By: Sonny Zulhuda

Introduction

Malaysia regards electronic commerce as a powerful driver for the national development and economic growth. This belief has be reinforced by the setting up of national policies and laws seeking to ensure that processes, tools and technologies are put in place to facilitate the electronic commerce. Among those laws is the Payment Systems Act (‘PSA’) 2003 (Act 627) which came into force on 1st November 2003). It is a principal legislation which provides for the framework for the regulation and supervision of the payment systems and payment instrument in Malaysia.

When anticipating the birth of this law, the Central Bank Governor emphasized that the study on the legal and regulatory framework was undertaken to enhance the efficiency of payment system and to specifically provide the mandate to the Central Bank of Malaysia to effectively oversee and facilitate greater development of such system in the country.

Basic Features

‘Payment system’ is defined as any system or arrangement for the transfer, clearing or settlement of funds or securities (Section 2). It, however, excludes a payment system operated by the Bank under the Central Bank of Malaysia Act 1958; a clearing house recognized under the Securities Industry Act 1983; a clearing house licensed under the Futures Industry Act 1993; an in-house payment system operated by a person solely for his own administrative purposes that does not transfer, clear or settle funds or securities for third parties; a system that solely facilitates the initiation of payment instructions; and such other systems or arrangements as may be prescribed by the Bank.

Meanwhile, also provided in the same section, ‘payment instrument’ means any instrument, whether tangible or intangible, that enables a person to obtain money, goods or services or to otherwise make payment. It therefore includes credit cards, charge cards, debit cards, and e-money.

The definition of both payment systems and payment instruments makes the application of PSA wide and goes beyond financial entities. It was noted that this Act can even apply to communications service providers licensed under the Communications and Multimedia Act 1998 such as those services offered by way of pre-paid cards and commercial transactions using the mobile phones.

The Role of BNM

The ultimate objectives of PSA 2003 are reflected in its preamble as “to promote monetary stability and a sound financial structure.” This was also to promote a reliable, efficient and smooth operation of the national payment and settlement systems and for ensuring that the national payment and settlement systems policy is directed to the advantage of Malaysia. This noble task will be spearheaded by the Central Bank or Bank Negara Malaysia (BNM).

The task of implementing PSA is not only important but also very urgent. As digital transactions have become widespread, alternative payment methods would essentially be issued and used by variety of institutions. Some would even extend beyond the reach of national boundaries. The Central Bank Governor noted that e-cash and e-commerce will make it increasingly difficult to define and measure monetary aggregates, national income and wealth. Thus, it was noted that capacities and capability of institutions need to be enhanced, while financial infrastructure needs to be put in place and consumers and markets educated accordingly. This Payment Systems Act, it is argued, would provide essential remedies to offer in this new financial environment.

Designated Payment System

By virtue of section 6(1) of this Act, BNM as the governing body is authorised to designate a payment system as a ‘designated payment system’ (‘DPS’) if that payment system poses a systemic risk, or that such designation is necessary to protect the interest of public. ‘Systemic risk’ is defined in section 2 as the risk that “the failure of a participant or operator to meet his payment or settlement obligations will cause another participant to be unable to meet his payment or settlement obligations when due; or the risk that the failure of a participant or operator to meet his payment or settlement obligations may cause significant liquidity or credit problems that might threaten the stability of financial markets.”

The effect of this designation, as prescribed in section 7(1) is to oblige the operators of DPS governance and risk management compliance prescribed by Chapter 2 of the Act. This compliance covers issues of internal management, qualification and appointment of directorship, governance as well as operational arrangements.

Until recently, it is noted that BNM has so far designated two payment systems as DPS, namely the ‘Real Time Electronic Transfer of Funds and Securities System’ or ‘RENTAS’, a real time gross settlement system for the transfer and settlement of funds and book-entry scripless debt securities; and the ‘Sistem Penjelasan Informasi Cek Kebangsaan secara Elektronik’ or ‘eSPICK’, a cheque clearing system for the clearing of cheques.

Designated Payment Instrument

Another important facet of the Act is on the designation of payment instruments at the authority of the BNM. The Central Bank may prescribe any payment instrument as a ‘designated payment instrument’ (‘DPI’) provided that such instrument may be of widespread use as a mean of making payment and may affect the payment systems of Malaysia; and that it is necessary to protect the interest of the public or it is necessary to maintain the integrity, efficiency and reliability of a payment instrument (section 24). Once so prescribed, the DPI operators would have to comply with certain requirements as prescribed in section 25 of the PSA 2003 as well as governance and operational arrangements in sections 27 and 28 respectively.

Under this provision, three types of payment instrument have been so far designated by BNM as DPI, namely (1) charge cards; (2) credit cards; and (3) electronic money which stores funds electronically in exchange of funds paid to the issuer and is able to be used as a mean of making payment to any person other than the issuer.

Safety, Security and Operational Reliability

Given the mandate of this Act, the Central Bank of Malaysia or BNM does assume a huge oversight responsibility for the payment and settlement systems in the country considering the high numbers of usage in Malaysia. As of year 2007, the number of users and subscribers of payment instruments (including credit cards, charge cards, debit cards and e-money) was over 85 million usage with a total value of transaction reaches RM 4.6 million, including Interbank Giro. For this purpose, too, in 2003 BNM requires that each of the DPS and DPI operator to identify, document and submit measures that ensure the safety, security and operational reliability of the payment system/instrument, respectively, including contingency arrangements.

As payment systems are fundamental to the functioning of the economy, it is just natural that the Bank’s oversight activities are directed towards ensuring the reliability of the major payment and settlement systems and mitigating risks in these systems. That is why in practice, the role played by the BNM is not only on systemic risk reduction, but also is extended to promoting an efficient payment and settlement infrastructures and services. This also includes fostering payment innovations and driving towards enhancing safety, security and efficiency of the payment systems. The ultimate objective is to sustain and enhance public confidence in promoting electronic payments.

