Malaysia’s Online Safety Act 2024: A New Era for Digital Regulation
Malaysia is on the cusp of a significant transformation in its approach to online safety and digital governance. The Online Safety Act 2024, recently passed by Parliament and awaiting full enforcement, is designed to address the growing threats of online harm—especially to children—while also reshaping the responsibilities of digital platforms, parents, and regulators. However, the law’s sweeping provisions have sparked a national debate: Can Malaysia protect its most vulnerable internet users without undermining digital rights, privacy, and freedom of expression?
This article explores the key features of the Online Safety Act 2024, the rationale behind its introduction, the concerns raised by experts and civil society, and the broader implications for Malaysia’s digital future.
What Does the Online Safety Act 2024 Aim to Achieve?
The Online Safety Act 2024 is part of a broader legislative push to modernize Malaysia’s digital laws in response to rising cyber threats, online scams, and the proliferation of harmful content. The Act’s primary objectives are:
- To safeguard children and vulnerable users from online harm, including sexual exploitation, cyberbullying, and exposure to illegal or dangerous content.
- To hold online service providers and social media platforms accountable for the content they host and the safety features they provide.
- To empower authorities with new regulatory and enforcement powers to act swiftly against unlawful or harmful online activities.
Communications Minister Datuk Fahmi Fadzil and Minister in the Prime Minister’s Department (Law and Institutional Reform) Datuk Seri Azalina Othman Said have both emphasized that the Act is intended to create a safer digital environment, particularly for children, and to ensure that digital platforms uphold a defined duty of care.
Key Provisions: How Will the Act Work?
The Online Safety Act 2024 introduces a range of new requirements and mechanisms affecting multiple stakeholders:
- Obligations for Service Providers: Applications Service Providers (ASPs), Content Applications Service Providers (CASPs), and Network Service Providers (NSPs) must implement robust mechanisms for reporting and handling harmful content, publish user guidelines, and provide tools for users to manage their online safety.
- Reporting and Removal of Harmful Content: Platforms must allow users to report harmful content—such as child sexual abuse material, financial fraud, obscene or indecent content, harassment, and content inciting violence. Service providers are required to review reports and, if necessary, make harmful content permanently inaccessible.
- Parental and Guardian Responsibilities: Proposed amendments would make it compulsory for parents and guardians to monitor their children’s online activities and attend formal training in online safety. This is a response to high-profile incidents, such as the arrest of a 16-year-old in Johor for selling deepfake pornographic images using AI.
- Regulatory Oversight: The Malaysian Communications and Multimedia Commission (MCMC) is empowered to enforce the Act, issue directives, and, if service providers fail to comply, restrict access to harmful content. An Online Safety Committee will advise the MCMC, and an Online Safety Appeal Tribunal will handle disputes.
- Penalties: Non-compliance can result in substantial financial penalties—up to RM10 million for service providers—and daily fines for continued violations.
Notably, the Act does not apply to private messaging features, and it includes some exceptions for content related to education, science, or public awareness.
Social Media Licensing and Platform Accountability
In tandem with the Online Safety Act, Malaysia has introduced a new licensing framework for social media platforms with over eight million users. Platforms must now obtain an Applications Service Provider Class Licence, comply with content moderation requirements, and contribute a portion of their revenue to expanding internet access in underserved communities. This marks a shift from previous hands-off regulation to a more interventionist approach, with the government arguing that self-regulation by platforms has been insufficient to curb digital threats.
Expert and Civil Society Concerns: Risks of Overreach and Unintended Consequences
While the government frames the Act as a necessary step to protect children and the public, cybersecurity experts, digital rights advocates, and civil society organizations have raised several concerns:
1. Widening the Digital Divide and Straining Family Ties
Cybersecurity analysts warn that making parental monitoring compulsory—without first addressing digital literacy gaps—could backfire. Dr. Azree Shahrel Ahmad Nazri, a cybersecurity analyst, cautions that enforcement is fraught with privacy risks, technical gaps, and ethical concerns:
“It’s not as simple as telling parents to monitor their children. From a cybersecurity standpoint, enforcement is fraught with privacy risks, technical gaps and ethical concerns.”
He emphasizes that well-meaning legislation could have unintended consequences if it overlooks the realities of households with minimal digital literacy or access to appropriate tools. Without robust educational support, such as free parental control apps and accessible training, the law risks widening the digital divide and straining family relationships.
Dr. Azree also points to research from the Pew Research Centre and Oxford Internet Institute, noting that children tend to withdraw when parents rely on surveillance, but thrive when supervision is transparent and built on communication.
