(Bangkok) – Myanmar’s navy junta has revived a draconian cybersecurity invoice that would offer sweeping powers to the authorities, Human Rights Watch mentioned at this time. The present draft would enable the junta, in energy because the navy coup on February 1, 2021, to entry person knowledge, block web sites, order web shutdowns, and prosecute critics and representatives of noncomplying firms.
The Cybersecurity Regulation was initially proposed per week after the coup. The present draft, an unofficial translation of which may be discovered right here, consists of new provisions that may ban use of digital personal networks (VPNs), abolish the necessity for sure evidentiary proof at trial, and require on-line service suppliers to dam or take away on-line criticism of junta leaders. Ten worldwide chambers of commerce in Myanmar issued a joint assertion on January 28, 2022, that mentioned the proposed legislation “disrupts the free stream of data and immediately impacts companies’ talents to function legally and successfully in Myanmar.”
“Myanmar’s navy junta has taken a horrible draft cybersecurity legislation and made it even worse,” mentioned Linda Lakhdhir, Asia authorized adviser at Human Rights Watch. “The junta ought to scrap this invoice, which might additional devastate free expression and entry to data throughout the nation.”
The draft legislation would apply to all these offering “Digital Platform Companies,” outlined to incorporate “any excessive (OTT) service that may present the service to precise knowledge, data, photographs, voices, texts and video on-line through the use of cyber sources and related programs or supplies.” The legislation thus applies not solely to social media and different content-sharing platforms, however to digital marketplaces, search engines like google, monetary companies, knowledge processing companies, and communications companies offering messaging or video calls and video games. Whereas firms licensed underneath the Telecommunications Act are excluded from the definition of Digital Platform Service suppliers, the restrictions on use of VPNs and the requirement that firms cooperate with investigations are made particularly relevant to such firms.
Underneath a brand new provision, using VPNs to browse the web could be a prison offense with out particular permission from an as-yet-unspecified ministry licensed to take care of cybersecurity. Use of an unauthorized VPN could be punishable by as much as three years in jail. Digital Non-public Networks, which permit a person entry to blocked content material, have performed a crucial position in enabling web customers in Myanmar to entry websites blocked by the navy because the coup and to entry the web with out disclosing their true location. VPNs are additionally routinely utilized by companies and people to make sure privateness and safety.
One other newly added provision would enable the authorities to order Digital Platform Service suppliers to dam or take away content material about which there’s a “reputable grievance” that the content material “damages an individual’s social standing and livelihood.” It could not require the data to be false or require a courtroom order. In impact, the brand new provision would enable the authorities to order the elimination of any content material crucial of particular person navy leaders or others linked to the junta, Human Rights Watch mentioned.
The draft legislation additionally retains provisions from the sooner draft requiring on-line service suppliers to dam or take away a variety of data on the instruction of the authorities. Prohibited content material consists of “misinformation and disinformation,” data “inflicting hate, disrupting the unity, stabilization and peace,” and statements “towards any current legislation.” Anybody who posts “misinformation or disinformation” faces a minimal of 1 yr and as much as three years in jail if they’re discovered to have carried out so “with the intent of inflicting public panic, lack of belief or social division.”
Since any criticism of the coup or the navy might be deemed as meaning to trigger “lack of belief” within the junta or social division, the junta may use these provisions as sweeping censorship instruments.
Each Digital Platform Service suppliers and telecommunications firms could be required to cooperate with the authorities investigating a broad vary of offenses, together with these underneath the cybersecurity legislation. Failure to take action could be punished by a variety of penalties as much as and together with revocation of their license to function in Myanmar. The scope of the “interventions” with which companies should cooperate is unclear, leaving open the likelihood that this legislation might be used to pressure telecommunications firms to facilitate the stay interception of communications. Final Might, Reuters reported that the navy, by way of the civilian authorities then in energy, had compelled telecommunications and web service suppliers to put in stay intercept capabilities within the months main as much as the coup.
The invoice, as with the Telecommunications Act, would successfully dispense with the authorized requirement for a prosecutor to carry digital proof to courtroom, offering that:
the proof referring to prosecuting an offense filed underneath this legislation just isn’t simple to carry to courtroom, it may be introduced with a report or different related documentation on how the proof is saved with out going to courtroom. Such submission shall be deemed to have been introduced as proof earlier than the courtroom and could also be administered by the related courtroom in accordance with the legislation.
Any dispute over digital proof must be submitted to the Nationwide Digital Laboratory created underneath the legislation, and the choices of that physique could be ultimate. This provision violates defendants’ rights to a good trial and due course of, which require that any proof be introduced towards them, Human Rights Watch mentioned.
Myanmar doesn’t have any privateness or knowledge safety legal guidelines that regulate the gathering, use, and storage of non-public knowledge to safeguard towards abuse when knowledge is collected and retained even for reputable functions. The present model of the cybersecurity invoice retains problematic provisions additional undermining knowledge privateness.
Digital Platform Service Suppliers could be required to maintain a broad vary of person knowledge, together with the individual’s title, web protocol (IP) handle, cellphone quantity, ID card quantity, bodily handle, “person document,” and “different data as directed” for as much as three years. Suppliers with not less than 100,000 customers in Myanmar must be certain that gadgets storing that knowledge are “maintained in accordance with knowledge classification guidelines” – guidelines that the invoice doesn’t outline. Those that fail to conform would resist three years in jail. Given the broad applicability of the legislation, this provision additionally poses critical dangers for these utilizing on-line cost programs. Firms must present this knowledge to the authorities when requested “underneath any current legislation.”
The invoice offers the authorities broad scope to dam companies and order web shutdowns. The ministry assigned to implement cybersecurity issues, with approval from the junta, would be capable of briefly prohibit any digital platform provision, briefly management gadgets associated to provision of digital platform companies, and situation a ultimate ban on any digital service platform supplier in Myanmar.
The United Nations Human Rights Committee, in its Normal Remark No. 34 on the suitable to freedom of expression, states that governments might impose restrictions on free expression provided that they’re offered by legislation and are vital for the safety of nationwide safety or different urgent public want. To be offered by legislation, a restriction should be formulated with enough precision to allow a person to control their conduct accordingly. “Mandatory” restrictions should even be proportionate, that’s, balanced towards the particular want for the restriction being put in place. Nor can these restrictions be overbroad.
Myanmar’s cybersecurity invoice falls far in need of these requirements. It fails to require that “disinformation” or “misinformation” must trigger actual hurt to a reputable curiosity, or to obviously outline the content material that’s prohibited. The ensuing lack of readability would severely chill the dialogue of controversial topics out of worry of prosecution, Human Rights Watch mentioned.
Additional, obligatory third-party knowledge retention fails to satisfy worldwide human rights requirements on the suitable to privateness. Such measures are neither vital nor proportionate, are significantly susceptible to abuse, and circumvent key procedural safeguards. They restrict individuals’s potential to speak anonymously and should improve the specter of hacking or different knowledge breaches.
“The proposed cybersecurity legislation would consolidate the junta’s potential to conduct pervasive censorship and surveillance and hamper the operation of companies in Myanmar,” Lakhdhir mentioned. “Governments that do enterprise with the junta ought to acknowledge the data dangers if the invoice as drafted turns into legislation.”
