To date, there is no specific or standalone legislation that governs the metaverse. Instead, existing laws govern activities within this evolving digital realm, and their applicability depends on the technologies used and the functionalities they enable.
Contracts and Digital Assets
The metaverse is increasingly becoming a platform for complex interactions and transactions. These transactions often involve digital assets, which can include cryptocurrencies, non-fungible tokens (NFTs) and other virtual property. Understanding the relationship between contracts and digital assets in the metaverse is crucial, as it defines the legal framework for how these assets are traded, owned and managed.
Under the Malaysian Contracts Act 1950 (Contracts Act), transactions within the metaverse, including those concerning digital assets, would be enforceable as long as the essential contractual elements like offer, acceptance, consideration and intention to create legal relations are satisfied without specific documentary requirements. The Electronic Commerce Act 2006 (ECA) (see 9.1 Trust Services and Electronic Signatures/Digital Identity Schemes) further recognises the validity of electronic messages for contract formation, which could extend to transactions in the metaverse due to the broad definition given under the ECA.
Digital assets in the metaverse may also fall under financial and securities regulations. For instance, in the Malaysian capital markets and securities sector, blockchain-based digital assets could qualify as a “digital currency” or “digital token” as defined under the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 (Prescription Order), and be deemed as securities under the Malaysian Capital Markets and Services Act 2007. This classification subjects them to the oversight of the Securities Commission of Malaysia (SC), and the offering and trade of these digital assets, along with the operation of the platform that hosts these digital assets, will be subject to the approval and registration requirements of the SC. They may also be subject to anti-money laundering/counter-financing of terrorism (AML/CFT) controls. However, the decentralised and often borderless nature of the metaverse poses challenges in regulation enforcement and transaction monitoring.
Intellectual Property
Malaysian intellectual property law may also protect digital creations and innovations within the metaverse. In this context, end-user licence agreements or terms of service serve as a vital mechanism for defining and protecting intellectual property rights. Clear and enforceable terms in these agreements lay the groundwork for safeguarding digital creations. For instance, trade mark rights, copyright protections and other intellectual property considerations can be expressly outlined, guiding users on the lawful usage, reproduction or distribution of virtual assets.
However, the metaverse’s unique nature also introduces complex jurisdictional challenges, particularly when addressing infringement claims. The metaverse operates with a degree of anonymity, allowing users to interact with greater privacy than in the physical world, making it challenging to identify infringers and establish concrete jurisdiction.
Data Protection and Cybersecurity
The Personal Data Protection Act 2010 (PDPA) regulates the processing of personal data in commercial transactions, which can extend to the processing of personal data within the metaverse where vast amounts of personal data will be processed. Data users in the metaverse must comply with the PDPA's data protection principles, but the metaverse’s borderless nature introduces complexities in applying and enforcing data protection laws, including the PDPA.
The seven data protection principles are set out below:
Each of these principles is subject to certain exceptions and conditions. Furthermore, there are specific standards set out in the Personal Data Protection Standard 2015 (PDP Standard) for the security, retention and data integrity principles.
The PDPA generally prohibits the transfer of personal data out of Malaysia, except where it is to a permitted place (although no permitted place has been gazetted at the time of writing), or where certain exceptions apply – eg, where data subjects have consented to the transfer.
Consumer Laws
Consumer protection laws remain applicable, safeguarding consumer rights in the context of digital transactions and services. Again, however, there will be difficulties in determining which jurisdiction’s laws apply to activities in the metaverse, which is inherently decentralised.
The digital economy lacks a singular legislative framework explicitly governing its operations but businesses must comply with various laws, regulations, guidelines and industry codes of conduct that are broadly applicable, as follows.
Consumer Protection
The Consumer Protection Act 1999 (CPA) extends to any trade transaction conducted through electronic means, and the Consumer Protection (Electronic Trade Transactions) Regulations 2012 also mandate the disclosure of specific information by any person who operates a business for the purpose of supplying goods or services through a website or in an online marketplace on the website where the business is conducted.
The Price Control and Anti-Profiteering Act 2011, along with its subsidiary legislation, aims to control the prices of goods and charges for services, and to prohibit profiteering, regardless of the method of supply. It applies to the supply of goods and services, including through electronic methods.
Electronic Commerce Act
The ECA legally recognises contracts formed through electronic communications, facilitating online business relationships.
Data Protection
Inevitably, the digital economy involves the processing of personal data, which is governed by the PDPA – see 1.1 Laws and Regulation (Data Protection and Cybersecurity).
Content
Online content is primarily under the purview of the Malaysian Communications and Multimedia Commission (MCMC), which regulates the communications and multimedia industry in Malaysia. Depending on the type of content, it can be subject to a host of laws, including the Communications and Multimedia Act 1998 (CMA), which inter alia prohibits offensive content.
The Malaysian Communications and Multimedia Content Code (Content Code) issued pursuant to the CMA also applies to content made available in the networked medium, including advertisements and marketing, and is administered by the Communications and Multimedia Content Forum of Malaysia (CMCF). Compliance with the Content Code is voluntary unless the content provider is a member of the Content Forum, has voluntarily agreed to be bound by the Content Code, or is specifically directed by MCMC. However, the CMCF may impose sanctions on those subject to the Content Code following a complaint, and compliance is a defence against any prosecution, action or proceeding of any nature.
