24 February 2021
As many are already aware, following the change of government in Myanmar on February 1, 2021, a draft Cyber Security Law was proposed which attracted widespread criticism.
However, less attention has been paid to significant amendments to two existing laws, some of which have a similar effect to parts of the draft Cyber Security Law. In other words, while the draft Cyber Security Law has not progressed further and is under public scrutiny, significant elements of it have found their way into law in Myanmar by other routes. Because these amendments are already law, it is very important that individuals and businesses in Myanmar understand their implications.
Amendments to the Law Protecting the Privacy and Security of Citizens
The Law Protecting the Privacy and Security of Citizens (2017), or the “Privacy Law,” was amended on February 13, 2021, less than two weeks after the military government came into power. These amendments chiefly address the power of the government to conduct searches, seizures, and arrests; to extend detention without judicial oversight; and to carry out broad surveillance and investigation activities that could intrude on individual privacy. The amendments accomplish this by suspending various sections of the Privacy Law for as long as the State Administration Council (the military body now governing Myanmar) is in power. The suspended sections include the following:
-
Section 5: Search, seizure, and arrest without civilian observation
The relevant part of Section 5 of the Privacy Law states, “The responsible authorities shall … when acting in accordance with existing law, not enter into a person’s residence or a room used as a residence, or a building, compound or building in a compound, for the purpose of search, seizure, or arrest, unless accompanied by minimum of two witnesses who should comprise Ward or Village Tract Administrators…”.
The suspension of this section means that government agents can now enter people’s homes for the purposes of search, seizure, and arrest without civilian witnesses.
-
Section 7: Indefinite detention (habeas corpus)
Section 7 of the Privacy Law states that “No one shall be detained for more than 24 hours without permission from a court unless the detention is in accordance with existing law.”
The suspension of this section means that individuals in Myanmar may now be detained in prison indefinitely without the intervention of court proceedings.
-
Section 8: Wide-ranging individual privacy rights
Section 8 of the Privacy Law is the most wide-ranging and covers arrest, search and seizure of property, interception of telecommunications without proper authority, and various other issues of personal privacy:
“In the absence of an order, permission, or warrant issued in accordance with existing law, or permission from the Union President or the Union Cabinet, a Responsible Authority:
-
Shall not enter into a citizen’s private residence or a room used as a residence, or a building, compound or building in a compound, for the purpose of search, seizure, or arrest.
-
Shall not surveil, spy upon, or investigate any citizen in a manner which could disturb their privacy and security or affect their dignity.
-
Shall not intercept or disturb any citizen’s communication with another person or communications equipment in any way.
-
Shall not demand or obtain personal telephonic and electronic communications data from telecommunication operators.
-
Shall not open, search, seize or destroy another person’s private correspondence, envelope, package or parcel.
-
Shall not unlawfully interfere with a citizen’s personal or family matters or act in any way to slander or harm their reputation.
-
Shall not unlawfully seize the lawfully owned movable or immoveable property of a citizen, or intentionally destroy it either directly or by indirect means.”
Because of the suspension of this section, any of the above actions by governmental authorities now appear to be lawful in Myanmar.
Amendments to the Electronic Transactions Law
On February 15, 2021, the Electronic Transactions Law (2004)—the “ET Law”—was amended to introduce a broad exception allowing government confiscation of personal data, and a prohibition on sharing various types of information online. It is interesting to note that previously—in the draft of the Cyber Security Law—the administration intended to repeal the ET entirely, but this approach appears to have changed, as detailed below.
-
Government access to personal data
The data protection elements of the draft Cyber Security Law have essentially been incorporated into the new Chapter 10 of the amended ET Law. These provisions are brief and not comparable to the standards achieved by personal data protection regimes in other modern legal frameworks.
This chapter provides a new exception (Section 27-C) to the safe management of personal data in the case of “detecting, investigating, organizing of information, verifying the information conducted in accordance with management power on the cyber security and cybercrime matters relating to stability, tranquility, national security of the state.” “Stability,” “tranquility,” and “national security” are not defined in the legislation, but a wide enough interpretation would allow the government sweeping authority to obtain the personal data of any individual in Myanmar whenever it considers it necessary to do so.
-
Internet posts
Posting information on the internet is dealt with in Section 38-C of the amended law: “Whoever, at the cyber space, commits creating false news or fake news with the intention to cause public panic, to lost trust, to lower the dignity by public or to destroy the unity of any association, on conviction shall be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years or with a fine not exceeding ten million Kyats or with both.”
This legislation does not define “false news,” “fake news,” “public panic,” “lost trust,” “lower dignity,” or “destroy unity” which leaves room for wide interpretation and use.
The combined effect of these amendments is that government agents may, without court intervention:
-
Arrest and indefinitely detain anybody in Myanmar;
-
Seize or destroy property;
-
Intercept communications whether electronic or postal;
-
Access personal data wherever located;
-
Demand information from telecommunications service providers; and
-
Arrest and detain individuals for online posting of content deemed undesirable.
As these legal developments represent potentially significant shifts in the legal landscape for Myanmar, all individuals and businesses in Myanmar need to be fully aware of the changes.
Key Points for foreign investors to note
Foreign investors with businesses and entities in Myanmar often share data between their Myanmar businesses and entities and their group companies outside of Myanmar. Such foreign investors are also typically subject to data protection and other privacy laws in other countries. We would advise such foreign investors to review their existing operations and data handling protocols in the context of both such extraterritorial laws and the aforesaid legislation giving the Myanmar military government broad powers of access to data, and adjust their operations and handling of data, in order to ensure that they are not in breach of their such extraterritorial obligations relating to data protection and privacy.
For further information, please contact:
Justin Tan, Partner, Clyde & Co
justin.tan@clydeco.com