Final Remarks

As mentioned earlier, this law seeks to enhance the efficiency of payment system and to specifically provide the mandate to the Central Bank of Malaysia to effectively oversee and facilitate greater development of such system in the country. Indeed, the ultimate goal of PSA 2003 is to enhance the efficiency of payment system and to specifically provide the mandate to the banking regulator to effectively oversee and facilitate greater development of such system in the country. Even though the law is only in force for about five years, the law is proven to be influential in facilitating the electronic commerce in Malaysia, particularly its electronic banking practices.

References

• Bank Negara Malaysia, Financial stability and payment system report, (Kuala Lumpur: published by author, 2007)
• Zeti Akhtar Aziz, “Electronic Banking: The Way Forward,” from the Website of Bank Negara Malaysia.
• Zety Akhtar Aziz, “Impact of E-Banking and E-Commerce on Central Banking Functions,” from the Website of Bank Negara Malaysia.
• Payment Systems Act 2003 (Act 627)

By: Sonny Zulhuda*

Malaysia has over a decade regarded the Information and Communications Technology (ICT) as a powerful tools and engine for growth in future. Related investments and development projects are dramatically boosted and other industrial and social infrastructures also gained the attention.

The consumer side, however, has a different story. While many of consumer concerns were addressed and gradually solved with the coming into force of the Consumer Protection Act (CPA) 1999, one major aspect of consumer protection is somehow lagging behind. The Malaysia’s CPA 1999 makes it clear that its provisions do not apply to those transactions effected by the electronic means. This is in turn resulting in an absurd situation. As one scholar noted, there is absurdity to find that while one can be compensated for a loss due to defective goods or services he or she took from normal transaction, the same cannot be guaranteed for the transaction he or she entered into electronically. What is then the protection offered by law in Malaysia for the e-transaction consumers? The truth is that, there is currently no comprehensive legal framework for protecting e-transaction consumers. It is argued that the law is in changing and developing mode.

Against this background and thesis, this paper investigates the present state of legal and regulatory framework for consumer protection in the electronically-effected transactions/trade in Malaysia. It seeks to examine possible remedies that one can get from other legal instruments such as the recently-enacted Electronic Commerce Act 2006, the Communications and Multimedia Act 1998, the MCMC-supervised General Consumer Code (MCMC) and other related laws.

Latest case law is also discussed to show current direction that the e-transaction consumer protection takes. Proposals on how the situation could be improved will also be considered in this paper. And for that matter, this paper will also make attempts to compare the situation in Malaysia with some other jurisdictions such as Australia and New Zealand.

*) This paper was presented at the 6^th International Conference of Corporate Social Responsibility, 11-14 June 2007, Kuala Lumpur, jointly with Mr. Md. Fazlul Karim.

By: Sonny Zulhuda *

Like other ICT inventions that promise both unprecedented benefits and scaring risks, Internet banking has been received by both excitement and worries. While it offers high level of effectiveness such as online fund transfer as easy as from customers’ home desktop, it also haunts many as reflected in incidents involving theft of personal access code, tracing of online footprints and intrusion of online activities of other customers.

In Malaysia, Internet banking is still at its infancy though the number of service providers is increasing. Unfortunately, some crucial areas are left unclear for Internet banking consumers. This includes issues of distribution of liability between Internet banking stakeholders, use of personal data of bank customers, and low level of consumer protection provided by Internet banking operators. Furthermore, serious risks are awaiting consumers since the country’s consumer protection law statute is not applicable to commercial activities effected by information and communications technologies (ICT).

The thrust of this paper is to highlight general condition of Internet banking services in Malaysia from legal perspective, discuss its weaknesses and recommend measures to fill the flaws. Reference will be made to several pieces of legislation that apply to Internet banking services. On top of that it seeks to critically analyze the guidelines of Internet banking services issued by Malaysian central bank.

Besides, the paper pursues discussion on those various legal issues reflected in the laws, guidelines and practices in Malaysia against international regime and practices from other countries. From the various associated risks to issues of prudential regulations and supervision in Internet banking. The message to be forwarded in this paper is that if the Internet banking services can be safely delivered and well risk-managed, the whole process would be able to achieve better corporate governance in Malaysian e-banking institutions, and in turn it would deliver maximum business effectiveness and efficiency.

* This paper abstract was prepared for the 3^rd World Congress of International Society of Business, Economics and Ethics (ISBEE), 14-17 July 2004, Melbourne, Australia, jointly with Prof. Abu Bakar Munir.

By: Sonny Zulhuda *

The information economy derives its name from the fact that information has become a powerful source of wealth for today’s corporations. Understandably there comes the rising demand to ensure this promised wealth is not unnecessarily missed. For this, today’s corporate world witnesses a great evolution in terms of the way they run the business by adopting the advantage of information and communications technologies (ICT). These tools have been increasingly exploited in order to secure the wealth as promised by the information age.

The controversial part that pursues, however, centers at the clash of demands from the two different ends of the business: corporations and consumers. In one hand, corporations wish to secure as many informational assets as possible that include consumers’ personal information. On the other hand, consumers have now demanded for higher protection on their privacy right including right to control the flow and use of their own personal information. Because of this apparent controversy, in some part of the world, businesses are forced to make some adjustments on their dealing with personal data and information. This appears to be very crucial for them in order to win the consumers’ confidence.

The objective of this paper is to highlight the issue of privacy and personal data protection in the current setting of electronic business. Even though this is a global and trans-border issue, the paper seeks to limit its scope into the position in Asia Pacific region. It therefore seeks to identify legal regimes in countries like Malaysia, Singapore, Australia and other countries in the region that may have initiated certain protection on personal data. Along this line, relevant European Directive will also be touched due to its far-reaching impact on regional legal development.

