
Global Data Privacy Guide

Myanmar

(Asia Pacific) Firm Tilleke & Gibbins

Contributors Yuwadee Thean-Ngarm

Updated 03 May 2022

What is the key legislation?

At present, there is no specifically codified data privacy law in Myanmar. Myanmar’s data privacy protection can, however, be found in a wide range of legal provisions under relevant existing laws.

Among this legislation, the Electronic Transactions Law 2004 (as amended in 2014 and 2021) is currently the most comprehensive statute, with inclusive provisions on data privacy in Myanmar. The Constitution of the Republic of the Union of Myanmar 2008 generally proclaims citizens’ rights to privacy and security. Other notable laws and regulations relating to the protection of data privacy include the Telecommunications Law 2013 (as amended in 2017), Law Protecting the Privacy and Security of Citizens 2017 (amended in 2020 and 2021), Competition Law 2015, Financial Institutions Law 2016, and Notification 116/97 (Insurance Business Rules) of the Ministry of Finance and Revenue.

The 2022 Cybersecurity Law (draft), which has not yet been enacted, also involves a key chapter on the protection of data privacy.

What data is protected?

In general, “personal data” capable of identifying an individual and “personal communication” delivered via cyberspace or a telecommunications network are protectable under the Electronic Transactions Law 2004 (as amended) and the Telecommunications Law 2013 (as amended), respectively.

Various existing laws relating to data privacy protection generally define “personal information” and “personal data” as information that can identify a data subject. In the business context, the personal information of customers or individual users is subject to confidentiality and must be protected to prevent disclosure to any third party, except where allowed or with the consent of the personal data owner in accordance with the existing laws. The specific definitions are as follows:

  • Electronic Transactions Law 2004 (as amended in 2014 and 2021) – “Personal data” means “information that identifies or is capable of identifying an individual.”
  • Telecommunications Law 2013 (as amended in 2017) – “Information” means “data, text, image, sound, code, sign, signal, any collection of data and combination of more than one thereof and similar matters.”

Who is subject to privacy obligations?

Although Myanmar does not have a single comprehensive data privacy protection law, the aforementioned relevant laws designate the responsible individuals, organizations, and institutions subject to privacy obligations, as follows:

  • Electronic Transactions Law 2004 (as amended in 2014 and 2021) – All organizations, as well as individuals and personal data administrators, are obliged to follow the privacy obligations.
  • Telecommunications Law 2013 (as amended in 2017) – All telecommunication business licensees operating under the Telecommunications Law 2013 are responsible for the privacy concerns of end-users through their telecommunication services.
  • Financial Institutions Law 2016 – Banks, financial institutions, and credit bureaus licensed in Myanmar are required to maintain the privacy of information relating to customers’ affairs, accounts, records, and transactions under the supervision of the Central Bank of Myanmar. However, the law exempts banking data from being divulged in certain circumstances, such as bankruptcy or dissolution of a business; criminal or civil proceedings; some audit and outsourcing activities; business transfer, merger, or restructuring; disclosure under the Anti-Money Laundering Law; and so on.
  • Notification No 116/1997 (Insurance Business Rules) of the Ministry of Finance and Revenue – All insurers and underwriting agents are required to keep the information and facts of a person's life assured confidential.
  • Competition Law 2015 – All business owners are responsible for nondisclosure and nonuse of another business’ secrets and private information without the lawful owner’s permission.
  • Law for Protection of Privacy and Security of Citizens 2017 (as amended in 2020 and 2021) – Individuals are prohibited from invading the personal privacy or personal security of other Myanmar citizens. However, this provision has been suspended by the Amendment Law of the State Administration Council (2021) until further notice.

What are the principles applicable to personal data processing?

In general, personal data cannot be examined, disclosed, informed, disseminated, transmitted, altered, destroyed, copied, or submitted as evidence without the consent of the data owner, or as permitted by existing law, to any individual or organization.

