Online Safety Bill 2024: Enhancing online safety in Malaysia

6 January 2025

On 16 December 2024, the Dewan Negara passed the Online Safety Bill 2024 (“Bill”). The Bill is part of Malaysia’s ongoing regulation of cyberspace, with the overall aim of improving online safety with regard to the rapid advancement of technology and the ease with which information is disseminated.

When the Bill comes into force at a later date, the then Online Safety Act (“Act”) will complement the regulatory framework for social media and internet messaging service providers set out by the Communications and Multimedia Act 1998 (“CMA”).

This Alert sets out the key takeaways of the Bill.

Scope

The Bill applies to the following:

• Applications services which utilise the internet to enable communications between users (e.g. social media services and internet messaging services);
• Content applications services which utilise internet access services to provide content (e.g. internet web casting and streaming videos); and
• Network services.

It does not apply to private messaging in applications services and content applications services. “Private messaging” is defined in the Bill as a feature that allows users to share content with a specific and limited number of recipients as determined by the user. The function may also contain any other characteristics as may be prescribed by the Minister of Communications (“Minister”).

The Bill has extraterritorial application where a user outside Malaysia provides any applications services, content application services, or network services in Malaysia and is a licensee under the CMA.

Duties of ASPs and CASPs

Licensed applications service providers (“ASPs”) and licensed content applications service providers (“CASPs”) (collectively, “Providers”) must comply with certain duties to mitigate the risk of exposure to harmful content including:

• implementing measures specified in the code of practice (“Code”) to be issued under the Online Safety Act or alternative measures approved for use by the Malaysian Communications & Multimedia Commission (“MCMC”);
• issuing user guidelines, which must (a) include a description of the measures implemented by the Providers and terms of use for their services, and (b) be easily accessible, understood, and regularly updated. Compliance with this requirement will likely involve publishing the guidelines on the relevant websites and/or applications;
• making available sufficient tools and settings to enable users to manage online safety, including tools to prevent or limit other users from identifying, locating, or communicating with them on the service platform;
• making available a mechanism for users to report harmful content to the Providers;
• making available a mechanism for user assistance which is easily accessible and responsive, allowing users to raise concerns relating to online safety, obtain other information on online safety mechanisms, and make inquiries;
• implementing measures as specified in the Code, or alternative measures approved for use by the MCMC to ensure safe use of their services by child users including methods to ensure the safe design and operation of the services likely to be accessed by child users;
• establishing a mechanism to make priority harmful content inaccessible to all users; and
• preparing an online safety plan setting out the measures put in place in compliance with the Act (“Online Safety Plan”) within the period and in the form to be prescribed by the Minister with a copy submitted to the MCMC. It must also be made available on the relevant services, be easily accessible, and regularly updated.

 “Harmful content” and “priority harmful content”

The Bill distinguishes between “harmful content” and “priority harmful content”, with the latter subject to a higher standard of care.

“Harmful content” refers to the content specified in the First Schedule of the Bill which currently includes:

• child sexual abuse material (“CSAM”);
• content on financial fraud;
• obscene content;
• indecent content;
• content that may cause harassment, distress, fear or alarm by way of threatening, abusive or insulting words or communication or act;
• content that may incite violence or terrorism;
• content that may induce a child to cause harm to himself;
• content that may promote feelings of ill-will or hostility amongst the public or may disturb public tranquillity; and
• content that promotes the use or sale of dangerous drugs.

What may be considered “harmful content” may be open to interpretation as the current list is broadly worded.

“Priority harmful content” refers to the content specified in the Second Schedule of the Bill which currently only includes CSAM and content on financial fraud.

The Minister has the power, on the recommendation of the MCMC, to amend the Schedules noted above.

