On 5 September 2023, the Ministry of Commerce ("MOC") under the State Administration Council issued the E-Commerce Guidelines ("Guidelines") that introduced several significant provisions affecting the e-commerce landscape. Our previous 21 September 2023 alert provided an overview of the Guidelines' key features. In this alert, we will delve into specifics of personal data protection as provided in the Guidelines.

1. Legal Framework and Ethical Principles

The Guidelines reinforce the necessity of safeguarding personal freedom and consumer information in alignment with the Constitution of Myanmar, the Telecommunications Law, the Protection of Personal Privacy and Personal Security of Citizens Law, and other applicable statutes. Moreover, they articulate ethical principles that e-commerce operators ("Operators") are obligated to adhere to diligently:

• Limited Data Collection: Operators should restrict data collection to personal and payment information only.
• Lawful Grounds: Data collection must occur on lawful and reasonable grounds.
• Preventing Misuse: Operators are required to ensure that consumer data is not misused.

2. Data Lifecycle Management

The Guidelines underscore the importance of responsible data lifecycle management. Once data has fulfilled its initial purpose, Operators must either retain it for a period necessary for the original purpose or securely dispose of it unless legal restrictions or circumstances against the public interest necessitate retention.

3. Operator Liability and Market-Specific Safeguards

Operators are exempt from liability for incidents stemming from consumer negligence, such as sharing confidential data like passwords. However, Operators must implement safeguards tailored to the specific market characteristics in which they operate.

4. Transparency and Consumer Rights

To enhance transparency, Operators must maintain a clear policy encompassing the types of personal data collected, the primary purposes of data usage, and details about data controller documentation and contact information. Importantly, consumers, now recognized as data subjects, have the right to request and confirm the existence of their personal information from the data controller. Such requests should be promptly fulfilled at a reasonable cost and in an easily understandable format. Consumers can seek reasons for the denial and the right to appeal. Furthermore, data subjects have the authority to file complaints and, if successful, make modifications or request data deletion. They should also have avenues to report challenges related to ethical principles to regulatory authorities and assignees.

5. Responsibility of Data Collectors

Data collectors are mandated to take adequate measures to uphold ethical principles. Collection, disclosure, or usage of data necessitates consumers' informed consent.

6. Privacy-Enhancing Technologies (PETs) and Collaboration

Operators are urged to deploy Privacy-Enhancing Technologies (PETs) to protect personal freedom and enhance technology communication. Collaborative efforts are encouraged with authorities to promote education, awareness, and technological safeguards for personal freedom. Operators should promptly report any personal information leaks due to technological misuse or legal violations, adhering to rules that aim to minimize personal data risks, prevent discrimination, and prohibit the unauthorized sale, lending, or exchange of online personal information.

7. Cyber Security Obligations

The Guideline put the onus of cyber security risk on the Operators by mandating measures to reduce or mitigate any adverse consequence of e-commerce transactions. The Operators must conspicuously provide information regarding cyber security and authentication mechanisms to the consumers. The details must be clear and understandable. Similarly, Operators must implement effective measures to minimize risks while paying particular attention to information management, authentication process, data in transit, data at rest, and safeguarding personal and payment information. Emphasis must also be placed on enhancing security controls and network security.
 

The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.