Asian-mena Counsel: Data + Cyber Security Special Report 2020Published in
By William Greenlee, Partner, DFDL
This article sets out the data protection regulatory framework in Myanmar and its recent developments, and concludes with some reflections on the current significant shifts in global data protection standards.
Overview of the regulatory framework of data protection
There are currently no specific data protection laws in Myanmar. The regulatory framework for protection of privacy in Myanmar consists of an overarching privacy law as well as sector-specific legislation regulating certain categories of data, such as customer information protected under the Telecommunications Law 2013 and the Financial Institutions Laws 2016.
Law Protecting the Privacy and Security of Citizens 2017
In Myanmar, the principal legislation regulating privacy and security of information is the Law Protecting the Privacy and Security of Citizens 2017 (the “Privacy Law”). The benefits of the Privacy Law apply to Myanmar citizens only and it has no application to any non-citizens residing in the country.
Among others, the Privacy Law prohibits the following activities by responsible authorities1 without approval from the President or the government:
- Spying, investigation, or detection that may affect or adversely impact the dignity, privacy, or security of a citizen; and
- Requesting or acquiring personal telephonic and electronic communications data from telecommunication operators.
There are no specific requirements under the Privacy Law to obtain prior consent from data subjects2 to process the data subjects’ personal data, but as a matter of good practice and in line with international practices, data users typically request consent from data users before processing any personal data.
Electronic Transaction Law 2004
Another relevant law concerning privacy is the Electronic Transaction Law 2004 (the “ET Law”). Among others, the ET Law prohibits the following activities:
- Communicating to any other person directly or indirectly with a security number, password or electronic signature of any person without permission or consent of such person.
- Creating, modifying or altering of information or distribution of such information which is deemed to be detrimental to the interest of any person.
The ET Law has extraterritorial jurisdiction and applies to every person who commits any actionable offence inside and beyond the territory of Myanmar using any form of electronic technology.
Competition Law 2015
Under the Competition Law 2015, every person is prohibited from disclosing or using secrets of another business.3 A person guilty of an offence under this law is subject to imprisonment for up to two years and/or a fine of up to MMK 10 million (approximately US$ 7,310).
There are a few sector-specific laws that govern aspects of data protection and privacy issues in Myanmar, although only to a small extent.
The Telecommunications Law 2013 primarily imposes obligations on licensees that obtain a telecommunication services license from the Ministry of Transport and Communications. The telecommunication service licensee is required to maintain securely the information and contents (including confidential personal information of the users) that are transmitted or received through the telecommunications services. It is also prohibited under the law to disclose any information secured on encrypted systems to any third party by any means. Violators are subject to imprisonment for a term not exceeding one year and/or a fine.
The Financial Institutions Law 2016 (the “FIL”) imposes restrictions on institutions licensed under this law. Banks are required to keep information secret relating to the affairs or the accounts, records, and transactions of their customers.4 There are limited exceptions to the duty to maintain banking secrecy including but not limited to disclosure of information to the Central Bank of Myanmar or disclosure to comply with a court order or where required under the law.5
Recent Developments and Impact of the GDPR
In Myanmar, data privacy obligations are scattered across several pieces of legislation protecting data through confidentiality provisions and secrecy obligations. This means that personal information will primarily remain protected as confidential information through contractual obligations or through private claims being brought by individuals for breaches of confidentiality.
The absence of specific legislation on data protection and the lack of a data protection authority results in limited or no opportunities for individuals to seek information on their privacy rights or the protection of their personal data, and it also hampers their ability to seek redressal or compensation in cases where such rights are violated. The exponentially increasing number of electronic transactions in the country urgently calls for dedicated legislation to govern data protection issues.
With the continuous progress of society and technology, the concept of privacy has significantly transformed and evolved. From using internet services to social interactions to cloud computing, every activity requires revealing personal data.
The increased dependence on technology and an ever-increasing information boom calls for the establishment of a sound data protection regime. To adequately protect the interests of all stakeholders – citizens, companies, as well as the government – the enactment and proper enforcement of data protection laws is essential.
- Responsible authorities refers to relevant government department, government organisation or government officials.
- Individuals whose personal data is being shared.
- Competition Law, 2015, § 19.
- Financial Institutions Law, 2016, § 81.
- Id. § 82.