Clear understanding of these issues will determine the next questions to be resolved in this paper: can businesses survive and significantly grow with the increasing demand to restrict the use and flow of personal information? How to reach the synergy between the two with the help of existing legal regimes? Or is it just impossible for the two to synergize and reconcile? The thesis of this paper is that the two should preserve and enhance each other by adopting business best practices that is inline with the requirements of law and consumers alike.

* This paper abstract was prepared for the 3^rd World Congress of International Society of Business, Economics and Ethics (ISBEE), 14-17 July 2004, Melbourne, Australia, jointly with Prof. Abu Bakar Munir.

By: Sonny Zulhuda *

The internet hits us like the storm and its implosion is truly phenomenal. It’s a forum to retrieve, communicate and disseminate information. Last but not least, it’s the best place to advertise goods without being restrained by conventional/traditional modes of transaction and costly advertisements.

What is Electronic Commerce?

Electronic commerce (e-commerce) means all forms of commercial activities that are carried out through electronic networks including the promotion, marketing, supply, order or delivery of goods or services. Internet is the most common medium used for e-commerce worldwide.

The advantages of e-commerce are among others the following:

1. Cost saving
2. Increase in productivity
3. Increase in profitability
4. Accessibility to customers anywhere at any time.
5. Accessibility  to a huge market (there are approximately. 420 million net users)

E-commerce is conducted between various entities namely:

1. Business-to-business (B2B)
2. Business-to-consumers (B2C)
3. Government-to-business (G2B)
4. Government-to-consumers (G2C)

Recent worldwide figures show that e-commerce is experiencing rapid growth. More services and products are offered online, in turn, more individuals find it irresistible to shop online. MATRADE in 2001 reports that 80% of US internet users have purchased online at least once. Furthermore, one third of European internet users transacted online, most commonly purchasing books, magazines, music and travel-related products and services.

In Hong Kong there is a 40%  increase in commercial websites visitors, 4% of  such visitors subsequently purchased online. Although the percentage seems minute it should be noted that the number of sales is increasing. Similar  growth is noted in other parts of Asia such as Taiwan (5% of internet users purchase online), Singapore (9%), South Korea (12%), Australia  and New Zealand (14%).

E-Commerce in Malaysia

The launch of MSC requires a reinvention of trade practices vis a vis e-commerce. There is a plethora of Malaysian information and business websites. However, surprisingly not many Malaysian internet users purchase online. Malaysia has approximately 1.6 million internet subscribers. Electronic business to consumers (B2C) is modest, with an estimated 50,000 subscribers making online purchases. As at June 2002, only 3% of  Malaysian netizens/consumers shopped online in 2002 in contrast with 4% in 2001.  This means that a significant number of our netizens/consumers felt that making transaction in brick and mortar world is much safer than that made in cyberspace. Why this reluctance?  Online consumers are beset by legal concerns which are the following:

Consumer Concerns on E-Commerce

Here is the summarized note on common consumer concerns relating to many aspects of e-commerce:

On contractual aspect:

• Does a website advertisement legally constitute an offer?
• How are the offer and acceptance effected and confirmed?
• What would be the mechanism of payment? And to what extent is it safe?
• What would be the mode of delivery of  the goods ordered?
• What would be the mechanism to lodge complaints?
• How accurate is the information on business identity and activities provided online?
• What if a fraud is committed? (e.g. online ‘get-rich’ scheme; ‘Nigerian’ advance-fee scam)
• In the event of dispute, which law and court will determine the online transaction?

On privacy issue:

• What is the privacy policy adopted by an e-commerce site? How is it brought to the notice of any website visitor?
• Does the privacy policy comply with the existing law on data protection?
• What kind of personal data are collected for a website?  What is the purpose of such data collection?
• Does a data subject i.e. the online consumer  have the rights to access, update, and remove his/her data?

On unsolicited commercial emails:

• Does the e-commerce site install ‘cookies’? How well is it being informed to the consumer?
• Does a consumer have the right to opt out from receiving the commercial messages?
• Is there any proper mechanism to stop the receipt of such unsolicited commercial e-mails?

On banking aspect:

• What are the privacy policies adhered by a provider of Internet banking service?
• Is the customer being adequately informed in regard to these policies?
• What would be the policy of notice in case of variation of any terms or conditions?
• How secure is the Internet banking service for the customers?

Survey on E-Commerce Websites

It is noted that over 700 international e-commerce web sites were examined by The International Marketing Supervision Network (IMSN), an organization consisting  trade practices law enforcement authorities of 25 countries). The outcome of the research is the following:

• More than half businesses failed to outline their payment security mechanisms
• 62% provided no refund or exchange policies
• 75% had no privacy policy
• 78% failed to explain how to lodge a complaint
• 90% failed to advise customers which law is applied in their transactions
• 25% showed no physical address

Legal and Regulatory Framework

It must be noted that there are two approaches available  in protecting online consumers namely:

• Legislative Approach: By drafting and enacting the comprehensive legislation on consumer protection in the electronic commerce.
• Self-Regulatory Approach: By drafting a model code or guidelines on e-commerce consumer protection to be adopted by e-commerce entities and consumer associations.

OECD GUIDELINES

The OECD adopted Guidelines for Consumer Protection in the Context of Electronic Commerce on 9 December 1999.It provides basic principles for consumers as they determine what fair business practices to expect online. This guideline is intended for both the private sector as it develops self-regulatory schemes as well as governments as they formulate and implement consumer protections for electronic commerce.

EUROPEAN UNION

The European Union e-commerce legislation, known as ‘the Brussels I regulation’, is enforced within the EU territories in March 2001. This new law requires traders to conform to the laws of all member states of the EU when they go online. It allows cross-border disputes between consumers and online retailers to be settled in the courts of the consumer’s country. This means that a European consumer who orders goods or services via the Internet from a vendor can sue the vendor in his/her own national courts if the transaction reaches a difficulty or deadlock.

