The military’s new draft Cyber Security Law repeats the repressive provisions of previous drafts and adds more, seriously threatening the safety and security of Myanmar’s digital space.
The military has circulated a newly revised draft Cyber Security Law to a few stakeholders requesting any feedback by 28 January 2022. A 2021 draft of the same law disappeared after being criticised by business and civil society, including FEM. Some of the 2021 draft’s repressive provisions were later added to the Electronic Transactions Law in an amendment condemned by FEM and others.
This analysis outlines new threats posed by the 2022 draft. FEM’s analysis is based upon international standards relating to the right to freedom of expression. All of the threats posed by the 2021 draft still remain in the 2022 draft, and are listed below too. FEM has published an unofficial translation of the 2022 draft, showing any changes from 2021. This analysis should not be understood as legitimising the military’s authority or its so-called laws.
Prosecution bias, evidence ignored, and courts sidelined
The 2022 draft seriously undermines due process in Myanmar’s judicial system. Due process, which can be defined as fair treatment in courts according to a clear set of rules, is vital for the protection of all human rights, including freedom of expression. Any undermining of due process is therefore an attack on the right to freedom of expression.
Prosecutors would no longer be required to present electronic evidence of a crime in court, but could simply say that the evidence exists (Art. 66). The prosecutor’s evidence would come from the newly established and military-controlled “National Digital Forensic Lab” (Art. 65). If the defendant’s lawyers gave contradictory evidence in defence, which is normal in any criminal case, the court would be forced to favour the prosecution’s evidence, regardless of its merit (Art. 67).
Several provisions in the 2022 draft would sideline the courts entirely. The military would have the legal authority to check and take over the systems of digital businesses, order content deleted, block digital platforms, revoke business licences, and seize individuals’ computers or phones, all without going to court (Arts. 60, 61b, 35, 61c, 71-78, 55, 57).
More options for permanently blocking social media and websites
The 2022 draft has added a whole new chapter on administrative sanctions for digital businesses (Ch. 15), compared to just one article in the 2021 draft (Art.72). The new chapter includes four articles that each allow the military to block access to digital businesses, such as Facebook, YouTube, or domestic companies (Arts. 71-74) for breaching any one of five long and vaguely written provisions (Arts. 34, 35, 36, 54, 58). For example, the military could permanently block the whole of Facebook on the grounds that it included just one post criticising a military leader (Arts. 71 and 35e). Any such block would likely be a clear violation of the right to freedom of expression and access to information.
The 2022 draft does not include any safeguards to arbitrary blocking. The military would not need to have or show a reason for blocking, would not need to go to court, or get a court order, and could therefore decide to block access unilaterally. Any appeal by a blocked digital business would be decided by the military rather than a court (Art. 77). If blocking was inadequate, the military could shut down the entire digital business on the grounds that it had not been “properly formed”, a status undefined anywhere in the draft (Art. 74).
VPN use and encouragement criminalised
The 2022 draft would criminalise the use of Virtual Private Networks, or VPN, with a punishment of up to three years imprisonment and a fine (Art. 90). VPNs hide data flows so that people can access blocked content or communicate privately. VPNs are vital for protecting freedom of expression and access to information in authoritarian countries like Myanmar.
Most people in Myanmar use VPNs to access Facebook, which has been blocked by the military since 4 February 2021 shortly after the coup began. Businesses also use VPNs to exchange data securely, but could potentially apply for a waiver to the ban (Art. 62). Given that VPNs are needed to access Facebook, any individual or business that posted on Facebook could in effect be creating evidence of a crime.
Any individual that encouraged the use of VPNs could also face a punishment of up to three years imprisonment and a fine (Art. 89c). This could include phone shops that install VPNs, media outlets and civil society organisations who promote VPN use, or digital rights defenders who give security training.
Platforms like Facebook criminalised for hosting criticism
The previous 2021 draft would have made digital businesses, such as Facebook and YouTube, criminally liable for hosting any expression that the military decided fell under five vague categories (Arts. 29 and 61). The five categories included expressions that were vital for democratic debate and were lawful offline. For example, expression that disturbed the so-called “stability” of the military’s coup (Art. 29a). The military would also have had the legal authority to order such expression deleted (Art. 29). Any international businesses operating outside of Myanmar could have ignored the order. However, they would still have faced the risk of their employees being charged in absentia, or their services being blocked (Art 86, 100, 101).
The 2022 draft repeats the 2021 version and its violation of the right to freedom of expression. It has also added a sixth vague category of expression that the military could order deleted: “expressions that damage an individual’s social standing and livelihood” (Art. 35f). On first impression, this could mean defamation, which is best defined as a false assertion of fact that results in serious harm to a person’s reputation. However, the sixth category does not say or imply that the expression needs to be false, or needs to be an assertion of fact, or that it should create serious harm. Furthermore, the sixth category does not use any of the common Burmese language descriptions of defamation. Instead, it would best be described as simple criticism, which inevitably – and often rightly – damages a person’s standing. For example, criticism of a coup leader.
The 2022 draft’s “intermediary liability”, or holding digital businesses liable for content, would not only apply to international social media, but could also apply to Myanmar-based servers, websites, or apps. This increase in business risk may directly or inadvertently encourage businesses, including international companies, to carry out military orders in part or in whole, increase general content moderation to delete anything that could fall under the military’s six categories, or block Myanmar users altogether.
Child “pornography” crime removed
The right to freedom of expression and information may be limited under particular circumstances, including when necessary and proportionate to protect the rights of others. As such, there is no right to seek, receive, or impart content showing sexual abuse of children, often inappropriately called child “pornography”.
