Introduction to the Online Safety Bill 2024

 

1. Introduction

 

The Online Safety Bill 2024 (“the Bill“) was passed by the Dewan Rakyat (House of Representatives) and the Dewan Negara (Senate) on 11 and 16 December 2024 respectively. The Bill will now be presented for Royal Assent by the Yang di-Pertuan Agong and become law upon it being gazetted and will come into operation on a date to be appointed by the Minister of Communications.

 

2. Purpose

 

The Bill aims to:

• enhance and promote online safety in Malaysia;
• reduce harmful content available online (as listed under 4 below) and mitigate its potential detrimental effects; and
• impose duties and obligations on online service providers (as defined in 3(a) below).

 

3. Scope of Application

 

• Who Are Online Service Providers?: The Bill will apply to licensed Network Service Providers (“NSPs“), Application Service Providers (“ASPs“), and Content Application Service Providers (“CASPs“) under the Communications and Multimedia Act 1998 (“the CMA“), specifically when they offer application services or content application services.
• Not Applicable to Private Messaging Applications: However, it will not extend to private messaging features of any application service or content application service, defined as “a feature that allows a user to communicate a content to a specific and limited number of recipients determined by the user and may contain any other characteristics as may be prescribed”.
• Extraterritorial Application: The Bill will have extraterritorial effect, applying to the above service providers outside Malaysia that offer application services, content application services, or network services within Malaysia. These provisions fall under the authority of the Minister and will be enforced by the Malaysian Communications and Multimedia Commission (“MCMC“).

 

4. Harmful Content and Priority Harmful Content

 

(a) The Bill regulates two main categories of content, i.e. (i) harmful content and (ii) priority harmful content. Priority harmful content is a subset of harmful content and is subject to stricter regulation under the Bill.

(b) “Harmful content“, as defined in the Bill, includes the following specific types of content:

(i)     content on child sexual abuse material as provided for under section 4 of the Sexual Offences against Children Act 2017 [Act 792];

(ii)    content on financial fraud;

(iii)   obscene content including content that may give rise to a feeling of disgust due to lewd portrayal which may offend a person’s manner on decency and modesty;

(iv)   indecent content including content which is profane in nature, improper and against generally accepted behaviour or culture;

(v)    content that may cause harassment, distress, fear or alarm by way of threatening, abusive or insulting words or communication or act;

(vi)   content that may incite violence or terrorism;

(vii)  content that may induce a child to cause harm to himself;

(viii) content that may promote feelings of ill-will or hostility amongst the public at large or may disturb public tranquillity; and

(xi)   content that promotes the use or sale of dangerous drugs.

 

Notes:

• For the purposes of item 4(b)(ii), content that promotes awareness or education relating to financial fraud is not content on financial fraud.
• For the purposes of items 4(b)(iii) and (iv), content that portrays private parts for education, scientific or medical purposes is not an obscene or indecent content.
• For the purposes of item 4(b)(ix), content that promotes awareness or education relating to drug abuse is not content that promotes the use or sale of dangerous drugs.

 

(c) “Priority harmful content” is defined as the first two types of harmful content listed above, namely (i) content involving child sexual abuse material, and (ii) content related to financial fraud.

 

5. Duties of ASPs and CASPs

 

The Bill introduces comprehensive obligations for ASPs and CASPs (“Service Providers“) to enhance online safety and mitigate risks associated with harmful content. These duties aim to create a safer online environment for all users, with particular emphasis on protecting vulnerable groups like children and addressing priority harmful content more stringently. Key requirements include:

(a)  Mitigating Exposure to Harmful Content: Service Providers must implement measures to reduce the risk of users encountering harmful content, either as outlined in the Code of Conduct (Best Practice) for Internet Messaging and Social Media Service Providers issued by the MCMC or through alternative, proven-effective measures.

(b)  User Guidelines: Service Providers are required to provide users with clear guidelines on implemented safety measures and terms of use of their services.

(c)  Online Safety Tools: Service Providers must offer tools and settings that allow users to manage their online safety, such as limiting or preventing interactions with others who may identify, locate, or communicate with them.

(d)  Reporting Mechanisms: Mechanisms must be in place for users to report harmful content and to seek responsive assistance for online safety concerns or inquiries about safety measures.

(e)  Blocking Priority Harmful Content: Service Providers are obligated to establish systems that make priority harmful content inaccessible on their platforms.

(f)  Child Safety Measures: Specific protections for children must be implemented, including preventing access to harmful content, limiting communication with adults, controlling personalised recommendations, reducing features that encourage prolonged use, and safeguarding personal information.

(g)  Online Safety Plan: Service Providers must develop, submit to the MCMC, and publicly share an Online Safety Plan detailing compliance with these obligations.

