Tilleke & Gibbins has contributed the Cambodia, Myanmar, Thailand, and Vietnam chapters to Data Protection and Cybersecurity Regulation in Southeast Asia, a wide-ranging guide published by Drew Network Asia (DNA). The resource provides a comprehensive overview of data protection and cybersecurity laws across the region, offering practical insight into compliance requirements and regulatory developments affecting organizations that handle personal data or operate digital services in Southeast Asia. The guide begins with a regional overview, including the broader ASEAN context and cooperation initiatives. Jurisdiction-specific chapters follow a consistent structure—covering data privacy and governance obligations, security requirements and breach notification, outsourcing and cross-border data transfers, and broader accountability and compliance measures. This format allows readers to compare regulatory approaches across markets such as Brunei, Indonesia, Malaysia, the Philippines, Singapore, and others. In addition to the country chapters, the publication addresses cybersecurity and privacy engineering challenges, providing guidance for organizations and outlining obligations applicable to data controllers, processors, and intermediaries. A dedicated section on data breach management across ASEAN examines notification requirements, response considerations, and practical steps for managing incidents in a regional or global context. The guide is intended to serve as a practical reference, and the authors note that specific legal requirements may vary depending on sector, processing activity, or evolving legislation. Readers seeking more detailed advice can contact the practitioners listed in each chapter. The full guide is available for download using the button below or directly from the DNA website.

Tilleke & Gibbins has contributed an updated Myanmar chapter to the recently published Foreign Investment Review 2025, a global guide to the legal and regulatory environment for foreign investment in 27 jurisdictions worldwide. Published and distributed by Lexology Panoramic, the guide discusses law and policy on oversight of foreign investment, regulatory frameworks, procedural requirements, and other important concerns for foreign investors. The Myanmar chapter was prepared by Nwe Oo and Aye Thuzar Hlaing, senior associates in Tilleke & Gibbins’ office in Yangon. The Myanmar chapter covers the following topics: Law and Policy: Government policies and practices, main laws and their scope of application (including details on investment promotional measures), definitions, rules for state-owned enterprises and sovereign wealth funds, relevant authorities and oversight, and national interest provisions. Procedure: Jurisdictional thresholds, national interest clearance, securing approval, the review process for competition clearance and associated penalties, involvement of authorities, facilitation of clearance, and post-closing regulatory powers. Substantive assessment: Substantive tests for clearance, authorities’ consultation with other countries and other relevant parties, transactional prohibitions and objections, mitigating arrangements and challenges to a decision, and protection of confidential information. Recent cases, updates, and trends: Relevant recent case law, key recent and ongoing developments. A PDF of the Myanmar chapter can be downloaded through the button below. Tilleke & Gibbins also contributed the Cambodia, Laos, and Vietnam chapters to Foreign Investment Review 2025. Readers can also gain 30 days of complementary access to the full Foreign Investment Review 2025 guide and the rest of Lexology Panoramic’s varied offerings through this link.

Myanmar’s Directorate of Investment and Company Administration (DICA) has issued new documentation requirements for Myanmar-registered companies making changes to their shares or directors. Effective January 8, 2025, the DICA will only approve such changes when accompanied by specific supporting evidence as required under the Myanmar Companies Law 2017 (MCL). Key Changes and Requirements For share transfers, companies must submit the required application form, along with the following documents: Resolution from the company’s board of directors approving the change of shares or share transfer. Copy of the share-transfer agreement signed by both parties, with proof of stamp duty payment. For director changes, companies must submit the required application form, along with the following documents: Copy of new director’s ID or passport. Shareholder resolution approving the change of the director(s). New director’s consent to act (for appointments) or signed resignation (for departures) In addition to announcing the new documentation requirements, the DICA also reminded companies of an April 2023 announcement that requires companies to submit certain other required documentation within two months of establishment to the DICA by email. Next Steps Companies planning share transfers or director changes must ensure they prepare the complete documentation package before submission to the DICA. For more information on this announcement or assistance with corporate secretarial matters, please contact Tilleke & Gibbins at [email protected].

On January 1, 2025, Myanmar’s State Administration Council enacted Cybersecurity Law No. 1/2025, which aims to regulate various aspects of digital security and online activities. The law has not yet been implemented and will come into force on a date specified by the Myanmar president, who will also provide an official adoption and compliance timeline for individuals and organizations impacted by the new regulations. Below are some of the key provisions, implications, and penalties under the Cybersecurity Law. Extraterritorial penalties. The law contains an important provision that authorizes penalties against Myanmar citizens who are found guilty of violations, even if these occur outside the country’s borders. VPN definition and regulation. Virtual private networks (VPNs) are defined by this law as specific systems that function as backup networks by using technological means in order to ensure the safety of linking networks to each other. This definition sets the framework for subsequent regulations and penalties associated with VPN usage. The law does not restrict individuals or entities from using VPNs; it regulates VPN service providers. Penalties for unapproved VPN services. Establishing a VPN or providing VPN services without approval from the designated ministry (to be appointed later by the government) can result in significant penalties. For individuals, the punishment may be imprisonment for 1–6 months, a fine of MMK 1–10 million (approx. USD 476–4,760), or both, with the proceeds of the violation being confiscated. If the violator is a company or organization, the minimum fine will be MMK 10 million, and the proceeds will be confiscated. Government oversight. The ministry designated by the government is authorized to investigate and take control of cybersecurity services and digital platform services for national defense and security purposes, or upon request from a government department or organization in accordance with respective laws. Licensing requirements. The