It is noteworthy to highlight that the Australian government has adopted in 2000 a guideline entitled: “Building Consumer Sovereignty in Electronic Commerce: A Best Practice May Model for Business”. Furthermore, New Zealand adopted in October 2000 the “Model Code for Consumer Protection in Electronic Commerce”. On the other hand, Singapore, which has yet to develop a comprehensive law or code concerning consumers nevertheless covers pertinent legal aspects in its very own  Electronic Transactions Act 1998.

The Position in Malaysia

The Consumer Protection Act 1999 does not apply to any trade transactions by electronic means (CPA section 2(g)). [note: this position has changed in 2009]. At the time the Act was being debated the Multimedia Commission Act 1999 was not yet in place and  the Ministry presumed erroneously that electronic commerce will be regulated by that agency and consequently excluded it from Consumer Protection Act 1999.  Only some aspects of legal protection for online consumers are found in some scattered pieces of legislation. The existing Malaysian Cyberlaws do not comprehensively deal with the protection of online consumers. Personal data protection is to be covered by the present Personal Data Protection Bill, but is  yet to be tabled in parliament. The Contracts Act 1950 may be referred by consumers on issues of formation of contract, but the Act is too general and does not specifically address the special characteristics of e-commerce. Furthermore, there is so far no law to govern the issue of unsolicited commercial e-mails. Last but not least, Bank Negara provides minimum guidelines on consumer protection in  Internet banking. However this is not comprehensive enough to address related issues. To add salt to wound,  compliance by commercial banks is notably poor.

Urgent Need for Online Consumer Protection Law

In conclusion it is urged that there need to be a specific legislation protecting online consumers and time is a luxury in which legislators could ill afford. It is pertinent to quote YAB Datuk Seri Dr. Mahathir Mohamad on Economists Roundtable in Electronic Communities in Asia, KL, January 1998 who eloquently remarked that “The development in Information and Communication Technology without parallel development of laws (ICT Laws) can result in destructive abuses. Cyberlaws should address the issues of assignment of liability of those involved in e-commerce transactions, consumer protection, and consumer privacy..”

*) This brief note was prepared and provided for the 7^th National Seminar of Malaysian Consumer and Family Economics Association (MACFEA) hosted by UITM, 18 February 2003, Shah Alam, Malaysia, jointly with Ms. Yasmin Bahari. The law as stated in this note was valid at that presentation time. Readers are advised to update for any amendments.

By: Sonny Zulhuda

(This article first appears in the E-Security Bulletin vol. 18 – (Q1-2009), published by CyberSecurity Malaysia in 1st Quarter of Year 2009, under the title ‘The requirement of information availability in the E-Commerce Act 2006′)

One of the key components in information security is the information availability, which seeks to ensure that authorized users have access to information and associated assets whenever required. This availability factor is so important to the extent that its deficiency can adversely affect other aspects of information security, namely the integrity and confidentiality of information.

This significance cannot be seen bigger in the area of electronic commerce. Imagine if the security of an information system used by an e-payment service provider is compromised by a denial-of-service (DOS) attack thus affects the availability of service, not only are the commercial data and the electronic processing thereof being jeopardised, but also the whole supposedly-trusted system can fail miserably.

Given its popularity and inter-dependence in today’s economic and business activities, electronic commerce (e-commerce) is a battlefield worth trying and fighting for. For ordinary people, it is an avenue to intensify their economic power. For business, this is a free channel to more than one billion potential market on the planet.

It is therefore understandable that the Government is strongly interested to see e-commerce succeeds. In a regional workshop in 2005, the Malaysian Minister of Domestic Trade and Consumer Affairs, Datuk Hj Mohd Shafie Apdal (as he then was), was quoted as saying: ‘it is not going to be acceptable or in any national interest to have a growing section of commercial activity operating outside the law. If there is no law then we have to create new laws, for e-commerce is not a transitory phenomenon. E-commerce is here now, it is growing and I see nothing to slow its exponential development.’

The Government is due to provide a legal framework which facilitates, instead of halts, this growth. At the same time, such framework shall ensure that the e-commerce it seeks to promote is resilient, sustainable and secure. In this short article, we will see how the law on e-commerce in Malaysia recognizes the issue of information security, especially the information availability aspect, and makes it an incentive for the e-commerce players.

Electronic Commerce Act 2006

The Electronic Commerce Act (ECA) 2006 (Act 658) provides for legal recognition of electronic messages in commercial transactions, the use of the electronic messages to fulfil legal requirements and to enable and facilitate commercial transactions through the use of electronic means and other related matters. The Act applies to any commercial transaction conducted through electronic means including commercial transactions by the Federal and State Governments. Nevertheless, the use of such means is not made mandatory. From the outlook of this Act, one can see that it is modelled to a great extent on the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce (Model Law) 1996. Certain legal principles adopted including the principles of functional equivalence and technology neutrality.

With the passing of ECA 2006, e-commerce in Malaysia is not what or how it was before the existence of this statute. One fundamental task is fulfilled, namely, providing legal certainty as to the validity and legality of electronic transactions. IT users and the owners of information assets ought to get some assurance that their activities are lawful, their communications and transactions valid and their transactions are protected.

Information Security Standards under ECA 2006

It is note-worthy that ECA 2006 sets up certain information security standards to be applied on the e-commerce activities, among others, on legal recognition of electronic message, writing, and originality of document. The effect of this is indirectly making an information security best practice as an incentive for the legality of e-commerce itself.

Many legal concepts are being tied with the requirement of accessibility of the information or the information system. For example, for the purpose of granting legal recognition of an electronic message, section 6(2) of the Act expressly provides that:

‘Any information shall not be denied legal effect, validity or enforceability on the ground that the information is not contained in the electronic message that gives right to such legal effect, but is merely referred to in that electronic message, provided that the information being referred to is accessible to the person against whom the referred information might be used’ [emphasis added].

