Online safety & content laws in Malaysia (2026)

The Federal Court partly reversed the Court of Appeal's August 2025 ruling, holding that the words 'offensive' and 'annoy' in Section 233(1)(a) of the CMA 1998 are constitutional within Malaysia's multiracial context, while setting a higher prosecutorial threshold of proven intent to annoy. Critics including ARTICLE 19 condemned the ruling as a blow to online free speech.

The Online Safety Act 2025 (Act 866) entered into force, imposing binding risk-based duties on licensed platform operators to address nine categories of harmful content — including CSAM, fraud, harassment, and incitement to violence — with fines up to RM 10 million for non-compliance. Simultaneously, a Deeming Provision automatically licensed major platforms including Meta and TikTok.

In Heidy Quah Gaik Li v Government of Malaysia, the Court of Appeal unanimously ruled that 'offensive' and 'annoy' in Section 233(1)(a) of the CMA 1998 violated Articles 8 (equality) and 10 (freedom of speech) of the Federal Constitution, finding the terms so vague that any speech could be criminalised if one person finds it offensive. The ruling was subsequently appealed by the government.

After Parliament passed the Online Safety Bill in December 2024, the Act received Royal Assent on 6 May 2025 and was published in the Federal Gazette on 22 May 2025. It is Malaysia's first standalone online safety statute, applying extraterritorially to any platform accessible in Malaysia regardless of where it is based.

Mandatory class-licensing for social media and internet messaging platforms with 8 million or more Malaysian users took effect. ByteDance (TikTok) and Tencent (WeChat) were the first to obtain licences; Meta's platforms, X, Telegram, and YouTube were initially non-compliant, risking fines up to RM 500,000 or five years' imprisonment under Section 126 of the CMA.

Passed by a narrow margin of 59 to 40 votes, the CMA amendments substantially expanded MCMC's powers to order platform content removal, compel user-data disclosure without a court order, and suspend licences for non-compliance. Civil society groups including ARTICLE 19 and Amnesty Malaysia condemned the law as incompatible with Article 10 of the Federal Constitution and the CMA's own Section 3(3) no-censorship pledge.

Malaysia's first standalone cybersecurity legislation came into force, establishing a National Cyber Security Committee chaired by the Prime Minister, mandatory annual risk assessments and 6-hour incident-notification requirements for National Critical Information Infrastructure (NCII) entities across 11 sectors, and a licensing regime for cybersecurity service providers administered by NACSA.

Amendments to the Communications and Multimedia (Licensing) (Exemption) Order 2000 removed the licensing exemption for social media and internet messaging platforms with 8 million or more Malaysian users, giving platforms five months — until 1 January 2025 — to obtain a class licence from MCMC. This was Malaysia's first direct licensing requirement targeting major global online platforms.

The Federal Court found independent online news portal Malaysiakini guilty of contempt of court for failing to remove reader comments critical of the judiciary, imposing a fine of RM 500,000. The landmark case tested online intermediary liability under Malaysian law and was widely condemned by press-freedom organisations as a precedent that could hold publishers responsible for third-party user content.

The Evidence (Amendment) (No. 2) Act 2012 inserted Section 114A into the Evidence Act 1950, creating a rebuttable presumption that any person whose name appears on an online publication, or who owns or controls the device from which a publication originates, is deemed to have published the content. The law prompted an 'Internet Blackout Day' protest and was criticised internationally for inverting the presumption of innocence.

The CMA 1998 (Act 588) replaced the Telecommunications Act 1950 and Broadcasting Act 1988 with a single technology-neutral framework, establishing the MCMC as Malaysia's converged communications regulator. Section 3(3) explicitly stated that 'nothing in this Act shall be construed as permitting the censorship of the Internet', honouring MSC Malaysia's Bill of Guarantees; Section 233 simultaneously made offensive, false, or menacing online communications a criminal offence.

The Computer Crimes Act 1997 (Act 563) received Royal Assent on 18 June 1997 and was gazetted on 30 June 1997, criminalising unauthorised computer access, access with intent to commit further offences, and unauthorised modification of computer contents. Modelled on the UK Computer Misuse Act 1990, it was among the earliest cybercrime laws in Asia and was enacted as a cornerstone of the Multimedia Super Corridor (MSC) cyber-law package.