The processing of data can be managed by the Personal Data Administrator according to applicable principles. Pursuant to the Electronic Transactions Law 2004 (as amended in 2014 and 2021), personal data is processed based on its type and level of security in accordance with the law. During an investigation, the mandated person who receives personal data must keep the data confidential except when disclosing the information to persons permitted under the law.

There are some circumstances under which the management of personal data (data administration) can be done without the consent of the owner. These include filing a criminal charge in court, providing evidence before a court via an authorized person, and collecting information for national security.

How is the processing of personal data regulated?

Individuals and institutions are obliged to process personal data in compliance with the purpose of use as agreed by data owners and as enacted by law. Processing of personal data contrary to the proper purposes set out in the law is prohibited. Of the regulations relating to personal data protection in Myanmar, the Electronic Transactions Law 2004 (as amended in 2014 and 2021) contains fundamental provisions on the processing of data and aims to protect the personal data of the public. Under the law, processing personal data without the consent of the individual or not as permitted by existing law is prohibited. The Personal Data Administrator must also refrain from processing data contrary to the objectives set out in the law.

How are storage, security and retention of personal data regulated?

According to the Electronic Transactions Law 2004 (as amended in 2014 and 2021), the Personal Data Administrator is obliged to systematically store, protect, and process personal data according to its type and level of security. All retained personal data must be destroyed after the expiration of the designated period.

The Telecommunications Law 2013 (as amended in 2017) states that telecommunications business licensees must securely store the confidential personal information of individual users and not disclose it to irrelevant parties. Personal information in telephone and communication data from telecommunications operators must not be disclosed without a permit, permission, warrant in accordance with existing laws, or permission of the president or the Union Government.

Under the Competition Law 2015, the confidential data of a business is also protected and must be stored in accordance with confidentiality. Accessing, collecting, or revealing business secrets without consent or permission is considered unauthorized disclosure of business secrets.

In compliance with the Financial Institutions Law 2016, no person who has access to customer data may disclose it to a third party, except in cases where disclosure of customer information is permitted under relevant law. In addition, all licensed banks and financial institutions must securely store the data relating to customer accounts, records, and transactions and must not further disclose improperly obtained customer information or data.

What are the data subjects' rights?

In Myanmar, there is no express provision on the rights of data subjects (e.g., a do-not-call list or a right to correction of data).

However, according to existing laws, data subjects have the right to nondisclosure without the consent of a data owner and/or without the permission of law, the right to nondisturbance in communication by telecommunications devices or in any way, and the right to not have their data processed by unauthorized means.

Most importantly, every citizen has the right to personal privacy and personal security as set forth in the Constitution of Myanmar and under the Law for Protection of Privacy and Security of Citizens (2017).

Are there restrictions on cross-border data transfers?

Cross-border data transfers are not expressly restricted under Myanmar’s laws and there is no statutory provision for the transfer of data overseas. Under the Telecommunications Law, restrictions on cross-border data transfers must be in accordance with the terms and conditions contained in the telecommunications business license, especially for data center operations. Currently, Myanmar’s Post and Telecommunications Department ("PTD") oversees data transfer controls, and their position is not as clear when no express provision is made. Under the Electronic Transactions Law 2004 (as amended up to 2021), personal data may be transferred overseas with the consent of the data subject.

Are there any notification requirements for data breaches?

Existing statutes do not provide specific terms on notification requirements for data breaches. Practically, companies should notify the respective end-users, data subjects, or victims of a data breach in their system or service as a matter of responsible business conduct.

Who is the privacy regulator?

The authority for privacy regulation varies from sector to sector. The Post and Telecommunications Department under the Ministry of Transport and Communications is the key privacy regulator for the telecommunications sector under the Telecommunications Law 2013 (as amended), whereas the Central Body for Electronic Transactions regulates the management of personal data under the Electronic Transactions Law 2004 (as last amended in 2021). The Central Bank of Myanmar is entitled to regulate the supervision of information and data under the Financial Institutions Law 2016.

