In Malaysia, the digital economy is not governed by a single legal framework. Instead, its regulation spans various statutes, subsidiary legislation, case laws, guidelines and industry codes relating to matters such as data protection, communications, media, consumer protection, electronic transactions and cybersecurity, some of which are discussed below.

The Electronic Commerce Act

The Electronic Commerce Act 2006 (ECA), which aims to enable and facilitate commercial transactions through the use of electronic means, effectively serves as a statutory recognition of contracts formed by electronic means. It provides that a contract shall not be denied legal effect, validity or enforceability on the ground that an electronic message is used in its formation.

Communications and Multimedia Act

Online communications and contents play a significant role in the digital economy. In this regard, communications are primarily regulated by the Communications and Multimedia Act 1998 (CMA). The CMA provides for, among others, the regulation of content, and the licensing of providers of network facilities, network services, applications services and content applications services. Services such as internet access, cloud, social media, messaging (including internet messaging) – all of which are intrinsically linked to the digital economy, would fall within the purview of the CMA.

The CMA prohibits certain types of content and communications, such as indecent and offensive content and communications, which would limit the types of digital activities and services that can be offered or conducted within the digital economy. Content is also regulated through the Malaysian Communications and Multimedia Content Code (Third Edition, 2022) (the “Content Code”), issued and administered by the Communications and Multimedia Content Forum of Malaysia (the “Content Forum”), and registered as a voluntary industry code under the CMA. This means that, unless otherwise subject to any direction by the Malaysian Communications and Multimedia Commission to comply with it, compliance with the Content Code is voluntary.

However, compliance with the Content Code shall be a defence against any prosecution, action or proceeding of any nature. In this connection, the Content Code provides guidelines on various types of contents including online contents and advertisements.

Other Legislation

Other relevant legislation includes the Penal Code, Financial Services Act 2013, the Consumer Protection Act 1999 (CPA) including the Consumer Protection (Electronic Trade Transactions) Regulations 2012 (CPETTR), Strategic Trade Act 2010, Computer Crimes Act 1997, Digital Signature Act 1997, and Copyright Act 1987.

Challenges

As the internet serves as the backbone for most activities within the digital economy, the inherent reliance on the internet brings about significant challenges, particularly in the realm of cybersecurity and data protection, where vulnerabilities to hacking, data breaches and cyber-attacks pose risks to businesses and consumers alike. Additionally, the vast amount of data generated, collected and processed raises critical concerns regarding data protection and privacy, especially when data flows across jurisdictions and may end up at a place without adequate legal protection. In an effort to address these challenges, the Cyber Security Act 2024 (CSA) was recently introduced, followed by amendments to the Personal Data Protection Act 2010 (PDPA).

CSA

The CSA came into force on 26 August 2024 alongside subsidiary regulations relating to the notification of cybersecurity incidents, risk assessments, licensing of cybersecurity service providers, etc. Public and private entities (including private businesses) that are designated as national critical information infrastructure entities (“NCII Entities”) and cybersecurity service providers will be expected to comply with the regulatory requirements under the CSA and the above-mentioned regulations.

One of the main focuses of the CSA is the protection of national critical information infrastructure (NCII), defined to mean a “computer or computer system which the disruption to or destruction of the computer or computer system would have a detrimental impact on the delivery of any service essential to the security, defence, foreign relations, economy, public health, public safety or public order of Malaysia, or on the ability of the Federal Government or any of the state governments to carry out its functions effectively”. The CSA identifies the following 11 sectors as NCII sectors, and any person or entity operating within such sectors may potentially be designated as an NCII Entity if the relevant sector lead tasked to carry out the designation is satisfied that such person or entity owns or operates an NCII:

• government;
• banking and finance;
• transportation;
• defence and national security;
• information, communication and digital;
• healthcare services;
• water sewerage and waste management;
• energy;
• agriculture and plantation;
• trade, industry and economy; and
• science, technology and innovation.

The CSA imposes various duties on an NCII Entity, including those relating to the implementation of measures, standards and processes, cybersecurity risk assessments, cybersecurity audits and notification of cybersecurity incidents.

PDPA

Where processing of personal data in commercial transactions is involved, the PDPA, which is the primary legislation governing the processing of personal data, will apply. The PDPA requires, among others, compliance with the seven Personal Data Protection Principles, namely the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle, and the Access Principle, as well as other requirements such as those for the cross-border transfer of personal data.

Amendments to the PDPA pursuant to the Personal Data Protection (Amendment) Act 2024 (the “PDP Amendment Act”) aim to strengthen the data protection framework, including the introduction of data processors’ obligations, data portability rights, the requirement to a appoint data protection officer and mandatory data breach notifications, and they are being implemented in phases over the first half of 2025. This means that businesses that process personal data, including those in the digital economy sector, will have to adapt their business operations to align with the amended PDPA requirements. These adjustments may include reviewing data processing practices, updating internal policies, enhancing data security measures, and ensuring adequate training for personnel to meet the new legal standards.

The advent of digital economy also brings about concerns on online safety, which is sought to be addressed by the Online Safety Bill 2024 (OSB). The OSB seeks to enhance and promote online safety and regulate harmful content by providing for duties and obligations of the applications service providers (ASPs), content applications service providers (CASPs) and network service providers, while strengthening regulatory oversight in the digital space. Upon receiving Royal Assent and being gazetted, the OSB will take effect on a date specified by the Minister of Communications.

Service Tax

For purposes of the Service Tax Act 2018 (STA), “digital service” refers to “any service that is delivered or subscribed over the internet or other electronic network and which cannot be obtained without the use of information technology and where the delivery of the service is essentially automated”. 

“Digital service” is prescribed as a taxable service, meaning that 8% service tax is chargeable under the STA upon any digital service provided in Malaysia by a registered person in carrying on their business.

“Digital service” also includes the provision of an electronic medium that allows suppliers to provide supplies to customers or transactions for provision of digital services on behalf of any person.

