As the one year anniversary of the military’s illegal coup in Myanmar nears, the junta’s methodical efforts to achieve ultimate control over civic space are continuing. The recently revived draft Cybersecurity Law will effectively extinguish any remaining avenues for dissent and expression against an increasingly violent regime, and must be immediately withdrawn.
On January 13, leaked documents revealed the military’s attempts to reintroduce a notorious and oppressive law, previously shut down by Access Now and other civil society and industry stakeholders. The latest draft — an unofficial English version of which was shared with Access Now through partners — appears to resurrect all the major fears around suppression of freedoms that were enshrined in the original iteration. It is expected to pass as early as next week after a two-week token consultation.
The latest draft confers overbroad powers to the junta to censor expression online and undermine data protection, with no prospect for independent oversight or effective remedy. Military-controlled ministries will be granted powers to implement the law — including the Ministry of Defence (Ch. 1) with its decades-long history of human rights abuses, including serious international violations amounting to crimes against humanity and genocide.
If passed, this bill will enshrine in law the death of online civic space in Myanmar — throttling any remaining rights of the people of Myanmar to freedom of expression, association, information, privacy, and security. The redrafted text is designed to commandeer control of cybersecurity, electronic communications, cybercrime, data protection, and VPN services in not only an illegitimate, but also practically impossible manner.
Major warning signs
Sweeping definitions allow paralysing censorship in violation of the rights to free expression and information. A “Central Committee” — led by the military-appointed Deputy Prime Minister and ministers — is empowered to declare any digital intermediary or service provider as “critical information infrastructure” relevant to “cybersecurity” (Ch. 2-4). They have new authority to order the removal of virtually any form of data — texts, images, audio, or otherwise — deemed to “disrupt unity and peace in the country” (Ch. 9). “Cybercrimes” are overbroadly defined, allowing the military to easily suspend, block, take over, or ban websites, digital platform services, and providers that threaten the power of the junta (Ch. 11-12). “Cybersecurity organizations” can also be dissolved without accountability or oversight, allowing for overbearing military control of infrastructure (Ch. 15).
Controls on VPN usage will undermine individuals’ rights to information, privacy, and security. The free use of Virtual Private Networks (VPNs) is effectively banned by the bill — which requires VPN usage to be registered with and cleared by the authorities, and criminalises usage with up to three years’ imprisonment (Ch. 12, 17). This will significantly impact on people in Myanmar who are now reliant on VPNs to safely access and share crucial independent information online. Their right to information directly links to, and impacts, their rights to liberty and security, education, health, association, and adequate standard of living amidst a coup and pandemic. In the last few days, increased arrests have been reported of individuals for alleged illegal usage of VPNs — a worrying trend that is bound to expand if this bill comes into force.
Data protection measures are non-existent, allowing for privacy violations. The bill gives the junta access to data on the people of Myanmar, with virtually no real data protection rights or independent regulatory structure to protect their personal information. Wide carve-outs exclude government and police actors from protection obligations, and provide them instead with unchecked inspection powers (Ch. 6-7). Data localisation is forced upon digital service providers to hold personal information of their users for up to three years — which they must then furnish to the authorities if requested (Ch. 9).
Excessive intermediary regulations throttles the independence of online platforms and services. The bill imposes unprecedented licensing and registration requirements where digital service providers are obliged to register with authorities, pay licence fees, submit business reports to the authorities, and comply with military-led content regulation orders (Ch. 9-10). These regulations expand the Myanmar military’s surveillance of the operations of digital platforms, and increase its powers of control of and intrusion in their functioning — to the detriment of the millions of people who use these platforms.
What can be done to secure rights in Myanmar?
The proposed Cybersecurity Law was shelved last year due to massive national and international opposition. This current draft is no better, and needs global pushback.
Attempts to resurrect this draconian law must be immediately met with civil society, industry, and diplomatic pressure. These calculated encroachments on civic space impact not only on the freedoms of individuals, communities, and businesses within Myanmar, but — if left unopposed or unchecked — send an alarming signal that it is okay for an illegitimate regime to solidify control of its population through surveillance and suppression online and offline. The military must be taken to task.