This article is an extract from Lexology Panoramic Next: Artificial Intelligence 2023. Click here for the full guide.
1 What is the current state of the law and regulation governing AI in your jurisdiction? How would you compare the level of regulation with that in other jurisdictions?
To date, Malaysia has not enacted specific legislation that regulates or deals specifically with AI. However, there are other existing pieces of legislation that may be broad enough to govern AI. As AI is premised very much on computer programming, provisions related to computer programs or programming within current laws could be construed to govern the operations and applications of AI.
Existing laws relating to data protection, intellectual property, contract, employment, product liability and computer crimes may apply to AI, though its complexity and applicability might give rise to debate. For example, in the context of copyright laws, as is often the case with AI, computer programs are involved in the creation of products or processes, which has given rise to issues concerning their creation and ownership as regards intellectual property laws, including patent and copyright. For completeness, some examples of existing statutes that are relied upon are the Personal Data Protection Act 2010 (PDPA), Consumer Protection Act 1999, Sale of Goods Act 1957, Contracts Act 1950 and the Computer Crimes Act 1997.
In terms of case laws relating to AI and its definition, so far, no response has been provided in this jurisdiction. Beyond legislation, the Ministry of Science, Technology, and Innovation (MOSTI) is establishing a set of artificial intelligence (AI) governance and code of ethics and government for AI, in conjunction with Universiti Teknologi Malaysia, representatives from government agencies, higher education institutions and industry participants. The code of ethics and governance is expected to form the foundation for AI regulations in the country and is expected to be ready by the first quarter of 2024.
On the global AI stage, Malaysia was ranked 44th in the Global AI Index. Further, according to a press release released by MOSTI on 14 December 2023, Malaysia’s ranking in the Government AI Readiness Index 2023 climbed to 23 and compared to 29th in 2022 out of 181 countries. Malaysia currently exhibits a comparatively lower adoption of explicit AI policies, frameworks or strategies in the East Asia region in contrast to nations such as the US, UK, Singapore, Japan, South Korea and China.
Despite the above, Malaysia is making strides in enhancing its AI implementation. Notably, within the ASEAN region, Malaysia has emerged as one of the frontrunners in this regard. However, like other countries, Malaysia requires further enactment and development of legislation and regulations to address the usage and implications of AI. The government has indicated they would propose changes to three pieces of legislation to facilitate AI, namely amending the PDPA, introducing a new cybersecurity bill and enacting the Omnibus Data Protection Act, which is intended to cover the government side largely and help regulate data portability between government agencies.
2 Has the government released a national strategy on AI? Are there any national efforts to create data sharing arrangements?
MOSTI initiated the National Artificial Intelligence Roadmap 2021–2025 (AI Roadmap) as a national strategy on AI, with the goal of cultivating an enduring AI ecosystem in Malaysia that supports employment, innovation, competitiveness and growth by 2025. MOSTI has been entrusted with establishing AI governance for AI, promoting research and development in the AI domain, and augmenting digital infrastructure to facilitate the integration of AI. The National Artificial Intelligence Roadmap 2021–2025 contains the Seven Principles of Responsible AI, which is a guideline for the development of trusted and responsible AI that can further protect the rights and privacy of individuals.
This AI Roadmap’s strategy relies on fostering a quadruple helix partnership, encompassing the government, academia, industry and society to propel collaborative progress. Regarding national initiatives to foster data sharing agreements, the AI Roadmap proposes the formulation of clear guidelines for data sharing within the government. This approach aims to facilitate the effective implementation of AI by providing a structured framework for sharing data resources.
The targets, among others, is to achieve a 100 per cent ministry-agencies implementation of data sharing collaboration. Malaysia also recently launched the Central Database Hub, branded as Padu, as the national repository of socioeconomic data, as part of a collaboration among the Ministry of Economy, the Department of Statistics, and the Malaysian Administrative Modernisation and Management Planning Unit, with the intention of housing comprehensive information on Malaysia citizens and permanent residents that can be accessed by all government agencies. The development of Padu is intended to allow for data-driven policymaking and decision-making while enabling targeted policy implementation to support accurate and transparent distribution of targeted subsidies and assistances in addressing socioeconomic issues at individual household level, under the Big Bold Targeted Subsidies.