The service provider will be required to be registered under the STA and charge service tax if the total value of its taxable services in a particular month and the 11 months immediately preceding that month has exceeded MYR500,000 or, where there are reasonable grounds for believing that the total value of all its taxable services in that month and the 11 months immediately succeeding that month will exceed MYR500,000, whichever is earlier.

Imported digital services are also subject to the 8% service tax on digital services acquired by any person in Malaysia from any person who is outside Malaysia in B2B transactions. The recipient of the imported services must account for and pay the service tax to the Royal Malaysian Customs Department (“Customs”).

The 8% service tax is also applicable where a foreign service provider provides any digital service to consumers. “Consumer” means any person who fulfils any two of the following:

• makes payment for digital services using credit or debit facility provided by any financial institution or company in Malaysia;
• acquires digital services using an internet protocol address registered in Malaysia or an international mobile phone country code assigned to Malaysia; or
• resides in Malaysia.

Such foreign service providers will be required to register under the STA within the stipulated period if the total value of all its digital services to consumers in a particular month and the 11 months immediately preceding that month has exceeded MYR500,000 or where there are reasonable grounds to believe that the total value of all its digital services in the next 12 months will exceed MYR500,000, whichever is earlier. They will also have to file the relevant service tax returns and account for the service tax to Customs, among other reporting obligations.

Digital services provided in relation to matters outside Malaysia are exempt from service tax as are those provided by a company to any company within the same group of companies provided certain conditions are met.

Withholding Tax

A 10% withholding tax (subject to any exemption or reduced tax rate available under the applicable double tax treaty (DTA)) is also levied on payments to a non-resident in consideration of any advice given, or assistance or services rendered, in connection with the management or administration of any scientific, industrial or commercial undertaking, venture, project or scheme which are derived or deemed derived from Malaysia. However, no withholding tax applies if such technical advice, assistance or services are rendered outside of Malaysia.

Where the provision of the digital service or product involves a royalty payment, withholding tax obligations may arise upon the payment of “royalties” derived from Malaysia to a non-resident person (unless attributable to a business of the non-resident carried on in Malaysia). The payer must deduct and withhold tax at 10% of the gross amount (subject to any exemption or reduced tax rate available under the applicable DTA).

Royalties would be deemed to be derived from Malaysia if, among other things, responsibility for payment lies with a person who is tax-resident in Malaysia for that basis year.

“Royalty” is given a very broad definition under the Income Tax Act 1967 (ITA), being deemed to include any sums paid as consideration for, or derived from:

• the use of, or the right to use in respect of, any copyrights, software, artistic or scientific works, patents, designs or models, plans, secret processes or formulae, trade marks or other like property or rights;
• the use of, or the right to use, know-how or information concerning technical, industrial, commercial or scientific knowledge, experience or skill;
• the alienation of any property, know-how or information mentioned in the foregoing paragraphs.

Where a DTA has been concluded between Malaysia and the jurisdiction in which the non-resident is tax-resident, the treaty provisions will prevail over the ITA in the event of a conflict. That is to say, the treaty definition of “royalty” will apply in such circumstances rather than the broad definition of the same under the ITA so that the payment in question may not be subject to Malaysian withholding tax.

Challenges

One of the challenges is the differing views which the payer and service provider may take with regard the characterisation of the payment as royalty or a payment for services.

As the withholding tax liability (if any) is imposed upon the payer, some payers may subject payment of the fees for such digital services or goods to withholding tax since the Malaysian Inland Revenue Board is likely to regard payments relating to software as constituting royalty and will penalise the payer if the payments to the non-resident are not subjected to withholding tax. 

As such, parties should ensure that the contracts are clearly drafted and indicate who should bear the withholding tax, in the event it is applicable.

Advertising service, including digital advertising, is prescribed as a taxable service, meaning that, 8% service tax is chargeable under the STA upon any advertising service provided in Malaysia by a registered person in carrying on their business.

Similarly, imported advertising services are also subject to the 8% service tax if such services are acquired by any person in Malaysia from any person who is outside Malaysia in B2B transactions. The recipient of the imported services must account for and pay the service tax to Customs.

The 8% service tax is also applicable where a foreign service provider provides any digital service to consumers, as explained in 1.2 Digital Economy Taxation. 

Service tax is not chargeable on advertising services provided for promotion outside Malaysia or on advertising services provided by a company to any company within the same group of companies if the relevant conditions are met.

A 10% withholding tax may also apply, as discussed in 1.2 Digital Economy Taxation. However, no withholding tax applies if the advertising services were wholly rendered outside of Malaysia.

The CPA is the key legislation governing consumer rights in Malaysia, including those relevant to digital goods and services. Although not drafted with online transactions in mind, its scope has expanded to cover online transactions, particularly after the introduction of the CPETTR. Key features of the CPA include protections against misleading conduct, false representations and unfair practices, along with guarantees for acceptable quality, fitness for purpose, and the right to redress.

The CPETTR in turn requires the supply of goods and services through websites or online marketplaces to be accompanied by disclosure of mandatory information such as the full price of the goods or services including transportation costs, taxes and any other cost, and mandates online marketplace operators to maintain records of the sellers and service providers trading on their platform. These provisions ensure comprehensive consumer protection in the evolving digital economy.

Please note that other laws such as the Sale of Goods Act 1957, Contracts Act 1950, Trade Descriptions Act 2011 and the Price Control and Anti-Profiteering Act 2011 also contain provisions that may be relevant to consumer protection within the digital economy.

The Securities Commission Malaysia (SC) is the primary regulator of the digital asset industry in Malaysia and has developed a regulatory framework that treats certain digital currencies and digital tokens as securities for the purposes of securities law. The SC has issued the Guidelines on Digital Assets and Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019, which was recently amended by Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) (Amendment) Order 2025.

Any person intending to issue digital assets or operate a platform that hosts such digital currency or digital token will be subject to the approval and registration requirement of the SC.

