Myanmar's ruling military has drafted new cybersecurity laws that have been widely condemned as draconian, giving the government sweeping powers to access user data and block online sites. The legislation could also undermine the country's location as an offshore hub for data services, since it will not be in compliance with international laws.
News leaked days after the February 1 military coup that a draft copy of the Bill was sent to telcos and online service providers for their feedback, due back on Monday. According to various organisations that had seen the 36-page document, the proposed legislation would require online platforms operating in the country to retain all user data, including IP address, home address, and ID number, for three years and in a system assigned by the government.
In addition, Article 29 would enable the government to instruct a user account be intercepted, blocked, or removed when identified to incite hate or disrupt peace with "fake news", "disinformation, or comments that violated existing laws. Local authorities would also have access to the data when requested, without the need for a warrant.
The current military government, which has named itself the State Administration Council, pitched the proposed legislation as being necessary to combat cybercrime and various online activities deemed detrimental to the country.
Various organisations, though, have stepped up to condemn the rules as repressive, comprising vague terms that would provide the government with powers to outlaw content and prosecute its author. It also marked a significant step back after years of economic and social progress in Myanmar, many have said.
In its statement, the Myanmar Centre for Responsible Business (MCRB) cautioned that such laws would not only impact civil society, but also risk driving away international investors and stymie local business growth, particularly in the ICT sector.
MCRB singled out the legislation's focus on data localisation of requiring data to be stored in sites designated by the government, which it said would leave local businesses vulnerable. This is especially true for banks and e-commerce companies that use significant volumes of data as they would not be able to tap the security and features offered by global cloud services, it said.
Financial services institutions, meanwhile, would not be able to mitigate security risks and ensure governance, and this would drive away foreign investors and harm local businesses already struggling to cope with the COVID-19 crisis, it added.
Myanmar's ability to create jobs and be a hub for offshore data-based services, such as call centres and shared service centres, would also be undermined as the proposed law would not be in compliance with international data protection rules, including the EU's General Data Protection Regulation (GDPR), said MCRB.
It noted that the Myanmar Computer Federation, Myanmar Computer Industry Association, and Myanmar Computer Professionals Association have already voiced their objections to the draft law.
Norwegian telecommunications group Telenor said in a statement Tuesday that the legislation should be debated in Parliament and consulted with industry stakeholders to ensure it was "fit for purpose" and in line with Myanmar's constitution.
Describing it as broad in scope, the company said the proposed laws would provide extensive powers that could "significantly impact many". The telco said its local operations, since 2013, were established on commitments from Myanmar's government that its regulatory updates and framework would be in line with international best practices. These included the establishment of an independent telecommunications regulator.
"We are concerned that the proposed bill does not progress relevant regulatory frameworks and law for a digital future, [neither does it] promote and safeguard digital safety and rights," Telenor said, adding that it was "not appropriate" to pass a bill with such broad powers to a temporary administration during a state of emergency.
It further called for the proposed Bill to adopt transparency and "legal certainty" with regards to the exercise of powers, and to exclude provisions that could be used to order interception of user accounts. It noted that laws governing personal data protection, electronic transactions, and cybersecurity should be kept separate to ensure governance.
In calling the proposed legislation "draconian", Human Rights Watch has urged for the laws to be withdrawn as they would "consolidate" the government's ability to conduct pervasive surveillance and cut access to essential services. The laws also neither specified how authorities would determine what constituted as misinformation nor provide any options for those whose content was blocked or removed to appeal, the organisation said.
Human Rights Watch's Asia legal advisor Linda Lakhdhir said: "The draft cybersecurity law would hand a military that just staged a coup and is notorious for jailing critics almost unlimited power to access user data, putting anyone who speaks out at risk."
Under the proposed rules, companies that fail to comply can face up to three years' imprisonment or fines of 10 million kyats ($7,009).
"The provisions of this cybersecurity law pose a clear threat to the right of Myanmar's citizens to reliable information and to the confidentiality of journalists' and bloggers' data," Daniel Bastard, Asia-Pacific head of Reporters Without Borders (RSF) said in a statement. "We urge digital actors operating in Myanmar, starting with Facebook, to refuse to comply with this shocking attempt to bring them to heel. This junta has absolutely no democratic legitimacy and it would be highly damaging for platforms to submit to its tyrannical impositions."
According to RSF, Facebook has almost 25 million users in the country or 45% of the local population. It added that access to the social media platform as well as others such as Twitter and Instagram was blocked soon after the February 1 coup.
UNI Global Union has also called for industry stakeholders to speak out against the law, singling out Japan's KDDI, Qatar's Ooredoo, and Telenor, as these three multinational corporations had strong presence in Myanmar.
Representing some 3 million employees in the ICT services sector, UNI Global Union's general secretary Christy Hoffman said: "This so-called cybersecurity bill only protects the government's grasp on power and it will be a powerful weapon against trade unionists, students, teachers, and the broad swath of civil society speaking out. The international community must stand up to reject this law... Telecommunications companies must also push back against this law or risk becoming a weapon of this military junta against democracy."
According to activist group Access Now, Myanmar's junta on Tuesday ordered another internet shutdown amidst increased military presence and use of force against demonstrators. It described the military's "weaponisation" of internet shutdowns to silence dissent as "unacceptable and a flagrant violation to human rights laws".
Access Now's Asia-Pacific policy director and senior international counsel, Jit Singh Chima, said: "Myanmar's draft cybersecurity bill is already instilling a fear of surveillance and being persecuted for what you say and do online. The gagging of telecom and ICT firms from being able to report on government orders concerning internet shutdowns, web censorship, or user surveillance is very concerning. Given the evolving situation and suppression of free media on the ground, the ability of telecom firms to provide information about the government directives they receive is key."