ARTICLE 19 is concerned about the threat that the Malaysian Cyber Security Bill 2024 presents to the right to freedom of expression online as well as to media and broadcast organisations in Malaysia. Any legislation on ‘cybercrime’ must fully comply with international human rights standards, in particular those on the right to freedom of expression and privacy.
On 3 April 2024, the upper house of the Parliament (Dewan Negara) unanimously passed the Cyber Security Bill 2024 after the third reading. On 27 March 2024, the Dewan Rakyat, the lower house of the Malaysian Parliament, passed the Bill after its second reading. The Bill was tabled for the first reading on 25 March 2024, in a surprise move to civil society. The speedy passing of such a problematic law reflects the Malaysian government’s poor commitment to upholding freedom of expression. Next, upon assent by the King (Yang di-Pertuan Agong), the law will take effect once it is published in the Government Gazette.
ARTICLE 19 is gravely concerned about the speedy passing of the Bill, as it will be a mechanism for government censorship of online expression. It will give the government unaccountable control of computer-related activities, as well as nearly unlimited search and seizure powers. Its criminal provisions do not require any actual intent to violate, effectively introducing many strict liability offences. As such, it is part of the alarming regional trend toward increasingly repressive cyber security regulations, which must be reversed.
Against the backdrop of existing censorship and an increasingly repressive environment for journalists, human rights defenders, and land rights defenders in Malaysia under the Communication and Multimedia Act 1998 (CMA), the broad language of the Bill will likely be abused to further restrict online freedom of expression and dissent in the country.
In our analysis, ARTICLE 19 points out the following issues:
- The Bill will create a system for broad control of digital services in Malaysia. Although labelled as a ‘cybersecurity’ instrument, it fails to be narrowly tailored to address data breaches causing serious harm, and it does not resemble other computer-related legal instruments. The Bill deems “communications”, and hence the media, to qualify as “critical information infrastructure” that are potentially subject to disproportionate reporting and regulation under threat of criminal sanctions.
- The broad scope of key terms under the Bill could capture journalistic activities and target whistleblowers. The Bill would conflate any disclosure of information in the public interest with the intentional infringement of security measures with dishonest intent. The framing of “cyber security” includes the phrase “unauthorized access” to a computer. A “cyber security incident” could therefore describe journalistic activities such as reporting on “unauthorized” leaked evidence of corruption provided by a whistleblower. It can even imperil cybersecurity researchers and professionals doing routine pen testing to actually improve network security. Such a concern is far from hypothetical; journalists in Malaysia have previously faced harassment for publishing evidence from whistleblowers in the public interest.
- The Bill would require prior licensing of a wide range of expressive activities. Anyone providing “cyber security services” in Malaysia will require pre-approval under arbitrary standards subject to change or revocation at any time under threat of up to ten years imprisonment. The scope of “cyber security services” is vague and goes well beyond any common conception of the phrase. It would require licensing those who exercise their right to expression by publishing or distributing source code online in the public interest, engaging in academic research, or disseminating free digital security tools to journalists and human rights defenders.
- The Bill will provide for search and seizure powers not subject to judicial or other independent review. The chief executive of the Committee may appoint anyone to be a so-called “authorized officer” with the same powers as police. These powers include the ability to execute searches and seizures of persons and places without any need for a warrant. While it might appear at first that the Bill requires such warrants, it provides a broad exception that an authorized officer can skip obtaining a warrant so long as they claim (without independent checks or other review) there is “reasonable cause” for not needing one. Further, the “Chief Executive” established under the Bill may issue production demands with no warrant requirement.
These broad powers are particularly concerning as Malaysia has seen an increasingly repressive climate in recent years. 444 cases had been opened under CMA Section 233 from 2020 through January 2023, including 38 prosecutions, 31 convictions, and several ongoing trials. ARTICLE 19 has previously warned that the CMA is often combined with other criminal laws to levy severe criminal sanctions as an intimidation tactic to chill freedom of expression. There has also been an alarming use of police powers against online expression, including against journalists, in recent years. These include:
- In August 2020 authorities raided Al Jazeera’s office and seized two computers. Numerous journalists of the outlet also faced police questioning and investigation.
- In February 2021, Fahmi Reza was charged twice under Section 233 of CMA for publishing satire; the charges eventually led to acquittal. As part of the investigation, police seized his laptop and smartphone.
- In February 2023, two secondary school students were arrested and detained for criticising history exam papers via a TikTok video.
- In January 2024, two filmmakers, Tan Meng Kheng and Khairi Anwar Jailani, were criminally charged for producing the film Mentega Terbang; members of the cast and crew were summoned by the police.
ARTICLE 19 further questions the necessity of the Bill when nations are debating an international convention on cybercrime at the UN level, in a process Malaysia is actively participating in. While ARTICLE 19 and numerous human rights organizations have taken serious issue with the UN negotiations and current draft text of the proposed convention, we note that the Bill falls far short of even that standard.
ARTICLE 19 believes the Bill to be unnecessary and flawed in its current state. We urge the government to withdraw the Bill before the royal assent to address the shortcomings identified above to ensure the compatibility of any cybercrime legislation with international standards of freedom of expression. We also encourage the proposal to be tabled in anticipation of any outcomes of the ongoing UN cybercrime convention negotiations. We stand ready to provide further assistance in this process.
We repeat our urgent call for Malaysia to renew its commitment to human rights by signing and ratifying the International Covenant on Civil and Political Rights (ICCPR) and other major international human rights treaties, and to repeal or amend all laws restricting freedom of expression in Malaysia.
For further information
Nalini Elumalai, Senior Malaysia Programme Officer [email protected]