As a practical illustration, people who are parties to an e-transaction such as online auction are bound by the terms of contract stipulated in an electronic format such as those on the auction provider’s website, as long as that information (i.e. the online terms) are accessible and available for subsequent reference. This requirement of ‘accessibility’, it is submitted, indicates that the purported user of electronic message must make sure that there is in place and under his control a system from which an electronic message at issue can be accessed and provided. This is exactly what the principle of information availability is all about. Therefore in order to achieve the protection under these provisions, efforts must be made to ensure the information system is neither intruded nor compromised so that access not denied whenever it is required.

Similar information availability principle can be found in the provision on the originality of a document, albeit that it also imposes other measures on information integrity and confidentiality. Section 12(1) of ECA 2006 provides that:

‘Where any law requires any document to be in its original form, the requirement of the law is fulfilled by a document in the form of an electronic message, if –

(a)    There exists a reliable assurance as to the integrity of the information contained in the electronic message from the time it is first generated in its final form [emphasis added]; and

(b)    The electronic message is accessible and intelligible so as to be usable for subsequent reference [emphasis added].

Section 12(2) went on saying that the integrity of the information depends very much on whether the information has remained complete and unaltered; and the standard of reliability shall be assessed in the light of the purpose for which the document was generated and in the light of all other relevant circumstances.

Reading the whole provisions would enable us to suggest that the standard of information security required for ascertaining the originality of an electronic message will vary according to the context of every given communications and can also depend on the nature of harm and threats to any electronic message in any given information system. Thus, the more sensitive communication and information system is, the higher level of measures will be required to achieve a reliable assurance of an information integrity. This particular provision is arguably very central to the idea of setting information security standard for the e-commerce to work effectively.

To conclude, it is noted that ECA 2006 has paid a serious attention to information availability being a central prerequisite for e-commerce players in Malaysia. While the Act may not be a comprehensive ‘masterpiece’, it could arguably play vital role for the information security legal framework in Malaysia.

(An excerpt from the Interview between Shom -the reporter, with me as published in The Star Daily, 6 October 2005)

WHAT prevents people from driving recklessly, forging signatures, breaking into homes, kidnapping or stealing? Ideally, conscience should be enough but it’s more likely because people don’t want to pay the penalties for these crimes. And thanks to law enforcement, people are compelled to conduct themselves properly so the rest of us can go about our daily affairs with peace of mind.

So, if laws are essential to communities in the conventional world, what of the Internet – a networked world in which more and more of us dwell in each day?

“It is a myth that cyberlaws are ‘high profile’ legal matters that concern only techies, computer scientists and information security professionals,” said Sonny Zulhuda, a cyberlaws researcher at the International Islamic University of Malaysia (IIUM).

“In fact, cyberlaws deal with very practical and daily life matters such as our data, creativity, privacy, PCs, mobile phones as well as online activities that most of us indulge in, like chatting,” he says.

There have always been arguments about regulating the Internet.

Advocates say it stifles creativity and goes against the very ideals of the Internet especially in terms of freedom of expression.

“I believe the debate is no longer if these laws or regulations are needed but instead it is about who and how to regulate. Cyberspace needs to be regulated,” he says.

“For individual netizens, one should understand that cyberspace is no different from the space you live in.

“In this sense, I think the term cyber-neighbourhood’ is more useful,” says Sonny.

“If we do not condone criminals in our conventional neighbourhoods, then why not do the same in our online environment?”

If that is the case, what can netizens do to prevent cybercrimes?

“Awareness at minimum level should become our collective priority now. Ignorance of the law is not an excuse for anyone to infringe or injure others,” says Sonny.

In many countries, including Malaysia, the law is slowly gaining gravity in the virtual realm, in spite of much resistance from idealists who believe in a free, unregulated Internet.

The Malaysian Government was among the first in South-East Asia to create and adopt cyberlaws. Cyberlaws have existed in Malaysia since 1997 with the passing of three acts – the Computer Crimes Act 1997 (CCA), the Digital Signature Act 1997 (DSA) and the Telemedicine Act 1997. The CCA deals largely with offences related to misuse of computers, such as hacking, while the DSA helps to enable e-commerce by regulating the use of digital signatures in online transactions. The Telemedicine Act has yet to be enforced. Another law, the Communications and Multimedia Act 1998 (CMA) was passed and came into effect in 1999.

In line with it, the Malaysian Communications and Multimedia Commission (MCMC) was established to implement provisions of the CMA, which include licensing and a self-regulatory framework for licensed members, comprising players from the multimedia and content industries.

Several traditional laws have also been revised or amended address cybercrimes.

For instance, the Evidence Act 1950 has been amended several times since 1994 to adapt to the needs of the online environment. In 1999, the Copyright Act 1997 was amended to the effect that unauthorised transmission of copyright works over the Internet is considered infringement of copyright. Other laws, which may apply online as well, include the Internal Security Act 1960, Defamation Act 1957, Sedition Act 1948 and the Anti-Money Laundering Act 2001.

The Government is also in the process of finalising three new laws – the Personal Data Protection (PDP) Bill, the Electronic Transaction (ETA) Bill and the Electronic Government Bill. Of great interest to the public, particularly consumers, is the PDP Act which will regulate the collection, possession, processing and the use of personal data.

Leave the details to the lawyers, but there are some basics that every netizen should be aware about cyberlaws.

Deepak Pillai, a lawyer who practices cyberlaw, explains: “For instance, a person wrote on a piece of paper ‘I took drugs’. Another person told a friend ‘I took drugs’ while a third wrote on his website ‘I took drugs.’

“Legally speaking, all three could be charged in court for using drugs, subject of course to the police fulfilling the relevant evidentiary requirements.”

Indeed, it is a common misconception among the public that the Internet is a legal vacuum.

