The anticipated impact of Myanmar’s 2022 draft Cyber Security Law on people’s online safety and rights were discussed in the first Report. While there are no further developments known to this particular legislation as of date, the Union Government’s Ministry of Transportation and Communications (MoTC) has signaled plans on governing Myanmar’s digital security as we move into 2024.
Cyber Security Policy 2023
On March 29, 2023, MoTC’s Department of Information Technology and Cyber Security published a 31-page Cyber Security Policy document envisioning how Myanmar’s cyber and digital security should be managed across the next 5 years until 2028. As MoTC expects “to build a stable and robust cyber realm for the safety of Myanmar” (Art.5), the enactment of cyber and digital security legislation was placed atop the plan.
Institutional Structure
Chapter 5 of the document described the envisioned institutional structure in managing cyber and digital security in the country. At first glance, this seems to be a shift from its 2022 plan laid out in the draft Cyber Security Law as MoTC’s Department of Information Technology and Cyber Security has now taken charge instead of being presided over directly by the Deputy Prime Minister of the Union Government. The 31-page document also showed the government’s efforts to align with regional and international cybersecurity management mechanisms through the planned establishment of Chief Information Security Officers (CISOs), Cyber Security Incident Response Team (CSIRTs), and Information Sharing and Analytic Centers (ISACs). Nevertheless, even disregarding speculations on how the management team would be formed, the fact that General Mya Tun Oo is concurrently the incumbent Deputy Prime Minister and the Transportation and Communications Minister effectively means a direct military control over Myanmar’s cyberspace. The lack of checks and balances not only undermines its management, but also online safety.
Digital Security Legislation
Delving into the digital security matters to be addressed through legislation, the document listed electronic certificates, digital currency and e-commerce, critical information infrastructure, cybercrime and security and the protection of organizational and personal information (including in investigations). Without further illustration of how these matters would be governed (differently), threats of the latest draft Cyber Security Law that was highlighted in our first Report toward people’s rights to privacy, freedom of expression, and access to information are likely to remain.
In particular, the provision criminalizing the production, possession, and dissemination of child sexual abuse material (CSAM) was removed from its 2021 draft (Art.69) without an explanation while keeping the more general ban (Art.96) on “sharing sexually explicit” content —- defined in the Law as “not culturally appropriate for the Myanmar society to see” (Art.35(c)). Both clauses are not mutually exclusive, therefore, the latest draft Cyber Security Law risks stifling citizens’ access to sex education while jeopardizing the protection of minors from sexual exploitation.
Additionally, Article 9(e) of the Cyber Security Policy stated the “ethical and legal issues related to the use of social networks” shall also be considered. Cross-referencing MoTC’s 2022 draft Cyber Security Law, this alludes to the vague provisions against online misinformation and disinformation intends to “cause social division” (Art.91) and the obligations of social networks to curb and disable content that “harms social standing and livelihood” (Art.35). Overly broad stipulations without clear and transparent guardrails could lead to content limitations that favor government censorship and hinder people’s freedom of expression and online safety.
The 2023 Cyber Security Policy also identified “priority sectors” to safeguard Myanmar’s cyberspace, namely (1) government institutions, (2) critical information infrastructures, (3) private organizations and companies, (4) individual persons, and (5) education, training and research institutions. Separate guidelines and notifications shall be expected for each “priority sector” as MoTC explained the importance and need for national and sectoral-specific mechanisms for digital security management in the document.
Recalling the various statements by the civil society and international governmental and private organizations raising concerns toward Myanmar’s draft Cyber Security Law in previous years, such attention shall be rejuvenated as the State Administration Council (SAC) moves forward with legislation.
E-Governance Master Plan 2030
More insights can be picked up from the Myanmar E-Governance Master Plan 2030 published by MoTC on October 2, 2023 for a three-week public consultation. While reflecting on its previous master plans on ICT development, SAC also noted the digitalization journeys of other governments, the ASEAN Digital Master Plan 2025, and the five-stage Model of E-Government adopted by the United Nations. With SAC’s “strategic vision” to “achieve an inclusive and transformative digital economic development” (pg.14), a significant portion of the 167-page Master Plan mapped out projects to digitize government operations, upgrade digital infrastructure, and improve the nation’s digital capacity and adoption.
