On 15 February 2021, the State Administration Council ("SAC") enacted Law Number 07/2021, which introduced new provisions into the existing Electronic Transactions Law (ETL) ("Amended Law"). Among other things, the Amended Law has introduced the concept of Personal Data and provided protections for it. However, it has also included broad scenarios where the governing authority may breach such protections. The Amended Law also introduced offences relating to cyber-crime and cyber-terrorism. The new provisions are as follows:
Section 27-A – Section 27-A sets out the responsibilities and duties of a Personal Data Management Officer when processing Personal Data.
Section 27-B – Section 27-B stipulates that an Investigative Team, which will be designated as such by a relevant authority, has the responsibility to retain Personal Data and keep them confidential, unless their disclosure is required in accordance with the law.
Section 27-C – Section 27-C sets out scenarios where the protection of Personal Data may not apply, as follows:
- Where a governmental organisation designated by the Central Committee, the Investigative Team, or other Governmental Organisations requires the disclosure of Personal Data for the prevention, investigation, undertaking discovery, or provision of evidence in court in relation to cybersecurity, cyber attacks, cyber terrorism, cyber misuse, and other accidents.
- Where a governmental organisation designated by the Central Committee, the Investigative Team, or other Governmental Organisations requires Personal Data for the prevention, investigation, undertaking discovery, or provision of evidence in court in relation to a criminal matter.
- Where an investigation, undertaking discovery, or gathering or sharing information is undertaken in connection with cybersecurity and cybercrimes which threatens the sovereignty, peace, and stability or national security.
- Any other instances where a matter is undertaken by a department or an organisation authorised by the Central Committee, or the Central Committee in relation to sub-section (c).
Section 38-A – Section 38-A provides for the offence where a Personal Data Management Officer breaches his duties. The penalty imposed under this provision is an imprisonment term between one to three years, or a fine not exceeding 10 million MMK, or both.
Section 38-B – Section 38-B provides for the offence when one breaches the provision prohibiting interference with Personal Data. Interference includes, but is not limited to, obtaining, disclosing, altering, or disseminating Personal Data without the consent of the relevant person. Section 38-B imposes a penalty of an imprisonment term between one to three years, or a fine not exceeding 5 million MMK, or both.
Section 38-C – Section 38-C provides for the offence when one breaches the provision prohibiting the creation of fake or false information on the Cyber Space with the intent to cause fear, lose trust or respect, or disunity among the public. This provision imposes a penalty of an imprisonment term between one to three years, or a fine not exceeding 5 million MMK, or both.
Section 38-D – Section 38-D provides for the offence when one breaches the provision prohibiting unlawful interference with Cyber Resources, and obtaining access to restricted information including installing malware and committing Cyber Attacks. Section 38-D imposes a penalty of an imprisonment term between two to five years, or a fine not exceeding 30 million MMK, or both.
Section 38-E – Section 38-E provides for the offence when one breaches the provision prohibiting the commission of Cyber Attacks to obtain access to confidential Cyber Resources between Myanmar and another country, with the intent to cause disruption in diplomatic relations. Section 38-E imposes a penalty of an imprisonment term between three to seven years, or a fine not exceeding 50 million MMK, or both.