However, both the Central Bank of Malaysia (BNM) and the SC have emphasised that, currently, cryptocurrency is not a payment instrument regulated by BNM. Therefore, cryptocurrencies are not considered as legal tender in Malaysia.

CMA

Cloud computing is regulated in Malaysia primarily by the CMA and the Communications and Multimedia (Licensing) Regulations 2000 (the “Licensing Regulations”).

Pursuant to the Information Paper on Regulating Cloud Services published by the Malaysian Communications and Multimedia Commission (MCMC) on 17 December 2021 and updated on 30 September 2024 (the “Information Paper”), the provision of cloud services, defined as “any service made available to end users on demand via the internet from a cloud computing provider’s server”, is considered as the provision of applications services under the CMA. The provision of applications services is one of the categories of licensable activities under the CMA, alongside the provision of network facilities, network services and content applications services. Unless otherwise exempted from the CMA licensing requirements, the conduct of the foregoing activities requires the facility or service provider to be licensed.

Noting that cloud services could generally be categorised as either software-as-a-service, platform-as-a-service and infrastructure-as-a-service, the Information Paper clarifies that providers of software and solutions which rely on other cloud services platform and infrastructure, known as “pure software providers”, are not subject to the foregoing cloud service licensing requirement.

The licensing framework under the CMA imposes the requirement of local presence in the provisioning of the licensable activities. As such, the regulation on cloud services will be based on this premise, whereby a person with local presence would be required to be registered as an ASP class licensee. Pursuant to Ministerial Direction No 2 of 2024 issued on 24 July 2024, CMA class licensees providing cloud services are required to take part in the contribution of universal service provision fund, in accordance with the provision under the Communications and Multimedia (Universal Service Provision) Regulations 2002, for the return of net revenue for the calendar year 2025 onwards.

PDPA

To the extent personal data is processed in the context of cloud and edge computing, the requirements of the PDPA shall be fulfilled.

The obligations under the PDPA are generally imposed on data users (to be known as “data controllers” from 1 April 2025). From 1 April 2025, data processors will also assume certain obligations under the PDPA. This means that, in the context of cloud and edge computing, both the users of cloud and edge computing and the providers may directly be subject to the PDPA, depending on the roles they assume.

The principles and other requirements enumerated in the PDPA must therefore be meticulously assessed within the framework of cloud and edge computing. This includes examining their interplay with the unique characteristics and challenges of these technologies, such as data transfer, storage and processing across distributed networks. Particular attention must be given to the requirements to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, and to not keep personal data longer than is necessary.

The Security Standard for personal data processed electronically, as contained in the Personal Data Protection Standard 2015 (PDPS), is of especial relevance to cloud computing:

• the transfer of data through cloud computing services requires the written consent of an officer authorised by the top management of the data user organisation;
• any transfer of data through cloud computing services must be recorded; and
• the transfer of data through cloud computing services must comply with the personal data protection principles in Malaysia and the personal data protection laws of other countries.

According to the Public Consultation Paper No 04/2024 (Personal Data Protection Standards), in an effort to bring the PDPS in line with international best practices, a revised set of standards is being developed by the Personal Data Protection Commissioner. In light of the PDP Amendment Act, both providers and users of cloud and edge computing shall monitor the implementation of the PDPA amendments, and the regulations, standards and guidelines that may be introduced, to ensure ongoing compliance.

Other Data Sharing Laws

It is crucial that other laws and regulations are also considered, such as the Strategic Trade Act 2010 pursuant to which information and data have the potential of being considered as strategic technology controlled by the legislation.

The use by public sector agencies of cloud and edge computing solutions may also have to take into account the upcoming requirements under the Data Sharing Bill 2024, which aims to regulate data sharing between public sector agencies, once it comes into force.

CSA

As the “information, communication and digital” sector is among the NCII sectors under the CSA, providers of cloud and edge computing may potentially be designated as NCII Entities which will be subject to the CSA obligations applicable to NCII Entities.

On the other hand, entities designated as NICC Entities (whether from the information, communication and digital sector or any of the ten other listed sectors) that adopt cloud and edge computing shall also ensure that their use of cloud and edge computing is in a manner compatible with the requirements of the CSA, including any code of practice issued thereunder. 

Sectoral Requirements

The provision and use of cloud and edge computing shall also have regard to sector-specific laws. For example, the use of technology including the use of cloud and edge computing by financial institutions is subject to stricter requirements imposed by BNM mainly through various policy documents, including the following.

Policy Document on Risk Management in Technology

The Policy Document on Risk Management in Technology, issued 1 June 2023 (RMiT PD), requires risk assessment to be conducted prior to cloud adoption (including risks associated with migration of existing systems, location of cloud infrastructure, exposure to cyber-attacks, termination of cloud service providers), consultations with BNM prior to public cloud adoption for critical systems (including demonstrating readiness to adopt public cloud for critical systems, and measures mitigate identified risks based on Appendix 10 of the RMiT PD), notifying BNM on the subsequent adoption of public cloud for critical systems (including providing assurance on enhanced incident response due to adverse events), and inclusion of a roadmap for cloud adoption (for both critical and non-critical systems) in the annual outsourcing plan submitted to BNM.

The RMiT PD also prescribes requirements on the management of third-party service providers, defined to include cloud computing software, platform and infrastructure service providers, and would presumably also include providers of edge computing solutions. Among others, service level agreements must be in place when engaging such providers, and must contain the mandatory terms required by the RMiT PD, some of which are specific to the use of cloud services.

Note that revision to the RMiT PD may be underway, in light of the Exposure Draft on Risk Management in Technology released by BNM on 7 November 2024, opened for public feedback until 31 January 2025.

Policy Document on Outsourcing

The Policy Document on Outsourcing, issued 23 October 2019 (the “Outsourcing PD”), requires outsourcing arrangements which qualify as material outsourcing (which would include outsourcing relating to cloud and edge computing that is material) to be approved by BNM in writing before the financial institution enters into such arrangements or makes significant modification to such existing arrangements, and all planned outsourcing arrangements (whether material or otherwise) to be notified to BNM through the submissions of the yearly outsourcing plan. 