What are the consequences of a privacy breach?

A privacy breach may be punishable by imprisonment, fines, and administrative action in Myanmar.

According to the Electronic Transactions Law 2004 (as amended up to 2021), failure to manage personal data in accordance with the law may be subject to imprisonment for one to three years, a fine of up to MMK 10 million (approx. USD 5,600), or both. Obtaining, disclosing, utilizing, destroying, altering, disseminating, or sending personal data to a third party without the consent of the data subject or without other required approval may be subject to imprisonment for one to three years, a fine of up to MMK 5 million (approx. USD 2,800), or both.

Violations of privacy regulations in the Financial Institutions Law 2016 are punishable by administrative penalties such as warnings; fines; orders, including those restricting the operations of financial institutions; suspension; or permanent termination of rights. These administrative sanctions do not preclude taking criminal or civil action.

Under the Competition Law 2015, breaching the privacy of another business may be subject to imprisonment for up to two years, a fine of up to MMK 10 million (approx. USD 5,600), or both.

The Telecommunications Law 2013 (as amended in 2017) states that communication, reception, transmission, distribution, or conveyance of incorrect information with dishonest intent—or prohibiting, obstructing, or interfering with the transmission, reception, communication, conveyance or distribution of information without permission—is liable to imprisonment for up to one year, a fine, or both.

How is electronic marketing regulated?

There is no codified statute in Myanmar exclusively on electronic marketing; however, electronic marketing is regulated by the Competition Law (2015) and the Consumer Protection Law (2019) in general. Some other laws, including the Financial Institutions Law (2016) and the Electronic Transactions Law (2004), also mention protection from misleading advertisements and detrimental information in electronic transactions.

  • Competition Law 2015 – No business owner may carry out any of the following acts for the purpose of unfair competition:
    1. Directly comparing the business’ goods or services to those of the same type of another business;
    2. Misleading customers by imitative advertising of the goods of others;
    3. Broadcasting false or misleading information to the customers on one of the following matters:
      1. Price, quantity, quality, utility, designs, varieties, packaging, date of manufacture, durability, origin, manufacture, place of manufacture, processors, or place of the processing;
      2. Usage, service, or warranty period;
      3. Other false or misleading information;
    4. Other advertising activities prohibited by any existing law.

Moreover, false information may not be broadcast directly or indirectly by any business owner seeking to damage the reputation, financial situation, or business operations of another business.

  • Consumer Protection Law 2019 – Entrepreneurs are obliged to give clear and proper information on goods or services and not produce and trade goods or services that are not in conformity with the statements contained in the label (e.g., regarding ingredients), an advertisement, or a sales promotion.
  • Electronic Transactions Law 2004 (as amended up to 2021) – Creating, modifying or altering information, or distributing information that was created, modified or altered by electronic technology to be detrimental to the interest of or to lower the dignity of any organization or person, is liable to punishment under the law.
  • Financial Institutions Law 2016 – Financial institutions must not make a false, deceptive, offensive, or misleading advertisement in connection with their permitted activities.

Are there any recent developments or expected reforms?

The 2022 Cybersecurity Law (draft) is a pending law that covers the protection of data privacy in Myanmar.

Myanmar’s State Administration Council has been considering the enactment of the new Cybersecurity Law since 2021. Under the draft law, “personal data” means any data or information that can identify or has identified who the concerned person is, and “data” means completed, in-progress, or planned directives, presumptions, data, knowledge, or information, in a network or a computer system, that have either been prepared or are under preparation systematically, and which can be stored on computer memory in various forms.

Additionally, all individuals and organizations, including critical information infrastructures, companies, organizations carrying out service business under the Telecommunications Law, and digital platform service providers with more than 100,000 users in Myanmar, are subject to privacy obligations under the draft. This draft also states that any person who manages by other means or abuses personal data without the consent of the respective person will be liable, upon conviction, to imprisonment for one to three years, a fine of up to MMK 5 million, or both.
