To date, there is no specific or standalone legislation that governs the metaverse. Instead, existing laws govern activities within this evolving digital realm, and their applicability depends on the technologies used and the functionalities they enable.

Contracts and Digital Assets

The metaverse is increasingly becoming a platform for complex interactions and transactions. These transactions often involve digital assets, which can include cryptocurrencies, non-fungible tokens (NFTs) and other virtual property. Understanding the relationship between contracts and digital assets in the metaverse is crucial, as it defines the legal framework for how these assets are traded, owned and managed.

Under the Malaysian Contracts Act 1950 (Contracts Act), transactions within the metaverse, including those concerning digital assets, would be enforceable as long as the essential contractual elements like offer, acceptance, consideration and intention to create legal relations are satisfied without specific documentary requirements. The Electronic Commerce Act 2006 (ECA) (see 9.1 Trust Services and Electronic Signatures/Digital Identity Schemes) further recognises the validity of electronic messages for contract formation, which could extend to transactions in the metaverse due to the broad definition given under the ECA.

Digital assets in the metaverse may also fall under financial and securities regulations. For instance, in the Malaysian capital markets and securities sector, blockchain-based digital assets could qualify as a “digital currency” or “digital token” as defined under the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 (Prescription Order), and be deemed as securities under the Malaysian Capital Markets and Services Act 2007. This classification subjects them to the oversight of the Securities Commission of Malaysia (SC), and the offering and trade of these digital assets, along with the operation of the platform that hosts these digital assets, will be subject to the approval and registration requirements of the SC. They may also be subject to anti-money laundering/counter-financing of terrorism (AML/CFT) controls. However, the decentralised and often borderless nature of the metaverse poses challenges in regulation enforcement and transaction monitoring.

Intellectual Property

Malaysian intellectual property law may also protect digital creations and innovations within the metaverse. In this context, end-user licence agreements or terms of service serve as a vital mechanism for defining and protecting intellectual property rights. Clear and enforceable terms in these agreements lay the groundwork for safeguarding digital creations. For instance, trade mark rights, copyright protections and other intellectual property considerations can be expressly outlined, guiding users on the lawful usage, reproduction or distribution of virtual assets.

However, the metaverse’s unique nature also introduces complex jurisdictional challenges, particularly when addressing infringement claims. The metaverse operates with a degree of anonymity, allowing users to interact with greater privacy than in the physical world, making it challenging to identify infringers and establish concrete jurisdiction.

Data Protection and Cybersecurity

The Personal Data Protection Act 2010 (PDPA) regulates the processing of personal data in commercial transactions, which can extend to the processing of personal data within the metaverse where vast amounts of personal data will be processed. Data users in the metaverse must comply with the PDPA's data protection principles but the metaverse’s borderless nature introduces complexities in applying and enforcing data protection laws, including the PDPA.

The seven data protection principles are set out below:

• General Principle – prohibits a data user from processing a data subject’s personal data unless consent (or “explicit consent”, for sensitive personal data) has been obtained from the data subject or where an exception applies. The General Principle also sets out certain parameters for the processing of personal data. It provides that personal data shall not be processed unless:
1. it is for a lawful purpose directly related to the activity of the data user;
2. it is necessary for or directly related to that purpose; and
3. the data is adequate and not excessive for that purpose.
• Notice and Choice Principle – the PDPA requires a data user to inform a data subject by written notice of certain prescribed matters. It is also mandatory under the PDPA that the written notice (usually issued in the form of a data protection notice or privacy policy) is provided in both English and the national language (Malay).
• Disclosure Principle – prohibits the disclosure, without the data subject’s consent, of personal data:
1. for any purpose other than that for which the data was disclosed at the time of collection, or a purpose directly related to it; and
2. to any party other than a third party of the class notified by the data user.
• Security Principle – the PDPA imposes obligations on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
• Retention Principle – personal data must not be kept longer than is necessary for the fulfilment of the purpose for which it is processed. The data user has a duty to take reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was processed.
• Data Integrity Principle – the data user must take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose (and any directly related purpose) for which it was collected and processed.
• Access Principle – the data subject must be given the right to access their own data and to correct it where the personal data is inaccurate, incomplete, misleading or outdated. The PDPA provides grounds on which the data user may refuse to comply with a data access or data correction request from the data subject.

Each of these principles is subject to certain exceptions and conditions. Furthermore, there are specific standards set out in the Personal Data Protection Standard 2015 (PDP Standard) for the security, retention and data integrity principles.

The PDPA generally prohibits the transfer of personal data out of Malaysia, except where it is to a permitted place (although no permitted place has been gazetted at the time of writing), or where certain exceptions apply – eg, where data subjects have consented to the transfer.

