Update on Draft Cybersecurity Law and its Impacts on Digital Rights and the Digital Economy

A safe and secure digital environment, based on international standards on data protection, rule of law and international human rights, is important to Myanmar’s sustainable development.

MCRB, together with other stakeholders, is concerned about the latest amendments to the draft Cybersecurity Law circulated for comment to Ministries, Central Bank, Union of Myanmar Chambers of Commerce and Industry, Myanmar Computer Federation, telecoms licence holders, and banking and financial institutions by the Ministry of Transport and Communications on 13 January 2022.

Since 2014, MCRB has advocated for Myanmar to develop a cybersecurity legal and policy framework which includes safeguards consistent with international standards of human rights protection. Read a summary of our previous advocacy. A safe and secure digital environment, based on international standards on data protection, rule of law and international human rights, is important to Myanmar’s sustainable development, including the development of the digital economy.

The following is a summary of the latest developments and statements, MCRB’s own views, and inputs from a range of business and NGO stakeholders which we will update over the coming weeks.

Current Status of the Draft Cybersecurity Law

The covering letter circulated with the January 2022 draft states that the E-Government Steering Committee decided in November 2019 that the CyberLaw Drafting committee and the Cyber Security Sub-committee should jointly prepare a draft Cybersecurity Law. (This Steering Committee was established on 24 January 2018 and chaired by then Vice-President-1, Myint Swe, with the then Minister of Transport and Telecommunications, and the Union Government Minister, as Deputy Chairs. Daw Aung San Suu Kyi was Patron.)

The covering letter says that a first draft was sent to relevant departments and organisations on 8 February 2021. Comments received from a variety of stakeholders in February 2021 were considered by the e-Government Implementation Working Committee on 15 September 2021 and amendments made to the draft law. The revised draft was considered by the CyberLaw Drafting committee and the CyberSecurity sub-committee on 13 October 2021 and 13 December 2021.

Analysis of the draft shows that provisions concerning privacy and data protection, which were originally included in the February 2021 draft cybersecurity law but were instead adopted in the form of an amended Electronic Transactions Law, have been reintegrated into the January 2022 draft Cybersecurity law. The draft law states that the Electronic Transactions Law will be amended if and when this law is adopted.

Impacts of the draft Cybersecurity Law

A range of organisations has responded to the draft Cybersecurity Law, highlighting deep concerns about the impact that the draft law would have on businesses of all sizes, both Myanmar and international, as well as on organisations and individuals across the country.

Digital rights NGO Free Expression Myanmar (FEM) has prepared an unofficial English translation, annotated to show changes from the February 2021 draft, and conducted an extensive analysis of the impact of the 2022 draft law on human rights. They note that all of the previous concerns from the February 2021 draft remain, including internet shutdown and specific website blocks, with the lack of any safeguards to these controls; extraterritoriality; an increase in criminalisation and long prison terms for a variety of free speech ‘offences’; making internet intermediaries criminally liable for content; weaknesses in data protection; and data localisation requirements without detailed explanation of the data classification process.

FEM identify new elements in the January 2022 draft which:

  • Criminalise the use of Virtual Private Networks (VPN) with a punishment of up to three years imprisonment and a fine (Art. 90). In the current circumstances this would effectively criminalise access to Facebook, which has been blocked by the military since 4 February 2021. Given that VPNs are needed to access Facebook, any individual or business that posted on Facebook could in effect be creating evidence of a crime. Businesses also use VPNs to exchange data securely, but could potentially apply for a waiver to the ban (Art. 62). Any individual who encouraged the use of VPNs could also face a punishment of up to three years imprisonment and a fine (Art. 89c, which covers ‘(c) Encouraging or assisting access to cyber source in violation of the regulations prescribed by the law’). This could include businesses which used Facebook to communicate with customers, phone shops that install VPNs, media outlets and civil society organisations who promote VPN use, or digital rights defenders who give security training.

  • Undermine judicial due process, regarding the right of those accused of crimes to be confronted with the evidence against them; instead courts must defer to findings of a proposed State-run “National Digital Forensic Laboratory” (Art. 63–67). There are also a variety of provisions which give the government legal authority to check and take over the systems of digital businesses, order content deleted, block digital platforms, revoke business licences, and seize individuals’ computers or phones, all without judicial oversight (Arts. 60, 61b, 35, 61c, 71-78, 55, 57).

