ARTICLE 19, CIJ and Sinar Project raise rights concerns over Malaysia’s Cybercrimes Bill 2026

ARTICLE 19, the Centre for Independent Journalism and Sinar Project have called for further parliamentary scrutiny of Malaysia’s Cybercrimes Bill 2026. Their joint analysis argues that the proposed law grants broad investigative and surveillance powers without sufficient judicial oversight, privacy protections or safeguards for journalists and online expression.

ARTICLE 19, CIJ and Sinar Project raise rights concerns over Malaysia’s Cybercrimes Bill 2026

ARTICLE 19, the Centre for Independent Journalism (CIJ) and Sinar Project have raised concerns that Malaysia’s proposed Cybercrimes Bill 2026 could restrict freedom of expression, privacy and media freedom.

In a joint analysis published on 30 June 2026, the three organisations said the Bill contains broadly defined offences and extensive enforcement powers without adequate judicial authorisation, independent oversight or procedural safeguards. They called on the Malaysian government to suspend the Bill’s second reading and refer it to a parliamentary select committee for further examination.

The Cybercrimes Bill was introduced for its first reading in Parliament on 22 June by Deputy Prime Minister Datuk Seri Dr Ahmad Zahid Hamidi. It would replace the Computer Crimes Act 1997 and establish offences covering identity theft, computer-related fraud and forgery, interference with computer systems, manipulated content and the dissemination of intimate images.

The organisations acknowledged the need for legislation addressing cybercrime. However, they argued that the current text does not contain sufficient safeguards to prevent the proposed powers from being used against journalists, human rights defenders, whistleblowers and other internet users.

They also said the Bill does not adequately reflect the human rights safeguards contained in the United Nations Convention against Cybercrime. Malaysia has signed the Convention, which requires states to implement cybercrime measures consistently with their international human rights obligations.

Broad enforcement and search powers

A central concern in the analysis relates to the Bill’s definition of an ‘authorised officer’. Under the proposed legislation, investigative powers could be granted to police officers, public officials or officers of the Malaysian Communications and Multimedia Commission, based on a ministerial decision.

The organisations said the Bill does not clearly establish the qualifications, training requirements, codes of conduct or accountability procedures that would apply when non-police officials exercise police powers.

They also criticised a provision allowing searches and seizures without a warrant when an authorised officer believes that obtaining judicial approval could adversely affect an investigation. According to the analysis, the Bill does not establish an independent process for reviewing an officer’s decision to use this exception.

Another provision would allow authorised officers conducting searches to demand passwords, encryption keys, decryption codes or other tools needed to access information. Failure to comply could result in a fine of up to RM100,000, imprisonment for up to three years, or both.

ARTICLE 19, CIJ and Sinar Project argued that such powers require clear legal thresholds and independent judicial supervision. They said compelled access to encrypted communications could affect journalistic sources, confidential legal communications, whistleblowers and people who face retaliation for their online activities.

Data preservation and interception

The Bill would allow officers to order the preservation or disclosure of user data when they consider it necessary for an investigation. Recipients of these orders would generally be prohibited from revealing their existence or content.

The organisations said these provisions do not require prior judicial approval and do not provide an explicit right of appeal. They also questioned whether the confidentiality requirements could prevent recipients from consulting legal counsel.

The Bill would further require service providers to assist with the real-time collection of traffic data and the interception of communications when requested by the Public Prosecutor. Non-compliance could result in fines of up to RM1 million.

The joint analysis warned that these obligations could encourage telecommunications companies, internet service providers and social media platforms to collect excessive amounts of user data or restrict content to reduce their legal exposure.

The organisations also expressed concern that the interception provisions could enable access to confidential communications, metadata and personally identifiable information without external review. They argued that the proposed framework could create broader surveillance capabilities rather than limiting interception to specific and proportionate investigations.

Manipulated and intimate content

Section 23 of the Bill would criminalise the distribution or publication of visual or audio content that has been generated or manipulated through a computer system. The maximum penalty would be a fine of RM500,000, imprisonment for up to seven years, or both.

ARTICLE 19, CIJ and Sinar Project said manipulated media can cause serious harm, including through deceptive deepfakes. However, they argued that the provision is too broadly worded and could also cover satire, artistic works, journalism or political commentary.

Section 24 addresses the distribution of intimate images. The organisations said the provision does not clearly distinguish between child sexual abuse material, non-consensual intimate images and consensually produced adult material. They argued that these categories should be defined separately because they involve different forms of harm and require different legal responses.

Risks for journalists and media organisations

The analysis identified several provisions that could affect journalists and their sources. Search, interception, data preservation and disclosure powers could be used to access confidential communications or identify anonymous sources, according to the organisations.

They also raised concerns about corporate and vicarious liability. The Bill would allow directors, managers, compliance officers and other company representatives to be held criminally responsible for offences committed by a company. Employers could also be held responsible for the actions of employees or agents.

The organisations warned that these provisions could expose editors and senior media executives to prosecution for reporting produced by their organisations. They also criticised a provision under which company officers may be presumed responsible unless they demonstrate that an offence occurred without their knowledge or consent and that they took reasonable steps to prevent it.

Oversight and procedural safeguards

The Bill would establish a Committee on Combating Cybercrimes, chaired by the Chief Secretary to the Government. The Malaysian Communications and Multimedia Commission would serve as its chief executive and secretariat.

ARTICLE 19, CIJ and Sinar Project said the Committee would be dominated by government bodies and would lack sufficient institutional independence. They noted that the Bill does not establish term limits, external oversight arrangements or clear procedures for reviewing the Committee’s decisions.

The organisations also criticised the absence of explicit protections for privileged communications, limits on data retention and public-interest defences. They argued that several offences do not require proof of dishonest or malicious intent, or evidence that serious harm occurred.

Call for further review

The three organisations urged the government to halt the Bill’s second reading and refer it to the Parliament Special Select Committee on Human Rights, Elections and Institutional Reform.

They called for clearer judicial authorisation requirements, independent oversight, proportionate sanctions and explicit protections for privacy, freedom of expression, journalists’ sources and due process.

They also recommended a broader public consultation involving civil society organisations, human rights groups, technical experts, media representatives and other affected stakeholders before the legislation proceeds.

The concerns represent the assessment of ARTICLE 19, CIJ and Sinar Project. The Bill’s final legal and practical effects would depend on its wording when adopted, any amendments made during the parliamentary process and how its provisions are subsequently interpreted and enforced.

Go to Top