Legal Issues for Application Service Providers

Background
Content Liability
Security
Licensing Framework

Background

Malaysia is no different from other countries as its IT-intensive businesses (especially small to medium-sized enterprises) struggle to determine the most suitable IT solutions for their businesses in the face of an ever-increasing array of products. This factor, coupled with the difficulty in finding and keeping skilled IT personnel to operate and maintain IT solutions business experience, has contributed to the emergence of application service providers (ASPs) in Malaysia.

This update outlines the most salient legal issues that ASPs should consider before providing application services in Malaysia.

The Malaysian ASP market is still in its infancy and, as such, ASP contracts are usually vague unless the providers are established foreign players in the industry. Best practices in the industry have yet to emerge. Contracts are seen as the primary damage limitation mechanism for the ASP services vendor.

In determining the type of damage limitation mechanisms that should be incorporated into its service contracts, the ASP vendor should consider the following issues.

Content Liability

ASPs in Malaysia must recognize the potential risks and liabilities associated with hosting and transmitting their customers' data. It would be virtually impossible to monitor the millions of bits of data that are generated and channelled daily through an ASP's network by their customers. The law regarding the liability of online intermediaries is still uncertain in Malaysia. There is no decided case law to determine whether online service providers (under which some application services such as internet data centre facilities or application hosting services would fall) are liable for unwittingly transmitting or hosting illegal, offensive or objectionable content generated by the customer.

Unlike the legal position adopted in the United States, Singapore or Australia, Malaysian law has yet to provide expressly for a defence or exemption from liability for innocent online intermediaries for transmitting or hosting content that is defamatory or seditious, or infringes IP rights. In particular, ASPs that host applications which are content and data-intensive should be aware of potential liabilities arising out of offences stipulated in the following legislation:

• the Printing Presses and Publications Act 1984;

• the Defamation Act 1950;

• the Sedition Act 1948;

• the Communications and Multimedia Act 1998;

• the Copyright Act 1987;

• the Trade Marks Act 1976;

• the Betting Act 1953;

• the Internal Security Act 1960;

• the Common Gaming Houses Act 1953;

• the Penal Code; and

• the Computer Crimes Act 1997.

For example, under Section 211 of the Communications and Multimedia Act 1998 a provider or user of a 'content application service' (defined as an application service which provides content) is prohibited from providing material that is indecent, obscene, false, menacing or offensive in character with intent to annoy, abuse, threaten or harass any person. Contravention of this provision attracts a maximum fine of M$50,000 and/or one year's imprisonment. A further fine of M$100,000 per day is payable if the offence continues after conviction.

While Section 211 provides the overarching standard in relation to content, the regulatory trend is moving towards industry self-regulation. Towards this end, the Malaysian Communications and Multimedia Commission (MCMC) has designated an industry body to be the content forum for the preparation of a Content Code.

Among other things, the Content Code is intended to address:

• restrictions on the provision of unsuitable content;

• the methods of classifying content;

• the procedures for handling public complaints and reporting information about complaints to the MCMC;

• the representation of Malaysian culture and national identity;

• public information and education regarding content regulation and technologies for end user control of content;

• other matters of public concern; and

• model procedures for dealing with offensive or indecent content.

As reported by the local media in August 2001, the Content Code is anticipated to be published in September 2001 and is expected to be registered with the MCMC by the end of 2001. In formulating the code, the Communications and Multimedia Content Forum has been reported to be looking into issuing 'innocent carrier status' for internet access service providers or web-hosting service providers that may not be responsible for the creation of content which is deemed to be indecent or offensive. ASPs whose services generate or transmit a high volume of data would be advised to comply with the Content Code once it is registered, in order to enable the ASP to be better protected against serious offences such as defamation or sedition. While compliance with a registered content code is not mandatory, ASPs that conform with the code are provided with a defence under Section 98(2) of the Communications and Multimedia Act against any prosecution, action or proceeding regarding a matter dealt with in the code.

Security

Internet access providers, voice-over internet protocol service providers and messaging service providers are some examples of application services that are commonly found in the Malaysian ASP sector. These providers should be mindful of Section 234 of the Communications and Multimedia Act. This provision prohibits the interception of communications, disclosure of the contents of intercepted communications and use of the same by ASPs (among others) unless they are necessary for the rendering of their services or the protection of the rights or property of the service provider.

This provision is likely to cover cases where an ASP hires a third party to intercept deliberately the data in its network to test the integrity of its security system. However, Section 234(4) expressly prohibits ASPs from observing or conducting random monitoring of communications transmitted through their services unless it is for monitoring mechanical or service quality control checks. A breach of Section 234 is a criminal offence punishable by a maximum two years' imprisonment and/or a fine of M$100,000.

Licensing Framework

The common meaning of 'application service provider' includes the outsourcing of software applications and the provision of internet access services. However, the term has a different meaning under the Communications and Multimedia Act. The act specifies the types of application service that require a licence before they can be legally provided in Malaysia. Under the Communications and Multimedia (Licensing) (Exemption) Order 2000, application services such as interactive and electronic transaction services are exempt from the act's licensing requirement. 'Interactive transaction service' is defined as "an electronic transaction service that involves end user interaction and where information may be customized according to end-user specifications", while 'electronic transaction service' is defined as "an application service which utilizes network services and information processing to conduct and achieve or support end user or third-party transactions".

ASPs that require an individual licence under the Communications and Multimedia Act (Overview (November 2000)) are subject to standard licence conditions which include a requirement that the licensee comply with foreign investment restrictions in Malaysia. The permitted level of foreign investment in a Malaysian company is 30%; anything more usually requires approval from the Foreign Investment Committee (FIC).

However, in its efforts to promote the development of Malaysia into an IT hub, the government has granted a general exemption from the requirement of FIC approval for companies that are eligible for Multimedia Super Corridor (MSC) status. To apply for MSC status, the entity should be either a Malaysian-incorporated company or a branch of a foreign company registered with the Malaysian Registrar of Companies. A company seeking MSC status and eligibility must:

• be an intensive user of multimedia products and services;

• employ a substantial number of knowledge workers; and

• specify how it will transfer technology and/or knowledge to Malaysia, or otherwise contribute to the development of the MSC and the Malaysian economy.

MSC status may be an option worth considering for foreign-based ASPs, if the level of foreign investment contemplated in the local company exceeds 30%.

For further information on this topic please contact Sharon Suyin Tan at Zaid Ibrahim & Co by telephone (+603 257 9999) or by fax (+603 254 4888) or by e-mail ([email protected]).