3 What is the government policy and strategy for managing the ethical and human rights issues raised by the deployment of AI?
Currently, there are no dedicated legislation specifically addressing ethical and human rights concerns, including the technical and legal dimensions of algorithmic bias in AI deployment. Malaysia began piloting AI sentencing tools in two states, Sabah and Sarawak since February 2020. The Sabah and Sarawak courts’ have been aiming to move towards machine learning-based AI.
The impetus behind this push to utilise AI in the judicial system was to achieve greater consistency in sentencing, and to allow the courts to clear case backlogs efficiently, thus preventing stressful and lengthy legal proceedings. The AI tool is currently used for possession of drugs under section 12(2) of the Dangerous Drug Act 1952 (DDA) punishable under section 12(3) of the DDA. The algorithm analyses data from cases under this offence that are registered in Sabah and Sarawak between 2014 and 2019 and identifies patterns to be applied to present-day cases before producing sentencing recommendations that judges can choose to adopt or deviate from.
The Al requires critical information referred to as ‘parameters’ for analysis and to make recommendations on sentencing, such as the relevant statutory provision, age, employment and socio-economic data. This boils down to the purpose and object of AI (ie, to provide a recommendation based on selected parameters). The parameters of the AI are then made known to all users, magistrate and lawyers or stakeholders before the AI is implemented during the proceedings.
If the AI does not consider a certain aspect, the judge must factor that when deciding a sentence. At the end of the day, the ultimate sentence imposed by the judge should be one that is a result of an exercise of his or her discretion after taking into account all the surrounding relevant circumstances, in which the recommendation from the AI is merely one of them. In other words, the sentencing judge is not bound to follow the AI’s recommendation.
The judge is expected to recognise that sentencing requires human intuition and that not everything can be reduced into the form of data.
4 What is the government policy and strategy for managing the national security and trade implications of AI? Are there any trade restrictions that may apply to AI-based products?
The government’s strategy for managing national security implications of AI is twofold, namely through cybersecurity and border security.
With regard to cybersecurity, the Malaysian government, through the National Cyber Security Agency (NACSA), has initiated the Malaysia Cyber Security Strategy 2020–2024 to counter cyber threats and shape the future trajectory of cybersecurity in the country. NACSA, established under the National Security Council, is a dedicated agency overseeing all national cybersecurity functions. The comprehensive Malaysia Cyber Security Strategy 2020–2024 embodies the government’s vision to formulate a practical cybersecurity strategy, fostering a secure, trusted and resilient cyberspace while concurrently promoting economic prosperity and citizen well-being. The strategy delineates several pillars, encompassing effective governance and management, as well as the education of the next generation of cybersecurity defenders.
Furthermore, in accordance with the Malaysian Public Sector Management of Information and Communications Technology Security Handbook, security controls should be integrated into AI-based application systems. These controls include establishing a maximum limit on the automatic decision-making ability of AI systems or AI sub-systems within conventional applications, monitoring the stability of neural network-based applications for effectiveness, and refraining from employing a completely automated mode in AI systems designed for highly sensitive decision-making.
Regarding border security, in 2021, the Ministry of Home Affairs introduced the National Integrated Immigration System project, designed to replace the Malaysian Immigration System (MyIMMs). The upgrade became necessary for MyIMMs to be substituted with a more sophisticated, integrated and holistic immigration system incorporating cutting-edge technologies such as AI, IoT and BDA. The revamped immigration system will feature a Risk Assessment Engine, integrating AI and BDA technologies cohesively with data from other security agencies.
On the other hand, the trade implications of AI have yet to be specifically addressed by the government at present. For completeness, Malaysia has an export control regime that is primarily aimed at ensuring national security, preventing the proliferation of Weapons of Mass Destruction, and complying with international non-proliferation obligations. In Malaysia, export controls on strategic items are regulated by the Strategic Trade Act (STA) 2010 (STA), which was enacted to provide for control over the export, trans-shipment, transit and brokering of strategic items, including arms and related material, and other activities that will or may facilitate the design, development and production of weapons of mass destruction and their delivery systems and to provide for other matters connected therewith, consistent with Malaysia’s national security and international obligations.
