The draft “Cybersecurity Law” (“draft law”) recently circulated by the Myanmar State Administrative Council (“SAC”) contains a number of troubling provisions and should not be implemented. As a threshold matter, the military-run SAC lacks democratic legitimacy and it is, therefore, inappropriate for it to unilaterally implement such a law during a declared state of emergency. On substance, the Global Network Initiative (GNI) has reviewed this draft and sets out some of our initial observations below, building on our analysis of the previous draft Cybersecurity Law circulated by the SAC in February 2021.

In particular, the draft law’s approach to the prohibition and regulation of content, prosecution of cybercrime, data retention, and the use of virtual private networks (VPNs) are out of line with international law, business expectations, and the SAC’s stated intentions to enable safety and security, protect personal information, support the digital economy, and “protect the authenticity and integrity of electronic information.” Many of these concerns are exacerbated by the existing and ongoing lack of government legitimacy, rule of law, and an independent judiciary in Myanmar. GNI calls upon the SAC to revoke this draft law and to focus instead on restoring peace and the democratic process in Myanmar.

Vague and Overbroad Prohibitions

The draft law defines six categories of content that digital platform service providers are obligated to remove “in a timely manner” upon notice from relevant authorities, all of which (with the possible exception of “child pornography”) are either too vague or described too broadly to comport with international standards related to freedom of expression (Art. 35). This creates a high degree of discretion for authorities and the likelihood that the law will be used to, inconsistently and in a discriminatory manner, order removal of content that should be protected under both domestic and international law. In addition to these new content removal requirements for providers, the law introduces various new provisions criminalizing vaguely-defined forms of content and conduct online, including troubling penalties for misinformation and disinformation (Art. 91). Furthermore, the reference in Article 35 to “prevention” of covered categories of content raises additional freedom of expression risks, in line with concerns GNI has raised in response to proposals that require or otherwise strongly incentivize the use of automated filtering systems.

Overbroad Authorities

The draft law empowers the SAC and its subsidiary bodies, as well as anyone they delegate, to “inspect” the computers of any person suspected of having been related to any security threat, cyber-attack, or cyber fraud, as well as of anyone “related” to that person, without any warrant, judicial oversight, or notice required (Art. 55, 57). These authorities can also inspect any “digital platform service provider” and ask them to “present labels” that serve the purposes of state defense and security, again without any prior notice, due process, or independent oversight (Art. 60).

The draft law would allow State authorities to unilaterally block, seize, and ban digital platform service providers at their discretion, again without any effective due process or independent oversight (Art. 61, 71). Individually and collectively, these provisions would undermine the right to freedom of expression and privacy online in Myanmar.

Adding to these concerns, the draft law appears to revoke due process guarantees for individuals such as the right for those accused of crimes to be confronted with the evidence against them, and the mandate that courts defer to findings of a proposed State-run “National Digital Forensic Laboratory” (Art. 63–67).

Data Localization and Retention

The draft law would require digital platform service providers with over 100,000 users in Myanmar to store user data “in a place designated by” the Ministry of Transport and Communications, in addition to registration requirements for internet service providers.These companies would also be obligated to retain the unique user-identifying information such as “telephone number, identification card number and address of the service users” and “any other information directed by [the authorities]” (Art. 37), and to provide such information to any “assigned person or authorized organization” that requests it “under any existing law”(Art 38).

These provisions are out of line with regional and global standards and expectations and would create significant costs and burdens on covered companies. Taken together, they create a serious risk that these companies would be required to hand over sensitive user data to the government in violation of users’ privacy and expectations, without any due process or independent oversight.

Prohibition on VPNs

The draft law criminalizes the use of VPNs (Art. 90). Although there is a reference to a process for a possible waiver, given the fact that their use is being criminalized, it is unrealistic to expect any significant number of individuals or businesses to request or receive such waivers (Art. 62). VPNs allow individuals to access content and protect their privacy online. VPNs have become increasingly popular in Myanmar since the SAC implemented orders to block most internet sites. Restricting the use of VPNs will significantly curtail access of people within Myanmar to critical educational, social, and economic services.