As Myanmar faced the third internet shutdown on Sunday, a new cybersecurity bill put forward by the country’s military-run State Administrative Council has triggered overwhelming opposition among businesses and rights groups.
Although the government says the proposed bill will prevent cybercrime and other online activities that harm the state and its stability, civil society groups have warned that it could violate human rights, including freedom of expression, data protection, and personal privacy.
“The military’s proposed bill grants its leaders unprecedented power to censor citizens and violate their privacy, contravening democratic norms and fundamental rights guaranteed under international law,” wrote Jeff Paine, managing director of Asia Internet Coalition, in a statement issued on February 11. The group counts tech giants like Google, Facebook, and Twitter as members.
The law requires all online service providers to store personal information of each user, including their username, IP address, telephone number, and ID number, “at a place designated by the Ministry” for three years. Authorities can access the information on request, without providing a reason or warrant.
It also grants the government power to order internet service providers to “prevent, remove, destroy, and suspend” content that “triggers hatred, destroys unity and peace, or content that is identified as fake news and pornographic materials.”
“Myanmar’s chances of creating jobs and becoming a location for offshore data-based services such as call centers or shared services centers will be undermined as this law is incompatible with international data protection regulation such as the EU’s General Data Protection Regulation (GDPR),” reads a statement published by Myanmar Center for Responsible Business (MCRB), an independent initiative to foster responsible business activities throughout Myanmar.
“It will greatly increase the risk for companies in Myanmar, to the extent that some responsible international investors, particularly in the ICT sector, may exit the market altogether, or delay or terminate plans to invest or supply services,” the statement said.
The draft requires servers used by tech companies operating in Myanmar to be hosted within the country. This means tech companies will not be able to utilize the “secure and efficient services” of international cloud-based services, MCRB said in a statement.
“The bill is not written by people with any knowledge on cybersecurity, but by people who want to control the internet. Without any input from the cybersecurity community and stakeholders, the bill is more of a dictator shopping list,” a cybersecurity expert who had lobbied for formulating a cyber law for the National League for Democracy government told KrASIA on the condition of anonymity.
“The Telecommunications Law already gives the government broad powers to shut down the internet or block certain sites. However, the current law doesn’t give full authority to the government to directly direct access personal information and sweeping control of the telecom sector,” said the expert.
International telecommunication providers like Ooredoo and Telenor used to be able to publish government directives on their websites for public disclosure purposes, such as in the case of internet shutdowns, but that seems to no longer be the case.
Telenor issued a statement that indicates a gag order came into effect on Sunday: “It is currently not possible for Telenor to disclose the directives we receive from the authorities. We are gravely concerned with this development and recognize the impact this has on the local and international community’s ability to receive information. We deeply regret that the list on this site will no longer be updated.”
Read more: As Myanmar’s military pounced, an aerobics video turns viral
Analysts warn of a firewall that will manipulate internet traffic
“Currently, authorities could ban access to social media by limiting traffic to certain sites. However, this is no longer a viable option for the authorities who seek a long-term and comprehensive shutdown of social media. With the help of firewall and proxy servers, the government could manipulate the internet gateways where internet traffic goes between Myanmar and the rest of the internet,” the cybersecurity expert said.
“They are already implementing a Chinese hardware firewall to manipulate the internet traffic, so as to block certain websites, namely social media like Facebook, completely. The current military State Administration Council has instructed the telecom firms and internet service providers to configure and get the firewall ready for operations by February 15,” the expert claimed. KrASIA was not able to confirm this news.
The 36-pages draft bill was sent by the Ministry of Transport and Communications to mobile operators and telecom license holders on February 9. Operators have time to offer comments until February 15, according to the MCRB statement.
Individuals who fail to comply with the law could face up to three years in prison and a fine of up to MMK 10 million (USD 7,750). The ministry could temporarily suspend operations and issue a final ban on any online service providers if they breach the rules.
The bill was put forth nine days after the military arrested the country’s de facto leader Aung San Suu Kyi and other senior officials and activists on February 1.
The junta had already restricted telecom connectivity three times. Social media platforms including Facebook, WhatsApp, Instagram, and Twitter remain blocked in Myanmar.