.
  • Advised clients on laws and regulations relating to online advertising and marketing in Malaysia.
  • Advised a Fortune 500 multinational technology company on cybersecurity laws and regulations applicable to the use of the cloud version of its services by companies specifically in the telecommunications and media sector in Malaysia.
  • Advised a local telecommunications business services company, which is part of a larger telecommunications group with extensive operations and presence throughout Asia, on the consolidation of the group’s IP transit (internet) traffic system.
  • Advised a multinational business process outsourcing business on regulatory and compliance matters relating to a cross-jurisdictional call centre, from the perspective of Malaysian communications and multimedia laws (the Communications and Multimedia Act 1998) and data protection laws (the Personal Data Protection Act 2010).
  • Assisted in advising a large telecommunications operator regarding compliance with the mandatory determinations and standards issued by the Malaysian Communications and Multimedia Commission (MCMC).
Personal Data Protection
  • Assisted various industries and clients in respect of the public consultation exercise on the review of the Malaysian Personal Data Protection Act 2010 (PDPA) and advised clients on their submission of feedback to the Personal Data Protection Commissioner on the proposed amendments to the PDPA, based on each client’s business and operational needs.
  • Assisted various industries and clients in respect of the public consultation exercise on the proposed introduction of a mandatory data breach notification regime in Malaysia and advised the clients on their submission of feedback to the Personal Data Protection Commissioner on the proposed introduction of the data breach notification regime, based on each client’s business and operational needs.
  • Assisted various industries and clients to conduct review and assessment on the applicability and impact of the EU General Data Protection Regulation (GDPR), including representing the clients in liaising with EU GDPR counsel to address the issues of applicability of the GDPR to Malaysian businesses.
  • Assisted a Fortune 500 oil and gas company in the implementation of the group-wide data protection compliance framework, including liaising and working closely with the company’s ad hoc data protection working committee, appointed management consultant, and several EU data protection legal counsel to develop and implement a bespoke data protection compliance framework for the client and its group of companies, comprising hundreds of operating companies and subsidiaries worldwide.
  • Advised and assisted clients in response to data breach incidents, including preparing formal communications to be submitted to the data protection regulator, and representing the clients in further discussions with the data protection regulator.
  • Assisted one of the largest power and utilities companies in Southeast Asia to develop its intra-group data transfer framework agreement and template data protection clauses, and advised on its obligations to comply with the EU General Data Protection Regulation (GDPR) pursuant to its presence in the EU and intra-group data transfers.
  • Assisted a Fortune 500 multinational technology company to prepare a comprehensive briefing paper to seek qualifying foreign government status for the purpose of the US Clarifying Lawful Overseas Use of Data Act (US CLOUD Act), which essentially authorises the US government to compel disclosure of electronic communications or data upon request if stored by a US-based company, regardless of the data location.
  • Advised one of the largest e-commerce platforms in Southeast Asia on data protection considerations in respect of a proposed collaboration with one of the largest commercial banks in Malaysia to launch a co-branded credit card.
  • Advised on the laws and regulations relating to protection of confidential information, data privacy and personal data protection.
  • Advised and drafted the codes of practice for several industries and sectors, including the banking and finance, insurance and takaful, telecommunications, and legal services industries, pursuant to the requirements of the Personal Data Protection Act 2010.
  • Represented various associations and industries in engaging the Personal Data Protection Commissioner on issues relating to compliance with the Personal Data Protection Act 2010 and its relevant subsidiary legislation, from the associations' and industries' business and operations perspectives.
  • Conducted and assisted in end-to-end data protection audit and compliance exercises for clients from a wide range of industries (including regulated industries such as banking and finance, insurance, telecommunications, etc).
  • Prepared standard forms, including compliance manuals and frameworks, privacy notices, internal privacy policies, to ensure compliance with the Personal Data Protection Act 2010.
  • Reviewed agreements relating to data processing and data transfer activities, as well as policies and documents relating to information security and data protection standards.
  • Advised on sector-specific personal data protection laws including related regulations, enactments, industry codes of practice and guidelines.
General Corporate / Corporate Commercial
  • Assisted in several legal due diligence exercises on the proposed acquisitions of Malaysian corporations in the IT industry, private healthcare, quarrying and mining, and other sectors.
  • Assisted in advising, drafting and negotiations of documents on behalf of a multinational logistics engineering company on the disposal of its shares, and its equity restructuring exercise.
  • Assisted an oil and gas service provider on the formulation of best practices in tender and procurement processes and documentation.
  • Assisted a multinational oil and gas corporation on its proposed capital reduction exercise.
  • Assisted in drafting, reviewing and commenting on transaction documents for proposed joint ventures.
  • Advised Malaysian and foreign companies on general legal and compliance issues applicable to the specific industry, including the applicable regulatory guidelines, policies and legal requirements in Malaysia.
  • Assisted in reviewing and advising an established credit reporting agency on its collaboration agreement to establish a fraud bureau database and considered the implications of data protection laws.
  • Reviewed various other commercial agreements and corporate documents, including contracts for sale of goods, employment contracts, consultancy agreements, non-disclosure agreements.
Memberships / Directorships
  • Member, Malaysian Bar 
  • Co-Author, Malaysian Chapter of the International Comparative Legal Guides (ICLG), Cybersecurity 2020, 3rd Edition (2020 Edition), published by Global Legal Group Ltd (URL: https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/malaysia).
  • Co-Author, Malaysian Chapter of the International Comparative Legal Guides (ICLG), Data Protection 2019, 6th Edition (2019 Edition), published by Global Legal Group Ltd (URL: https://iclg.com/practice-areas/data-protection-laws-and-regulations/malaysia).
  • Co-Author, Malaysian Chapter of the International Comparative Legal Guides (ICLG), Cybersecurity 2019, 2nd Edition (2019 Edition), published by Global Legal Group Ltd.
  • Contributor, Global Cyber Incident Response and Data Breach Notification Toolkit: Cyber Incident Response and Data Breach Notification (Malaysia) and Information Security Considerations (Malaysia), 2020 Edition, Practical Law Data Privacy Advisor, published by Thomson Reuters (Professional) UK Limited.
  • Contributor, Malaysian Chapter of the Data Protection & Privacy: Jurisdictional Comparisons (part of the European Lawyer Reference International Series), 3rd Edition (2016 Edition), published by Thomson Reuters (Professional) UK Limited.
  • Co-Author, Data Privacy Asia Newsletter, "Data Protection Recent Developments: The 'Minimum' Standards for the Security, Retention and Integrity of Personal Data and the Compounding Regulations", April 2016.
  • Author, TheSun, Legally Speaking column, "The 'Minimum' Standards for the Security, Retention and Integrity of Personal Data", 7 March 2016.
  • Contributor, Chapters on "Legal Background and Judicial System", "Investment Incentives", "Capital Markets", and "Personal Data Protection" in the Doing Business in Malaysia guide (as at July 2016), published by the firm at https://www.christopherleeong.com/authored-publications.
  • Contributor, LexisNexis Mergers & Acquisition Guide, 2016 edition, which is a contributing publication by the firm.
  • Contributor, Malaysian Civil Procedure (White Book), 2013 edition, published by Sweet & Maxwell Asia.
  • Contributor, Evidence in Malaysia and Singapore, Cases, Materials and Commentary, 3rd edition (2013), published by LexisNexis.