A close-up of Malaysia’s regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.
The “DPA Digital Digest” series provides concise summaries of each economy’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.
Malaysia's digital economy is experiencing significant growth. In 2022, it contributed 23% to the nation's GDP, with expectations to surpass 25% by 2025, driven by the rise of electronic wallet payments and 5G infrastructure. Malaysia was the first country to establish a Digital Free Trade Zone in 2016 to support e-commerce and small and medium enterprises (SMEs) and continues to prioritise the growth of the digital economy. The MyDIGITAL blueprint launched in 2021 includes strategies to enhance digitalisation and support SMEs in developing their digital capabilities.
But what do Malaysia’s digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Malaysia-specific points of emphasis.
Data governance: Malaysia updated its Personal Data Protection Act and adopted cybersecurity rules for critical infrastructure.
Content moderation: Malaysia expanded its content moderation rules to large social media and messaging providers and pursued enforcement against online platforms to strengthen their content moderation practices.
Competition policy: Malaysia launched a market inquiry to assess the impact of the digital economy and identify policies to address challenges.
Artificial intelligence: Malaysia issued voluntary guidelines on the implementation of principles such as fairness, reliability and privacy.
Written by Maria Buza and Saskia von Mutius. Edited by Tommaso Giardini.
In June 2024, Malaysia amended the Personal Data Protection Act (PDPA), expanding its scope and obligations. The amendment requires entities to appoint a data protection officer, introduces the right to data portability for individuals, and increases penalties for data breaches. Additionally, the term "data users" is replaced with "data processors," who now have direct obligations to meet security requirements and follow a mandatory breach notification system. The amendment further classifies biometric data as sensitive personal data.
The amendments will take effect on a date set by the Minister of Digital. Meanwhile, authorities have begun consultations on secondary legislation and related guidelines. In August 2024, the Personal Data Protection Department (PDPD) ran consultations regarding data portability, breach notification, and the appointment of data protection officers. Until the enactment of the new amendments, data users have to comply with the PDPA’s principles, data subjects' rights and registration requirements if they fall under a specified class. Additionally, data users have to comply with the general code of practice and PDP’s regulations.
In August 2024, Malaysia implemented the Cyber Security Act, establishing the National Cyber Security Committee with the authority to create a centralised cyber control system and issue enforcement directives. The Act details procedures for identifying critical sectors, regulating cyber security service providers, and managing security incidents. It also mandates that cyber security service providers must obtain a licence to operate.
Malaysia does not impose data localisation requirements. Regarding cross-border data transfers, the upcoming amendment to the PDPA establishes several legal bases. Transfers will be allowed to jurisdictions that provide an adequate level of protection, requiring data controllers to assess whether the jurisdiction’s data protection laws offer “substantially similar” or “equivalent” protection to the PDPA. Alternatively, transfers can occur based on the data subject’s consent, necessity, or if the data controller has taken “reasonable precautions” to prevent PDPA violations. Such precautions may include binding corporate rules, standard contractual clauses, or certifications such as the Asia Pacific Economic Cooperation Cross-Border Privacy Rules. In October 2024, the PDPD ran a consultation on guidelines that clarify the conditions for using each legal basis and specify the records data controllers must keep. Until the amendment is implemented, the PDPA permits data transfers to jurisdictions listed by the PDPD as having adequate data protection, or on the basis of the data subject's consent, contract performance, legal proceedings, or other reasonable reasons.
The Personal Data Protection Department, established in December 2013 under the Ministry of Communications and Digital, is tasked with issuing guidelines and overseeing compliance with the PDPA. Currently, there are no public official sources on the enforcement or guidelines.
In August 2024, the Minister of Communications adopted a regulation requiring social media and internet messaging service providers with more than 8 million users to obtain a licence under the Communications and Multimedia Act (CMA). It takes effect in January 2025. Until then, the Communications and Multimedia Commission (MCMC) will establish guidelines and adopt standards on data protection, age verification, online harm mitigation, and content moderation.
Previously, licensing requirements applied to network facilities, network services, or application services. The new regulation expands this to content providers, requiring them to comply with the CMA's prohibition of offensive content, including material that is indecent, obscene, false, or intended to harass. Providers must prevent illegal activities on their platforms, cooperate with authorities, and comply with MCMC directives. Malaysia's government is currently working on expanding and clarifying these obligations. In July 2024, a special committee was formed to address cyberbullying. Also, in August 2024, the Minister of Communications announced plans to amend the CMA and the Communications and Multimedia Commission Act to address malicious content and fraudulent online behaviour.
Malaysia's approach to combating fake news has evolved over the years. Initially, the Anti-Fake News Act of 2018 was introduced to counter false information but was repealed within a year due to its overlap with existing laws. In March 2021, a new ordinance was enacted to address fake news specifically related to COVID-19 and the state of emergency, reflecting the earlier Act’s intent but focusing solely on pandemic-related content. This ordinance was also revoked once the emergency period concluded.
The MCMC has the authority to participate in the development of voluntary codes and register them, issue directives, and conduct investigations.
In May 2022, the MCMC registered a content code, which outlines self-regulation procedures and specifies standards for content dissemination. The code advises against posting indecent, false, menacing, or offensive content and prohibits discriminatory comments. It also stresses that, despite the regulations, there should be no censorship of the Internet. The Communications and Multimedia Content Forum is responsible for administering and enforcing the code.
The MCMC conducted several investigations into social media platforms, leading to the blocking of websites or their sharing.
