Competent authority
The Cybersecurity Law's provisions regularly refer to a "Ministry" and "Department". The focal ministry and the department responsible for implementing the Cybersecurity Law are yet to be determined, but in the 2022 draft version of the law, the Ministry of Transport and Communications was designated as the focal ministry, and the Information Technology and Cybersecurity Department was the implementing department.
Licensing for cybersecurity service providers
The Cybersecurity Law requires companies that provide cybersecurity services in Myanmar to be incorporated under the Myanmar Companies Law and hold a cybersecurity service licence from the relevant department. The licence term ranges from three to 10 years and is renewable six months before expiry.
Key responsibilities of cybersecurity service providers
Cybersecurity service providers have the following key responsibilities:
- Legal compliance: Obtain necessary permits and documentation as required by applicable laws
- Preventative measures: Establish and implement cybersecurity measures to monitor breaches and support emergency response units
- Damage notification: Notify customers of potential cybersecurity damages and advise on preventive actions
- Responsive programmes: Develop and implement solutions for malware or cyberattacks
- Emergency response: Immediately implement emergency programmes, respond to issues and notify affected/interested parties
- Technology standards: Use cybersecurity technology and adhere to international standards
- Information protection: Prevent breaches of, damages to or loss of service users' information
- Anomaly reporting: Immediately report any cybersecurity anomalies to the Department
- Compliance with licence terms and conditions: Adhere to the terms and conditions of the applicable licence
- Activity reporting: Prepare and submit cybersecurity activity reports to the Department as required
Administrative actions for non-compliance by cybersecurity service providers
The Department reserves the right to take the following actions against any cybersecurity service provider that fails to comply with its responsibilities:
- Issue a warning
- Impose a fine
- Suspend the licence
- Cancel the licence
Penalties for unlicensed cybersecurity service providers
Any individual or entity providing cybersecurity services without a licence may face the following penalties:
- Individuals: imprisonment for between one and six months and/or a fine ranging from MMK 1 million to MMK 10 million (approx. USD 500 to USD 5,000). Evidence related to the offence will also be confiscated as state property.
- Companies/entities: A minimum fine of MMK 10 million (approx. USD 5,000), and the confiscation of evidence related to the offence as state property. The Cybersecurity Law does not set out any penalties for officers of companies/entities.
Licensing for digital platform service providers
Any digital platform service provider (DPSP) with at least 100,000 users in Myanmar must be registered as a company under the Myanmar Companies Law, and must apply for service registration with the Department.
- 'Digital platform service' means any service enabling users to express, send, distribute or use information online using cyber resources or similar technology and related tools.
- 'Information' means data, database, sound, text, image, code, sign, signal, video, software or application.
The registration term ranges from three to 10 years and is renewable six months before expiry.
Compliance requirements for DPSP
DPSPs must adhere to the following regulations:
- Legal compliance: Obtain necessary permits and documentation as required by applicable laws
- Data storage: Maintain data storage devices in accordance with the requirements and user data based on data classification standards. (Since the requirements have not yet been specified, it is unclear whether there will be data localisation requirements.)
- Commercial activities: Comply with applicable laws for any commercial or profit-driven activities conducted via the platform
- Registration conditions: Comply with the terms and conditions as specified in the applicable registration certificate
- Information management: Upon awareness or notification by the Department, prevent the dissemination of destabilising information, misinformation, inappropriate content for public view, child pornography and sexually explicit content, and content violating laws, including infringement of intellectual property rights
- User data retention: Retain personal data, usage records and additional data as specified by the Department for up to three years
- Information disclosure: Produce required information upon request by the authority
Administrative actions for DPSPs
The Department may take the following actions against a DPSP:
- Issue a warning
- Impose a fine
- Suspend the registration certificate
- Cancel the registration certificate and blacklist the DPSP
In addition, the Ministry may take the following actions in the public interest:
- Suspend DPS or electronic information
- Temporarily seize materials related to DPS
- Shut down a DPS or declare it inappropriate for public use
Penalties for unregistered DPSPs
Any DPSP with 100,000 or more users in Myanmar that operates without registration may face penalties, namely a fine of at least MMK 1 billion (approx. USD 500,000) and the confiscation of evidence related to the offence as state property.
Virtual Private Network requirements
Ministry approval required to provide VPN services
Individuals or entities wishing to establish or provide Virtual Private Network (VPN) services in the national cyberspace must obtain approval from the Ministry. A VPN is defined in the Cybersecurity Law as a system that independently establishes a secure network within an existing network using technology to ensure secure connections between networks.
We note that "national cyberspace" is not defined, but further guidance from the authorities may be provided.
Penalties for unapproved VPN services
The following penalties apply for establishing or providing VPN services without Ministry approval:
- Individuals: imprisonment for between one and six months and/or a fine ranging from MMK 1 million to MMK 10 million (approx. USD 500 to USD 5,000). Evidence related to the offence will also be confiscated as state property.
- Companies/entities: A minimum fine of MMK 10 million (approx. USD 5,000), and confiscation of evidence related to the offence as state property. The Cybersecurity Law does not set out any penalties for officers of companies/entities.
Other offences using cyber resources
The Cybersecurity Law also criminalises other offences concerning the use of cyber resources:
Cyber abuse: Cyber abuse includes altering the quality or capacity of a computer program, software, or information; deleting the information; selling computer programs, software, or information without authorization; unauthorized access to or transfer of a computer program, software, or information; or controlling a computer system, computer program, software, or electronic information. The penalties for cyber abuse are imprisonment for between six months and three years, and/or a fine ranging from MMK 1 million to MMK 20 million (approx. USD 500 to USD 10,000).
Unsolicited message: The penalties for sending unwarranted or unsolicited messages using networks are imprisonment for between one and two years and/or a fine ranging from MMK 5 million to MMK 20 million (approx. USD 2,400 to USD 10,000).
Online theft: The penalties for online theft of, or mischief to, a person's funds using cyber resources are imprisonment for between two and seven years and a fine.
Online gambling: The following penalties apply for establishing an online gambling system without authorisation:
- Individuals: imprisonment ranging from six months to one year, and/or a fine ranging from MMK 5 million to MMK 20 million (approx. USD 2,400 to USD 10,000). Evidence related to the offence will also be confiscated as state property.
- Companies/entities: A minimum fine of MMK 20 million (approx. USD 10,000). Evidence related to the offence will also be confiscated as state property. The Cybersecurity Law does not set out any penalties for officers of companies/entities.
Key takeaways
Companies intending to offer cybersecurity services should begin planning to ensure compliance with the licensing and registration regimes established by the Cybersecurity Law. Please reach out if you have any questions, and we would be delighted to assist.