“Cyberlaws are essentially created to fill the gaps in existing laws to address new types of activities made possible by the advancement of technology.”

Deepak finds it disconcerting that many people unwisely reveal information about themselves online especially via weblogs or blogs.

“Internet users should understand that whatever they say or do on the Internet may be admissible in court and as such, may be the basis of a legal action against them.

“Therefore, don’t simply publish your personal history online if you don’t want it to be used against you.”

“The bottom line is: Whatever is illegal in the real world, is also illegal online.” – SHOM TEOH

By: Sonny Zulhuda

The recall of Malaysia’s existing legal landscape related to electronic business (see my previous posting here on ‘Legal Landscape of Malaysian E-Business Environment’) may result in impression that the country has done good enough. True, Malaysia should take the pride of among the regional leader in enacting legal framework for e-business. But surely enacting rules alone is not sufficient. Not only they need to be implemented, but also they need to prove their effectiveness.

In order to look into this matter, it is possible to create certain benchmarks to measure against when we assess the e-business legal landscape. Those benchmarks are represented in the following issues:

1. Have the laws helped promote the country’s economic growth through improved e-business revenues? This requires certain statistical analysis that this study is not doing. Thus, while it recommends further study to be done on this, perhaps one can learn from the symptoms; that our e-business is ever growing.
2. Second issue to consider is to what extent the existing legal framework has eradicated infringement of intellectual property rights, both of its own nationals’ and foreigners’? This measure should be addressed seriously by our policymakers so that we do not jeopardize our own pledge to become the leader of IP protection as declared in the MSC pledge and bill of guarantees.
3. How good and satisfied our e-business consumers feeling protected and given their rights? Are they any more unfortunate with their counterparts in the offline trading environment? This takes us by suspicion for some reasons. First, because while offline consumers can rely on the Consumer Protection Act (CPA) 1999, the online community does not have any law to turn to for remedies, at least for now. The CPA expressly excludes its application for electronic commercial activities. Thus, consumers may be left in a very disadvantageous situation. Secondly, in Malaysia not only people suffer from the haze over the air, but also from the worrying poor level of personal data protection. There are still recurrent stories and claims around on the misuse of personal information by certain entities, including some government agencies (It was reported in 2005 that a government agency allegedly sold people’s confidential information to some private colleges to attract potential new students. However the claim was denied by the Ministry, The Star, 6/8/2005).
4. Another important benchmark to pose here is how our corporate entities have –both private and public ones– enhanced their good corporate governance practice in relation with their preparedness for e-business environment. A traditionally good corporation, for instance, may have yet overlooked to establish policies on their information assets, security and website uses. With the surrounding potential legal liabilities, corporations should enhance their own awareness and create sound corporate online policy.

Given these benchmarks, so where is Malaysia with its ‘bunch’ of Legislation in this area? Let’s first wonder and ponder, but surely one would like to see it heading positive way.

By: Sonny Zulhuda

The need to enact, pass and thus implement e-business-related laws has been closely linked to assurance of having smooth and secure e-commerce activities and thus it is closely associated with a country’s determination to speed up development in this information era. The Malaysian Government has indeed reaffirmed this link. They include in their pledge to the international community when initiating Multimedia Super Corridor (MSC) project that Malaysia would become a regional leader in intellectual property protection and cyberlaws. This is because Malaysia believes (like other countries supposedly do) that the existence of cyberlaws in the country means guarantee for the invention, e-commerce as well as consumer protections. This is why cyberlaw is important for country’s growth and development.

Based on the nature of the scope of the legislation, e-business-related law can be categorized into two distinctive categories, firstly, those legislations that address solely the specific electronic environment and applications. Secondly, those legislations that do not solely address on electronic environment, instead they apply as a general law but applicable, in part or in totality, to the cyberspace and online environment. On the ground of these categorization, this paper makes an attempt to assess the current legal landscape of Malaysia’s e-business environment.

Since their enactment in 1997, specific set of Malaysia’s cyberlaws provided ground for establishing legal frameworks for country’s e-commerce and information security. Besides, there are other laws that have been identified as providing important grounds for the effective and efficient operation of electronic business.

1. Digital Signature Act 1997

The Digital Signature Act 1997 (enforced on the 1st of October 1998) is an enabling law that allows for the development of, amongst others, e-commerce by providing an avenue for secure on-line transactions through the use of digital signatures. The Act provides a framework for the licensing and regulation of Certification Authorities, and gives legal recognition to digital signatures.

What is the impact of this Act to the e-business environment? The background behind the rise of electronic signatures is that in online commercial activities, authentication is seen very crucial. The nature of e-business allows anonymous communications and non-physical engagement of the sales and purchases. Therefore, in order to obtain some assurance that you are who you said you are’, the engaging parties need to authenticate each others. Digital signature is one way to accomplish this task: it employs private and public keys which are certified by a trusted third party called a certification authority. So, with the use of digital signature, there is a verification of the genuineness and authentication of the sender’s identity by a trusted third party, furthermore, this process will help secure the information exchanged between the trading parties (Julian Ding, 1999).

2. Computer Crimes Act 1997

The Computer Crimes Act 1997 (effective as of the 1st of June 2000) created several offences relating to the misuse of computers. Among others, it deals with unauthorized access to computer material and computer systems (section 3), unauthorized modification of computer contents (s.5), wrongful communication of means of access (s.6) and also the abetment and attempt of the said offences (s.7). It also makes provisions to facilitate investigations for the enforcement of the Act.

How does e-business environment benefit from this Act? Basically this Act had the objectives of enlisting new criminal offences. As a general principle, criminal law aims at preserving the public by punishing the offenders. Having a criminal law in the first place would also serve as deterrent for future offenders. One could reckon that if there is any trading activity with the most risks of being interrupted by wrongdoers, it would be those in e-business environment. Because in e-business the medium used (i.e. computer and Internet systems) are always subject to people who make them as playground, and eventually to gain at the expense of others. The priceless data that are transmitted online may be subject to interception and intruders. The sophistication of technology does not prevent them from trying and eventually winning the technological race by coming up with a more sophisticated skill and device to break the system. Therefore technology alone is not sufficient and law is expected to add into this barrier for potential culprit. By imposing heavy punishment of jail and fines, the Act should serve as a deterrent instrument.

