Cyber security bill – Lexology | #itsecurity | #infosec | #education | #technology | #infosec



On 13 January 2022, almost a year after the declaration of the State of Emergency, the Cyber Security Bill 2022 (“CSB 2022”) was issued by the Ministry of Transport and Communications (“MOTC”). The CSB 2022 restates the repressive provisions of the first draft which was released in February 2021 and inserts more serious provisions threatening the safety and security of Myanmar’s digital economy. The objectives of the CSB 2022 are to secure cyber systems, protect critical information infrastructure, protect privacy of personal data of individuals, manage cyber-attacks and support digital economy. The keys provisions and some of the notable changes introduced by the CSB 2022 are summarized below.

Key Provisions

1. Applicability

The CSB 2022 governs in respect of the offences committed within or outside of Myanmar by anyone residing in Myanmar, Myanmar citizens and foreigners temporarily or permanently residing in Myanmar, and any matter of online communication made with anyone either directly or indirectly with regards to the cyber resource within the national cyber space. While the previous provisions of the first draft included the arrangement, agreements, contracts and covenants made for local outbound communications and matters related to economy or specific type of electronic information exchange or storage information, this is no longer the case. 

2. Cyber Security Steering Committee

The CSB 2022 provides for formation of a Cyber Security Steering Committee (“CSSC”) by the State Administration Council (“SAC”) which would be responsible for: (a) preventing cyber-crimes; (b) the implementation of the cyber security policy; (c) the coordination with other relevant ministries to ensure cyber security; and (d) the formation of an investigation team to investigate cyber security related offences. It will consist of the assigned Union Minister and its Deputy Minister or permanent secretary, cyber security professionals and representatives from nongovernmental organizations as members with the approval of the SAC.

3. Protection of Personal Information The CSB 2022 is the first comprehensive legislation regulating the protection of personal information of individual. ‘Personal information’ is broadly defined to cover any information that reveals or is capable of revealing a person’s identity and in this connection the term ‘information’ includes data, text, images, videos, code, software, applications and databases. The CSB 2022 stipulates that consent is required to be obtained before disclosing, distribution, dispatching, modifying, copying, destroying or submitting personal information. However, CSB 2022 does not stipulate the process and details of the consent process.

4. Digital Platform Service Provider and Registration Requirement

The CSB 2022 stipulates the obligations and restrictions applicable to digital platform service providers. ‘Digital platform service provider’ is defined as any individual or any entity providing digital platform service in Myanmar. Apart from the specific Sections of the CSB 2022, the word does not include companies and organizations that hold telecommunication service licenses under the Telecommunication Law. ‘Digital platform service’ is defined as any over the top (OTT) service that can provide data, information, images, voice, text or video online by using cyber resources and similar systems or materials by using a system similar to the cyber source or material. It is notable that the CSB 2022 changed the definition of ‘online service provider’ from the first draft to ‘digital platform service provider’, which term now includes businesses such as cloud services, media steaming, corporate online services, e-commerce services, ticketing services, e-banking services and any mobile services. The CSB2022 stipulates that all digital platform service providers must obtain license to operate within Myanmar from the CSSC within one year of the CSB 2022 being enacted. Furthermore, all digital service providers are required to incorporate under Myanmar Companies Law and be subject to taxation laws.

5. Data Localization

The CSB 2022 requires digital platform service providers to store information of its users, such as username, IP address, ID numbers, contact details and other user record for a period of three years from the user’s first use of the service. Digital platform service providers with more than 100,000 users in Myanmar must ensure that the devices storing such information are at a location which are assigned by the government.

6. Government Access to Data

The CSB 2022 states that government empowers the MOTC and other relevant or authorized organizations to investigate, block and supervise any services being operated and processed by a digital platform service provider, revoke business licenses, inspect individual’s computer or computer system or phone at any time and may request them to provide written records if it is necessary for the country’s protection, security and the public interest. In addition, no specific jurisdiction or judicial warrant is required under the CSB 2022 to exercise such powers. 

7. Critical Information Infrastructure

The CSB 2022 sets out a framework for the protection of critical information infrastructure. ‘Critical information infrastructure’ is defined under the CSB 2022 as electronic government services, electronic information and infrastructure on finance and budgeting, water resources, transportation, communication, public health, electricity and energy, natural resources, and electronic information and infrastructure classified for private use only. CSB 2022 stipulates that a cybersecurity report must be submitted by operators of critical information infrastructure on a yearly basis. In addition, the CSB 2022 stipulates that the CSSC shall have the right to inspect the cyber security of critical information infrastructure stored in accordance with the regulations.

8. Virtual Private Network and Similar Technologies

The CSB 2022 stipulates that any person intending to use a Virtual Private Network (“VPN”) or similar technology must be registered by the MOTC. However, the CSB 2022 does not stipulate information regarding use of VPNs by a private individual or a business and does not specify restricted purpose of use. 

9. Offences

Offences under the CSB 2022 include: (a) processing or transferring personal data in violation of the CSB 2022, punishable by imprisonment for a term not exceeding 3 years or a fine not exceeding MMK 50,000,000 or both, (b) failure to comply with the provisions of CSB 2022 by the digital platform service provider, punishable by imprisonment for a term not exceeding 3 years or a fine not exceeding 100,000,000 or both, (c) failure to comply with the data retention and data localization obligation, punishable with imprisonment for a term not exceeding (3) years and/or a fine not exceeding MMK 100,000,000. New offence added under the CSB 2022 is that using a VPN or similar technology without prior registration is punishable with imprisonment for a term not exceeding three (3) years and/or a fine of up to MMK 50,000,000. Notably, the offences in the CSB 2022 are recognized as cognizable offences and can be charged by the Myanmar Police Force. 

10. Repeal of Other Laws

The CSB 2022 repeals the Electronic Transaction Law (State Peace and Development Council Law No 5/2004) and replaces it with strict regime of the use of VPN, digital platform services, control of electronic data and information by the Myanmar government authorities and setting out a framework for the prevention of cyber-crimes and cyber-attacks and protection of personal data.


The CSB 2022 has raised numerous concerns by various stakeholders, including the foreign chamber of commerce in Myanmar since it allows for extensive control of electronic data and information by the government authorities and the restriction on the usage of VPN, which could have a significant impact on businesses operating in Myanmar especially those businesses who hold a lot of customer data and also potentially all other businesses which rely on cloud-based systems. Therefore, global entities, social media companies, and other corporate entities in Myanmar, should be ready to put in place robust infrastructure to comply with the CSB 2022 when it comes into effect.



Source link