September 2023

1. Governing Texts

Currently, there are no specific laws or regulations related to data protection in Myanmar. However, the Constitution of the Republic of the Union of Myanmar 2008 ('the Constitution') and the Law Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017)  March 8, 2017 ('the Privacy Law') both set-out provisions for the protection of privacy and security of communications.

Furthermore, the Electronic Transactions Law (State Peace and Development Council Law 5/2004) April 30, 2004 ('the Electronic Transactions Law') was amended by the Amendment on Electronic Transactions Law (State Administration Council Law 7/2021) February 15, 2021 (only available in Burmese here) ('Electronics Transaction Law as amended in 2021'), which introduced the protection of personal data.

In addition, other laws related to various industry sectors protect against the disclosure of confidential information. However, we are not aware of any action that has been taken by the authorities under any of these provisions for a breach of privacy or the unauthorized disclosure of confidential information.

1.1. Key acts, regulations, directives, bills

The Constitution

The Constitution refers to the protection of privacy and security of communications. Although not entirely clear, this seems to include a form of data privacy. Section 357 of the Constitution states that 'The Union shall protect the privacy and security of home, property, correspondence, and other communications of citizens under the law, subject to the provisions of this Constitution.'

The Privacy Law

The Privacy Law was enacted for the protection of privacy and security of citizens of Myanmar as stated in the Constitution. Section 3 of the Privacy Law states that 'Every citizen has the right to enjoy the protection of their privacy and security in full, as set out in the Constitution.'

However, no general offense is created by the Privacy Law for interfering with this Constitutional right, although there appears to be room to make a complaint under Section 6 of the Privacy Law.

Section 8 of the Privacy Law contains provisions regarding communications, telecommunications, and private correspondence as follows:

• 'no person shall have their communication with another person or communications equipment intercepted or disturbed with in any way;
• no one shall demand or obtain personal telephonic and electronic communications data from telecommunication operators; and
• no one shall open, search, seize, or destroy another person's private correspondence, envelope, package, or parcel.'

In the case of a breach of Section 8, the Privacy Law does create an offense, which carries with it six months to three years imprisonment and a fine between MMK 300,000 (approx. $143) to MMK 1.5 million (approx. $715).

The Competition Law

Section 19 of the Competition Law (Union Parliament Law 9/2015)  February 24, 2015 ('the Competition Law') refers to disclosing or using secrets of another business.

In particular, no businessman shall, in respect of disclosing secrets of any other business, carry out any of the following acts:

• infringe security measures protected by the lawful owners of business secrets by accessing and collecting business secrets and information related to such secrets;
• use or reveal information of business secret without permission of the lawful owner of such business;
• deceive a person with an obligation to maintain secrets or abuse the confidence of such person in accessing, collecting, collecting, or revealing business secrets and information related to such secrets;
• leak business secrets and procedures of product distribution owned by other persons whose conduct is systematically in accordance with the Competition Law;
• leak economic information by infringing security measures exercised by the State-owned organization; and
• carry out business activities or apply for business licenses or distribute goods by using information contained in Section 19(6) of the Competition Law.

The Competition Law provides that a person guilty of an offense under Section 19 of the Competition Law shall be punished with up to two years imprisonment, a fine of up to MMK 10 million (approx. $4,766), or both.

The Electronic Transactions Law

Section 27-A of the Electronics Transactions Law as amended in 2021 provided the role of a 'Personal Data Administrator' ('PDA') who is responsible for;

• maintaining, protecting, and managing the personal data systematically that they administered in accordance with law and by the degree of type and security;
• not, except the permission of the owner of personal data or under provisions of any existing law, letting the personal data that they administered be scrutinized, disclosed, informed, distributed, sent, altered, destroyed, copied, or submitted as evidence to any third party or any entity;
• not using personal data for management matters that do not comply with the objective; and
• destroying, when the designated period is expired, the personal data in the case that data is collected with an intention to be used within a limited period.

Other legislation

There have been numerous discussions about the introduction of a data protection law and regime, although nothing has transpired as of yet. The Government of the Republic of the Union of Myanmar is currently challenged with a full legislative program to update many old laws, but data protection is certainly on the agenda. One such discussion document is the Policy Brief a Data Protection Law that Protects Privacy: Issues for Myanmar January 2019.

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

Data protection related provisions apply to all related persons.

2.2. Territorial scope

Data protection related provisions of Myanmar extend to the whole of Myanmar.

2.3. Material scope

Section 4(a) of the Electronic Transactions Law  provides that the provisions of the Electronics Transaction Law 'shall apply to any kind of electronic record and electronic data message used in the context of commercial and non-commercial activities including domestic and international dealings, transactions, arrangements, agreements, contracts and exchanges and storage of information.'

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Not applicable.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Data controller: This is not defined in the applicable law. However, a 'Personal Data Administrator' refers to a person and its staff authorized by a Government department, or an entity having the power to collect, store, and use personal data according to the provision of the Electronic Transactions Law or any existing law (Section 2(m) of the Electronic Transaction Law as amended in 2021).

Data processor: This is not defined in the applicable law.

Personal data: Any information that relates to an identified or identifiable living individual (Section 2(l) of the Electronic Transactions Law as amended in 2021).

Sensitive data: This is not defined in the applicable law.

Health data: This is not defined in the applicable law.

Biometric data: This is not defined in the applicable law.

Pseudonymization: This is not defined in the applicable law.

Information: Data, text, image, voice, video, code, software, application, and database (Section 2(a) of the Electronic Transactions Law as amended in 2021).

5. Legal Bases

5.1. Consent

With reference to Section 27-A(ii) of the Electronic Transactions Law as amended in 2021, the PDA shall seek the consent of the owner of data before any transfer.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

With reference to Section 27-A(i) of the Electronic Transactions Law as amended in 2021, the PDA shall manage personal data systematically in accordance with law and by degree of type and security.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

With reference to Section 27-A(ii) of the Electronic Transactions Law as amended in 2021, the PDA shall seek the consent of the owner of data before any transfer.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Not applicable.

7.7. Data retention

With reference to Section 27-A(iv) of the Electronic Transactions Law as amended in 2021, the PDA shall destroy personal data when the designated period collected with the intention to be used is expired. 

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Not applicable.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

Not applicable.

8.2. Right to access

Not applicable.

8.3. Right to rectification

Not applicable.

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Sections 38-A and 38-B of the Electronic Transactions Law as amended in 2021 provide for the punishment of breaches of personal data. Accordingly, a PDA who fails to manage personal data shall in accordance with the provisions of the Electronic Transactions Law, on conviction, be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years, or a fine not exceeding MMK 10 million (approx.$4,766), or both.

In addition, whoever commits, acquires, discloses, uses, destroys, alters, distributes, sends to any other person, or misuses the personal data of any person without the permission of such person shall, on conviction, be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years, a fine not exceeding MMK 5 million (approx. $2,383), or both.

Telecommunications sector

The Telecommunications Law (Union Parliament Law 31/2013) October 8, 2013 ('the Telecommunications Law') contains provisions related to keeping confidential and personal information secure, which includes data.

In particular, Section 69 of the Telecommunications Law provides, 'whoever, unless for the matters concerning prosecution regarding telecommunications, and unless authorized under court order to disclose, discloses any information which is kept under a secured or encrypted system to any irrelevant person by any means shall, on conviction, be liable to imprisonment for a term not exceeding one year or to a fine or to both.'

9.1 Enforcement decisions

Not applicable.