Introduction: How a RM100 Fine Changed the Conversation

Malaysia’s Online Safety Act 2025 did not come out of nowhere. One case that pushed the issue into public discussion was the 2024 case involving Hindu rights activist and social media influencer Rajeswary Appahu, who was also known as Esha. Many people were shocked when one offender linked to the case was fined only RM100 under the Minor Offences Act, mainly because there was still no specific cyberbullying law that properly fitted the situation (The Star). For the public, the fine felt almost too small compared with the harm people can face online. More importantly, it showed that Malaysia’s law had not kept up with the way social media is now used.

Before ONSA, victims often carried most of the burden. They were usually told to block the account, report the post, collect screenshots, or go to the police after the damage had already been done. ONSA tries to change that. Instead of treating online safety as only the user’s personal problem, it places duties on licensed applications service providers, content applications service providers, and network service providers. In simple terms, platforms can no longer hide behind the excuse that they are only hosting content. They are expected to have proper reporting channels, safety tools, and systems that reduce exposure to harmful content (Malaysia, Online Safety Act secs. 13-20).

That is the main shift behind the new law. Malaysia is moving away from a model where users are simply expected to protect themselves, and toward a model where large platforms also carry responsibility. Of course, users still need to behave responsibly online. But the companies that design our feeds, private messages, and recommendation systems also have a much bigger role to play.

The “16 Is the New 13” Rule: Why You Might Get Logged Out from Instagram

For a long time, many social media platforms treated 13 as the normal minimum age. In Malaysia, that number is now being pushed higher. The Online Safety Act itself defines a child as a person under 18, and section 18 requires providers to put in place measures that allow child users to use their services safely (Malaysia, Online Safety Act sec. 18). The specific under-16 restriction, however, is not written as one simple sentence in the main Act. It is being developed through subsidiary legislation and the Child Protection Code.

Government statements in late 2025 and early 2026 make the direction quite clear. Under the planned rules, platform providers are expected to stop users below 16 from accessing social media platforms, while content shown to users under 18 must be suitable for their age (Bernama, ‘MCMC Develops Subsidiary Laws’). In February 2026, Deputy Communications Minister Teo Nie Ching said the age-verification mechanism was expected to be finalised through subsidiary legislation under ONSA. She also said the responsibility for making sure users aged 16 and below do not operate social media accounts would fall on the platform providers (Bernama, ‘Age Verification Mechanism’).

This is why some Malaysians may eventually be asked to prove their age, re-confirm their account, or accept limits on certain features. It is not only about stopping fake birthdays. The bigger concern is whether underage users are being pushed into adult-level content, risky private messaging, addictive scrolling, or harmful recommendations before they are ready for it.

The Mandatory eKYC Verification: No More Fake Birthdays

The tricky part is age verification. How can a platform check a user’s age without making everyone feel like they are giving away too much personal information? In April 2026, Communications Minister Fahmi Fadzil said MCMC was close to completing engagement sessions with major platforms and stakeholders on electronic Know-Your-Customer, or eKYC, verification. According to him, the plan was to use MyKad, passports, and MyDigital ID to confirm age, and new social media accounts would only be allowed for users aged 16 and above (Bernama, ‘Engagement Sessions’).

The government has also said that MCMC is testing the approach through a Regulatory Sandbox with platform providers. Teo explained that the testing covers age verification, entity validation, and the use of AI to detect high-risk content. This is not only a technical issue. The government has also mentioned concerns such as personal data protection, privacy, and whether the system fits with existing laws (Bernama, ‘Age Verification Mechanism’).

This part of ONSA is probably where many users will have mixed feelings. On one hand, age verification can stop a 12-year-old from signing up by typing a fake birthday. On the other hand, a badly designed system could create new problems, such as identity leaks, too much personal data being collected, or real identity being permanently linked to online activity. A better approach should only verify what is needed, for example whether a person is above 16, instead of exposing full IC numbers or document copies to every platform. In the end, ONSA will only feel safe if the technical rules protect both children and user privacy.

Cyberbullying Beware: From a Slap on the Wrist to Real Criminal Liability

Although ONSA mainly focuses on platform duties, Malaysia’s response to online harm also includes changes to criminal law. The Penal Code (Amendment) Act 2025, Act A1750, added new sections 507B to 507G into the Penal Code. These sections cover threatening, abusive, or insulting words, communications, or acts that cause harassment, distress, fear, or alarm. For example, section 507B can carry imprisonment of up to three years, a fine, or both. Section 507C deals with similar behaviour when it is likely to make a person feel harassed or alarmed (Malaysia, Penal Code (Amendment) Act sec. 2).

The amendments also cover situations where online behaviour makes a person believe that harm will happen, or where someone provokes another person in a way that may lead to self-harm. The most serious punishment applies when the person who is provoked attempts suicide or dies by suicide. In that situation, the offender may face imprisonment of up to ten years, a fine, or both (Malaysia, Penal Code (Amendment) Act sec. 507D). This is a major change from the old impression that cyberbullying is just a small online argument.

