Myanmar’s Legal Framework For Cybersecurity Needs To Be Built To International Standards
This week, a draft ‘Cybersecurity Law’ (English translation to follow shortly) has been sent by some Ministries to certain types of business in Myanmar (ICT, banks) for urgent comments by 15 February.
The military State Administration Council appears to intend rapidly to adopt this law. MCRB has prepared a document analysing elements of the law from the perspective of human rights, including the rights privacy and freedom of expression which are both contained in Myanmar’s constitution, as well as international practices, in support of organisations who intend to do advocacy on the draft law.
Democratic oversight by the Parliament elected in November 2020 is not possible due to the military’s declaration of a State of Emergency. Over 150 civil society groups have expressed their opposition to the legitimacy of such a wide-ranging law being adopted the SAC, and particularly one which fails to adhere to the state duty to protect human rights.
Adopting a cybersecurity law in the form currently proposed will not only impact on civil society. It will greatly increase the risk for companies in Myanmar, to the extent that some responsible international investors, particularly in the ICT sector, may exit the market altogether, or delay or terminate plans to invest or supply services.
The law’s focus on ‘data localization’ i.e. storage of data in sites determined by the government (Article 28) will also increase the vulnerability and reduce the competitiveness of Myanmar companies, such as banks, e-commerce providers and any other type of company operating in Myanmar making significant use of data, since they will be unable to make use of the security and efficiency offered by international cloud-based service.
Myanmar’s chances of creating jobs and becoming a location for offshored data-based services such as call centres or shared services centres will be undermined as this law is incompatible with international data protection regulation such as the EU’s General Data Protection Regulation (GDPR).
Finance sources such as private equity, international finance institutions, and banks, will also identify this cybersecurity law, if adopted, as a major ESG risk. If they are unable to mitigate it, they will be unwilling to fund companies in Myanmar at a time when businesses badly needs investment to recover from the COVID recession.
The draft law has been criticised by:
a large number of foreign chambers of commerce/business associations in Myanmar including EU, France, Germany, UK, Italy, Greece, New Zealand
The Asia Internet Coalition (AIC), whose members include Facebook, Grab, Google and Twitter, is deeply concerned with the devastating law consequences. Individual companies have spoken out including Telenor, and a number of banks.
In 2016 MCRB published a ICT Sector Wide Impact Assessment which covered many of the human rights risks in the existing Myanmar legal framework. These were updated in 2019 in an MCRB Policy Brief: The Legal and Policy Framework for Information Communication Technology (ICT) In Myanmar: Implications For Human Rights.
MCRB’s 2019 Policy Brief on Cyber Security and Cyber Crime identified specific issues for Myanmar and policies which would build an effective cybersecurity framework compatible with international standards:
1. Establish a cyber security framework rather than one law in isolation
2. Prioritise protecting and defending individuals, devices, and networks as the core objective of any cyber security strategy / policy
3. Adopt and implement a comprehensive data protection law – with further detailed address in a separate policy brief on how to achieve a Myanmar Data Protection Law That Protects Privacy
4. Identify and prioritise the security of the country’s critical infrastructure
5. Establish incident response teams
6. Undertake a proper threat assessment and develop recovery plans
These studies and briefs highlighted that of particular concern for privacy is the existing lack of human rights safeguards for surveillance or ‘Lawful Interception’, currently only addressed in vague powers in Article 75 of the Telecommunications law. As Annex 1 of the recommendations of the 2016 ICT SWIA, MCRB proposed a Rights-Respecting Lawful Interception Framework. The provisions in the SAC’s draft cybersecurity law sections 47-50 fail to meet any of the elements of this framework:
47. The State Administration Council shall grant the right to the relevant person or organization in order to intercept as prescribed in any existing law.
48. The companies and organizations providing services as prescribed in the Telecommunication Law shall make arrangements and preparations in advance so that the relevant person or organization authorized under Section 47 can intercept.
49. A relevant person or organization authorized to intercept subject to Section 47 shall conduct any of the following interventions without interfering the fundamental rights of the citizens:
Preventing any actions that can harm the sovereignty and territorial integrity of the State;
Performing any acts for the defense and security of the State;
Performing any acts for the rule of law and public order;
Issues approved under any existing laws; and
Act of safeguarding and protecting public life, property and public welfare.
50. A Related Ministry or a department and organization which is assigned by the Ministry may investigate, and supervise any services being operated and processed at the online service provider and may request them to provide written records if it is necessary for the country’s protection and security purposes and public interest.
On 25 January 2019, MCRB participated in a consultation of Ministries and other interested stakeholders to discuss a draft ‘Cyber Law’ prepared by Singapore based consultancy TRPC (TRPC.biz) with World Bank funding in response to ToRs provided by the Myanmar’s Ministry of Transport and Communications (MoTC). MCRB is making this January 2019 draft available to improve transparency and address some confusion which has arisen over the origins of the Feb 2021 draft Cybersecurity Law. The draft Cyberlaw was accompanied by a paper on ‘Policies Related to e-Government, e-Commerce, and Cyber Security’ which addressed a number of issues such as ‘cloud first’, data classification, etc.
At the 25 January meeting, MoTC and TRPC received feedback that the scope of the draft law was too wide, and that it should be divided into individual laws on issues such as Cybercrime, Data Protection etc. It was also pointed out that the E-Commerce provisions should be covered in a unified law, together with the Ministry of Commerce who was also working on this issue. MCRB also questioned the approach of the draft law, in which important issues were being left to the decision of various Committees. This kind of approach reduced transparency, accountability and legal certainty for businesses and other stakeholders. As a result of dissatisfaction with draft, the planned public consultations in Q1 2019 were not held, and the WB/TRPC assistance came to an end without further extension.
In 2020 the MoTC developed an internal ‘zero draft’ ‘Cybersecurity Law’ which took a different approach to the January 2019 draft. This zero draft (see above) was updated following the assumption of power by the 1 Feb 2021 military government.
Read more: Civil society, businesses condemn junta’s draft Cyber Security Law - Frontier Myanmar, 11 February 2021