Access to personal electronic data: now the law says you need permissionMay 29, 2017
The Pyidaungsu Hluttaw published a new law on 8 March, 2017, the Law Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017).
This new law sets out general duties of relevant ministries and authorities to protect privacy and security of citizens, while a “citizen” is defined as “the person who is a citizen either under the Constitution or any other existing law”.
More importantly, Section 8 of the law prohibits conducts infringing on personal privacy and information. In particular, Article 8 (d) reads:
“In the absence of an order, permission or warrant issued in accordance with existing law, or permission from the Union President or a Union-level Government body…(d) No one shall demand or obtain personal telephonic and electronic communications data from telecommunication operators.”
Section 10 further sets out whosoever is found guilty of committing an offence under Section 8 shall, in addition to a sentence for a period from six months to up to three years, subject to a fine between 300,000 to 1,500,000 kyats.
The wording of Section 8 is very broad as it does not restrict access to the electronic data to those only of the Myanmar citizens, nor does it limit the type of infringers. Any person, except for the telecommunication operators which would hold personal data generated from their end users at the first place, could be an infringer under Section 8 and subject to penalty under Section 10, which leads to imprisonment and fine. It doesn’t mean that telecommunication operators themselves could be immune from this new law. Section 12 of the new law provides
“whoever is found guilty of encouraging, ordering, joining with, and assisting or abetting another to commit an offence under this law shall be sentenced in accordance with this law”.
Therefore a telecommunications operator assisting non-authorized access to personal data could be subject to penalty of the new law, too.
The new law is not clear on which authorities will be responsible to enforce this law. While the Ministry of Home Affairs is certainly one of them, any other government department, organizations or officials could be responsible to ensure the privacy and personal affairs of citizens are protected because the definition of “Responsible Authorities” is very broad. Hence the law seems to empower any Myanmar authority to take action under the name of protection of privacy.
This is the first time a law in Myanmar lays down a direct imprisonment term for unauthorized access to personal electronic communications data. The telecommunications laws in Myanmar imposes general duties for telecommunication licensees to protect personal data and privacy, however it does not set forth penalty for violation of such duties. Moreover, a party which is not a telecommunications licensee would not be subject to the same duties. A law to fill in this gap is Section 34 of the Electronic Transactions Law which provides anyone who accesses or uses data without permission of the data originator and the addressee could be subject to a fine, and only imprisonment if failing to pay the fine. Again, Section 34 of the Electronic Transactions Law does not lead to direct criminal penalty. It only becomes so under Section 10 of the new Law Protecting the Privacy and Security of Citizens.
It should also be noted that Section 13 under the new law states that provisions in the new law takes precedence upon other existing laws. In other words, if one is committing illegal acts punishable under both the Electronic Transactions Law and the new law, the new law should be applicable and a more serious penalty would be applied.
With implementation of the new privacy law, anyone who wants to obtain personal telephonic and electronic communication data from telecommunications operators should seek permission beforehand to avoid jail time. Even the telecommunication operators should be cautious to ensure they have obtained proper permission from the data originators to grant access for such personal data to any third party, to avoid being a conspiracy under Section 12 of the new law.
What permission will qualify?
The new law makes it important to get permission to access personal electronic data. Order, warrant or permission from government authorities or court will of course suffice, but any non-authority permission? Section 8 of the law states “permission…in accordance with existing law” can also satisfy the permission requirement. Therefore permission from the data originator could suffice such permission as it fits in the Electronic Transactions Law and Myanmar general legal principles.
The new law posts challenges to telecommunications operators to draw out the proper scope and steps of obtaining permission regarding use of data generated and received from the end users’ side. In the privacy agreement between the telecommunication operators and the end users, there should be clauses articulating end users’ permission which sufficiently covers possible and necessary third-party access and use of their personal data like third party access for system maintenance purpose. The telecommunications operators should also keep an eye on updating their privacy agreement with the end users any time when they needs to change the scope of permission. For example, they need to expand the list of third party to access such data. In practice, it might be prudent to seek a “double security” from both the relevant authority and private side for third-party access and use of such personal data.