3. Communications and Multimedia Act 1998

The Communications and Multimedia Act 1998 which came into effect on the 1st of April 1999, provides a regulatory framework to cater for the convergence of the telecommunications, broadcasting and computing industries, with the objective of, among others, making Malaysia a major global centre and hub for communications and multimedia information and content services. For the implementation of this Act, there is the Communications and Multimedia Commission Act 1998 that establishes the Malaysian Communications and Multimedia Commission (MCMC) on the 1st November 1998 as the sole regulator of the new regulatory regime. Apart from the licensing regime, another cornerstone of this Act is the establishment of new self-regulatory frameworks by the communications and multimedia industries on various aspects including the content and consumer protection.

How this law helps e-business environment? This Act regulates the licensing of various multimedia services including the provision of network facilities, Internet services, content, and application as well as infrastructure services. All these services are known as the backbone of the e-business activities. Thus the Act is dealing with something very fundamental, i.e. the gateway of e-business applications. Meanwhile, the Act also creates new offences relating to the offensive content (s.211), fraudulent and improper use of network facilities (ss.232 and 233), and illegal interception of communications (s.234). These latter sections seek to achieve a secure network that provides confidence for the users of e-business services.

4. Payment Systems Act 2003

The Payment Systems Act is the principal legislation which provides for the framework of the payment systems and payment instrument. Among its objectives is to promote a reliable, efficient and smooth operation of the national payment and settlement systems and for ensuring that the national payment and settlement systems policy is directed to the advantage of Malaysia. According to the Act, this noble task will be spearheaded by the Central Bank itself (BNM).

How is this Act strengthening the environment of e-business? This can be answered in many ways. First, the description in its definition section (s.2) that payment instrument includes tangible and intangible payment methods, thus this strengthens the legality and reliability of electronic business environment. In other parts of this Act it is required for every issuer of designated payment instruments to ensure adequate operational arrangements including measures to ensure prudent management of funds. This is all in order to guarantee the safety and reliability of the payment instrument itself (s.28). This provision absolutely emphasizes on the need to have strong corporate governance and risk management especially for the institutions that operate the payment instrument as designated by the Act.

5. Electronic Commerce Act 2006

In line with the development of international electronic commerce law, Malaysia has stepped up efforts to lure increasingly huge market for online business by enacting the Electronic Commerce Act recently. The Act mentions in its title that it provides for legal recognition of electronic messages in commercial transactions, the use of the electronic messages to fulfill legal requirements and to enable and facilitate commercial transactions through the use of electronic means and other matters connected therewith.

What is the benefit of this Act to the e-business environment? The enactment of this law would provide the public the needed assurance that the law is ready to equip e-business with legal remedies similar to what it gave to the traditional business environment, thus it creates certainty and reliability. The Act further removes the uncertainties about the application of writing and signature requirements. This is akin to unblocking the psychological barrier that tends to prevent both industries and consumers from maximizing their transactions online.

6. Minimum Guidelines on the Provision of the Internet Banking Services by Licensed Institutions

This guideline was issued by Bank Negara Malaysia (BNM). It sets out minimum guidelines that licensed banking institutions in Malaysia should observe in providing Internet banking services. It also states that banking institutions are free to adapt more stringent measures and are expected to keep abreast not only with technological developments, but also the needs of their customers. The guideline explains, among other things, types of Internet banking and risks. It also provides various aspects of corporate governance such as prudential regulations and supervisions, risks management practices, security requirements, consumer protection and compliance with other requirements (Abu Bakar Munir, 2004).

What Malaysia’s e-business can gain from this administrative guideline? In the e-business ecosystem, banks play vary important role. Too fit in with the new challenges, banking system today has also transformed itself into survival by engaging in online operation. With borderless nature of business today, Internet banking is a panacea for traditional bureaucracies that had previously defined bank’s operations. Thus, in order not to loose this important momentum, the central bank’s initiative to issue this guideline is just timely and imperative, that is to ensure the bank plays its traditionally important role in a new ecosystem.

7. Other Laws Applicable for Online Environment

In this section, we are looking at other laws that can be used to apply on e-business environment. These laws include the Penal Code, the Copyright 1987 and the Evidence Act 1950.

The Penal Code stipulates primary criminal offences in Malaysia and their punishments. These offences apply in general circumstances in so long there is no exception to such generality. For that matter, some provisions of Penal Code do apply for online environment. This type of provisions include the offences of fraud (s.415), e.g. for cases such as online fraud; impersonation (s.416); extortion (s.383), distributing obscene materials (s.292), as well as criminal defamation (s.499), which was used to charge the defaming email involving popular singer Siti Nurhaliza in a 2005 case (the case was discharged but not amounting to acquittal). More interestingly, the Penal Code has also recognized that the meaning of ‘document’ is to include a matter recorded, stored, processed, retrieved, or produced by a computer (s.29(1)(c)). This definition has aptly accommodated the need for secure online environment.

Meanwhile, the Evidence Act has experienced several amendments so as to adapt to online environment. It lays down rules for the admissibility of computer-generated document and of statements contained therein. These rules apply to criminal and civil proceedings (s.90A, 90B and 90C). The Act provides that the document is admissible if it was produced by the computer in the course of its ordinary use. It nevertheless requires the person responsible for the management of the computer, or for the conduct of the activities for which that computer was used, to sign a certificate proving that the document was produced by a computer in the ‘course of its ordinary use’.

