The revised draft Cyber Security Law released by the Ministry of Transport and Communications (MOTC) on 13 January 2022 (“Draft Law 2.0“) appears to impose a broad prohibition on the use of virtual private networks (VPN) in Myanmar unless specific permission is granted by the MOTC. The Draft Law 2.0 does not distinguish the use of VPN between consumers and businesses; any person found guilty of the offense shall be punishable by imprisonment of a minimum of one year to a maximum of three years or a fine not exceeding MMK 5 million (approximately USD 2,500) or both.
Under the state of emergency, new regulations can be issued by the current administration within a short timeframe without a parliamentary review process. It is important for businesses which are operating in Myanmar to monitor developments in respect of the Draft Law 2.0 and assess how such changes could impact their existing IT practices and operations. Additionally, businesses should also look out for any subsequent release of guidelines that may provide details for the application of permission from the MOTC.
In more detail
- The Draft Law 2.0 was circulated by MOTC to certain key businesses including banks and telecommunications service providers, requesting for comments on the revised draft to be provided by 28 January 2022. While many of the provisions are similar to or constitute a refinement over the initial draft circulated back in February 2021, the prohibition on the use of VPN is a new provision.
- Under the Draft Law 2.0, any person intending to establish, access or connect to a network using VPN or equivalent technology is required to apply for specific permission from the MOTC. The definition of “network” is broadly drafted and covers any telecommunication system connected between any communication / computer devices through the use of cable, wireless or satellite or any other technologies.
- Upon our informal consultation with the relevant authorities, we understand that the Draft Law 2.0, if and when enacted, may provide a transition period for the parties concerned to comply with the regulations in respect of the use of VPN. We also understand that further guidelines or notification may be released, setting out the requirements for parties who use VPN in their ordinary course of business to apply for the necessary permission from the MOTC. We would, however, highlight that the information received to-date may still be subject to changes and should not be regarded as an assurance that such a transition period would be provided or that further guidelines would be released.