In aiming to facilitate self-governance for online curated content, the CMCF introduced its inaugural supplementary guidelines in December 2023: the Guidelines for Online Curated Content (OCC) Service Providers, which cover recommendations and best practices for OCC service providers. The Guidelines encompass the overarching principles of public and national interest, racial and religious sensitivities, and improvement of accessibility standards for disabled persons.
Payment
Electronic money (e-money) is governed by the Financial Services Act 2013 and the Islamic Financial Services Act 2013, and is recognised as a payment instrument under said Acts. E-money issuers must be approved by the Central Bank of Malaysia (BNM) and must adhere to the Policy Document on Electronic Money issued by BNM. For digital currencies and digital tokens, see 1.1 Laws and Regulation.
Key Legal Challenges
While offering numerous opportunities for innovation and growth, the digital economy presents several key legal challenges. One of the biggest challenges is ensuring privacy and data protection, given the vast amounts of personal data collected and processed. Laws like the GDPR set stringent standards but compliance and enforcement can be complex, especially for global businesses. In Malaysia, while there are laws on data protection, there are plans to strengthen the regulatory framework, including by amending the PDPA and introducing a new cybersecurity law. Balancing the regulation of digital content to prevent the spread of offensive and harmful content while respecting freedom of expression also poses a significant challenge for regulators.
Laws and Industry Codes of Conduct
In Malaysia, cloud and edge computing services are regulated through various legislative provisions, technical codes and guidelines. The primary legislation is the CMA, enforced by the MCMC.
CMA
Under the CMA, providers of cloud and edge computing services may require the following types of licences, depending on the exact service offerings, technical set-up and network topology, as the requirement for a licence depends on whether the activities fall within a “licensable activity”.
These licences are available to local entities and are issued as either individual or class licences (ASP licences are only issued as class licences). If a CMA licence is required, the CMA imposes a host of obligations, including mandatory contributions to the universal service provision fund and compliance with the access regime.
Whilst not specific to companies providing cloud or edge computing services, any company intending to import, use or offer communications equipment for sale must ensure that such equipment has been certified in accordance with the relevant technical standards/codes.
Technical codes and guidelines set out additional standards for specific types of equipment and service offerings. For instance, the Technical Code on Information and Network Security – Cloud Service Provider Selection provides selection criteria for cloud service providers based on risk assessment, industry standards and certification capabilities.
PDPA
The PDPA is the main framework for personal data protection in Malaysia, imposing obligations on data users (those who either alone or jointly, or in common with other persons, process any personal data or have control over or authorise the processing of any personal data) when using cloud and edge services. Key requirements include:
CMA licensees must register as data users with the Personal Data Protection Commissioner and comply with a specific code of practice for personal data protection.
Currently, the PDPA does not contain direct obligations for data processors and does not provide for a general data localisation requirement, although there has been a public consultation paper suggesting that these might be introduced in the future.
Greater Restrictions for Certain Industries
Financial services laws
Certain regulated industries, like banking and insurance, face stricter regulations when utilising data processing and other technological services from third parties, including cloud and edge computing services.
BNM has issued policy documents on risk management, outsourcing and customer information management. Among other stipulations, financial institutions (FIs) must consult with BNM before using a public cloud for critical systems, and must notify BNM prior to the use of cloud services for non-critical systems. In respect of outsourcing arrangements, which include outsourcing arrangements with cloud and edge service providers, the Policy Document on Outsourcing requires, among other things, that FIs obtain BNM’s approval before entering into an outsourcing arrangement, and that FIs that use cloud services maintain a register containing additional particulars of the arrangement – ie, the nature of the data held and the locations where it is stored.
The Policy Document on Management of Customer Information and Permitted Disclosures outlines requirements for FIs regarding measures and controls in handling customer information throughout the information life cycle, covering the collection, storage, use, transmission, sharing, disclosure and disposal of customer information. Among other things, FIs must ensure that the service-level agreement between them and the provider adequately reflects the FI’s obligation to safeguard customer information.
Specifically on cloud services, the Policy Document on Risk Management in Technology requires FIs to conduct comprehensive risk assessments prior to utilising cloud services and to implement safeguards to protect customer information. The Policy Document also includes specific guidance for assessing the key risks and control measures when utilising cloud services.
Government entities
Where cloud and edge computing services are provided to government entities, policy documents may mandate specific security measures, such as infrastructure and traffic segregation when handling official secrets, as well as access controls. Although there is no overarching mandate for data centres to be designated as “protected areas” or “protected places”, facilities and data centres of cloud and edge service providers that handle or store official secrets are subject to stricter regulations. These facilities may need to be classified areas, potentially being designated as prohibited areas to which access is heavily restricted.
Healthcare laws
Government approval may be required for the use and provision of cloud computing services in public hospitals and institutions. Healthcare providers may also be subject to separate data localisation requirements or requirements to maintain patient data within the healthcare facilities.
