The junta has enacted a cybersecurity law including 16 chapters and 88 articles on 1st January 2025. According to the preliminary review from MIP, this newly emerging “cybersecurity law” appears to be a law designed with numerous provisions aimed at oppressing users rather than serving the positive intention for the public.
The cybersecurity law, enacted by the military junta which intensely repressed the digital rights and freedom of expression through the coup period, included a number of articles to repress the local internet users. Moreover, according to the Article 3, Clause (b) of the "Cybersecurity Law", it is evident that the law includes provisions to take action against citizens living abroad.
Cybersecurity Law: A Reality Diversion
Article 5, Clause (g) of the "Cybersecurity Law" states that it aims to "support the development of a digital economy based on cyber resources." Nevertheless, throughout the coup period, the junta has severely repressed the digital sphere.
Measures such as blocking social media networks, internet shutdown, restricting VPNs, and monitoring and arresting individuals for their online speech have significantly undermined Myanmar's digital cornerstones. Businesses reliant on the digital ecosystem have also been visibly negatively impacted.
Initiating Large-scale surveillance
Under the new cybersecurity law, internet users will experience surveillance and monitoring events more than before.
According to the Article 33 of new cybersecurity law, digital platform service providers with more than 100,000 users within the country must retain not only personal information of users but also user activity logs, and any other information specified by the relevant department from time to time for up to three years.
Furthermore, article 34 enacted that if any authorized person or organizations under an existing law request with written, it is stipulated that the retained information must be disclosed. According to this article, it is evident that organizations under the military junta can easily request user information without needing to obtain any form of court letter.
Under the provisions of the cybersecurity law, social media services and locally based digital platform services, as mandated by the SAC’s cybersecurity law, must retain users’ personal information, user activity logs, and any other information specified by the relevant department from time to time for up to three years.
In addition to targeting users, the military council's strict measures also include legal restrictions intended to tighten oversight of digital platform service providers.
According to article 43, it was found that the military junta has authorized it to temporarily suspend the digital platform services or electronic data, to temporarily control the digital device used for digital platform services and permanently shutdown the service.
Cutting Lifeline On VPN Usage
According to the article 44 of cybersecurity law by the military junta, individuals who would like to build the VPNs or to provide the VPN services in the national cyber sphere need to obtain permission from the relevant ministry in accordance with the prescribed regulations.
Under the cybersecurity law, VPN services permitted by cybersecurity law will emerge in the near future.
According to Article 33 of the Cybersecurity Law, VPN service providers are required to retain users' activity logs, including personal information, for up to three years.
The cyber law defines VPN as a private network that secures an existing network or connects securely to another network. However, provisions relating to Virtual Private Servers under this law fail to uphold the privacy of users.
Article 70 subscribes VPN providers operating without the ministry’s permission to face either imprisonment of 1-6 months and/or fines ranging from 10-100 lakhs Myanmar kyats.
Broad and Vague Definitions and Legal Consequences
Article 72 dictates that whoever conducts electronic production, distributions, sending and copying or selling information unfit for public consumption will be faced with 1-6 years incarceration and fines ranging from 10-100 lakhs Myanmar kyats. However, there is no set definition as to what defines as “information unfit for public consumption”. Since the terminology and definition may differ widely depending on the political, societal and other contexts, this clause may be used to put users at risk.
Article (60), (62), (64), (66), (86), (71) and (72) falls under police jurisdiction and the clause provides wide power for the police to crack down on organizations and personnel providing critical digital security and safety without registration.
(Disclaimer: This article is based on the unofficial translation of the Cyber Security Law in Myanmar, enacted on 1st January 2025 . As the official English version of the law is not yet available, this article relies on the Myanmar version, and there may be inaccuracies in terminology when the English version becomes available.)
Comments