Consumer Laws

Consumer protection laws remain applicable, safeguarding consumer rights in the context of digital transactions and services. Again, however, there will be difficulties in determining which jurisdiction’s laws apply to activities in the metaverse, which is inherently decentralised.

The digital economy lacks a singular legislative framework explicitly governing its operations but businesses must comply with various laws, regulations, guidelines and industry codes of conduct that are broadly applicable, as follows.

Consumer Protection

The Consumer Protection Act 1999 (CPA) extends to any trade transaction conducted through electronic means, and the Consumer Protection (Electronic Trade Transactions) Regulations 2012 also mandate the disclosure of specific information by any person who operates a business for the purpose of supplying goods or services through a website or in an online marketplace on the website where the business is conducted.

The Price Control and Anti-Profiteering Act 2011, along with its subsidiary legislation, aims to control the prices of goods and charges for services, and to prohibit profiteering, regardless of the method of supply. It applies to the supply of goods and services, including through electronic methods.

Electronic Commerce Act

The ECA legally recognises contracts formed through electronic communications, facilitating online business relationships.

Data Protection

Inevitably, the digital economy involves the processing of personal data, which is governed by the PDPA – see 1.1 Laws and Regulation (Data Protection and Cybersecurity).

Content

Online content is primarily under the purview of the Malaysian Communications and Multimedia Commission (MCMC), which regulates the communications and multimedia industry in Malaysia. Depending on the type of content, it can be subject to a host of laws, including the Communications and Multimedia Act 1998 (CMA), which inter alia prohibits offensive content.

The Malaysian Communications and Multimedia Content Code (Content Code) issued pursuant to the CMA also applies to content made available in the networked medium, including advertisements and marketing, and is administered by the Communications and Multimedia Content Forum of Malaysia (CMCF). Compliance with the Content Code is voluntary unless the content provider is a member of the Content Forum, has voluntarily agreed to be bound by the Content Code, or is specifically directed by MCMC. However, the CMCF may impose sanctions on those subject to the Content Code following a complaint, and compliance is a defence against any prosecution, action or proceeding of any nature.

In aiming to facilitate self-governance for online curated content, the CMCF introduced its inaugural supplementary guidelines in December 2023: the Guidelines for Online Curated Content (OCC) Service Providers, which cover recommendations and best practices for OCC service providers. The Guidelines encompass the overarching principles of public and national interest, racial and religious sensitivities, and improvement of accessibility standards for disabled persons.

Payment

Electronic money (e-money) is governed by the Financial Services Act 2013 and the Islamic Financial Services Act 2013, and is recognised as a payment instrument under said Acts. E-money issuers must be approved by the Central Bank of Malaysia (BNM) and must adhere to the Policy Document on Electronic Money issued by BNM. For digital currencies and digital tokens, see 1.1 Laws and Regulation.

Key Legal Challenges

While offering numerous opportunities for innovation and growth, the digital economy presents several key legal challenges. One of the biggest challenges is ensuring privacy and data protection, given the vast amounts of personal data collected and processed. Laws like the GDPR set stringent standards but compliance and enforcement can be complex, especially for global businesses. In Malaysia, while there are laws on data protection, there are plans to strengthen the regulatory framework, including by amending the PDPA and introducing a new cybersecurity law. Balancing the regulation of digital content to prevent the spread of offensive and harmful content while respecting freedom of expression also poses a significant challenge for regulators.

Laws and Industry Codes of Conduct

In Malaysia, cloud and edge computing services are regulated through various legislative provisions, technical codes and guidelines. The primary legislation is the CMA, enforced by the MCMC.

CMA

Under the CMA, providers of cloud and edge computing services may require the following types of licences, depending on the exact service offerings, technical set up and network topology, as the requirement for a licence depends on whether the activities fall within a “licensable activity”.

• Applications Service Provider (ASP) Licence: for providing end-user services through network services, including cloud services and internet access services. Notably, cloud services have been regulated as a licensable activity requiring an ASP licence since 1 January 2022.
• Network Facilities Provider (NFP) Licence: for the ownership and provision (including maintenance, installation, operation and establishment) of network facilities or physical infrastructure – eg, fixed links and cables.
• Network Service Provider (NSP) Licence: for providing network services for basic connectivity and bandwidth supporting various applications – eg, bandwidth services, switching services, access applications service and gateway services.

These licences are available to local entities and are issued as either individual or class licences (ASP licences are only issued as class licences). If a CMA licence is required, the CMA imposes a host of obligations, including mandatory contributions to the universal service provision fund and compliance with the access regime.

Whilst not specific to companies providing cloud or edge computing services, any company intending to import, use or offer communications equipment for sale must ensure that such equipment has been certified in accordance with the relevant technical standards/codes.