Others
Data localisation requirements may also vary by industry – eg, e-money licences may impose this requirement as a licence condition.
While there is growing acceptance of the implications of artificial intelligence (AI), Malaysia has not yet established specific legislation or guidelines dedicated exclusively to regulating AI. The Ministry of Science, Technology and Innovation (MOSTI) is exploring the regulation of AI applications and a proposed ethics and governance code for AI, which aims to address issues such as data privacy, public awareness of AI, transparency, accountability and cybersecurity. The code may also incorporate guidelines for educating the public about AI and promoting research in the field, and is being drafted based on the Recommendation on the Ethics of AI adopted by the United Nations Educational, Scientific and Cultural Organisation (UNESCO) in November 2021.
The Minister of Economy has also referred to the Malaysian government’s plan to transform Malaysia into a regional AI hub by implementing new strategies and improvements of the AI ecosystem that will be contained in the Kuala Lumpur (KL20) action plan.
Complementing these initiatives, the Malaysian Standards Department has formed a National Mirror Committee to draft national AI standards. This committee, chaired by MIMOS Berhad (a research and development centre under MOSTI), comprises representatives from the industry, academia and government ministries and agencies, ensuring a comprehensive approach to AI standardisation.
The Malaysia National AI Roadmap 2021–2025 (AIRmap) further outlines the government’s vision for AI development, proposing to establish an AI Coordination and Implementation Unit (AI-CIU) to be responsible for institutionalising existing cybersecurity policies and best practices for AI incorporation and establishing clear guidelines for data sharing within government to enable AI implementation.
It was reported in June 2023 that ministers from the ASEAN member nations agreed in February 2023 to develop an “ASEAN Guide on AI Governance and Ethics”, although details on what this guide would entail are not available at the time of writing.
Some of the key issues which could be relevant are discussed below.
Liability and insurance
In the absence of specific legislation, liability resulting from AI-enabled technologies would have to be addressed under the existing legal framework. This includes the CPA and the Sale of Goods Act 1957 (SOGA) (although AI or its output may not be classified as “goods”), along with established principles of contract and tort law.
Contract law, particularly the Contracts Act, would be relevant in evaluating liability for defective AI. Contractual provisions specific to AI usage may be incorporated to apportion liability for AI defects, but the effectiveness of such clauses has not been tested and, in the absence of case law, claimants may argue breaches of the implied terms under statutes such as the CPA and SOGA, which contain implied terms (eg, guarantees and conditions regarding title, quality, fitness for purpose, price and repairs) that cannot be contractually excluded. The manufacturer or supplier of AI technologies may be liable for malfunctions that breach these implied terms, depending on the extent of non-compliance with representations and guarantees made by the supplier regarding the technology. Product liability claims for AI under the CPA may, however, be particularly challenging due to the difficulties in pinpointing when defects occur and, unlike some jurisdictions like the European Union, there is no specific framework for AI liability in Malaysia.
Claims for damages in the context of AI-related incidents may also be framed in negligence. Central to the law of negligence is the concept of the foreseeability of loss, requiring a claimant to establish a direct chain of causation between their loss and the actions of the defendant. However, there are distinct challenges in applying traditional negligence principles (such as foreseeability and causation), given the unique characteristics of AI, particularly its ability to evolve and learn over time through machine learning. Similarly, vicarious liability – a legal principle governing accountability for one person's actions by another in a legal relationship – becomes complex when applied to AI. Associated with the relationship between a principal and an agent, such as employer and employee, vicarious liability may be argued in instances where AI, operating within designated tasks, causes harm. Here, the AI may be viewed as an intellectual agent whose actions are assigned to a principal but not recognised as a full legal person.
Nevertheless, vicarious liability comes with constraints, dictated by the scope of the agent's activity. Not every action of AI may be ascribed to its owner or operator, and deviations from defined responsibilities can introduce a responsibility gap, disrupting the chain of causation.
Evidently, each case will need to be meticulously examined on its individual merits, factoring in the complex interplay between AI's autonomous capabilities and the responsibilities of those who create and deploy these systems.
Data protection
There are challenges in safeguarding sensitive and confidential information in the process of using AI, since input data can serve as ongoing training material for the AI model. The machine learning aspect of AI would require large amounts of data for AI training and operation, which can trigger the applicability of the PDPA where personal data is involved. Organisations must ensure that all data and information processed by AI is compliant with applicable data protection laws, including the PDPA. There are no specific rules under the PDPA on AI but, in general, data users must ensure they are transparent about the use of AI and how data subjects’ personal data is being collected, used and processed.
Organisations must ensure that they have obtained the necessary consent from individuals for the processing of their personal data for the specific purposes for which it is being collected, and must make sure that such data is processed securely and safely. This becomes a challenge where “data scraping” is utilised to extract large datasets which are then used to “train” AI models – ensuring that each data subject whose personal data was “scraped” has consented to the use of their personal data in this way would be practically impossible.
Future legal developments, such as the forthcoming Profiling and Automated Decision-Making Guideline announced by the Minister of Digital, may introduce additional requirements and restrictions relevant to the processing of personal data in AI applications, so it is crucial for organisations to stay abreast of these developments as AI regulation evolves.
