Finally personal data protection in Myanmar? A closer look into the Law Amending the Electronic Transactions Law
On 15 February 2021, the Myanmar Electronic Transactions Law was amended through the Law Amending the Electronic Transactions Law 2021 (“Amending Law”) following the announcement made by the Myanmar State Administrative Council. The amendments came into force on 15 February 2021.
The Myanmar Electronic Transactions Law, originally enacted on 30 April 2004, governs any kind of electronic record and electronic data message used in the context of commercial and non-commercial activities, including domestic and international dealings, transactions, arrangements, agreements, contracts and exchanges and storage of information.
It was first amended on 25 February 2014 to provide criminal punishments for the following prohibited actions:
- sending, hacking, modifying, altering, destroying, stealing, or causing loss and damage to the electronic record, electronic data message, or the whole or part of the computer programme dishonestly;
- intercepting of any communication within the computer network, using or giving access to any person of any fact in any communication without permission of the originator and the addressee;
- communicating to any other person directly or indirectly with a security number, password or electronic signature of any person without permission or consent of such person; or
- creating, modifying or altering information, or distributing information created, modified or altered by electronic technology, in a way which is detrimental to the interests of, or lowers the dignity of, any organisation or any person,
whereby, a person shall, on conviction, be liable to a fine of MMK 5,000,000 to MMK 10,000,000, and in default of such payment of fine, shall be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years (the original position was such person shall, on conviction, be punished with imprisonment for a term which may extend to five years or with fine or both).
The Amending Law further amended the Myanmar Electronic Transactions Law by inserting provisions relating to the management of personal information, thereby providing a basic, rudimentary framework for personal data/information protection in Myanmar.
Newly inserted provisions regarding the management of personal information into the Myanmar Electronic Transactions Law
The Amending Law inserted a new Chapter 10, namely “Protection of Personal Information”, into the Myanmar Electronic Transactions Law. The Chapter comprises the following new provisions, namely Section 27(a)(1) – (4), Section 27(b), and Section 27(c)(1) – (4).
Section 27(a) provides that the person responsible for managing and keeping the personal information shall:
- systematically keep, protect and manage the personal information based on its types and security levels in accordance with the law;
- not allow the personal information of an individual to be scrutinised, disclosed, informed, distributed, dispatched, modified, destroyed, copied or submitted as evidence to any individual or organisation without the consent of such individual;
- not utilise personal information for managing issues that are not in compliance with the objectives; and
- systematically destroy or delete the personal information that is collected to be used for a certain period of time after such period has expired.
In this regard, “person responsible for managing and keeping the personal information” is defined as a person assigned by any government department or organisation authorised to collect, compile, keep and use personal information under provisions contained in the Myanmar Electronic Transactions Law (read together with the Amending Law) or any existing laws. “Personal information”, in turn, is defined to mean any data or information which can identify or has identified who a person is.
Section 27(b) goes on to provide that the investigation team which receives information, including personal information, in accordance with the existing laws shall keep the information confidential, except when disclosing such information in accordance with the law. Failure to manage and keep the personal information in accordance with the Amending Law is a crime punishable by imprisonment for a term of one to three years, or a fine not exceeding MMK 100 or both.
Notwithstanding the above protection under Section 27(a)(1) – (4), Section 27(c) further provides exceptions to the safe management of personal information, such as in the event of cybersecurity, cyber-crimes, investigations and enquiry by the Central Committee as well as any investigation, co-ordinating or collecting of information on matters relating to stability of state sovereignty, public order, national security. The terms “stability of state sovereignty, public order, national security” are not defined and would allow the governmental authority to interpret them as widely as it deems necessary.
In addition to the above provisions relating to the management of personal information, the Amending Law also provides further amendments criminalising “cyber-attacks” and other dissemination of information online with the intent of causing public panic, loss of trust or social division (Sections 38(c) and 38(d)).
While the stated objective of the Amending Law is the protection of the personal information of the public, as one may note from the abovementioned paragraphs, the provisions are brief and not comparable to the standards of personal data protection regimes in other modern legal frameworks. In fact, these newly inserted provisions (including provisions for the management of personal information in the new Chapter 10) are essentially copied from the draft Cyber Security Law, which received widespread condemnation from 250 Myanmar society organisations and business associations.
As the legal developments involve the management of personal information and criminalise any acts of unlawful disclosure of personal information, it is prudent for business entities and industry players collecting, sharing and storing data between their Myanmar businesses and entities and their group companies outside of Myanmar to take note of such legal developments.
If you have any questions or require any assistance in relation to the handling of data protection and privacy in Myanmar, please contact Bell Boo Hsiu Ting or the ZICO Law Myanmar partner you usually deal with.
This article is for general information only and is not a substitute for legal advice.
Please note that the provisions of Section 27(a)(1) – (4), Section 27(b) and Section 27(c)(1) – (4), as well as the definitions outlined in this article, are based on the non-official English translation made available to the public. Terms used in the said non-official English translation may not have an equivalent term or concept, as the case may be, in the Myanmar version of the Law Amending the Electronic Transactions Law 2021, and our statements and opinions, whilst professionally rendered in this article, will not necessarily prevent judicial enquiry or judicial interpretation by the courts in a manner that is distinct from our statements and opinions herein.