[Regional] Southeast Asia’s draconian cyber laws: In the name of ‘national security’, so say states

Laws regulating how people use the internet must never serve as tools to control and silence critical and independent voices. Yet this is the stark reality in much of Southeast Asia today.

In a region where authoritarianism is on the rise, these laws have conveniently become the state’s weapon to restrict freedoms of expression and information, and penalize dissent.



Empowering business and society became the core message of Singapore’s Cybersecurity Strategy. Cyberattacks can disrupt the country’s better future and its benefits from technology, the Singapore government declared.

In February 2018, it passed the Cybersecurity Act, which broadly defines cybersecurity threats as “threats to national security, defence, foreign relations, economy, public health, public safety or public order of Singapore.” This was preceded by the Computer Misuse Act (first enacted in 1993 and revised in 2007), which authorizes collecting information from any computer once deemed as threat to national security. Both laws do not require court permission for search and investigation by authorities.



A necessary law to ‘protect the state’ is how Thailand’s Prime Minister Prayut Chan-o-cha described the country’s Cybersecurity Act.

“We need to have national security otherwise everybody does what they want,” he was quoted as saying in a Bangkok Post report in 2015. Despite criticisms on the law’s vague definition of “critical threat,” the Cybersecurity Act was enacted in February 2019 (see SEAPA report: [Thailand] New cyber laws raise concerns).

Just like Singapore’s cybersecurity law, the same legislation in Thailand does not require a court warrant for authorities to seize, search, and make copies of equipment and data. The law will be implemented by May 2019, said the Bangkok Post. The newspaper also reported on 4 March 2019 about the establishment of a cyberthreat team for telecommunications industry, comprising eight telecommunications companies in Thailand.



For Vietnamese Prime Minister Nguyen Xuan Phuc, “social consensus” must be created by the country’s mass communications efforts. To this end, the country’s controversial Cybersecurity Law took effect on 1 January 2019. Tagged as draconian by the international community, the law requires internet companies to set up and store their data inside the country, and mandates service providers to remove content that are prohibited by the state within 24 hours of receiving the request.

Internet companies and service providers were given a grace period of one-year to comply with Vietnam’s recently minted cybersecurity law. Civil society organizations working for the country’s democracy and human rights are taking this opportunity to not only lobby for its repeal through foreign trade relations, but also to educate the citizens about its impact on their daily lives.

The Southeast Asian Press Alliance (SEAPA) interviewed free expression advocates Vi Tran of Legal Initiatives for Vietnam and Don Le of Viet Tan to probe into the details  and impact of the cybersecurity law.


Click on these podcasts to listen to Vi and Don:

Part 1: Cybersecurity Law in Vietnam: Rule by Law

Part 2: Facebook as the Battleground

Part 3: Opportunities against an Unpredictable State


Cybercrime laws used for libel and defamation

Laws penalizing cybercrimes such as cyberstalking, cyberbullying, pornography, and trafficking against individuals have also been passed in Southeast Asia. Not classified under “cybersecurity,” laws about tele/communications, computer, media, and/or electronic transactions are meant to regulate broadcast and online media content, along with e-commerce transactions. These laws have also been used to broaden the scope of libel and defamation charges against journalists, activists, bloggers, and citizen journalists.

By invoking Communications and Multimedia Act 1998 (CMA) of Malaysia, the old government under former Prime Minister Najib Razak’s administration filed charges against journalists, and broadcast and online media companies. For instance, director and co-founder Premesh Chandran of the online news portal Malaysiakini was tried for four offenses in the cyber court for publishing a video of a press conference related to a major corruption investigation (1MDB) in July 2016 (see CIJ report: Media and Freedom Report in Malaysia).

In the Philippines, the “Cybercrime Prevention Act of 2012” has drawn vigorous opposition from concerned groups, since it contains provisions criminalizing libel. It adopted the now 88-year old libel law under the Revised Penal code “almost wholesale except for the penalties” (see SEAPA report: “Failed expectations, restrictive laws”). This cybercrime law became the basis for the libel charge filed against Rappler chief executive officer Maria Ressa, for which she was arrested in February 2019.

Three laws in Myanmar are currently used to silence online free expression: the 1996 Computer Science Development Law, the 2000 Web Regulations, and the 2004 Electronic Transactions Law (ETL) (see iLaw report: A Southeast Asian Chronicle: Internet Censorship and the Repression of Digital Democracy).

The ETL has been used to punish any online action deemed by the state as detrimental to peace and order, economy, and culture. Among the online actions it penalizes is “receiving or sending” related information (see Freedom House report: Freedom on the Net 2018). Enacted in 2013, the country’s Telecommunications Law (particularly Article 66[d]) has been used to criminalize reports produced by journalists such as Ko Swe Wi.   

A draft Cybercrime Law is currently pending with the Cambodia government (see unofficial translation of draft law). If approved, it will form part of the state’s current arsenal of laws, comprising the Cyber War Team and the Telecommunications Law – that authorizes surveillance and monitoring of content seen to harm national security. Prime Minister Hun Sen is said to have ordered its speedy approval, following the alleged hacking of his Facebook account, the Khmer Times reported.

The cybersecurity laws, in a region ruled by repressive regimes, are in reality state-sponsored restrictions on press freedom, free expression, and the public’s right to know and access information. Pursuing the challenge of ensuring free and democratic civic space online and offline requires both a vigilant civil society and a media that boldly asserts its right to report freely and independently while beholden to no one.

x Logo: Shield Security
This Site Is Protected By
Shield Security