Financial Crime World

Myanmar Tightens Data Protection Laws for Finance Sector

YANGON - As Myanmar’s economy continues to grow, foreign companies are investing in the country at an increasing rate. With this growth comes a greater need for understanding the complex web of regulations governing personal data and information.

Overview of Key Legislation

The following key legislation governs personal data and information in Myanmar:

  • Constitution of the Republic of the Union of Myanmar (2008)
  • Law Protecting the Privacy and Security of Citizens (2017)
  • Electronic Transactions Law (2004)
  • Competition Law (2015)
  • Financial Institutions Law (2016)
  • Telecommunications Law (2013)
  • Notification 116/97 of the Ministry of Finance and Revenue

Key Data Protection Principles

The key data protection principles in Myanmar include:

  • Secure Personal Data: Keeping personal data secure is a requirement under Myanmar’s laws.
  • Obtain Consent: Companies must obtain consent from individuals before disclosing or transferring their information.
  • No Misuse: Personal data must not be misused.

However, the lack of clear guidelines on data subject rights and data breach notification requirements has raised concerns among experts.

Regulatory Oversight

The Electronic Transactions Control Board is responsible for overseeing data protection in Myanmar. However, it does not require companies to register or notify them prior to processing personal data. The appointment of a data protection officer (DPO) is also not mandatory under current laws.

Concerns and Criticisms

Myanmar’s data protection laws have been criticized for being overly broad, allowing the government to intercept communications and demand data from telecommunications service providers in the name of national security. The country’s draft Cyber Security Law has raised concerns among experts about its implications for foreign companies operating in the country.

Recommendations for Companies

Multinational organizations processing personal data from individuals within Myanmar should be aware that:

  • Consent is Required: Consent is required for data processing and transfers.
  • Personal Data Must be Held Securely: Personal data must be held securely to avoid penalties.
  • Compliance with Regulations: Companies must stay up-to-date with the latest developments and ensure compliance with relevant regulations.

Consequences of Non-Compliance

Failure to comply with Myanmar’s data protection laws can result in imprisonment, fines, or both. Companies operating in the finance sector should take proactive steps to ensure that they are meeting their obligations under these laws to avoid reputational damage and financial penalties.