Since the coming into force of Malaysia Cyber Security Act 2024 (“CSA”) on 26 August 2024, there have been substantial developments in the landscape in the past few months.

The Malaysian Communications and Multimedia Commission (MCMC) has announced that it is holding a public consultation on the draft Code of Conduct (Best Practice) for Internet Messaging Service Providers and Social Media Service Providers (“Draft Code of Conduct”).
The objective of the public consultation is to collect public opinion on the Draft Code of Conduct, which outlines the best practices for applications service provider class licence holders who offer Internet messaging and social media services in Malaysia to address harmful online content and other relevant conduct requirements.

Malaysia’s Cyber Security Bill 2024 was passed by both houses of the Malaysian Parliament on 27 March 2024 (Dewan Rakyat) and 3 April 2024 (Dewan Negara) respectively. Subsequent to its Royal Assent on 18 June 2024 and publication in the Official Gazette on 26 June 2024, the Malaysia Cyber Security Act 2024, together with four subsidiary regulations, came into force on 26 August 2024.

Following the passing of the Personal Data Protection (Amendment) Bill 2024 by the Malaysian Parliament in July 2024, three public consultation papers have been issued in relation to the implementation of the following impending new legal obligations:

• Notifying the Personal Data Protection Commissioner and affected data subjects for personal data breach.
• Appointing data protection officer(s).
• Effecting the data subject’s right to data portability.

The deadline to provide feedback is 6 September 2024 (Friday).

The Malaysian Communications and Multimedia Commission (“MCMC”) has announced its intention to introduce a new licensing regime for social media services and internet messaging services on 1 August 2024, with enforcement effective from 1 January 2025 onwards.

Under the current licensing framework, social media services and internet messaging services are exempted from the licensing requirement under the Communications and Multimedia Act 1998 (“CMA”) pursuant to the Communications and Multimedia (Licensing) (Exemption) Order 2000.

The long-awaited Personal Data Protection (Amendment) Bill 2024 has now been made publicly available. Among the key changes it seeks to introduce are: direct obligations for data processors, mandatory data breach notification, requirement to appoint data protection officer(s), new data subject rights on data portability, an expanded definition of sensitive personal data, and a general legal basis for cross-border transfers.

The Malaysia Cabinet has approved the proposed amendments to the Personal Data Protection Act 2010 (Act 709). These amendments are expected to be tabled in the current Parliamentary session taking place up until 18 July 2024.

Proposed licensing of social media and internet messaging services providers and a new draft bill on digital safety – these are some of the recent updates in the online content space for Malaysia.

The new Cyber Security Bill 2024 (“Bill”) was tabled for first reading at the Malaysian Parliament on 25 March 2024. The Bill aims to provide a regulatory framework for the safeguarding of Malaysia’s cyber security landscape by requiring national critical information infrastructure entities to comply with certain measures, standards and processes in the management of the cyber security threats and cyber security incidents. To achieve such objectives, the Bill provides for, among others, the establishment of the National Cyber Security Committee, the duties and powers of the Chief Executive, the appointment of national critical information infrastructure sector leads, the designation of national critical information infrastructure entities and the licensing of cyber security service providers.

The new Cyber Security Bill 2024 (“Bill”) was tabled for first reading at the Malaysian Parliament on 25 March 2024. The Bill aims to provide a regulatory framework for the safeguarding of Malaysia’s cybersecurity landscape by requiring national critical information infrastructure entities to comply with certain measures, standards and processes in the management of the cybersecurity threats and cybersecurity incidents. To achieve such objectives, the Bill provides for, among others, the establishment of the National Cyber Security Committee, the duties and powers of the Chief Executive, the appointment of national critical information infrastructure sector leads, the designation of national critical information infrastructure entities and the licensing of cybersecurity service providers.