When Malaysia's Communications and Multimedia Commission (MCMC) served TikTok with a statutory demand under Section 39 of the Online Safety Act 2025 (ONSA) on May 21, 2026, the incident that triggered it was genuinely serious. An account falsely linked to King Sultan Ibrahim was spreading AI-generated videos and manipulated images across TikTok — content MCMC described as "grossly offensive, false, menacing and insulting in nature." This was not a grey-area judgment call about acceptable political speech. It was AI-assisted impersonation of a sitting head of state, and TikTok had been warned through three separate regulatory engagement sessions without providing satisfactory numerical data on what it was doing to stop it.
The demand is the first visible enforcement action under the ONSA, which entered into force on January 1, 2026 after passing Malaysia's parliament in December 2024. It is worth understanding what it requires — and what it risks normalizing.
What Section 39 Actually Does
Section 39 of the ONSA gives MCMC authority to issue a statutory demand when a licensed service provider fails to meet its prescribed duties. Non-compliance can result in a financial penalty of up to RM10 million, recoverable as a civil debt. The Act applies to platforms with eight million or more Malaysian users, a threshold that captures TikTok, Facebook, Instagram, WhatsApp, YouTube, and Telegram — all automatically deemed licensed as of January 1, 2026.
The ONSA's underlying architecture is system-based, not speech-based. It does not criminalize individual users or target specific posts in the first instance. Instead, it imposes governance obligations on platforms: conducting annual harmful-content risk assessments, maintaining user reporting mechanisms, implementing proportionate moderation systems, and publishing online safety plans. The Act explicitly excludes private messaging from its principal obligations — a meaningful concession to communications privacy that distinguishes the Malaysian framework from blunter regional alternatives.
This design philosophy aligns Malaysia more closely with the EU's Digital Services Act than with simple national content-licensing regimes. The Act sets outcome targets and gives platforms flexibility on implementation methods. The Risk Mitigation Code, which took effect June 1, 2026, extends this logic: it requires labeling of synthetic and manipulated media — addressing AI-generated content at the design layer rather than solely through post-hoc removal. That is a legitimate regulatory design choice worth preserving.
The Case for the Demand
Before interrogating the remedy, the harm must be taken seriously. AI-generated deepfakes impersonating heads of state pose risks distinct from ordinary harmful content: they are harder to identify as synthetic, they exploit the virality mechanics of short-form video platforms, and — in Malaysia's constitutional context, where the monarchy carries significant legal and social weight — they carry real destabilization potential.
The MCMC's own enforcement record provides context. Between January and August 2025, MCMC requested removal of 86,732 TikTok videos and recorded an 86% compliance rate — meaning 10,730 flagged videos were not removed. The impersonation content at issue persisted despite three rounds of prior regulatory engagement, and Communications Minister Fahmi Fadzil publicly warned of potential legal action as early as September 2025. A statutory demand — with its formal documentation trail and civil recovery mechanism — is a measured escalation, not an overreach. On the specific facts, the MCMC's response is defensible.
The Headcount Problem
Where the demand becomes analytically concerning is in what it requires of TikTok going forward. Beyond removing the specific content, TikTok must file a formal moderation plan with measurable headcount commitments — including specific numerical data on Tamil-language and Malay-language moderators reviewing TikTok Live and short-form content.
Headcount is the wrong unit of measurement for platform safety outcomes. A platform with 500 trained moderators using well-calibrated AI-assisted detection tools may remove harmful content faster and more accurately than a platform with 2,000 undertrained human reviewers. Malaysia's own enforcement data illustrates the disconnect: that 86% removal rate suggests TikTok's infrastructure responds reasonably to formal MCMC requests — the failure is on the front end, detecting and acting on content that never enters the formal request pipeline at all. More Tamil-language moderator headcount, reported as a number, does not fix that detection gap.
Mandating specific moderator counts by language creates a compliance checkbox that TikTok can satisfy without demonstrably improving safety outcomes. It also establishes a template where regulators, in future enforcement cycles, can demand staffing data as a control lever over content categories that may extend well beyond AI impersonation.
The Broader Enforcement Aperture
Malaysia's ONSA operates over a landscape shaped by the country's long-standing legal sensitivity around the "3Rs" — race, religion, and royalty. These categories have historically been enforced through Section 233 of the Communications and Multimedia Act 1998, which criminalizes communications deemed "obscene, indecent, false, menacing, or offensive." The same CMA 1998 framework is cited alongside the ONSA in the TikTok demand itself. In 2023, Malaysia topped global government TikTok content removal requests with 2,202 demands covering more than 6,000 pieces of content — a 29-fold increase from the year before, largely targeting 3R-adjacent material.
The ONSA's Risk Mitigation Code explicitly designates electoral periods as "situations of heightened risk," requiring platforms to implement additional safeguards during elections. This is a reasonable safety provision in isolation — but its interaction with Malaysia's contested political media environment warrants scrutiny. Civil society observers have consistently noted that content takedown regimes, even when individually justified, can be operationalized to suppress legitimate political commentary as election cycles approach.
This does not invalidate the May 21 enforcement action — AI deepfakes of the King are not political commentary. But the enforcement template being built here will be available for uses that are less clearly bounded.
What Good Looks Like
The ONSA has genuine architectural strengths: its system-based approach, its exclusion of private messaging, its proportionate penalty ladder, and its allowance for platforms to propose alternative compliance measures. What would strengthen the framework is an explicit shift from headcount commitments to verifiable outcome metrics — removal rates measured against the ONSA's own mandatory timeframes (priority harmful content must be made inaccessible within 24 hours; other harmful content within four hours), AI-generated content detection error rates, and mandatory transparency reporting against MCMC's takedown request data.
These are measurable, technology-agnostic, and directly connected to the harms the Act identifies. They are also harder to game than a staffing spreadsheet.
The MCMC's first Section 39 action was proportionate on the facts it confronted. Whether it remains proportionate as the enforcement template expands will depend on whether the Commission measures what actually matters — and resists the administrative comfort of counting heads.