Reporting of harmful content

The Bill outlines the step-by-step procedure for reporting harmful content:

• Report to ASP or CASP and/or the MCMC: When a user encounters any content made available online which he believes to be harmful content, the user may either make a report to the relevant Provider and/or the MCMC.
• If the user makes a report to the ASP or CASP: The ASP or CASP must, among other things, acknowledge receipt of the report and perform an assessment. Further to the assessment:
  • if the report is dismissed, the ASP or CASP must notify the relevant user of such dismissal, and the user may request to inquire into the dismissal;
  • if the report is not dismissed and the ASP or CASP is of the opinion that the content involves priority harmful content, it must immediately make the content inaccessible on its service for a period to be prescribed by the Minister. Before the prescribed period expires, the ASP or CASP must determine on reasonable grounds if the content made inaccessible is indeed priority harmful content:
    
    • if yes, the ASP or CASP must make the content permanently inaccessible;
    • if no, access to the content may be restored.
      
      
• If the user makes a report to the MCMC: The MCMC must, among other things, acknowledge receipt of the report and perform an assessment. Further to the assessment:
  
  • if the report is dismissed, the MCMC must notify the user and the user may request to inquire into the dismissal;
  • if the report is not dismissed and the MCMC determines, on reasonable grounds, that the content is harmful content, the MCMC must issue a written instruction to the relevant ASP, CASP or to the network services provider (“NSPs”) (in cases where the content is available online other than on the service of an ASP or CASP) to make the content permanently inaccessible.

Powers of MCMC

The MCMC will be empowered under the Online Safety Act to, among other things:

• issue written directions to ASPs, CASPs and NSPs to comply with the provisions of the Online Safety Act;
• direct any person to produce or give any evidence and information relevant to the performance of the MCMC’s functions and powers;
• issue a notice of non-compliance to an ASP or CASP if it has reasonable grounds to believe that the ASP or CASP has failed to comply with any of its duties;
• impose a financial penalty on an ASP or CASP for non-compliance with any of its duties; and
• issue any guidelines and the Code for purposes set out under the Online Safety Act.

Establishment of bodies

Online Safety Committee

An Online Safety Committee will be established to advise and provide recommendations to the MCMC on matters related to online safety, such as determining the types of harmful content and priority harmful content.

Online Safety Appeal Tribunal

An Online Safety Appeal Tribunal (“Tribunal”) will be established to review any written instruction, determination, direction, or decision made or issued by the MCMC under the Online Safety Act, including appeals against the same. The decision of the Tribunal will be final and binding and may be enforced in the same manner as a judgment or an order of the High Court.

Next steps for the Providers

As immediate next steps and in compliance with the Online Safety Act, the Providers should consider:

• conducting internal audits and due diligence on existing processes and tools to assess whether necessary measures and mechanisms are in place (e.g. terms of use, tools to enable users to manage online safety, and reporting mechanisms);
• implementing measures and mechanisms that are not yet in place;
• establishing a system for monitoring and responding to harmful content reports;
• training relevant personnel on compliance protocols, including understanding their obligations under the Online Safety Act and how to implement them effectively;
• reviewing and complying with the Code once issued by the MCMC; and
• preparing an Online Safety Plan.

Cyberspace regulation framework

The Bill is the latest addition to Malaysia’s framework for cyberspace regulation which include:

• the enactment of the Cyber Security Act 2024, which came into force on 26 August 2024, and implements an overarching legal framework for cyber security;
• the introduction of a new licensing requirement for social media and internet messaging service providers under the CMA;
• two tranches of amendments to the Penal Code, with the first tranche in effect from 30 October 2024 and the second passed by the Dewan Negara but not yet in force, to address the rising incidents of online financial fraud and cyberbullying respectively; and
• amendments to the CMA which were recently passed by the Dewan Negara but are not yet in force to deter the misuse of online platforms and enhance protections for online users especially children.

Conclusion

The introduction of online safety laws in Malaysia may be viewed as overregulation of industry players in cyberspace. However, it remains crucial to establish regulations to protect users from online harm, especially vulnerable groups such as children. Some jurisdictions, such as Australia, have implemented more stringent measures, including social media platforms being required to prevent users under the age of 16 from accessing their services.

Further information

This article has been prepared with the assistance of Senior Associate Ng Hong Syuen and Associate Yung Jia Heng.