It appears that Malaysia aims to regulate data centres (DC) and cloud service providers (CSP) as early as next year via the Malaysian Communications and Multimedia Commission (MCMC). However, the proposed move has raised concerns as the relevant industry players and associations were not properly consulted on the matter. Similar to the ongoing cabotage issue, the move may potentially put MyDigital goals at risk.
As reported by The Vibes last week, the Communications and Multimedia Ministry aims to regulate DC and CSP from 1st January next year as part of the government’s digital push. They were told by the MCMC that the current Communications and Multimedia Act (CMA) 1998 provided an exemption for web hosting and client-server providers from being licensed. However, due to the current focus towards digitalisation, the MCMC said there’s now a need to regulate DC and CSP to ensure quality and consumer protection in terms of privacy and security as well as operational governance.
Why the need to regulate?
As demand for cloud solutions and services continues to grow, the Malaysian government felt there was a need to strengthen the digital ecosystem with a regulated environment. Under the MyDigital plan, the government aims to migrate 80% of its data to a hybrid cloud system by the end of 2022.
It is said that the objective of regulating DC and CSP is to provide complete regulatory oversight via licensing over the whole chain of networks from service providers to end-users. As a result, any introduction of policies and best practices can be better addressed as it will be able to take into consideration the interests of both service providers and consumers.
Licensing concerns from the industry
With about 6 months left in the year, the MCMC has not conducted a public consultation session with the respective stakeholders and it seems that the government is bulldozing this policy through. According to an industry source close to the matter, without clear guidelines, the move to regulate may deter foreign players from investing in Malaysia and this may impact the growth of the digital economy.
If DC and CSP are to be licensed under the MCMC, this means they would be required to contribute a portion of their revenue to the Universal Service Provision (USP) Fund like any other telco. The USP funds are typically used to improve connectivity in underserved areas which include erecting new mobile towers or deploying fibre connectivity.
A major concern is that the MCMC license may require all data centres and CSP to comply with search and seizure orders by law enforcement agencies. If this is true, international players may not be keen to comply with such demands.
The industry source also questioned if the current CMA 1998 is legally able to cover data disclosures as SOPs for law enforcement agencies come from different Acts and mandates. It isn’t clear if the Attorney General’s Chambers has been consulted on the approach.
It is also speculated that the new regulation may potentially require a minimum bumiputra shareholding for any foreign player to invest in Malaysia. However, the requirement isn’t clearly stated in the CMA 1998.
An industry source also said that most countries do not regulate or license their data centres and cloud services sector. In Indonesia, it is said that the Government Regulation No. 71 of 2019 (GR71/2019) and Minister of Communication and Informatics (MOCI) Regulation No. 5 of 2020 (MR5/2020) do not actually regulate the industry but provide clarity and processes to streamline the gaps.
The industry players hope that the MCMC will initiate a proper consultation with all stakeholders and ensure that the regulatory oversight complies with industry best practices.