By Farlina Said, Fellow in the Cyber and Technology Policy Programme, Institute of Strategic and International Studies (ISIS) Malaysia; and Ariane Yasmin, independent analyst.
The year 2024 is rife with activity for Malaysia’s digital governance. There are updates on Malaysia’s regulation and policymaking environment, which are primarily focused on online safety, cybersecurity, data protection and talent development. The timespan between the end of 2023 and mid 2024 also saw Malaysia’s governance institutions shift. In November 2023, for instance, it was announced that the Ministry of Communications and Digital would be separated into two ministries – the Ministry of Digital and the Ministry of Communications. This would further rearrange other agencies such as the Malaysian Administrative Modernisation and Management Planning Unit, Cybersecurity Malaysia, Personal Data Protection Department (PDPD) and the Malaysia Digital Economic Corporation. The year also saw two crucial bills passed – the Cybersecurity Act and the Personal Data Protection Act amendment – both meant to increase the nation’s cybersecurity and data protection efforts.
The Evolving Regulatory Landscape
Like many nations grappling with the governance of digitisation, Malaysia has historically struggled at the institutional level to navigate the cross-cutting digital sector. Malaysia hard-launched security legislation with the Computer Crimes Act as well as the Communications and Multimedia Act 1998 (CMA 1998) at the cusp of the millennium. These technology-agnostic laws focus on the misuse of networks, whether framed as crimes or as obligations for the telecommunications sector. The CMA also conferred enforcement powers on the Ministry of Communications and the Malaysian Communications and Multimedia Commission (MCMC). Later came the National Cyber Security Policy in 2008, oriented towards protecting critical national information infrastructure (CNII) via executive orders issued by the National Security Council (NSC). This policy structures cybersecurity standards for CNII operators and reporting mechanisms in times of national crisis. The Personal Data Protection Act 2010 was another digital law, one that spawned the formation of the Personal Data Protection Department (PDPD).
Despite a number of laws – 31 stated in the National Cyber Security Strategy in 2020 – bodies responsible for their enforcement are few. In a light-touch regulatory environment, enforcement powers for Malaysian laws on digital and cyber were in the hands of the Royal Malaysian Police (RMP), MCMC or the PDPD. The RMP has the jurisdiction to enforce all laws in Malaysia with a propensity for investigating cybercrime. Meanwhile, MCMC and PDPD enforce their respective laws while producing guidelines and voluntary standards.
Developments in the year 2024 saw NACSA empowered with the mandate to compound or penalise cybersecurity infringements for National Critical Information Infrastructure (NCII) operators. This would be operationalised through obligations on Malaysia’s 11 NCII sectors. Additionally, NACSA, housed in the National Security Council, would serve as the secretariat for the multi-government agency National Cybersecurity Committee. The Committee will be chaired by the Prime Minister with memberships from six ministers and two persons experienced in cybersecurity appointed by the committee.
Further, 2024 saw the separation of the Ministries of Communications and Digital, which perhaps cleaved responsibilities in ways that could be efficient. Prior to the separation in November 2023, the Ministry was tasked with building infrastructure and stimulating the digital ecosystem while regulating content. This meant that the Ministry had jurisdiction over issues such as data protection, misinformation, cyber crime and extremism. The separation into two entities could allow clearer mandates for regulations related to communications and those specific to digital governance. Thus, the Ministry of Communications, housing the Malaysian National News Agency, National Film Development Corporation Malaysia and MCMC in addition to MyCreative Ventures, could focus on the content and information-related environment. Meanwhile, the Ministry of Digital may have the task of building Malaysia’s digital ecosystem while addressing data or cybersecurity-related concerns. As the year unfolded, there was greater clarity on the tasks and responsibilities of the two ministries, especially where the Ministry of Communications has focused on social media governance while the Ministry of Digital addresses the digital ecosystem. PDPD, for instance, has shifted to the Ministry of Digital, where Digital Minister Gobind Singh Deo has mooted the idea of a Personal Data Protection Commission. However, some issues will overlap between the two bodies. For example, AI falls mainly under the Ministry of Digital, as it involves data, industry, talent, and growth policies. At the same time, addressing the risks and harms of AI requires ethical frameworks and the involvement of R&D players, like the Ministry of Science, Technology, and Innovation. Additionally, the potential misuse of computer networks related to AI, covered under the CMA 1998, falls within MCMC’s jurisdiction.
At its current pace, the government as a whole is moving tacitly to navigate existing authority, while cultivating a safe digital ecosystem.
Laws in Motion
Evidence gathering and compliance by the tech sector are among the challenges for Malaysia’s digital governance. To address this, Malaysia proposes several hard laws and regulation mechanisms.
The Cybersecurity Bill was passed in the Dewan Rakyat and the Dewan Negara on 27 March and 3 April respectively. With the aim of enhancing Malaysia’s cybersecurity, the Bill states the cybersecurity standards expected of the NCII operators and includes provisions for licensing cybersecurity service providers to help regulate incidents involving these providers in Malaysia. It also certifies NACSA as the National Cyber Security Lead agency and endows the agency with legislative power to perform its functions. The Bill outlines the powers of NACSA’s Chief Executive, which include delivering executive orders on specific cybersecurity guidelines as well as addressing contestations for the appointment of CNII. The Bill and role highlight a wider scope of compliance, especially among newer sectors or new sector leads.