Intellectual property (IP)
The current IP statutory regime in Malaysia presents ambiguities when it comes to extending protection to AI-generated IP. This uncertainty arises due to the lack of specific provisions addressing AI's role in IP creation under existing laws.
In essence, AI can be conceptualised as a compilation of software algorithms operating on computer systems. These algorithms execute mathematical methods to emulate the problem-solving and decision-making abilities of humans. However, seeking patent protection for AI becomes challenging, as it may infringe upon what is traditionally deemed non-patentable or excluded subject matter in many jurisdictions, including Malaysia. This contention is exemplified in Section 13(1) of the Patents Act 1983 (PA), which expressly deems mathematical methods per se as being non-patentable.
When assessing the existing patent framework, particularly in the PA and the Patents Regulations 1986, the lack of an explicit definition of an “inventor” and the absence of provisions addressing AI involvement in the invention process leave room for ambiguity. The inclination in the language of these statutes suggests that AI may be excluded from coverage thereunder, and that inventors are expected to be natural persons. This expectation is notably reinforced by Section 18 of the PA, which vests the right to apply for a patentable invention in the inventor. Furthermore, according to the Patents Regulations, patent applications must include personal identification of the inventors, or signed written declarations where anonymity is sought.
Similar perspectives have emerged internationally. In the United Kingdom, both the High Court and the Court of Appeal have agreed that an inventor must be a natural person and cannot include an AI system. In addition, the Federal Court in Australia overturned its previous decision, stating that the “inventor” listed in an application for a patent under the Patents Act must be a natural person. However, it is crucial to note that the Federal Court in Australia clarified that its ruling does not preclude the possibility of granting a patent to an invention created by an AI system. Instead, it underscores the necessity to identify a human “inventor” for the patent application, such as the developer of the AI system. Therefore, an invention devised by an AI system may still receive patent protection, provided a human “inventor” is identified.
The situation is similarly unclear under the Copyright Act 1987 concerning AI-created works. The ongoing discussion as to whether AI-generated work is protected by the Copyright Act revolves around its language, which primarily focuses on the rights of individuals and legal entities. For instance, Section 10 of the Copyright Act grants copyright to works eligible for protection, requiring the author to be a qualified person at the time of creation. A “qualified person” is defined as follows:
While untested in Malaysian courts, the existing legal framework suggests that AI-created works may not qualify for copyright protection. The argument stems from the notion that AI-created works are essentially computer-generated, and the AI creator does not neatly fit the definition of a “qualified person” under the law.
Examining the current UK legislative framework reveals that a natural person would be the author for copyright ownership for the purposes of computer-generated works; this would therefore exclude an AI system. This position has recently been affirmed by the UK Supreme Court in Thaler (Appellant) v Comptroller-General of Patents, Designs and Trade Marks (Respondent) [2023] UKSC 49. The UK courts have consistently held that it is likely necessary for a human to have at least exercised some degree of control over the creative process that resulted in the work in question to attract copyright protection. This approach aligns with the principle that copyright should be tied to human agency in the creative process, raising similar questions about the attribution of authorship and copyright eligibility in AI-generated works. Malaysia has yet to provide explicit guidance on these matters, but the UK decision sets a precedent that could influence future rulings in common law jurisdictions such as Malaysia.
Another consideration would be when a user edits AI-generated output, transforming it into their independent creation. This action may arguably meet the criteria set forth in Section 7 of the Copyright Act, requiring sufficient effort to render the work original and reducing it to material form. Such a transformation raises questions about the eligibility of this modified creation for copyright protection. This scenario prompts inquiries into the interplay between AI and human creativity, potentially signalling the need for copyright law to evolve and adapt to these emerging dynamics. Other key considerations include the duration of copyright in AI-created works, moral rights related to AI, and the enforcement of copyright for such works.
The above highlights the need for clear regulatory guidelines and legal frameworks to address the intricacies of AI involvement in IP creation. As AI technology continues to evolve, establishing clear parameters and legal clarity becomes essential to navigate the intricate intersections of AI and intellectual property rights.
At present, Malaysia lacks a dedicated statute specifically addressing the internet of things (IoT). However, regulation is achieved through existing sector-specific guidelines and a suite of laws that possess sufficient breadth to encompass IoT projects. Key examples of such encompassing laws, regulations and guidelines are outlined below.
Telecommunications Regulations
In the implementation of IoT initiatives, adherence to the licensing and regulatory framework of the CMA is mandatory. This framework, inclusive of spectrum usage requirements, is particularly pertinent when engaging in licensable activities specified in the CMA and its subsidiary legislation; see 7.1 Scope of Regulation and Pre-marketing Requirements. Procuring the necessary licence is obligatory, accompanied by compliance with diverse obligations stipulated in the CMA. Notably, projects involving spectrum usage must align with assignments by MCMC, in harmony with the Spectrum Plan and relevant Standard Radio System Plans. In addition, communications equipment, integral to IoT, must obtain certification from the certifying body designated by MCMC, namely SIRIM QAS International Sdn Bhd, ensuring adherence to safety and technical standards, including the Technical Code on Short Range Devices.