Specifically for material outsourcing for the use of cloud service providers, in an application for the aforementioned BNM’s approval, details of the cloud service, deployment model, nature of data to be held and locations (eg, city and country) where such data is stored, including back-up locations, must be provided. Some of such information is also required to be included in a register of all of the financial institution’s outsourcing arrangements.

Due to the oft-cross-border nature of cloud service delivery, the requirements on outsourcing outside Malaysia(ie, where the service provider is located or performs the outsourced activity outside Malaysia), including those relating to the due diligence process and the financial institution’s business continuity plan, shall also be carefully considered.

Effective measures to address risks associated with data accessibility, confidentiality, integrity, sovereignty, recoverability and regulatory compliance should be taken, particularly due to the geographically dispersed cloud computing infrastructure.

The Outsourcing PD requires outsourcing arrangements to be governed by written agreements containing the mandatory terms stipulated therein, some of which are specifically related to cloud services, for example to address the right of the financial institution to conduct audits and inspections on the cloud service provider, including reliance on third party certifications and reports made available by cloud service providers, and the testing of a cloud service provider’s business continuity plan.

Policy Document on Business Continuity Management

The Policy Document on Business Continuity Management, issued 19 December 2022 (BCM PD), aims to, among others, facilitate the development and implementation of a robust business continuity management framework by financial institutions and strengthen the capacity and preparedness of financial institutions to respond and recover from operational disruptions.

To this end, the BCM PD prescribes policy requirements on matters such as business impact analysis, recovery strategy, crisis management plan, business continuity plan and disaster recovery plan, crisis communication, interdependencies, alternate site and recovery site, and testing. Such requirements are not limited in their application to cloud and edge computing adopted by financial institutions.

However, the interplay between such requirements and the operational and technical aspects of cloud and edge computing must be considered. In the context of cloud services, for example, if a cloud solution is chosen in connection with the requirement to have an alternate and recovery site in the event any infrastructure or systems supporting critical business functions of the financial institution becomes unavailable, the financial institution must consider various issues identified in the BCM PD, including the distance of the cloud infrastructure from the primary site, the use of separate of alternative telecommunications network and power grid from the primary site, and the use of IT systems compatible with the primary site.

Similar to the RMiT PD and Outsourcing PD, the BCM PD requires mandatory contractual terms to be included in outsourcing and contractual arrangements with key service providers, which would include providers of cloud and edge computing if their services support the financial institution’s critical business functions.

Policy Document on Management of Customer Information and Permitted Disclosures

The Policy Document on Management of Customer Information and Permitted Disclosures, issued 3 April 2023 (MCI PD), sets out BNM’s requirements and expectations regarding financial service providers’ measures and controls in handling customer information. Like the BCM PD, the MCI PD does not contain provisions specific to cloud and edge computing, but the provisions therein are nevertheless crucial given their common use for managing, storing and transmitting customer information.

Other BNM policy documents of general application shall also similarly be considered.

Regulated subjects in other sectors may also be subject to sectoral requirements similar to those imposed by BNM on financial institutions. For instance, for the communications and multimedia sector, the Technical Code for Information and Network Security - Cloud Service Providers Selection (First Revision), which was developed pursuant to Section 185 of the CMA, specifies requirements for organisations to select cloud service providers using a risk-based approach that is structured to be generic but tailored for the communications and multimedia industry.

There is no dedicated legislation on AI in Malaysia as that of the EU’s Artificial Intelligence Act. The development and use of AI is nevertheless subject to compliance with existing laws, including those on consumer protection, data protection and protection of intellectual property rights.

Intellectual Property

As is often the case with AI, computer programs are involved in the creation of products or processes, which has given rise to issues concerning their creation and ownership as regards intellectual property laws, including patent and copyright.

While courts in the past have held that an author under Section 3 of the Copyright Act 1987 may also include a body corporate (eg, the company that developed the AI), the other provisions of the Copyright Act 1987 may not seem to align with this interpretation, for example, the duration of copyright in relation to literary, artistic and musical works extends for a period of 50 years after the death of the author. This inherently suggests that an author in relation to these types of works would need to be a natural person capable of expending a certain level of skill, judgement or effort. Further, the human element here arguably is confined to the input of ideas or concepts (eg, input, descriptions or instructions by the user, which are not protectible by copyright) and not the ultimate expression of the work generated by the AI. For these reasons, it is likely that AI would not qualify as an author of its generated works, nor would the human users whose input may simply be confined to ideas or concepts. By extension therefore, it is arguable that copyright may not subsist in these AI-generated works.

As regards patents, the treatment of AI contributions in the invention process gives rise to conceptual difficulties, particularly due to the Patents Act 1983’s definition of an “inventor” which suggests that inventors must be natural persons. This is supported by Section 18, which assigns the right to apply for a patent to the inventor. Moreover, the Patents Regulations 1986 require patent applications to include either the personal identification of inventors or signed written declarations when anonymity is sought. Therefore, it is unlikely in Malaysia for AI inventions to be patentable.

Apart from authorship and inventorship, it is also crucial to ensure that AI-generated works do not infringe the intellectual property rights of third parties, as the use of infringing materials may nevertheless entail liabilities under the relevant intellectual property laws, regardless of the fact that such materials were generated by AI.

Liability

To date, there is no specific legislation to address the liability for personal injury or commercial harm resulting from AI-enabled technologies.

Consumer Protection

From a consumer protection perspective, AI-related products and services may be regarded as consumer products and services that are subject to the consumer protection laws discussed in 1. Digital Economy.

Data Protection

AI technologies can potentially process a vast amount of personal data, which requires the design and use of AI to comply with the relevant laws on personal data protection discussed in 1. Digital Economy and 2. Cloud and Edge Computing. As personal data shall generally not be processed without the consent of the relevant data subjects, this poses a challenge to the use of AI, where certain datasets and information are automatically scrapped from the internet, potentially without the consent and knowledge of the data subjects involved. The PDPA is also silent on how consent may be obtained and how privacy notice may be given to the relevant data subjects under such circumstances where the data user may not have means to directly communicate with the data subjects involved. 

