On 22 May 2026, the Malaysian Communications and Multimedia Commission (MCMC) published two codes under the Online Safety Act 2025 (Act 866): the Child Protection Code (CPC) and the Risk Mitigation Code (RMC). Both take effect on 1 June 2026. Together they require large platforms to block under-16s from registering for social media, verify ages against government records, label manipulated content, vet advertisers, and tighten content-removal systems — with non-compliance penalties of up to RM10 million.
The strongest case for the codes
Malaysia's concern is not invented. The Online Safety Act was passed in response to a documented rise in cyberbullying, sextortion, and AI-generated non-consensual imagery, and child sexual abuse material (CSAM) is a genuine harm that no serious analyst defends. The CPC's framing — "child-safety-by-design" and age-appropriate restrictions on high-risk features — borrows from a real policy consensus that products aimed at, or used by, children should be built with their vulnerabilities in mind. MCMC has also tried to leave room for flexibility: it describes the framework as outcome-based, lets providers choose how to meet duties, and has promised a "reasonable grace period" before enforcing the verification requirement. A regulator that wanted to be maximally coercive would not have done either.
What 1 June actually requires
The codes apply to the platforms already swept into Act 866's licensing net. Under the statute — which received Royal Assent on 6 May 2025 and came into force on 1 January 2026 — any internet messaging or social media service with at least eight million users in Malaysia is deemed an Applications Service Provider class licensee. That captures the major global platforms, not small forums.
The CPC's headline rule is that children under 16 may not register for social media accounts, and platforms must implement age verification against government-issued records — in practice, identity cards or passports — "in a manner that is secure, practical and respectful of users' privacy," per MCMC. The RMC layers on systemic obligations: risk assessments, content governance, reporting-and-response systems, advertiser verification, and labelling of manipulated (including AI-generated) content. These sit atop the removal timetables already set by Act 866's subsidiary regulations, under which priority harmful content such as CSAM and financial fraud must be made permanently inaccessible within one hour of confirmation, and other harmful content within twelve hours.
Where proportionality breaks
The problem is not the goal but the chosen instrument. Mandating identity-document checks as the gateway to lawful adult speech is a heavy tool for a child-safety problem, and it imposes costs on everyone, not just children. During MCMC's own consultation — open from 12 February to 31 March 2026 — industry respondents warned that tying access to government IDs raises privacy and cybersecurity risks and would exclude age-eligible adults who lack official identification or face accessibility barriers. Those objections are not special pleading. Centralising the upload of national IDs to global platforms creates exactly the kind of honeypot that breach after breach has shown to be unsafe, and it conditions ordinary speech on surrendering identity — a structural shift the open internet has historically resisted for good reason. A proportionate regime would treat ID verification as one option among several privacy-preserving age-assurance methods, not the default benchmark.
The takedown machinery and over-blocking
The second proportionality concern is the removal apparatus. A one-hour permanent-removal clock for confirmed priority content is defensible for CSAM, where the harm is unambiguous. But the broader "harmful content" category, paired with RM10 million penalties, creates a powerful incentive to over-remove. When the cost of leaving lawful content up is a multimillion-ringgit fine and the cost of taking it down is nothing, rational platforms will err toward deletion. Respondents to MCMC's consultation flagged precisely this: overly broad definitions could capture legitimate journalism and socially valuable expression — including survivors documenting their own abuse or bullying — and aggressive moderation risks over-blocking lawful speech. The RMC's manipulated-content labelling duty compounds the difficulty, because, as platforms noted, current detection tools cannot reliably identify all AI-generated material and labels can be stripped by bad actors. A mandate that outruns the available technology invites either compliance theatre or defensive over-enforcement.
A narrower path was available
None of this argues for inaction. It argues for matching the instrument to the harm. The pieces of these codes that target unambiguous, illegal content — CSAM removal, fraud takedowns, functioning reporting channels — are the parts most worth keeping and the parts platforms can implement without collateral damage to lawful speech. The pieces that condition all access on identity documents, and that threaten heavy fines against broadly defined "harmful" but lawful content, are where Malaysia risks trading an open, pseudonymous internet for marginal safety gains it has not demonstrated.
MCMC's promised grace period and outcome-based framing leave room to course-correct: accept multiple privacy-preserving age-assurance methods rather than ID-only checks, narrow the harmful-content definitions so journalism and survivor testimony are not caught, and calibrate penalties to bad-faith non-compliance rather than to the existence of any lawful-but-borderline post. Child safety and a free internet are not opposing goals. The codes that take effect on 1 June would serve both better if Malaysia kept the parts aimed at illegal content and reconsidered the parts that put a checkpoint in front of legal speech.