Technical codes and guidelines set out additional standards for specific types of equipment and service offerings. For instance, the Technical Code on Information and Network Security – Cloud Service Provider Selection provides selection criteria for cloud service providers based on risk assessment, industry standards and certification capabilities.

PDPA

The PDPA is the main framework for personal data protection in Malaysia, imposing obligations on data users (those who either alone or jointly, or in common with other persons, process any personal data or have control over or authorise the processing of any personal data) when using cloud and edge services. Key requirements include:

• ensuring – for the purpose of protecting personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction – that data processors (eg, a cloud and edge computing service provider) who process personal data on their behalf provide sufficient guarantees in respect of the technical and organisational security measures governing the processing of such personal data, and that the data processor takes reasonable steps to ensure compliance with those measures;
• prohibitions on transferring personal data outside Malaysia, subject to certain exceptions; and
• adherence to the PDP Standard, which imposes obligations on data users to ensure that, inter alia, transfers of personal data through cloud and edge computing services are recorded and that the written consent of an officer authorised by the top management of the data user organisation is obtained before such a transfer is made. Personal data transferred through a cloud and edge computing service must comply not only with the personal data protection principles in Malaysia but also with the personal data protection laws of other countries.

CMA licensees must register as data users with the Personal Data Protection Commissioner and comply with a specific code of practice for personal data protection.

Currently, the PDPA does not contain direct obligations for data processors and does not provide for a general data localisation requirement, although there has been a public consultation paper suggesting that these might be introduced in the future.

Greater Restrictions for Certain Industries

Financial services laws

Certain regulated industries, like banking and insurance, face stricter regulations when utilising data processing and other technological services from third parties, including cloud and edge computing services.

BNM has issued policy documents on risk management, outsourcing and customer information management. Among other stipulations, financial institutions (FIs) must consult with BNM before using a public cloud for critical systems, and must notify BNM prior to the use of cloud services for non-critical systems. In respect of outsourcing arrangements, which includes outsourcing arrangements with cloud and edge service providers, the Policy Document on Outsourcing requires, among other things, that FIs obtain BNM’s approval before entering into an outsourcing arrangement, and that FIs that use cloud services maintain a register containing additional particulars of the arrangement – ie, the nature of the data held and the locations where it is stored.

The Policy Document on Management of Customer Information and Permitted Disclosures outlines requirements for FIs regarding measures and controls in handling customer information throughout the information life cycle, covering the collection, storage, use, transmission, sharing, disclosure and disposal of customer information. Among other things, FIs must ensure that the service-level agreement between them and the provider adequately reflects the FI’s obligation to safeguard customer information.

Specifically on cloud services, the Policy Document on Risk Management in Technology requires FIs to conduct comprehensive risk assessments prior to utilising cloud services and to implement safeguards to protect customer information. The Policy Document also includes specific guidance for assessing the key risks and control measures when utilising cloud services.

Government entities

Where cloud and edge computing services are provided to government entities, policy documents may mandate specific security measures, such as infrastructure and traffic segregation when handling official secrets, as well as access controls. Although there is no overarching mandate for data centres to be designated as “protected areas” or “protected places”, facilities and data centres of cloud and edge service providers that handle or store official secrets are subject to stricter regulations. These facilities may need to be classified areas, potentially being designated as prohibited areas to which access is heavily restricted.

Healthcare laws

Government approval may be required for the use and provision of cloud computing services in public hospitals and institutions. Healthcare providers may also be subject to separate data localisation requirements or requirements to maintain patient data within the healthcare facilities.

Others

Data localisation requirements may also vary by industry – eg, e-money licences may impose this requirement as a licence condition.

While there is growing acceptance of the implications of artificial intelligence (AI), Malaysia has not yet established specific legislation or guidelines dedicated exclusively to regulating AI. The Ministry of Science, Technology and Innovation (MOSTI) is exploring the regulation of AI applications and a proposed ethics and governance code for AI, which aims to address issues such as data privacy, public awareness of AI, transparency, accountability and cybersecurity. The code may also incorporate guidelines for educating the public about AI and promoting research in the field, and is being drafted based on the Recommendation on the Ethics of AI adopted by the United Nations Educational, Scientific and Cultural Organisation (UNESCO) in November 2021.

The Minister of Economy has also referred to the Malaysian government’s plan to transform Malaysia into a regional AI hub by implementing new strategies and improvements of the AI ecosystem that will be contained in the Kuala Lumpur (KL20) action plan.

Complementing these initiatives, the Malaysian Standards Department has formed a National Mirror Committee to draft national AI standards. This committee, chaired by MIMOS Berhad (a research and development centre under MOSTI), comprises representatives from the industry, academia and government ministries and agencies, ensuring a comprehensive approach to AI standardisation.