AI-Related Initiatives

The National Guidelines on AI Governance & Ethics (the “AI Guidelines”) were launched by the Ministry of Science, Technology and Innovation on 20 September 2024. The AI Guidelines are part of Malaysia’s response to the global calls on the ethics of AI, including UNESCO’s Recommendation on the Ethics of AI and ASEAN’s AI Governance and Ethics Guidelines. Given the dynamic nature of AI, the AI Guidelines may be amended from time to time to reflect technological progress and the changing ethical norms.

The objectives of the AI Guidelines are as follows:

• supporting the implementation of the Malaysian National AI Roadmap 2021-2025;
• facilitating the implementation of responsible AI according to the seven AI Principles;
• building trustworthiness in AI, which is emphasised by responsible AI;
• managing risks caused by the development and deployment of AI technology; and
• maximising the benefits of AI to enhance national productivity, economic growth and competitiveness.

On 12 December 2024, Malaysia launched the National Artificial Intelligence Office, aimed at shaping policies intended to centralise AI policymaking and address regulatory issues. This move positions Malaysia as a key player in AI governance, with the office expected to serve as a focal agency.

There is no dedicated legislation governing Internet of Things (IoT) in Malaysia. That said, the CMA’s framework on the governance of communications would apply to the design of IoT and the use thereof.

In particular, the design of IoT and IoT devices must be in accordance with the technical standards imposed by the CMA, to the extent the IoT devices are communications equipment. Under the Communications and Multimedia (Technical Standards) Regulations 2000 (the “Technical Standards Regulations”), it is an offence to intentionally design, install, operate, maintain or modify any communications equipment in a manner which, among others, is contrary to the applicable standards or likely to cause non-interoperability between any communications equipment.

In this regard, several technical codes (which are voluntary industry codes) concerning IoT have been registered under the CMA, including without limitation the Technical Code on Internet of Things (IoT) ‒ Baseline Security Requirements for Consumer Devices, and the Technical Code on Industrial Internet of Things (IIoT) Connectivity And Communication Framework.

Other generally applicable laws on privacy, secrecy and data protection, shall also be considered based on the capabilities and operations of the IoT solution and devices used.

IoT devices are highly susceptible to cyber-attacks due to their widespread deployment, limited security features and constant connectivity. In this regard, compliance and governance within an organisation shall focus on the security requirements pursuant to the PDPA, and if used by an NCII Entity, the requirements under the CSA. An organisation’s internal governance shall address the use of IoT and the safeguards to be adopted.

It is also crucial that the use by an organisation of IoT devices which qualify as communications equipment have been properly certified and bear the relevant certification mark or label as the Technical Standards Regulations makes it an offence for a person to, among others, use or sell any communications equipment which is contrary to the standards, not certified as required, or does not bear a certification mark or label. Such requirements shall be incorporated into an organisation’s internal policies.

In terms of data sharing for IoT, the relevant legal considerations are similar to those outlined in 1. Digital Economy and 2. Cloud and Edge Computing, although the assessment shall also focus on the pertinent aspects of IoT, eg, the reliance on decentralised edge data processing and what the legal requirements such as the PDPA may mean in such circumstances, including whether such processing is necessary and not excessive. 

Given the prevalent use of IoT in the medical and healthcare sector, such use shall also be assessed based on the applicable requirements relating to medical and healthcare data and records. For instance, the PDPA considers information as to the physical or mental health or condition of a data subject to be sensitive personal data, the processing of which generally requires the explicit consent (as opposed to mere consent) of the data subject. Therefore, the use of IoT in the medical and healthcare sector may, for instance, require the explicit consent of the patients for the processing of their medical and healthcare data for the purposes to be achieved by the use of medical IoT devices.

Whether the use of IoT within the medical and healthcare sector is compatible with the medical record keeping and retention requirements, such as those under the Private Healthcare Facilities and Services (Private Hospitals and Other Private Healthcare Facilities) Regulations 2006, shall also be considered.

Licensing

The provision of audiovisual media services is generally subject to the regulatory framework under the CMA. Generally, a network service provider licence or a CASP licence may be required, depending on the services involved:

• the provision of broadcasting distribution services requires a network service provider individual licence; and
• the provision of satellite broadcasting, subscription broadcasting, terrestrial free to air TV and terrestrial radio broadcasting requires a CASP individual licence.

Other audiovisual media services may also be subject to the CMA licensing requirements (eg, a content applications service of limited appeal or which is targeted to a special interest group and available through subscription by persons using equipment specifically designed for receiving the said service, which requires a CASP class licence), although the provision of internet content applications services, defined to mean a content applications service which is delivered by means of the internet, is exempted from such licensing requirements.

Therefore, the provision of audiovisual media services online, such as through video streaming platforms, will generally not be subject to the CMA requirement for licence. Note, however, that where such services allow the sharing of user-generated contents, it is nevertheless possible for the provision of such services to require a licence, if such services also fall within the scope of social media services, as discussed under 10. Social Media.

Content

The regulation of content from the perspective of the CMA and the Content Code has been addressed in 1. Digital Economy. Specifically for audiovisual media services, the sections within the Content Code on online contents and broadcasting will also be of relevance. For instance, where a service provider allows user-generated content to be shared, but has neither control over the composition of such content nor any knowledge of such content, the Content Code considers such service provider an innocent carrier who is not responsible for the content provided. Nonetheless, this has to also be considered in light of the Federal Court’s decision in Peguam Negara Malaysia v Mkini Dotcom Sdn Bhd & Anor [2021] 3 CLJ 603.

Specifically for broadcasting, the Content Code recognises that viewers need adequate information about content to make informed viewing choices based on their personal tastes and standards. The Content Code recommends that broadcasters provide an indication as to the type of content shown by adopting the classifications issued by the Film Censorship Board and any amendments thereto from time to time.

