Tilleke & Gibbins

 

What law(s) specifically govern personal data / information?

Constitution of the Republic of the Union of Myanmar (2008)

Law Protecting the Privacy and Security of Citizens (2017) (as amended)

Electronic Transactions Law (2004) (as amended)

Competition Law (2015)

Financial Institutions Law (2016)

Telecommunications Law (2013)

Notification 116/97 of the Ministry of Finance and Revenue

Law Relating to Private Health Care Services (2007)

 

 

What are the key data protection principles in this jurisdiction?

Personal data is data that identifies a living individual.

Personal data must be kept securely.

Personal data may not be disclosed or transferred without the consent of the data subject.

 

What is the supervisory authority / regulator in charge of data protection?

Electronic Transactions Control Board.

 

Is there a requirement to register with a supervisory authority / regulator?

No.

 

Is there a requirement to notify the supervisory authority / regulator?

No.

 

Is it possible to register with / notify the supervisory authority / regulator online?

N/A.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

No specific rights.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No. The law is not clearly drafted but appears to require that a personal data administrator (PDA) is appointed.

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

Unclear.

 

Does this jurisdiction have any specific data breach notification requirements?

The suspension of Section 8 of the Law Protecting the Privacy and Security of Citizens (2017) means that government agencies can now intercept any communication and demand data from telecommunications service providers. In addition, amendments to the Electronic Transactions Law (2004) allow the government access to personal data in the name of “stability,” “tranquillity,” and “national security.”

 

What restrictions apply to the international transfer of personal data / information?

The law is not clearly drafted but appears to require consent from the data subject.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

No.

 

What rules specifically deal with marketing?

There are general rules relating to marketing contained in the Competition Law (2015) and the Consumer Protection Law (2019); however, they do not deal with the use of personal data in marketing.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads, etc.)?

N/A.

 

What rules specifically deal with cookies?

No.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Failure of a personal data administrator to properly manage personal data in accordance with the law is punishable by 1–3 years’ imprisonment, a fine, or both.

Similarly, any other person misusing personal data is subject to 1–3 years’ imprisonment, a fine, or both.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Two factors should be borne in mind:

  • Consent of the data subject is required for data processing and transfers; and
  • Personal data must be held securely.

 

What upcoming data protection developments should multinational organisations be aware of?

A draft Cyber Security Law containing data protection provisions has been circulated; however, those provisions are extremely similar to the new provisions in the Electronic Transactions Law referred to above.

 


Need more information?
Contact a member firm:
Yuwadee Thean-ngarm
Tilleke & Gibbins
Myanmar