The 2021 draft would have rightly criminalised the specific crime of seeking, receiving, or imparting content showing sexual abuse of children (Art. 69). However, the military has completely removed this crime from the 2022 draft. It is unclear why the military would choose to effectively decriminalise child abuse content.
The 2022 draft does however keep the 2021 draft’s crime of sharing general sexually explicit content (Art. 96). The provision is vague and could be used to violate the right to freedom of expression and access to information. For example, people, including teachers and civil society workers, could be criminalised for providing sex education, discussing women’s bodies, or raising awareness of LGBTIQ issues.
Financial flows to dissenting groups blocked
The right to freedom of expression is closely linked to the right to freedom of association. Often, individuals join together with others who wish to express similar concerns. They may establish organisations that sometimes require income in order to facilitate their rights to association and expression. Any block that prevents an organisation from raising funds can be a violation of the right to freedom of association. If the organisation is blocked because of its political message, this is a violation of the right to freedom of expression too.
The 2022 draft includes a range of provisions that could seriously undermine the financial systems that are commonly used by members of the public to finance groups that offer dissent against the military such as the National Unity Government (NUG), Committee Representing Pyidaungsu Hluttaw (CRPH), and Civil Disobedience Movement (CDM) (Art.94 and 95).
At the beginning of the coup, the only institution in Myanmar with the constitutional mandate to adopt laws was the Union Parliament. As the Union Parliament is no longer functioning, laws and amendments, including the 2022 draft Cyber Security Law, cannot be lawfully adopted. The military has no legal right to adopt laws as civil society has already established.
Nevertheless, FEM calls on all national and international stakeholders – including those from within the business community – to review FEM’s analysis, reflect on how these violations of the right to freedom of expression would affect them and the Myanmar people, and act immediately to ensure that the military once again withdraws their repressive proposal.
Previously published concerns
The following concerns were published in February 2021 in response to the military’s circulation of the 2021 draft Cyber Security Law. All of the threats posed by the 2021 draft still remain in the 2022 draft.
1. Military will have absolute control over Myanmar’s internet
The draft law establishes a hierarchy of bodies overseen by and formed of representatives chosen by the military under the military’s governing State Administration Council (Arts. 5.a, 7, and 9). These oversight bodies are given absolute control over making internet and communications-related rules (Art. 6.a), implementing those rules (Art. 6.b), and investigating rule-breakers (Art. 12). Furthermore, the draft law also enables the Ministry of Defence to issue rules (Art. 88).
2. Regulates people, communications, and companies internationally
The draft law is unusual because it has a wide, extra-territorial reach, giving the military government an international jurisdiction as well as a normal domestic one. It creates international offences (Art. 2.a), applies to Myanmar citizens outside of Myanmar (Art. 1.a) and international organisations (Art. 6.h), and covers any form of international communications (Art. 1.c). This significantly extends the oppressive effect of Myanmar’s already restrictive domestic legal framework.
3. Increase in criminalisation and long prison terms
The draft law includes a variety of vague and overlapping crimes with three-year prison terms and fines, many of which do not have legitimate democratic aims. Three-year prison terms for misinformation or “fake” websites that cause “public panic, loss of trust or social division” are likely to be used to punish criticism (Arts. 64 and 65). Sharing “sexually explicit speech” – such as that currently being used by many Generation Z protesters – is also punished with a three-year prison term (Art. 68). Using false names or pseudonyms on Facebook will result in a three-year prison sentence (Art. 65). Several provisions include three-year prison terms for actions commonly done by whistleblowers (Arts. 57, 59, and 60). In addition to these disproportionate three-year prison terms, those convicted may also be charged under the Counter-Terrorism Law (Arts. 70 and 71).
4. Internet intermediaries criminally liable for content
The draft law places both administrative and criminal liability on internet intermediaries such as Facebook, Google, and Telenor, while easing the military’s potential to ban them altogether. It includes a vague list of content that all “online service providers”, defined as “any person or business providing online services used in Myanmar”, must remove when ordered (Art. 29). The vague list includes for example, “verbal statements against any existing law” and is clearly intended to punish criticism. All “online service providers” must prepare in advance to receive orders (Art. 48), which may come from any person or organisation authorised by the military government (Art. 47).
If an intermediary does not comply with an order, the military government can issue a warning, fine, or temporary or permanent ban (Art. 72). Representatives of the intermediary will also face a criminal punishment of up to three-years imprisonment plus a fine (Art. 61).
5. Eases network control and internet shutdown
The draft law enables the military government to take direct control over network infrastructure and eases their ability to shut down the internet. It includes provisions for both temporary and permanent bans on any online service such as Facebook (Arts. 51.a and 51.c), and provisions for allowing the military government temporary control of any network devices (Art. 51.b). Bans must be in accordance with a vague “public interest”, presumably as defined by the military (Art. 51). The only so-called “safeguard” is that the military’s governing State Administration Council must approve the military-controlled ministry’s decision (Art. 51).
6. Private data put under military control
The draft law gives the military unfettered access to private data. It requires all “online service providers” such as Facebook, Google, and Telenor, to store vast quantities of personal private data including Citizenship Card numbers for at least three years (Art. 30). This data must be stored on servers designated by the military-controlled government (Art. 28.a), and be accessible for “national security” checks (Art. 59). There are no privacy safeguards (Art. 15) and data must be provided when requested (Art. 31). Any computer owned by anybody can be inspected on vague grounds (Art. 45).