Other areas of law may also regulate contents provided through audiovisual media services. For example, film censorship is regulated by the Film Censorship Act 2002 and prohibits, among others, film or film-publicity material which is obscene or is otherwise against public decency. Audio recordings, or anything which by its form, shape or in any manner is capable of suggesting words or ideas (which presumably include videos), may also be gazetted as prohibited publication under the Printing Presses and Publications Act 1984. The production, distribution and exhibition of films are also subject to the Perbadanan Kemajuan Filem Nasional Malaysia Act 1981, which establishes the National Film Development Corporation Malaysia to spearhead the development of the Malaysian film industry. Separately, seditious contents are prohibited by the Sedition Act 1948.

The primary legislation governing the telecommunications industry in Malaysia is the CMA. Both the CMA and the Licensing Regulations establish the licensing framework for the sector and regulate areas such as spectrum allocation, consumer protection, content regulation, competition and investigatory powers.

Licensing

As discussed in 2. Cloud and Edge Computing, there are four categories of licensable activities under the CMA, namely the provision of network facilities, network services, applications services and content applications services.

• Network facilities refer to physical infrastructure used principally for, or in connection with, the provision of network services, excluding customer equipment. Examples of network facilities are fixed links and cables, radio communications transmitters and links, submarine cable landing centres, etc. These represent the fundamental building blocks of the convergence model upon which network, applications and content services are provided. Network services involve the transmission of communications by means of guided and/or unguided electromagnetic radiation, including bandwidth services, broadcasting distribution services, cellular mobile services and switching services. Network services provide the basic connectivity and bandwidth to support a variety of applications.
• Applications services are services provided by means of, but not solely by means of, one or more network services. They include public cellular services, IP telephony, messaging services, internet messaging services and social media services. Applications services are essentially the functions or capabilities which are delivered to end-users. These are retail services.
• Content applications services are applications services which provide content, such as satellite broadcasting, and services such as online publishing (currently exempt from licensing requirements).

Under the CMA, there are two types of licences.

• An individual licence requires a high degree of regulatory control for a specified person to conduct a specified activity and may include special licence conditions. The MCMC also has the power to modify, vary, revoke or impose further special or additional conditions at any time.
• A class licence is a “light-handed” form of regulation designed to promote industry growth and development with easy market access. Unlike an individual licence, a class licence requires merely registration with the MCMC, which is an administrative process.

A provider will have to assess whether its provision of facilities or services falls within any of the categories of licensable activities above, and thereafter determine, based on the Licensing Regulations, if an individual or class licence is required for the specific facilities or services it provides. It may also be the case that its provision of facilities or services is exempted from the licensing requirements by virtue of the Communications and Multimedia (Licensing) (Exemption) Order 2000 (the “Exemption Order”). Examples of exempted activities include the provision of Internet content applications services and web hosting services.

Certification of Communications Equipment

The Technical Standards Regulations provide for certain matters concerning communications equipment, such as the certification of communications equipment, and standards applicable to such equipment. Some aspects of the Technical Standards Regulations have been discussed in 4. Internet of Things.

“Communications equipment” means any network facilities, customer equipment or radiocommunications equipment, and would include equipment or device using wireless technologies such as laptop or tablet. Regulation 14 of the Technical Standards Regulations states that all communications equipment which is required to be certified under the Regulations shall so be certified. Therefore, to the extent the provision of telecommunications products and services would involve any communications equipment (including operational infrastructure such as network facilities and consumer devices, eg, smartwatches), such equipment shall properly be certified.

The registered certifying agency under Section 186 of the CMA for purposes of certifying communications equipment is SIRIM QAS International Sdn Bhd.

Security

The MCMC has also released the Guidelines on Information and Network Security for the Communications and Multimedia Industry (INSG, dated 29 October 2024), which provide best practice recommendations to enhance the information and network security and resiliency of the communications and multimedia industry in the country. The INSG serves as a best practices framework and is not mandatory at this point, based on a media statement issued by the MCMC on 8 December 2024.

To date, Malaysia does not have specific legislation enforcing net neutrality.

The rapid adoption of 5G, IoT and AI is reshaping Malaysia’s telecommunications sector, driving both technological advancements and regulatory considerations. As Malaysia expands its 5G ecosystem, the government has decided to transition from a Single Wholesale Network to a Dual Wholesale Network model. While this shift aims to enhance competition and network resilience, it has raised key concerns particularly regarding network slicing capabilities for private 5G, coverage differentiation, network automation and AI-driven efficiencies and ESG considerations.

These factors are influencing policy decisions, infrastructure development and regulatory approaches within the telecommunications sector. In response to emerging technologies and the rapidly evolving digital landscape, Malaysia has introduced significant legislative changes to address emerging challenges, including the CSA, PDP Amendment Act and OSB as discussed in 1.1 Key Challenges, as well as other legislative initiatives as discussed in the chapter on Trends and Developments.

One of the main legal challenges encountered by organisations entering into a technology agreement is data protection, given the complexities of data protection requirements. The contractual negotiations may be made more challenging if foreign data protection laws apply, which may mandate the inclusion of model or standard contractual clauses which are not required by the PDPA. The contracting parties should carefully navigate the interaction between the domestic and foreign data protection frameworks. Contention may revolve around contractual clauses on the cross-border transfer of data and the technical and organisational measures to be adopted.

Some other challenges in the contracting process may relate to contractual clauses on intellectual property, liability and risk allocation, eg, indemnification issues.

Contracting parties from certain regulated industries may also face additional layers of challenges when negotiating technology contracts. As discussed in 2. Cloud and Edge Computing, financial institutions are subject to more stringent requirements imposed by BNM through various policy documents, including the RMiT PD, Outsourcing PD, BCM PD, and MCI PD (collectively the “BNM Policies”). The BNM Policies typically require financial institutions to include certain mandatory clauses in their contracts with third parties, where the contract or arrangement involves the use of technology, engagement of external service providers and handling of customer information, etc.

