After decades of relative isolation, the regulatory framework in the Information Technology and Communications (ITC) space in Myanmar has remained fairly undeveloped amidst stellar business growth, particularly in Telecommunications. Nevertheless, there are some strict compliance points that ITC businesses must identify and address.
To provide context, a recent report released by The Economist Corporate Network, sponsored by Baker McKenzie highlights that Myanmar had only "thousands" of sim cards prior to the reform period in 2013. This figure has since ballooned to 50 million registered sim cards out of a population of about 54 million, translating to more than 90% mobile internet penetration in under 5 years. As a result, online banking and Fintech is now starting to pick-up and online retail is expected to follow.
Despite encouraging indicators, rolling-out products and services calls for a keen navigation of the various laws and regulations covering the ITC industry in Myanmar. Below are some key points to consider.
Permits and Licenses
Permits and licenses, if required, will depend on the nature of the service or product to be offered. Telecoms-related services, for example, may fall under any of four telecoms business licenses, and providers must obtain the appropriate license to offer services. Further limitations may also apply to other kinds of businesses, for example direct-to-home TV broadcasting, which requires special permission from the government.
Myanmar law recognizes that contracts perfected by electronic means are valid and this provides statutory basis to uphold "click wrap" agreements and online purchases. Unauthorised interception, unlawful disclosure, alteration and "hacking" in general, are all offences subject to criminal prosecution.
Fintech is subject to different sets of regulations altogether. Mobile Financial Service Providers (MFSP), for example, require specific permits to operate — they are subject to strict Know-Your-Customer (KYC) requirements, and periodic reportorial requirements. This licensing requirement is triggered by any financial service provided "through mobile technologies" and thus by definition may theoretically include any kind of payment made via mobile phone — something to keep in mind in business models using mobile online payments.
Myanmar has no specific data privacy law, but data is not completely unprotected. The unauthorised alteration, interception and disclosure of data, the unlawful access or disturbance to a network and the release of a virus with the intention to cause damage, are all considered criminal offences in Myanmar. The unauthorised disclosure of business secrets is considered an act of unfair competition, which is a criminal offence. Additionally, telecoms service providers have an obligation to maintain the confidentiality of information transmitted or received through their services and the personal information of each user.
Data and Infrastructure Location
The location of data, or the infrastructure where data is contained, should be a key consideration. For example, it may be prudent to keep certain data locally in select circumstances, such as when on-site inspection is required by a regulator. Additionally, placing infrastructure (such as servers) locally, may have "doing business" consequences and may trigger further compliance requirements.
The legal landscape of the ITC space in Myanmar is fluid, and businesses must be vigilant in keeping up to date. To mitigate risks, identifying and complying with existing laws and regulations, or confirming exemption therefrom, should be a principal concern.