Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations (ASEAN) [UNCTAD/DTL/STICT/2013/1]


[ Galexia Dots ]

In Brief


Malaysia boasts a comprehensive suite of e-commerce laws in place, based on a combination of the Electronic Commerce Act 2006 and the Electronic Government Activities Act 2007. With the introduction of the Personal Data Protection Act in 2010, Malaysia also became the first ASEAN member country to pass privacy legislation. The Government considers that some provisions of its e-commerce legislation may need to be updated in view of technological change and the emergence of social networking and mobile applications.

Malaysia has a very high number of mobile subscriptions per 100 inhabitants (127 in 2011), and is also equipped with a moderate level of fixed broadband connectivity. Overall Internet use in Malaysia stood at 61 per cent of the population in 2011, one of the highest rates in the region.

Electronic transactions law

The Electronic Commerce Act 2006 is the key source of electronic commerce regulation for the private sector. It is complemented by the Electronic Government Activities Act 2007, which applies similar rules to the public sector. The Electronic Commerce Act 2006 closely mirrors the United Nations Electronic Communications Convention.

Malaysia also has specific legislation for digital signatures – the Digital Signature Act 1997. The legal framework of the Act was strengthened to encourage future use, by way of the Digital Signature (Amendment) Act 2001. In addition, the Electronic Commerce Act 2006 contains broad (technology-neutral) provisions on electronic signatures.

Consumer protection

Malaysia’s general consumer legislation, the Consumer Protection Act 1999 protects consumers against a range of unfair practices and enforces minimum product standards. Recent years have seen amendments made to the Act – in 2007 to widen its scope to cover electronic commerce transactions and in 2010 to introduce, among others, a new provision on general safety requirement for services and the protection to consumers from unfair terms in a standard form contract.

Malaysia has also introduced Consumer Protection (Electronic Trade Transactions) Regulations 2012, to be enforced in 2013. These Regulations impose certain obligations on online traders and online marketplace operators, with the objective to increase the consumers’ confidence to shop and trade online, which will further spur the growth of e-commerce in the country.

There are also some limited consumer provisions incorporated into part 8 of the Communications and Multimedia Act 1998. Part 8 deals with the relationship between consumers and licensees under the Act, and applies regardless of whether the transaction is electronic or not. Subsection 188(1) provides that all licensed service providers must deal reasonably with consumers and adequately address consumer complaints. Part 8 also contains provisions on the handling of consumer complaints.

A voluntary consumer protection code has also been created in accordance with the provisions of the Act. It deals with the provision of information to consumers, the handling of personal information and complaints handling.

Privacy and data protection

The Personal Data Protection Act 2010 covers the private sector only – government agencies are exempt. The Personal Data Protection Act 2010 closely mirrors the principles in the European Union directive, with some variations that appear to adopt parts of the APEC Privacy Framework. However, the Act does not contain any European Union style registration requirements.

A new government department has been established to facilitate the implementation of Malaysia’s Personal Data Protection Act – the Personal Data Protection Department.

The Act came into full force on 1 January 2013.

Online content regulation

The Communications and Multimedia Act 1998 established the Malaysian Communications and Multimedia Commission (MCMC),[2]8 which is empowered to regulate the information technology and communications industries. The Act empowers the Commission with broad authority to regulate online speech, providing that “no content applications service provider, or other person using a content applications service, shall provide content which is indecent, obscene, false, menacing, or offensive in character with intent to annoy, abuse, threaten or harass any person”. Publishers of media content in violation of this provision may face criminal penalties.

The Act also enabled the establishment of the Communications and Multimedia Content Forum of Malaysia[2]9, which formulates and implements the Content Code – voluntary guidelines for content providers concerning the handling of content deemed offensive or indecent.

In practice, the Malaysian Government has pledged not to censor the Internet. There is no evidence of technological Internet filtering in Malaysia. However, state controls on traditional media spill over to the Internet at times, leading to self-censorship and occasional investigation of bloggers and online commentators.

Cybercrime and cybersecurity

The Computer Crimes Act 1997 prohibits 4 categories of activities related to unauthorized entry into computer systems, which are:

  • Section 3: acts committed with intent to secure unauthorized access to programs or data stored in any computer;
  • Section 4: acts committed with intent to secure unauthorized access to programs or data stored in any computer in order to commit an offence involving fraud or dishonesty;
  • Section 5: acts committed with the knowledge that the act will cause unauthorized modification of the contents of any computer;
  • Section 6: wrongful communication of any password, code or means of access to a computer to any person who is not authorized to receive the same.

These provisions are more aligned with computer crimes, rather than cybercrimes. However, provisions contained in e-commerce laws and copyright laws (updated and amended in 2012) complement Malaysia’s cybercrime legislation and make it more compatible with international standards.

Online dispute resolution and domain-name regulation

Three sections have been incorporated into Malaysia’s Communication and Multimedia Act to deal with the regulation of domain names.

Section 179 of the Act specifies that the MCMC is responsible for the planning, control and administration of electronic addresses (i.e., domain names). Section 180 gives the MCMC the power to develop a numbering and electronic addressing plan, which among other things sets out the rules for assigning and transferring electronic addresses.

The functions contained in sections 179–181 appear to be delegated to MYNIC, the registrar of Malaysia’s country code top-level domain (ccTLD). In addition to acting as registrar, MYNIC is the registry and administrator of the .my domain.

During the workshop in Cebu, delegates mentioned that the government faces some challenges with the coordination of law and policy in this field, as they have four different agencies with a role in the promotion of e-commerce.

[28] Malaysian Communications and Multimedia Commission,

[29] Communications and Multimedia Content Forum of Malaysia,