A Myanmar citizen has filed a complaint at the Norwegian Data Protection Authority against telecom multinational Telenor Group, seeking to halt the dangerous transfer of control over sensitive user data in the sale of its activities in Myanmar.
The complaint, filed by SANDS law firm on behalf of the Myanmar Telenor customer and supported by SOMO, contends that the Norwegian company’s sale of its Myanmar subsidiary will violate the privacy of the over 18 million Telenor customers in Myanmar, in breach of the EU’s General Data Protection Regulation (GDPR), to which Norway adheres.
Telenor is selling its Myanmar business to the Lebanese company M1 Group, which has a history of doing business with dictators, in an apparent disregard for human rights. Reportedly, the sale will also involve a consortium led by Shwe Byain Phyu, a gems and petroleum trader with close ties to the military regime and no apparent experience running a telecommunications company. The sale is due to be completed by February 15, according to media reports.
Ketil Sellæg Ramberg, privacy and data security law specialist at SANDS: “The complaint argues that the GDPR applies to the sale of Telenor’s Myanmar subsidiary. We ask the Norwegian Data Protection Authority to investigate the case urgently and use its powers to ensure that the rights of Telenor’s customers in Myanmar are not violated, as this could have very serious consequences.”
Joseph Wilde-Ramsing, senior researcher at SOMO: “Despite the very foreseeable risk that something like a military coup could happen, Telenor chose to enter the Myanmar market and asked citizens – as part of its sales pitch – to trust the company with their personal data. Over 18 million people believed Telenor, but now these customers — including many democracy activists, human rights defenders, journalists and other at-risk individuals — are in danger of having control over their data transferred to a military-linked outfit. Telenor and its majority shareholder, the Norwegian government, have an obligation to protect these individuals from harm, which includes persecution, torture, and even extrajudicial killings, by not handing over control of sensitive user data.”
The sale of Telenor Myanmar will bring Telenor Group 105 million USD, and the value includes the transfer of personal data. The complaint alleges that the sale would amount to a serious infringement of the GDPR, and Telenor could be fined up to 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. Based on Telenor’s 2020 revenue of 13 billion USD, this would be over 500 million USD.
How does the GDPR apply to the Telenor Myanmar sale?
GDPR article 3 provides the terms of when the GDPR is applicable, even if the processing is happening outside the EU-area:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
In summary, it is the complainant’s view that Telenor Group is responsible for the data processing happening in Myanmar based on the following:
- Telenor Group is a controller within the EU, and thus subject to the GDPR.
- Telenor Group exercise real and effective influence on how its subsidiary, Telenor Myanmar, process the data of its customers.
Furthermore, Telenor Group is the one deciding to sell Telenor Myanmar, and will also receive the revenue of the sale. When Telenor Group sells its subsidiary including the data of its customers, Telenor must accordingly ensure the right to privacy of the data.
The GDPR complaint follows an OECD Guidelines complaint filed in July 2021 by SOMO on behalf of 474 Myanmar civil society organisations. It contends that Telenor’s sale breaches the OECD Guidelines, because the company failed to adequately mitigate the severe human rights risks to its customers in the context of its disengagement from Myanmar. Mediation offered by the Norwegian Contact Point for the OECD Guidelines to resolve the dispute about acute security risks to users has not been possible.
SOMO’s Wilde-Ramsing: “Individual Telenor Myanmar customers facing severe security risks are left with no other choice but to turn to the Norwegian Data Protection Authority to uphold basic privacy rights that Telenor is unable to uphold.”
Appeal to Norwegian Prime Minister
On January 31, 2022, the Norwegian Forum for Development and Environment, Access Now and SOMO wrote to the Prime Minister of Norway on behalf of 168 Myanmar civil society organisations, appealing for intervention to stop the damaging sale.