  • Allow for blocks to digital businesses and social media on arbitrary grounds and without safeguards or judicial due process (Chapter 15), in violation of the right to freedom of expression.

  • Criminalise platforms like Facebook for hosting criticism. The previous 2021 draft would have made digital businesses, such as Facebook and YouTube, criminally liable for hosting any expression that the authorities decided fell under five vague categories (Arts. 29 and 61). The five categories included expressions that were vital for democratic debate and were lawful offline. The 2022 draft adds a sixth vague category of expression that the authorities could order deleted: “expressions that damage an individual’s social standing and livelihood” (Art. 35f). This sixth category does not use any of the common Burmese language descriptions of defamation, and there is no requirement that the expression needs to be true, or needs to be an assertion of fact, or that it should create serious harm. Instead, it would best be described as simple criticism. Any international businesses operating outside of Myanmar could ignore the order. However, they would still face the risk of their employees being charged in absentia, or their services being blocked (Art 86, 100, 101).

  • Remove provisions criminalising the specific crime of seeking, receiving, or imparting content showing sexual abuse of children (Art. 69). However, the crime of sharing sexually explicit content (Art. 96) is retained in the 2022 draft. The provision is vague and could be used to violate the right to freedom of expression and access to information. For example, people, including teachers and civil society workers, could be criminalised for providing sex education, discussing women’s bodies, or raising awareness of LGBTIQ issues.

Digital rights NGO Access Now also released a 27 January statement highlighting the shortcomings of the draft.

On May 2, 2022, the Centre for Law and Democracy (CLD) provided its assessment of the draft Law, which reflects the above-mentioned concerns and explains how the draft Law breaches international human rights guarantees.

From the private sector perspective, the Global Network Initiative, a multistakeholder coalition that brings together major ICT companies and others, in a statement on 31 January 2022 called for withdrawal of the draft law and identified its ‘vague and overbroad’ approach to the prohibition and regulation of content, prosecution of cybercrime, data retention, and the use of virtual private networks (VPNs) as being out of line with international law, business expectations, and the SAC’s stated intentions to enable safety and security, protect personal information, support the digital economy, and “protect the authenticity and integrity of electronic information.” More specifically it identified:

  • Vague and Overbroad Prohibitions of content, all of which are “either too vague or described too broadly to comport with international standards related to freedom of expression (Art. 35)” and “new provisions criminalizing vaguely-defined forms of content and conduct online, including troubling penalties for misinformation and disinformation (Art. 91).”

  • Overbroad Authorities that could severely interrupt or block digital commerce without rule of law protections.

  • Data localisation and retention. GNI notes that ‘the draft law would require digital platform service providers with over 100,000 users in Myanmar to store user data “in a place designated by” the Ministry of Transport and Communications, in addition to registration requirements for internet service providers. These companies would also be obligated to retain the unique user-identifying information such as “telephone number, identification card number and address of the service users” and “any other information directed by [the authorities]” (Art. 37), and to provide such information to any “assigned person or authorized organization” that requests it “under any existing law” (Art 38). These provisions are out of line with regional and global standards and expectations and would create significant costs and burdens on covered companies. Taken together, they create a serious risk that these companies would be required to hand over sensitive user data to the government in violation of users’ privacy and expectations, without any due process or independent oversight.’

  • Prohibitions on VPNs. Like FEM, GNI draws attention to the prohibitions on VPNs and notes how important VPNs are for business and individuals. The GNI statement challenges the SAC assumption that disruptions to businesses using VPNs can be addressed through waivers: it notes that despite the possible waiver for business “given the fact that their use is being criminalized, it is unrealistic to expect any significant number of individuals or businesses to request or receive such waivers (Art. 62)”.

