Myanmar ‘s military junta has revived a draconian cybersecurity bill that would provide sweeping powers to the authorities, Human Rights Watch said today. The current draft would allow the junta, in power since the military coup on February 1, 2021, to access user data, block websites, order internet shutdowns, and prosecute critics and representatives of noncomplying companies.
The Cybersecurity Law was initially proposed a week after the coup. The current draft, an unofficial translation of which can be found here, includes new provisions that would ban use of virtual private networks (VPNs), abolish the need for certain evidentiary proof at trial, and require online service providers to block or remove online criticism of junta leaders. Ten international chambers of commerce in Myanmar issued a joint statement on January 28, 2022, that said the proposed law “disrupts the free flow of information and directly impacts businesses’ abilities to operate legally and effectively in Myanmar.”
“Myanmar’s military junta has taken a terrible draft cybersecurity law and made it even worse,” said Linda Lakhdhir, Asia legal adviser at Human Rights Watch. “The junta should scrap this bill, which would further devastate free expression and access to information across the country.”
The draft law would apply to all those providing “Digital Platform Services,” defined to include “any over the top (OTT) service that can provide the service to express data, information, images, voices, texts and video online by using cyber resources and similar systems or materials.” The law thus applies not only to social media and other content-sharing platforms, but to digital marketplaces, search engines, financial services, data processing services, and communications services providing messaging or video calls and games. While companies licensed under the Telecommunications Act are excluded from the definition of Digital Platform Service providers, the restrictions on use of VPNs and the requirement that companies cooperate with investigations are made specifically applicable to such companies.
Under a new provision, the use of VPNs to browse the internet would be a criminal offense without specific permission from an as-yet-unspecified ministry authorized to deal with cybersecurity. Use of an unauthorized VPN would be punishable by up to three years in prison. Virtual Private Networks, which allow a user access to blocked content, have played a critical role in enabling internet users in Myanmar to access sites blocked by the military since the coup and to access the internet without disclosing their true location. VPNs are also routinely used by businesses and individuals to ensure privacy and security.
Another newly added provision would allow the authorities to order Digital Platform Service providers to block or remove content about which there is a “legitimate complaint” that the content “damages a person’s social standing and livelihood.” It would not require the information to be false or require a court order. In effect, the new provision would allow the authorities to order the removal of any content critical of individual military leaders or others linked to the junta, Human Rights Watch said.
The draft law also retains provisions from the earlier draft requiring online service providers to block or remove a wide range of information at the instruction of the authorities. Prohibited content includes “misinformation and disinformation,” information “causing hate, disrupting the unity, stabilization and peace,” and statements “against any existing law.” Anyone who posts “misinformation or disinformation” faces a minimum of one year and up to three years in prison if they are found to have done so “with the intent of causing public panic, loss of trust or social division.”
Since any criticism of the coup or the military could be deemed as intending to cause “loss of trust” in the junta or social division, the junta could use these provisions as sweeping censorship tools.
Both Digital Platform Service providers and telecommunications companies would be required to cooperate with the authorities investigating a broad range of offenses, including those under the cybersecurity law. Failure to do so would be punished by a range of penalties up to and including revocation of their license to operate in Myanmar. The scope of the “interventions” with which businesses must cooperate is unclear, leaving open the possibility that this law could be used to force telecommunications companies to facilitate the live interception of communications. Last May, Reuters reported that the military, through the civilian government then in power, had forced telecommunications and internet service providers to install live intercept capabilities in the months leading up to the coup.
The bill, as with the Telecommunications Act, would effectively dispense with the legal requirement for a prosecutor to bring digital evidence to court, providing that:
the evidence relating to prosecuting an offense filed under this law is not easy to bring to court, it can be presented with a report or other relevant documentation on how the evidence is kept without going to court. Such submission shall be deemed to have been presented as evidence before the court and may be administered by the relevant court in accordance with the law.
Any dispute over digital evidence would have to be submitted to the National Digital Laboratory created under the law, and the decisions of that body would be final. This provision violates defendants’ rights to a fair trial and due process, which require that any evidence be presented against them, Human Rights Watch said.
Myanmar does not have any privacy or data protection laws that regulate the collection, use, and storage of personal data to safeguard against abuse when data is collected and retained even for legitimate purposes. The current version of the cybersecurity bill retains problematic provisions further undermining data privacy.