On 11 December 2024, the junta enacted the Cybersecurity Law, a revised version of the 2022 draft. The law mandates that individuals or companies providing VPN services must register with a designated government ministry yet to be specified. The law states that anyone caught operating an unregistered VPN service faces penalties ranging from one to six months’ imprisonment, fines between MMK 1 million and MMK 10 million (approximately USD 226 to USD 2,260), or both. For companies or organizations, the fine starts at MMK 10 million.
Sub-clause 36(c) specifies that anyone using computer programs or electronic data with “dishonest intention” may face six months to two years’ imprisonment, a fine between MMK 1 million and MMK 10 million, or both. However, "dishonest intention" is left undefined, allowing for arbitrary interpretation and detentions against individuals by the regime. A significant revision from the previous draft is the law’s extension to include Myanmar nationals living abroad, as stated in Section 3(b). The law also authorizes a ministry designated by the regime to oversee cybersecurity services and digital platform services for national defense and security purposes, or upon the request of a regime department or organization, in accordance with relevant laws.
The law introduces two types of licenses for Cybersecurity services and Digital platform providers, valid for 3–10 years: Additionally, it stipulates that digital platforms with 100,000 or more users are required to obtain a license. Failure to comply may result in fines of at least MMK 100 million (approximately USD 47,600), and any proceeds from violations will be confiscated.
Arguably, one of the most troubling aspects of the law is its mandate on digital platform service providers to: retain user information, including usernames, IP addresses, phone numbers, identification card numbers, addresses, and usage data, as specified by the relevant department, for up to three years. The data is to be provided to the relevant authorities upon request. This could be interpreted as the extension of the 2022 draconian measures previously imposed on digital mobile payment platforms, which required service providers to register users with their photos, national identity cards, and SIM card numbers. Moreover, in an apparent effort to limit the reach of anti-regime content especially on social media like Facebook, the law requires digital platforms to remove “fake news,” "illegal" content, and posts inciting violence.
Overall, the Cybersecurity Law appears designed to increase monitoring of activities of social media users and expand business opportunities for crony networks. News reports, while yet to be corroborated, suggest that military-affiliated entities, including a company owned by junta leader Min Aung Hlaing’s son, Aung Pyae Son, have proposed establishing VPN services in Myanmar. While the law could have security implications for individuals and online businesses by forcing them to record user data, its enforceability is rather questionable. Major social media platforms, such as Facebook which has already been banned by the regime, X (formerly Twitter), and Signal, as well as VPN services commonly used in Myanmar, remain beyond the junta’s jurisdiction. Additionally, individual users are unlikely to willingly subscribe to military-affiliated VPN services for apparent security issues unless further coercive measures are implemented. One such measure could involve intensifying efforts to suppress foreign VPN services. Since May 2024, the military has demonstrated increased capacity to block VPNs, leveraging new technologies that have significantly disrupted most connections. Escalating these actions could potentially force individual users and businesses to switch to junta-affiliated services.