Various technical codes also contribute to the regulatory framework for IoT, covering areas such as application security requirements, high-level functional architecture, security management and short-range device specifications.
Cybersecurity
Despite the absence of a dedicated cybersecurity law, Malaysia has adopted a proactive stance in addressing emerging threats. The Minister of Communications, Fahmi Fadzil, disclosed plans for an upcoming Cybersecurity Bill, spearheaded by the National Cyber Security Agency (NACSA). This initiative signifies a critical step in reinforcing Malaysia's digital resilience, and underscores Malaysia's commitment to swift adaptation to evolving cyber threats. The bill aims to establish a legal structure promoting proactive governance, effective response mechanisms and continuous improvement in cybersecurity.
Organisations undertaking IoT projects are advised to consider existing legislation with potential relevance to cybersecurity, including laws such as the Computer Crimes Act 1997, the Penal Code, the Copyright Act, the Digital Signature Act 1997, the Strategic Trade Act 2010 and the Official Secrets Act 1972. Furthermore, the Guidelines for Secure Internet of Things, released in 2020 by CyberSecurity Malaysia (an agency under the purview of MCMC), offer valuable yet non-binding insights. These guidelines serve as a practical resource, outlining security requirements and controls for stakeholders, with the objective of establishing a robust IoT security framework and enhancing awareness of existing threats and vulnerabilities.
Data Protection
As IoT initiatives extend into machine-to-machine communications, the relevance of data protection and communications secrecy comes to the forefront. Cross-border data flows between IoT devices necessitate a nuanced approach, considering compliance requirements, especially regarding the consent of data subjects for cross-border transfers of personal data via IoT devices. This entails a commitment to key data protection principles under the PDPA.
The IoT Guidelines provide a comprehensive set of security controls, facilitating the development of secure IoT systems. These controls include risk mitigation measures related to communications encryption, cloud security, authentication, access control, data protection and privacy, operation and maintenance, among others. This holistic approach aims to navigate the complexities of data protection and communications security in the evolving landscape of IoT projects in Malaysia.
Regulation of the Media Sector
In Malaysia, content is governed by a host of laws, depending on the type of content. Online content/content in the networked medium, which would include video channels, is primarily under the purview of MCMC, which also regulates licensing requirements for the provision of content in general. Specifically on censorship, the Film Censorship Board (FCB) regulates traditional media outlets and content on TV and in cinemas. The National Film Development Corporation Malaysia (FINAS) has prerogative over film production, distribution and exhibition activities in Malaysia. Note that the likelihood of enforcement by FINAS and FCB may differ for over-the-top content, including video-sharing platform services.
Licensing Requirements – CMA
Under the CMA, providers of content applications services are required to obtain a Content Applications Service Provider (CASP) licence, unless specifically exempted under the CMA. The CMA provides exemptions from licensing requirements for providers of “closed” content applications services (ie, services that are not accessible to the general public) and “incidental” content applications services (ie, services that provide content in a manner entirely incidental to the service provided). Internet content applications services (such as over-the-top services and online video-sharing platforms) are also exempted under the Communications and Multimedia (Licensing) (Exemption) Order 2000.
CASP licences may be issued as either individual licences or class licences (see 7.1 Scope of Regulation and Pre-marketing Requirements). CASPs that meet the following criteria are likely to require an individual licence, on the basis that the content:
CASP individual licences are typically required for entities involved in the traditional broadcasting industry, such as terrestrial radio broadcasting, satellite broadcasting, terrestrial free-to-air TV and subscription broadcasting. On the other hand, CASPs providing limited content applications services are not required to hold an individual licence and are exempted from the requirement to be licensed, unless a class licence is applicable. A CASP of a limited content applications service is regulated by a class licence if it falls within the following categories:
As an industry regulated under the CMA, licences for the provision of content applications services are subject to the same fees and eligibility requirements as telecommunications services, and the applicable fees and eligibility requirements would depend on whether the licence is an individual licence or class licence (see 7.1 Scope of Regulation and Pre-marketing Requirements). Applications for licences are to be made to MCMC in the prescribed forms.
Other Licences/Approvals
Depending on the facts, additional licensing requirements may apply. For example, the production, distribution or exhibition of films may require a licence from FINAS. Such films may also require the approval of the FCB.
Content Requirements and Restrictions
As set out above, content is subject to a host of laws, depending on the type of content, with the main laws being:
For example, the CMA generally prohibits the provision of content that is indecent, obscene, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass any person via a content applications service, and content that is deemed seditious will contravene the Sedition Act. Additional laws may also apply, depending on the specific facts, such as the Copyright Act for content that infringes copyright.
To aid the regulation of the content industry, the CMCF issued the Content Code, which contains obligations and restrictions relating to content, and guidelines for a variety of different content platforms, including advertising guidelines, specific broadcasting guidelines and specific online guidelines.
Of relevance to providers of video-sharing platform services, the Content Code stipulates that providers of access to content that have neither control over the composition of such content nor any knowledge of such content are deemed innocent carriers, and are not responsible for the content provided, although there is also case law suggesting that an online intermediary platform may still be liable for third-party content.
