Code of Conduct (Best Practice) for Internet Messaging Service Providers and Social Media Service Providers in Malaysia

Code of Conduct (Best Practice) for Internet Messaging Service Providers and Social Media Service Providers in Malaysia

On October 22, 2024, the Malaysian Communications and Multimedia Commission (MCMC) launched a public consultation for its draft Code of Conduct (Best Practice) for Internet Messaging Service Providers and Social Media Service Providers (“Code of Conduct”). This draft Code invites feedback from the public and industry stakeholders, with submissions open until November 5, 2024.

The draft Code mandates Internet messaging service providers and social media service providers (“Service Providers”) to implement user safety measures, child protection protocols, risk assessments, and accountability practices like regular audits and public reporting on online safety efforts.

Background

The Malaysian Communications and Multimedia Commission (MCMC) established a regulatory framework that required Service Providers with eight (8) million or more users in Malaysia to apply for the Applications Service Provider (ASP(C) Licence).

The said framework is the Communications and Multimedia (Licensing) (Amendment) (No. 2) Regulations 2024[1] and the Communications and Multimedia (Licensing) (Exemption) (Amendment) Order 2024[2] which were gazetted on 1 August 2024.

Applications must be made before 31 December 2024, as the framework will come into full force on 1 January 2025. During this period, MCMC is required to establish guidelines that the Service Providers must adhere to. The Code of Conduct is one of the guidelines.

Scope and Application of the Code of Conduct

The draft Code is designed to provide clear guidelines for Internet Messaging and Social Media Service Providers, reinforcing their obligations under Malaysian law to create safer online environments. A core focus of the Code is on managing “harmful content“—materials that violate the Communications and Multimedia Act 1998 (CMA 1998) or other relevant Malaysian laws. Harmful content is defined as:

  • Child Sexual Abuse Material (CSAM)
  • Non-consensual Sharing of Intimate Content
  • Financial Scams (such as phishing or investment scams)
  • Bullying and Hate Speech
  • Content Inciting Violence, Extremism, or Terrorism
  • Content Likely to Harm Children Physically or Psychologically
  • Manipulated Media (like deepfakes)[3]

This broad definition of harmful content allows the Code to address a wide range of online risks. By doing so, it prioritizes user safety while addressing specific issues unique to Malaysia’s digital landscape, ultimately aiming to protect all users, particularly vulnerable groups like children.

Best Practices Mandated for Service Providers

To effectively address the risks and responsibilities outlined in the Code, a set of best practices have been developed. These practices serve as actionable guidelines for Service Providers, ensuring they meet the required standards for user protection, content management, and compliance under Malaysian law.

This includes:

  • User Safety Measures
  • Child Safety Provisions
  • Risk Mitigation Protocols
  • Accountability

Each of the above will be explored below.

  1. User Safety Measures

To ensure user safety, Service Providers are required to adopt robust systems for identifying and removing harmful content swiftly.

  • establishing robust systems for the timely identification, assessment, and removal of harmful content;
  • regularly reviewing and updating these systems to maintain their effectiveness;
  • maintaining a dedicated local content moderation team;
  • promptly reporting harmful content to relevant law enforcement authorities;
  • enforcing actions against users who violate platform guidelines; and
  • cooperating fully with law enforcement requests.[4]

Service Providers should enable users to proactively counter online harm by offering tools and settings for managing their safety. This includes setting clear, transparent guidelines, timelines, and processes for reporting and appealing harmful content. Providers must also respond to reports of harmful content, particularly CSAM, within 24 hours to ensure swift action.[5]

These practices are designed to support a proactive, responsive approach to online safety, empowering users with tools to control their privacy and report harmful content effectively.

  1. Child Safety Provisions

Given the unique vulnerabilities of child users, the Code enforces specific child safety measures. Service Providers must implement:

  • Age Verification Mechanisms: To prevent minors from accessing harmful content.
  • Parental Controls: Tools allowing parents to monitor and control their child’s online activity.
  • Self-Protective Tools for Children: Features to help children avoid harmful content and interactions.
  • Regular Reviews and Audits: Continuous improvements to child safety protocols based on emerging risks.[6]

These child-centered provisions align with global standards, prioritizing a safe environment for young users while educating them on safe digital practices.

  1. Risk Mitigation Protocols

Furthermore, Service Providers are expected to actively identify and address risks on their platforms. The Code calls for:

  • Systemic Risk Assessments: Conducted regularly by qualified teams.
  • Risk Assessment Updates: To account for demographic changes and new platform features.
  • Collaborative Efforts: Encourages partnerships with regulatory bodies, law enforcement, and other stakeholders to mitigate risks effectively.[7]

These measures promote a preventive approach, reducing the chances of harmful content or interactions occurring.

  1. Accountability and Compliance Requirements

Service Providers are required to uphold accountability through several measures to ensure a safer online environment, with a focus on protecting children and vulnerable users. This includes:

  • Record-Keeping: Maintaining detailed records of harmful content removals, including the process and rationale, as required by Malaysian law.
  • Regular Audits: Conducting audits to assess compliance with the Code of Conduct, platform guidelines, and laws, including a “Safety by Design” assessment to incorporate safety features into platform design, and audits focused on accessibility and child safety.
  • Bi-Annual Safety Reports to MCMC: Submitting reports twice a year to MCMC, covering risk assessments, safety measures (such as moderator training and automated tools), compliance challenges, and the peak number of Malaysian users.
  • Public Annual Safety Report: Publishing a yearly public report detailing online safety practices, including handling of harmful content (especially for child safety), moderator support, automated content management, and management of user reports and data requests.[8]

Next Steps for Service Providers

As the consultation phase progresses, Service Providers should review the draft Code and assess their capacity to meet these standards. Providers should voice any concerns to MCMC promptly, as the draft may undergo adjustments before implementation. Feedback must be submitted by November 5, 2024, ensuring Service Providers’ concerns and suggestions are considered in finalizing the Code.

Conclusion

The draft Code of Conduct presents a clear, structured approach to ensuring safer, more accountable digital environments for Malaysians. Through child safety provisions, user empowerment tools, and risk mitigation strategies, the Code aligns Malaysia with global standards in online safety and regulatory compliance. Service Providers play a pivotal role in this effort and are encouraged to proactively integrate these practices to foster trust and protect users in Malaysia.

If you have any questions or queries, please email us at general@nzchambers.com.

Authors:

  1. Alif Mustaqim
  2. Wan Tasnima

References:

[1] [P.U.(A) 205/2024]

[2] [P.U.(A) 206/2024]

[3] Malaysian Communications and Multimedia Commission, DRAFT Code of Conduct (Best Practice) for Internet Messaging Service Providers and Social Media Service Providers, Section 3.2, October 2024. Accessed from Malaysian Communications and Multimedia Commission: https://mcmc.gov.my/skmmgovmy/media/General/pdf2/DRAFT_Code-of-Conduct_211024-RPD.pdf.

[4] ibid, Section 4.2

[5] Ibid, Section 4.3-4.4

[6] Ibid, Section 5.2

[7] Ibid, Section 6.2 and 6.3.

[8] Ibid, Section 7.2