As many are already aware, following the change of government in Myanmar on February 1, 2021, a draft Cyber Security Law was proposed which attracted widespread criticism.
However, less attention has been paid to significant amendments to two existing laws, some of which have a similar effect to parts of the draft Cyber Security Law. In other words, while the draft Cyber Security Law has not progressed further and is under public scrutiny, significant elements of it have found their way into law in Myanmar by other routes. Because these amendments are already law, it is very important that individuals and businesses in Myanmar understand their implications.
The Law Protecting the Privacy and Security of Citizens (2017), or the “Privacy Law,” was amended on February 13, 2021, less than two weeks after the military government came into power. These amendments chiefly address the power of the government to conduct searches, seizures, and arrests; to extend detention without judicial oversight; and to carry out broad surveillance and investigation activities that could intrude on individual privacy. The amendments accomplish this by suspending various sections of the Privacy Law for as long as the State Administration Council (the military body now governing Myanmar) is in power. The suspended sections include the following:
The relevant part of Section 5 of the Privacy Law states, “The responsible authorities shall … when acting in accordance with existing law, not enter into a person’s residence or a room used as a residence, or a building, compound or building in a compound, for the purpose of search, seizure, or arrest, unless accompanied by minimum of two witnesses who should comprise Ward or Village Tract Administrators…”.
The suspension of this section means that government agents can now enter people’s homes for the purposes of search, seizure, and arrest without civilian witnesses.
Section 7 of the Privacy Law states that “No one shall be detained for more than 24 hours without permission from a court unless the detention is in accordance with existing law.”
The suspension of this section means that individuals in Myanmar may now be detained in prison indefinitely without the intervention of court proceedings.
Section 8 of the Privacy Law is the most wide-ranging and covers arrest, search and seizure of property, interception of telecommunications without proper authority, and various other issues of personal privacy:
“In the absence of an order, permission, or warrant issued in accordance with existing law, or permission from the Union President or the Union Cabinet, a Responsible Authority:
Because of the suspension of this section, any of the above actions by governmental authorities now appear to be lawful in Myanmar.
On February 15, 2021, the Electronic Transactions Law (2004)—the “ET Law”—was amended to introduce a broad exception allowing government confiscation of personal data, and a prohibition on sharing various types of information online. It is interesting to note that previously—in the draft of the Cyber Security Law—the administration intended to repeal the ET entirely, but this approach appears to have changed, as detailed below.
The data protection elements of the draft Cyber Security Law have essentially been incorporated into the new Chapter 10 of the amended ET Law. These provisions are brief and not comparable to the standards achieved by personal data protection regimes in other modern legal frameworks.
This chapter provides a new exception (Section 27-C) to the safe management of personal data in the case of “detecting, investigating, organizing of information, verifying the information conducted in accordance with management power on the cyber security and cybercrime matters relating to stability, tranquility, national security of the state.” “Stability,” “tranquility,” and “national security” are not defined in the legislation, but a wide enough interpretation would allow the government sweeping authority to obtain the personal data of any individual in Myanmar whenever it considers it necessary to do so.
Posting information on the internet is dealt with in Section 38-C of the amended law: “Whoever, at the cyber space, commits creating false news or fake news with the intention to cause public panic, to lost trust, to lower the dignity by public or to destroy the unity of any association, on conviction shall be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years or with a fine not exceeding ten million Kyats or with both.”
This legislation does not define “false news,” “fake news,” “public panic,” “lost trust,” “lower dignity,” or “destroy unity” which leaves room for wide interpretation and use.
The combined effect of these amendments is that government agents may, without court intervention:
As these legal developments represent potentially significant shifts in the legal landscape for Myanmar, all individuals and businesses in Myanmar need to be fully aware of the changes.
Foreign investors with businesses and entities in Myanmar often share data between their Myanmar businesses and entities and their group companies outside of Myanmar. Such foreign investors are also typically subject to data protection and other privacy laws in other countries. We would advise such foreign investors to review their existing operations and data handling protocols in the context of both such extraterritorial laws and the aforesaid legislation giving the Myanmar military government broad powers of access to data, and adjust their operations and handling of data, in order to ensure that they are not in breach of their such extraterritorial obligations relating to data protection and privacy.
We wish to keep you informed of the current state of affairs in Myanmar. For more information about any aspect of doing business in Myanmar, please contact Justin Tan of Clyde & Co at Justin.Tan@clydeco.com or Ross Taylor of Tilleke & Gibbins at firstname.lastname@example.org.