The Man-Hours Math Is a Policy Argument
When Malaysia's Communications Minister Fahmi Fadzil told Parliament on July 2 that MCMC had processed 345,712 harmful content takedown requests in the first six months of 2026 — requiring the equivalent of 19.7 years of staff working time — he framed it as a staffing problem. It is better understood as a design problem.
Averaging 30 minutes per takedown application, MCMC has functioned as a manual content arbiter for the Malaysian internet at a scale no government agency can sustainably maintain. Ninety-one percent of that load consisted of online gambling and scam-related content — material that is unambiguously harmful, unambiguously recurring, and being uploaded faster than any regulator can catalogue manually.
This is precisely the argument underpinning the Online Safety Act 2025 (ONSA, Act 866), which received Royal Assent on May 6, 2025, was gazetted on May 22, and entered force on January 1, 2026. The Act's core logic — shift primary duty from regulators to platforms — is validated by MCMC's own data. The question raised by July's regulatory developments is whether that logic will be applied proportionately as it extends toward private messaging.
What ONSA Actually Does
ONSA applies to Application Service Providers and Content Application Service Providers exceeding eight million Malaysian users, deeming them licensed under the Communications and Multimedia Act 1998 without requiring affirmative registration. This captures WhatsApp, Facebook, TikTok, YouTube, Instagram, and Telegram in a formal compliance regime for the first time.
Platforms must implement eight prescribed duties: reducing user exposure to harmful content, issuing user guidelines, providing safety tools, operating reporting mechanisms, protecting child users, and publishing Online Safety Plans. Response timelines are legally binding — priority content (child sexual abuse material and financial fraud) must be made inaccessible immediately and confirmed within one hour; standard harmful content within four to twelve hours. Penalties reach RM10 million for breaching statutory duties.
The case for steelmanning this approach is strong. Platforms have consistently shown that voluntary action on harmful content — particularly scam material — is inadequate when there is no legal consequence for inaction. Harris Zainul of Malaysia's Institute of Strategic and International Studies assessed ONSA as "a bold move," noting that platforms "showed their hand throughout the past year by not registering for a licence." The 91 percent scam-and-gambling concentration in MCMC's backlog supports the conclusion that the Act's priority categories are calibrated to genuine, large-scale harm rather than political convenience.
A Staggered Framework Now Reaching Full Force
ONSA launched with four subsidiary instruments on January 1, 2026 — covering fees, undertaking forms, appeals tribunal procedures, and response-period requirements. Two further regulations took effect on July 1: the Online Safety (Compounding of Offences) Regulations 2026 and the Online Safety (Online Safety Plan) Regulations 2026, completing the core enforcement architecture.
The Online Safety Plan regulations are the more significant of the two. They require platforms to document and submit risk management approaches, converting safety governance from a checkbox exercise into a live accountability mechanism that MCMC can examine and require revision of. Minister Fahmi's announcement that the commission is evaluating agentic AI to automate detection and filing — reducing the per-case burden from 30 minutes to a fraction of that — suggests MCMC expects the Plan framework to surface systemic patterns that manual review cannot track at scale.
The Private Messaging Consultation Is the Real Test
The more consequential development runs through July 20. MCMC opened consultation on June 19 on rules governing private messaging features — the last of ten planned subsidiary instruments and the one ONSA's drafters most carefully ring-fenced. In the Act's current form, private messaging features are explicitly excluded from its principal obligations. The Minister retains authority to extend the framework by regulation; this consultation exercises that authority.
The rationale for extension is understandable. If 91 percent of harmful content flows through ad-supported public surfaces, coordinated fraud also uses encrypted channels to recruit money mules and deceive victims. Regulators in the UK, EU, and Australia have all confronted the same dilemma. But the proposed scope demands scrutiny on two dimensions.
First, technical scope. Any obligation requiring platforms to scan or report on private message content is incompatible with end-to-end encryption — and end-to-end encryption is not a convenience feature but security infrastructure relied upon by journalists, activists, businesses, and abuse survivors. A compliance requirement that mandates content visibility into encrypted messages forces a choice between compliance and encryption that no global platform can resolve by jurisdiction.
Second, definitional scope. Freedom House's 2025 Freedom on the Net report rated Malaysia 60 out of 100 — "Partly Free" — and documented MCMC exercises of removal authority against political commentary alongside the scam content that dominates today's backlog. ARTICLE 19, the Centre for Independent Journalism, and Sinar Project collectively flagged that ONSA's "harmful content" definition is broad enough to reach speech international human rights law would protect, including content framed as promoting "ill-will" or "disturbing public tranquility." Extending those definitions into private messaging — where users have a heightened expectation of confidentiality — would represent a qualitative escalation the takedown statistics do not justify.
The Right Lesson From 19.7 Years of Backlog
MCMC's data makes the argument for platform accountability, and that argument is correct. ONSA's shift of moderation responsibility to platforms is the right structural response; its concentration on financial fraud and CSAM as priority categories reflects genuine harm calibration.
The private messaging regulations should be anchored to two principles: no requirement for decryption or backdoor access, and no extension of "harmful content" categories beyond the clearest cases — CSAM and provable financial fraud — into vague, speech-adjacent territory. The July 20 deadline is a narrow window for civil society, industry, and legal practitioners to shape rules that will govern private communication for millions of Malaysians.
Platform accountability and encryption integrity are not opposites. The private messaging consultation is where Malaysian law must prove they can coexist.