The regulatory and licensing framework under the CMA is sufficiently extensive to cover a wide range of technologies and services, even in the absence of specific references to individual technologies and services. Specific technologies and services may also be addressed through various regulations, guidelines, technical codes and other voluntary codes issued by MCMC and/or other industry forums.
Licensing
Under the current telecommunications regime, there are four categories of licensable activities.
Spectrum
Aside from telecommunications licences, the use of spectrum is regulated and an assignment of spectrum is required in order to use any part of the spectrum. The use of the spectrum is prohibited without one of the following:
If the technology or device falls under any of the Schedules under the latest CA document, and use thereof complies with the requirements (including any conditions attached to the CA), no fees or application will be required. The use of a device and frequency/frequency band for any purpose other than that specified in the Schedules requires approval from MCMC.
The devices must also be certified by MCMC or its registered certifying agency (ie, SIRIM) either with a compliance approval, which is granted to a specific model of a device that has been certified as compliant with the specified standards or technical codes, or by way of a special approval. Special approvals are only granted to equipment that is used exclusively by the applicant for specific purposes.
Other Issues
Aside from the licensing and spectrum requirements outlined above, there may potentially be other issues, like numbering requirements, technical standards, etc, depending on the specific facts and services.
A variety of challenges that apply generally to contracts will also apply to technology agreements, but there may be unique challenges posed, especially when contracting with the Malaysian government or customers from highly regulated industries such as finance and healthcare. Some of the key challenges that organisations may face when entering into a technology agreement are outlined below.
IP Rights
One of the critical aspects of technology agreements is the handling of IP rights, and common challenges include ambiguity as to the ownership of IP rights and joint ownership issues (note that in the absence of an agreement, joint ownership may also arise by operation of law when the IP is jointly developed or created by two or more persons). If IP is jointly owned, there are certain risks (eg, in relation to granting a licence) and, in certain circumstances, a joint decision by both parties is required, depending on the type of IP involved. Therefore, it is advisable to expressly stipulate the rights and obligations of the respective parties under the agreement, as well as whether there are restrictions imposed on the parties. Furthermore, parties should negotiate and define who bears the responsibility for enforcing the IP rights against an infringer, who will pay for and control the enforcement process, and how costs and expenses are allocated among the parties.
Scope of Work
Aside from ownership of the technology in question and IP licensing, disputes also typically revolve around the scope of work and non-payment. A well-defined scope of work and clear deliverables are crucial to prevent such disputes, which includes detailing project timelines, performance criteria and service level obligations, milestones, change of control and project governance.
Confidentiality, Data Protection and Cybersecurity
With the increasing importance of data in the digital economy, technology agreements must sufficiently address confidentiality, data protection and cybersecurity. The role of confidential information is especially critical where IP law does not offer adequate safeguards. Agreements must also ensure compliance with applicable laws like the PDPA. Furthermore, in highly regulated sectors, there tend to be stricter requirements on data protection and cybersecurity, which must be catered for in the agreement. For instance, health data that is categorised as “sensitive personal data” under the PDPA may be subject to localisation requirements, particularly in the private healthcare sector.
Sector-Specific Requirements
Where the technology agreement is with an organisation in a regulated industry, the organisation should be aware that it may also be subject to other regulations or guidelines.
For instance, FIs in Malaysia are subject to guidelines issued by BNM and some of BNM’s Guidelines – in particular, the Risk Management in Technology Guidelines – set out certain requirements concerning engaging third-party service providers. For example, where an FI’s IT system is managed by third-party service providers, the FI is required to ensure, including by way of contractual obligations, that the relevant third-party service providers give sufficient notice before any changes that may impact the IT system are undertaken. Furthermore, an FI or financial service provider may be required to include specific provisions in its contract with the organisation and certain contracts/arrangements may require approval from BNM, pursuant to the requirements under the relevant BNM Guidelines.
Overview
In Malaysia, contracts formed electronically are recognised pursuant to the ECA. The ECA provides for legal recognition of electronic messages in commercial transactions and the use of electronic messages to fulfil legal requirements, and enables and facilitates commercial transactions through the use of electronic means.
As long as there is compliance with the requirements for an “electronic signature” or “digital signature”, as set out below, the general rule is that acceptance by electronic means will be legally recognised and enforceable, unless the document is subject to a specific statutory form requirement.
Note that there is a distinction between electronic signatures and digital signatures under Malaysian laws, whereby the latter is a sub-set of the former and uses certificate-based digital IDs to authenticate each signer’s identity. There are two separate statutes governing both types of signatures, namely the ECA and the Digital Signature Act 1997 (DSA). The legal requirements under both statutes are set out below.
Electronic Signatures
The ECA recognises the use of an electronic signature (defined as “any letter, character, number, sound or any other symbol or any combination thereof created in an electronic form adopted by a person as a signature”), provided that certain conditions are met, as follows:
An electronic signature will be considered “as reliable as is appropriate” if it can be shown that the means of creating the electronic signature is linked to and under the control of that person only, and that any alteration made to the electronic signature or document after the time of signing is detectable.
