Myanmar sets a dangerous precedent with the new draft of its cyber security bill

Caitlin Thompson


It has been a year since Myanmar’s military junta blocked Facebook, making it difficult to access the platform in the country where Facebook is equivalent to the internet. But the country’s new cyber bill, which is about to go into effect, could also make it illegal. 

Digital spaces have been shrinking ever since the junta’s takeover on February 1, 2021. Mobile data prices are going up, and internet shutdowns and blocks on websites are common. Telenor, the Norwegian telecom company, is currently selling its Myanmar subsidiary because of  military pressure to install surveillance tech.

But the new Cybersecurity Bill is about to make this already bad situation even worse.

Labeled as one of the world’s most restrictive cyber laws, the bill actually was first drafted before the coup by the country’s democratically elected government. But the junta’s version is more repressive, and the bill’s legislative innovations could inspire authoritarians worldwide.   

“It’s dangerous for other authoritarian states who are going to see it as a possible option. If Myanmar can get away with it, why can’t we?” said Oliver Spencer at Free Expression Myanmar.

It is also a disaster for the people of Myanmar. The latest draft of the cyber security bill, announced in late January, criminalizes the use of VPNs and makes it punishable by one to three years in prison or a fine of up to $280.

VPNs are currently the only way to access Facebook, which is crucial to many aspects of life in Myanmar. For years, Facebook came preinstalled on new smartphones. Businesses have Facebook pages rather than websites, people make a living through online shops and Messenger is one of the most popular communication tools. 

And Facebook is one of the only ways people can access independent news sources that are otherwise blocked in the country. 

Only a few years ago, the social media giant was accused of promoting hate and violence in Myanmar that led to deaths of nearly 10,000 Rohingya Muslims who were killed during a military crackdown in the Buddhist-majority country in 2017. Five years on, Facebook now embraces the role of the last bastion of free speech in the country and is calling for the immediate retraction of the law. 

“Facebook remains committed to protecting freedom of expression for the millions of Myanmar citizens who rely on our platform more than ever,” said Rafael Frankel at Meta, formerly Facebook.

It is true that criminalizing VPNs, which will make using Facebook effectively impossible and illegal, will have massive implications for Myanmar’s crippled civil society. But it is the economic impact that people in Myanmar seem to be most worried about. 

“It’s not that we see our rights or ability to speak out will be eroded because that’s already been eroded,” said an analyst in Yangon who didn’t want to be named due to security concerns. Now “everything, including the wider digital economy, becomes criminal,” the analyst added.

The law is effectively criminalizing “being part of society really, because being part of society means being on Facebook for most people,” said Vicky Bowman at the Myanmar Center for Responsible Business.

Business and civil society groups have somewhat successfully pushed back against the cyber security bill before. The junta first introduced the bill shortly after last year’s coup, but didn’t enact it due to backlash from the business community. Instead, some of the bill’s most repressive elements, like the government’s power to intercept data without a warrant, were simply added to the existing Electronic Transaction Act.  

The bill is expected to become law any day now. In Myanmar’s economic capital Yangon, police are already checking phones of residents for “illegal” VPNs. 


China has a new draft law cracking down on deepfakes, and it has some welcome additions. For example, it criminalizes deepfake porn and bans the technology from being used to spread false information. But it also requires companies that offer deepfake services to identify their users, “respect social morality and ethics” and “follow the correct political direction.” One of our favorite deepfakes that the Chinese government would definitely want to regulate is this one of Xi Jinping as Winnie the Pooh.

The UK Home Office seized and searched mobile phones of every migrant who arrived at the processing center at Tug Haven on the Dover coast between April to November 2020. It’s estimated thousands of people were caught up in the blanket policy. Migrants are challenging the policy for allegedly violating data privacy laws. Privacy International has come to their aid and is intervening in the Judicial Review conducted by the UK’s High Court. Now authorities have defended themselves, saying it’s necessary to help officials catch smugglers who help people cross the English Channel from France. As my colleague Isobel Cockerell reported, this is just one element of a complex matrix of surveillance targeting migrants trying to cross the sea into the UK. 

Arrested for a Facebook post: a young man in Tunisia is in jail for criticizing President Kais Saied on Facebook. This keeps happening in what was once the Middle East’s most liberal country. Last summer, a member of parliament was arrested for accusing the president of staging a “coup against the constitution” in a Facebook post. It’s not just Tunisia that jails people for social media posts. Russia, which has a long history of criminalizing social media activity, is an innovator in this space. Check out our Jailed for a Like series if you’d like to know more.


  • This very important investigation by the Intercept about major U.S. media companies like CNN and the New York Times lobbying against restrictions on the collection and sale of user data for advertising. These news outlets have been covering data privacy scandals without ever telling us that they are in fact doing the same thing. 
  • This story about police in New South Wales in Australia building a database of residential surveillance cameras. This cheap and easy way of outsourcing surveillance is a common practice in the United States.