On the issue of data protection and security management, the crux of the problem lies in whether the Personal Data Protection Act (PDPA) 2010 is sufficient to address the challenges and risks posed by biometric data, and if it can safeguard users in the event of data breaches, violations, or disputes. The proposed amendments to the PDPA approved by the Cabinet in July 2024 include mandatory personal data breach notifications, additional compliance responsibilities for data processors, the appointment of Data Protection Officers, data subjects’ right to data portability and the removal of the white-list regime for cross-border data transfers. The amendments address biometric data as data regulated under the amended PDPA, though ownership of inferences derived from data and data portability of these inferences are not mentioned. Additionally, fines for breaches of the PDPA are increased to reflect current burdens.
The Online Safety Bill, which covers legislation relating to children, sexual-related offences, and online scams and slanders, is projected to be tabled at the end of 2024. It will work in tandem with a licensing framework that requires social media and internet messaging providers to adhere to Malaysian law. This would, for instance, result in compelling social media platforms to restrict social media use for those below 13 years old, or to provide standard operating procedures to obtain information and conduct investigations on online security issues. Precise details of the Bill are still hidden. However, details of a social media platform licensing regime were published on 1 August by the Malaysian Communications and Multimedia Commission.
Malaysia’s content and media environment are also getting updates. An AI Portal is being developed to help expose scams and defamatory news, functioning as added support to existing platforms like SEBENARNYA.MY and MyCheck.My. Other developments related to online content include the Malaysian Media Council Bill, the Malaysian Code of Ethics for Journalists and the Online Harms and Information Security Committee – all of which will be utilised to tackle the challenges of digital media such as fake news and online anonymity, as well as the legal responsibilities of social media platforms and digital service providers in relation to such challenges.
Meanwhile, artificial intelligence is being boosted through talent development and conversations on governance frameworks. First, AI for Rakyat was launched in January 2024 to help bridge the digital gap in Malaysia. Two self-learning online modules – AI Aware and AI Appreciate – provide a brief overview of AI technology to help propel the country towards becoming a digitally-driven economy by 2030, one that is prepared for both the opportunities and challenges that come with a digital future. Second, the Artificial Intelligence Governance and Ethics (AIGE) is now in the stages of mainstreaming, and was launched by the Ministry of Science, Technology and Innovation and the Ministry of Digital in September. It provides a framework on the Do’s and Don’ts of AI development, deployment and utilisation for users, policymakers and AI developers.
Moreover, as Malaysia’s gig workers constitute a growing portion of the labour market, protecting and developing rights have become a government and political concern. The Gig Workers Act – expected to be tabled in late 2024 – is set to define gig workers, introduce a grievance mechanism, and increase the monitoring of industry law. Additionally, the Gig Workers Commission offers a more secure and supportive environment for gig workers via guidelines for gig economy platforms and employers on issues like social protection, managing contract disputes, and career development. The Commission and its operational framework are currently in the implementation phase.
Moving Forward
For observers of the region, these shifts could indicate commitment to address cybersecurity and cyber safety challenges. The organisational restructuring may be necessary to match current contexts, especially where technology has developed but enforcement has been slowed by uncertain roles and responsibilities of government agencies. These delays are captured in ITU’s Global Cybersecurity Index, where the 2024 iteration has Malaysia placed in a role-modelling Tier 1 yet scored lower than Thailand and Singapore on organisation measures. Furthermore, elevating cybersecurity standards among CNII players could strengthen trust in the resilience and availability of Malaysia’s critical services. This could impact sectors tied to ASEAN’s future ambitions such as food security or a shared energy grid. However, compliance may impose costs for small and medium enterprises which would impact their services in these sectors.
Ambiguity in enforcement could also create market uncertainty especially if guidelines detailing obligations, responsibilities and definitions shift. An example is the governance of platforms taking shape with the Online Safety Bill and social media licensing framework which have yet to define scope and parameters. Enforcement can take varying practices, especially given Malaysia’s DNS web traffic incident which allegedly began with quiet instruction in February but was made mandatory in September before public backlash halted its deployment. The reason behind such edicts is to ensure safer cyber spaces while curbing access to harmful sites. Yet, shifting sands of enforcement without sufficient stakeholder consultation may present precarious business environments for local and regional players.
With the Digital Economy Framework Agreement on the horizon for ASEAN, there is much pressure to enhance enforcement capacity and operationalise the agreement’s promise. Malaysia’s open digital economy approach may be affected by regulatory details creating trade barriers. Malaysia’s approach to personal data protection, for instance, is still debating residency requirements for data protection officers, obligations for data processors as well as technical guidelines to ensure data portability. This could slow down regional trade, especially if these requirements are not in line with other practices in the region.
Meanwhile, questions still remain on whether the legislation and its corresponding processes are equipped to address artificial intelligence, quantum or cross-border cybersecurity collaboration. Despite passing the laws, meeting challenges from new technologies may require developing targeted policies for governance and added responsibilities to current ministries and agencies, or the formation of newer departments. These discussions have yet to result in concrete outcomes for Malaysia’s AI industry or quantum adoption.
As Malaysia is a significant propagator of digital economy and cybersecurity in ASEAN, there may be expectations for it to move regional discussions on cyber and digital forward. The recent developments prepare Malaysia as the nation undertakes the chairmanship of ASEAN in 2025. However, with ongoing technology developments and national ambitions, Malaysia’s update of legislation may not be over yet.
The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.
About the writer:
Farlina Said is a Fellow in the Cyber and Technology Programme at the Institute of Strategic and International Studies (ISIS) Malaysia. Her expertise lies in responsible state behaviour in cyberspace, governance of emerging technologies as well as peaceful and meaningful use of cyber and digital tools.
Ariane Yasmin is an independent analyst and research consultant. She is also Editor at TIA Editors and Project Manager at Stratsea. Ariane was previously an Analyst in Foreign Policy & Security Studies at the Institute of Strategic and International Studies (ISIS) Malaysia.