The Malaysia National AI Roadmap 2021–2025 (AIRmap) further outlines the government’s vision for AI development, proposing to establish an AI Coordination and Implementation Unit (AI-CIU) to be responsible for institutionalising existing cybersecurity policies and best practices for AI incorporation and establishing clear guidelines for data sharing within government to enable AI implementation.

It was reported in June 2023 that ministers from the ASEAN nation members agreed in February 2023 to develop an “ASEAN Guide on AI Governance and Ethics”, although details on what this guide would entail are not available at the time of writing.

Some of the key issues which could be relevant are discussed below.

Liability and insurance

In the absence of specific legislation, liability resulting from AI-enabled technologies would have to be addressed under the existing legal framework. This includes the CPA and the Sale of Goods Act 1957 (SOGA) (although AI or its output may not be classified as “goods”), along with established principles of contract and tort law.

Contract law, particularly the Contracts Act, would be relevant in evaluating liability for defective AI. Contractual provisions specific to AI usage may be incorporated to apportion liability for AI defects, but the effectiveness of such clauses has not been tested and, in the absence of case law, claimants may argue breaches of the implied terms under statutes such as the CPA and SOGA, which contain implied terms (eg, guarantees and conditions regarding title, quality, fitness for purpose, price and repairs) that cannot be contractually excluded. The manufacturer or supplier of AI technologies may be liable for malfunctions that breach these implied terms, depending on the extent of non-compliance with representations and guarantees made by the supplier regarding the technology. Product liability claims for AI under the CPA may, however, be particularly challenging due to the difficulties in pinpointing when defects occur and, unlike some jurisdictions like the European Union, there is no specific framework for AI liability in Malaysia.

Claims for damages in the context of AI-related incidents may also be framed in negligence. Central to the law of negligence is the concept of the foreseeability of loss, requiring a claimant to establish a direct chain of causation between their loss and the actions of the defendant. However, there are distinct challenges in applying traditional negligence principles (such as foreseeability and causation), given the unique characteristics of AI, particularly its ability to evolve and learn over time through machine learning. Similarly, vicarious liability – a legal principle governing accountability for one person's actions by another in a legal relationship – becomes complex when applied to AI. Associated with the relationship between a principal and an agent, such as employer and employee, vicarious liability may be argued in instances where AI, operating within designated tasks, causes harm. Here, the AI may be viewed as an intellectual agent whose actions are assigned to a principal but not recognised as a full legal person.

Nevertheless, vicarious liability comes with constraints, dictated by the scope of the agent's activity. Not every action of AI may be ascribed to its owner or operator, and deviations from defined responsibilities can introduce a responsibility gap, disrupting the chain of causation.

Evidently, each case will need to be meticulously examined on its individual merits, factoring in the complex interplay between AI's autonomous capabilities and the responsibilities of those who create and deploy these systems.

Data protection

There are challenges in safeguarding sensitive and confidential information in the process of using AI, since input data can serve as ongoing training material for the AI model. The machine learning aspect of AI would require large amounts of data for AI training and operation, which can trigger the applicability of the PDPA where personal data is involved. Organisations must ensure that all data and information processed by AI is compliant with applicable data protection laws, including the PDPA. There are no specific rules under the PDPA on AI but, in general, data users must ensure they are transparent about the use of AI and how data subjects’ personal data is being collected, used and processed.

Organisations must ensure that they have obtained the necessary consent from individuals for the processing of their personal data for the specific purposes for which it is being collected, and must make sure that such data is processed securely and safely. This becomes a challenge where “data scraping” is utilised to extract large datasets which are then used to “train” AI models – ensuring that each data subject whose personal data was “scraped” has consented to the use of their personal data in this way would be practically impossible.

Future legal developments, such as the forthcoming Profiling and Automated Decision-Making Guideline announced by the Minister of Digital, may introduce additional requirements and restrictions relevant to the processing of personal data in AI applications, so it is crucial for organisations to stay abreast of these developments as AI regulation evolves.

Intellectual property (IP)

The current IP statutory regime in Malaysia presents ambiguities when it comes to extending protection to AI-generated IP. This uncertainty arises due to the lack of specific provisions addressing AI's role in IP creation under existing laws.

In essence, AI can be conceptualised as a compilation of software algorithms operating on computer systems. These algorithms execute mathematical methods to emulate the problem-solving and decision-making abilities of humans. However, seeking patent protection for AI becomes challenging, as it may infringe upon what is traditionally deemed non-patentable or excluded subject matter in many jurisdictions, including Malaysia. This contention is exemplified in Section 13(1) of the Patents Act 1983 (PA), which expressly deems mathematical methods per se as being non-patentable.

