Myanmar: Scrap Sweeping Cybersecurity Bill

State Administrative Council Chairman and Commander-in-Chief Senior Gen. Min Aung Hlaing makes a televised statement in Naypyitaw, Myanmar, February 11, 2021.
© 2021 Tatmadaw True Information Team Facebook page via AP

(Bangkok) – Myanmar’s military junta has put forward a draconian bill that would give it sweeping powers to access user data, block websites, order internet shutdowns, and imprison critics and officials at noncomplying companies, Human Rights Watch said today. The junta should withdraw the bill.

The ruling State Administrative Council, installed after the February 1, 2021 coup, sent the draft to telecommunications operators on February 9, and called for input on the bill by February 15.

“The draft cybersecurity law would hand a military that just staged a coup and is notorious for jailing critics almost unlimited power to access user data, putting anyone who speaks out at risk,” said Linda Lakhdhir, Asia legal advisor at Human Rights Watch. “It would have a devastating impact on freedom of expression and access to information at a time when those rights are more important than ever.”

The draft law requires online service providers to keep a broad range of user data, including the person’s name, IP address, phone number, ID card number, and physical address, for up to three years “at a place designated by” the as-yet-unspecified ministry authorized by the military junta to deal with cybersecurity. Companies must provide that data to the authorities when requested “under any existing law.” Those who fail to comply would face up to three years in prison.

Online service providers are required to block or remove a wide range of information at the instruction of the authorities, including “misinformation and disinformation,” information “causing hate, disrupting the unity, stabilization and peace,” and statements “against any existing law.” The law does not specify how the authorities are to determine what constitutes “misinformation,” nor does it provide any route of appeal for those whose content is blocked or removed. In effect, it would allow the military authorities to order the removal of any content they do not like, Human Rights Watch said.

Anyone who posts “misinformation or disinformation” faces up to three years in prison under section 65 of the bill if they are found to have done so “with the intent of causing public panic, loss of trust or social division.” Creation of a “fake” account, website, or web portal “with the intent of causing public panic, loss of trust or social division” carries the same possible penalties.

Since any criticism of the coup or the military could be deemed as intending to cause “loss of trust” in the junta or social division, the military could use these provisions as sweeping tools for censorship. The restriction on “fake” accounts could also be used to curb online anonymity and the use of pseudonyms, which are essential for people to be able to express themselves freely, especially in environments such as Myanmar where free expression rights are severely restricted.

The bill contains a number of provisions prohibiting “illegal” or “unauthorized” access to online material. Under section 62, a “dishonest attempt to access cyber sources without permission” or “extracting, copying, downloading or destroying any data” is punishable by up to three years in prison. Section 71 states that anyone who attempts unauthorized access to online information that is “kept confidential for nationally, internationally or multilaterally implemented security reasons” with the intent of “deteriorating the relationship between the country and other foreign countries” is subject to prosecution under an unspecified “Anti-Violence” law. Both of these provisions could be used to prosecute whistleblowers, investigative journalists, or activists who use leaked material for their work.

The draft law increases the military’s power over online service providers by authorizing the authorities to conduct unspecified “interventions” for a broad range of reasons, including public order, investigating crime, and “safeguarding public life, property and public welfare.” Section 51 authorizes the ministry assigned to implement cybersecurity matters, with approval from the State Administrative Council, to temporarily prohibit any online service provision, including shutting down communication networks, temporarily control devices related to online service provision, and issue a final ban on any online service provider in Myanmar. Representatives of the junta can also “visit and check and oversee” the premises of online service providers at any time.

Existing online service providers are required to register and apply for a new license within one year from the date on which the law is enacted. The license will be denied if the provider is not in compliance with the cybersecurity law’s strict requirements.

“Myanmar’s proposed cybersecurity law is the dream of despots everywhere,” Lakhdhir said. “It would not make people’s data, communications, or the underlying infrastructure more secure, but it would consolidate the junta’s ability to conduct pervasive surveillance, curtail online expression, and cut off access to essential services.”

The United Nations Human Rights Committee, in its General Comment No. 34 on the right to freedom of expression, states that governments may impose restrictions on free expression only if they are provided by law and are necessary for the protection of national security or other pressing public need. To be provided by law, a restriction must be formulated with sufficient precision to enable an individual to regulate their conduct accordingly. “Necessary” restrictions must also be proportionate, that is, balanced against the specific need for the restriction being put in place. Nor can these restrictions be overbroad.

The cybersecurity bill falls far short of these standards. It fails to require that the “misinformation” be material or cause real harm to a legitimate interest, or to clearly define the content that is prohibited. The resulting lack of clarity would severely chill the discussion of controversial subjects out of fear of prosecution, Human Rights Watch said.

Further, mandatory third-party data retention fails to meet international human rights standards on the right to privacy. Such measures are neither necessary nor proportionate, are particularly prone to abuse, and circumvent key procedural safeguards. They limit people’s ability to communicate anonymously and may facilitate hacking or other data breaches.

“The proposed cybersecurity law poses real risks for activists, journalists, academics, and ordinary people expressing their views on the internet,” Lakhdhir said. “The junta should scrap the bill entirely since its basic premise is contrary to respect for human rights.”