Apart from the inclusion of mandatory contractual provisions required by the BNM Policies, financial institutions must also ensure that the other contractual clauses are not inconsistent with other requirements of the BNM Policies (eg, uptime or other service level requirements).

In the context of technology service agreements and telecommunications interconnection agreements, which are typically technical in nature, contracting parties should carefully consider the key definitions. The scope of the services or interconnection arrangement (as the case may be), shall also be clearly defined, including implementation plans, service levels, deliverables, and remedies for service or connection failures. Other essential terms cover fees, termination, responsibilities, security, data protection, intellectual property, exclusion of liability, indemnification and dispute resolution. Clear modification procedures and force majeure clauses ensure adaptability while safeguarding both parties’ interests.

While many such provisions may appear commonplace, it is crucial to assess the effect of each provision with reference to the contemplated technology service or interconnection arrangement at hand. For instance, although it is common for technology service agreements to exclude the service provider’s liability for loss of data, this may appear unreasonable to a customer in an agreement for the provision of data storage service, since the secure storage of data is essentially what the customer requires in this situation. The parties may therefore have to consider a compromise that is reasonable in the context of data storage, although this does not necessarily mean that there must be no exclusion of liability for loss of data. Such tailored approach should similarly be adopted when negotiating other key provisions.

Electronic signatures are addressed in the following statutes in Malaysia.

• The ECA provides for legal recognition of electronic messages in commercial transactions and the conditions for use of the electronic messages to fulfil the requirements and to enable and facilitate commercial transactions through the use of electronic means and other matters connected therewith. “Commercial transaction” is defined in the ECA to mean a single or multiple communication of a commercial nature, whether contractual or not, which includes any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
• The Digital Signature Act 1997 (DSA) provides for, and regulates the use of, digital signature as defined in the DSA and to provide for matters connected therewith.
• The Electronic Government Activities Act 2007 (ECGA) provides for legal recognition of electronic messages in dealings between the government of Malaysia and the public, the use of electronic messages to fulfil the requirements and to enable and facilitate commercial transactions through the use of electronic means and other matters connected therewith. The ECGA will apply to federal laws which are designated in accordance with Section 6 therein.

Malaysian law recognises different concepts of “electronic signature” and “digital signature” based on its respective definitions:

• “electronic signature” means any letter, character, number, sound or any other symbol or any combination thereof created in an electronic form adopted by a person as a signature;
• “digital signature” means a transformation of a message using an “asymmetric cryptosystem” (as defined in the DSA) such that a person having the initial message and the signer’s public key can accurately determine:
1. whether the transformation was created using the private key that corresponds to the signer's public key; and
2. whether the message has been altered since the transformation was made.

The ECA recognises the use of an electronic signature where the conditions prescribed therein are met. The ECA does not apply to the following transactions or documents:

• power of attorney;
• the creation of wills and codicils;
• the creation of trusts; and
• negotiable instruments.

Where an electronic signature is a digital signature as defined in the DSA, the provisions of the DSA must be complied with for that digital signature to be effective. The Digital Signature Regulations 1998 sets out a mandatory licensing scheme for certification authority (being the issuers of digital certificates), recognised repositories and recognised date/time stamp authority in respect of digital signatures. Certification authorities licensed under the DSA issue certificates which are computer-based records which:

• identify the certification authority issuing it;
• name or identify its subscriber;
• contain the subscriber’s public key; and
• are digitally signed by the certification authority.

There are several pieces of legislation that regulate gaming in Malaysia, the purpose of which being more to regulate gambling activities in Malaysia. While some forms of gambling are permitted (eg, licensed lottery under the Lotteries Act 1952), gambling activities (including those taking place online) are generally prohibited.

Common Gaming Houses Act

The Common Gaming Houses Act 1953 (CGHA) sets out offences relating to, among others, common gaming houses, gaming machines and public lottery. Under Section 2(1) of the CGHA, gaming is defined as the “playing of any game of chance or of mixed chance and skill for money or money’s worth and includes the playing of any game specified in Column 1 of the First and Second Schedules and the playing or operation of any gaming machine”. A “gaming machine” is defined to mean “any mechanical, electrical or electronic machine or device (including any computer program used in such machine or device), whether wholly or partly mechanically, electrically or electronically operated, that is so designed or that has been so adapted that:

• it may be used for the purpose of playing a game of chance or a game of mixed chance and skill; and
• as a result of the playing or operation of the machine or device, winnings in money or money’s worth may become payable”.

Section 4B of the CGHA prohibits the dealing in gaming machines, including among others the importation, manufacture, assembly, supply, sale, lease and repair of gaming machines or part thereof. Dealing in gaming machines in contravention of Section 4B is an offence punishable by fine and imprisonment.

One of the key challenges with the CGHA is that it does not have any specific provisions on online gambling. This was because the CGHA was enacted before the rise of digital technology and amendments relating to online gambling have yet to be made.

CMA

As for gaming in general (whether involving gambling or otherwise), the discussions on content regulations in 1. Digital Economy and 5. Audiovisual Media Services would similarly apply.

The CMA considers “content” to mean any sound, text, still picture, moving picture or other audio-visual representation, tactile representation or any combination of the preceding which is capable of being created, manipulated, stored, retrieved or communicated electronically. As such, contents within the gaming industry would potentially fall within the purview of the CMA.

Section 233 of the CMA prohibits the use of any network facilities, network service or applications service to knowingly make, create or solicit, and initiate the transmission of, any comment, request, suggestion or other communication which is obscene, indecent, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass another person. Section 211 of the CMA also provides that no CASP, or other person using a content applications service, shall provide content which is indecent, obscene, false, menacing, or offensive in character with intent to annoy, abuse, threaten or harass any person.