When assessing the existing patent framework, particularly in the PA and the Patents Regulations 1986, the lack of an explicit definition of an “inventor” and the absence of provisions addressing AI involvement in the invention process leave room for ambiguity. The inclination in the language of these statutes suggests that AI may be excluded from coverage thereunder, and that inventors are expected to be natural persons. This expectation is notably reinforced by Section 18 of the PA, which vests the right to apply for a patentable invention in the inventor. Furthermore, according to the Patents Regulations, patent applications must include personal identification of the inventors, or signed written declarations where anonymity is sought.

Similar perspectives have emerged internationally. In the United Kingdom, both the High Court and the Court of Appeal have agreed that an inventor must be a natural person and cannot include an AI system. In addition, the Federal Court in Australia overturned its previous decision, stating that the “inventor” listed in an application for a patent under the Patents Act must be a natural person. However, it is crucial to note that the Federal Court in Australia clarified that its ruling does not preclude the possibility of granting a patent to an invention created by an AI system. Instead, it underscores the necessity to identify a human “inventor” for the patent application, such as the developer of the AI system. Therefore, an invention devised by an AI system may still receive patent protection, provided a human “inventor” is identified.

The situation is similarly unclear under the Copyright Act 1987 concerning AI-created works. The ongoing discussion as to whether AI-generated work is protected by the Copyright Act revolves around its language, which primarily focuses on the rights of individuals and legal entities. For instance, Section 10 of the Copyright Act grants copyright to works eligible for protection, requiring the author to be a qualified person at the time of creation. A “qualified person” is defined as follows:

• in relation to an individual, a person who is a citizen of, or a permanent resident in, Malaysia; and
• in relation to a body corporate, a body corporate established in Malaysia and constituted or vested with legal personality under the laws of Malaysia.

While untested in Malaysian courts, the existing legal framework suggests that AI-created works may not qualify for copyright protection. The argument stems from the notion that AI-created works are essentially computer-generated, and the AI creator does not neatly fit the definition of a “qualified person” under the law.

Examining the current UK legislative framework reveals that a natural person would be the author for copyright ownership for the purposes of computer-generated works; this would therefore exclude an AI system. This position has recently been affirmed by the UK Supreme Court in Thaler (Appellant) v Comptroller-General of Patents, Designs and Trade Marks (Respondent) 2023 UKSC 49. The UK courts have consistently held that it is likely necessary for a human to have at least exercised some degree of control over the creative process that resulted in the work in question to attract copyright protection. This approach aligns with the principle that copyright should be tied to human agency in the creative process, raising similar questions about the attribution of authorship and copyright eligibility in AI-generated works. Malaysia has yet to provide explicit guidance on these matters, but the UK decision sets a precedent that could influence future rulings in common law jurisdictions such as Malaysia.

Another consideration would be when a user edits AI-generated output, transforming it into their independent creation. This action may arguably meet the criteria set forth in Section 7 of the Copyright Act, requiring sufficient effort to render the work original and reducing it to material form. Such a transformation raises questions about the eligibility of this modified creation for copyright protection. This scenario prompts inquiries into the interplay between AI and human creativity, potentially signalling the need for copyright law to evolve and adapt to these emerging dynamics. Other key considerations include the duration of copyright in AI-created works, moral rights related to AI, and the enforcement of copyright for such works.

The above highlights the need for clear regulatory guidelines and legal frameworks to address the intricacies of AI involvement in IP creation. As AI technology continues to evolve, establishing clear parameters and legal clarity becomes essential to navigate the intricate intersections of AI and intellectual property rights.

At present, Malaysia lacks a dedicated statute specifically addressing the internet of things (IoT). However, regulation is achieved through existing sector-specific guidelines and a suite of laws that possess sufficient breadth to encompass IoT projects. Key examples of such encompassing laws, regulations and guidelines are outlined below.

Telecommunications Regulations

In the implementation of IoT initiatives, adherence to the licensing and regulatory framework of the CMA is mandatory. This framework, inclusive of spectrum usage requirements, is particularly pertinent when engaging in licensable activities specified in the CMA and its subsidiary legislation; see 7.1 Scope of Regulation and Pre-marketing Requirements. Procuring the necessary licence is obligatory, accompanied by compliance with diverse obligations stipulated in the CMA. Notably, projects involving spectrum usage must align with assignments by MCMC, in harmony with the Spectrum Plan and relevant Standard Radio System Plans. In addition, communications equipment, integral to IoT, must obtain certification from the certifying body designated by MCMC, namely SIRIM QAS International Sdn Bhd, ensuring adherence to safety and technical standards, including the Technical Code on Short Range Devices.

Various technical codes also contribute to the regulatory framework for IoT, covering areas such as application security requirements, high-level functional architecture, security management and short-range device specifications.

