Global Data Privacy Guide
Myanmar (Asia Pacific)
Firm: Tilleke & Gibbins
Contributors: Yuwadee Thean-Ngarm
| Question | Answer |
|---|---|
| 1. What is the key legislation? | The key legislation for data protection is the Electronic Transactions Law (2004) (as amended) (the “ETL”). The related legislation is: the Constitution of the Republic of the Union of Myanmar (2008); the Law Protecting the Privacy and Security of Citizens (2017) (as amended); the Competition Law (2015); the Financial Institutions Law (2016); the Telecommunications Law (2013); and the Law Relating to Private Health Care Services (2007). |
| 2. What are the key decisions applying that legislation? | The ETL covers all electronic records used in commercial or non-commercial activities, both domestic and foreign. The ETL allows public authorities and law enforcement to access personal data held by private organisations in certain situations by exempting those authorities from Myanmar’s data protection laws. When authorities request data for national security or other specified reasons, these organisations are not subject to Myanmar's data protection or privacy regulations. |
| 1. How are “personal data” and “sensitive data” defined? | The ETL defines personal data as information that identifies or can identify an individual, but does not define sensitive data. |
| 2. How is the defined data protected? | Please see the answer to Q7 below. |
| 3. Who is subject to privacy obligations? | Pursuant to the provisions of the ETL, the personal data administrator (“PDA”) holds responsibility for ensuring data privacy. |
| 4. How is “data processing” defined? | The ETL does not contain specific provisions regarding data processing. However, the ETL does define data management as the processes involving the collection, acquisition, transfer, distribution, organization, restriction, deletion, recording, maintenance, storage, alteration, retrieval, consultation, utilization, or disclosure of personal data. |
| 5. What are the principles applicable to personal data processing? | Please see the answer to Q4 above. |
| 6. How is the processing of personal data regulated? | Please see the answer to Q4 above. |
| 7. How are storage, security and retention of personal data regulated? | The ETL provides that: (a) a PDA must ensure that personal data is not accessed, used or transferred without authorization (consent); (b) a PDA shall maintain, protect and manage personal data systematically, in accordance with law and with a level of security appropriate to the type of data (there are no specific provisions on required security controls); (c) a PDA must not use personal data for a purpose other than that for which it was collected; and (d) the data must not be retained for longer than is necessary to meet the purpose for which it was collected and must be destroyed thereafter. |
| 8. What are the data subjects' rights under the data legislation? | No particular rights have been granted. However, a data subject may lodge a complaint with the police for a breach of the provisions of the ETL by a personal data administrator, as such breaches are considered cognizable offences. |
| 9. What are the consent requirements for data subjects? | The ETL does not specify how to obtain data subject consent. |
| 10. How is authorization for use of data handled? | Please see the answer to Q7 above. |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | The ETL does not impose explicit restrictions on the cross-border transfer of data. Under the responsibilities placed on the PDA (see the answer to Q7), personal data may be transferred outside the country if either the data subject's consent has been obtained or such transfer is otherwise authorised by law. |
| 12. How are data "incidents" and "breaches" defined? | Not applicable. |
| 13. Are there any notification requirements for incidents and/or data breaches? | Not applicable. |
| 14. Who is/are the privacy regulator(s)? | Not specified. The Electronic Transactions Control Board will supervise all activities under the ETL. |
| 15. What are the consequences of a data breach? | Please see the answer to Q22. |
| 16. How is electronic marketing regulated? | On 5 September 2023, the Ministry of Commerce released binding E-Commerce Guidelines, defining e-commerce as online sales of goods or services, including marketing, logistics, ordering, and delivery. The guidelines require compliance with the Competition Law and the Consumer Protection Law in marketing and advertising. |
| 17. Are there sector-specific or industry-specific privacy requirements? | Not defined. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | Not defined. |
| 19. What are the record-keeping and documentation obligations? | Please see the answer to Q7 above. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | Not applicable. |
| 21. What are the requirements for third-party vendor management and data sharing? | Please see the answer to Q7 above. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | A breach of data protection regulations under the ETL constitutes a criminal offense. The specified penalties are as follows: (a) should the PDA fail to manage personal data in accordance with the ETL requirements, the individual may be subject to imprisonment for a term of 1 to 3 years, a fine not exceeding MMK 10 million (approximately USD 4,700), or both; (b) if the PDA is found guilty of obtaining, disclosing, using, modifying, disseminating, or transferring personal data to a third party without the owner's consent, the penalty may include imprisonment for a term of 1 to 3 years, a fine not exceeding MMK 5 million (approximately USD 2,350), or both. |
| 23. What are the ongoing compliance and audit requirements? | Not applicable. |
| 24. Are there any recent developments or expected reforms? | None at this time. |