(Bangkok) – Myanmar’s military junta has revived a draconian cybersecurity bill that would provide sweeping powers to the authorities, Human Rights Watch said today. The current draft would allow the junta, in power since the military coup on February 1, 2021, to access user data, block websites, order internet shutdowns, and prosecute critics and representatives of noncomplying companies.
The Cybersecurity Law was initially proposed a week after the coup. The current draft, an unofficial translation of which can be found here, includes new provisions that would ban use of virtual private networks (VPNs), abolish the need for certain evidentiary proof at trial, and require online service providers to block or remove online criticism of junta leaders. Ten international chambers of commerce in Myanmar issued a joint statement on January 28, 2022, that said the proposed law “disrupts the free flow of information and directly impacts businesses’ abilities to operate legally and effectively in Myanmar.”
“Myanmar’s military junta has taken a terrible draft cybersecurity law and made it even worse,” said Linda Lakhdhir, Asia legal adviser at Human Rights Watch. “The junta should scrap this bill, which would further devastate free expression and access to information across the country.”
The draft law would apply to all those providing “Digital Platform Services,” defined to include “any over the top (OTT) service that can provide the service to express data, information, images, voices, texts and video online by using cyber resources and similar systems or materials.” The law thus applies not only to social media and other content-sharing platforms, but to digital marketplaces, search engines, financial services, data processing services, and communications services providing messaging or video calls and games. While companies licensed under the Telecommunications Act are excluded from the definition of Digital Platform Service providers, the restrictions on use of VPNs and the requirement that companies cooperate with investigations are made specifically applicable to such companies.
Under a new provision, the use of VPNs to browse the internet would be a criminal offense without specific permission from an as-yet-unspecified ministry authorized to deal with cybersecurity. Use of an unauthorized VPN would be punishable by up to three years in prison. Virtual Private Networks, which allow a user access to blocked content, have played a critical role in enabling internet users in Myanmar to access sites blocked by the military since the coup and to access the internet without disclosing their true location. VPNs are also routinely used by businesses and individuals to ensure privacy and security.
Another newly added provision would allow the authorities to order Digital Platform Service providers to block or remove content about which there is a “legitimate complaint” that the content “damages a person’s social standing and livelihood.” It would not require the information to be false or require a court order. In effect, the new provision would allow the authorities to order the removal of any content critical of individual military leaders or others linked to the junta, Human Rights Watch said.
The draft law also retains provisions from the earlier draft requiring online service providers to block or remove a wide range of information at the instruction of the authorities. Prohibited content includes “misinformation and disinformation,” information “causing hate, disrupting the unity, stabilization and peace,” and statements “against any existing law.” Anyone who posts “misinformation or disinformation” faces a minimum of one year and up to three years in prison if they are found to have done so “with the intent of causing public panic, loss of trust or social division.”
Since any criticism of the coup or the military could be deemed as intending to cause “loss of trust” in the junta or social division, the junta could use these provisions as sweeping censorship tools.
Both Digital Platform Service providers and telecommunications companies would be required to cooperate with the authorities investigating a broad range of offenses, including those under the cybersecurity law. Failure to do so would be punished by a range of penalties up to and including revocation of their license to operate in Myanmar. The scope of the “interventions” with which businesses must cooperate is unclear, leaving open the possibility that this law could be used to force telecommunications companies to facilitate the live interception of communications. Last May, Reuters reported that the military, through the civilian government then in power, had forced telecommunications and internet service providers to install live intercept capabilities in the months leading up to the coup.
The bill, as with the Telecommunications Act, would effectively dispense with the legal requirement for a prosecutor to bring digital evidence to court, providing that:
the evidence relating to prosecuting an offense filed under this law is not easy to bring to court, it can be presented with a report or other relevant documentation on how the evidence is kept without going to court. Such submission shall be deemed to have been presented as evidence before the court and may be administered by the relevant court in accordance with the law.
Any dispute over digital evidence would have to be submitted to the National Digital Laboratory created under the law, and the decisions of that body would be final. This provision violates defendants’ rights to a fair trial and due process, which require that any evidence be presented against them, Human Rights Watch said.
Myanmar does not have any privacy or data protection laws that regulate the collection, use, and storage of personal data to safeguard against abuse when data is collected and retained even for legitimate purposes. The current version of the cybersecurity bill retains problematic provisions further undermining data privacy.
Digital Platform Service Providers would be required to keep a broad range of user data, including the person’s name, internet protocol (IP) address, phone number, ID card number, physical address, “user record,” and “other information as directed” for up to three years. Providers with at least 100,000 users in Myanmar would have to ensure that devices storing that data are “maintained in accordance with data classification rules” – rules that the bill does not define. Those who fail to comply would face up to three years in prison. Given the broad applicability of the law, this provision also poses serious risks for those using online payment systems. Companies would have to provide this data to the authorities when requested “under any existing law.”
The bill gives the authorities wide scope to block services and order internet shutdowns. The ministry assigned to implement cybersecurity matters, with approval from the junta, would be able to temporarily prohibit any digital platform provision, temporarily control devices related to provision of digital platform services, and issue a final ban on any digital service platform provider in Myanmar.
The United Nations Human Rights Committee, in its General Comment No. 34 on the right to freedom of expression, states that governments may impose restrictions on free expression only if they are provided by law and are necessary for the protection of national security or other pressing public need. To be provided by law, a restriction must be formulated with sufficient precision to enable an individual to regulate their conduct accordingly. “Necessary” restrictions must also be proportionate, that is, balanced against the specific need for the restriction being put in place. Nor can these restrictions be overbroad.
Myanmar’s cybersecurity bill falls far short of these standards. It fails to require that “disinformation” or “misinformation” would have to cause real harm to a legitimate interest, or to clearly define the content that is prohibited. The resulting lack of clarity would severely chill the discussion of controversial subjects out of fear of prosecution, Human Rights Watch said.
Further, mandatory third-party data retention fails to meet international human rights standards on the right to privacy. Such measures are neither necessary nor proportionate, are particularly prone to abuse, and circumvent key procedural safeguards. They limit people’s ability to communicate anonymously and may increase the threat of hacking or other data breaches.
“The proposed cybersecurity law would consolidate the junta’s ability to conduct pervasive censorship and surveillance and hamper the operation of businesses in Myanmar,” Lakhdhir said. “Governments that do business with the junta should recognize the information risks if the bill as drafted becomes law.”