Cybersecurity

Despite the absence of a dedicated cybersecurity law, Malaysia has adopted a proactive stance in addressing emerging threats. The Minister of Communications, Fahmi Fadzil, disclosed plans for an upcoming Cybersecurity Bill, spearheaded by the National Cyber Security Agency (NACSA). This initiative signifies a critical step in reinforcing Malaysia's digital resilience, and underscores Malaysia's commitment to swift adaptation to evolving cyber threats. The bill aims to establish a legal structure promoting proactive governance, effective response mechanisms and continuous improvement in cybersecurity.

Organisations undertaking IoT projects are advised to consider existing legislation with potential relevance to cybersecurity, including laws such as the Computer Crimes Act 1997, the Penal Code, the Copyright Act, the Digital Signature Act 1997, the Strategic Trade Act 2010 and the Official Secrets Act 1972. Furthermore, the Guidelines for Secure Internet of Things, released in 2020 by CyberSecurity Malaysia (an agency under the purview of MCMC), offer valuable yet non-binding insights. These guidelines serve as a practical resource, outlining security requirements and controls for stakeholders, with the objective of establishing a robust IoT security framework and enhancing awareness of existing threats and vulnerabilities.

Data Protection

As IoT initiatives extend into machine-to-machine communications, the relevance of data protection and communications secrecy comes to the forefront. Cross-border data flows between IoT devices necessitate a nuanced approach, considering compliance requirements, especially regarding the consent of data subjects for cross-border transfers of personal data via IoT devices. This entails a commitment to key data protection principles under the PDPA.

The IoT Guidelines provide a comprehensive set of security controls, facilitating the development of secure IoT systems. These controls include risk mitigation measures related to communications encryption, cloud security, authentication, access control, data protection and privacy, operation and maintenance, among others. This holistic approach aims to navigate the complexities of data protection and communications security in the evolving landscape of IoT projects in Malaysia.

Regulation of the Media Sector

In Malaysia, content is governed by a host of laws, depending on the type of content. Online content/content in the networked medium, which would include video channels, is primarily under the purview of MCMC, which also regulates licensing requirements for the provision of content in general. Specifically on censorship, the Film Censorship Board (FCB) regulates traditional media outlets and content on TV and in cinemas. The National Film Development Corporation Malaysia (FINAS) has prerogative over film production, distribution and exhibition activities in Malaysia. Note that the likelihood of enforcement by FINAS and FCB may differ for over-the-top content, including video-sharing platform services.

Licensing Requirements – CMA

Under the CMA, providers of content applications services are required to obtain a Content Applications Service Provider (CASP) licence, unless specifically exempted under the CMA. The CMA provides exemptions from licensing requirements for providers of “closed” content applications services (ie, services that are not accessible to the general public) and “incidental” content applications services (ie, services that provide content in a manner entirely incidental to the service provided). Internet content applications services (such as over-the-top services and online video-sharing platforms) are also exempted under the Communications and Multimedia (Licensing) (Exemption) Order 2000.

CASP licences may be issued as either individual licences or class licences (see 7.1 Scope of Regulation and Pre-marketing Requirements). CASPs that meet the following criteria are likely to require an individual licence, on the basis that the content:

• is made available to the general public and is likely to be of broad appeal; and
• can be received by commonly available consumer equipment or is likely to exert a high degree of influence in shaping community views in Malaysia.

CASP individual licences are typically required for entities involved in the traditional broadcasting industry, such as terrestrial radio broadcasting, satellite broadcasting, terrestrial free-to-air TV and subscription broadcasting. On the other hand, CASPs providing limited content applications services are not required to hold an individual licence and are exempted from the requirement to be licensed, unless a class licence is applicable. A CASP of a limited content applications service is regulated by a class licence if it falls within the following categories:

• a content applications service of limited appeal or one that is targeted at a special interest group and available through subscription by persons using equipment specifically designed for receiving said service;
• a content applications service restricted to a particular geographic area;
• a content applications service for distance-learning purposes; or
• a content applications service specifically linked to or associated with a sporting, cultural or other one-off event.

As an industry regulated under the CMA, licences for the provision of content applications services are subject to the same fees and eligibility requirements as telecommunications services, and the applicable fees and eligibility requirements would depend on whether the licence is an individual licence or class licence (see 7.1 Scope of Regulation and Pre-marketing Requirements). Applications for licences are to be made to MCMC in the prescribed forms.

Other Licences/Approvals

Depending on the facts, additional licensing requirements may apply. For example, the production, distribution or exhibition of films may require a licence from FINAS. Such films may also require the approval of the FCB.

Content Requirements and Restrictions

As set out above, content is subject to a host of laws, depending on the type of content, with the main laws being:

• the CMA;
• the Printing Presses and Publications Act 1984;
• the Sedition Act 1948;
• the Penal Code;
• Sharia; and
• advertisement laws, codes and guidelines.

