A Myanmar citizen on Monday filed a complaint with the Norwegian Data Protection Authority against telecom giant Telenor Group in an attempt to stop the transfer of sensitive user data in the controversial sale of its Myanmar subsidiary to military-linked companies.
The complaint was filed by SANDS law firm on behalf of a Telenor customer and stated that the sale would violate the privacy of the more than 18 million users in the country as well as breach the General Data Protection Regulation (GDPR) of the European Union (EU), by which Norway is also bound.
The law firm did not disclose the identity of the complainant.
In a statement released on Tuesday, SANDS privacy and data security law specialist Ketil Sellæg Ramberg stressed that the sale could have “very serious consequences.”
“We ask the Norwegian Data Protection Authority to investigate the case urgently and use its powers to ensure that the rights of Telenor’s customers in Myanmar are not violated,” the specialist said.
Myanmar Now reported last week that Telenor’s sale of its Myanmar subsidiary to a joint partnership between the Lebanon-based M1 Group and local conglomerate Shwe Byain Phyu would be completed by February 15. The partnership is named Investcom Myanmar, a company that has not yet been registered. Shwe Byain Phyu, a military-linked gems and petrol conglomerate, will be the majority owner of Investcom Myanmar.
The company recently acquired a 49-percent stake in Investcom Pte Ltd, a company created by the M1 Group that was registered in Singapore after Telenor announced last year that it was selling its Myanmar unit to M1 for US$105m. The sale will include the transfer of personal data of Telenor Myanmar customers.
The complaint said that the Myanmar users’ fundamental rights and freedoms could be violated if M1 gets access to this data after the sale.
“Even though Telenor Group might have a legitimate interest in conducting the sale, the interests of the data subjects’ fundamental rights and freedoms will override that legitimate interest,” the complaint said.
It suggested that Telenor Group could have minimised potential privacy risks by “deleting the customer database before the sale.”
“Of course, this would have had an impact on the valuation of Telenor Myanmar, but it exemplifies that Telenor Group has a choice—whether to incur revenue or data protection,” it said.
The complaint to the Norwegian Data Protection Authority alleged that the sale would amount to a serious infringement of the GDPR and that Telenor could subsequently be fined up to 4 percent of the group’s worldwide annual revenue from the preceding financial year. Based on the company’s 2020 revenue—$13b—this would amount to a penalty of more than $500m, the statement said.
Even before the sale, Telenor Myanmar had complied with at least 200 requests from the junta-controlled Ministry of Transport and Communications over the past 12 months to provide information from its customers. This included records of calls, call locations and the last known location of specific phone numbers registered with Telenor.
A Telenor Group spokesperson told Myanmar Now on Monday that violating or not complying with the requests would have had severe and unacceptable consequences for the company’s employees in Myanmar.
The Netherlands-based Centre for Research on Multinational Corporations (SOMO), which is supporting the Myanmar citizen’s complaint, said that Norway has a responsibility to prevent a junta-linked company from gaining control of the personal data of Myanmar users, among whom are pro-democracy activists, human rights defenders, journalists and other at-risk individuals.
“Telenor Group and its majority shareholder, the Norwegian government, have an obligation to protect these individuals from harm, which include persecution, torture, and even extrajudicial killings,” Joseph Wilde-Ramsing, a senior researcher at SOMO, said.
“Despite the very foreseeable risk that something like a military coup could happen, Telenor chose to enter the Myanmar market and asked Myanmar citizens—as part of its sales pitch—to trust the company with their personal data.”
SOMO previously filed a complaint against Telenor with the Organisation for Economic Co-operation and Development (OECD) on behalf of hundreds of Myanmar civil society organisations in July, accusing the company of “irresponsible disengagement” from the country and alleging that the sale of Telenor’s Myanmar unit violated OECD standards outlining the requirements for a responsible exit.
Telenor Group did not respond to Myanmar Now’s request for comment regarding the complaint. But in a reply to Norwegian business newspaper Dagens Næringsliv (DN), the group argued that the customer data in its Myanmar unit is handled locally in line with Myanmar legislation and licensing requirements.
“No customer data from Telenor Myanmar’s customers is processed in Norway or the EU, and GDPR does not apply to the processing of this customer data,” Gry Rohde Nordhus, Communications Director of Telenor Group, told DN.
She added that Telenor Group is in conflict between local Myanmar laws and the company’s values, international laws, and human rights principles.
“We are forced to balance difficult considerations. We have concluded that a sale of the operation is the least disadvantageous solution for our employees, customers and the community,” Nordhus told DN.
The Norwegian Data Protection Authority also confirmed to DN that the agency had received the recent complaint.
“We will open a case based on this complaint. However, it is too early to say what we will do next. What we can say is that the legal issues are complicated and we have to reckon it will take some time,” Tobias Judin, head of the agency’s international section, told DN.
