Malaysia's communications regulator, the Malaysian Communications and Multimedia Commission (MCMC), released a public consultation paper on June 10, 2026, proposing 18 amendments to the Communications and Multimedia Act 1998 (CMA). The feedback deadline is July 10. Three proposals in particular should command close attention from platforms, legal practitioners, and civil society.
Three Proposals That Reshape the Enforcement Landscape
The consultation's headline item is a private right to sue for CMA breaches, independent of criminal proceedings. Under the current framework, enforcement runs almost entirely through MCMC or the Attorney General. The proposed amendment would allow any person who suffers loss or damage from a specified CMA offence to bring civil proceedings against the alleged offender — regardless of whether criminal charges have been filed or a conviction obtained.
Second, MCMC is seeking explicit statutory authority for undercover operations, providing a formal legal basis for deploying agent provocateurs during investigations. This is paired with a new sampling power: rather than examining each item in a seized collection individually, regulators could test a representative sample and extrapolate compliance status.
Third, the consultation proposes to refine the deemed-registration framework — clarifying which fees, penalties, and compliance obligations apply to platforms enrolled as Class Licence holders by operation of law rather than formal application.
Malaysia's Rapidly Layered Digital Regulatory Stack
The June 2026 proposals do not emerge in a vacuum. Malaysia has assembled substantial digital regulatory infrastructure at unusual speed over the past 18 months.
The Communications and Multimedia (Amendment) Act 2025 — passed in December 2024 and effective February 11, 2025 — already tightened the framework considerably. It changed the Section 233(1) content offence from "offensive" to "grossly offensive," raised the maximum penalty from RM 50,000 to RM 500,000 (with up to two years' imprisonment), added a spam prohibition under Section 233A, and introduced a limited civil right of action at Section 236A — but only for network sabotage and access device fraud, not CMA offences generally.
Simultaneously, a deemed-registration declaration took effect January 1, 2026, automatically enrolling platforms with 8 million or more Malaysian users — WhatsApp, Telegram, Facebook, Instagram, TikTok, and YouTube — as Class Licence holders under the CMA. The Online Safety Act 2025 also took effect that date, requiring licensed platforms to implement user safety tools and content reporting mechanisms, with fines of up to RM 10 million for non-compliance.
The Strongest Case for These Powers
Proponents of the new enforcement tools have a credible argument. Malaysia faces acute online harms that existing criminal and regulatory pathways struggle to address at scale: financial fraud over digital channels has caused severe losses to ordinary Malaysians, and MCMC's enforcement resources are finite. A private right to sue in appropriate cases gives victims a direct route to compensation that does not depend on prosecutorial priority. Undercover operations and sampling powers are standard investigative tools in most comparable jurisdictions for organised cybercrime. The deemed-registration refinements address a genuine gap — clarity about what compliance means for platforms that did not choose to register.
Where the Architecture Creates Risk
The problem is not the goals; it is the architecture.
The private right to sue, as described in the consultation, is not scoped to fraud or access device abuse. It extends to any specified CMA offence. Section 233 has historically been the statute most frequently used against critics, journalists, and civil society in Malaysia. A civil litigation pathway layered on top of that history could replicate the same chilling effect in the courts rather than the police station — at lower cost to the complainant and without the Attorney General's gatekeeping function.
This concern has particular force given the unresolved constitutional status of Section 233 itself. On August 19, 2025, the Court of Appeal unanimously ruled in Heidy Quah Gaik Li v The Government of Malaysia that the words "offensive" and "annoy" in the pre-amendment Section 233(1)(a) were unconstitutional — finding they "lacked objective standards, were overly broad, and risked arbitrary enforcement" in breach of Articles 8 and 10 of the Federal Constitution. The government obtained Federal Court leave to appeal in November 2025; that appeal is unresolved. The 2025 Amendment Act substituted "grossly offensive" for "offensive," but that language is untested in court. Extending a private right of action to Section 233 offences before this constitutional uncertainty is settled is a structural risk the consultation paper does not acknowledge.
The undercover operations proposal similarly lacks articulated limits. Authorising agent provocateurs without explicit requirements for judicial prior authorisation, proportionality thresholds, or minimum offence-severity triggers — in a jurisdiction where communications law has been applied against peaceful activists — is precisely the kind of open-ended power that invites mission creep.
The Deemed-Registration Gap
The deemed-registration refinement is the consultation's most procedurally sensible proposal, but it surfaces a deeper problem: the consultation focuses on procedural clarity — fees, penalties, obligations — without revisiting the substantive content standards that deemed licensees must actually enforce. Without clear, published, and appealable standards for what a CMA-compliant content governance policy looks like, platforms are pushed toward over-removal as the safest compliance posture — an outcome that harms users without benefiting regulators.
What Stakeholders Should Push For
The July 10 deadline is a genuine opportunity for substantive engagement. Three specific reforms would meaningfully improve the package:
- Scope the private right to sue to offences involving concrete, measurable harm — fraud, access device abuse, extortion — rather than the full Section 233 catalogue.
- Require judicial prior authorisation for undercover deployments, with minimum offence-severity thresholds articulated in statute rather than left to administrative discretion.
- Publish substantive content standards for deemed licensees — clear, reviewable benchmarks that reduce the structural incentive to over-remove.
Malaysia's ambition for a CMA that is "relevant, clear, effective and fit-for-purpose" — MCMC's own framing — is achievable. The current package, however, extends enforcement reach before sharpening substantive precision. That ordering is where proportionate regulation tends to go wrong.