MCMC NEW LICENSING REQUIREMENTS

New Regulatory Framework for Internet Messaging Service and Social Media Service Providers – Creating safer online environment and protecting individuals online 

In the wake of Malaysian Tik Tok influencer, Esha’s tragic death linked to online harassments and death threats,1 Malaysia is now poised to enact new laws to combat cyberbullying including introducing new licensing requirements for internet messaging and social media platforms. Esha’s case was the third case of cyberbullying that led to deaths in the span of 3 years. Malaysian Communications and Multimedia Commission (“MCMC”) has also received 9,483 reports of cyberbullying from January 2022 until July 2024.2 Following the foregoing as well as to combat the increasing cases of cybercrimes including sexual crimes against children, online fraud and gambling, Malaysian Government has moved to place responsibilities on internet messaging and social media platforms to tackle harmful contents and cyberbullying. 

On 1st August 2024, the regulatory framework for internet messaging service and social media service (“Regulatory Framework”) was gazetted and will come into effect on 1 January 2025. The Regulatory Framework aims to address the proliferation of online harm and foster a safer online environment for all Malaysians. Previously, social media service and internet messaging service providers (“Service Providers”) were exempted from the licensing requirement under the Communications and Multimedia Act 1998 (“CMA 1998“) pursuant to the Communications and Multimedia (Licensing) (Exemption) Order 2000. With the introduction of the Regulatory Framework, all Service Providers with at least 8 million users in Malaysia will need to apply for a licence from the MCMC. In this article, we explore the key aspects of this Regulatory Framework to assist the Service Providers in complying with the same and its implications for Service Providers and users. 

Key Aspects of the Regulatory Framework3

  1. Type of Licence and Requirements 

There are two (2) key types of licences under the CMA 1998 which are Individual Licence and Class Licence. The applicable licence for the Service Providers is Applications Service Provider Class Licence (“ASP (C)”) which allows for a light-touch regulatory approach to these services. The validity period for ASP (C) is one (1) year from the registration date and re-application is required every year provided that the threshold of having at least 8 million users in Malaysia is met. 

Service Providers may refer to the MCMC Licensing Guidebook4 for detailed information on the licensing requirements and process which include registration fees, application by a locally incorporated company, and submission of the documents required as per class licence application checklist (i.e. application form, company profile, information of the service and others). 

There will be no restriction on foreign shareholding under ASP (C), allowing locally incorporated foreign-owned companies to enter the Malaysian market.

  1. Compliance with CMA 1998

Service Providers are obligated to comply with MCMC directions issued pursuant to section 51 in relation to compliance with the CMA 1998, subsidiary legislation, or any licence condition. Additionally, Service Providers are also required to adhere to the general duties of licensees pursuant to section 263 and the standard licence conditions for ASP (C). 

  1. Data Protection and Privacy 

The newly introduced framework places a strong emphasis on the protection of user data as well. Service providers must comply with the Personal Data Protection Act 2010, which governs the collection, storage, and processing of personal data. Among others, Service Providers are required to implement robust security measures to protect user data from unauthorized access, breaches, and misuse and will be expected to incorporate child safety measures and adopt strategies to address risks associated with deepfakes and AI generated content. 

  1. Timeline 

Service Providers are given a grace period of 5 months from 1 August 2024 to 31 December 2024 to apply for the ASP (C) licence and comply with the licensing requirements. In the meantime, the Service Providers must use their best efforts to combat online harm on their platforms such as cyberbullying, online scams and gambling, and child sexual abuse material. 

MCMC through a public consultation will also develop guidelines detailing the conduct requirements and key obligations for the Service Providers within the grace period. 

  1. Enforcement and Penalties 

Service Providers operating without a licence from 1 January 2025 onwards will be subject to actions under section 126 of the CMA 1998. If convicted, the Service Providers shall be liable to a fine not exceeding RM500,000 or 5 years imprisonment, or both, and shall also be liable to a further fine of RM1,000 for every day or a part of a day during which the offence is continued after conviction. 

For any breach of licence conditions and/or the conduct requirements, MCMC can initiate actions ranging from administrative warning, issuance of compliance direction to rectify the breach, impose civil penalty or compound offences to proportionately deal with the breach. MCMC may also suspend access to said Service Provider’s platform; de-register of the ASP (C) licence; or commence prosecution in the most severe and grave nature of breach. 

Implications of the Regulatory Framework 

  1. For Service Providers 

The introduction of this Regulatory Framework marks a significant shift in how internet messaging and social media platforms operate in Malaysia. Service providers must now adopt a more proactive approach to compliance, ensuring that their operations align with local laws and regulations. This may require investing in enhanced data protection measures, developing more sophisticated content moderation tools, and increasing transparency in their operations. 

For smaller Service Providers, the cost and complexity of compliance may pose challenges, potentially leading to market consolidation as they seek partnerships or acquisitions to meet regulatory demands. On the other hand, the framework also creates opportunities for Service Providers that prioritize user safety, data protection, and compliance, as they can differentiate themselves in a market that increasingly values these attributes. 

  1. For Users 

For users, the new framework offers greater protection of their personal data and more robust mechanisms for addressing grievances. There will be clear channels of complaint and legal action against the Service Providers as they are required to have a local presence in Malaysia. 

It is also expected that MCMC will ensure the Service Provider to comply with the following key requirements which include having robust: 

  • policies and measures for the protection of user data; 
  • child safety measures including age assurances to restrict users under 13 years old from accessing the platforms operated by the Service Providers; 
  • policies and measures to address online harm including cyberbullying, online scams and sexual grooming activities; 
  • content moderation policies and measures in place; 
  • transparency in advertising and restriction of advertisement promoting scams; 
  • measures to safeguard minors from harmful content and misleading advertisements; 
  • measures to simplify complaint procedures for users and response time; 
  • measures to manage deepfakes and harmful AI generated content; and 
  • regular reporting measures on Service Providers’ compliance with Malaysian laws and conduct requirements. 

As a result, users can expect a safer online environment with more stringent controls on harmful content. However, the increased regulatory oversight may also lead to changes in how they interact with these platforms, such as more frequent data consent requests or content moderation notices. 

Conclusion 

Malaysia’s new regulatory framework for Service Providers represents a comprehensive effort to address the challenges posed by the digital age. By introducing stringent registration, data protection, content moderation, and transparency requirements, the framework seeks to create a safer and more accountable online environment. While it imposes new obligations on the Service Providers, it also enhances the rights and protections for users, ultimately contributing to a more secure and trustworthy digital ecosystem in Malaysia. As the framework continues to evolve, it will be crucial for both Service Providers and users to stay informed and adapt to the changing regulatory landscape. 

If you have any questions or queries, please contact our Advisory & Compliance Partner, Mr. Fakhrul Fadzilah (fakhrul@nzchambers.com). 

 Author; Fakhrul Fadzilah

References:  

1 https://www.channelnewsasia.com/asia/malaysia-esha-rajeswary-appahu-cyberbullying-tiktok-social- media-death-4466926 

2 MCMC Information Paper – Regulatory Framework for Internet Messaging Service and Social Media Service Providers dated 1 August 2024 < https://mcmc.gov.my/skmmgovmy/media/General/pdf2/Info- Paper-for-Regulatory-Framework.pdf> 

3 Ibid 

4 MCMC Licensing Guidebook 

<https://mcmc.gov.my/skmmgovmy/files/attachments/ASP%20Class%20Licence%20ASP.C.2005.3.p df>