The law also deals with doxing. Sections 507E and 507F criminalise publishing, circulating, or making available someone’s identity information when it is done with harmful intent or knowledge. Identity information is defined broadly as information that identifies, or claims to identify, a person (Malaysia, Penal Code (Amendment) Act sec. 507G). So, doing a ‘deep search’ or ‘meat-searching’ (肉搜) on someone by digging up their IC number, address, school, workplace, family details, or private photos and then sharing it online can become a criminal matter if the aim is to cause distress, fear, or harm. In everyday language, exposing someone’s private details is not harmless gossip just because it happens on Telegram, TikTok, X, or Instagram.

The Content Removal Strategy: How Malaysia Makes Big Tech Hit ‘Delete’

One of the most practical parts of ONSA is the idea that harmful content should not be left online while everyone argues about who is responsible. The First Schedule lists categories of harmful content, including child sexual abuse material, financial fraud, obscene or indecent content, harassment that may cause distress, fear or alarm, incitement to violence or terrorism, content that may induce a child to self-harm, hostility that may disturb public tranquillity, and promotion of dangerous drugs (Malaysia, Online Safety Act First Schedule). The Second Schedule gives special priority to two categories: child sexual abuse material and financial fraud (Malaysia, Online Safety Act Second Schedule).

For normal users, this should mean that reporting harmful content becomes clearer and less random. Licensed providers must give users a way to report harmful content and get assistance. These systems are supposed to be easy to access and responsive at all times (Malaysia, Online Safety Act secs. 16-17). MCMC’s FAQ, as reported by Bernama, also says users can expect clearer safety information, easier reporting, more responsive assistance, and better tools to control who can search for, contact, or interact with them (Bernama, ‘ONSA FAQ Unveils’).

The strongest rule is for priority harmful content. Under section 22, once a provider decides that reported content is priority harmful content, it must immediately make the content inaccessible to all users for the prescribed period. The Online Safety (Period) Regulations 2025 make the process more specific: reports must be acknowledged quickly, priority harmful content such as child sexual abuse material and financial fraud must be made temporarily inaccessible for 24 hours, and if confirmed, permanently inaccessible within one hour of determination (Rahmat Lim & Partners).

The fines are also serious enough to get attention. If licensed applications service providers or content applications service providers fail to follow their duties under Part III, MCMC may impose a financial penalty of up to RM10 million (Malaysia, Online Safety Act sec. 39). This is what makes ONSA different from ordinary platform community guidelines. Ignoring reports is no longer just bad service. For platforms, it can become a legal and regulatory problem.

Conclusion: A Safer Feed for a Smarter Generation

The Online Safety Act 2025 is not just about banning phones or blaming teenagers. It is more about changing who is responsible when harm happens online. Users still need digital literacy. Parents still need to guide their children. Schools still need to teach respectful online behaviour. But platforms also need to take responsibility for the systems they build, especially when those systems shape what people see, who can contact them, and how quickly harmful content spreads.

If ONSA works well, Malaysia’s online space should become less passive when serious harm appears. A scam post, child exploitation material, doxing thread, or harassment campaign should not remain online for days while victims try to get help. The law gives users and MCMC clearer ways to demand action, and it pushes platforms to think about safety before a situation becomes another headline.

Still, the law will also need public trust. Age checks and eKYC may protect children, but they also raise fair questions about privacy. Malaysians will need to see whether the final rules collect only the data that is really necessary, protect identity records properly, and avoid turning online safety into unnecessary surveillance. A safer internet should protect both dignity and privacy. Whether ONSA becomes a trusted shield or just another rule people try to bypass will depend on how carefully that balance is handled.

References

Bernama. "Age Verification Mechanism for Social Media Users to Be Finalised in Q2 This Year - Teo." Bernama, 25 Feb. 2026, www.bernama.com/en/news.php?id=2527418.

Bernama. "Engagement Sessions for eKYC Implementation Almost Completed - Fahmi." Bernama, 30 Apr. 2026, bernama.com/en/news.php?id=2551255.

Bernama. "MCMC Develops Subsidiary Laws to Strengthen Online Child Protection." Bernama, 4 Dec. 2025, www.bernama.com/en/news.php/?id=2498778.

Bernama. "ONSA FAQ Unveils Stricter Safety Guidelines, Streamlined Reporting of Harmful Content." Bernama, 1 Jan. 2026, bernama.com/en/news.php?id=2507843.

Malaysia. Online Safety Act 2025, Act 866. Laws of Malaysia, 2025.

Malaysia. Penal Code (Amendment) Act 2025, Act A1750. Laws of Malaysia, 2025.

Rahmat Lim & Partners. "Online Safety in Malaysia: What You Should Know about the Online Safety Act 2025 and Its Subsidiary Legislation." Rahmat Lim & Partners, 23 Jan. 2026, www.rahmatlim.com/perspectives/articles/32091/mykh-online-safety-in-malaysia-what-you-should-know-about-the-online-safety-act-2025-and-its-subsidiary-legislation.

The Star. "RM100 Fine since There's No Specific Law for Cyberbullying." The Star, 18 July 2024, www.thestar.com.my/news/nation/2024/07/18/rm100-fine-since-theres-no-specific-law-for-cyberbullying.