Pursuant to section 2 of the STA, ‘items’ includes goods and technology. Technology has been defined as information and data in any form for the design, development, production or use of another item and includes technical data, technical assistance and software. AI-based products may be subject to trade export law if the products are considered as ‘strategic items’ pursuant to the Strategic Trade (Strategic Items) List 2023 issued by the Strategic Trade Secretariat under the Ministry of Investment, Trade and Industry.
It is an offence under the STA to export, trans-ship or bring in transit strategic item without a valid permit from the relevant authority.
5 How are AI-related data protection and privacy issues being addressed? How will these issues affect data flows and data sharing arrangements?
AI-related data protection would fall under the purview of the Personal Data Protection Act 2010 (PDPA) as AI usage generally requires collection and processing of vast amounts of personal data. The PDPA applies to the processing of personal data in commercial transactions, where such data is: (1) being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (2) recorded with the intention that it should wholly or partly be processed by means of such equipment; and (3) recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system. It follows that information about a data subject in relation to commercial transactions being processed by AI, whether wholly or partly automatically in response to instructions given, would be subjected to the PDPA.
In terms of data flows and data-sharing arrangement, the PDPA sets out seven Personal Data Protection Principles with which a data user must comply. Hence, personal data processed by a data user using AI will have to be processed in line with such principles.
6 How are government authorities enforcing and monitoring compliance with AI legislation, regulations and practice guidance? Which entities are issuing and enforcing regulations, strategies and frameworks with respect to AI?
MOSTI aims to create a specialised Policy and Regulation Committee with a specific focus on overseeing AI. This committee will be entrusted with the review of existing laws, policies, regulations and guidelines, as well as issuing standards for the responsible development of AI in Malaysia, including the implementation of Risk Management Systems by 2024. The Policy and Regulation Committee will form part of the AI Coordination and Implementation Unit, which will be the central hub for all things related to AI.
The Science, Technology and Innovation Minister also announced that the National Standards and Accreditation Body (the Malaysian Standards Department) has taken proactive measures by establishing a National Mirror Committee to draft national AI standards. It was said that the committee comprised officials from the ministry, agencies, academia and industry participants and was chaired by MOSTI’s applied research and development unit. However, it remains to be seen on how and by whom the laws, policies and standards would be enforced at this early stage of developing AI governance, as the current focus is mainly on drafting and implementation.
A rethinking of the roles and functions of existing government entities, research institutes and organisations related to AI is anticipated in the years to come. Nonetheless, in the context of capital market, the Securities Commission, which is the Malaysian capital market regulator, has, in recent years, begun addressing the impact of AI in the realm of capital markets, particularly robo-investing or innovative technology employed in the context of investment by digital investment management companies, including algorithms.
7 Has your jurisdiction participated in any international frameworks for AI?
Within regional intergovernmental bodies and forums, the Association of Southeast Asian Nations (ASEAN) countries have released the ASEAN Guide for the ethical and governance considerations regarding the use of AI applications, which was released on 2 February 2024 at the Fourth ASEAN Digital Ministers’ Meeting, held in Singapore, and Malaysia will be one of the countries endorsing the guide. Further, it is reported that the global standard on AI ethics titled the ‘Recommendation on the Ethics of Artificial Intelligence’ issued by the United Nations Educational, Scientific and Cultural Organisation has been adopted by all 193 member states, which, among others, include Malaysia.
8 What have been the most noteworthy AI-related developments over the past year in your jurisdiction?
The Malaysian government is actively working towards introducing the Cybersecurity Bill and reinforcing its defences through the Malaysian Cyber Security Strategy to combat evolving cyber threats. The Budget 2024 allocated an initial fund of 20 million ringgit, to set up the first AI faculty in Malaysia at Universiti Teknologi Malaysia. Malaysia also recently formed the Digital Ministry, which will focus on digital-transformation issues, including personal-data protection and artificial intelligence.
The new ministry, which was split from the former Communications and Digital Ministry, will have under its purview the Department of Personal Data Protection, the Malaysia Digital Economy. The Digital Minister has announced that the Department of Personal Data Protection is currently developing seven guidelines under the PDPA through the Personal Data Protection Commissioner and a company under the Ministry of Finance, namely Futurise Sdn Bhd. These guidelines include the Notification of Data Breach Guidelines, Data Protection Officers Guidelines, Data Portability Guidelines, Cross Border Data Transfer Guidelines and Mechanism; Data Protection Impact Assessment Guidelines; Privacy by Design Guidelines; and Profiling and Automated Decision Making Guidelines. It is hoped that once these additional guidelines are established, Malaysia will have a more robust framework to protect personal data.