There has not been much guidance as to the exact measures that must be taken to ensure that an electronic signature complies with these requirements. The case of Yam Kong Seng & Anor v Yee Weng Kai [2014] 4 MLJ 478 provides some guidance, wherein an SMS was deemed to have fulfilled the requirements of an electronic signature under the ECA as the sender was adequately identified with the telephone number representing the caller or the sender of the electronic message. However, as this case appears to apply a very liberal interpretation, it remains to be seen whether this would continue to be upheld.
The following types of documents cannot be signed or executed electronically if they are intended to be legally binding:
Depending on the documents to be executed, other laws may come into play when determining whether an electronic signature would be legally binding – eg, certain types of documentation may be required to be notarised (statutory declarations, money lending agreements, etc) and therefore having the document electronically signed may not be sufficient. Furthermore, where any law requires a seal to be affixed to a document, an electronic signature will not suffice as the ECA states that the requirement of the law would only be fulfilled, if the document is in the form of an electronic message, by a digital signature as defined under the DSA.
The ECA is complemented by the Electronic Government Activities Act 2007, which provides for legal recognition of electronic messages in dealings between the Malaysian government and the public.
Digital Signatures
Under the DSA, “digital signature” is defined as “a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine –
Furthermore, under the DSA, where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where:
The DSA further provides that a document signed with a digital signature that meets these requirements for validity is as legally binding as a document signed with a handwritten signature, or an affixed thumbprint or any other mark.
Digital Identity Scheme
In pursuit of enhancing Malaysia’s digital service and economy, the Malaysian government has unveiled the National Digital Identity Initiative as a verifiable platform of trust to verify internet identities or individual virtual identities in the cyber realm. Following this, Prime Minister Datuk Seri Anwar Ibrahim announced in August 2023 that the development of the National Digital Identity (IDN) will be fast-tracked to boost digital transformation in the public sector.
The Prime Minister added that the government will further implement initiatives to strengthen the ecosystem and boost involvement for start-up companies.
Level 8
Wisma Uoa Damansara
50 Jalan Dungun
Damansara Heights
50490 Kuala Lumpur
Malaysia
+603 2081 3999
+603 2094 3211
www.skrine.com
TMT in Malaysia: An Introduction
In a year marked by pivotal advancements, the TMT sector has witnessed significant regulatory shifts that signal a clear intent by the government to strengthen oversight in the TMT sector. These changes, driven by the need to balance innovation with responsible governance, have garnered considerable attention in Malaysia. This article will spotlight the key regulatory developments that have dominated the headlines in the TMT sector throughout the year.
Content regulation
With the ever-increasing popularity of content-driven social media platforms and online content, the Malaysian government has been increasingly active in its regulation of content, with reports indicating that it has issued a record number of requests to certain popular social media platforms to remove or restrict content deemed divisive or provocative. Legal and regulatory developments in this space also indicate the government’s increasing scrutiny of content.
In November 2023, it was reported that the government is considering mandatory registration for all social media platform service providers with the Malaysian Communications and Multimedia Commission (MCMC). The Minister of Communications, Fahmi Fadzil, said this move is deemed appropriate to ensure all such providers understand and comply with the country’s legislation.
Furthermore, the Malaysian Media Council Bill aims to regulate Malaysia’s media industry and will, inter alia, address issues related to advertising revenue for media organisations and include a grievance mechanism to enable any party to lodge complaints to the council on their dissatisfaction about any news. Deputy Minister of Communications, Teo Nie Ching, emphasised the bill’s role in promoting responsible media practices and stated that the council will serve as an authoritative body to decide whether a news report has violated journalistic ethics (eg, whether the contents of an article are ethical or unethical) or whether the article is using clickbait headlines to invoke emotional reactions in readers. At the time of writing, the bill's content is under scrutiny, with discussions reportedly focused on definitions, enforcement powers and other key issues, with the aim of reaching a consensus among all stakeholders.
In December 2023, the Communications and Multimedia Content Forum of Malaysia (Content Forum) published the Guidelines for Online Curated Content (OCC) Service Providers, which set out recommendations and best practices for OCC service providers. The guidelines encompass overarching principles of public and national interest, racial and religious sensitivities, and the improvement of accessibility standards for disabled persons. They also address other key points, such as:
Developments in Malaysia’s 5G landscape
In recent years, Malaysia has taken proactive measures to adequately integrate 5G technology. The roll-out began in late 2021 through a Single Wholesale Network (SWN) model led by Digital Nasional Berhad (DNB), the special-purpose vehicle established by the Malaysian government to drive the development of 5G infrastructure in Malaysia, in which the government was initially the sole shareholder. Since then, there have been notable developments in Malaysia’s 5G landscape.