Further, the Content Code which has been discussed above is expressly applicable to all CASPs, which may potentially include providers of gaming contents depending on context. Under the Content Code, the material disseminated must not include anything which offends good taste or decency, is offensive to public feeling, is likely to encourage crime or lead to disorder, or is abusive or threatening in nature. The standards by which content is measured, given the requirements, will be viewed in the context of the country’s social, religious, political and educational attitudes and observances as well as the need to accommodate global diversity in a borderless world. Part 2 of the Content Code elaborates on the various types of content which is either prohibited or restricted, such as indecent, obscene, violent, menacing, offensive and false content.

Such prohibitions and restrictions must be carefully considered in the development of online games. For example, in relation to indecent content, the Content Code provides that the depiction of nudity is not allowed other than exceptions for non-sexual content nudity based on art, information and/or sciences, and even then such depictions shall not be excessive or explicit in nature (ie, not too prolonged, close up or gratuitous). Whereas, in relation to violence, the Content Code provides that it shall be portrayed responsibly and not exploitatively.

While Malaysia has no content rating or classification system specifically for digital games, reference could be made to the discussions on content classification in 5. Audiovisual Media Services, albeit in the context of broadcasting.

There is no regulatory body tasked specifically to oversee the gaming industry in Malaysia.

Communications and multimedia activities are under the purview of the MCMC. The Content Code is enforced by the Content Forum.

The enforcement of the CGHA is under the jurisdiction of the Royal Malaysia Police. Criminal prosecutions against online gambling have been instituted under the CGHA, although it does not have any specific provisions on online gambling.

The Federal Court in Lei Meng v Inspektor Wayandiana Abdullah & Ors And Other Appeals [2022] 3 CLJ 177; [2022] MLJU 141 held that whilst the term “online gambling” was not specifically defined in the legal dictionaries, it “envisages a gambling service accessed remotely, ie, online, through the internet where the participants gamble by depositing funds and playing games of chance, like sports betting, online poker, etc.” In the case of PP v Multi Electrical Supply & Services & Ors [2022] 5 CLJ 113, the High Court observed that it was quite obvious that, despite the government’s ongoing war against illegal gambling, both the CGHA and the Betting Act 1953 have not caught up with the times and they have not been updated to include express provisions for making online gambling illegal. Notwithstanding the position taken in these cases, the Court of Appeal ruled in October 2023 that online gambling was an offence under the CGHA.

Some of the key IP challenges faced by game developers in Malaysia will be that relating to copyright infringement stemming from unauthorised copying and distribution of games. User-generated content (UGC) also poses a challenge with regards to issues of ownership in IP rights. Other challenges will be those relating to the sale of unauthorised digital goods, which broadly include selling game accounts, in-game assets or currency, or offering account “boosting” services to users.

UGC platforms should have a clear notice and take-down policy implemented to ensure that potentially infringing UGC can be reported by platform users and that rights holders can request the withdrawal of specific content with ease. Further, UGC platform operators should have a filtering system to remove offensive or defamatory content because there is a presumption that the platform or portal provider must assume responsibility for taking the risk of facilitating a platform.

A person whose name, photograph or pseudonym appears on any publication depicting themself as the owner, host, administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the content of the publication unless the contrary is proved, pursuant to Section 114A of the Evidence Act 1950. Creators can rely on copyright to protect the artistic elements of games, such as drawings of the characters. Trade marks on the other hand can be relied on to protect distinctive logos, game titles and branding elements.

Lastly, patents protection may be relied on to safeguard technological innovations, including game mechanics, software algorithms and virtual reality features.

There is currently no specific Malaysian legislative framework governing social media.

CMA

As noted from 6. Telecommunications, the provision of social media services is a licensable activity under the CMA, because it is considered as the provision of applications services which requires the provider to be registered as an ASP class licensee. The same applies to the provision of internet messaging services, which are often provided alongside social media services. “Social media service” is defined by the Licensing Regulations to mean an applications service which utilises internet access service that enables two or more users to create, upload, share, disseminate or modify content; whereas, “internet messaging service” refers to an applications service which utilises internet access service that enables a user to communicate any form of messages with another user.

The requirement for providers of social media and internet messaging services to be licensed under the CMA came into effect on 1 January 2025. Notwithstanding the foregoing, pursuant to the Exemption Order, a provider who has less than eight million users in Malaysia is exempted from that requirement.

Following a public consultation and the eventual release of the Public Consultation Report on the draft Code of Conduct (Best Practice) for Internet Messaging Service Providers and Social Media Service Providers on 18 December 2024, the MCMC has on 20 December 2024 published the Code of Conduct (Best Practice) for Internet Messaging Service Providers and Social Media Service Providers, which sets out the best practice for adoption by internet messaging service providers and social media service providers licensed under the CMA in addressing harmful content online, as well as other relevant conduct requirements. The Code of Conduct aims to ensure that service providers uphold online safety and security, particularly for children and vulnerable groups. This introduction precedes the coming into force of the OSB discussed below.

OSB

The OSB was recently passed to govern, among others, any applications service which utilises internet access service that enables communications between users. As noted above, social media services are a type of applications service, and hence within the purview of the OSB.

The proposed legislation assigns duties to ASPs licensed under the CMA (which include social media service providers), some of which are as follows:

• duty to implement measures to mitigate risk of exposure to harmful content;
• duty to enable the user to manage online safety;
• duty to protect online safety of child user;
• duty to establish a mechanism for making priority harmful content inaccessible; and
• duty to prepare an online safety plan.

The MCMC is entrusted with administering the OSB, pursuant to which the MCMC’s powers include:

• issuing directions in writing to any licensed ASPs, CASPs and network service providers regarding their compliance with the provisions of the OSB;
• directing a person to give any information, particulars or document that is relevant to the MCMC if the MCMC has reasonable grounds to believe that such information, particulars or document is relevant to the performance of the MCMC’s functions;
• taking and retaining for as long as is necessary, possession of a document produced or given under the OSB; and
• issuing notices of non-compliance and/or a financial penalty to licensed ASPs, CASPs and network service providers where the MCMC has reasonable grounds to believe that the licensed providers have failed to comply with any of their duties.