This analysis outlines six serious risks posed by the Myanmar military government’s draft “Cyber Security Law”. It is based upon international standards relating to the right to freedom of expression. It builds upon a statement issued on 11 February by 250 civil society organisations in Myanmar, and other international statements.
The draft Cyber Security Law was circulated to stakeholders for feedback by 15 February. The draft law has been under development for several years, and the circulated version is similar to the version from mid-2020 under the previous government.
The draft law establishes a hierarchy of bodies overseen by and formed of representatives chosen by the military under the military’s governing State Administration Council (Arts. 5.a, 7, and 9). These oversight bodies are given absolute control over making internet and communications-related rules (Art. 6.a), implementing those rules (Art. 6.b), and investigating rule-breakers (Art. 12). Furthermore, the draft law also enables the Ministry of Defence to issue rules (Art. 88).
The draft law is unusual because it has wide, extra-territorial reach, giving the military government an international jurisdiction as well as a normal domestic one. It creates international offences (Art. 2.a), applies to Myanmar citizens outside of Myanmar (Art. 1.a) and international organisations (Art. 6.h), and covers any form of international communications (Art. 1.c). This significantly extends the oppressive effect of Myanmar’s already restrictive domestic legal framework.
The draft law includes a variety of vague and overlapping crimes with three-year prison terms and fines, many of which do not have legitimate democratic aims. Three-year prison terms for misinformation or “fake” websites that cause “public panic, loss of trust or social division” are likely to be used to punish criticism (Arts. 64 and 65). Sharing “sexually explicit speech” – such as that currently being used by many Generation Z protesters – is also punished with a three-year prison term (Art. 68). Using false names or pseudonyms on Facebook will result in a three-year prison sentence (Art. 65). Several provisions include three-year prison terms for actions commonly done by whistleblowers (Arts. 57, 59, and 60). In addition to these disproportionate three-year prison terms, those convicted may also be charged under the Counter-Terrorism Law (Arts. 70 and 71).
The draft law places both administrative and criminal liability on internet intermediaries such as Facebook, Google, and Telenor, while easing the military’s potential to ban them altogether. It includes a vague list of content that all “online service providers”, defined as “any person or business providing online services used in Myanmar”, must remove when ordered (Art. 29). The vague list includes for example, “verbal statements against any existing law” and is clearly intended to punish criticism. All “online service providers” must prepare in advance to receive orders (Art. 48), which may come from any person or organisation authorised by the military government (Art. 47).
If an intermediary does not comply with an order, the military government can issue a warning, fine, or temporary or permanent ban (Art. 72). Representatives of the intermediary will also face a criminal punishment of up to three-years imprisonment plus a fine (Art. 61).
The draft law enables the military government to take direct control over network infrastructure and eases their ability to shut down the internet. It includes provisions for both temporary and permanent bans on any online service such as Facebook (Arts. 51.a and 51.c), and provisions for allowing the military government temporary control of any network devices (Art. 51.b). Bans must be in accordance with a vague “public interest”, presumably as defined by the military (Art. 51). The only so-called “safeguard” is that the military’s governing State Administration Council must approve the military-controlled ministry’s decision (Art. 51).
The draft law gives the military unfettered access to private data. It requires all “online service providers” such as Facebook, Google, and Telenor, to store vast quantities of personal private data including Citizenship Card numbers for at least three years (Art. 30). This data must be stored on servers designated by the military-controlled government (Art. 28.a), and be accessible for “national security” checks (Art. 59). There are no privacy safeguards (Art. 15) and data must be provided when requested (Art. 31). Any computer owned by anybody can be inspected on vague grounds (Art. 45).
The only institution in Myanmar with the constitutional mandate to adopt laws is the Union Parliament. Therefore, FEM rejects the draft Cyber Crime Law in its entirety. Nevertheless, FEM calls on all national and international stakeholders to remind the military government of their obligations under international law and Myanmar’s Constitution, and to significantly revise any such “law” to address the six serious risks highlighted above.