Myanmar - Data Protection Overview

September 2022

1. Governing Texts

Currently, there are no specific laws or regulations related to data protection in Myanmar. However, the Constitution of the Republic of the Union of Myanmar 2008 ('the Constitution') and the Law Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017) 8 March 2017 ('the Privacy Law') both set out provisions for the protection of privacy and security of communications.

Furthermore, the Electronic Transactions Law (State Peace and Development Council Law 5/2004) 30 April 2004 ('the Electronic Transactions Law') was amended by the Amendment on Electronic Transactions Law (State Administration Council Law 7/2021) 15 February 2021 (only available in Burmese), which introduced the protection of personal data.

In addition, other laws related to various industry sectors protect against the disclosure of confidential information. However, we are not aware of any action that has been taken by the authorities under any of these provisions for a breach of privacy or the unauthorised disclosure of confidential information.

1.1. Key acts, regulations, directives, bills

The Constitution

The Constitution refers to the protection of privacy and security of communications. Although not entirely clear, this seems to include a form of data privacy. Section 357 of the Constitution states that, 'The Union shall protect the privacy and security of home, property, correspondence, and other communications of citizens under the law subject to the provisions of this Constitution'.

The Privacy Law

The Privacy Law was enacted for the protection of privacy and security of citizens of Myanmar as stated in the Constitution. Section 3 of the Privacy Law states that, 'Every citizen has the right to enjoy the protection of his/her privacy and security in full, as set out in the Constitution'.

However, no general offence is created by the Privacy Law for interfering with this constitutional right, although there appears to be room to make a complaint under Section 6.

Section 8 of the Privacy Law contains provisions regarding communications, telecommunications, and private correspondence as follows:

  • 'No person shall have their communication with another person or communications equipment intercepted or disturbed with in any way';
  • 'No one shall demand or obtain personal telephonic and electronic communications data from telecommunication operators'; and
  • 'No one shall open, search, seize, or destroy another person's private correspondence, envelope, package, or parcel'.

In the case of a breach of Section 8, the Privacy Law does create an offence, which carries six months' to three years' imprisonment and a fine of between MMK 300,000 and MMK 1.5 million (approx. €150 to €740).

The Competition Law

Section 19 of the Competition Law (Union Parliament Law 9/2015) 24 February 2015 ('the Competition Law') refers to disclosing or using secrets of another business.

In particular, no businessman shall, in respect of disclosing secrets of any other business, carry out any of the following acts:

  • infringing security measures protected by the lawful owners of business secrets by accessing and collecting business secrets and information related to such secrets;
  • using or revealing business secret information without the permission of the lawful owner of such business;
  • deceiving a person with an obligation to maintain secrets or abusing the confidence of such person in accessing, collecting, or revealing business secrets and information related to such secrets;
  • leaking business secrets and procedures of products distribution owned by other persons whose conduct is systematically in accordance with the Competition Law;
  • leaking economic information by infringing security measures exercised by the State-owned organisation; and
  • carrying out business activities or applying for business licenses or distributing goods by using information contained in Section 19(6).

The Competition Law provides that a person guilty of an offence under Section 19 shall be punished with up to two years' imprisonment, a fine of up to MMK 10 million (approx. €4,940), or both.

The Electronic Transactions Law

Section 27-A of the Electronic Transactions Law (as amended in 2021) provides for the role of a 'Personal Data Administrator' ('PDA'), who is responsible for:

  • systematically maintaining, protecting, and managing the personal data that they administer, in accordance with law and by the degree of type and security;
  • not, except with the permission of the owner of personal data or under the provisions of any existing law, letting the personal data that they administer be scrutinised, disclosed, informed, distributed, sent, altered, destroyed, copied, or submitted as evidence to any third party or any entity;
  • not using the personal data for management matters that do not comply with the objective; and
  • destroying the personal data once the designated period has expired, where the data was collected with the intention of being used within a limited period.

Other legislation

There have been numerous discussions about the introduction of a data protection law and regime, although nothing has transpired as yet. The Government of the Republic of the Union of Myanmar is currently occupied with a full legislative programme of updating many old laws, but data protection is certainly on the agenda. One such discussion document is the Policy Brief 'A Data Protection Law that Protects Privacy: Issues for Myanmar' (January 2019).

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

Data protection-related provisions apply to all related persons.

2.2. Territorial scope

Data protection-related provisions of Myanmar extend to the whole of Myanmar.

2.3. Material scope

Please see Section 27-A of the Electronic Transactions Law in the section on key acts, regulations, directives, bills above.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Not applicable.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Information: Data, text, image, voice, video, code, software, application, and database (Section 2(a) of the Electronic Transactions Law as amended in 2021).

Data controller: This is not defined in the applicable law. However, a 'Personal Data Administrator' refers to a person and its staff authorised by a Government department, or an entity having power to collect, store, and use personal data according to the provisions of the Electronic Transactions Law or any existing law (Section 2(m) of the Electronic Transactions Law as amended in 2021).

Data processor: This is not defined in the applicable law.

Personal data: Any information that relates to an identified or identifiable living individual (Section 2(l) of the Electronic Transactions Law as amended in 2021).

Sensitive data: This is not defined in the applicable law.

Health data: This is not defined in the applicable law.

Biometric data: This is not defined in the applicable law.

Pseudonymisation: This is not defined in the applicable law.

5. Legal Bases

5.1. Consent

With reference to Section 27-A(ii) of the Electronic Transactions Law (as amended in 2021), the PDA shall seek the consent of the owner of data before any transfer.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

With reference to Section 27-A(i) of the Electronic Transactions Law (as amended in 2021), the PDA shall manage personal data systematically in accordance with law and by degree of type and security.

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

With reference to Section 27-A(ii) of the Electronic Transactions Law (as amended in 2021), the PDA shall seek the consent of the owner of data before any transfer.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Not applicable.

7.6. Data breach notification

Telecommunications sector

The Telecommunications Law (Union Parliament Law 31/2013) 8 October 2013 ('the Telecommunications Law') contains provisions related to keeping confidential and personal information secure, which includes data.

In particular, Section 69 of the Telecommunications Law provides, 'Whoever, unless for the matters concerning prosecution regarding telecommunications, and unless authorised under court order to disclose, discloses any information which is kept under a secured or encrypted system to any irrelevant person by any means shall, on conviction, be liable to imprisonment for a term not exceeding one year or to a fine or to both'.

7.7. Data retention

With reference to Section 27-A(iv) of the Electronic Transactions Law (as amended in 2021), the PDA shall destroy personal data that was collected with the intention of being used within a limited period once the designated period has expired.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Not applicable.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

Not applicable.

8.2. Right to access

Not applicable.

8.3. Right to rectification

Not applicable.

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Sections 38-A and 38-B of the Electronic Transactions Law (as amended in 2021) provide for the punishment of breaches of personal data. Accordingly, a PDA who fails to manage personal data in accordance with the provisions of the Electronic Transactions Law shall, on conviction, be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years, or a fine not exceeding MMK 10 million (approx. €4,940), or both.

In addition, whoever commits, acquires, discloses, uses, destroys, alters, distributes, sends to any other person, or misuses the personal data of any person without the permission of such person shall, on conviction, be punished with imprisonment for a term which may extend from a minimum of one year to a maximum of three years, a fine not exceeding MMK 5 million (approx. €2,470), or both.

9.1. Enforcement decisions

Not applicable.