Tilleke & Gibbins


The following law(s) specifically govern personal data / information:

  • Constitution of the Republic of the Union of Myanmar (2008)
  • Law Protecting the Privacy and Security of Citizens (2017) (as amended)
  • Electronic Transactions Law (2004) (as amended)
  • Competition Law (2015)
  • Financial Institutions Law (2016)
  • Telecommunications Law (2013)
  • Notification 116/97 of the Ministry of Finance and Revenue
  • Law Relating to Private Health Care Services (2007)


The key data protection principles in this jurisdiction are:

  1. Personal data is data that identifies a living individual
  2. Personal data must be kept securely
  3. Personal data may not be disclosed or transferred without the consent of the data subject


The supervisory authority / regulator in charge of data protection is:

Electronic Transactions Control Board


Is there a requirement to register with a supervisory authority / regulator?



Is there a requirement to notify the supervisory authority / regulator?



Is it possible to register with / notify the supervisory authority / regulator online?



The key data subject rights under the data protection laws of this jurisdiction are:

No specific rights.


Is there a requirement to appoint a data protection officer (or equivalent)?



Do data protection / privacy impact assessments need to be carried out in certain circumstances?


Does this jurisdiction have any specific data breach notification requirements?

The suspension of Section 8 of the Law Protecting the Privacy and Security of Citizens (2017) means that government agencies can now intercept any communication and demand data from telecommunications service providers. In addition, amendments to the Electronic Transactions Law (2004) allow the government access to personal data in the name of “stability,” “tranquillity,” and “national security.”


The following restrictions apply to the international transfer of personal data / information:

The law is not clearly drafted but appears to require a personal data administrator.


Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?



The following rules specifically deal with marketing:

There are general rules relating to marketing contained in the Competition Law (2015) and the Consumer Protection Law (2019); however, they do not deal with the use of personal data in marketing.


Do different rules apply to business-to-business and business-to-consumer marketing?



The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.):



The following rules specifically deal with cookies:



The consequences of non-compliance with data protection laws (including marketing laws) are:

Failure of a personal data administrator to properly manage personal data in accordance with the law is punishable by 1–3 years’ imprisonment, a fine, or both. Similarly, any other person misusing personal data is subject to 1–3 years’ imprisonment, a fine, or both.


In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:

Two factors should be borne in mind:

  1. Consent of the data subject is required for data processing and transfers; and
  2. Data must be held securely.


Multinational organisations should be aware of the following upcoming data protection developments:

A draft Cyber Security Law containing data protection provisions has been circulated; however, these provisions are extremely similar to the new provisions in the Electronic Transactions Law referred to above.




Need more information?
Contact a member firm:
Yuwadee Thean-ngarm
Tilleke & Gibbins