In August 2024, the MCMC reported blocking over 10,000 websites between January 2022 and August 2024, primarily targeting online gambling, pornography, copyright infringement, scams, and prostitution. Between 2020 and late 2022, the MCMC blocked 6,381 online gambling websites and, before that, more than 400 websites displaying child sexual abuse content.
In May 2024, the Communications and Digital Ministry, together with the MCMC, Islamic Development Department, and state religious councils, announced that they will monitor and block viral social media videos promoting “deviant” teachings.
In April 2024, the MCMC required TikTok and Meta to strengthen their content moderation practices. They were directed to adopt a more proactive approach in monitoring and moderating content related to race, religion, and royalty, as well as to address scams and illegal online gambling.
In June 2023, the MCMC sued Meta for failing to remove harmful content from its platform. The content in question included issues related to race, nobility, religion, defamation, impersonation, online gambling, and deceptive advertising.
In May 2023, the MCMC required service providers to block the sending and receiving of URLs via text messages, with the aim of reducing online scams.
Malaysia has not adopted specific rules for digital competition and instead relies on the 2012 Competition Act. The Act prohibits the abuse of a dominant market position, such as unfair pricing. It also addresses anti-competitive agreements, both vertical and horizontal, which are further penalised under the Communications and Multimedia Act.
The Competition Commission (CC) has the authority to conduct market inquiries and ensure compliance with the Competition Act.
In August 2024, the CC launched a market review to assess the impact of the digital economy, focusing on mobile payment systems, e-commerce platforms, and online advertising services. It will also address data protection concerns such as switching costs, data misuse, and control.
In June 2022, the Malaysian Competition Commission (CC) found eight enterprises guilty of anti-competitive practices in the procurement of IT services.
In February 2021, the CC ruled against Dagang Net for imposing exclusivity clauses that restricted other software providers from offering similar services.
Malaysia does not have a specific law or regulation that directly addresses artificial intelligence (AI). The current regulatory framework, such as the Copyright Act and its amendment, as well as data protection rules, apply to developers and providers of AI.
In September 2024, the Ministry of Science, Technology and Innovation issued guidelines on AI governance and ethics. The guidelines set out voluntary measures addressed to AI developers and providers on how the principles of fairness, reliability, privacy, inclusiveness, transparency, accountability, and pursuing human benefit can be implemented. Additionally, the guidelines outline the rights and responsibilities of end users of AI, as well as the consumer protection principles that should be followed. The guidelines were issued in line with the AI roadmap released in December 2021. The roadmap outlines measures focused on supporting innovation and AI infrastructure while promoting ethical practices and sectoral integration. It notes plans for increased global collaboration on AI and the intention to adopt policies to attract investment and position Malaysia as a regional AI and data centre hub. In May 2024, the AI Nexus initiative was launched to further drive AI development and collaboration across sectors, including the establishment of AI education programs and a Consortium aimed at building a sustainable AI ecosystem.
Previously, in February 2024, Malaysia, as part of the Association of Southeast Asian Nations (ASEAN), endorsed the Guide on AI Governance and Ethics. Aimed at ensuring trustworthy AI systems, the non-binding guide is addressed to AI developers, users, expanders, and policymakers across the ASEAN region. It outlines risk assessments for human involvement, emphasises iterative lifecycle management, and provides a risk impact assessment template. The guide includes 7 principles fundamental to the responsible design, development, and deployment of AI technologies, namely transparency and explainability, fairness and equity, security and safety, robustness and reliability, human-centricity, privacy and data governance, and accountability and integrity. Finally, it recommends establishing an AI Ethics Advisory Board to oversee governance and ensure ethical adherence.
In January 2020, Malaysia extended its service tax to cover foreign providers of electronic and digital services to Malaysian businesses and consumers. The expansion also applied to local platforms, digital service providers, and those involved in distributing or reselling IT and digital services. A subsequent regulation clarified that foreign service providers offering digital services within the same corporate group are exempt from service tax. In March 2024, the service tax to be charged was set at a rate of 8% (it was set at 6% in 2020).
The Prescription Order of 2019 classifies digital assets into two main categories: digital currencies and digital tokens, both of which may be regarded as securities under certain conditions. Providers of these digital assets must register as securities to operate. A digital currency qualifies as a security if it is regularly traded in a market, offers potential returns through trading, and is not issued or guaranteed by a government or central bank. Similarly, a digital token is classified as a security if it represents a right or interest in an arrangement where the holder provides consideration and income or returns are pooled and generated from asset management or business activities. Companies involved with digital assets must determine whether they deal with digital currencies or tokens. Based on this classification, they may fall into one of three categories: recognised market operators for digital asset exchanges, digital asset custodians responsible for safeguarding investors' assets, or initial exchange offering providers, which facilitate fundraising through digital tokens.
The Securities Commission oversees compliance and has the power to issue guidelines to clarify obligations. In August 2024, the Securities Commission updated its guidelines on digital assets, first issued in 2020, and released a guide on recognised markets.
In June 2024, the Ministry of Domestic Trade initiated an inquiry to evaluate and update the legal framework governing e-commerce, aiming to align it with technological advancements and enhance user protections online. Previously, in September 2021, the Central Bank adopted regulations that required e-commerce providers to clearly outline their service requirements and improve risk management practices. Currently, e-commerce providers can use the National Digital Identity platform, which was launched to establish a secure, centralised digital identification system. The platform facilitates online identity verification for various services, including e-government, e-commerce platforms and telecommunications companies. E-commerce providers are also subject to the 2013 regulation that mandates online marketplace operators to disclose specific information on their websites. Furthermore, the Communications and Multimedia Act requires effective management of consumer complaints and compliance with the consumer code developed by the industry.