For example, the CMA generally prohibits the provision of content that is indecent, obscene, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass any person via a content applications service, and content that is deemed seditious will contravene the Sedition Act. Additional laws may also apply, depending on the specific facts, such as the Copyright Act for content that infringes copyright.

To aid the regulation of the content industry, the CMCF issued the Content Code, which contains obligations and restrictions relating to content, and guidelines for a variety of different content platforms, including advertising guidelines, specific broadcasting guidelines and specific online guidelines.

Of relevance to providers of video-sharing platform services, the Content Code stipulates that providers of access to content that have neither control over the composition of such content nor any knowledge of such content are deemed innocent carriers, and are not responsible for the content provided, although there is also case law suggesting that an online intermediary platform may still be liable for third-party content.

The regulatory and licensing framework under the CMA is sufficiently extensive to cover a wide range of technologies and services, even in the absence of specific references to individual technologies and services. Specific technologies and services may also be addressed through various regulations, guidelines, technical codes and other voluntary codes issued by MCMC and/or other industry forums.

Licensing

Under the current telecommunications regime, there are four categories of licensable activities.

• NFP for the provision of network facilities such as infrastructure – eg, satellite earth stations, fixed links and cables.
• NSP for the provision of network services for basic connectivity and bandwidth to support a variety of applications – eg, switching services, bandwidth services, access applications service, gateway services and cellular mobile services.
• ASP for the provision of particular functions, such as voice services, data services, content-based services, electronic commerce and other transmission services. Applications services are essentially the functions or capabilities that are delivered to end-users. Examples include PSTN telephony, public cellular services, IP telephony, public switched data services, directory services, internet access services and messaging services.
• CASP for the provision of application services that provide content, such as satellite and subscription broadcasting.

Spectrum

Aside from telecommunications licences, the use of spectrum is regulated and an assignment of spectrum is required in order to use any part of the spectrum. The use of the spectrum is prohibited without one of the following:

• a spectrum assignment, which confers rights on a person to use one or more specified frequency bands for any purpose consistent with the assignment conditions set by MCMC;
• an apparatus assignment, which confers rights on a person to use the spectrum to operate a network facility of a specified kind at a specified frequency at a specified frequency band or bands; or
• a class assignment (CA), which confers rights on any person to use the frequency(ies) for a list of devices. The usage of devices under a CA is subject to conditions provided in the CA issued under Section 169 of the CMA. A CA is valid until it is cancelled by MCMC.

If the technology or device falls under any of the Schedules under the latest CA document, and use thereof complies with the requirements (including any conditions attached to the CA), no fees or application will be required. The use of device and frequency/frequency band for any purpose other than specified in the Schedules requires approval from MCMC.

The devices must also be certified by MCMC or its registered certifying agency (ie, SIRIM) either with a compliance approval, which is granted to a specific model of a device that has been certified as compliant with the specified standards or technical codes, or by way of a special approval. Special approvals are only granted to equipment that is used exclusively by the applicant for specific purposes.

Other Issues

Aside from the licensing and spectrum requirements outlined above, there may potentially be other issues, like numbering requirements, technical standards, etc, depending on the specific facts and services.

A variety of challenges that apply generally to contracts will also apply to technology agreements, but there may be unique challenges posed, especially when contracting with Malaysian government or customers from highly regulated industries such as finance and healthcare. Some of the key challenges that organisations may face when entering into a technology agreement are outlined below.

IP Rights

One of the critical aspects of technology agreements is the handling of IP rights, and common challenges include ambiguity as to the ownership of IP rights and joint ownership issues (note that in the absence of an agreement, joint ownership may also arise by operation of law when the IP is jointly developed or created by two or more persons). If IP is jointly owned, there are certain risks (eg, in relation to granting a licence) and, in certain circumstances, a joint decision by both parties is required, depending on the type of IP involved. Therefore, it is advisable to expressly stipulate the rights and obligations of the respective parties under the agreement, as well as whether there are restrictions imposed on the parties. Furthermore, parties should negotiate and define who bears the responsibility for enforcing the IP rights against an infringer, who will pay for and control the enforcement process, and how costs and expenses are allocated among the parties.

Scope of Work

Aside from ownership of the technology in question and IP licensing, disputes also typically revolve around the scope of work and non-payment. A well-defined scope of work and clear deliverables are crucial to prevent such disputes, which includes detailing project timelines, performance criteria and service level obligations, milestones, change of control and project governance.

Confidentiality, Data Protection and Cybersecurity

With the increasing importance of data in the digital economy, technology agreements must sufficiently address confidentiality, data protection and cybersecurity. The role of confidential information is especially critical where IP law does not offer adequate safeguards. Agreements must also ensure compliance with applicable laws like the PDPA. Furthermore, in highly regulated sectors, there tend to be stricter requirements on data protection and cybersecurity, which must be catered for in the agreement. For instance, health data that is categorised as “sensitive personal data” under the PDPA may be subject to localisation requirements, particularly in the private healthcare sector.