MCMC is empowered to impose a financial penalty of up to RM10 million on Service Providers that fail to comply with any of the aforementioned duties.

 

6. Reporting Mechanisms to Service Providers

 

The Bill mandates that Service Providers implement a reporting mechanism to allow users to flag content they believe to be harmful. Upon receiving a report, the Service Provider must follow these steps:

(a)  Dismissal of Unmeritorious Reports: Reports deemed frivolous, vexatious, made in bad faith, trivial, or duplicative of previous reports shall be dismissed by the Service Providers.

(b)  Processing Valid Reports: If a report is not dismissed, the Service Providers must assess whether the content qualifies as “priority harmful content” or “harmful content”.

(c)  Content Restriction: If the content is determined to be “priority harmful content” or “harmful content,” the Service Providers are required to make the content permanently inaccessible to all users.

(d)  Enforcement by MCMC: If a Service Provider fails to restrict access to harmful content as required, the MCMC can issue a written directive instructing the Service Provider to restrict access. Non-compliance with this directive constitutes an offence, subject to a financial penalty of up to RM1 million, with an additional daily fine of RM100,000 for continued non-compliance after conviction.

(e)  Notification to Reporting Users: Service Providers must notify the reporting user in writing of any decision made regarding the reported content

 

7. Reporting Mechanism of MCMC

 

Users may also directly report harmful content to MCMC, which will handle such reports as follows:

(a)  Dismissal of Unmeritorious Reports: Similar to Service Providers, MCMC will dismiss reports that are frivolous, vexatious, made in bad faith, trivial, or duplicative of previous reports.

(b)  Content Restriction Directives: If MCMC determines the content is “priority harmful content” or “harmful content,” it will issue a written directive to the Service Providers to make the content permanently inaccessible. Non-compliance with this directive may result in penalties of up to RM1 million, with an additional fine of RM100,000 for each day the offence continues after conviction.

(c)  Notification of Actions Taken: Service Providers must notify both MCMC and the user who reported the harmful content about the actions taken in response to MCMC’s directive.

This dual reporting mechanism ensures users have multiple avenues to address harmful content while imposing clear obligations on Service Providers and MCMC to take action.

 

8. Powers of MCMC

 

The Bill empowers the MCMC with a range of authorities, including but not limited to the ability to:

(a)  issue directions and written instructions to ASPs, CASPs and NSPs to ensure their compliance with the Bill;

(b)  collect, retain, and request relevant information, documents, or evidence necessary to perform its functions and exercise its powers under the Bill;

(c)  issue notices of non-compliance and impose financial penalties on Service Providers for failing to meet their obligations under the Bill; and

(d)  where harmful content is found online, but not on the services of the Service Providers, direct relevant NSPs to restrict access to the specific parts of their network to block access to the harmful content.

 

9. Establishment of Online Safety Committee

 

The Bill establishes an Online Safety Committee, comprising, among others, the Minister, the Police, relevant ministries, and Service Providers, to advise and make recommendations to the MCMC on online safety matters. The Committee’s functions include determining the types of harmful and priority harmful content and providing guidance on best practices to promote accountability among ASPs, CASPs, and NSPs.

 

10. Undertaking, Notice of Non-Compliance, and Review by MCMC

 

Service Providers may submit an undertaking to MCMC before a notice of non-compliance is issued. If MCMC has reasonable grounds to believe that a Service Provider has failed to meet its obligations under the Bill, it will issue a notice of non-compliance. The Service Provider can either pay the prescribed fines or request a review by MCMC. The decision made by MCMC can be appealed to the Online Safety Appeal Tribunal.

 

11. Establishment of Online Safety Appeal Tribunal

 

The Bill establishes an Online Safety Appeal Tribunal to review any written instructions, determinations, directions, or decisions made by the MCMC under the Bill. Any person (including users who have reported content to Service Providers), who is aggrieved by such actions, may appeal to the Tribunal for further review.

 

12. Judicial Review Process

 

After all statutory remedies have been exhausted, any person who is aggrieved or whose interests are negatively impacted by a decision or action of the Minister or MCMC may apply to the High Court for a judicial review.

 

13. Enforcement Powers under the Bill

 

The Bill grants a range of enforcement powers, including the authority to investigate, conduct searches, access computerised data, seize and preserve information, as well as disclose communications data as needed.

 

Conclusion

 

All affected parties, especially ASPs, CASPs, and NSPs are encouraged to stay informed about the evolving regulatory landscape and proactively review their existing policies and practices related to online safety and content regulation. By doing so, they can ensure alignment with the forthcoming obligations under the Bill. It is crucial for affected parties to assess the potential impact of the new law on their operations and liabilities, preparing accordingly to ensure compliance once the legislation comes into effect.