Shortly after its formation, equity stakes in DNB were offered to major Malaysian mobile network operators (MNOs); as of 1 December 2023, five major MNOs have each signed share subscription agreements (SSA) with DNB. Under their respective SSAs, the MNOs will each subscribe for 100,000 shares in DNB and make an advance of MYR233,333,333 to DNB as prepayment for 5G products and services. The SSAs give effect to the MNOs’ total subscription of 70% equity in DNB, with each MNO obtaining a 14% stake. The remaining 30% of DNB’s share capital will be held by the Minister of Finance Inc. of Malaysia, which will, in addition, hold a “special share” that confers certain rights involving national interests, as well as the right to appoint a director to DNB’s board of directors to represent the Malaysian government’s interests. The five MNOs are CelcomDigi Berhad (via its wholly-owned subsidiary, Infranation Sdn Bhd), Maxis Berhad (via its wholly-owned subsidiary, Maxis Broadband Sdn Bhd), U Mobile Sdn Bhd, Telekom Malaysia Berhad and YTL Power International Bhd (the holding company of YTL Communications Sdn. Bhd.).
In May 2023, after a five-month review, the government decided to transition from the SWN model to a Dual Wholesale Network (DWN) model, where a new entity (Entity B) will be selected to build Malaysia’s second 5G network. This decision was reportedly made by the government considering the sustainability of Malaysia’s telecommunications industry ecosystem and the benefits of a competitive 5G landscape. The Minister of Communications has stated that the transition to the DWN model would take place once 5G network coverage in populated areas reaches 80%, which has reportedly been achieved as of 31 December 2023, with coverage reaching 80.2%. According to news reports, a mutual agreement will have to be reached among the MNOs as to which will make a jump to Entity B, with the MCMC having the discretion to make a final decision if no deal is reached.
Communications and Digital Ministry split to meet growing demands of portfolio
To address the growing demands in the communications and digital sectors, the Malaysian government restructured the Communications and Digital Ministry, dividing it into the Ministry of Communications and the Ministry of Digital. The new Ministry of Digital is primarily dedicated to spearheading the country’s digital transformation, particularly in response to the increase in demand for data centres and artificial intelligence.
It was reported in mid-December 2023 that the Minister of Digital, Gobind Singh Deo, will take over several agencies that were previously under the now-defunct Ministry of Communications and Digital, such as the Malaysia Digital Economy Corporation (MDEC), MYNIC and the Personal Data Protection Department; it was further announced in early January 2024 that DNB, CyberSecurity Malaysia and the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU) are also among the other agencies placed under the new Ministry of Digital. The MCMC will remain under the Ministry of Communications.
Developments in Malaysia’s AI landscape
The Malaysian government has previously made known its intention to transform Malaysia into one of the top AI infrastructure and technology hubs in the region, and is actively looking to cultivate the use of AI in the country and to implement appropriate instruments to regulate use thereof. Key recent developments on AI in Malaysia include the following.
Malaysia Digital Status – an initiative for the digital economy
In a significant stride towards advancing Malaysia's digital landscape, the Malaysia Digital (MD) initiative was launched on 4 July 2022, replacing the longstanding Multimedia Super Corridor initiative. The MD initiative aims to fortify Malaysia's digital capabilities and propel the national digital economy to new heights towards accomplishing its goal of becoming a regional data centre hub.
The MD initiative concentrates on nine key growth sectors:
The Guidelines on Malaysia Digital Status, issued on 30 June 2022, delineate crucial aspects of MD Status, including eligibility criteria, conditions, benefits, application processes and ongoing obligations. To be eligible for MD Status, a company must be incorporated under the Companies Act 2016, must be resident in Malaysia, and must carry out, or propose to carry out, one or more of the MD Approved Activities. The MD Approved Activities encompass a spectrum of technologies, including big data analytics, artificial intelligence, financial technology, internet of things, advance telecommunications technology, data centre and cloud.
MD Status companies are obliged to comply with certain conditions as set out in the Guidelines on Malaysia Digital Status within 12 months, including requirements to:
MD Status companies enjoy an array of incentives, rights and privileges outlined in the Malaysia Digital Bill of Guarantees. These include access to world-class infrastructure, employment flexibility, freedom from local ownership requirements (subject to the requirements and discretion of the relevant regulatory authority), global capital sourcing and competitive financial incentives.
The application process involves assessment by MDEC and approval by a committee of government representatives. Successful applicants receive an MD Status Digital Certificate, with the status being perpetual and contingent on continued compliance with the conditions attached to the MD Status. MD Status companies can apply to add new MD Approved Activities under their MD Status, subject to meeting the original conditions. MD Status companies must notify MDEC of certain changes to the company, such as changes in the paid-up capital and name of the company; they are also required to submit annual reports, verified by an independent auditor, detailing the progress of the company in carrying out the relevant MD Approved Activity(ies) and compliance with the conditions attached to the MD Status. MDEC may also request additional information for monitoring purposes.
MD Status may be revoked in case of non-compliance with any of the conditions attached to the MD Status, leading to the withdrawal of granted incentives. Surrender requests are accepted if the company has complied with the conditions attached to its MD Status, with the surrender taking effect upon approval by the Approval Committee. Notably, companies with Multimedia Super Corridor status will automatically transition to MD Status without reapplication, with benefits continuing, subject to compliance with the applicable conditions.
The introduction of MD Status marks a pivotal moment in Malaysia's digital journey, offering enhanced privileges and incentives. The successful transition of this rebranding from the Multimedia Super Corridor demonstrates Malaysia's commitment to furthering its position in the global digital economy.