Sector-Specific Requirements

Where the technology agreement is with an organisation in a regulated industry, the organisation should be aware that it may also be subject to other regulations or guidelines.

For instance, FIs in Malaysia are subject to guidelines issued by BNM and some of BNM’s Guidelines – in particular, the Risk Management in Technology Guidelines – set out certain requirements concerning engaging third-party service providers. For example, where an FI’s IT system is managed by third-party service providers, the FI is required to ensure, including by way of contractual obligations, that the relevant third-party service providers give sufficient notice before any changes that may impact the IT system are undertaken. Furthermore, an FI or financial service provider may be required to include specific provisions in its contract with the organisation and certain contracts/arrangements may require approval from BNM, pursuant to the requirements under the relevant BNM Guidelines.

Overview

In Malaysia, contracts formed electronically are recognised pursuant to the ECA. The ECA provides for legal recognition of electronic messages in commercial transactions and the use of electronic messages to fulfil legal requirements, and enables and facilitates commercial transactions through the use of electronic means.

As long as there is compliance with the requirements for an “electronic signature” or “digital signature”, as set out below, the general rule is that acceptance by electronic means will be legally recognised and enforceable, unless the document is subject to a specific statutory form requirement.

Note that there is a distinction between electronic signatures and digital signatures under Malaysian laws, whereby the latter is a sub-set of the former and uses certificate-based digital IDs to authenticate each signer’s identity. There are two separate statutes governing both types of signatures, namely the ECA and the Digital Signature Act 1997 (DSA). The legal requirements under both statutes are set out below.

Electronic Signatures

The ECA recognises the use of an electronic signature (defined as “any letter, character, number, sound or any other symbol or any combination thereof created in an electronic form adopted by a person as a signature”), provided that certain conditions are met, as follows:

• it is attached to or is logically associated with the electronic message;
• it adequately identifies the person and adequately indicates the person’s approval of the information to which the signature relates; and
• it is as reliable as is appropriate given the purpose for which, and the circumstances in which, the signature is required.

An electronic signature will be considered “as reliable as is appropriate” if it can be shown that the means of creating the electronic signature is linked to and under the control of that person only, and that any alteration made to the electronic signature or document after the time of signing is detectable.

There has not been much guidance as to the exact measures that must be taken to ensure that an electronic signature complies with these requirements. The case of Yam Kong Seng & Anor v Yee Weng Kai [2014] 4 MLJ 478 provides some guidance, wherein an SMS was deemed to have fulfilled the requirements of an electronic signature under the ECA as the sender was adequately identified with the telephone number representing the caller or the sender of the electronic message. However, as this case appears to apply a very liberal interpretation, it remains to be seen whether this would continue to be upheld.

The following types of documents cannot be signed or executed electronically if they are intended to be legally binding:

• power of attorney;
• the creation of wills and codicils;
• the creation of trusts; and
• negotiable instruments.

Depending on the documents to be executed, other laws may come into play when determining whether an electronic signature would be legally binding – eg, certain types of documentation may be required to be notarised (statutory declarations, money lending agreements, etc) and therefore having the document electronically signed may not be sufficient. Furthermore, where any law requires a seal to be affixed to a document, an electronic signature will not suffice as the ECA states that the requirement of the law would only be fulfilled, if the document is in the form of an electronic message, by a digital signature as defined under the DSA.

The ECA is complemented by the Electronic Government Activities Act 2007, which provides for legal recognition of electronic messages in dealings between the Malaysian government and the public.

Digital Signatures

Under the DSA, “digital signature” is defined as “a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine –

• whether the transformation was created using the private key that corresponds to the signer’s public key; and
• whether the message had been altered since the transformation was made.”

Furthermore, under the DSA, where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where:

• that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
• that digital signature was affixed by the signer with the intention of signing the message; and
• the recipient has no knowledge or notice that the signer:
1. has breached a duty as a subscriber; or
2. does not rightfully hold the private key used to affix the digital signature.

The DSA further provides that a document signed with a digital signature that meets these requirements for validity is as legally binding as a document signed with a handwritten signature, or an affixed thumbprint or any other mark.

Digital Identity Scheme

In pursuit of enhancing Malaysia’s digital service and economy, the Malaysian government has unveiled the National Digital Identity Initiative as a verifiable platform of trust to verify internet identities or individual virtual identities in the cyber realm. Following this, Prime Minister Datuk Seri Anwar Ibrahim announced in August 2023 that the development of the National Digital Identity (IDN) will be fast-tracked to boost digital transformation in the public sector.

The Prime Minister added that the government will further implement initiatives to strengthen the ecosystem and boost involvement for start-up companies.