9 Which industry sectors have seen the most development in AI-based products and services in your jurisdiction? Are there any emerging industry or non-governmental standards governing the development and use of AI-related technologies?
The key sectors that have seen the most development in AI-based services include finance and banking, e-commerce, healthcare and manufacturing.
Taking healthcare as an example, hospitals in Malaysia have integrated diagnostic tools driven by AI, aiding physicians in enhancing the precision of diagnoses and treatment suggestions. Additionally, the utilisation of AI-powered telemedicine platforms has broadened the availability of healthcare services, particularly in rural and underserved regions. Meanwhile, the finance and e-commerce sector have seen an increase of the use of AI-driven chatbots for customer service, risk assessment and fraud detection.
It is interesting to note that in the agriculture sector, there is an initiative called the eLadang/Digital AGTech, which is driven by the Malaysian Digital Economy Corporation in collaboration with ecosystem partners to infuse Industrial Revolution 4.0 (4IR) technologies, such as internet of things, big data analytics and even AI to increase yield productivity, increase revenue, reduce operational costs and manpower, plantation optimisation, increasing participation to sustain and scale digital adoption across the agriculture sector.
10 Are there any pending or proposed legislative or regulatory initiatives in relation to AI?
The Science, Technology, and Innovation Minister recently declared that MOSTI is actively evaluating the need for creating an AI legal framework and the AI Act. One of the areas of regulation that they are looking into revolves around the labelling of products generated by generative AI, with a focus on designating them as either ‘AI-generated’ or ‘AI-assisted’. However, as of now, no concrete developments or actions have transpired beyond this announcement.
AI has gained much traction in the public domain with the advent of programs such as ChatGPT by OpenAI. For completeness, there has been an advisory document titled ‘ChatGPT and Security Best Practices’ outlining best practices in using ChatGPT, issued by the Malaysia Computer Emergency Response Team, which operates under the Ministry of Communications and Digital. It delves into topics encompassing security concerns, privacy considerations and the potential misuse of ChatGPT.
Further, the Malaysian Qualifications Agency has issued an advisory note on the use of generative AI in higher education. The advisory note recommends that educational institutions establish explicit guidelines for both academic staff and students regarding the utilisation of generative AI applications in teaching, research and scientific writing. Additionally, institutions are urged to consistently monitor and reassess policies, guidelines and practices pertaining to the application of generative AI. This ongoing review process is crucial for enhancing academic quality and reinforcing management frameworks.
11 What best practices would you recommend to assess and manage risks arising in the deployment of AI-related technologies, including those developed by third parties?
Effective evaluation and mitigation of risks associated with the deployment of AI-related technologies are no doubt the most important thing that comes to mind in order to ensure effective, safe and responsible use of these technologies. Organisations should conduct thorough risk assessments, understand the intricacies of the AI technology and prioritise data governance to ensure the quality and security of data. Further, regular audits, security measures and human oversight should be implemented, along with contingency planning for potential failures.
In regulating risks associated with AI, it is worth looking at the AI Roadmap (https://airmap.my/). The document outlines the seven principles of responsible AI, serving as a guide for the creation of trustworthy and responsible AI that safeguards the rights and privacy of individuals. The seven principles are: fairness, reliability, safety and control, privacy and security, inclusiveness, transparency, accountability and pursuit of human benefit and happiness.
The Inside Track
What skills and experiences have helped you to navigate AI issues as a lawyer?
I believe that, as a lawyer who navigates AI issues, it is important to have the desire to learn and keep oneself up to date with new technology and more importantly the risks associated with the use of new technology solutions.
Which areas of AI development are you most excited about and which do you think will offer the greatest opportunities?
As AI continues to develop, AI systems will continue to collect and process large amounts of data, raising concerns about how data is being used and protected. I think privacy, cybersecurity and data governance will continue to offer the greatest opportunities.
What do you see as the greatest challenges facing both developers and society as a whole in relation to the deployment of AI?
I believe balancing between privacy concerns and ethical considerations and embracing the transformative opportunities of AI will be some of the greatest challenges.
