TMT 2023

Last Updated January 29, 2023

Malaysia

Law and Practice

Authors



Shin Associates is a full-service boutique law firm providing comprehensive legal advisory services across various practice areas. With a strong focus on Technology, Media, and Telecommunications (TMT), the firm specialises in representing clients on regulatory matters, from the provision of regulatory advice to assisting with compliance protocols and the obtaining of approvals and licences, to advising on data protection issues. The firm is also especially well-versed in all aspects of the media and entertainment industry. Bringing together strong local market expertise and a global perspective through the firm’s membership of the Cicero League of International Lawyers, an established network of international independent law firms, the firm has brought valuable insight and foresight to numerous clients across the globe. The firm has also been consistently ranked by Chambers and Partners as a recognised practitioner of the TMT practice sector in Malaysia.

Applicable Laws/Regulations/Industry Codes of Conduct

Given the nascent stage of the metaverse, there is no specific regulatory framework that addresses the metaverse at this juncture. Applicable legislation governing certain activities carried out via the metaverse would depend on the technologies employed for operation and the various functionalities arising therefrom.

Applicable key legislation and codes are as follows.

Contracts Act 1950 (CA)

The CA provides that all agreements are contracts if they are entered into with the free consent of contracting parties, for a lawful consideration, with a lawful object, and are not expressly declared void.

A contract is formed under the CA when the traditional essential elements (ie, offer, acceptance, consideration, and intention to create legal relations) are met. No documentary formalities are required thereunder.

With the advent of blockchain and the adoption of smart contracts for transactions within the metaverse, smart contracts and other metaverse-based contracts may potentially be enforceable under the CA if said elements are satisfied and there are no vitiating factors (eg, coercion, misrepresentation, undue influence, illegality, fraud) rendering the contracts void/voidable.

Electronic Commerce Act 2006 (ECA)

The ECA recognises the formation of contracts by way of information exchanged in the form of “electronic messages”, which is broadly defined under the ECA and could extend to information exchanged via the metaverse.

Such contracts are legally valid, binding, and enforceable against the contracting parties (see 9.1 Trust Services and Electronic Signatures (Electronic signatures)), subject to formalities required under other written laws.

Personal Data Protection Act 2010 (PDPA)

The PDPA and its subsidiary legislation regulate the processing of personal data (PD) and apply to anyone who processes and controls or authorises the processing of PD in commercial transactions.

The PDPA establishes seven principles (PDP Principles) that a data user (DU) (distinguished from data processors (DP) under the PDPA) must comply with when processing PD.

  • General Principle – consent for processing a data subject’s (DS) PD must be obtained unless exempted under the PDPA. Such processing must be for lawful purposes directly related to or necessary for the DU’s intended activity and adequate and not excessive for the relevant processing purpose. DUs must obtain the explicit consent of DSs to process their sensitive PD.
  • Notice and Choice Principle – written privacy notices incorporating relevant information required by the PDPA must be made available to DSs by DUs. In January 2022, the Personal Data Protection Commissioner (PDPC) issued a Guide to Prepare Personal Data Protection Notices to aid DUs in the preparation of privacy notices.
  • Disclosure Principle – disclosure of PD without the DS’s consent is prohibited, except for such purposes and to such parties identified in the DU’s privacy notice or as exempted by the PDPA.
  • Security Principle – DUs must take practical steps to protect PD from loss, misuse, modification, unauthorised/accidental access or disclosure, alteration or destruction.
  • Retention Principle – DUs may only retain PD for as long as is necessary to fulfil the purpose of processing and must thereafter destroy the PD.
  • Data Integrity Principle – DUs must take reasonable steps to ensure that the PD is accurate, complete, not misleading and up to date.
  • Access Principle – DSs have the right to request access to their PD and to correct any inaccurate, incomplete, misleading, or outdated PD.

DUs are prohibited from transferring PD extraterritorially unless sent to a permitted place (although such permitted places are yet to be confirmed, a proposed list has been issued) or if other exceptions apply.

DUs must have adequate security and indemnity measures to inhibit theft, loss, misuse, unauthorised/accidental access or disclosure, alteration, or destruction of PD under their care and must ensure that any DPs they use also take reasonable steps to employ such measures and provide sufficient guarantees.

Where a person is established locally and processes PD (directly or indirectly) or is not established locally but uses locally-based equipment to process PD (other than for transit purposes), compliance with the PDPA is necessary. Vis-à-vis the metaverse’s global coverage, potential challenges may arise in applying the PDPA to global DUs due to the “establishment” and “transit” criteria above.

Content Code 2022 (Content Code)

The Communications and Multimedia Content Forum, established by the Malaysian Communications and Multimedia Commission (MCMC), introduced the Content Code as an industry self-regulatory guideline to identify objectionable content and provide for content requirements based on local social, cultural, and religious values. The MCMC can direct anyone to comply with the Content Code. Failure to comply with such a directive may result in a fine of up to MYR200,000. Users who publish content in the metaverse may bring such publishing activities within the scope of the Content Code.

The Content Code focuses on regulating advertisements to increase consumer protection. The Content Code regulates advertisement claims, testimonials, and pricing information. Material information must not be omitted or presented in a misleading way and content that could offend any group is prohibited. The Content Code also addresses advertising content on religion, the rights of children and disabled persons, advertisements by gambling/betting companies, and reports on sensitive issues such as suicide.

“Virtual influencers” are recognised in the Content Code and defined as computer-generated characters or avatars with realistic characteristics, features, and personalities that behave similarly to human influencers. Users acting as “virtual influencers” would also need to disclose paid advertisements to avoid misleading customers.

While the MCMC has jurisdiction over locally-based individuals and entities, prosecution and enforcement against extraterritorial offenders are significantly limited, with the MCMC only being able to block offensive content from extraterritorial offenders from being accessed within Malaysia.

Other legislation

The legislation in 2.1 Digital Economy (Applicable Laws/Regulations/Industry Codes of Conduct) could apply to transactions within the metaverse, subject to jurisdictional considerations and relevant coverage elements therein.

Key Legal Challenges

Jurisdiction

Presently, no legislative provisions address cross-border jurisdictional issues concerning the metaverse.

Access to the metaverse would generally be governed by terms of use and/or end-user licence agreements (collectively EULAs) between end users and the platform operators who provide access thereto. In such instances, the governing law of the EULAs could ascertain applicable jurisdiction vis-à-vis end-users’ conduct in relation to the EULAs.

In-metaverse jurisdiction is a grey area. Arguably, if there are contractual terms and conditions within the metaverse which stipulate the governing law of a particular real-world territory, then the applicable courts may apply relevant real-world laws in relation to contractual issues pertaining to the same.

Where cybercrimes are concerned, it remains to be seen whether any real-world prosecution and enforcement may be commenced and sustained. The legislative framework for cybercrimes is mainly governed by the Computer Crimes Act 1997 (CCA) and supplemented by other legislation. The CCA has effect within and outside the country, regardless of the nationality or citizenship of the offenders. However, the CCA has yet to be revised to consider the rapid development of the metaverse and ancillary legal issues.

Anti-money laundering

In-metaverse transactions typically involve the usage of cryptocurrencies and Non-Fungible Tokens (NFTs) as the form of consideration. NFTs are digital assets with unique identifiers that can be traded and sold.

Following the issuance of the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 (Prescription Order) and the Guidelines on Recognised Markets 2019 (GRM) by the Securities Commission (SC), NFTs could potentially fall within the purview of the SC and be subject to anti-money laundering/counter-financing of terrorism (AMLCFT) controls. However, there are significant challenges in enforcing AMLCFT oversight over transactions within the metaverse due to the layers of identity protection and anonymity afforded to users, which hinders the ability of institutions with AMLCFT reporting obligations to effectively police transactions within the metaverse.

Intellectual property (IP)

There are several potential IP risks in the metaverse, including copyright infringement, trade mark infringement, and patent infringement. These may be difficult to ascertain and prosecute due to the anonymity of individuals within the metaverse.

Additionally, there may be issues with counterfeit NFTs, patent infringement in technology development, and trade secret misappropriation.

Risks of trade mark infringement may also arise in virtual transactions, and proactive trade mark registration may help to guard against such risks.

The metaverse comprises interconnected online networks and services, which may have host servers outside the jurisdiction where infringement occurs, making enforcement difficult. This may be further complicated by the disparities in legislation and practices in different jurisdictions. For instance, IP enforcement may need to be done via administrative procedures in some jurisdictions, whereas in others, such as Malaysia, court injunctions are more commonly used.

Data protection

Data protection is another primary concern. Organisations that operate the metaverse can use augmented reality/virtual reality technologies and devices that collect an immense amount of information, including a wide range of PD. This could lead to novel data privacy issues for users due to the collected information’s scope, scale, and sensitivity. DUs or third parties could misuse these various categories of data.

A significant gap in enforcement arises where PD is processed extraterritorially via the metaverse due to the limited applicability of the PDPA, see 1.1 Laws and Regulation (Personal Data Protection Act 2010 (PDPA)).

Applicable Laws/Regulations/Industry Codes of Conduct

No single piece of legislation explicitly governs the digital economy. There are, however, laws, regulations, and industry codes of conduct of general application to the digital economy, including the following.

  • The Communications and Multimedia Act 1998 (CMA) regulates the communications and multimedia industry, including applications service providers (ie, providers of applications services that deliver specific functions such as voice services, data services, internet access, and electronic commerce to end-users) (ASPs) and content applications service providers (ie, a subset of ASPs that provide content, such as television and radio broadcast services, and the provisioning of information services) (CASPs).
  • The CCA, see 1.1 Laws and Regulation (Jurisdiction).
  • The Consumer Protection Act 1999 (CPA) applies to all goods and services offered to consumers in trade (including via electronic trade transactions) which are primarily purchased, used, or consumed for personal, domestic or household purposes.
  • The Digital Signature Act 1997 (DSA), see 9.1 Trust Services and Electronic Signatures (Digital signatures).
  • The ECA, see 9.1 Trust Services and Electronic Signatures (Electronic signatures).
  • The Electronic Government Activities Act 2007 imposes on the public sector regulations analogous to those under the ECA.
  • The Financial Services Act 2013 (FSA) and Islamic Financial Services Act 2013 recognise electronic money as a payment instrument.
  • The PDPA, see 1.1 Laws and Regulation (Personal Data Protection Act 2010 (PDPA)).
  • The Price Control and Anti-Profiteering Act 2011 generally addresses price display and product labelling.
  • The Sale of Goods Act 1957 (SGA) governs contracts for the sale of goods.
  • The Trade Descriptions Act 2011 outlaws fraudulent trade descriptions and false or misleading statements, conduct, and practices concerning the supply of goods or services (including through electronic means).
  • The Capital Markets and Services Act 2007 governs the adoption and use of digital currencies and digital tokens which satisfy elements to be deemed as “securities” by virtue of the Prescription Order, and regulates Digital Asset Exchange (DAX) operators.
  • The Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 governs reporting obligations for entities carrying out prescribed activities which could broadly cover various digital economy elements, particularly where the use of digital currencies is concerned.
  • The Interoperable Credit Transfer Framework (ICTF) is a policy document issued by the Central Bank of Malaysia (BNM) under the FSA which requires registered merchant acquirers (RMAs) to ensure that any inter-bank credit transfer transactions are processed locally through an operator of shared payment infrastructure. The ICTF also prescribes steps to be taken by RMAs concerning credit transfer services offered to its customers.
  • The Content Code, see 1.1 Laws and Regulation (Content Code 2022 (Content Code)).
  • The General Consumer Code of Practice for the Communications and Multimedia Industry (Consumer Code), see 7.1 Scope of Regulation and Pre-marketing Requirements (Local Regulatory Coverage of Technologies and Services).
  • The Digital Economy Blueprint, launched in 2021, has identified the need to review and amend laws on IP, competition, and internet infrastructure, among other areas.

Key Legal Challenges

Regulatory requirements to conduct business can be challenging for digital businesses operating within the digital economy. Entities engaging in commerce that intend to establish a local corporate presence must apply for licences and registrations with various authorities to conduct business. Licensing and registration conditions or restrictions may also be imposed. These often come with lengthy application processes and, where applicable, strict compliance with directorship and equity stipulations by the relevant authorities.

The slow pace at which regulators respond may hinder novel digital economy developments where no governing regulatory frameworks are in place.

While cryptocurrencies are unregulated and not considered legal tender, cryptocurrency exchanges are regulated under the Guidelines on Prevention of Money Laundering and Terrorism Financing for Capital Market Intermediaries 2014 and the GRM. To operate, these exchanges must register with the SC. Once registered, cryptocurrency exchanges must abide by a set of AMLCFT obligations, which include implementing suitable customer due diligence measures and reporting suspicious customer transactions to the SC. The SC has also warned investors about the potential risks involved in initial coin offerings (ICOs), including limited legal protection and high exposure to fraud, money laundering, and terrorism financing. The recent scandal involving the FTX cryptocurrency exchange (FTX Scandal) has revealed various risks of hacking and fraud associated with such exchanges. In the wake of the FTX Scandal and with neighbouring country Singapore in the midst of tightening rules around retail investment in cryptocurrencies, it is expected that Malaysia will likely also follow suit with additional regulatory oversight to prevent similar incidents from happening in the future.

While cybercrimes have seen an uptick in recent years due to increased digital economy participation and technological developments, enforcement of the same remains challenging due to the speed at which cybercrimes have been developing and the lack of regulatory updates to keep pace.

Electronic transactions are often subject to the threat of fraud as credit card and payment account details and other pieces of information are typically required for online transactions. Ensuring secure networks and systems and developing security solutions to prevent exposure of customers’ PD to malicious third parties in compliance with the PDPA and other applicable legislation, such as the European General Data Protection Regulation (GDPR), can be challenging. The PDPA is currently more limited in scope than data protection laws of other jurisdictions, such as the GDPR, and has gaps in data protection coverage.

The Malaysia Digital Economy Corporation (MDEC), an agency under the Ministry of Communications and Digital, is expected to launch its ESG framework for the digital economy ecosystem by the second quarter of 2023, in view of its aspiration to attract MYR49 billion worth of digital investments in the country by 2025. The MDEC has indicated that the framework will be based on the United Nations Global Compact (UNGC) standard.

Applicable Laws/Regulations/Industry Codes of Conduct

CMA

Cloud service providers (CSPs) are subject to the CMA. Effective 1 January 2022, CSPs must obtain an ASP Class (ASP(C)) licence with annual renewal requirements. The provision of cloud services without a licence is an offence and is punishable upon conviction with a fine not exceeding MYR100,000 and/or imprisonment for a term not exceeding two years.

Organisations or parties using cloud services (CSSs) may be subject to technical codes and guidelines, such as the Technical Code on Information and Network Security – Cloud Service Provider Selection, which specifies requirements for selecting a CSP. The CSS must conduct a risk assessment and select a CSP based on risk tolerance, industry standards, and the CSP’s ability to provide certification and a third-party audit report. The technical code also requires CSSs to collaborate with CSPs to ensure the safety and security of cloud services and to enter into formal agreements outlining each party’s responsibilities in the event of a security incident. These agreements must be comprehensible, must not be detrimental to the organisation, and must include specific provisions for service delivery, availability, indemnification, and protection of IP rights. The CSS should also confirm that the CSP is certified or adheres to industry best practices.

PDPA

The PDPA contains obligations that must be adhered to where PD is processed through cloud services. See 1.1 Laws and Regulations (Personal Data Protection Act 2010 (PDPA)) for an overview of obligations under the PDPA.

The Personal Data Protection Standard 2015 (PDP Standard) requires DUs to ensure that transfers of PD through cloud computing services are recorded and that written consent from an officer authorised by the DU organisation’s top management is obtained before any transfer is made.

PD transferred through a cloud computing service must comply with the PDPA and PD protection laws of other countries.

The PDPA does not contain direct obligations on DPs, and there is no requirement for data localisation, although a public consultation paper has raised the possibility of introducing such requirements in future.

Regulated Industry Restrictions

Financial institutions (FIs) face the highest level of regulatory oversight vis-à-vis the use of cloud services by virtue of policy documents issued by BNM requiring mandatory compliance. Additionally, various industry-specific codes of practice have been issued under the PDPA, which prescribe bespoke requirements for applicable industries. Below is a brief outline of said industry-specific regulatory requirements for the use of cloud services.

FIs

The BNM has issued several policy documents that contain specific requirements related to the use of cloud services by FIs. These policies require FIs to consult with the BNM before using a public cloud for critical systems and to notify the BNM before using cloud services for non-critical systems.

The Policy Document on Outsourcing also requires FIs to obtain the BNM’s approval before entering into an outsourcing arrangement, including arrangements with CSPs, and to maintain a register containing details of the data held and the locations in which it is stored.

The Policy Document on Management of Customer Information and Permitted Disclosures also includes requirements for FIs in handling customer information throughout the information lifecycle, covering collection, storage, use, transmission, sharing, disclosure, and disposal.

FIs must also ensure that the service-level agreement with the CSP adequately reflects the FI’s obligation to safeguard customer information.

Private hospitals

If PD is stored via cloud storage, then secure encrypted communications protocols must be implemented when transmitting and retrieving PD from such locations. The choice of the CSP and communication protocols must also be secure.

Where a DP processes PD on behalf of a DU, the DU shall ensure that:

  • sufficient guarantees are provided by the DP for technical and organisational security measures; and
  • the DP complies with such measures by taking reasonable steps.

DUs should take several steps before engaging a DP, such as conducting a pre-agreement vetting of the DP to ensure that it has adequate policies and procedures in place to keep PD secure, stringent access controls, secure premises, back-up protocols, and technical and electronic safeguards to protect PD.

The DU should also enter into a formal agreement with the DP that covers non-disclosure provisions, current anti-virus and firewall software, the right to audit security systems, inspect policies, encryption in all transmissions, back-up and restoration functions, the right to claim compensation for loss of PD, and an obligation to report data breaches within an hour of becoming aware of a breach.

Aviation sector

DUs should ensure that they have obtained the written consent of their top management to transfer PD via cloud computing services.

In December 2022, the PDPC issued the General Code of Practice of Personal Data Protection, applicable to classes of DUs who do not have existing PD codes of practice. It imposes the same obligations as those described in this section.

Personal Data Processing Issues (Cloud Computing Context)

Presently, the PDPA only places PD protection obligations on DUs, as opposed to DPs who are not subject to similar requirements. See 1.1 Laws and Regulations (Personal Data Protection Act 2010 (PDPA)) for an overview of obligations under the PDPA.

As there is a gap in legislative oversight on DPs at this juncture, PDPA breaches by DPs are not strictly actionable against the DPs themselves, which brings about difficulties in enforcement efforts.

The government is considering amendments to the PDPA to extend its applicability to DPs, to better align with international data protection legislation. However, these proposed amendments have yet to be legislated at the time of writing, and regulatory initiatives to pursue cohesive reforms to the PDPA are exceedingly slow, notwithstanding that numerous data breaches have taken place since the PDPA came into being in 2010. It has been reported that, from 2017 to date, 25 companies have been fined or penalised under the PDPA. Malaysian courts have, however, also decided on various aspects of the PDPA. Notably, in the landmark case of Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors (2022) 11 MLJ 898, the Court determined that the provisions of the Income Tax Act 1967 cannot be used to override the protections offered under the PDPA in order to undertake a fishing expedition for the PD of a business’s customers.

Applicable Laws/Regulations/Industry Codes of Conduct

Although no statute directly addresses the use of artificial intelligence systems/technologies (AI) and big data, legislation and industry codes of conduct of general application may apply to various facets of AI and big data usage. These include but are not limited to the law of torts, the CPA, the PDPA, the SGA, and the CA, as further described in 4.1 Liability, Data Protection, IP and Fundamental Rights (Relevant Elements).

The government is attempting to enhance existing legislation and formulate a national framework to regulate such technologies, which includes the following initiatives.

The National Artificial Intelligence Roadmap was created through collaboration between the government and various stakeholders and covers the period from 2021-25. It includes initiatives such as developing an AI Governance Framework, implementing a cybersecurity policy, collaborating with industries to establish privacy, security, and ethics guidelines, and creating an AI Code of Ethics.

The MDEC is tasked with spearheading the National Big Data Analytics Framework, which aims to establish a national big data analytics ecosystem for economic growth across all industries. The MDEC is also developing a national AI framework. The MCMC has previously stated that the government is considering adopting a national data-sharing and AI policy.

Relevant Elements

Liability

AI-enabled software would be treated similarly to other consumer products. AI malfunctions would be addressed under the SGA, the CPA and tort law, which address product safety and consumer protection. The SGA and CPA contain implied terms such as guarantees and conditions regarding title, quality, fitness for purpose, price, and repairs that cannot be contractually excluded. The manufacturer or supplier of AI software would be liable for malfunctions arising from breaches of these implied terms, depending on the extent of non-compliance with representations and guarantees made to the supplier and consumer regarding the software.

The CA, which addresses the rights and liabilities of contracting parties, would be relevant in evaluating liability for AI malfunctions. Contractual provisions for AI usage may be incorporated to apportion liability for AI malfunctions.

Data protection

Big data analytics and AI collect and analyse vast volumes of data, which may raise concerns about the consent of DSs. Larger data sets are susceptible to significant breaches, which can lead to unauthorised access and disclosure of significant amounts of PD. Adequate security measures, such as those outlined in the PDPA and the PDP Standard, would be essential.

Data protection issues relating to big data analytics and AI can also be extended to other PDP Principles, such as PD being kept for longer than necessary or disclosed to parties unknown to the DS and without the DS’s consent, see 1.1 Laws and Regulations (Personal Data Protection Act 2010 (PDPA)).

The machine learning (ML) subset of AI requires large amounts of data for AI training and operation and triggers the applicability of the PDPA where PD is involved. With the growing use of data analytics, big data and the IoT, adherence to the PDPA is critical when individuals can be identified from the data exchanged or processed. This can be challenging as a DS’s written consent is required for processing PD and automated ML systems could fail to consider such consent requirements before processing the data.

IP

Whether the current IP regulatory regime extends protection to AI-generated IP is questionable.

For example, while the term “inventor” is not defined in patent legislation, the language adopted in the Patents Regulations 1986 (Patents Regulations) and the Patents Act 1983 (PA) indicates that AI may be excluded from coverage thereunder. According to the Patents Regulations, patent applications must include personal identification of the inventors, or signed written declarations where anonymity is sought. The implication here is that the inventors must be natural persons. Various jurisdictions such as the United Kingdom, the European Union, Australia, and Germany have refrained from allowing patent applications where humans are not listed as inventors. The United States case of Thaler v Vidal, No 21-2347 (Fed Cir 2022) elucidated that inventors in patent applications must be limited to natural persons. It is anticipated that a similar position may be adopted locally due to similarities in such formalities.

There is also uncertainty as to whether the Copyright Act 1987 (Copyright Act) affords protection to AI-created works. Copyright ownership, the potential perpetual subsistence of copyright in AI-created works, the accordance of moral rights to AI, and whether enforcement of copyright protection is available for AI-created works all remain grey areas, considering that the nomenclature adopted in the Copyright Act appears only to encompass the rights of natural and legal persons. Local courts have yet to take a stance on whether AI-created works are eligible for copyright protection. However, case law from other jurisdictions may be persuasive. For example, in Australia, the case of Acohs Pty Ltd v Ucorp Pty Ltd (2012) FCAFC 16 determined that works created with the aid of a computer are not protected under copyright laws as they are not considered to have been created by a human. The Court of Justice of the European Union has consistently stated that copyright applies only to original works that are the product of the author’s own intellectual creation and reflect the author’s personality, implying that a human author is necessary for a work to be eligible for copyright protection, as seen in the case of C-5/08 Infopaq International A/S v Danske Dagblades Forening.

Presently, if an AI is tasked with creating content and incorporates third-party works protected by copyright in such content without authorisation, the creator of the AI would appear to be liable for such infringement under the SGA, CPA, CA, and tort law, subject to any contractual provisions addressing liability between the creator and the user of the AI for such infringement caused by the AI.

Fundamental rights

With the rapid advancement of AI, AI may no longer be a mere product but one capable of human mimicry, consciousness, personhood, authorship, and autonomy. Myriad issues regarding whether AI should be granted rights in connection with these types of capacity, and the potential resulting ramifications, are bound to arise and have not yet been legislatively addressed.

The European Data Protection Supervisor recently published an opinion on 13 October 2022 about the need for a Council of Europe convention on AI, human rights, democracy and the rule of law. The opinion includes recommendations such as prohibiting AI that poses unacceptable risks to individuals, monitoring the usage of AI and implementing compliance and control mechanisms from a cross-border co-operative perspective. Similar proposals have yet to be proposed or implemented in the local context.

Applicable Laws/Regulations/Industry Codes of Conduct

Existing sector-specific guidelines address the IoT and additional laws may have general application towards IoT projects notwithstanding the lack of specific legislation. Examples of such laws, regulations and guidelines are as follows.

CMA

The licensing and regulatory framework under the CMA, including spectrum usage requirements, must be adhered to by parties implementing IoT projects in the telecommunications sector.

A licence would be required if the IoT project involves licensable activities under the CMA, see 6.1 Requirements and Authorisation Procedures (Applicable Procedures) and 7.1 Scope of Regulation and Pre-marketing Requirements.

If an IoT project involves spectrum usage, it would be subject to authorisation by the MCMC and would need to conform with the Spectrum Plan, and any related Standard Radio System Plans issued by the MCMC. Communications equipment used for IoT would need appropriate product certification from the relevant certifying organisation appointed by the MCMC and SIRIM QAS International Sdn Bhd, which certifies equipment for safety and compliance with set technical standards.

Various technical codes related to the IoT have been established to provide guidelines and requirements for the secure and efficient use of IoT technology, including codes on IoT application security requirements, high-level functional architecture, security management, and short-range device specifications. Additionally, other relevant technical codes are pending registration, such as codes on industrial IoT connectivity and communication framework and the IoT interoperability framework.

Where an IoT project involves the processing of PD, compliance with the PDPA is required.

In 2020, CyberSecurity Malaysia, an MCMC-affiliated agency, issued the Guidelines for Secure Internet of Things (IoT Guidelines). The IoT Guidelines detail security requirements and controls that manufacturers, providers, and consumers must implement to have a secure IoT system. These guidelines are non-binding but aim to assist stakeholders by establishing an IoT security framework and outlining existing IoT threats and vulnerabilities.

Relevant Elements

Data protection

Cross-border data flows between IoT devices engaged in machine-to-machine communications are particularly relevant. The PDPA generally prohibits extraterritorial PD transfers subject to certain exceptions, see 1.1 Laws and Regulations (Personal Data Protection Act 2010 (PDPA)). Of particular relevance would be considerations as to whether the relevant compliance requirements vis-à-vis consent of DSs are obtained for the cross-border transfer of PD via IoT devices.

Communications secrecy

The IoT Guidelines provide security controls for adoption in developing secure IoT systems, including risk mitigation measures pertaining to communications encryption, cloud, authentication, access control, data protection and privacy, operation and maintenance, amongst others.

Main Requirements

A variety of laws govern content. The MCMC is primarily responsible for regulating online and networked content. The Film Censorship Board (FCB) regulates traditional media outlets and content on television and in cinemas. The National Film Development Corporation Malaysia (FINAS) is responsible for regulating film production, distribution, and exhibition activities.

Licensing requirements under the CMA

CASPs are required to obtain a CASP licence unless specifically exempt. Exemptions include providers of “closed” content application services, which are not accessible to the public, and “incidental” content application services, which provide content as an incidental part of the service. Internet content application services such as over-the-top and online video-sharing platforms are also exempt.

CASP licences are issued as individual licences or class licences, see 7.1 Scope of Regulation and Pre-marketing Requirements (Local Regulatory Coverage of Technologies and Services). CASPs that provide publicly available content of broad appeal, and which can be received by commonly used consumer equipment or have a significant impact on shaping community views, will likely require an individual licence.

Entities involved in traditional broadcasting, such as terrestrial radio broadcasting, satellite broadcasting, terrestrial free-to-air television, and subscription broadcasting, generally require a CASP individual licence. Entities that provide limited content application services are not required to hold individual licences unless they fall under a class licence. A CASP will be regulated by a class licence if the service is limited to a specific interest group, restricted to a particular geographic area, for distance-learning purposes, or specifically linked or associated with sporting, cultural, or other one-off events.

CASP licences are subject to similar fees and eligibility criteria as telecommunications services under the CMA. Applicable fees and eligibility requirements vary between individual and class licences, see 6.1 Requirements and Authorisation Procedures (Applicable Procedures) and 7.1 Scope of Regulation and Pre-marketing Requirements (Market Entry Requirements).

Other licences/approvals

Depending on the facts and circumstances of each particular licence application, additional licensing requirements may apply. For instance, the production, distribution or exhibition of films may necessitate a licence from FINAS. These films may also require the FCB’s approval.

Content requirements and restrictions

Content is subject to various laws depending on its nature. These are mainly:

  • the CMA;
  • the Content Code;
  • the Printing Presses and Publications Act 1984;
  • the Sedition Act 1948;
  • the Penal Code;
  • Shariah law; and
  • advertisement laws, codes and guidelines.

The CMA prohibits the publication of content that is indecent, obscene, false, menacing, or offensive in nature, with the intent to annoy, abuse, threaten or harass any person via a content application service. Content that is deemed seditious will also violate the Sedition Act 1948. Other laws may also apply depending on the specific circumstances, such as the Copyright Act for copyright-infringing content.

The Content Code also applies to audio-visual media services and content platforms, see 1.1 Laws and Regulations (Content Code 2022 (Content Code)).

Applicable Procedures

Individual licences

Applicants must submit completed forms and an application fee of MYR10,000, along with documents from a checklist provided on the MCMC website. The MCMC may also request additional information or documents. The CMA requires the MCMC to process the application and provide a recommendation to the Minister of Communications and Digital (Minister) within 60 working days. If the Minister agrees with the recommendation, the licence will be granted upon payment of an approval fee of MYR50,000. If the application is rejected or refused, the Minister must inform the applicant in writing and provide the reason for the rejection within 30 working days.

Class licences

Applicants must submit completed forms, a registration fee of MYR2,500, and documents from a checklist provided on the MCMC website. The MCMC may also request additional information or documents. The MCMC will process and register the licence within 14 working days of the applicant providing all relevant and complete information.

Local Regulatory Coverage of Technologies and Services

The CMA and its subsidiary legislation regulate communications networks and services. The regulatory and licensing framework thereunder broadly covers most technological applications, even if there are no specific references to individual applications. Service-specific issues may be addressed through regulations, guidelines, technical codes, and other voluntary codes issued by the MCMC and/or other industry forums.

There are four categories of providers that are required to be licensed under the CMA.

  • Network Facilities Providers (NFPs) ‒ Owners or operators of network facilities such as broadband fibre optic cables, satellite earth stations, telecommunications lines and exchanges, radio-communications transmission equipment, mobile communications base stations, and broadcasting transmission towers and equipment.
  • Network Services Providers (NSPs) ‒ Providers supplying basic connectivity and bandwidth to support a wide range of applications. Network services enable connectivity or transmission between networks. Typically, an NSP also owns the network facilities. These services, however, may also be provided by a person utilising network facilities owned by another.
  • ASPs ‒ See 2.1 Key Challenges (Applicable Laws/Regulations/Industry Codes of Conduct).
  • CASPs ‒ See 2.1 Key Challenges (Applicable Laws/Regulations/Industry Codes of Conduct).

CMA licences for licensable activities can be issued as “individual” or “class” licences, except for ASP licences, which are only issued as class licences. An individual licence imposes a high degree of regulatory control, is specific to a person conducting a particular activity, and may include special application conditions. A class licence, on the other hand, is a less restrictive form of regulation designed for easy market access and only requires registration.

The CMA requires all NFPs, NSPs, ASPs and CASPs (save for those who are exempted from licence requirements) to deal with consumers reasonably and adequately address their complaints, or face, upon conviction, a fine not exceeding RM20,000 and/or six months’ imprisonment.

All CMA licensees are bound by the Consumer Code, which provides model procedures for reasonably meeting consumer requirements, handling customer complaints and disputes, using alternative dispute resolution, compensating customers if the Consumer Code is violated, and protecting consumer information, among others.

Consumers of telecommunications services would also be protected under the CPA and the Consumer Protection (Electronic Trade Transactions) Regulations 2012, which impose disclosure requirements on the goods and services offered by a business and the identification details of that business, and prohibit businesses from engaging in misleading practices and representations towards consumers.

Voice over Internet Protocol (VoIP) and instant messaging may be considered licensable applications services, specifically under the IP telephony and messaging services categories, necessitating an ASP licence. However, this is still dependent on the specific facts and whether applicable exceptions apply. Presently, VoIP services that operate solely on the internet and messaging services that send and receive communications entirely over the internet do not usually require a licence.

The Communications and Multimedia (Licensing) Regulations 2000 (Licensing Regulations) and the MCMC’s Guideline on the Provisioning of VoIP Services indicate that “the provision of PC to PC based internet telephony is not subject to licensing”.

Spectrum assignment

The usage of spectrum is restricted unless the following are obtained.

  • Spectrum assignment (SA) grants the authority to use one or more specified frequency bands for any purpose consistent with the MCMC’s assignment requirements.
  • Apparatus assignment (AA) grants the right to utilise the spectrum to operate a network facility of a specified type at a specific frequency and frequency band or bands.
  • Class assignment grants the permission to utilise the frequencies for a list of devices, and is valid until cancellation. The use of devices under class assignments is subject to the conditions set forth therein.

If the technology or device falls under any of the schedules in Class Assignment No 1 of 2021, and its use complies with the assignment conditions and requirements therein, no fees or applications will be necessary.

It should be noted that, according to the MCMC’s Licensing Guidebook (Licensing Guidebook), certain types of activities, such as online publishing and other internet content applications services, are exempt from licence requirements.

The Licensing Regulations provide that an individual or a class licence holder must adhere to certain standard requirements. These include taking proper and adequate safety measures to protect life and property in relation to all equipment and installations used under the licence, including exposure to electrical emissions or radiation. Additionally, the licence holder must take reasonable precautions to ensure that the charging mechanism used in conjunction with any network facilities and/or services is accurate and reliable.

The CMA and the Licensing Regulations provide for standard conditions that all licence holders must comply with, regardless of whether they have individual or class licences. Compliance with numbering and electronic addressing plans, spectrum plans, consumer codes and content codes is among these conditions.

Market Entry Requirements

Companies that are locally incorporated are eligible to hold an individual licence, while a locally incorporated company, local partnership, local sole proprietorship, or Malaysian resident can hold a class licence.

See 6.1 Requirements and Authorisation Procedures (Applicable Procedures) in respect of fees payable for individual and class licences. For spectrum, an SA application may only be submitted to the MCMC after an Applicant Information Package (AIP) is issued. The fees for an AA application include both fixed fees, which are determined by the type of equipment, and variable fees, which are based on the amount of bandwidth used. The application fee is MYR60 per application, and the process and associated fees can be found on the MCMC’s website and in the Guidelines for Apparatus Assignment.

The Licensing Guidebook provides that certain organisations or persons are not eligible for a class or individual licence. For individual licences, these include foreign companies, individuals or sole proprietorships, partnerships, and other persons as decided by the Minister. For class licences, foreign individuals who are not permanent residents, and foreign companies are not eligible.

The government liberalised the telecommunications services sector in 2012 by permitting up to 100% foreign equity participation for ASPs. However, NSPs and NFPs are restricted to 70% foreign equity participation.

Main Challenges

Some of the main challenges and areas of risk when contracting with local organisations in technology agreements include the following.

Data security

In order to comply with the data security requirements under the PDPA, organisations that engage third-party technology service providers as DPs must include certain security measures in their technology agreements. This may include contractually binding the third party to operate and carry out data processing activities, and addressing relevant warranty and indemnity provisions. The PDP Standard also sets out specific security measures that organisations must comply with when engaging DPs.

Organisations that are not based locally but are considered to be DUs and which use locally-based equipment for processing PD, other than for transit purposes, must also comply with the PDPA, see 1.1 Laws and Regulations (Personal Data Protection Act 2010 (PDPA)).

Data localisation

There is currently no mandatory rule for data to be stored locally under the PDPA, but specific industries or types of data may have their own localisation requirements.

There are restrictions concerning the cross-border transfer of data, see 1.1 Laws and Regulations (Personal Data Protection Act 2010 (PDPA)). Organisations must comply with the requirements of the PDPA when transferring PD extraterritorially in technology agreements. The technology service providers should also ensure that the data transfer by the organisation is PDPA-compliant.

IP rights

Patents

Patents protect products or processes resulting from an idea, not the idea itself. Certain types of inventions, such as discoveries, scientific theories, mathematical methods, and methods of doing business, are not eligible for patent protection. Obtaining a software patent is also difficult because software is considered a set of instructions or a method of data processing, which resembles mathematical methods. The PA rules out the patentability of computer software, but the Intellectual Property Corporation of Malaysia (MYIPO) has provided guidance that the product or process of the practical application of software may be patentable if it makes a technical contribution to the art.

Copyright

The Copyright Act recognises computer programs as literary works and they are therefore entitled to copyright protection. Copyright is the main form of protection for the rights of the owner of computer programs and software. For a computer program or software to be protected by copyright, it must be original, created by a qualified person, and made or first published in Malaysia. Copyright is automatically conferred on computer programs once the work is created and all statutory requirements are met. No registration is required for copyright protection, but ownership can be difficult to establish in cases of infringement by third parties.

Trade marks

Brands are used by companies to distinguish their software or computer programs from others and as a marketing tool for customers to recognise the products. It is important for technology companies to protect their brands by registering their trade marks, as consumers perceive trade marks as an indicator of a product’s source. While registration of trade marks is not mandatory, it provides proprietors with the right to sue for trade mark infringement and for passing off under common law. The proprietor can apply to the Registrar to register the trade mark in the manner prescribed by the Trade Marks Act 2019. Once the Registrar approves the application and there is no opposition, the trade mark will be registered. Registration is considered prima facie evidence of trade mark ownership. The period of protection is ten years, which is renewable for another ten years. Foreign applicants will have to file through registered trade mark agents, while local applicants can file on their own.

Layout design of an integrated circuit

The Layout-Designs of Integrated Circuits Act 2000 (LDICA) ensures comprehensive protection for layout-designs. To be eligible for protection, the layout-design must be an original work resulting from the creator’s own intellectual effort and not commonly used among creators and manufacturers of integrated circuits, the right-holder must be a qualifying person at the time of creation, and the layout-design must be fixed in a material form or incorporated into an integrated circuit. Protection is automatically granted to the creator once the layout-design is created and all statutory requirements are met. Owners can submit an affidavit to assert ownership and enforce rights under the LDICA. The duration of protection is ten years from the date of commercial exploitation or 15 years from the date of creation if not commercially used.

Specific Local Legal Framework Features

Data storage

There are no restrictions on specific data storage locations under the PDPA. However, the PDPA generally prohibits the transfer of data extraterritorially unless the exceptions thereunder apply, see 1.1 Laws and Regulations (Personal Data Protection Act 2010 (PDPA)).

Price revision restrictions

Price revision restrictions for technology agreements vary depending on the specific agreement and industry. Generally, the government may place restrictions on price revisions to protect consumers and prevent monopolies.

Excluded rules

No legislation excludes applicability to technology agreements specifically.

Mandatory laws

While there are no mandatory laws for technology agreements specifically, such agreements would need to comply with legislation of broad application, eg, the legislation outlined in 2.1 Key Challenges (Applicable Laws/Regulations/Industry Codes of Conduct), where applicable.

Regulated Industry Restrictions

There may be other requirements or considerations depending on the particular facts. When entering into a technology service agreement with an organisation in a regulated industry, additional regulations or guidelines may apply to the organisation, such as those set out by the BNM for FIs, which include specific requirements for engaging third-party service providers.

When an external service provider handles an FI’s information technology system, the FI must ensure (including via contractual arrangements) that the service provider will notify the FI in advance of any changes that could affect the system.

FIs must have a service-level agreement in place and may be required to include specific provisions in their contracts with a service provider. Additionally, some contracts may need to be approved by the BNM based on the guidelines set out in the BNM’s Outsourcing and Management of Customer Information and Permitted Disclosures Guidelines.

Applicable Laws/Regulations/Industry Codes of Conduct

Trust services

The government launched the Government Public Key Infrastructure Services (GPKI) project to centralise digital certificate management across all government institutions and to secure and expedite online transactions for e-government services. The GPKI is a security service that uses digital certificates that comply with the DSA and the Digital Signature Regulations 1998 (DSR).

The GPKI consists of hardware, software, people, policies, and processes to maintain security and usually requires enabling at the user’s end via Public Key Infrastructure (PKI) services, which can be delivered through various methods, such as an application programming interface (API). PKI services have three essential security criteria:

  • identity verification (authentication);
  • data encryption; and
  • digital signature.

The e-filing system of the Malaysian Courts (ekehakiman) is an example of an application that uses GPKI for the authentication and filing of court documents for legal proceedings.

The GPKI is a mandatory ICT security service that enhances the data and information security for government ICT applications in accordance with the DSA and DSR. Government personnel who use GPKI services can use the GPKI Portal for centralised digital certificate application and maintenance.

Electronic signatures

The ECA applies to any commercial transaction concluded through electronic means, and states that information in electronic form, wholly or in part, will not be deprived of legal effect, validity, or enforceability solely because it is in electronic form.

Traditional “wet-ink” signatures are not required for contracts to be valid and enforceable. The ECA acknowledges that the communication of proposals, acceptance of proposals, and revocation of proposals may be conveyed in an electronic message.

The ECA also recognises that electronic signatures may be used to form a legally binding contract and defines an “electronic signature” as “any letter, character, number, sound or any other symbol or any combination thereof created in an electronic form adopted by a person as a signature”.

A document in electronic form will be validly executed if it bears an electronic signature that adequately identifies and demonstrates the signer’s approval and is “as reliable as is appropriate” for the purpose for which it is required. The signature will be considered “as reliable as is appropriate” if the mechanism of establishing the signature is linked to and controlled by that person alone and any alteration made to the signature or document after the time of signing is discernible.

The ECA does not apply to:

  • powers of attorney;
  • creation of wills and codicils; and
  • creation of trusts and negotiable instruments.

For such documents to be legal and enforceable, additional formal criteria such as notarisation or attestation may apply.

Digital signatures

Digital signatures may also be used as electronic signatures. This is expressly provided for in the ECA and regulated by the DSA.

A digital signature is formed by procuring a digital certificate from a licensed certification authority (LCA) and is created by matching/pairing two keys (commonly referred to as a “public” key and a “private” key). Before obtaining such a certificate, the LCA will verify the applicant’s identity and is responsible for certifying the identity of the signer who holds the digital certificate.

Under the DSA, a digital signature is legitimate if it is verified by a public key listed in a valid certificate, the signatory intended to attach the digital signature, and the recipient has no knowledge or notice that the signer has breached their obligation as a certificate holder or is not the proper person to attach the digital signature.

Where the recipient has reservations about the legitimacy of the signer, the recipient must promptly notify the signer of their decision not to rely on the signature and the reasons for doing so.

Provided that the requirements above are fulfilled, a document will be considered valid and effective as if it were written on paper if:

  • it bears in its entirety a digital signature; and
  • the digital signature is verified by the public key listed in a certificate issued by an LCA and valid at the time of creation.
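The verification conditions just listed, modelled as an added example in Go (this is not code from the original chapter, nor an implementation of the DSA's or DSR's own procedures): a constructed stand-in for an LCA issues a signer certificate with a validity window, a document is signed in its entirety, and the verifier checks the signature under the public key listed in that certificate while judging the certificate's validity at the time of signing rather than at the time of checking. The LCA and signer names, validity dates and document text are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates and parses a certificate; passing the template as its own parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newDemoPKI builds a constructed stand-in for a licensed certification authority (LCA): a self-signed root
// and one signer certificate valid only between notBefore and notAfter. It returns root, signer cert, signer key.
func newDemoPKI(notBefore, notAfter time.Time) (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo LCA (constructed)"},
		NotBefore:             notBefore.Add(-24 * time.Hour),
		NotAfter:              notAfter.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	signerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	signerCert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Demo signer (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, caCert, &signerKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return caCert, signerCert, signerKey, nil
}

// signDocument signs the SHA-256 digest of the whole document with the signer's private key (ASN.1 ECDSA signature).
func signDocument(signerKey *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, signerKey, digest[:])
}

// verifyDigitalSignature applies the conditions in the text: the signature must verify under the public key
// listed in a certificate that chains to the LCA and was valid at the time of creation (signedAt, not the
// time of checking), and it must cover the document in its entirety, so any later alteration fails.
func verifyDigitalSignature(doc, sig []byte, signerCert, caCert *x509.Certificate, signedAt time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: signedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not valid at time of signing: %w", err)
	}
	// CheckSignature hashes the whole document with SHA-256 and verifies it against the certificate's public key.
	if err := signerCert.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature does not verify over the document: %w", err)
	}
	return nil
}

func main() {
	notBefore := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	caCert, signerCert, signerKey, err := newDemoPKI(notBefore, notBefore.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	doc := []byte("Constructed sample agreement text.") // constructed sample input
	sig, _ := signDocument(signerKey, doc)
	fmt.Println("signed within validity:", verifyDigitalSignature(doc, sig, signerCert, caCert, notBefore.AddDate(0, 6, 0)))
	fmt.Println("signed after expiry:", verifyDigitalSignature(doc, sig, signerCert, caCert, notBefore.AddDate(2, 0, 0)))
}
```

Verification fails both when the document is altered after signing and when the signing time falls outside the certificate's validity window, even though the key pair itself is unchanged.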

Relevant Elements

Differences between electronic signatures and digital signatures

While both an electronic signature and a digital signature allow for the electronic execution of documents, they differ in several respects. Digital signatures are based on a cryptosystem with two keys, public and private keys, and digital signature certificates are issued by the respective LCAs. The digital certificates will allow the signer to validate their identity or right to access information or services online, as the LCAs will carry out identity verification before issuing the certificate. Accordingly, using a digital signature would be more secure and would also assure customers that the businesses they are dealing with are authentic.

Electronic signatures are less strictly regulated and may be less secure than digital signatures. It should be emphasised that electronic signatures are versatile in that they apply to the signing of documents (where electronic signing is applicable) and to e-commerce transactions. In contrast, digital signatures are employed in transactions based on the needs of the parties involved.

Acceptance requirements of relevant authorities

Although electronic signatures and digital signatures are recognised, certain types of legal documents must be notarised or attested, see 9.1 Trust Services and Electronic Signatures (Electronic signatures).

Instruments effecting dealings with real property, for example, must be signed using the traditional wet-ink method under the National Land Code. Agreements governed by the Housing Development (Control And Licensing) Act 1966 also require wet-ink signatures unless specifically permitted.

In practice, certain government departments, such as the stamp and land offices, typically only accept documents with wet-ink signatures.

Shin Associates

Suite B-11-6, Level 11
Wisma Pantai, Plaza Pantai
No.5, Jalan 4/83A
Off Jalan Pantai Baru
59200 Kuala Lumpur
Malaysia

+603 2201 5584

+603 2201 9686

general@shinassociates.com.my

http://shinassociates.com.my/