A joint statement on 28 January 2022 by the US, EU, Australian, British, French, German, Greek, and Italian Chambers of Commerce in Myanmar and the US ICT Council for Myanmar, and Myanmar Private Equity & Venture Capital Association (PEVCA) expressed deep concern about the draft law and focussed on the provisions concerning Virtual Private Networks (VPNs), non-social media digital platform services, and business use of social media, noting that access to information, technology and services is essential to operations and a healthy national digital economy, and that if adopted and enforced, this would disrupt the free flow of information and directly impact businesses’ abilities to operate legally and effectively in Myanmar. This statement is open to other chambers to align to (contact Eurocham).

The Asia Internet Coalition, an alliance of 16 leading internet companies in Asia, issued a similar statement on 14 February noting that the draft law undermines user privacy, limits freedom of expression and creates undue burdens on domestic and foreign businesses. Adoption of the draft law as written would make compliance by international companies impractical, and the coalition urges the Myanmar authorities to reconsider. The AIC comments that:

"Digital economy ecosystems depend on cross-border exchange of knowledge, technical know-how, scientific and commercial information across transnational IT networks, as well as access to digital tools and global market opportunities that help sustain economies, expand literacy, and raise global living standards. The draft law is, therefore, contrary to the digital economy goals of Myanmar, and will disrupt business continuity, reduce opportunities for digital innovation, including various missed opportunities for inclusive development, thereby causing wider economic losses, less predictable investment climate, reduced foreign direct investment. The draft law, which is not aligned with international best practices, would deprive users and businesses of products and services that digital platforms offer".

Individual companies such as Telenor have also issued public statements, and law firms have issued analyses.

The Union of Myanmar Chambers of Commerce and Industry submitted comments which cover issues such as the impact of the VPN user ban, and encourage the Ministry to undertake wider consultation on a number of the problematic issues in the draft. The Myanmar Computer Federation is also believed to have provided a limited response.

MCRB View

MCRB shares the above analyses, and in particular, the view of UMFCCI and other organisations that the proposed ban on VPNs and similar technologies would pose a significant burden to the country and wider society, and that Articles 62 and 90 relating to VPN usage should be dropped.

Taken with the current SAC-imposed blocks on many social media sites, particularly Facebook, these provisions would mainly criminalise those who use Facebook to communicate, since VPNs are needed to access Facebook and other blocked sites provided by the internet services which are obeying the Ministry’s instructions.

Since 2013, MCRB has worked with a wide range of partners including large and small businesses, local civil society organisations and international NGOs, and government departments to promote responsible, sustainable and inclusive business in Myanmar. We have co-hosted four Myanmar Digital Rights Forums, four national conferences on Communities and Tourism and many other events and dialogues across the country on topics as diverse as disability inclusive business, policy and regulatory frameworks for sustainable gold mining, and environmental impact assessments. The common thread across all of these activities has been the importance of social media, and in particular Facebook, as a means to build ‘communities of practice’ across Myanmar who stay in touch and learn from one another and from the wider world, including similar interest groups in ASEAN and beyond.

Furthermore, businesses, particularly small businesses such as community-based tourism initiatives and F&B outlets, use Facebook and other digital services to connect to customers. Environmental groups use Facebook to raise awareness of issues such as waste, climate change and deforestation, and to encourage sustainable practices and organise volunteer trash collection. Business schools and associations use it to communicate with students, and promote continuous learning and access to good practice. Social media and digital service providers can be used as a tool for public participation, to provide updates on regulation and investments, and as a channel for feedback and complaints about public services or companies. State institutions such as the Ministry of Health use it for updating COVID-19 information.

MCRB believes that adoption of this draft law would jeopardise the building of a digital economy domestically and internationally, with ASEAN and as part of the Regional Comprehensive Economic Partnership agreement (RCEP) between ASEAN, China, India, Japan, Republic of Korea, Australia, and New Zealand. Article 12.10 of the RCEP agreement, on the Domestic Regulatory Framework, notes that

“Each Party shall endeavour to avoid any unnecessary regulatory burden on electronic transactions”.

The draft law would undermine the ability of a digitally connected society to work in support of responsible business and sustainable development. It would also further undermine the ability of businesses to operate responsibly since compliance with the law would undermine their responsibility to respect human rights.

MCRB looks forward to working with others to build a policy and legal framework for cybersecurity and data protection that protects human rights, including the right to privacy, freedom of expression and access to information.
