Tilleke & Gibbins

 

What law(s) specifically govern personal data / information?

Constitution of the Republic of the Union of Myanmar (2008)

Law Protecting the Privacy and Security of Citizens (2017) (as amended)

Electronic Transactions Law (2004) (as amended)

Competition Law (2015)

Financial Institutions Law (2016)

Telecommunications Law (2013)

Notification 116/97 of the Ministry of Finance and Revenue

Law Relating to Private Health Care Services (2007)

Regulations on Mobile Financial Services (2016)

Cybersecurity Law (2025)

The Electronic Transactions Law 2004 ("ETL") was updated in 2021 to establish personal data protections for the first time under Myanmar law, making it the primary legislation governing personal data protection in the country.

 

What are the key data protection principles in this jurisdiction?

Personal data is data that identifies an individual.

Personal data must be kept securely.

Personal data may not be disclosed or transferred without the consent of the data subject.

Personal data must not be used for any purpose other than the one for which it was originally collected.

Personal data should not be retained longer than necessary to fulfill its intended purpose and must be securely destroyed once that purpose has been achieved.

What is the supervisory authority / regulator in charge of data protection?

Electronic Transactions Control Board.

 

Is there a requirement to register with a supervisory authority / regulator?

No. However, under the Cybersecurity Law, cybersecurity service providers and digital platform service providers are required to register with the relevant authorities in order to obtain a service license.

 

Is there a requirement to notify the supervisory authority / regulator?

No. However, under the Cybersecurity Law, cybersecurity service providers and digital platform service providers are required to register with the relevant authorities in order to obtain a service license.

 

Is it possible to register with / notify the supervisory authority / regulator online?

N/A

 

What are the key data subject rights under the data protection laws of this jurisdiction?

No specific rights.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No. The law is not clearly drafted but appears to require that a personal data administrator (PDA) is appointed.

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

Unclear.

 

Does this jurisdiction have any specific data breach notification requirements?

The suspension of Section 8 of the Law Protecting the Privacy and Security of Citizens (2017) means that government agencies can now intercept any communication and demand data from telecommunications service providers. In addition, amendments to the Electronic Transactions Law (2004) allow the government access to personal data in the name of 'stability,' 'tranquility,' and 'national security.'

According to the Regulations for Mobile Financial Services (MFS), a Mobile Financial Service Provider is required to promptly notify the Central Bank of Myanmar (CBM) in writing—no later than two business days—if there are any signs of confidential data loss within the MFS system.

 

What restrictions apply to the international transfer of personal data / information?

The law is not clearly drafted but appears to require consent from the data subject.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

No.

 

What rules specifically deal with marketing?

There are general rules relating to marketing in the Competition Law (2015) and the Consumer Protection Law (2019); however, they do not deal with the use of personal data in marketing. Provisions of the E-Commerce Guidelines (issued by the Ministry of Commerce of Myanmar on 5 September 2023) refer to the Competition Law and Consumer Protection Law regarding compliance in marketing, promotion and advertising.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads, etc.)?

There are no specific rules for electronic marketing in Myanmar. However, based on the E-Commerce Guidelines, there are general provisions on marketing via electronic messaging.

 

What rules specifically deal with cookies?

None.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Failure of a personal data administrator to properly manage personal data in accordance with the law is punishable by 1–3 years' imprisonment, a fine, or both.

Similarly, any other person misusing personal data is subject to 1–3 years' imprisonment, a fine, or both.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Two factors should be borne in mind:

  • Consent of the data subject is required for data processing and transfers; and
  • Personal data must be held securely.

 

What upcoming data protection developments should multinational organisations be aware of?

No updates sighted at this time.

 

Need more information?
Contact a member firm:
Yuwadee Thean-ngarm
Tilleke & Gibbins
Myanmar


Nwe Oo
Tilleke & Gibbins
Myanmar