Virtual Private Networks (VPNs)
Under its e-governance strategy, a silver-lining has emerged with SAC’s perspective towards the use of VPNs. According to the 2022 draft Cyber Security Law, using and facilitating the access of VPNs without MoTC’s explicit permissions could be fined and imprisoned (Art.89(c), Art.90). While a waiver could be applied in advance, the criminalization would hamper the day-to-day use of VPNs, which has become increasingly popular and crucial for individuals to protect their privacy and access information following SAC’s directives to block most sites on the Internet.
In a turn of events, the E-Governance Master Plan 2030 acknowledged the role of VPNs in protecting network traffic and Internet connection, which would be crucial for safeguarding cybersecurity (pg.114). While this should not be mistakenly seen as a reversal of MoTC’s 2022 proposal, such an acknowledgement signals MoTC’s consideration of a less blatant approach to ban VPNs across the country.
Digital Security Legislation
Meanwhile, the MoTC recognized the current ICT-related regulations are incomplete and lack separate provisions for implementation (pg.59). Apart from reviewing and amending existing regulations, the Master Plan listed 90 ICT-related policies, frameworks, and standards to be implemented or developed by various agencies across the SAC. With matters largely echoing the Cyber Security Policy document, MoTC prioritizes the legislation of digital security matters as “initiatives” to be established by the end of 2025, with most of other ICT-related issues such as artificial intelligence (AI), online consumer protection, and national broadband policies to be set up in the “short-term” (i.e., by the end of 2026).
With both the 2023 Cyber Security Policy and E-Governance Master Plan 2030, an update to the 2-year-old draft Cyber Security Law shall be anticipated. It is unclear if the prospective Cyber Security Law will continue to cover such a broad scope of matters in a single piece of legislation, or the SAC plans to deal with matters such as personal information protection and cybercrimes in separate papers. In this regard, close attention should be given to monitor digital policy developments in Myanmar, especially with the latest precedent where the Ministry of Commerce (MOC) mandates all individuals and entities that sell goods or services online to have a physical presence in Myanmar and to obtain certification via online registration. With immediate effect from July 2023, there are no prior consultations or notices on the Online Sales Business Registration Order, which also contains guidelines pertaining to data protection and cyber security.
Touting Transnational Ties
On the other hand, MoTC highlighted the need to engage and align with governments across the globe in managing the Internet for its nature of being transnational and border-agnostic. After not being involved in the November ASEAN Digital Ministerial Meeting (ADMM) and the ASEAN Leaders’ Summit second year in a row, the State Administration Council (SAC) has turned to Russia for closer cybersecurity partnership. The bilateral Agreement signed in December 2023 emphasized the role of state sovereignty in the use of ICT and determining Internet and network policies. The two governments will also formulate joint-measures to counter cyber-threats as they expressed concerns over state sovereignty and security being undermined and internal political and social-economic situation being destabilized online.
The United Nations also flagged in August 2023 that at least 120,000 citizens and foreigners in Myanmar are reportedly being forced to conduct online scams. On this front, as the SAC seeks cooperation with China to “thoroughly eradicate the cancer of online gambling and telecom fraud”, Myanmar has shown “immediate support” for the Global Security Initiative (GSI), according to a readout by the Chinese Foreign Ministry in December 2023. The GSI adopts the concept of “indivisible security” to build a “common, comprehensive, cooperative, and sustainable security” in traditional and non-traditional fields while respecting the “sovereignty and territorial integrity” of all nations.
The Ongoing Threats, Too
With the aforementioned plans and cooperations set up by the State Administration Council (SAC), progress in their governance to safeguard online safety shall be tracked vigilantly. The Five-Point Consensus jointly developed by the 10-member nations of ASEAN has been decided to remain as the “main reference” to address the instability within Myanmar as the country enters its third year of the coup d’état. Regional and international communities have been focusing on the cessation of violence and attacks against civilians, the imposition of sanctions against SAC officials, and the provision of humanitarian aids. However, international governments must also take a closer look at the imminent threats to digital freedoms not limited to access to information, privacy, and freedom of expression.
But until then, indefinite interim measures including the Electronic Transactions Law (which is set to be replaced by the Cyber Security Law) and the Law Protecting the Privacy and Security of Citizens amended instantaneously after the 2021 military takeover, as well as the intermittent targeted Internet shutdowns against “rebel communities” consistently cripple Myanmar’s Freedom on the Net. As we enter 2024, a truly “stable and robust cyber realm for the safety of Myanmar” can only be ensured via multi-stakeholderism, starting with a greater attention to be paid on such fronts by the international community.
*This article is originally published in the Asia Pacific Policy Observatory December 2023 Report.