2. Freedom of Expression and Privacy Risks
Human rights groups, including ARTICLE 19 and the Centre for Independent Journalism, argue that the Act and related amendments to the Communications and Multimedia Act (CMA) 1998 grant excessive powers to the MCMC and the Minister of Communications. These powers include:
- The ability to order surveillance, search, and seizure without a warrant or judicial oversight.
- The authority to compel service providers to disclose user data and remove content deemed “harmful,” even if it is not illegal.
- Broad and vague definitions of “harmful content,” which could lead to over-censorship and the removal of lawful speech, satire, or criticism of the government.
Critics warn that these provisions could be used to silence dissent, stifle open discourse, and erode privacy rights. Zaid Malek, director of Lawyers for Liberty, highlights the dangers of vague language in the law:
“The inclusion of ‘confusion’ and ‘incomplete’ in the definition of falsehood here massively widens the offence. It will put fear upon the public and prevent them from participating in discussions regarding matters of public interest.”
Media freedom advocates point to Malaysia’s declining position on the World Press Freedom Index and the country’s high rate of government takedown requests to platforms like TikTok and Meta as evidence of growing censorship.
3. Regulatory Independence and Accountability
Another major concern is the lack of independent oversight. The MCMC, which enforces the Act, is not independent in law or practice and is subject to ministerial direction. Civil society groups recommend establishing an independent Online Safety Commission, free from government interference, to ensure transparency and accountability in content regulation.
4. Impact on Creators, Innovation, and the Digital Economy
Content creators and digital entrepreneurs worry that the new regulations could stifle innovation and limit opportunities. The blocking of platforms like ArtStation, increased content takedown requests, and the threat of heavy penalties have already led to self-censorship and reduced job opportunities for artists and creators. Industry groups, such as the Asia Internet Coalition, warn that the licensing rules are “unworkable” and could adversely impact Malaysia’s digital economy.
Government Response: Balancing Safety, Access, and Rights
In response to criticism, government officials have stressed that the Act is not intended to criminalize legitimate expression or impose blanket age restrictions on internet access. Communications Minister Fahmi Fadzil has stated that Malaysia will adopt a “balanced approach,” taking into account the country’s socio-cultural context and legal landscape. He has also emphasized the importance of public awareness campaigns and education, rather than relying solely on enforcement.
Fahmi Fadzil explains:
“Balancing access and safety is important, but users must also be educated about the basic safety measures they need to practice. This is what we will implement through our online safety awareness campaign.”
The government has launched nationwide roadshows to raise awareness about online safety, the new licensing requirements, and the amendments to the CMA and Online Safety Act.
How Does the Act Fit into Malaysia’s Broader Digital Governance?
The Online Safety Act 2024 is part of a larger wave of digital regulation in Malaysia, which includes:
- The Cybersecurity Act 2024, establishing a national compliance framework for critical infrastructure and rapid incident notification requirements.
- Amendments to the Personal Data Protection Act (PDPA), introducing mandatory data breach notifications, the appointment of Data Protection Officers, expanded definitions of sensitive data, and increased penalties for non-compliance.
- The new social media licensing regime, requiring platforms to obtain licenses, moderate content, and contribute to universal internet access funds.
These measures reflect Malaysia’s ambition to strengthen its digital economy, protect users, and align with international standards. However, they also raise questions about the balance between security, innovation, and fundamental rights.
Regional and International Context: A Global Push for Online Safety
Malaysia’s regulatory overhaul mirrors global trends, as countries grapple with the challenges of online harm, misinformation, and the responsibilities of digital platforms. For example, Australia recently passed a law setting a minimum age for social media access, while Singapore and Hong Kong have introduced new cybersecurity and data protection laws. The Asia-Pacific region is experiencing a surge in cyber regulation, with stricter obligations for incident reporting, risk assessments, and penalties for non-compliance.
However, Malaysia’s approach is notable for its emphasis on platform accountability, parental responsibility, and the centralization of regulatory power. The success of these measures will depend on transparent enforcement, independent oversight, and ongoing engagement with stakeholders—including parents, educators, industry, and civil society.
In Summary
- The Online Safety Act 2024 is Malaysia’s most ambitious effort yet to regulate digital platforms, protect children, and combat online harm.
- The Act imposes new obligations on service providers, parents, and regulators, with significant penalties for non-compliance.
- Experts and civil society warn that the law could widen the digital divide, strain family relationships, and undermine freedom of expression and privacy if not implemented with care.
- Concerns center on the broad powers granted to the MCMC, vague definitions of harmful content, and the lack of independent oversight.
- The government insists it is pursuing a balanced approach, prioritizing education and awareness alongside enforcement.
- The Act is part of a broader regulatory shift in Malaysia, including new data protection and cybersecurity laws, and a licensing regime for social media platforms.
- Malaysia’s experience highlights the global challenge of balancing online safety, digital rights, and innovation in an increasingly connected world.
