Myanmar Needs a People-Centred Cybersecurity Framework Including Data Protection to Benefit from the Digital Economy
MCRB contributed to a seminar organised by Telenor on ‘Privacy and Data Protection in the Digital Age’ on 27 August in Naypyidaw.
It was attended by around 40 participants from the Post and Telecommunications Department (PTD), the Information Technology and Cyber Security Department (ITCS), the Cybercrime unit of the Myanmar Police Force, and the Union Attorney General’s Office (UAGO), as well as some telecoms companies.
The aim of the seminar was to discuss the importance of data protection and privacy in an increasingly data-driven Myanmar, and to:
Support the development of a Myanmar Cyber Security Framework that would protect human rights, including the right to privacy, and promote development, innovation, and cross-border trade.
Highlight issues concerning data protection and privacy in Myanmar, including those related to cross-border data transmission.
Promote technological literacy to improve awareness of these issues.
Recommend specific strategies in legislating on data protection and privacy.
Vicky Bowman, MCRB Director, highlighted the need for Myanmar to develop a comprehensive people-centred cybersecurity framework, including an effective and modern data protection law. She noted that cybersecurity was a ‘public good’, like clean air and water. This was why government action was needed. She underlined that laws and policies to protect users’ data needed to be risk-based and future-proofed, which means focussing on outcomes rather than specifying a particular ICT type; otherwise they would soon be out of date. She outlined what a rights-respecting cybersecurity framework could look like and encouraged Myanmar’s government to be transparent in developing the legal and policy framework and to consult widely, particularly with business.
Myanmar lacks effective laws for data protection and cybersecurity (for example, the 2017 ‘Law Protecting the Privacy and Security of Citizens’ failed to address numerous issues, including lawful interception, intellectual property, and data protection more generally). However, legislation needs to be carefully designed. Inter alia, the framers of the law should distinguish between cyber-dependent crime (crimes targeting computer systems) and cyber-enabled crime (familiar crimes already addressed in law, such as fraud and harassment, that make use of ICT). Not every issue required legislation, hence the need for an overall legal and policy framework that was flexible and could be adapted. It should draw on international experience, but not be a copy-paste of outdated or inappropriate instruments such as the 2001 Budapest Convention on Cybercrime.
Telenor presented on the opportunities offered by the ‘4th industrial revolution’ of digitisation and the risks that inadequate regulation poses to Myanmar’s digital economy and consumers. These include reduced market access, heightened business costs, and reduced competition. Improving the legal and policy framework would benefit both human rights protection and economic development in Myanmar. Telenor referred to a 2015 report from McKinsey on ‘The Net’s sweeping impact on growth, jobs, and prosperity’. This highlighted increasing data flows as a powerful catalyst for job creation and GDP growth.
Speakers, including a representative of Amazon Web Services (AWS) who presented on cloud data storage, recommended that regulators and policy makers should establish data protection requirements to facilitate the free flow and safe storage of data. They highlighted that allowing data to flow freely across borders – for example for storage in the cloud outside the country in which it is generated – will benefit governments and both traditional and digital industries, and boost economic growth and innovation.
Cloud storage allows companies, governments and individual users to take advantage of the latest and most secure hardware and software available, rather than investing scarce capital in rapidly outdated systems, and enables them to obtain ICT services from the most cost-effective provider. The cloud also offers systems which are more resilient and, if properly protected, less vulnerable to hacking or other damage than is currently achievable in Myanmar. Facilitating cross-border data flows will also be necessary if Myanmar is to develop its own ICT service industry. While encrypted data may sit in the cloud on a regional server outside Myanmar, access to the data in usable unencrypted form is available only to the Myanmar-based data owner. Legitimate access requests, for example by law enforcement authorities, can be made to them, just as if the data was physically held in encrypted form within the country.
Data protection, cybersecurity and privacy/surveillance issues were highlighted in MCRB’s sector-wide impact assessment (SWIA) on the ICT Sector in September 2015. In February 2018, Telenor released its first Digital Myanmar report, with the commitment to support the implementation of the government’s Digital Myanmar Economy Plan.