Last but not lest, an appraisal is also due to another important piece of legislation, i.e. the Copyright (Amendment) Act 1997, which makes unauthorized transmission of copyright works over the Internet an infringement of copyright. It is also an infringement of copyright to circumvent any effective technological measures aimed at restricting access to copyright works. These provisions are aimed at ensuring adequate protection of intellectual property rights for companies involved in content creation in the ICT and multimedia environment. This Act clearly imposes stricter rule in relation to copyright in the course of e-business environment. This is necessary because the nature of e-business makes it so much easy to transmit copyrighted materials and make unlimited copies of similar quality in a very short time.

(Note: More to come is the Electronic Government Activities Act 2007

By Sonny Zulhuda

The increasing numbers of transactions in both international and local trade are carried out by means of electronic data interchange and other means of communication, commonly referred to as electronic commerce (e-commerce). This e-commerce seeks at the use of alternatives to paper-based methods of communication and storage of information (Chissick & Kelman, 2000). This substitution is increasingly phenomenal today where more and more applications are used to eventually turn the Internet as a virtual business sphere. Nevertheless this initiative is more technologically advanced rather that its other aspects. If the traditional trading activities are already well equipped with traditional sets of laws and regulatory frameworks, its new electronic environment is not the same. Certainly this was the motives that pushed the United Nations Commission on International Trade Law (UNCITRAL), an international body under the United Nations, to look at possible model laws that seek to equip this new environment.

In an electronic business environment, a good law is supposed to provide a conducive framework in which the compliance would eventually serve as facilitator instead of barrier to the business (Lallana, 2004). Thus, the first and utmost function of the law here is to legitimize the use of electronic tools and methods for the purpose of contract and commercial transactions. Furthermore, there are general principles that ought to be considered by the policymakers and lawgivers in this country in respect with the law of electronic commerce, which include: preservation of national interest, harmony with national legal system and international initiatives, a balance between potential conflicting interests such those of industry and public consumers, and last but not least, being technology neutral, and anticipative of future challenges, given the evolving nature of the Internet and information technology.

One of the important pillars of an e-business legal framework is the preservation of national interest. It follows that all legal and regulatory frameworks to be put for facilitating the e-business would have to observe the objectives of national comprehensive development program, be it economic, educational, social, cultural and political goals. Thus any measures of adopting principles of any international or foreign laws and practices shall not contradict this first requirement.

Another crucial work to do in providing e-business laws is that they need to ensure a harmonious framework within the existing national legal system and in accordance with current international initiatives and expectation, given the borderless nature of the e-business (The United Nations, 2004). Thus, the e-business legal framework should not undermine the existing legal and regulatory framework on commercial activities such as existing laws on contracts, sales of goods, banking, and property as well as consumer protection. Unless this principle is given sufficient care, we would only end up having clashing laws and therefore obsolete and inapplicable.

While keeping the harmony of national legal system is very important task yet not an easy one, the policymakers should also bear in mind the current initiatives of the international community which reflect their expectation when it comes to trans-border electronic commercial trades. This approach is imminent because e-commerce and Internet are both global and trans-border. Constructive adoption and comparison needs to be looked at, either from international legal instruments or other foreign jurisdictions.

This international community may be represented in the UNCITRAL who had come up with a series of model laws such as e-commerce model law and e-signature model law. These model laws, amid their non-binding nature, provide very useful guidelines of certain benchmark acceptable by international community. Besides, Malaysia should also be mindful of their trading partners’ expectation specifically on certain issues. Fro example, the European partners’ strict expectation on trans-border data flow that is required on their international trading activities. This requirement, envisaged in the EU Directives 1995 on Personal Data Protection, had created some lengthy debates between the EU and their trading partners especially from the US and Australia (Abu Bakar Munir & Siti Hajar, 2002). Other than this issue, others such as intellectual property requirements (under the TRIP/WTO Agreements) and information security and privacy requirements under the APEC Privacy Framework, US’ Sarbanes-Oxley Law or Cybercrime Convention 2001 (which Malaysia, however, is not a member yet). It is noteworthy that the international regulatory framework has experienced its fastest change lately especially due to the increasing worry over global terrorism and dramatic increase of trans-border cybercrime.

Apart from the above principles, any initiative to lay down the legal and regulatory framework on e-business should always remember that the aim of such law is to facilitate the business and encourage the industry and technology developers, not to slow down them. Technology is by nature insensitive about laws and rules. Thus law is needed to keep the technology in track, benefiting everybody not only the industry but also the consumers at large. These two interests, though often conflict each other, were necessary to keep the e-business and the country’s economy alive. Therefore no one should be ever sacrificed for the sake of another. This is another balance that has to be taken care of. The laws and regulations should provide solutions instead of problems.

Another fundamental principle for e-business legal and regulatory framework is that the law, regulation or accompanying policy must be technology neutral. That means that the law and regulations to be produced should not limit themselves to one specific technology and thus close the way to adopt other technologies. This is more crucial in dealing with the information and communications technologies that are fast evolving and ever-changing. Thus, the law and regulation shall be technology neutral, making it applicable to adapt into ever-evolving technological environment and infrastructures.

This anticipative objective is essential in order for the proposed legal and regulatory framework to accommodate future problems and challenges surrounding the protection of national information infrastructure. On this basis, the proposed legal and regulatory framework being sought should be practicably workable, feasible and enforceable.

References:

Abu Bakar Munir & Siti Hajar Mohammad Yasin. (2002). Privacy and data protection: a comparative analysis with special reference to the Malaysian proposed law. London: Sweet & Maxwell.

Chissick, M. & Kelman, A. (2000). Electronic commerce: law and practice. 2^nd Ed. London: Sweet & Maxwell.

Lallana, I.C. (2004). An overview of ICT policies and e-strategies of select Asian economies. (UNDP-APDIP). New Delhi: Elsevier.

United Nations. (2004). Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific: current challenges and capacity-building needs. New York: UN.