Myanmar Cyber Security Bill seeks to regulate online activity and access to information

11 May 2022

The Myanmar Ministry of Transport and Communications (“MOTC”) has circulated a new draft Cyber Security Bill (“Bill”) among stakeholders for consultation. The Bill is intended to replace the Electronic Transactions Law 2004 (“ETL”) and sets out measures for protecting cyberspace, personal information and critical information infrastructures as well as licensing requirements for providing cyber security and digital platform services.

The Bill applies to Myanmar residents, including Myanmar citizens and foreigners temporarily or permanently residing in Myanmar, and any matters of communications made with anyone either directly or indirectly with regards to cyber resources within the national cyberspace. The Bill seeks to have extraterritorial applicability, noting that offences can be committed under the Bill both domestically and internationally.

The Bill was circulated for consultation in January 2022 and there is currently no clear timeline for its introduction as law. This Article sets out the key highlights of the Bill at this stage.

Power to inspect computers

The Bill provides the authorities responsible for the protection of cyberspace with the power to inspect, and intervene with, the computer or computer system of persons who are suspected of security threats, cyberattacks or cyber fraud and those related to such persons. MOTC is also empowered, with the approval of the Union Government, to temporarily control devices related to the provision of digital platform services. The Bill also requires prior approval for the establishment or use of virtual private networks (VPNs) and similar tools on networks licensed under the Telecommunications Law 2013.

Disclosure of personal information

The term “personal information” includes any information relating to an individual which has been verified or is capable of being verified. Under the Bill, those responsible for managing and maintaining personal information requires consent from the relevant individual or organisation to disclose or distribute personal information. This definition is set out in section 27A of the ETL.

Licensing framework

Key features of the licensing framework set out in the Bill include the following:

  • Electronic certification services: In order to validate the authenticity and integrity of an electronic or digital certificate, service providers must obtain authorisation to provide such services from the Electronic Communications Supervision Committee, together with the Cyber Security Steering Committee (“CSSC”).
  • Cyber security services: An individual or entity seeking to provide cyber security services is required to apply for the approval of the CSSC through the Department of Information Technology and Cyber Security (“DITCS”). The Bill defines “cyber security services” as security services provided via cyber sources or similar systems or materials with regard to information technology systems.
  • Digital platform services: The Bill requires digital platform service providers to obtain a licence from the CSSC through the DITCS. The term “digital platform service” is defined in the Bill as an over-the-top service that can provide data, information, images, voices, texts and video online by using cyber resources and similar systems or materials. A digital platform service provider with more than 100,000 users in Myanmar must:
    • store users’ data in accordance with the prescribed data classification rules;
    • register the company in accordance with the Myanmar Companies Law 2017; and
    • pay taxes in accordance with the relevant tax laws.

Administrative and criminal liability

Failure to comply with the provisions under the Bill will attract administrative and criminal liability. Offences under the Bill are recognised as cognisable offences and punishable by imprisonment for a term ranging from one month to three years or a fine not exceeding MMK10,000,000 or both.