Data protection & privacy laws in Myanmar (2026)
Myanmar has no comprehensive, GDPR-style data protection law. Basic personal data obligations were introduced via a 2021 amendment to the Electronic Transactions Law, while the Cybersecurity Law enacted by the military junta (State Administration Council) took effect in July 2025, mandating data retention and disclosure to authorities. Critical privacy safeguards in the 2017 Privacy and Security of Citizens Law were suspended by the junta days after the February 2021 coup, leaving wide government surveillance powers effectively unchecked.
Key points
Myanmar has not enacted a standalone, omnibus data protection statute. Data-related obligations are scattered across sector-specific legislation covering telecommunications, electronic transactions, financial institutions, and health services.
State Administration Council Law No. 07/2021 added a 'Protection of Personal Information' chapter (Art. 7/27) to the 2004 Electronic Transactions Law (ETL) — the first explicit personal data obligations in Myanmar law. Controllers must obtain consent, limit use to the original purpose, store data securely, and delete it when no longer needed. Violations carry 1–3 years' imprisonment or a fine. However, broad carve-outs for 'stability of state sovereignty, public order, and national security' effectively undercut these protections.
The Law Protecting the Privacy and Security of Citizens (2017) originally prohibited warrantless searches and communication interception. On 13 February 2021 — less than two weeks after the coup — the junta suspended Sections 5, 7, and 8, authorising warrantless surveillance, prolonged detention without judicial oversight, and mandatory data disclosure by telecoms operators to security forces.
Enacted 1 January 2025 and in force from 30 July 2025, the Cybersecurity Law requires digital platforms with 100,000+ users to register locally, retain user data and records for up to three years, and disclose them to authorities on request. VPN services require government approval. Analysts and human-rights organisations widely characterise it as a mass-surveillance and censorship instrument.
Myanmar has no dedicated, independent data protection authority. Oversight of electronic-transactions data obligations sits with designated government ministries under the State Administration Council. There is no ombudsman or commissioner with investigatory or enforcement powers equivalent to those in GDPR-model jurisdictions.
Sector-specific obligations touching personal data include the Telecommunications Law 2013 (subscriber data confidentiality), Financial Institutions Law 2016 (customer information), and Law Relating to Private Health Care Services 2007 (patient records). None of these establishes data-subject rights comparable to a modern DP framework.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.