Malaysia readies AI-era legal overhaul for contracts, evidence, and cyber crime
Malaysia is moving on a wide set of legal and policy updates to keep pace with AI. Digital Minister Gobind Singh Deo outlined new bills, revisions to legacy statutes, and guidance that will touch investigations, contracts, data protection, and online safety.
Responding to a query from Roy Angau Gingkoi (GPS-Lubok Antu), he confirmed work on a risk-based framework and a dedicated AI governance bill to set clear duties for developers, deployers, and operators across sectors.
Core legislative moves
Cyber Crimes Bill: The National Cyber Security Agency (NACSA) is drafting a replacement for the Computer Crimes Act 1997. The bill will address deepfakes and other AI-enabled offenses that threaten trust and public safety.
Evidence and contracts: Putrajaya is reviewing the Evidence Act 1950 and the Contracts Act 1950 to clarify how AI affects contract formation and execution, and how digital content, including manipulated media, should be treated as evidence.
Cyber Security Act 2024 and Online Safety Act 2024: These will be used to curb harmful content and protect critical digital infrastructure.
Governance and policy direction
Data protection and ADM: Authorities will enforce data processor duties under the Personal Data Protection Act 2010 and issue guidelines on automated decision-making and profiling. See the Personal Data Protection Department for current obligations under PDPA.
AI governance bill (draft): A cross-sector bill is in development to manage risks and embed responsible practices.
National Artificial Intelligence Office: Preparing a proposal for an AI regulatory framework covering risk classes, harms, incident reporting, and ethical principles. The intent is a risk-based approach that sets clearer expectations without freezing useful innovation.
What government and legal teams should do now
- Map exposure: list AI use cases across your agency or company (procurement, analytics, citizen services, HR, investigations) and identify where decisions are automated or materially influenced by models.
- Update contracts: add AI-specific clauses on training data provenance, model and vendor warranties, audit and logging rights, bias testing, security controls, and incident notification timelines.
- Evidence readiness: create SOPs for deepfake detection, source verification, and chain-of-custody for synthetic and mixed-media exhibits. Document tools, thresholds, and expert qualifications.
- ADM governance: require impact assessments for automated decisions that affect rights or benefits. Define review, contestability, and human escalation paths.
- PDPA compliance: refresh data processing agreements; clarify processor/sub-processor roles, cross-border transfers, and retention for model training and fine-tuning.
- Risk classification: categorize AI systems by use and harm potential. Tie controls (testing, monitoring, human oversight) to the risk level.
- Incident playbook: set triggers for AI-related incidents (model drift, harmful outputs, data leakage), reporting routes, and disclosure windows to align with expected regulatory requirements.
- Security integration: align AI systems with your CSIRT and vulnerability management processes; require logging that supports forensic reconstruction.
- Procurement checks: add AI-specific due diligence to vendor onboarding, including security posture, model lineage, evaluation results, and red-teaming summaries.
- Training: brief legal, procurement, audit, and security teams on deepfakes, ADM rules, and PDPA processor duties to speed compliance once the bills land.
What to watch
The text of the Cyber Crimes Bill and the AI governance bill will set the real compliance bar: offense definitions, thresholds for "high-risk" systems, audit requirements, and penalties. Expect more detailed guidance on profiling, explainability, human oversight, and evidence handling for manipulated media.
Practical next step: run a short gap assessment against the points above and begin updating your playbooks and templates. That prep work will save months once the bills are tabled.