In October 2021, the Malaysian Communications and Multimedia Commission (“MCMC”) announced that it would be implementing light touch regulations on cloud services[1] (“Cloud Regulations”) with effect from 1 January 2022 (see our LHAG Update, Cloud Service Regulation to Come into Effect January 2022, published on 22 October 2021).
As it stands, the MCMC will not be introducing a new standalone regulation for cloud services but will instead leverage on the existing regulatory framework (for details, please see below).
Following the October 2021 Advisory Notice (FAQs) on the Cloud Regulations, the MCMC has subsequently issued the following updates dated 17 December 2021:
The Updated FAQs and Information Paper offer further clarification on the regulatory framework for cloud services under the light touch regulations and include additional guides on enforcement not previously dealt with in the October 2021 Advisory Notice.
Cloud service providers will need to be licensed under the Applications Service Provider Class licence (“ASP (C) licence”), which typically regulates end-consumer activities involving voice services, data services, Internet access and electronic commerce.
Among the salient updates provided by the MCMC in the Updated FAQs and Information Paper are that:
(a) The Cloud Regulations come into effect from 1 January 2022. This notwithstanding, a grace period from 1 January 2022 until 31 March 2022 will be given and registration during this period will be accepted by the MCMC. The Cloud Regulations (i.e. the requirement for certain cloud service providers to register for an ASP (C) licence) will be fully enforced beginning 1 April 2022.
(b) There will be no changes or introduction of a new regulatory provision to the existing legal framework to regulate the licensing of cloud services. Instead, the MCMC will rely on Regulation 30(1)(j) of the current Communications and Multimedia (Licensing) Regulations 2000 (issued pursuant to the Communications and Multimedia Act 1998 (“CMA”)) to implement the licensing regime for cloud services.
(c) The requirement to be licensed is dependent on whether a cloud service provider has local presence. In this respect, local presence will be determined in the following manner:
(i) A person that is locally incorporated/established in accordance with applicable laws. This notwithstanding, a local branch of a foreign person will not qualify as being locally incorporated/established as branches of a foreign person will still be regarded as part of such foreign person.
(ii) A person that is locally incorporated/established in accordance with applicable laws and provides cloud services that originates from a foreign cloud service provider, through its local data centre. In this situation, the provisioning of foreign cloud services would be undertaken by the local data centre which has control over the cloud services offered to end users.
The following are updated illustrations as to what constitutes “local presence”:
• Scenario 1: Company A is a locally incorporated company providing cloud services to end users. Company A is required to be registered under the ASP (C) licence for providing the said services.
• Scenario 2: Company B is not a locally incorporated company but provides cloud services through a local data centre, Company C, to end users. Company C is required to be registered under the ASP (C) licence for providing the foreign cloud service provider’s services through its local data centre.
• Scenario 3: Company D is not a locally incorporated company and does not provide cloud services through any local data centres to end users. Company D is not required to be registered under the ASP (C) licence.
• Scenario 4: Company E is not a locally incorporated company, but has a local branch. As the branch is not considered as having local presence, it need not be registered under the ASP (C) licence.
(d) The following persons or activities will not be subjected to the licensing requirement:
(i) Pure software providers, e.g. persons only providing software and solutions with reliance on other cloud computing platform and infrastructure.
(ii) Cloud computing resellers, e.g. local companies reselling cloud services or products provided by large cloud service providers and do not have any control over the cloud services or products.
(e) In respect of cloud services offered to “end users”, these shall refer to natural persons (individuals) or artificial persons (corporations).
(f) There will not be any restriction on foreign shareholding and licensees are allowed to be 100% foreign-owned.
(g) Web hosting and client server activities will remain as exempted applications services under the Communications and Multimedia (Licensing) (Exemption) Order 2000.
(h) As previously indicated, a waiver on the Universal Service Provision (“USP”) fund contribution will be applicable and revenue generated from the cloud service activity will not be subjected to the contribution for the USP fund.
(i) For existing ASP (C) licensees that are providing cloud services, such persons may continue providing cloud services under the existing ASP (C) licence, but would be required to include cloud service activities as one of the activities undertaken (where applicable), during the re- registration of the same licence for the following year.
(j) Providing cloud services without a licence will now amount to an offence pursuant to the CMA (subject to the prescribed grace period). Service providers are advised to obtain the required licences before commencing operations.
With the above updates in place, cloud service providers are reminded to register for the ASP (C) licence within the allocated grace period to avoid any service disruptions and potential enforcement action being taken by the MCMC. For better compliance and risk management, end-user organisations and cloud service providers may refer to the MCMC’s Technical Code on Information and Network Security ― Cloud Service Providers Selection (First Revision) (registered August 2021), which specifies the relevant security requirements that should be taken into account by organisations when selecting a cloud service provider.
REFERENCES:
1 Pursuant to the Updated FAQs and Information Paper, “cloud services” means any “service made available to end users on demand via the Internet from a cloud computing provider’s server.”
Learn more about our partners who specialize in this area